According to a 2016 survey conducted by PricewaterhouseCoopers, organizations rank cybercrime as the second most reported type of economic crime, up from fourth place. (It’s worth noting that most cybercrimes go unreported.)
In the survey, 32 percent of organizations admitted they had been a victim of cybercrime and 34 percent expected to become a victim in the next two years. Only 37 percent had a plan to respond to these incidents.
Such stats indicate widespread denial in the face of a growing problem. Online crime has way beyond teenage hackers pushing boundaries and into elaborate worldwide syndicates that are well organized and use sophisticated tools. They steal personal data, passwords and other information, then use it to blackmail businesses or scam consumers. Or they might sell it on the black market, where others can use it to steal identities and run up credit card charges.
Here are 10 of the most notable cybercrimes, either by size or significance. They illustrate the growing threat to businesses, consumers and governments.
Rarely a week goes by without news of another data breach at another corporation. And cyber thieves are taking different types of data and doing more things with them.
Infographic: 10 Biggest Cyber Crimes and Data Breaches
1. 50 Millions Credit Cards Data Stolen from Home Depot’s System (2014)
In 2014 retailer Home Depot’s system was breached, exposing data from over 50 million credit cards.
The thieves used a vendor’s user name and password to get onto the company’s computer network, then installed malware on its point-of-sale systems, which meant that consumers swiping their credit cards were literally handing over their data to the criminals.
In short, people were buying physical items from a real life store, but ended up giving their credit card data to hackers. Scary, huh?
2. Single Largest Theft of Customer Data (Citigroup, HSBCS, Dow Jones & Others) in 2014
Bank JPMorgan Chase in 2014 disclosed a massive breach that compromised the data of 76 million households and 7 million small businesses. Other U.S. financial institutions, brokerage firms, and financial news publishers were targeted, including Citigroup, HSBC, Dow Jones and payroll service company ADP.
Three men, now under arrest and pending trial, had set up “hacking as a business model,” according to Preet Bharara, the United States attorney for the Southern District of New York. He called the breach:
“The single largest theft of customer data from a U.S. financial institution ever.”
The charges allege that the men used the stolen information in pump-and-dump schemes, manipulating prices of stocks by sending fake e-mails to customers whose data was stolen, tricking them into investing then profiting by the rise in stock price. The three men also allegedly operated unlawful internet gambling sites, distributed counterfeit and malicious software and operated an illegal BitCoin exchange.
3. Yahoo Data Breach: Over 1,5 Billion Users Data Was Breached (2013 to 2016)
Yahoo! has been the target of at least two major breaches.
In September 2016, the company disclosed that it had a 2014 breach compromised the data of at least 500 million users.
Then in four months later it reported another breach had happened in August 2013 that exposed data of more than a billion Yahoo! users. The company did not explain why it took so long to report the breaches, which could land it in trouble with regulators.
The U.S. Securities & Exchange Commission issued guidance in 2011 that required companies to disclose material information about cyber incidents if they could impact investors. The agency is reportedly investigating the company.
4. In 2015, 79 Million Customer’s Data was Stolen from HealthCare Companies
The last three years have shown how vulnerable consumer health data can be as hackers increasingly target health insurance and medical information.
In 2015, three healthcare companies – Anthem, Premera Blue Cross and CareFirst BlueCross BlueShield, were hacked. Anthem’s was the largest – exposing some 79 million customers’ data. Premera lost information on more than 11 million customers. Then CareFirst uncovered a breach that compromised the information of over a million customers.
The U.S. government, which sometimes holds even more critical information than companies, has become a juicy target.
5. Over 700,000 Social Security Numbers Were Stolen From IRS in 2015
In 2015, the U.S. Internal Revenue Service had a breach that exposed more than 700,000 Social Security numbers and other sensitive information. Published reports say the hackers took advantage of an online IRS program called “Get Transcript,” which allowed taxpayers to access their tax history.
Even before the breach, identity thieves were using stolen Social Security numbers to fraudulently file for refunds. According to a report by the inspector general, in the 2016 tax season the IRS identified 42,148 tax returns with $227 million claimed in fraudulent refunds, and that was only as of early March of that year.
6. Largest Government Data Breach (2016) Due to Outdated Technology
Meanwhile, the U.S Office of Personnel Management (OPM) exposed records of as many as 21.5 million people, one of the largest breaches of government data in U.S. history.
Information included Social Security numbers, names, dates and places of birth, health and financial details and even fingerprints of people who had been subjected to government background checks. A congressional report published in September 2016 said the government was using outdated technology that left its systems vulnerable. One of the hackers used a contractor’s credentials to log on, install malware and create a backdoor to the network.
Governments around the world also have learned how to use hacking to their advantage, for cyber-espionage.
7. Google Corporate Servers in China Were Hacked in 2009
In 2009, hackers accessed several of Google’s corporate servers in China, stealing intellectual property and other information. The company said it had “evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.”
Four years later, in 2013, U.S. government officials said the Chinese hackers had accessed a sensitive database that contained court orders authorizing surveillance, possibly of Chinese agents who had Gmail accounts. A Microsoft official suggested that Chinese hackers had targeted its servers at about the same time as Google’s, possibly seeking similar information about its email service.
8. North-Korea “supposedly” Hacked Sony Pictures and Stole Unreleased Movies
In 2014, hackers attacked the computer network of Sony Pictures, stealing employee e-mails, information on executive salaries and copies of unreleased movies. There was widespread speculation that the group was trying to disrupt release of the film, The Interview, a comedy depicting a plot to assassinate North Korean leader Kim Jong-un.
The U.S. government blamed the North Korean government for the breach – the first time the U.S. government publicly accused a country of a cyber attack.
9. WikiLeaks: Sensitive Emails From Democratic National Committee (2016)
… and it would not be the last.
In July WikiLeaks published a series of emails taken from servers of the Democratic National Committee. The e-mails contained private correspondence, some of which derided the campaign of the Bernie Sanders, and sensitive financial data on high-profile donors to Hillary Clinton’s campaign.
The revelations prompted the resignation of the DNC’s chairperson and arguably impacted the U.S. election. S. intelligence agencies said they were confident that the Russian government was behind the hacks and even issued a report at the end of 2016 providing details on how the Russians allegedly carried out the exploit. Others, particularly new President Donald Trump, expressed doubt that Russia was responsible.
10. Biggest DDOS Attack That Took Down Twitter, PayPal, Netflix and Others (October, 2016)
2016 also marked the first time the so-called “Internet of Things” (IoT) was widely used in a cybercrime. In October, a cyberattack on one of the companies that host the internet’s Domain Name System, a directory of internet addresses, took down many of the internet’s most popular sites, including Twitter, Netflix, Paypal and Spotify.
The attack was of a common type, called a distributed denial of service (DDoS), which shuts down systems by bombarding them with too many requests at the same time. The unusual and alarming aspect, however, was that rather than using “zombie PCs,” where malware has been downloaded onto the PCs of unsuspecting consumers, making them into a sort of robot that can help to send all these requests, the attackers used common internet-connected things like baby monitors and digital recorders.
The company, called Dyn, said the onslaught came from millions of internet addresses, making it one of the largest cyberattacks of all time.
Experts believe that as more things are connected to the internet, cybercrime is only going to get worse. Research firm Gartner forecasts that there will be 6.4 billion things connected to the internet by 2018. It predicts that by 2020 some 25 percent of known cyberattacks will involve the IoT.