Home / Blogs

3 Most Scary Attacks that Leaked Personally Identifiable Information (PII) of Millions of Users

Cybercriminals are increasingly targeting Personally Identifiable Information (PII). The reason being “data is the new gold” in this digital world, and the more sensitive some data is, the more value it has. There is no more sensitive data than personally identifiable information because it contains enough information to identify you digitally.

Examples of personally identifiable information include name, email, contact number, address, social security number, tax file number, banking or financial information, and more such data that helps identify you.

Since the last decade, Personally Identifiable Information (PII) has become a prime issue for businesses as well as individuals, raising concerns over legal and ethical areas. On top of all, poor information security also raises concerns over compromised user credentials. With the growing digitization of each and everything in our lives, we are storing information digitally now more than ever. And yet, the danger is often underestimated by both businesses and individuals. That is the reason behind cybercriminals increasingly aiming to attack and leak or steal personally identifiable information of the netizens. It is no surprise that there had been many attacks in the last decade that combinedly leaked hundreds of millions if not billions of records. Let’s review the worst attacks to get to know them: their attack vectors, entry points, and prevention methodologies.


Equifax—one of the largest credit reporting agencies in the US—faced a breach in 2017. Shockingly, attackers are successful in stealing hundreds of millions of records of their customers. The breached data included names, addresses, social security numbers, driver licenses’ numbers, and more. Moreover, 200,000 of those records also included credit card numbers, making it the worst data leak in history. In fact, it almost affected 143 million people, i.e., more people than the 40 percent of the population of the United States.

However, this data never saw the light of day on the dark web, raising a theory that this attack was sponsored by a state-backed hacker group in China with the purpose of espionage. After this attack, Equifax invested $1.4 billion to upgrade its security infrastructure. If only it had done it before the attack. It all began in March 2017 when a vulnerability named CVE-2017-5638 was discovered in Apache Struts, one of the popular development frameworks used by Equifax. On March 7, a patch for this bug was released, and on March 9, Equifax admins were told to apply the patch to their systems. However, they failed to do so. It was found that Equifax was hacked on March 10, 2017, but the attackers sat silent for almost two months. On May 13, 2017, they started compromising and exfiltrating data from other parts of the network. Attackers were smart enough to encrypt the data before moving it out of the network, and Equifax was dumb enough not to renew its certificate used for analyzing encrypted internal network traffic. After not renewing it for almost ten months, Equifax renewed this certificate on July 29, 2017. Then, they came to know about the attack. That is, Equifax made multiple silly mistakes, which led to the biggest data leak known in history.

Starwood (Marriott)

Starwood Hotels and Resorts—now owned by Marriott International—became the talk of the town in late 2018 when it announced that it had been attacked, leaking hundreds of millions of customer records. The attack came to light on September 8, 2018, when an internal security tool reported a suspicious activity to access the internal guest reservation systems of Starwood. Marriott took the flag importantly and performed an internal investigation to find that it was compromised sometime in 2014. Marriott bought the company in 2016, but they did not migrate Starwood’s original systems to Marriott’s even after two years. And the result was that the cybercriminals were able to extract data of almost 500 million guest records by November 2018, making this attack the second-worst attack in history that leaked personally identifiable information.

Investigators found a Remote Access Trojan (RAT) inside Starwood’s systems along with MimiKatz—a user credential sniffer. It is believed that these two tools gave administrators access to the attackers, which they further utilized to gain access to internal networks and eventually to the secure systems holding customer and guest records. Shockingly, the leaked data included names, email addresses, phone numbers, and other sensitive information like credit card and passport numbers, posing a disastrous impact on the people. Like Equifax, Starwood (or Marriott) made multiple mistakes that led to this big data leak. For instance, the encrypted sensitive data like credit card numbers, but they kept the encryption key on the same server, making it utterly easy for the attackers to decrypt and steal the data. Some passports were also saved in plain text, while the industry norm is to encrypt all personally identifiable information.


eBay—one of the biggest online e-commerce platforms—was attacked in 2014. Shockingly, the attack leaked 145 million user records. But fortunately, eBay had found no evidence of unauthorized access to the credit card or financial information at PayPal—its payments platform subsidiary that is the most popular method of sending and receiving money on the Internet. Security experts warned its users to stay on alert since attackers had both email addresses and passwords. If they were able to decrypt passwords, they might have tried logging in to other sites using the leaked credentials, allowing them to perform more damage overall.

The leaked data contained email addresses, birth dates, encrypted passwords, mailing addresses, and more personal information of its users. “Exposure of personal information such as postal addresses and dates of birth puts users at risk of identity theft, where the data is used to claim ownership of both online and real-world identities. Users are also at risk of phishing attacks from malicious third-parties, which use the private details to trick people into handing over a bank account, credit card or other sensitive information,” according to The Guardian.

In all the cyberattacks listed above, there were some common issues. First of all, organizations were not taking cybersecurity seriously. Period. Secondly, they were not keeping their systems up to date. And last but important, they were unable to detect intrusions and take responsibility for their actions sooner.

By Evan Morris, Network Security Manager

Filed Under


One thing I keep harping on is Todd Knarr  –  Feb 13, 2021 7:02 AM

One thing I keep harping on is that all that PII should certainly be enough to identify you, but it should not be enough to authenticate you. As long as companies rely on identifying information to authenticate identity, we’ll continue to have problems even with perfect security.

Eg., my email address should be enough to identify who an online account’s for. The very next step, though, should be “OK, prove you’re him.” by, for instance, being able to send an email message that passes all authentication checks (DMARC policies, DKIM signatures, SPF records, possibly S/MIME or PGP signatures depending on the environment).

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC