INTERNATIONAL JOURNAL OF LATEST TECHNOLOGY IN ENGINEERING,

MANAGEMENT & APPLIED SCIENCE (IJLTEMAS)

ISSN 2278-2540 | DOI: 10.51583/IJLTEMAS | Volume XIV, Issue X, October 2025

www.ijltemas.in Page 246

Lessons from the Past: What We Can Learn From Major

Cybersecurity Breaches and How to Prevent Them in the Future

Ananya Shilin, C.N Prasad, B.G Prasanthi, Dr B.G Lakshmi

Asst.Professor, St.Josephs University, Bangalore prasad

Asst.Professor, St.Josephs University, Bangalore, Department of Computer Science St.Joseph’s University

DOI: https://doi.org/10.51583/IJLTEMAS.2025.1410000034

Abstract: This research paper explores significant cybersecurity incidents that have impacted global firms and industries,

pointing to weaknesses in digital infrastructure. Through the examination of high-profile case studies like Equifax, Facebook, JW

Marriott, and Sony, the paper looks at causes, effects and operational disruptions that followed. The study focuses on how

companies can enhance their security models, adopt proactive approaches, and reduce risks in an increasingly interdependent

world. Finally, it emphasizes the need for strong defenses to deter further attacks.

I. Introduction

In the digital age, cybersecurity breaches have emerged as one of the most significant threats to multinational corporations

(MNCs) across various industries. These breaches compromise sensitive data, disrupt business operations, and lead to severe

financial and reputational consequences.

High-profile cyberattacks on major organizations highlight vulnerabilities in even the most sophisticated security infrastructures.

Studying past cybersecurity breaches provides valuable insights into the evolving tactics of cybercriminals and helps

organizations strengthen their security frameworks. By analyzing these incidents, businesses can identify weaknesses, learn from

past mistakes, and implement proactive measures to prevent future attacks.

This paper examines four major cybersecurity breaches that have impacted different industries:

●

Equifax (2017): A financial sector breach that exposed the personal data of approximately 147 million individuals [1].

●

Facebook (2019): A social media data leak involving over 530 million users’ personal information [2].

●

JW Marriott (2018): A hospitality industry breach that compromised 500 million guest records [3].

●

Sony Pictures (2014): An entertainment industry attack that resulted in leaked confidential data and significant operational

disruptions[4].

By exploring these case studies, this research aims to address the following question: What lessons can businesses learn from

major cybersecurity breaches, and how can they implement better strategies to prevent future cyberattacks?

Understanding the root causes of these breaches and the countermeasures taken can help organizations across all sectors develop

robust security policies, enhance threat detection capabilities, and minimize the risk of data breaches in an increasingly

interconnected world.

II. Background on Cybersecurity Threats

As businesses increasingly rely on digital infrastructure, the threat landscape in cybersecurity continues to evolve. Organizations,

particularly multinational corporations (MNCs), face growing risks from cybercriminals who seek to exploit vulnerabilities for

financial, political, or strategic gain. Understanding these threats, the reasons MNCs are targeted, and the regulatory landscape is

crucial for developing effective defense mechanisms against cyberattacks.

Cyber threats come in many forms, ranging from deceptive social engineering tactics to sophisticated malware that can cripple

entire networks. One of the most prevalent threats is phishing, where attackers use fraudulent emails or websites to trick

individuals into revealing sensitive information such as passwords and financial details. Another growing concern is ransomware,

a form of malware that encrypts data and demands payment in exchange for its release. Ransomware attacks have disrupted major

corporations, hospitals, and even government institutions, often leading to significant financial and operational consequences

[5],[6]. Data breaches also pose a severe threat, as cybercriminals exploit security vulnerabilities to gain unauthorized access to

confidential information [1],[2],[3]. These breaches not only result in identity theft and financial fraud but also damage a

company’s reputation and invite regulatory penalties [4],[8]. Additionally, distributed denial-of-service (DDoS) attacks are

frequently used to overwhelm websites and online services, rendering them inaccessible. Insider threats, whether intentional or

accidental, further complicate cybersecurity efforts, as employees with privileged access may leak sensitive data or misconfigure

security settings, making an organization more vulnerable to attacks.

MNCs are particularly attractive targets for cybercriminals due to the sheer scale of their operations and the volume of data they

manage. With extensive global networks, multiple subsidiaries, and complex supply chains, these corporations present numerous

INTERNATIONAL JOURNAL OF LATEST TECHNOLOGY IN ENGINEERING,

MANAGEMENT & APPLIED SCIENCE (IJLTEMAS)

ISSN 2278-2540 | DOI: 10.51583/IJLTEMAS | Volume XIV, Issue X, October 2025

www.ijltemas.in Page 247

entry points for attackers. Many MNCs store vast amounts of sensitive customer, employee, and business data, making them prime

targets for identity theft and corporate espionage. Furthermore, cybercriminals are often motivated by financial gain, as they can

demand large ransoms or sell stolen data on the dark web. Beyond financial implications, cybersecurity breaches can have severe

legal and regulatory consequences.

Organizations that fail to secure their data may face lawsuits and substantial fines under data protection laws. Moreover,

reputational damage following a cyberattack can result in the loss of customer trust, reduced market value, and long-term business

disruptions [4],[8].

To address these growing threats, governments and regulatory bodies have established cybersecurity frameworks and compliance

requirements aimed at protecting businesses and consumers. One of the most influential regulations is the General Data

Protection Regulation (GDPR), which enforces strict data protection measures across the European Union and imposes heavy

fines on companies that fail to safeguard user data. Similarly, the California Consumer Privacy Act (CCPA) grants individuals

greater control over their personal information, requiring businesses to disclose how data is collected and used. In the financial

sector, the Payment Card Industry Data Security Standard (PCI DSS) sets security guidelines for handling credit card transactions

to prevent fraud and data breaches. The healthcare industry is governed by the Health Insurance Portability and Accountability

Act (HIPAA), which mandates strict security measures to protect patient information. Additionally, the Cybersecurity Maturity

Model Certification (CMMC) ensures that defense contractors working with the U.S. Department of Defense comply with robust

security protocols. These regulations underscore the importance of cybersecurity compliance, pushing organizations to implement

strong data protection policies and proactive risk management strategies [7].

As cyber threats continue to evolve, MNCs must remain vigilant by adopting comprehensive security measures, investing in

advanced threat detection technologies, and fostering a culture of cybersecurity awareness within their organizations. Regulatory

compliance alone is not enough; businesses must take proactive steps to mitigate risks, respond to incidents effectively, and build

resilience against future attacks. By understanding past cybersecurity breaches and learning from them, organizations can enhance

their defenses and create a more secure digital environment for the future [8].

Equifax Data Breach (2017) – Financial Sector

In 2017, Equifax, one of the largest credit reporting agencies in the United States, suffered a monumental data breach that

exposed sensitive personal information of approximately 147 million individuals. This incident not only highlighted significant

lapses in cybersecurity but also underscored the potential consequences of inadequate data protection measures within the

financial sector [1].

What Happened

The breach originated from a vulnerability in the Apache Struts web application framework, a widely used technology for building

web applications. On March 7, 2017, a critical security flaw in Apache Struts was publicly disclosed, and a corresponding patch

was released to address the issue. The U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-

CERT) promptly notified Equifax about this vulnerability on March 8, emphasizing its severity and the necessity for immediate

remediation [1].

Despite these warnings, Equifax failed to apply the necessary patch to its systems. This oversight was primarily due to the

company's lack of a comprehensive IT asset inventory, which meant they were unaware of all instances where Apache Struts was

deployed within their network.

Consequently, the vulnerable version of Apache Struts remained unpatched in Equifax's online dispute portal [1].

Attackers exploited this unpatched vulnerability on March 10, 2017, gaining unauthorized access to Equifax's network. Initially,

the intrusion was confined to the online dispute portal, but by May 13, the attackers had expanded their access to other parts of the

network. Over the ensuing months, they systematically extracted vast amounts of personal data, including names, addresses, dates

of birth, Social Security numbers, and, in some cases, credit card information [1].

A critical factor that exacerbated the breach was the expiration of an SSL (Secure Sockets Layer) certificate, which is essential for

encrypting and monitoring network traffic. The expired certificate hindered Equifax's ability to detect the attackers' activities,

allowing them to operate undetected for an extended period [1].

Impact

The breach had far-reaching consequences. Approximately 147 million individuals had their personal information compromised,

placing them at heightened risk for identity theft and fraud. The exposure of such sensitive data eroded public trust in Equifax and

raised serious concerns about the security practices of organizations handling personal information [1],[5].

