Chinese state-attributed operators sat undetected on Starwood's guest reservation database from 2014, surviving Marriott's 2016 acquisition. Disclosed 2018: 500 million guest records exposed, including 5.25 million unencrypted passport numbers.
- Victim
- Marriott International / Starwood Hotels & Resorts
- Loss
- $200.0M
- Records
- 500.0M
Magecart operators injected card-skimming JavaScript into British Airways' payment page, stealing card details on 380,000 transactions over 15 days. UK ICO initially proposed a £183.4M GDPR fine, later reduced to £20M after Covid-impact mitigation arguments.
- Victim
- British Airways
- Loss
- $35.0M
- Records
- 429.0K
Chinese state-attributed actors exfiltrated personal and outpatient medication records on 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, in Singapore's most serious cyber incident.
- Victim
- Singapore Health Services (SingHealth)
- Loss
- $7.5M
- Records
- 1.5M
Tokyo-based cryptocurrency exchange Coincheck lost 523 million NEM tokens (~$530M at the time) from a hot wallet that had no multi-signature protection. The largest single crypto-exchange theft at the time, later attributed to North Korea's Lazarus Group.
- Victim
- Coincheck Inc.
- Loss
- $530.0M
Tribune India journalists demonstrated that paid intermediaries could provide full Aadhaar records, including biometric-linked identity data on roughly 1.1 billion Indian residents, for 500 rupees per record.
- Victim
- Unique Identification Authority of India (UIDAI) / Aadhaar
- Records
- 1.10B