Right before Thanksgiving weekend, Uber surprised investors by self-revealing a major data leak that the company had wanted to cover up. Uber confessed that it had paid two hackers $100,000 to conceal the data breach that compromised 57 million user accounts.
The news broke a few days before a SoftBank-led investor consortium were scheduled to place a bid to buy a significant chunk of Uber (14 percent). In a November 26 article, The Wall Street Journal, citing industry observers, speculated that the fallout could be quiet, because “corporate breaches are becoming so routine that they shouldn’t weigh on a company’s valuation.”
It turns out the Journal is partially wrong. The investors discounted Uber’s valuation by 30 percent when they announced the offer yesterday, Reuters reported.
But the Journal made a valid point about how ubiquitous cybersecurity breaches are these days. “There are a massive amount of consumer email lists circling around in the market as a result of past data leaks,” Alex Heid, chief research officer at cybersecurity rating agency SecurityScorecard, told Observer in a recent interview.
Not all data leaks are treated equally. While some companies—like Equifax and Uber—suffered immediate consequences, others didn’t pay their dues until years later.
Here is a list of major cybersecurity breaches in recent years and how the aftermath unfolded. The list is not exhaustive of all companies that have had cybersecurity breaches, but serves to identify, on a surface level, the most notable cases in their respective sectors.
Uber (ride-sharing service): 57 million user accounts were hacked in 2016. Uber paid two hackers to destroy the stolen data. The incident and cover-up happened under the charge of former CEO Travis Kalanick.
Damage: Uber fired chief security officer Joe Sullivan and his deputy; Company valuation dropped by 30 percent; The New York State Attorney General’s office opened an investigation.
Equifax (consumer credit rating agency): 143 million records of personal information were hacked in July. The leaked data included names, Social Security numbers, birth dates, addresses and driver’s license numbers. The breach was made public in September.
Damage: CEO Richard Smith, chief information officer and chief security officer resigned immediately after the news broke; Stock prices slumped by 35 percent in a week (and has remained flat); The 2017 third-quarter profit declined by 27 percent compared with last year; The company has incurred $87 million in cost related to the breach; Dozens of government investigation are going on.
Yahoo (Internet media): 3 billion user accounts were hacked in 2013. Number wasn’t disclosed until October 2017.
Damage: Yahoo has faced 41 class action lawsuits, per CNBC; Former CEO Marissa Mayer was subpoenaed to testy before Senate in October. (Mayer left Yahoo when Verizon acquired the company in June.)
LinkedIn (social/professional networking site): 117 million user accounts were hacked in 2012. The scale of the breach was first reported at 6.5 million. The actual number was found when a Russian hacker began selling 117 million emails and passwords for bitcoin on a dark web marketplace in May 2016.
LinkedIn asked all users to reset their passwords and enable two-step authentication.
Damage: A group of LinkedIn Premium users filed a class action against LinkedIn for failing to protect user data. The case was dismissed in 2013. (LinkedIn was acquired by Microsoft (MSFT) in 2016 for $26 billion, one of the largest deals in technology sector.)
Home Depot (retail chain): 26 million credit card numbers were stolen in 2014.
Damage: Home Depot paid $19.5 million in a settlement to affected consumers, $25 million to settle with banks, and $134.5 million in compensation to credit card companies and banks, Fortune reported.