Financially, Equifax faced substantial repercussions. The company incurred significant costs related to legal settlements,

regulatory fines, and remediation efforts. Additionally, the breach prompted a reevaluation of cybersecurity practices across the

financial sector, leading to increased regulatory scrutiny and the implementation of more stringent data protection measures[1],[5].

INTERNATIONAL JOURNAL OF LATEST TECHNOLOGY IN ENGINEERING,

MANAGEMENT & APPLIED SCIENCE (IJLTEMAS)

ISSN 2278-2540 | DOI: 10.51583/IJLTEMAS | Volume XIV, Issue X, October 2025

www.ijltemas.in Page 248

Response

Upon discovering the breach on July 29, 2017, Equifax took several steps to mitigate the damage. The company engaged a

cybersecurity firm to investigate the intrusion and assess its scope. Equifax also notified law enforcement agencies and began the

process of identifying affected individuals [1].

Public disclosure of the breach occurred on September 7, 2017, six weeks after its discovery. Equifax offered free credit

monitoring and identity theft protection services to those impacted. However, the delay in public notification and the initial

handling of the breach drew criticism from consumers, regulators, and legislators[1].

In the aftermath, Equifax undertook significant measures to enhance its cybersecurity posture. This included overhauling its

security protocols, implementing more rigorous patch management processes, and investing in advanced threat detection

technologies[1].

Lessons Learned

The Equifax data breach stands as a stark reminder of the critical importance of implementing robust cybersecurity practices. One

of the primary lessons from this incident is the necessity of timely patch management. Organizations must establish effective

processes to ensure that security patches addressing known vulnerabilities are applied promptly. Any delay in patching exposes

systems to exploitation, as cybercriminals actively scan for such weaknesses to infiltrate networks [1],[8].

Another vital takeaway is the need for a comprehensive IT asset inventory. Maintaining an accurate and up-to-date record of all

hardware and software assets within an organization is essential. This inventory enables IT teams to efficiently manage

vulnerabilities, ensuring that no critical component is overlooked during security updates or incident response efforts[1].

Additionally, the breach highlights the significance of continuous monitoring. Organizations must adopt continuous surveillance

of their systems, including regular renewal and management of security certificates such as SSL. Continuous monitoring

enhances the ability to detect unauthorized activities swiftly, mitigating potential threats before they escalate [8].

Lastly, transparent communication emerged as a key factor in managing the aftermath of the breach. Equifax's delayed public

disclosure drew widespread criticism and damaged its reputation. This incident underscores the importance of prompt and

transparent communication with affected individuals, regulatory bodies, and other stakeholders. Clear and timely communication

not only helps maintain public trust but also allows for more effective coordination of remediation efforts following a cyber

incident [8].

Facebook-Cambridge Analytica Scandal (2018) – Social Media

In 2018, the Facebook-Cambridge Analytica scandal emerged as a pivotal moment in the discourse on data privacy and the

ethical use of personal information. The controversy centered around the unauthorized harvesting of data from millions of

Facebook users, which was subsequently utilized for political advertising purposes [2].

What Happened

The scandal traces back to 2013 when Dr. Aleksandr Kogan, a researcher at the University of Cambridge, developed a personality

quiz app called "This Is Your Digital Life." The app was presented as a research tool for academic purposes and was made

available to Facebook users. Approximately 270,000 individuals installed the app, consenting to share their personal data for

research [2].

At that time, Facebook's data-sharing policies allowed apps to collect not only the data of users who installed them but also certain

information from their friends' profiles. This policy enabled Kogan's app to amass data from millions of users without their

explicit consent. Estimates suggest that up to 87 million users were affected by this data collection practice [2].

In 2014, Kogan shared the harvested data with Cambridge Analytica, a British political consulting firm specializing in data

analysis and strategic communication. Cambridge Analytica utilized this information to create detailed psychological profiles of

voters, which were then employed to craft targeted political advertisements during various election campaigns, including the 2016

U.S. presidential election [2].

Impact

The revelation of these practices had profound implications. It exposed significant lapses in Facebook's data governance and user

privacy protections, leading to a global outcry and intense media scrutiny. Users felt betrayed by the misuse of their personal

information, and the incident sparked widespread debates about digital privacy and the ethical boundaries of data-driven political

campaigns [2].

Regulatory bodies across the world initiated investigations into Facebook's data practices. In the United States, the Federal Trade

Commission (FTC) imposed a record $5 billion fine on Facebook for privacy violations. In the United Kingdom, the Information

Commissioner's Office fined Facebook £500,000, the maximum penalty allowed at the time. Additionally, Facebook faced

numerous lawsuits and a decline in user trust [2].

