How Marriott's data breach ranks among the biggest corporate data fails
Marriott on Friday said up to 500 million Starwood properties guests' information may have been exposed in a massive data breach that began in 2014.
The hotel giant joins a list of other corporations whose systems to protect their customers' personal information failed. Here is how the breach stacks up against other corporate data debacles.
1.Yahoo
Verizon in 2017 said all three billion Yahoo users' data was breached in a 2013 hack, after it initially reported that just one billion accounts had been compromised.
Verizon acquired Yahoo in a $4.5 billion deal that closed in June 2017 -- and said the security breach was discovered during the integration of the two firms.
An investigation revealed that users' passwords in clear text, payment card data and bank information were not stolen.
2. Marriott
Personal data belonging to roughly 500 million Starwood properties guests was compromised in the second-largest cyberattack on a company in history.
Marriott said Friday it discovered that beginning in 2014, hackers gained "unauthorized" access to its database of customer information. That included guests' names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, genders, reservation dates and more.
Credit card numbers and their expiration dates were also taken, the hotel chain said.
"Yahoo is the only one that I am aware of that was bigger, so this is a really important deal for consumers," CreditCards.com industry analyst Ted Rossman told CBS MoneyWatch. "And it looks like Yahoo was comparable in terms of what was taken, including names, dates of birth, email addresses, passwords."
Marriott is multinational, but the breach appears to be limited to the U.S., the UK and Canada.
3. Friend Finder Networks
Friend Finder Networks Inc., a network of adult dating and webcam sites, said in 2016 that more than 412 million user accounts were affected by a data breach. Individuals' usernames, emails and passwords were leaked from dating and hookup websites including Adult FriendFinder, Cams.com and Penthouse.
The passwords were stored as plaintext or encrypted by the insecure SHA-1 hashing algorithm and were easily decoded.
AFF Vice President Diana Ballou at the time said the company "did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability."
4. EBay
eBay in 2014 urged all 145 million of its users to change their passwords after hackers stole encrypted passwords, email addresses, mailing addresses, phone numbers and dates of birth. No financial information, such as credit card numbers or taxpayer IDs were accessed.
"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," the company said in a statement at the time.
The online auction giant saw a decline in user activity following the breach. It had little effect on revenue, though.
5. Equifax
The credit reporting bureau said in September 2017 that 145.5 million users' information had been compromised in a data breach. The stolen data included individuals' names, social security numbers, and credit card numbers. Finer details, including credit card expiration dates, were not believed to have been exposed.
Rossman noted that, in the case of Marriott, guests' social security numbers don't appear to have been accessed in the breach. "That would be very damaging," he said.
Equifax subsequently replaced its CEO and spent millions of dollars in prevention efforts.