Stuxnet, Target, Equifax: Worst breaches of 2010s
Almost daily, we hear about another privacy “incident,” or an “exposure” of information. Among the billions of these incidents that took place over the decade — the vast majority of which were either undetected or unreported — only a handful can legitimately be called security “breaches”: that is, non-theoretical events that actually harmed people or equipment, or sowed real chaos.
These incidents do not include the well-known violations of privacy, like Facebook allowing Cambridge Analytica to collect information from unwitting consumers. Nor do they include high-level but theoretical nation-state risks, like those alleged by U.S. intelligence agencies against China’s Huawei.
Of the trillions of threats this decade, and the billions of breaches, and the thousands of those breaches that actually made it to the news, here are the six incidents that really mattered.
2010: Iranian nuclear facilities
What happened: A cyberweapon known as Stuxnet was first uncovered in 2010 but had probably been used for many years prior. The extremely sophisticated malicious software was used most famously to modify the workflow of centrifuges in an Iranian nuclear power plant, causing them to spin uncontrollably and explode or catch fire.
It was the first time a malicious computer program had been used to cause so much physical damage.
Why it was disruptive: Stuxnet catapulted cybersecurity to the forefront of global national security conversations. The incident has raised numerous policy questions — particularly how countries can determine when a cyberattack constitutes an act of war — and illuminated the way in which a country might use the digital realm to cause severe damage to an enemy. Governments also began to invest more heavily in security efforts touching the electrical grid.
Stuxnet had another unexpected effect: the military-grade malicious code, rumored heavily to have been developed jointly by Israeli and American intelligence, was re-engineered by the Iranians and used to attack other targets, notably in Saudi Arabia. The code also leaked onto the internet, putting one of the most powerful cyberweapons that had ever been developed into the hands of just about anyone who could figure out how to use it.
2013: Target
What happened: At the peak of the holiday season in 2013, Target’s CEO announced a massive breach of 110 million customer credit cards and other personal details, including names, addresses, phone numbers and emails. The timing of the breach announcement created a perfect storm of bad press for the company.
The breach began with malware-infected systems belonging to one of the company’s HVAC providers, and the infection spread from there to point-of-sale terminals and other retail equipment.
There were hundreds of similar incidents during the decade. But unlike many of those others, Target suffered real repercussions.
CEO Gregg Steinhafel came out immediately after announcing the breach with heavily apologetic messaging. Rather than calm stormy waters, the approach seemed to exacerbate Target’s problems and annoy anxious holiday shoppers. Target’s year-over-year revenue fell 46% in the fourth quarter of 2013 as a result. Steinhafel would resign by May 2014 because of the incident; he was preceded by the company’s CIO, Beth Jacob, who left in March 2014.
By contrast, Home Depot suffered a nearly identical breach but did not disclose it until early in 2014, which appeared to temper consumer outrage over the incident.
Target introduced numerous reforms to its cybersecurity program following the incident, built a global cybersecurity fusion center and invested heavily in information-sharing initiatives with other retailers, financial services firms and the hospitality industry.
Why it was disruptive: Target’s breach had numerous long-term consequences for cybersecurity.
First, crisis teams have closely studied the timing of the breach and the messaging Target used. Target’s in-your-face, highly apologetic strategy backfired; that’s why so many breaches today are announced in staid press releases, and executives seldom spend much time talking about them.
Second, the fact that a mundane third-party service provider opened Target to criminal hackers sparked far greater focus on third-party vendors. Programs vetting the cybersecurity practices of outsourced service providers are much more prominent than they were.
The resignations of the company’s CEO and other top executives because of the breach also marked a first. CEOs, board members and other leaders started paying a lot closer attention to cybersecurity after the Target breach.
2014: Sony
What happened: In November 2014, private information and emails of employees of Sony Motion Pictures were stolen and leaked by hackers associated with the North Korean government. The incident was, the attackers said, retaliation for a comedy film produced by Sony that depicted the assassination of North Korean leader Kim Jong-Un.
Why it was disruptive: The Sony breach reverberated through board rooms as much as it did through tabloid media. Execs started grilling cybersecurity staffers about topics they’d shown little interest in before, like whether their companies were angering any hostile nation-states and how their companies treat email retention.
The incident thrust “reputational risk” front and center to the considerations of how cybersecurity could harm the corporation.
North Korea also emerged from the incident as a significant and surprising power player on the cyberthreat stage. The country has raised significant money from its cyberattacks after Sony, which have included major ransomware incidents and bank heists.