INTERNATIONAL JOURNAL OF LATEST TECHNOLOGY IN ENGINEERING,

MANAGEMENT & APPLIED SCIENCE (IJLTEMAS)

ISSN 2278-2540 | DOI: 10.51583/IJLTEMAS | Volume XIV, Issue X, October 2025

www.ijltemas.in Page 249

Response

In the aftermath of the scandal, Facebook undertook a series of significant measures aimed at regaining user trust and reinforcing

its data privacy framework. One of the key initiatives involved comprehensive policy reforms.

The company revised its data-sharing policies to substantially limit the amount of information accessible to third-party

applications. Additionally, Facebook enhanced its app developer review process, ensuring stricter compliance with data

protection standards and reducing the likelihood of unauthorized data access in the future[2].

Another crucial step was user empowerment. Recognizing the need for greater transparency, Facebook introduced more

accessible and clearer privacy settings. These reforms were designed to give users better control over their personal data, allowing

them to make informed decisions regarding what information they share and how it is utilized on the platform [7].

Furthermore, Facebook engaged actively with regulatory bodies following the breach. The company cooperated with various

investigations and demonstrated a commitment to complying with stricter data protection regulations, including the European

Union’s General Data Protection Regulation (GDPR). By aligning its policies with global data privacy standards, Facebook aimed

to rebuild public trust and demonstrate its dedication to safeguarding user information [7].

Despite these efforts, the scandal had a lasting impact on Facebook's reputation and intensified discussions about the need for

robust data protection regulations.

Lessons Learned

The Facebook-Cambridge Analytica scandal brought to light several critical lessons that continue to shape data privacy policies

globally. Foremost among these is the importance of ensuring informed consent. Digital platforms must guarantee that users are

fully aware of the nature and extent of data being collected from them. It is essential that users not only provide consent but also

understand how their personal information will be used, shared, or stored [8].

Another key lesson emphasizes the need for rigorous third-party oversight. Companies must establish stringent review and

monitoring mechanisms for third-party developers who access user data through their platforms. Without proper oversight, there

is an increased risk of unauthorized access and potential misuse of sensitive information, as seen in this case [8].

The scandal also underscored the significance of strong regulatory frameworks. It demonstrated the necessity for comprehensive

data protection regulations that hold organizations accountable for safeguarding user information. Regulatory bodies play a crucial

role in enforcing compliance and ensuring that companies adhere to ethical data handling practices [7].

Finally, the incident highlighted the importance of user awareness. Empowering users with knowledge about their data privacy

rights and educating them on how their personal information is collected and utilized is essential[8]. Informed and aware users are

better equipped to make responsible decisions about sharing their data in the digital space.

JW Marriott Data Breach (2018) – Hospitality Sector

In 2018, Marriott International, a leading hospitality company, disclosed a significant data breach that compromised the personal

information of hundreds of millions of guests. This incident underscored the vulnerabilities within the hospitality industry's data

security practices and highlighted the critical importance of robust cybersecurity measures [3].

What Happened

The breach originated from Marriott's acquisition of Starwood Hotels & Resorts Worldwide in 2016. Unbeknownst to Marriott at

the time of acquisition, Starwood's guest reservation system had been compromised since 2014. The intrusion went undetected for

several years, allowing unauthorized access to a vast array of guest information. The breach was only discovered in September

2018 when an internal security tool flagged a suspicious attempt to access the internal guest reservation database for Marriott's

Starwood brands.

Upon investigation, it was revealed that the attackers had maintained persistent access to the network, exfiltrating sensitive data

over an extended period [3].

Impact

The breach had far-reaching consequences, affecting approximately 500 million guests who had made bookings with Starwood

properties. The compromised data included names, addresses, phone numbers, email addresses, passport numbers, dates of birth,

and encrypted credit card information [3].

The exposure of such sensitive information posed significant risks of identity theft and fraud for the affected individuals.

Financially, Marriott faced substantial repercussions, including regulatory fines and legal settlements. For instance, the United

Kingdom's Information Commissioner's Office fined Marriott £18.4 million for failing to protect guest information [3].

Additionally, in 2024, Marriott agreed to pay $52 million and implement enhanced data security measures to settle federal and

state investigations related to the breach.

