5 Biggest Data Breaches of All Time from Phishing

Data breaches are becoming a relatively common occurrence for businesses of all sizes around the world, and for companies in the United States in particular. One recently announced example is the discovery of Collection Number One, a massive collection of information that is thought to be one of the biggest data breaches in history. The incident left more than one billion combinations of email addresses and passwords unprotected.

Some of the most eye-opening phishing attack statistics come from Verizon. According to the company’s 2018 Data Breach Investigations Report, “Phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%).” While the biggest data breaches can be the result of hacks and insider threats (such as disgruntled employees), it’s easy to see that many of the most well-known and biggest data breaches occurred due to phishing attacks.

Phishing breaches are launched by phishers who use malicious social engineering attacks to gain information from unsuspecting users. The two most commonly used methods are phishing email scams and website email scams. The email scams are designed to look like they were sent from legitimate companies or people the recipients know. They often contain malicious software that downloads automatically to the recipients’ machines, or they link users to fraudulent websites made to look authentic through visual design, “typosquatting,” and Unicode domains.
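As an added example (not part of the original article), here is one way a mail filter could flag link hosts that imitate a trusted domain through typosquatting or Unicode look-alike characters. The allow-list, the small confusables map and the function names are assumptions made for illustration, and the check compares the full host name only.

```python
# Constructed allow-list of domains the organisation really uses (assumption).
TRUSTED = ("google.com", "example-bank.com")

# Small constructed map of look-alike characters (Cyrillic letters and digits);
# a real deployment would load the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "0": "o", "1": "l",
}

def decode_host(host):
    """Lower-case a host and decode punycode (xn--) labels to Unicode."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as received
        labels.append(label)
    return ".".join(labels)

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(host):
    """Fold look-alike characters onto the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def classify(host):
    """Label a link host relative to the trusted allow-list."""
    host = decode_host(host)
    if host in TRUSTED:
        return "trusted"
    folded = skeleton(host)
    for good in TRUSTED:
        if folded == skeleton(good):
            return "lookalike of " + good
        if edit_distance(folded, skeleton(good)) <= 1:
            return "typosquat of " + good
    return "unknown-idn" if any(ord(ch) > 127 for ch in host) else "unknown"
```

Hosts labelled as a lookalike or typosquat are candidates for blocking or a user warning; an "unknown-idn" result only says the name contains non-ASCII characters and is not near any trusted domain.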

The Biggest Phishing Attack Examples to Make Headlines

We’ve compiled a brief list of some of the biggest data breaches that have occurred from email phishing attacks:

#1 of the Biggest Data Breaches from Phishing: John Podesta’s Email

There was a lot of controversy surrounding the November 2016 election on both sides of the political spectrum. One of the most notable incidents was the hack of John Podesta’s Gmail account. Podesta, chairman of presidential candidate Hillary Clinton’s Democratic election campaign, found himself as one of the country’s top phishing attack examples when his account was victimized by a Russian hacker group known as Fancy Bear. The phishers, pretending to be Google, sent an email saying that he needed to change his email after an attempted hack occurred. However, in true phishing attack fashion, the email linked to a malicious website. When someone with access to Podesta’s email used the compromised link, the hackers gained access to his account. This led to the eventual release of thousands of Podesta’s emails via WikiLeaks in the weeks leading up to the November election.

#2 of the Biggest Data Breaches from Phishing: The U.S. Power Grid

In January, we published an article about how state-sponsored Russian hackers gained access to the power grid infrastructure of the United States. According to a joint report by the U.S. Department of Homeland Security (DHS) and the FBI, the attacks “affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”

Contrary to popular belief, the attackers didn’t accomplish this through some brazen, direct attack of high-value targets. Instead, the hackers targeted smaller companies (an educational training website, excavation companies, and a construction firm) to use them as PhishBots against one another and to target the larger power grid organizations with which they had working relationships. They took advantage of the companies’ known contacts, their trust graph, and used those connections to their advantage.

Although there is no known damage or sabotage to any of the power equipment (their mission appeared to be one of surveillance and observation), it serves as a stark warning that if the hackers did it once, they likely could do it again.

#3 of the Biggest Data Breaches from Phishing: JPMorgan Chase

JPMorgan Chase holds the undesirable title of being a company that has experienced one of the most significant phishing breaches in history. In 2014, the company announced that the contact information for 76 million households and seven million businesses was compromised in the massive attack. Hackers utilized a combination of phishing tactics to get login credentials and exploitation of an OpenSSL vulnerability to steal information that is typically encrypted.

#4 of the Biggest Data Breaches from Phishing: Sony Pictures

In retaliation for the creation of the movie “The Interview,” a film about the plot to kill North Korea’s head of state, a North Korean government-backed hacker group launched a devastating attack on the entertainment giant in November 2014. Using phishing and spearphishing emails, which contained malware, the attackers gained access to Sony’s network and performed months of covert reconnaissance.

Once inside, they also threatened company employees and executives, stole confidential data, and disabled thousands of the company’s computers. The attack is thought to have cost the company upwards of $100 million.

#5 of the Biggest Data Breaches from Phishing: BenefitMall

Among the most recent phishing attacks reported by the media is one that affected BenefitMall, a human resource, employee benefits, and payroll administration solutions company. Between June 2018 and October 2018, the company’s website was accessed via employee email login credentials that were exposed during an email phishing attack, according to a press release.

The types of consumer information left exposed in the affected mailboxes are thought to include:

  • Names
  • Email addresses
  • Birth dates
  • Bank account information
  • Insurance premium payment information

Although the full extent of the attack is not yet known, BenefitMall works with “a network of more than 20,000 Trusted Advisors” to serve more than “200,000 small and medium-sized businesses.” This leaves a potentially enormous group of employees and businesses at risk.

Phishing Attack Honorable Mention: Facebook and Google

Although these, technically, aren’t phishing-related data breaches, they still are worth mentioning. Facebook and Google each lost $100 million to sophisticated phishing and wire fraud schemes that were allegedly perpetrated by a Lithuanian hacker named Evaldas Rimasauskas. Rimasauskas, who The Guardian reports is accused of posing as Quanta Computer, an electronics manufacturer and vendor for major companies that include Facebook and Google, reportedly sent phishing emails in the form of fraudulent invoices to con the companies out of the money.

Protect Your Data with a Phishing Prevention Solution

Want to keep your company’s name off our future lists of the biggest data breaches? Discover how you can protect your company and employee emails from phishing attacks and spearphishing threats with ClearedIn, an anti-phishing platform. Our business anti-phishing solution protects companies by using artificial intelligence (AI) and machine learning to analyze their email and chat communications metadata. Looking at the frequencies at which emails are sent or received by specific individuals, the platform creates individualized Trust Graphs for your business and employees. This information is then used to identify potential threats and educate your employees about the threats to keep them safe.

Contact our team of cyber security experts today to schedule a free demo or to learn more.