2017: NotPetya
What happened: On June 27, 2017, several things happened at once: labs in the U.S. that made vaccines for Merck stopped running, ships that brought goods through Scandinavia and across the oceans for Maersk stopped shipping, factories that churned out chocolates for Cadbury stopped churning, and shipments bound for shops across Europe managed by Reckitt Benckiser and FedEx ground to a halt. All because of NotPetya.
NotPetya was ransomware that acted like a worm, jumping from company to company across networks. It mirrored a predecessor bug known as WannaCry, but was far more damaging, causing lasting outages and significant damage not just to desktop computers, but to the systems that run large industrial equipment or logistics operations. The incident was attributed to Russia, and 80% of the systems hit by the ransomware were in Ukraine.
Why it was disruptive: NotPetya displayed plainly for the first time how interconnected different industries are.
It also sparked a reckoning for the nascent industry of cyber insurance. Companies such as FedEx that had no cyber insurance incurred massive costs. Several companies that did have cyber insurance have sued their insurers because those insurers denied the claims for various reasons, including by invoking “act of war” clauses.
Warren Buffett even cited NotPetya as a reason why he has remained mostly uninvolved in the cyber insurance business, despite Berkshire Hathaway’s considerable holdings in other types of insurance offerings. “We can figure the probability of a quake or a hurricane but don’t know as much in cyber,” Buffett said in 2018. “It’s uncharted territory on the insurance side and will get worse, not better.”
NotPetya and WannaCry also introduced the public to the unsavory business of ransomware, which has since spread around the globe and hit U.S. cities, educational institutions and health-care providers.
2017: Equifax
What happened: In March 2017, something barely noticeable happened on the cybersecurity landscape — a vulnerability in an open source software platform known as Apache Struts was discovered. The U.S. Computer Emergency Response Team released an urgent memo to companies to patch the problem.
Credit ratings agency Equifax got the memo. The directive to patch the Struts problem was passed down throughout different parts of the organization responsible for these fixes. But one of those departments didn’t fulfill the patching as requested. The rest is history.
By around May, criminals had found the unpatched system, a database housing information on credit bureau complaints. From there, these hackers — who are still unknown — made off with the Social Security numbers and other credit details of nearly half of all Americans, along with some residents of Canada and the U.K.
Why it was disruptive: The Equifax breach, announced Sept. 7, 2017, may not be the biggest or the most expensive, but it absolutely will go down in history as one of the messiest and most likely to spark vitriolic outrage in consumers.
As with the Target breach, executives at other companies looked on in fear as the fallout reached deep within the Equifax organization. CEO Richard Smith left Sept. 26 following a disastrous response. The company’s CIO was later indicted on charges that he used information about the breach before it was made public to trade the company’s stock.
Equifax has spent hundreds of millions on this incident, including the most recent $575 million settlement with consumers whose data was stolen in the incident.
The company’s stock has recovered, but its reputation remains battered as it continues to make missteps — most recently, in July 2019, the Federal Trade Commission said Equifax could run out of settlement money before paying all the claims made by consumers whose information was stolen. The company has, however, invested significantly in building a stronger cybersecurity program, including emphasizing communication between leaders and cybersecurity executives, and integrating security projects throughout disparate lines of business.
2018: Marriott
What happened: By 2018, breaches of massive amounts of consumer data had become so commonplace that Marriott was not even particularly memorable. Its numbers were eye-popping — an original estimate of up to 500 million people affected, but no Social Security numbers. The theft of 5 million passport numbers stirred consumers a bit more than the average. But the incident sparked only a few weeks of commentary before mostly fading away.
So why is it on this list? Because under the surface, the Marriott breach was highly disruptive to one cyberthreat area that had mostly gone ignored throughout the decade: merger due diligence. The breach originated with a database managed by Starwood Resorts, which was purchased by Marriott in 2016 for $13.3 billion. The data leak may have been ongoing for several years, the company has said.
Why it was disruptive: Just as Target sparked a whole generation of robust third-party oversight programs in the corporate world in the early half of the decade, the Marriott breach is already causing companies to improve how they conduct investigations of companies they plan to purchase.
Shareholder lawsuits calling into question Marriott’s merger due-diligence practices make some of the most compelling data-breach suits in years.
In many ways, Marriott is a sleeper breach — one that we might not think about much but will cause ripple effects in some major areas of business well into the next decade.