INTERNATIONAL JOURNAL OF LATEST TECHNOLOGY IN ENGINEERING,

MANAGEMENT & APPLIED SCIENCE (IJLTEMAS)

ISSN 2278-2540 | DOI: 10.51583/IJLTEMAS | Volume XIV, Issue X, October 2025

www.ijltemas.in Page 250

The incident also led to a loss of consumer trust and highlighted the need for improved cybersecurity practices within the

hospitality industry [3].

Response

Upon discovering the breach, Marriott took immediate steps to contain the incident and initiated a comprehensive investigation.

The company notified affected guests and offered free identity monitoring services. Marriott also cooperated with regulatory

authorities and law enforcement agencies to address the breach's ramifications. In response to the incident, Marriott implemented

several measures to enhance its cybersecurity posture, including upgrading its network security infrastructure, improving

monitoring capabilities, and revising data retention policies. Furthermore, Marriott agreed to implement a robust information

security program and provide all U.S. customers with a way to request the deletion of their personal information [3],[7].

Lessons Learned

The Marriott data breach serves as a cautionary tale about the importance of due diligence in mergers and acquisitions,

particularly concerning cybersecurity assessments. Organizations must ensure that acquired entities adhere to stringent data

security standards to prevent inherited vulnerabilities. The incident also highlights the necessity of continuous network

monitoring, timely detection of unauthorized access, and the implementation of comprehensive data protection strategies. Regular

security audits, employee training, and adherence to regulatory requirements are crucial components in safeguarding sensitive

information and maintaining consumer trust [7],[8].

Sony Pictures Hack (2014) – Entertainment Industry & Nation-State Attack

In 2014, Sony Pictures Entertainment (SPE) experienced a devastating cyberattack that not only disrupted its operations but also

had significant geopolitical implications. This incident is notable for its association with a nation-state actor and its profound

impact on the entertainment industry.

What Happened

The attack commenced on November 24, 2014, when SPE employees discovered that their computer screens displayed a

threatening message accompanied by a skull graphic. The message warned of the release of confidential data if certain demands

were not met. The hacker group, self-identified as the "Guardians of Peace," claimed responsibility for the

breach. The attackers deployed destructive malware known as "Wiper," which erased data from Sony's servers and rendered

thousands of computers inoperable [4].

The breach led to the theft and subsequent online dissemination of vast amounts of sensitive information, including unreleased

films, confidential emails, personal employee data, and internal documents [4].

Impact

The ramifications of the hack were extensive. Financially, SPE incurred significant losses due to disrupted operations, data

restoration efforts, and legal liabilities. The leaked emails caused reputational damage, strained business relationships, and led to

the resignation of key executives. The release of unreleased films resulted in substantial revenue losses. Moreover, the attack had

geopolitical consequences, as the FBI attributed the cyberattack to North Korea, marking the first time the United States had

openly accused a foreign government of a destructive cyberattack against an American corporation[4].

This attribution was linked to North Korea's displeasure with the impending release of "The Interview," a comedy film depicting

an assassination plot against its leader, Kim Jong-un [4].

Response

In the aftermath of the attack, SPE undertook extensive measures to assess and mitigate the damage. The company collaborated

with the FBI and cybersecurity firms to investigate the breach and secure its networks. SPE also implemented enhanced security

protocols to prevent future incidents. On a broader scale, the

U.S. government responded by imposing new sanctions on North Korea, escalating tensions between the two nations. The incident

prompted widespread discussions about cybersecurity, the protection of intellectual property, and the challenges of defending

against nation-state actors [4].

The Sony Pictures hack underscored the vulnerability of even large corporations to sophisticated cyberattacks, particularly those

orchestrated by nation-states. It highlighted the necessity for organizations to implement robust cybersecurity measures, including

advanced threat detection systems, comprehensive incident response plans, and regular security assessments. The incident also

emphasized the importance of securing sensitive data, fostering a culture of security awareness among employees [4],[8].

Lessons Learned

The Sony Pictures hack underscored several critical cybersecurity lessons for organizations across all sectors. Firstly, it

highlighted the necessity of implementing basic security measures, such as data encryption and breach detection tools, to protect

sensitive information and promptly identify unauthorized access.

