10 of the Biggest Data Breaches in History

Data breaches by the dozens happen every day. Cybercriminals are constantly coming up with new ways to access databases loaded with sensitive information they can sell on the dark web or use for future attacks. If the daily news has you wondering about the biggest data breaches of all time, we have answers for you. Read on to explore the worst breaches to date, what caused them, how they were discovered, and what consequences we are all still living with.

1. Yahoo! Data Breach

  • Year of breach: 2013 – 2016
  • Data breached: 3 billion user accounts

According to data breach statistics, the largest data breach in history is the one that Yahoo! suffered for several years. Not only is it the biggest breach according to the number of affected users, but it also feels like the most massive one because of all the headlines.

The flood of ongoing news coverage is understandable. It took the company a long time to figure out just how big a data leak it was dealing with, so news kept dribbling out. It turned out the company was hacked by Russian spies, giving the security breach an even grimmer outlook. The world’s biggest data breach has recently returned to the front pages because of a class action lawsuit and settlement payments to affected users.

In September 2016, Yahoo! notified the public that 500 million user accounts had been breached in a 2014 cyberattack. A state-sponsored actor was suspected to be behind the attack. Just three months later, the company came forward again, saying that it discovered another breach that had occurred in August 2013. At the time, Yahoo! estimated that 1 billion user accounts had been affected, making it one of the worst data breaches of all time. After the FBI got involved, it was determined that all 3 billion Yahoo! accounts had been compromised, making it a breach of unprecedented size.

How Did It All Happen?

The hack of Yahoo! users was orchestrated by two hackers, Latvian Alexey Belan and Canadian Karim Baratov. They were hired by Russia’s Federal Security Service, the FSB, to get their hands on information belonging to several high-profile persons. The hacking duo targeted Russian journalists, employees of a Russian cybersecurity company, and Russian officials. Other targets of what turned out to be the biggest data breach ever were the CTO of a French transportation company, a Shanghai-based managing director of a US private equity firm, a Nevada gaming official, and 14 employees of a Swiss Bitcoin banking firm.

Belan and Baratov sent Yahoo! employees a series of spear-phishing emails containing a malware download link. All it took for hackers to gain access to the company’s network was a single click by one staff member.

Once they were inside the network, the goal was to find the user database and the internal tools that were used to alter the data. They quickly accomplished both goals of this major cyber attack. To make sure they would not lose access to the network, they created a back door on a Yahoo! server. They returned in December 2014 to download a copy of the entire user database.

What Records Were Leaked?

Names, phone numbers, security questions and answers, as well as password recovery emails and a cryptographic value unique to each account were copied by the attackers.

What Are the Consequences of the Yahoo! Breach?

When the company realized it was a victim of the biggest hack of all time and notified everyone with a Yahoo! account, the public was shocked. A class action lawsuit ensued. Under the terms of settlement, Yahoo! has agreed to create a settlement fund worth $117,500,000 to compensate for the damage it caused American and Israeli users. Affected individuals can opt for at least two years of credit monitoring services that include identity-theft monitoring or a cash reimbursement ranging from less than $100 to a maximum of $358.80. As for the perpetrators of the Yahoo! breach, Baratov was sentenced to 5 years in prison and a fine of $2.25 million. Belan is still at large, as are the duo’s FSB collaborators.

2. Collection #1-5 Data Breach

  • Year of breach: 2019
  • Data breached: 2.2 billion usernames and associated passwords

2019 kicked off with a massive data breach when the so-called Collection #1 database surfaced in mid-January. It contained a staggering mass of credentials – 773 million unique email addresses and more than 21 million passwords. The data, approximately two or three years old, was a collection of credentials acquired in previous high-profile company data breaches, including the LinkedIn and Dropbox breaches of 2016.

This was just the beginning. By the end of January 2019, four subsequent databases – Collections #2-5 – became available for free download on Torrent websites. In total, these five databases revealed 2.2 billion unique credentials. The revealed data wasn’t all that sensitive – no credit card information or Social Security numbers were disclosed. But the sheer amount of data makes it one of the biggest data breaches of all time.

How Did It All Happen?

Troy Hunt, the man behind the breach notification website haveibeenpwned.com, was the first to draw public attention to the existence of Collection #1. In mid-January, several people directed him to the cloud storage website Mega, where he found the treasure trove. Collection #1 was an 87 gigabyte database containing nearly 2.7 billion rows of email addresses and passwords. Hunt went through considerable trouble to clean up the database by eliminating duplicates and stripping out unusable bits of data that were scattered in 12,000 files.

Following Hunt’s notification, the database was removed from Mega – but it was still available on underground hacking forums. The information exposed in this recent data breach from early 2019 was being sold for just $45. Before long it could be downloaded from many sites for free.

Brian Krebs, a cybersecurity journalist running his own website, got in on the investigation. He contacted the hacker selling Collection #1 and learned there were four additional leaks in the works. The remaining collections were exposed by the end of January.

What Records Were Leaked?

Collections #2-5 were like a Frankenstein’s monster of information obtained in recent security breaches – Yahoo!, LinkedIn – and some not-so-recent exploits like the MySpace breach of 2008. A staggering amount of information was distributed – 845 gigabytes. In most cases, only credentials were shared. A total of 2.2 billion unique user names and associated passwords were exposed in all 5 collections.

What Are the Consequences of the Collection #1-5 Data Breach?

It could have been worse. Most of the information that was revealed is outdated. Years have passed since the data obtained in the MySpace breach first started circling the dark web. When it was first offered for sale, it was going for a much heftier price than $45.

What makes this incident one of the top data breaches ever is that it opened our eyes to the fact that hackers have been sharing and saving a lot of the data breached in the earlier attacks. It is most valuable to cybercriminals who want to perform credential stuffing attacks. Given the bad habit of using the same password for multiple websites, hackers can deploy an automated process that uses email and password combinations until it gains access to a website. This puts people at risk of dangerous attacks like phishing, fraudulent loan applications, unauthorized purchases, and money transfers.

To avoid becoming a victim of future major security breaches, you should change your passwords from the standard one or two you are using to unique and complex ones for each website. Password management tools are of great assistance.
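From the defending site's side, the credential stuffing pattern described above is visible in authentication logs as one source trying many different accounts with mostly failed logins. The following is an added example, not part of the original article: the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2019-01-20T10:00:01 203.0.113.7 alice@example.com FAIL
2019-01-20T10:00:02 203.0.113.7 bob@example.com FAIL
2019-01-20T10:00:03 203.0.113.7 carol@example.com OK
2019-01-20T10:00:04 203.0.113.7 dave@example.com FAIL
2019-01-20T10:00:05 203.0.113.7 erin@example.com FAIL
2019-01-20T10:00:06 203.0.113.7 frank@example.com FAIL
2019-01-20T10:01:10 198.51.100.20 heidi@example.com FAIL
2019-01-20T10:01:20 198.51.100.20 heidi@example.com FAIL
2019-01-20T10:01:45 198.51.100.20 heidi@example.com OK
2019-01-20T10:02:00 192.0.2.44 ivan@example.com OK
2019-01-20T10:02:05 192.0.2.44 judy@example.com OK
2019-01-20T10:02:09 192.0.2.44 mallory@example.com OK
2019-01-20T10:02:30 192.0.2.44 niaj@example.com OK
2019-01-20T10:02:41 192.0.2.44 olivia@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, success)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.75):
    """Return {source_ip: [accounts that logged in successfully from it]}.

    A source is flagged when, inside any sliding time window, it tried at
    least `min_accounts` distinct accounts and at least `min_fail_ratio`
    of those attempts failed. A user who mistypes a password touches one
    account; a shared office address touches many accounts but mostly
    succeeds. Neither matches both conditions.
    """
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            accounts = {account for _, account, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if (len(accounts) >= min_accounts
                    and failures / len(chunk) >= min_fail_ratio):
                # Any successful login from a flagged source, at any time,
                # is an account whose password should be reset.
                flagged[ip] = sorted({a for _, a, ok in events if ok})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: likely credential stuffing; reset {accounts}")
```

The accounts returned for a flagged source are the ones where a reused password actually worked, which is where forced resets and user notification should start.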

3. Aadhaar Data Breach

  • Year of breach: 2018
  • Data breached: identity and biometric information of 1.1 billion Indian citizens

The Aadhaar breach is the perfect example of a massive cybersecurity incident if ever there was one. The world’s largest ID database, Aadhaar, was established by the Unique Identification Authority of India in 2009. The database contained information on more than 1.1 billion Indian citizens, including a 12-digit unique identity number, fingerprint scans of all 10 fingers, two iris scans, name, gender, and contact information.

Most Indians have an Aadhaar card even though it isn’t mandatory. However, the card is required when applying for state aid or financial assistance, buying a cellular SIM card, opening a bank account, enrolling in utilities, and getting other bureaucratic things done. The news of the Aadhaar database being hacked broke in January 2018, making the biggest data breaches of 2018 list.

How Did It All Happen?

Malicious actors infiltrated the Aadhaar database through the website of a state-owned utility company named Indane. The utility provider is connected to the government database through an application programming interface that allows applications to retrieve data stored by other applications or software. Regrettably, Indane’s API had no access controls. This left the company’s data vulnerable. And the data of its customers, too. And every Aadhaar card owner.

Karan Saini, a New Delhi-based security researcher, discovered this system weakness and notified the state-owned company that one of the largest data breaches in history was looming. In addition to lacking access security controls, the flawed API could also allow an attacker to go through every permutation of an Aadhaar number, receiving in-depth information every time it made a hit. Saini’s warnings were met with nothing but denial by the UIDAI on Twitter.

US tech portal ZDNet also got involved. Its reporters emailed Indian authorities regarding the latest security breaches in the government database several times, but to no avail. An entire month went by and they got no reply. Then the ZDNet team reached out to the Indian Consulate in New York and explained the issue to the consul of trade and customs. Two weeks passed without any action to take down the exposed database. It wasn’t until March 23, 2018, after ZDNet published the story to its American audience, that Indian authorities took the vulnerable access point offline.

What Records Were Leaked?

A staggering amount of data was revealed in one of the biggest government breaches of all time. The database with information on 1.1 billion citizens had been sitting unprotected for years. In it were names, addresses, photos, phone numbers, and emails, as well as biometric data like fingerprints and iris scans. This turned out to be a credit breach too, since the database also held information about bank accounts connected with the unique 12-digit number. Before the breach was exposed, the Indian government made a tweet denying that it stored that bank information.

What Are the Consequences of the Aadhaar Breach?

The extremely poor security measures deployed by UIDAI are likely to have ongoing catastrophic consequences. Virtually all Indian adults became potential victims of identity theft and other crimes stemming from it. The worst part is – the information from this recent data breach of 2018 had already fallen into the wrong hands before the vulnerability was eliminated.

Reporters at India’s Tribune newspaper were able to purchase stolen data from hackers who were offering it through a WhatsApp group. It cost only $7 to get someone’s personal information. For an additional $4 they obtained software to print fake Aadhaar cards. The consequences of this mega breach remain to be seen.

4. First American Financial Corp. Data Breach

  • Year of breach: 2019
  • Data breached: 885 million records

First American Financial Corp., the largest title insurance provider in the US, exposed 885 million records in one of the biggest data breaches of 2019. Real-estate buyers and sellers partner up with First American to secure property transactions, sharing in-depth personal and financial information with the company. Instead of protecting the sensitive data it collects, the insurance company let it sit unprotected on its website, accessible to everyone and anyone.

How Did It All Happen?

The unguarded database was first reported by Brian Krebs, an independent security journalist. Krebs was tipped off about this major data breach by a Washington-based real estate developer who was working with First American. The developer was the one who first noticed that First American’s website was leaking records – potentially hundreds of thousands of them. He realized that anyone who knew the URL of a valid document on the insurance company’s website could view other documents just by editing a single digit in the link. After getting no response from First American, he got in touch with Krebs. On May 24, Krebs reported the news on his cybersecurity blog. After that, it went viral.
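The flaw described here, where changing one digit in a document link returns someone else's record, is a missing per-object authorization check, and the Indane API without access controls in the Aadhaar section is the same class of failure. The sketch below is an added example, not First American's code: the handler names, the in-memory store and its records are constructed, and it puts the unchecked lookup beside a checked one with a regression test that probes neighbouring IDs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed records with sequential IDs, as in the flaw the article describes.
STORE = {
    d.doc_id: d
    for d in [
        Document(1000041, "buyer_a", "wire receipt (constructed)"),
        Document(1000042, "buyer_b", "mortgage statement (constructed)"),
        Document(1000043, "buyer_c", "tax document (constructed)"),
    ]
}


class NotFound(Exception):
    """Raised for missing AND unauthorized documents alike."""


def fetch_insecure(doc_id):
    """The 'before': any caller who supplies a valid ID gets the document."""
    doc = STORE.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def fetch_authorized(session_user, doc_id):
    """The 'after': the document is returned only to its owner.

    Missing and forbidden documents raise the same error, so the response
    does not reveal which IDs exist.
    """
    doc = STORE.get(doc_id)
    if session_user is None or doc is None or doc.owner != session_user:
        raise NotFound(doc_id)
    return doc


def foreign_documents_reachable(fetch, session_user, known_id, radius=5):
    """Regression check for a handler: starting from an ID the user
    legitimately holds, request the neighbouring IDs and list every
    document returned that belongs to someone else. Must be empty."""
    leaked = []
    for candidate in range(known_id - radius, known_id + radius + 1):
        try:
            doc = fetch(candidate)
        except NotFound:
            continue
        if doc.owner != session_user:
            leaked.append(doc.doc_id)
    return leaked


if __name__ == "__main__":
    user, own_id = "buyer_a", 1000041
    print("insecure handler leaks:",
          foreign_documents_reachable(fetch_insecure, user, own_id))
    print("authorized handler leaks:",
          foreign_documents_reachable(
              lambda doc_id: fetch_authorized(user, doc_id), user, own_id))
```

Random, unguessable document identifiers make enumeration harder but do not replace the ownership check, since links get forwarded, logged and indexed.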

What Records Were Leaked?

Recent cyber attacks, like the ones targeting Marriott and Equifax, were the doing of malicious third parties who were out to get valuable data. In the case of First American, the company itself was responsible for making its records publicly available to anyone who knew where to look.

The website leaked bank account numbers and statements, mortgage and tax documents, wire transaction receipts, Social Security numbers, and driver’s license images dating back to 2003. It was a gold mine for identity thieves. It is still unclear whether cybercriminals downloaded copies of the data and if so, what they plan to do with it.

What Are the Consequences of the First American Breach?

The day Krebs published the story, the company took down the parts of its website that were spilling precious data. However, when First American made a public announcement about the events that put millions of Americans in danger of identity theft, it seriously downplayed its own responsibility in the matter. The recent data breach was characterized as “a design defect in the web application that may or may not have had an effect on the security of customer information.”

New York’s Department of Financial Services immediately launched an investigation into the security failure that exposed 16 years’ worth of digital documents. The U.S. Securities and Exchange Commission began looking into the matter as well, in August 2019. The results are pending.

As for the potential victims, they have filed a class action lawsuit accusing the insurance giant of failing to implement even rudimentary security measures.

5. Verifications.io Data Breach

  • Year of breach: 2019
  • Data breached: 800 million records

Among the data spills of 2019, the one affecting verifications.io took everyone by surprise – mostly because people had never heard of this company before, yet it managed to leak 800 million personal and business records. Verifications.io LLC describes itself as a “big data email verification platform.” It is hired by marketing companies to verify the validity of email addresses used in advertising campaigns. Basically, verifications.io does the heavy lifting of verifying millions of email addresses to ensure that they are active before marketers start contacting them. And then it wound up on the list of companies with data breaches.

How Did It All Happen?

In an ocean of cyber security breaches where companies are targeted by data-thirsty hackers, this incident was more of a data leak. Luckily, it was discovered by white-hat cybersecurity researchers who notified the company right away. Bob Diachenko and Vinny Troia uncovered an unprotected 150GB MongoDB database. To their surprise, it held both personal and business information. After their discovery of the cybersecurity breach, Diachenko and Troia notified the administrators of verifications.io, who immediately took down the database. It hasn’t been restored since, and the company website was deactivated too.

What Records Were Leaked?

As soon as the pair began analyzing the publicly available data that they had stumbled across, they knew they were dealing with one of the biggest data breaches of the year. The researchers found four databases containing names, email addresses, social media data, home addresses, phone numbers, gender, and birth dates. There was also delicate information about people’s credit scores – characterizations like average, below average, and above average.

Other data was related to companies and could be used for generating sales leads. Company names, annual revenue figures, websites, industry identifiers for categorizing companies called SIC and NAIC, and fax numbers could be found. Diachenko and Troia got in touch with a fellow white-hatter, Troy Hunt, who runs Have I Been Pwned, a website where people can determine whether their data has been breached. Hunt cross-referenced the newly discovered dataset with information obtained in recent breaches and some not so recent. It turned out to be fresh.

What Are the Consequences of the Verifications.io Breach?

It is always bad when huge amounts of personal and business information become available for public download. People whose data was exposed in this cyber breach are in danger of phishing and scamming attacks. On the other hand, there were no passwords, no Social Security numbers, and no credit card information. What’s more, a lot of the info contained in the verifications.io database was already publicly available. And the company took down the database right after learning about the vulnerability.

6. Equifax Data Breach

  • Year of breach: 2017
  • Data breached: 605 million records of 147 million people

The Equifax breach was colossal in many ways. First and foremost, it was gargantuan because of the extremely sensitive information that got leaked. It was huge in terms of the number of affected individuals. That’s enough to make it rank high among significant security breaches.

But there’s more. The notification process was slow. In the six weeks between realizing there was a breach and notifying the public, executives sold lots of Equifax stock, raising suspicions of insider trading. And it is one of the largest data breaches when it comes to the settlement fee – a staggering $700 million.

How Did It All Happen?

Forensic analysis determined that the system was breached on March 10, 2017. The attackers exploited a vulnerability of the customer complaint portion of the Equifax website. A patch for that widely known software weakness had been released three days earlier, but Equifax’s IT staff had not yet installed the update. This is how one of the biggest hacks of all time began.

Equifax’s information security team didn’t notice the system vulnerabilities or unpatched software despite having run a series of scans aimed at discovering them on March 15. It remains unclear why system scans failed to detect the problems. Be that as it may, the attackers stayed more or less dormant until May 2017.

Then they moved from the compromised server to other parts of Equifax’s network and stole data thanks to yet another mistake. Equifax was 10 months late renewing the annual public key certificate it used to decrypt, analyze, and re-encrypt data pulled from the internal network. This lapse allowed the cyberthieves to extract terabytes of sensitive information unnoticed, landing Equifax on the list of biggest companies hacked in 2017. On July 29, system administrators finally became aware of the attack. A month of forensic investigation ensued. The public was informed of the breach on September 8.

What Records Were Leaked?

A series of slip-ups at the credit reporting agency led to the theft of approximately 605 million records belonging to 147 million Americans. Some 40% of the population got some of the following data exposed: name, date of birth, Social Security number, address, gender, phone number, driver’s license number, email address, taxpayer ID, driver’s license, and passport photo. An unlucky 200,000 individuals suffered a credit card breach too. This is information that can be used for a number of illegal activities. An identity thief could use it to open new credit card accounts, get a loan, open fake social media accounts, or commit fraud posing as the victim. The possibilities are endless.

What Are the Consequences of the Equifax Breach?

The list of companies that have been hacked in the last decade is a long one. The Equifax case is unique because of the type of customer information it leaked. Affected individuals filed a class action lawsuit that was resolved in 2019. The company is to pay a total of $700 million to damaged parties. Considering the number of people whose information was leaked, each person is entitled to a maximum settlement of $125.

Cybersecurity specialists continue to monitor the dark web for massive dumps of the stolen data. Since none of it has appeared for sale, some believe that Chinese state actors were responsible. Their goals are thought to be espionage, not theft.

7. Facebook Data Breach

  • Year of breach: 2019
  • Data breached: 540 million records

During its 15 years of existence, Facebook has had more than its fair share of cybersecurity breaches. With approximately 2.3 billion active monthly users, Facebook collects and stores enormous amounts of data – and tends to spill a lot of it, quite frequently. Maybe you remember the Cambridge Analytica scandal of 2016, for example, when the personal information of 87 million U.S. voters got exploited by consultants working on Trump’s presidential campaign.

Or the two recent data breaches of 2019, uncovered within a month of CEO Mark Zuckerberg’s announcement of Facebook plans to “pivot to privacy” in March 2019. The first of the security breach examples revealed that Facebook and Instagram passwords of millions of users, dating back to 2012, were left unencrypted on company servers and accessible to 20,000 Facebook employees. The second involved two third-party app developers, Cultura Colectiva and At the Pool, and 540 million records about user tastes and preferences. We’ll explore that one in more detail.

How Did It All Happen?

It wasn’t large-scale cyber attacks that led to these breaches. It was the social media giant’s inability to protect the massive quantities of information it collects. A team of cybersecurity investigators at UpGuard discovered two databases on Amazon’s publicly accessible S3 cloud service. One belonged to a Mexican media company, Cultura Colectiva, the other to a Facebook-integrated app called At the Pool. Both were available for download; both contained a social engineer’s pot of gold.

Upon the discovery of the poorly configured databases on the Amazon cloud, the UpGuard team reached out to Cultura Colectiva and At the Pool. They emailed Cultura Colectiva on January 10 and again on January 14, but they never got a response. The UpGuard team then contacted Amazon Web Services in late January. AWS took note of the recent security breach and said it would inform the database owner of the incident. Two months passed and the data stayed online. It was only in April, when Bloomberg questioned Facebook about the leak, that the databases were secured. As for the database belonging to At the Pool, it was taken down during UpGuard’s investigation.

What Records Were Leaked?

Data stemming from the Cultura Colectiva breach was 145GB. It consisted of more than 540 million records revealing likes, comments, reactions, account names, and Facebook IDs. The At the Pool database was smaller but contained even more detailed information: users’ likes, photos, books, movies, music, friends, groups, check-in, events, interests, and 22,000 unencrypted passwords.

What Are the Consequences of This Facebook Security Breach?

The information that was available for public download on the Amazon cloud is much like the data released in the Cambridge Analytica breach. It can be used for future hacking cases by malicious actors who want to perform social engineering attacks. Or it could be used to sway an election.

The curious thing is that no matter how many breaches the social media website has and regardless of nearly constant Facebook hack news, billions of users still stay on the network. No legal action has been taken so far regarding these two user security breaches, though Facebook has been sued multiple times for violating user privacy.

8. Marriott Data Breach

  • Year of breach: 2018
  • Data breached: 500 million records

When we look at the list of recent data breaches, the one that affected the world’s largest chain of hotels definitely stands out. Affecting approximately 500 million records, among them sensitive credit card information and passport numbers, it is classified as a major breach. One year after the leak was discovered, it remains unclear who was behind it. The fact that the stolen records haven’t ended up on the dark web, paired with the fact that Marriott is the main hotel provider for U.S. military and government officials, focuses suspicions on Chinese state-sponsored actors.

How Did It All Happen?

One of the latest data breaches, the Marriott leak was discovered in late 2018. A red flag was detected when a suspicious attempt to access the guest reservation system of Marriott’s Starwood brands was made on September 8. Two days later, third-party investigators were hired to look into the incident and to help implement containment measures.

Investigators worked quickly, and on September 17, 2018, they found what caused the data leak. A remote access Trojan – a type of malware that lets hackers secretly access, monitor, and even control a computer – was used by cybercriminals in the Marriott breach. The malicious actors also deployed Mimikatz, a tool for finding combinations of usernames and passwords in system memory. Armed with the credentials of one of the system administrators, the attackers made the suspicious guest database query on September 8. The query was caught by Accenture, the IT security company that has monitored all Starwood hotel databases since before the merger with Marriott.

Marriott purchased Starwood Hotels and Resorts in 2016. Following the acquisition, all of Starwood’s corporate employees were discharged, including the staff responsible for information security. Since the Marriott booking system wasn’t immediately able to handle reservations made in thousands of Starwood hotels, reservations made in those hotels continued to go through the virus-infected Starwood system. Investigators hired by Marriott discovered that the Starwood security breach happened back in 2014 and went on unnoticed for four years.

What Records Were Leaked?

During the time hackers had access to guest data, they accessed 500 million records. Full names, gender, email addresses, telephone numbers, mailing addresses, passport numbers, and credit card information were leaked. Even though the credit card numbers were protected by encryption, the encryption keys were recklessly stored on the same server that got raided by the hackers. Some of the passport numbers that got exposed in one of the biggest data breaches ever were encrypted, others were not.

What Are the Consequences of the Marriott Hack?

So far, millions of affected guests are relieved that their sensitive information, which could be used for identity theft, hasn’t been posted for sale on the dark web. However, if cybercrime investigators are right to believe that the reason for the attacks was gathering intelligence on US officials, then the consequences could be much more far-reaching.

As for Marriott, most of the expenses were borne by its insurance company. By May 2019, the costs associated with the recent data breaches amounted to $72 million. Marriott’s cyber insurance policy covered $71 million of it. The hotel industry giant was issued a $120 million fine by the UK Information Commissioner’s office, but it has yet to pay. Several class action lawsuits have been filed by affected guests and are yet to be resolved.

9. Friend Finder Networks Data Breach

  • Year of breach: 2016
  • Data breached: 412 million user accounts

When we look back at the last decade of information security breaches, 2016 was a memorable year. Before the gravity of the Yahoo! hack was publicized at the end of the year, the Friend Finder Networks leak was considered the biggest among data breaches of 2016. Some 20 years’ worth of data – 412 million records on users of the adult entertainment and dating network – were exposed due to a malicious attack. The affected individuals were registered users of five websites under the Friend Finder Networks umbrella – adultfriendfinder.com, penthouse.com, cams.com, iCams.com and stripshow.com.

How Did It All Happen?

The data hacks that occurred in October 2016 were reported on Twitter by a vulnerability researcher who goes by two pseudonyms – Revolver and 1×0123. He had discovered flaws on the Adult Friend Finder website that allowed unauthorized parties access to the site’s databases. Aware of the fact that the local file inclusion flaws could lead to major data breaches, he notified Adult Friend Finder of his discovery. Just 12 hours later, Revolver reported that he had worked with Adult Friend Finder and resolved the issue. He added that customer information hadn’t left the website.

That soon proved to be unjustified optimism. LeakedSource, a breach notification website, got hold of the leaked databases, source code, access control lists, certificate keys, and configuration files. LeakedSource estimated the time of the breach to be September or October 2016.

What Records Were Leaked?

In what was then one of the world’s biggest data breaches, six databases with information reaching back to the 1996 launch of Friend Finder Networks leaked. Hackers stole user names, email addresses, and passwords, plus private and public keys for the company’s servers, source code for credit card processing, user management in the billing database, and scripts for internal IT functions. Accounts from the cams.com and penthouse.com websites also included user IP addresses and membership status.

LeakedSource discovered that Friend Finder Networks didn’t use the necessary precautions to safeguard user passwords. Some of them were stored in plain format, while others used a very weak method of protection. In total, accounts of more than 412 million users were breached, including 15 million deleted accounts.

What Are the Consequences of the Adult Friend Finder Breach?

Looking at data breach examples from the past decade, this one was significant because it revealed a staggering number of easy-to-crack passwords. For example, nearly a million accounts were “protected” by the password “123456.” Another 1.5 million used some combination of numbers 0 through 9. The word “password” was the password for 101,046 users.

Friend Finder Networks notified the affected users one month after the spill was reported by Revolver on Twitter and on the LeakedSource website. Even then, the company failed to incorporate best practices when it comes to breach notification. Instead of emailing everyone who was affected, they informed users of the breach via their websites. That means the 15 million users who had deleted their accounts never got warnings that their data was circulating online. Unlike other famous data breaches, which were resolved in court, the Friend Finder Networks class-action lawsuit was moved to arbitration in May 2019.

10. U.S. Voter Data Breach

  • Year of breach: 2017
  • Data breached: personal and political information on 198 million American voters

Enormous amounts of data about nearly every adult American were leaked in June 2017. The information, which was gathered by the Republican National Committee during the Trump electoral campaign of 2016, was remarkable both in scope and scale. Not only was there personally identifiable information like names, surnames, dates of birth, and so on, but the database also included ethnicity and religion. The privileged data of more than 198 million Americans was left unprotected in cloud storage, leading to the largest U.S. voter database breach we have seen so far.

How Did It All Happen?

Three data analytics firms – Deep Root Analytics, TargetPoint Consulting, and Data Trust – were hired by the Republican National Committee to support Trump’s campaign. All three companies were either aligned with or founded by the GOP. They were tasked with creating a data repository of in-depth voter information that would help make informed decisions regarding electoral advertising and microtargeting of key demographics groups. The end goal was winning the election.

After Trump was elected and inaugurated, Chris Vickery found the data goldmine created by the three companies. On June 12, 2017, the UpGuard cybersecurity researcher discovered a 1.1-terabyte database on an Amazon Web Services S3 server. Due to its tremendous size and the fact that it lacked any access controls, it led to the biggest voter data leak ever. Since the public-facing cloud server had no protection measures in place, Vickery was able to download all the data it contained. So massive was the repository that it took him two days to complete the download.

What Records Were Leaked?

Perhaps a better question would be – what records were NOT leaked? The Amazon database titled DRA-DW contained names, surnames, birthdays, genders, home and email addresses, address changes, phone numbers, registered party affiliations, self-reported racial demographics, voter registration statuses, and whether people were on the federal “Do Not Call” list.

Information accessible through one of the largest data breaches in history also detailed how each particular voter feels about various political issues, ranging from gun control to Trump’s “America first” foreign policy. Vickery informed federal authorities of his discovery on June 14. The database was taken down immediately by Deep Root Analytics.

What Are the Consequences of the RNC Data Leak?

The nation was in shock when word of this leak got out. It was disquieting how much information was collected and how much information could be obtained through data analysis. UpGuard’s researcher checked his own data to see if the analytics companies predicted his political views correctly. He reported they were right most of the time. This raised serious concerns about how politicians are taking advantage of big data to sway elections in their favor.

Another major concern was the fact that this deep data pool was left unprotected for anyone to stumble upon. Data security is a burning issue of our time and it’s largely unaddressed by lawmakers. Just days after the news of one of the biggest data breaches broke, people filed a class action lawsuit.

Lessons Learned From Mega Breaches

If these incidents have taught us anything, it is that we need to take data security more seriously. Companies big and small are gathering confidential information, but they aren’t safeguarding it. If government organizations and large corporations are spilling data due to poor security measures and cyberattacks, we can only assume that small and medium-size businesses are victims of the same ploys.

With the proliferation of IoT devices, the amount of data we collect is growing exponentially. If we want to accommodate this growth and prevent future attacks, we need better cybersecurity laws and higher penalties for companies that fail to protect the sensitive information they collect. These measures, paired with more cybersecurity training and employee awareness, could ensure that history’s biggest data breaches are behind us.
