5 Privacy Breach Examples: Lessons Learned & How to Prevent Them
A privacy breach happens when someone accesses another person’s personal information without his or her permission. It is very similar to a data breach, which happens when someone accesses information without authorization. Many people use the two terms interchangeably, but there is a difference in terms of what information is illegally accessed.
A privacy breach specifically refers to breaches that target information about people.
A data breach is broader and can involve information that is not about people, such as business plans, internal sales data, details of security incidents, data exposed on the dark web, and other sensitive information.
5 Privacy Breach Examples
2016 Yahoo Breach
When your company is in the process of being bought out, the last thing you want the FTC to scrutinize you over is your improper sensitive data handling. For Yahoo, that is exactly what happened in 2016 as they were being acquired by Verizon Communications.
In 2013, Yahoo! experienced the first of several data breaches by unauthorized third parties, breaches that continued into 2014. However, while Yahoo! worked with both security companies and law enforcement to address the breach, it failed to notify affected users and governments around the world. This continued until 2016, when someone attempted to sell over 200 million Yahoo! accounts and the personal information of over 500 million other Yahoo! users.
Yahoo! finally reported the series of breaches to the public in September 2016, two months after user accounts had been put up for sale and several years after the initial breaches occurred. Because it kept the breaches to itself and failed to take proper security precautions, Yahoo! was forced to settle a class action lawsuit for $117.5 million in 2019. Additionally, Verizon acquired Yahoo! at a $350 million discount because of these complications.
2016 MySpace Breach
While MySpace no longer has the same global influence that it once did, its legacy is felt through other social media platforms and for having one of the worst privacy breaches in internet history. In May 2016, MySpace announced that over 360 million accounts had been compromised, with hackers attempting to sell personal details including usernames, passwords, and email addresses.
Despite the announcement occurring in 2016, the breach may have occurred as early as 2008, with the last confirmed breach taking place in 2013. This is important because, unlike many of the other companies on this list, MySpace responded swiftly to the discovery and invalidated all passwords created prior to 2013. While it wasn’t a perfect solution and annoyed many users, it did allow MySpace to protect many of those affected by the breach.
While MySpace had been fined by the FTC in the past for data handling failures, their swift actions to protect customers allowed MySpace to avoid penalties for this privacy breach.
2017 Equifax Breach
Credit bureaus handle extremely sensitive personal information, which makes them a frequent target of attacks. While many companies do a good job of protecting their consumers, one organization that failed to prepare and respond properly was Equifax. The 2017 personal data breach affected citizens in the United States, the United Kingdom, and Canada.
In March 2017, Equifax was notified of a vulnerability in software it was using, and it was urged to patch immediately to prevent credit card data theft and a damaging security incident. Equifax failed to do so, and multiple hackers accessed its servers for over two months before the breach was detected. The end result? 147 million US records, 15 million UK records, and 19,000 Canadian records were stolen. Because it also affected Canadians, the Equifax breach serves as a privacy breach example in Canada, and it ranks as one of the largest data breaches in the world.
Governments around the world found that Equifax had failed in its data handling duties because it didn’t update its software when alerted. Equifax also had other data handling failures, including poor general security and a failure to alert regulatory bodies as soon as possible. The end result was over $575 million in fines, a massive drop in stock price due to investor mistrust, and a reputation that Equifax is still trying to repair to this day.
2018 Marriott Breach
When one company acquires another, that business should examine everything it acquires with careful detail. Had Marriott International done so, they would have avoided one of the biggest data breaches of all time. In 2018, Marriott discovered a data breach that leaked over 500 million guest records, which led to heavy fines and a significant decrease in the number of guests staying at Marriott hotels in 2019.
How did the privacy breach happen? It actually began with another company, Starwood Hotels. Starwood was notorious for its poor security and a weak reservation system, which allowed hackers to access guest records in 2014. Marriott acquired Starwood in 2016, but instead of migrating the former Starwood hotels onto its own proprietary reservation system, it kept using the old one. Marriott also dismissed most of Starwood’s IT staff, which left few IT professionals to monitor the Starwood data.