INTERNATIONAL JOURNAL OF LATEST TECHNOLOGY IN ENGINEERING,

MANAGEMENT & APPLIED SCIENCE (IJLTEMAS)

ISSN 2278-2540 | DOI: 10.51583/IJLTEMAS | Volume XIV, Issue X, October 2025

www.ijltemas.in Page 251

Secondly, the incident emphasized the importance of investing wisely in cybersecurity infrastructure and hiring qualified

information security professionals to proactively defend against sophisticated threats.

Thirdly, it brought attention to the need for comprehensive business continuity plans to ensure operational resilience in the face of

cyber disruptions

Additionally, the breach demonstrated the critical role of employee cybersecurity training in preventing attacks that exploit human

vulnerabilities.

Finally, the attack served as a reminder that any organization can be a target, reinforcing the need for vigilance and robust security

practices[4],[7],[5],[8].

Analysis

In recent years, the cybersecurity domain has witnessed several unprecedented data breaches, each revealing unique weaknesses

across different industries.

Four major incidents—the Equifax Data Breach (2017), the Facebook-Cambridge Analytica Scandal (2018), the JW Marriott Data

Breach (2018), and the Sony Pictures Hack (2014)—stand as critical case studies for analyzing both recurring patterns and sector-

specific vulnerabilities. A detailed comparison of these incidents offers crucial insights into the evolving threat landscape and

presents valuable lessons for strengthening organizational defenses [7].

Upon examining the root causes of these breaches, certain parallels become immediately apparent. The Equifax breach primarily

resulted from the company's failure to patch a well-known vulnerability in the Apache Struts web application framework. The

vulnerability had been disclosed months prior to the attack, yet lax internal protocols and ineffective patch management left

Equifax's systems exposed [1],[7]. In stark contrast, the Facebook-Cambridge Analytica scandal was less about technical

oversight and more about inadequate data governance. Facebook permitted third-party developers extensive access to user data,

with minimal oversight or verification processes, creating opportunities for misuse [2]. The JW Marriott breach highlighted a

different issue: the compromise originated from the acquisition of Starwood Hotels, whose systems contained pre-existing

security flaws. Insufficient due diligence during the merger process, coupled with weak encryption of sensitive customer

information, allowed attackers to maintain unauthorized access over a prolonged period [3],[7]. Sony Pictures, meanwhile, was

targeted by sophisticated state-sponsored attackers. However, the severity of the breach was magnified by basic internal security

failings, such as poorly managed passwords and a lack of proper network segmentation, which facilitated lateral movement within

the system [4].

The following line graph illustrates the prominence of specific vulnerabilities across the case studies:

Figure 1: Line graph comparing the primary causes of breaches across Equifax, Facebook, JW Marriott, and Sony Pictures.

The line graph displays severity levels for vulnerabilities such as unpatched software, poor data governance, weak encryption, and

internal security failings, showing how each contributed to the breaches of Equifax, Facebook, JW Marriott, and Sony Pictures.

The impacts of these breaches varied significantly, both in scope and in societal effect. Equifax suffered one of the most severe

breaches in history, compromising sensitive financial and personal data of over 147 million individuals. The incident not only

triggered regulatory penalties totaling over

$700 million but also eroded public confidence in credit monitoring services. Facebook’s scandal, while involving fewer users—

approximately 87 million—had far-reaching social and political consequences. The unauthorized harvesting of user data by

Cambridge Analytica played a controversial role in influencing democratic processes, leading to global debates around data ethics,

user consent, and privacy regulations [8].

The following pie chart highlights the varied impacts of the Equifax and Facebook breach:

INTERNATIONAL JOURNAL OF LATEST TECHNOLOGY IN ENGINEERING,

MANAGEMENT & APPLIED SCIENCE (IJLTEMAS)

ISSN 2278-2540 | DOI: 10.51583/IJLTEMAS | Volume XIV, Issue X, October 2025

www.ijltemas.in Page 252

Impacts Comparison of Equifax and Facebook Breaches

Figure 2: Pie charts illustrating the impact distribution of the Equifax and Facebook breaches, covering financial loss, regulatory

penalties, public trust erosion, operational disruption, and societal consequences.

Facebook’s chart gives more prominence to Public Trust Erosion (50%) and Societal Consequences (25%), highlighting the

broader societal effects of the breach.

The lessons derived from these breaches underscore fundamental principles that must be integrated into modern cybersecurity

strategies. Equifax’s failure emphasizes the critical importance of timely patch management and rigorous vulnerability scanning.

