Indeed, 2020 has been a soul-destroying year and a bitter pill to swallow. None of us has escaped the year unscathed by the coronavirus pandemic, which has completely altered the way we do things. People have lost loved ones and jobs, and some have lost their minds. Importantly, remote working has become more widespread as companies try to implement social distancing to minimize the spread of the COVID-19 pandemic.
As the number of remote workers has increased, something devastating has grown with it: cybercrime. An INTERPOL assessment of the impact of COVID-19 on cybercrime showed that cybercriminals are increasingly targeting larger corporations. A Europol report published in October also confirms that the pandemic has ignited an upward trend in cybercrime. In the UK alone, there was a 31% increase in cybercrime during the pandemic. A report by RiskIQ revealed that by the year 2021, cybercrime will cost the world $11.4m per minute. With such glaring statistics, the internet is no longer a safe place. Unless companies enforce serious cybersecurity measures, they will continue to lose more every year.
As we close the curtain on 2020, we will review the top 10 data breaches of the year to learn from the mistakes made. We may well gain more insight into how to handle cybersecurity issues in 2021. Here we go!
1. Marriott Data Breach
If you remember, Marriott was a victim of a data breach in 2018 in which hackers accessed the personal details of the 500 million guests in its Starwood guest reservation database. The hackers managed to access names, payment information, email contacts, passport numbers, and email addresses. Come January 2020, the international hotel chain was again a victim of a security breach. This time, the personal details of 5.2 million guests were accessed.
The hackers obtained the login credentials of the hotel's employees and used them to access the guests' details. Specifically, the cybercriminals accessed names, mailing addresses, phone numbers, email addresses, loyalty account details, and additional details such as birthdays, affiliations, and related information.
In October this year, the UK's data privacy agency, the Information Commissioner's Office (ICO), fined Marriott £18.4m for the latest data breach.
2. Tetrad Data Breach
In February, the culprit of a data breach was a renowned Australian market analysis firm, Tetrad. On February 3, 2020, a researcher from UpGuard downloaded the contents of the firm's Amazon S3 storage, only to realize that Tetrad had left data belonging to 120 million Americans exposed. The data varied by business type, but it was made up of data from Tetrad's clients. It's not clear how long the data was exposed; Tetrad closed access to the details within a week of being notified.
3. MGM Hotel Data Breach
Imagine visiting a hotel only to find your personal data on some shadowy online site later on. And it's not just one person; we are talking about the personal details of 10,683,188 former hotel guests. Yes, it happened in February, when hackers posted online the data they had obtained from MGM hotel in July 2019.
To make matters worse, the data included personal details such as full names, dates of birth, phone numbers, home addresses, and emails. And it wasn't just regular tourists who were affected. Government officials, celebrities, reporters, and other prominent personalities were among the victims whose data was shared on the dark web.
4. Keepnet Labs Data Breach
In March, UK-based security company Keepnet Labs was a victim of one of the largest data breaches of the year. The company gathers historic online data from "online public resources" and notifies its clients about the security of their business domains.
But in March, a security expert, Bob Diachenko, noted a leaky Elasticsearch database that exposed 5,088,635,374 records and another one that revealed over 15 million records, with the latter being constantly updated. Specifically, the collections were composed of data leaks that occurred during 2012-2019. Moreover, the security researcher observed that the data was "very well structured", containing hash type, leak date, password, email, email domain, and source of the leak.
Following the revelation of the massive data breach, a security expert and blogger who published the leak was threatened with legal action. It was only in June that Keepnet Labs confirmed through a statement that there had indeed been a data leak. They blamed the leak on a contractor who was performing service maintenance.
5. CAM4 Data Breach
CAM4, an adult live streaming platform owned by Irish company Granite Entertainment, faced a serious data leak from March 16, 2020, and the figures increased daily to 10.88 billion records. The massive data leak was discovered by a group of researchers led by Anurag Sen during a search on the Shodan engine to detect any unsecured databases.
Out of the 10.88 billion records that were exposed, 11 million contained email addresses, while an alarming 26,392,701 had password hashes for web systems and CAM4 users. If someone had managed to dig into the data, he/she could have obtained very sensitive information about the sexual preferences of CAM4's users and, probably, used it for blackmail.
It’s not possible to tell whether the database was hacked, or if malicious actors infiltrated the database, but that doesn’t mean it wasn’t. The company replied in a statement saying, “The team concluded without any doubt that absolutely no personally identifiable information, including names, addresses, emails, IP addresses or financial data, was improperly accessed by anyone outside the SafetyDetectives firm and CAM4’s company investigators.”
6. Magellan Health Data Breach
In April 2020, Magellan Health was a victim of a ransomware attack and data breach. The healthcare behemoth discovered a breach of its systems after hackers used malware to steal an employee's login details. The cybercriminals then used the credentials to engage in phishing activities to gain more access to the healthcare body's systems.
After accessing the system, they deployed a ransomware attack on the health service provider. Magellan Health confirmed that 365,000 patients were affected by this bold attack. But after some months, the number of people affected is said to be circa 1.7 million.
7. Zoom Data Breach
April was not the best of months for Zoom. News broke that the passwords of 500,000+ Zoom accounts were on sale on the dark web. Interestingly, some were shared for free, with others going for less than a penny.
But how did hackers infiltrate these accounts? Well, IntSights researchers established that they used a technique called credential stuffing. It all began when the hackers visited online hacker forums to collect usernames and passwords of previously hacked accounts.
Because people habitually reuse passwords, it wasn't difficult for the cybercriminals to find successful logins, which were compiled and sold, with others given away for free.
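From the defender's side, credential stuffing leaves a recognizable pattern in login logs: one source trying many different usernames, mostly failing, with the few successes marking accounts whose reused password worked. The following is an added example, not part of the original article; the log format, thresholds, usernames, and IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-04-14T10:00:01Z 203.0.113.7 alice FAIL
2020-04-14T10:00:02Z 203.0.113.7 bob FAIL
2020-04-14T10:00:03Z 203.0.113.7 carol FAIL
2020-04-14T10:00:04Z 203.0.113.7 dave OK
2020-04-14T10:00:05Z 203.0.113.7 erin FAIL
2020-04-14T10:00:06Z 203.0.113.7 frank FAIL
2020-04-14T10:05:00Z 198.51.100.20 bob FAIL
2020-04-14T10:05:09Z 198.51.100.20 bob FAIL
2020-04-14T10:05:20Z 198.51.100.20 bob OK
2020-04-14T11:00:00Z 192.0.2.50 gina OK
2020-04-14T11:01:00Z 192.0.2.50 hal OK
2020-04-14T11:02:00Z 192.0.2.50 ivy OK
2020-04-14T11:03:00Z 192.0.2.50 jon OK
2020-04-14T11:04:00Z 192.0.2.50 kim OK
"""

def find_stuffing_sources(log_text, min_users=5, max_success_ratio=0.25):
    """Flag source IPs that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions; tune them to your own traffic.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        attempts[ip].append((user, result == "OK"))

    flagged = {}
    for ip, events in attempts.items():
        users = {user for user, _ in events}
        hits = sorted({user for user, ok in events if ok})
        # Many distinct accounts from one source, with few of them succeeding.
        if len(users) >= min_users and len(hits) / len(users) <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": len(events),
                "force_reset": hits,  # logins that worked: treat as compromised
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The single user retrying a mistyped password and the shared office address with many successful logins are not flagged; only the source that sprays many accounts is, and the account it got into is listed for a forced password reset.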
8. Nintendo Data Breach
April was also not very good for the Japanese gaming giant Nintendo. The first report of a hack was made on April 21. On April 24, Nintendo confirmed that 160,000 Network ID accounts had indeed been hacked. Later, the company confirmed that the number was actually 300,000.
The company did not confirm how the hack took place, but there was a clear mention of the same password being used across both the Nintendo Network ID and Nintendo accounts, which clearly points to a hack through the use of unauthorized logins.
9. Bluekai Data Breach
10. Twitter Data Breach
On July 15, 2020, the microblogging site Twitter was a victim of a cyber attack in which 130 accounts were infiltrated. The cybercriminals used a phone spear-phishing attack to obtain credentials of the 130 employees and then proceeded to tweet from 45 accounts. Ultimately, they managed to access the DM inbox of 36 accounts and downloaded Twitter data from 7 accounts.
Twitter admitted there was a breach and replied, “the attack on July 15, 2020, targeted a small number of employees through a phone spear-phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”