🔒Cybersecurity for Business

Major Data Breach Case Studies

Why This Matters

Data breaches aren't just IT problems—they're business catastrophes that test everything you're learning about risk management, regulatory compliance, incident response, and third-party security. When you study these cases, you're seeing how failures in vulnerability management, access controls, and security governance translate into hundreds of millions in losses, regulatory fines, and permanent reputation damage. Each breach reveals a specific breakdown in the security framework that organizations should have had in place.

You're being tested on your ability to identify root causes, understand regulatory consequences, and recognize attack vectors across different industries. Don't just memorize breach statistics—know what security principle each case illustrates and why that failure occurred. When an exam question asks about supply chain risk or cloud misconfiguration, you need to immediately connect it to the right case study.


Vulnerability Management Failures

These breaches occurred because organizations failed to patch known vulnerabilities or properly configure their systems. The window between vulnerability disclosure and exploitation is often measured in days, not months.

Equifax Data Breach (2017)

  • 147 million records exposed—including Social Security numbers, birth dates, and addresses, making it one of the most damaging breaches for identity theft risk
  • Unpatched Apache Struts vulnerability was the entry point; the patch had been available for two months before attackers exploited it
  • $700 million settlement plus ongoing regulatory scrutiny demonstrated how patch management failures create existential business risk

Capital One Data Breach (2019)

  • 100+ million customer records compromised—including bank account numbers and Social Security numbers from credit card applications
  • Misconfigured Web Application Firewall (WAF) in AWS allowed a former cloud company employee to exploit server-side request forgery (SSRF)
  • $80 million OCC fine specifically cited failure to establish effective risk assessment processes before migrating to cloud infrastructure
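
The Capital One entry above turns on server-side request forgery reaching cloud infrastructure behind a misconfigured WAF. As an added illustration that is not part of this guide, the Python check below shows the destination validation a server-side URL fetcher should enforce so a forged request cannot be pointed at loopback, private or link-local addresses (where cloud metadata endpoints sit); ALLOWED_HOSTS and the function names are hypothetical.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlparse

# Hypothetical allowlist: the only external hosts this service is meant to fetch.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}


def _is_blocked_address(host: str) -> bool:
    """True if host is a literal IP in a range a server-side fetcher must never
    reach: loopback, private, link-local (cloud metadata endpoints), etc."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal IP; the allowlist handles it
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_fetch_target(url: str) -> Tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). The reason is meant for logging, so that
    rejected requests (e.g. repeated probes at internal ranges) reach
    monitoring instead of being silently dropped.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable"
    if parts.scheme not in ("http", "https"):
        return False, "bad_scheme"            # file://, gopher://, etc.
    if parts.username or parts.password:
        return False, "userinfo_present"      # "allowed.host@other" confusion
    host = parts.hostname
    if not host:
        return False, "no_host"
    if _is_blocked_address(host):
        return False, "blocked_address"       # 127.0.0.1, 10.x, 169.254.x.x ...
    if host.lower() not in ALLOWED_HOSTS:
        return False, "not_allowlisted"
    return True, "ok"
```

The check never resolves DNS, so it relies on the allowlisted hostnames being trustworthy; a production fetcher should also pin the resolved address at connect time.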

Compare: Equifax vs. Capital One—both stem from technical misconfigurations, but Equifax failed at basic patching while Capital One failed at cloud security architecture. If an FRQ asks about configuration management, these are your go-to examples for on-premises vs. cloud environments.


Third-Party and Supply Chain Vulnerabilities

These cases demonstrate how attackers exploit the weakest link—often a vendor or contractor with legitimate access. Your security is only as strong as your least secure business partner.

Target Data Breach (2013)

  • 40 million payment cards compromised during peak holiday shopping season, maximizing both data volume and reputational damage
  • HVAC vendor credentials were the attack vector; attackers pivoted from vendor access to point-of-sale systems
  • $200+ million in costs and multiple lawsuits established vendor risk management as a board-level concern

Home Depot Data Breach (2014)

  • 56 million payment cards exposed through malware installed on POS systems across stores nationwide
  • Stolen vendor credentials again enabled initial access, with attackers deploying custom-built RAM-scraping malware
  • $179 million in breach costs reinforced that retailers must implement network segmentation and vendor access controls

Compare: Target vs. Home Depot—nearly identical attack patterns using vendor credentials to access POS systems. Both occurred within a year of each other, yet Home Depot didn't learn from Target's public failure. This illustrates why threat intelligence sharing matters.


Delayed Detection and Disclosure Failures

These breaches reveal what happens when organizations lack proper monitoring or delay public disclosure. The longer attackers remain undetected, the more damage they inflict.

Yahoo Data Breaches (2013-2014)

  • All 3 billion user accounts compromised across two separate breaches—the largest data breach in history by volume
  • Disclosure delayed until 2016—two to three years after the actual breaches, raising serious questions about incident detection capabilities
  • $350 million reduction in Verizon's acquisition price demonstrated how breaches directly impact company valuation

Marriott International Data Breach (2018)

  • 500 million guest records exposed—including passport numbers and encrypted credit card data from the Starwood reservation system
  • Breach originated in 2014 but wasn't discovered until 2018; Marriott inherited the compromise through its 2016 Starwood acquisition
  • $124 million GDPR fine (later reduced) highlighted the importance of security due diligence in M&A transactions

eBay Data Breach (2014)

  • 145 million user records compromised—names, addresses, dates of birth, and encrypted passwords
  • Detection came from anomaly monitoring when unusual network activity triggered investigation, showing the value of behavioral analytics
  • Password reset required for all users, but delayed detection meant attackers had extended access to harvest credentials

Compare: Yahoo vs. Marriott—both involved years-long detection failures, but Marriott's breach was inherited through acquisition. This is critical for understanding why cybersecurity due diligence must be part of any M&A process.


Sector-Specific Regulatory Consequences

Different industries face different regulatory frameworks, and these cases show how sector-specific rules shape breach consequences. Healthcare and financial services face the strictest penalties.

Anthem Health Insurance Data Breach (2015)

  • 78.8 million patient records exposed—including Social Security numbers, medical IDs, and employment information
  • Spear-phishing attack gave attackers access to a database administrator's credentials, demonstrating the human element in sophisticated attacks
  • $16 million HHS fine—the largest HIPAA settlement ever at the time—plus state attorney general settlements totaling $115 million

Adobe Data Breach (2013)

  • 38 million user accounts compromised plus source code for major products like Photoshop and ColdFusion leaked
  • Weak encryption practices exposed when researchers cracked password hints, revealing widespread password reuse among users
  • $1.1 million settlement was relatively small, but the source code theft created ongoing security risks for Adobe products

Compare: Anthem vs. Adobe—both massive breaches, but Anthem's healthcare data triggered HIPAA's strict penalties while Adobe faced lighter consequences under less stringent regulations. Know which regulatory framework applies to which industry.


Reputational and Strategic Impact

Some breaches transcend financial losses and fundamentally alter an organization's strategic position or industry practices.

Sony Pictures Entertainment Hack (2014)

  • Unreleased films, employee data, and executive emails leaked—causing embarrassment beyond typical data exposure
  • "Guardians of Peace" attack attributed to North Korea in retaliation for the film The Interview, making this a nation-state attack case study
  • Industry-wide security overhaul followed as entertainment companies recognized they were targets for both financial and political motivations

Compare: Sony vs. Anthem—both faced sophisticated, targeted attacks, but Sony's was politically motivated (nation-state) while Anthem's was financially motivated (data theft). Understanding attacker motivation helps predict attack methods and targets.


Quick Reference Table

Concept                        Best Examples
Patch Management Failure       Equifax, Adobe
Cloud Misconfiguration         Capital One
Third-Party/Vendor Risk        Target, Home Depot
M&A Security Due Diligence     Marriott (Starwood)
Delayed Detection              Yahoo, Marriott, eBay
HIPAA/Healthcare Compliance    Anthem
GDPR Enforcement               Marriott
Nation-State Attacks           Sony Pictures
POS Malware                    Target, Home Depot
Credential Theft Entry         Target, Home Depot, Anthem

Self-Check Questions

  1. Which two breaches best illustrate the risks of third-party vendor access, and what specific control failure did they share?

  2. Compare the regulatory consequences faced by Anthem versus Marriott. What explains the difference in fine amounts and regulatory frameworks involved?

  3. If an FRQ asks you to explain why security due diligence in mergers and acquisitions matters, which case study provides the strongest evidence, and what specific timeline supports your argument?

  4. Both Equifax and Capital One suffered from configuration-related failures. How do their root causes differ, and what does this suggest about security challenges in cloud migration?

  5. Rank Yahoo, Marriott, and eBay by detection time. What monitoring or governance controls might have shortened the dwell time in each case?