The Facebook incident sheds light on the ethical responsibility of organizations to anticipate and control third-party access to user

data, going beyond mere compliance to prioritize transparency and accountability.[2],[5] JW Marriott’s experience highlights the

necessity of conducting thorough cybersecurity audits during mergers and acquisitions, ensuring inherited systems do not

introduce exploitable weaknesses. Sony Pictures’ breach serves as a stark reminder of how inadequate internal controls, such as

improper password management and a lack of network segmentation, can significantly magnify the impact of targeted attacks.

Across all cases, the importance of encryption, regular risk assessments, proactive governance, and a layered defense strategy

emerges as a consistent and indispensable theme[8].

These four breaches collectively demonstrate that cybersecurity failures are rarely isolated incidents stemming from a single flaw.

Instead, they are often the result of systemic oversights, weak governance, and a lack of holistic strategy.

A comparative lens not only exposes these weaknesses but also charts a clear path forward, emphasizing the need for

organizations to adopt a proactive, ethical, and multi-layered approach to safeguard their digital assets and maintain public trust.

III. Conclusion

The analysis of the Equifax, Facebook-Cambridge Analytica, JW Marriott, and Sony Pictures breaches highlights recurring

patterns of cybersecurity weaknesses, emphasizing the critical role of proper governance, technical preparedness, and internal

controls. Across all cases, common findings include the consequences of unpatched software, inadequate oversight of third-party

access, insufficient encryption practices, and lack of internal security hygiene. The impacts were far-reaching—ranging from

severe financial penalties and loss of consumer trust to geopolitical tensions and regulatory scrutiny. These case studies illustrate

how even a single point of failure, whether technical or managerial, can expose millions of individuals to data misuse and can

significantly damage a company’s reputation and operational stability.

To improve their cybersecurity posture, businesses must prioritize a multi-layered defense strategy rooted in proactive governance.

This involves implementing stringent patch management protocols, conducting regular vulnerability assessments, and ensuring

robust encryption of sensitive data. Equally essential is the establishment of strict data access controls, particularly when dealing

with third-party entities. Corporations must embed cybersecurity audits into their merger and acquisition processes and invest in

employee training programs focused on digital hygiene, such as strong password practices and phishing awareness. Moreover,

organizations should adopt transparent data governance frameworks, ensuring users’ data is handled ethically and in compliance

with international regulations like GDPR.

Looking ahead, the future of cybersecurity within corporations will hinge on adaptability and resilience. As threat actors become

increasingly sophisticated, leveraging AI-driven attacks and exploiting supply chain vulnerabilities, companies must evolve to

match these advances. Emerging technologies such as artificial intelligence, machine learning, and blockchain offer promising

tools to enhance threat detection, automate response protocols, and secure digital transactions. However, the human element will

remain crucial—strong leadership, continuous education, and a culture of security-first thinking will be indispensable. Ultimately,

fostering collaboration between industry, government, and regulatory bodies will be key to shaping a secure, transparent, and

resilient digital ecosystem in the years to come.

INTERNATIONAL JOURNAL OF LATEST TECHNOLOGY IN ENGINEERING,

MANAGEMENT & APPLIED SCIENCE (IJLTEMAS)

ISSN 2278-2540 | DOI: 10.51583/IJLTEMAS | Volume XIV, Issue X, October 2025

www.ijltemas.in Page 253

References

1. Federal Trade Commission. (2022). Equifax Data Breach Settlement. Retrieved from

https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data- breach-settlement

2. The Guardian. (2018). Cambridge Analytica Files. Retrieved from https://www.theguardian.com/news/series/cambridge-

analytica-files

3. Marriott International. (2018). Starwood Guest Reservation Database Security Incident. Retrieved from

https://news.marriott.com/2018/11/marriott-announces-starwood-guest-re servation-database-security-incident/

4. Wired. (2014). Inside the Sony Hack. Retrieved from https://www.wired.com/story/sony-hack-north-korea/

5. IBM. (2023). Cost of a Data Breach Report. Retrieved from https://www.ibm.com/reports/data-breach

6. Verizon. (2023). Data Breach Investigations Report (DBIR). Retrieved from

https://www.verizon.com/business/resources/reports/dbir/

7. NIST. Cybersecurity Framework. Retrieved from https://www.nist.gov/cyberframework

8. Harvard Business Review. (2020). Lessons from Major Cybersecurity Breaches. Retrieved from

https://hbr.org/2020/09/lessons-from-major-cybersecurity-breaches