The repercussions for Marriott’s failure to properly integrate Starwood after acquiring it were steep. Marriott was nearly fined $123 million, but because it took proper measures when it discovered the breach, it was fined $23.8 million instead. However, there was little that could save its reputation. A year after the data breach was reported, Marriott saw a significant decrease in reservations. Surveys conducted around that time suggested that a quarter of Americans would not stay at Marriott hotels after the breach.
Repeated LinkedIn Data Breaches
LinkedIn has established itself as one of the most important platforms for business professionals to connect with each other in the modern age. Unfortunately, that has made the professional network service company a target of repeated hacks and breaches. In 2012, LinkedIn suffered a data breach that affected 167 million users. Due to poor security practices, LinkedIn had to pay $1.25 million to victims and was given a deadline of five years to update their security.
LinkedIn has suffered other data and privacy breaches over the years, including a 2021 breach that affected over 500 million users. LinkedIn claims that this breach was not due to a fault in its security but involved publicly available data gathered through web scraping. However, regulators remain concerned about LinkedIn's security measures, and the company is being actively investigated over this breach by bodies such as the Italian Data Protection Authority.
Why are privacy breaches so damaging to companies?
The most common and harmful privacy breach occurs when a malicious party breaches an organization's security to access consumer information. By targeting major companies, hackers and other data thieves gain access to hundreds of thousands of private consumer records with a single attack. The information often stolen includes addresses, financial information, and personal identification data.
In response to these extremely harmful acts, regulations like CCPA, GDPR, PIPEDA, and other data privacy acts have imposed certain requirements on corporate data security. These requirements encourage companies to safeguard consumer information. Furthermore, many legislative acts now require organizations to inform employees, consumers, and the government of data leaks and breaches as soon as they occur.
Failure to comply with the data security requirements can result in three major consequences:
Increased risk of privacy breaches. Guidelines for handling data properly aren’t in place just to make business harder for your company. These guidelines are the best practices a business needs to maintain good data security. Failure to follow them means that your company is likely at high risk of experiencing a data or privacy breach.
Financial damages for data breaches. Regulatory bodies can investigate your organization for non-compliance with data handling laws, and they’ll certainly examine your organization with a keen eye when a breach occurs. If your company is found not to have taken the proper steps to protect consumer data, the financial penalties can be extreme. For 2022, the average global data breach now results in over $4 million in financial damages.
Loss of consumer trust. The greatest damage that comes with a privacy breach is the loss of consumer trust. Sometimes a good reputation is all that allows one business to succeed over a competitor. An organization that suffers a preventable privacy breach tells the public they shouldn’t trust this organization with their personal information. A company that loses customer trust probably won't stay in business for long.
To demonstrate the seriousness of privacy breaches, we shared some of the biggest breaches of the past decade above. We hope you learn from their examples and understand the importance of good data handling security practices.
How to Recover From a Privacy Breach
The above examples are case studies in what not to do when a business prepares and responds to a privacy breach. That being said, even the most secure companies in the world may experience a privacy breach at some point, especially those that hold valuable and sensitive personal information. How should your business respond to a privacy breach? Make sure you do the following:
Notify customers and regulatory bodies immediately. As soon as a breach is detected, notify affected customers and regulatory bodies. Most data privacy regulators have resources that can help a business respond to a breach. Additionally, you greatly reduce the risk of being fined for your response if you take immediate action rather than try to cover up the breach.
Make sure your business is compliant with global data privacy laws. As explained above, consumer data and privacy regulations exist to help companies safely handle and protect customer data. If your business stays compliant with the latest data privacy regulations, you’ll reduce the risk of data breaches, and if one does occur, regulatory bodies are more likely to treat your company leniently rather than penalize it for improper behavior.
Rely on Enzuzo for Data Privacy Handling
There are many tools that can improve your organizational data privacy handling, each with its own particular features and focuses. Are you looking for a single platform that has everything you need to stay compliant with the latest data privacy regulations? If so, you’ll want to check out the Enzuzo data privacy platform.
Contact us today to learn more about the Enzuzo data privacy platform or book a demo to try it out. Stay compliant with GDPR, CCPA, PIPEDA, and other data privacy regulations around the world by working with our team of data privacy experts here at Enzuzo.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.