12 Privacy Breach Examples: Lessons Learned & How to Prevent Them
A privacy breach happens when someone accesses another person's personal information without permission. It is closely related to a data breach, which is any unauthorized access to information. Many people use the two terms interchangeably, but they differ in what kind of information is accessed.
A privacy breach specifically refers to an incident that exposes information about people.
A data breach is the broader term and can involve information that is not about people at all, such as business plans, internal sales data, and other confidential company material, as well as personal data.
12 Privacy Breach Examples
2014 Experian Breach
U.S. credit monitoring firm Experian suffered a privacy breach involving the personal records of roughly 200 million individuals after Hieu Minh Ngo, a Vietnamese national, gained unauthorized access to Court Ventures, a data broker Experian had acquired in 2012.
According to news reports, Ngo deceived Court Ventures by masquerading as a private investigator from Singapore and was granted access to a personal records database, which he then resold to identity thieves. The details surrounding this breach were exposed when Ngo pleaded guilty to multiple charges in March 2014 in federal court in New Hampshire. The lesson is that a weak customer-vetting process can be as damaging as a software vulnerability: Ngo needed no exploit, only a convincing cover story and a subsidiary that nobody had audited after the acquisition.
2014 Yahoo Breach
When your company is in the process of being bought out, the last thing you want regulators scrutinizing is your handling of sensitive data. For Yahoo, that is exactly what happened in 2016 as it was being acquired by Verizon Communications.
In 2013, Yahoo experienced the first of several data breaches by unauthorized third parties, with further intrusions in 2014. While Yahoo worked with security companies and law enforcement to address the breaches, it failed to notify affected users or regulators around the world. That silence lasted until 2016, when a hacker offered more than 200 million Yahoo accounts for sale, prompting disclosure of a 2014 intrusion that had affected at least 500 million users. The 2013 breach, disclosed that December, eventually turned out to have affected every one of Yahoo's roughly three billion accounts.
Yahoo finally reported the 2014 breach to the public in September 2016, weeks after accounts had been put up for sale and two years after the intrusion itself. Because it kept the breaches to itself and failed to take proper security precautions, Yahoo settled a class action lawsuit for $117.5 million in 2019. Additionally, Verizon cut its purchase price for Yahoo by $350 million because of these complications.
2016 MySpace Breach
While MySpace no longer has the global influence it once did, its legacy lives on through other social media platforms and through one of the largest privacy breaches in internet history. In May 2016, MySpace announced that over 360 million accounts had been compromised, with hackers attempting to sell usernames, passwords, and email addresses.
Although the announcement came in 2016, the data dated from before June 2013, and the intrusion may have occurred as early as 2008. The passwords had been stored as unsalted SHA-1 hashes, which attackers can reverse by simple dictionary lookup, so the stolen table was effectively a plaintext list. Unlike many of the other companies on this list, MySpace responded swiftly once it learned of the breach and invalidated all passwords set before June 2013. While it wasn't a perfect solution, and it annoyed many users, it did limit the damage for those affected.
MySpace had settled FTC charges over its privacy practices in 2012, but its swift action to protect users this time allowed it to avoid penalties for the breach.
2017 Equifax Breach
Credit bureaus handle extremely sensitive personal information, which makes them a frequent target of hackers. While many companies do a good job of protecting their consumers, one organization that failed to prepare and respond properly was Equifax. The 2017 personal data breach affected residents of the United States, the United Kingdom, and Canada.
In March 2017, Equifax was notified of a critical vulnerability in Apache Struts, a web framework it used in a consumer dispute portal, and was urged to patch immediately. Equifax failed to do so, and attackers had access to its servers for more than two months before the breach was detected. The end result? 147 million US records, 15 million UK records, and 19,000 Canadian records were stolen, making this one of the largest data breaches in the world and a notable privacy breach example for Canada as well as the US.
Regulators found that Equifax had failed in its data handling duties because it did not patch when alerted. Later investigations documented further failures, including an expired certificate on a network inspection device that left the outbound theft of data unmonitored for months, weak general security, and slow notification of regulators. The end result was a settlement of at least $575 million with the FTC, the CFPB and US states, a sharp drop in its share price as investors lost confidence, and a reputation that Equifax is still trying to repair to this day.
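The lesson from Equifax is operational: once a fix for a component you run has been published, every day without it is a countdown. The added example below is not Equifax's or Apache's code; it is a small Python audit that checks a constructed dependency inventory against the version ranges Apache published for the Struts flaw exploited at Equifax (CVE-2017-5638, advisory S2-045, which lists 2.3.5 through 2.3.31 and 2.5 through 2.5.10 as affected). The manifest format, the function names and the sample entries are assumptions for illustration.

```python
"""Flag dependency versions that fall inside a known-vulnerable range.

Added example, not code from the article or from Equifax. Vulnerable ranges
are those in Apache advisory S2-045 (CVE-2017-5638); manifest lines are
constructed. Format assumed: one 'group:artifact:version' per line.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VulnRange:
    artifact: str          # "group:artifact" coordinate
    low: Tuple[int, ...]   # inclusive lower bound
    high: Tuple[int, ...]  # inclusive upper bound
    advisory: str


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). A qualifier such as '-SNAPSHOT' is dropped,
    so a pre-release of a vulnerable version is still flagged; any remaining
    non-numeric component sorts as -1."""
    base = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else -1 for p in base.split("."))


# Apache S2-045: fixed in 2.3.32 and 2.5.10.1, so those versions sort above 'high'.
STRUTS_S2_045: List[VulnRange] = [
    VulnRange("org.apache.struts:struts2-core", (2, 3, 5), (2, 3, 31), "CVE-2017-5638"),
    VulnRange("org.apache.struts:struts2-core", (2, 5), (2, 5, 10), "CVE-2017-5638"),
]


def matching_advisories(artifact: str, version: str,
                        ranges: List[VulnRange] = STRUTS_S2_045) -> List[str]:
    """Advisories whose range contains this artifact version. Python tuple
    ordering gives (2, 5) <= (2, 5, 0) and (2, 5, 10) < (2, 5, 10, 1),
    which is what we want for dotted versions."""
    v = parse_version(version)
    return [r.advisory for r in ranges if r.artifact == artifact and r.low <= v <= r.high]


def audit_manifest(lines: List[str]) -> Dict[str, List[str]]:
    """Map each vulnerable coordinate in the manifest to its advisories.
    '#' starts a comment; blank lines are ignored; malformed lines raise."""
    findings: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"expected group:artifact:version, got {line!r}")
        group, artifact, version = parts
        hits = matching_advisories(f"{group}:{artifact}", version)
        if hits:
            findings[line] = hits
    return findings


# Constructed inventory: one vulnerable build, two fixed builds, one unrelated library.
SAMPLE_MANIFEST = [
    "# constructed sample inventory, one Maven coordinate per line",
    "org.apache.struts:struts2-core:2.3.31",
    "org.apache.struts:struts2-core:2.5.10.1",
    "org.apache.struts:struts2-core:2.3.32",
    "org.apache.commons:commons-lang3:3.5",
]

if __name__ == "__main__":
    for coordinate, advisories in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"VULNERABLE {coordinate}: {', '.join(advisories)}")
```

Run against a real inventory, a check like this belongs in CI with the range table fed from an advisory database rather than hand-typed, but the logic is the same: an exact version comparison against published bounds, run every time the build changes, not once a quarter.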
2018 Marriott Breach
When one company acquires another, it should examine everything it is buying in careful detail. Had Marriott International done so, it might have avoided one of the biggest data breaches of all time. In 2018, Marriott discovered a breach that exposed up to 500 million guest records (later revised to roughly 383 million), which led to heavy fines and a significant decrease in the number of guests staying at Marriott hotels in 2019.
How did the privacy breach happen? It actually began with another company, Starwood Hotels & Resorts. Starwood's poorly secured reservation system had been compromised by intruders as early as 2014. Marriott acquired Starwood in 2016, but instead of migrating the Starwood properties onto its own proprietary reservation system, it kept running the old one. Marriott also let most of Starwood's IT staff go, leaving few professionals to monitor the Starwood systems, and the intruders remained inside, undetected, for two more years.
The repercussions for Marriott's failure to properly vet and integrate Starwood were steep. The UK Information Commissioner's Office initially proposed a fine of roughly $123 million (£99 million), but because Marriott cooperated and took proper measures once it discovered the breach, the final penalty was reduced to about $23.8 million (£18.4 million). Little, however, could save its reputation. A year after the breach was reported, Marriott saw a significant decrease in reservations, and surveys conducted at the time suggested that a quarter of Americans would not stay at Marriott hotels because of it.
2018 Aadhaar Breach in India
A database holding the personal information of over a billion Indians was reported leaked and sold online in 2018. Reports said that hackers were able to access, through more than 200 websites, details such as names, addresses, and bank account numbers of Aadhaar holders. The Aadhaar database includes photographs, fingerprints, iris scans, and other identifying details for nearly every Indian resident, and access to records was reportedly sold for as little as about $10.
Repeated LinkedIn Breaches (2012 & 2021)
LinkedIn has established itself as one of the most important platforms for business professionals to connect with each other. Unfortunately, that has made the company a target of repeated hacks and breaches. In 2012, LinkedIn suffered a data breach that was initially thought to involve 6.5 million password hashes but turned out, when the full dataset surfaced for sale in 2016, to affect 167 million accounts. The passwords had been hashed with unsalted SHA-1, so a large share were cracked within days. LinkedIn paid $1.25 million to settle a class action over the breach and committed to salting and hashing passwords for at least five years.
LinkedIn has suffered other data and privacy breaches over the years, including a 2021 incident that affected over 500 million users. LinkedIn maintains that this was not a security fault but the aggregation of publicly visible profile data through web scraping. Regulators remain concerned about its safeguards, however, and the Italian Data Protection Authority opened an investigation into the incident.
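Both the MySpace and LinkedIn password tables were stored as unsalted SHA-1 hashes, and that storage choice, more than the intrusions themselves, is why so many passwords were recovered so quickly. The added example below is not code from the article, MySpace or LinkedIn; it is a Python demonstration on a constructed three-user "dump" and a constructed wordlist. It contrasts unsalted SHA-1, where one precomputed table cracks every user at once and identical passwords are visible as identical hashes, with a random per-user salt plus a slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt or Argon2), where each user costs the attacker a fresh pass over the wordlist. Function names, the users and the iteration count are assumptions.

```python
"""Unsalted fast hash vs. salted slow KDF: a constructed demonstration.

Added example, not code from the article or from MySpace/LinkedIn.
Users, passwords and the wordlist are constructed; PBKDF2-HMAC-SHA256 stands
in for a dedicated password hash such as bcrypt or Argon2.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 100_000  # assumed cost; tune so one hash takes ~100 ms on your hardware


# --- the weak scheme both sites used: unsalted SHA-1 -------------------------
def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(dump: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """One hash per candidate word, computed once, recovers every matching user.
    Returns (recovered passwords, number of hash computations)."""
    table = {sha1_unsalted(w): w for w in wordlist}  # reusable across any dump
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, len(table)


# --- the hardened scheme: random per-user salt + slow KDF --------------------
def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; constant-time comparison."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(dump: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """No shared table is possible: every user costs a fresh pass over the wordlist,
    and every candidate costs a full KDF run. Returns (recovered, KDF runs)."""
    words = list(wordlist)
    recovered: Dict[str, str] = {}
    runs = 0
    for user, stored in dump.items():
        for w in words:
            runs += 1
            if pbkdf2_verify(w, stored):
                recovered[user] = w
                break
    return recovered, runs


# Constructed data: three users, two of whom share a password.
USERS = {"alice": "password1", "bob": "hunter2", "carol": "password1"}
WORDLIST = ["letmein", "password1", "hunter2", "correcthorse"]


def build_dumps(iterations: int = ITERATIONS) -> Tuple[Dict[str, str], Dict[str, str]]:
    """What an attacker would find in the database under each scheme."""
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_hash(p, iterations=iterations) for u, p in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_dumps()
    print("same password, same hash?  unsalted:", unsalted["alice"] == unsalted["carol"],
          " salted:", salted["alice"] == salted["carol"])
    print("unsalted SHA-1:", crack_unsalted(unsalted, WORDLIST))
    print("salted PBKDF2: ", crack_salted(salted, WORDLIST))
```

With four candidate words, the unsalted dump falls to four SHA-1 computations no matter how many users it holds; the salted dump costs a KDF run per user per candidate, with no way to amortize across users, and the two users sharing a password are no longer visible as a pair. That cost multiplier, not secrecy of the algorithm, is what the LinkedIn settlement's salting-and-hashing requirement buys.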
2023 Oreo Breach
The personal data of more than 50,000 employees at Mondelez International, the parent company of Oreo and Ritz, was exposed by a privacy breach involving a third-party vendor in May 2023. A report by Bloomberg said the information stolen included employee dates of birth, Social Security numbers, and home addresses.
The hackers targeted a law firm used by Mondelez that held records about its employees. A Mondelez representative said that no internal systems of the company were affected and that the firm was cooperating with British law enforcement agencies to unearth more details. Employees were notified about the incident nearly three weeks after it occurred, and any long-term repercussions have yet to be ascertained.
2023 Petro-Canada Breach
Another 2023 example comes from Canada, where a damaging cybersecurity incident hit Suncor Energy, one of the country's largest petroleum companies, in June. Details of the incident were not made clear, and the company's systems were still not fully operational a week after the initial outage.
The breach caused a countrywide outage of the Petro-Canada mobile app, web accounts, payment systems, and internal systems. It was too early to say how many individuals' details were exposed, but the number is likely to be substantial.
2023 Okta Privacy Breach
Hackers breached the customer support system of identity provider Okta in October 2023. The firm initially downplayed the incident, saying it affected only 134 customers, roughly 1% of its customer base. It later emerged that the attack was far more extensive: the intruders had downloaded a report containing details of every user of Okta's customer support system.
This included the names and email addresses of users at high-profile clients such as Zoom, FedEx, and Peloton. A list of the people who administer identity systems is ideal material for targeted phishing, which is why Okta urged customers to enforce multi-factor authentication for administrator access. The company notified users of the latest findings in a letter on Tuesday, November 28, 2023.
2024 Giant Tiger Privacy Breach
Canadian discount retailer Giant Tiger was hit by a privacy breach in March 2024 after a third-party vendor it uses for customer engagement and communications was compromised.
The incident exposed customers' names, phone numbers, and email addresses, and for some customers their street addresses. The company was first alerted to the possibility of a breach in early March and confirmed it by 15 March; roughly 2.8 million customer records later appeared on a hacking forum.
Why are privacy breaches so damaging to companies?
The most common and harmful privacy breach occurs when a malicious party gets past an organization's security to reach consumer information. By targeting major companies, hackers and other data thieves gain access to hundreds of thousands, or as the examples above show, hundreds of millions of private consumer records with a single attack. The stolen information often includes addresses, financial details, and identity documents.
In response, regulations like the CCPA, GDPR, PIPEDA, and other data privacy acts impose requirements on corporate data security that push companies to safeguard consumer information. Many of them also require organizations to inform affected individuals and regulators of a breach promptly; the GDPR, for example, gives a company 72 hours from becoming aware of a breach to notify its supervisory authority.
Failure to comply with these data security requirements has three major consequences:
- Increased risk of intrusion. Guidelines for handling data properly are not in place just to make life harder for your company; they codify what good data security looks like in practice. An organization that ignores them is very likely to be at high risk of a data or privacy breach.
- Financial damages for data breaches. Regulators can investigate your organization for non-compliance with data handling laws, and they will certainly examine it with a keen eye after a breach. If your company is found not to have taken proper steps to protect consumer data, the financial penalties can be severe, on top of the direct cost of the incident: in 2022, the average data breach worldwide cost more than $4 million.
- Loss of consumer trust. The greatest damage from a privacy breach is the loss of consumer trust. Sometimes a good reputation is all that lets one business win over a competitor. An organization that suffers a preventable privacy breach is telling the public that it cannot be trusted with their personal information, and a company that loses customer trust rarely stays in business for long.
👉 Looking to prevent privacy breaches? Our list of the best cybersecurity tools will point you in the right direction.
How to Recover From a Data Privacy Breach
The above examples are case studies in what not to do when preparing for and responding to a privacy breach. That said, even the most secure companies in the world may suffer a privacy breach at some point, especially those that hold valuable and sensitive personal information. How should your business respond when it happens? Make sure you do the following:
- Notify customers and regulatory bodies immediately. As soon as a breach is detected and its scope is understood, notify affected customers and the relevant regulators, within the statutory window where one applies. Most data privacy regulators publish resources that can help a business respond. Acting immediately rather than trying to cover up the breach, as Yahoo did, also greatly reduces the risk of being fined for your response.
- Audit your third-party vendors. Adequate vendor management is key to avoiding third-party risk: in the Giant Tiger and Mondelez breaches the compromised party was a vendor, and in Marriott's case it was an acquired company's unexamined systems. Regularly audit your vendors and make sure they meet your security requirements, or use vendor management software to automate the process.
- Make sure your business is compliant with global data privacy laws. As explained above, consumer data and privacy regulations exist to help companies handle and protect customer data safely. Staying compliant with the latest regulations reduces the risk of a breach, and if one does occur, regulators are more likely to show leniency, as they did with MySpace and Marriott, than to penalize improper behavior.
Rely on Enzuzo for Data Privacy Handling
There are many tools that can improve your organizational data privacy handling, each with its own particular features and focuses. Are you looking for a single platform that has everything you need to stay compliant with the latest data privacy regulations? If so, you’ll want to check out the Enzuzo data privacy platform.
Enzuzo features quick integration into mobile applications, websites, eCommerce services, Shopify Plus, and more. Worried whether your privacy policies are up to par? Trust our attorney-vetted privacy policy generator along with our terms of service generator and EULA generator. Our platform is packed with features to bolster your consumer data security and reduce the risk of a privacy breach.
Contact us today to learn more about the Enzuzo data privacy platform or book a demo to try it out. Stay compliant with GDPR, CCPA, PIPEDA, and other data privacy regulations around the world by working with our team of data privacy experts here at Enzuzo.
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.