Despite the many changes that 2020 brought, including new home offices, new (and quickly abandoned) hobbies, and new threats, some things stayed the same: numerous data breaches, disruptive hacks, and staggering fines.
We thought 2019 was a momentous year for data breaches, and it even earned the name “the worst year on record” before the end of September. While fewer data breaches were reported in 2020, it wasn’t a year to be outdone: over 36 billion records were exposed by the end of Q3, according to Risk Based Security.
2020 Data Breach Hall of Shame
Annual reports, including ZDNet’s, compiled the worst hacks and data breaches of the year. They were due to the rising threat of ransomware, software vulnerabilities, and both internal and external risks.
One of the biggest new offenders? Poor cybersecurity practices while working at home. Repeat after me: Secure your database and use your VPN!
January: Not a Chill Start to the Year
Security researchers uncovered an unsecured Amazon S3 bucket from a marijuana Point-of-Sale system used in various dispensaries in the United States. The sensitive information of 30,000 people was viewable, including scanned government and employee IDs.
A combination of patient, customer, employee, and business-related data was exposed. This included personally identifiable information (PII) like full names, birth dates, medical ID numbers, and contact information like phone numbers, addresses, and email. Also exposed was information about the cannabis purchased and used, along with sales information like price, quantity purchased, and full receipts.
What makes it the worst: While Microsoft revealed a late-2019 data exposure in January, the Point-of-Sale software data breach impacted a nascent, highly-regulated industry that touches sensitive patient data. If this breach is considered a medical data breach, there could be fines under HIPAA for failure to secure protected health information.
February: No Love for Denmark
Denmark’s government tax portal had an ongoing, five-year software error that exposed the personal information of 1.26 million Danes – one-fifth of the country’s population. Luckily, the breach was discovered during an audit by a Danish agency, which found that taxpayers’ personal identification (CPR) numbers were accidentally added to the site’s URL and subsequently collected by analytics services on the site.
While only the CPR numbers were exposed, each one contains personal information about an individual: the first four digits are the citizen’s birthdate and the last digit indicates whether they are male or female.
What makes it the worst: Few data breaches in February came close to one million records breached, and none found a five-year-old security flaw. These jaw-dropping numbers put Denmark’s tax portal breach at number one.
Runners up included the UK finance industry watchdog, which, as part of a Freedom of Information Act request, exposed the personal data of 1,600 complainants, which leans a little retaliatory. An electronic accessories company suffered a “comically bad data breach,” in which the hackers emailed all impacted customers warnings about poor cybersecurity practices. And last but not least, a controversial facial recognition company suffered a possible “hacktivism” breach wherein their entire client list (consisting mostly of law enforcement agencies) was stolen.
March: Spilling Secrets
An open database exposed 900 million user records for a secret sharing app, making anonymous user activity fully visible. No usernames were included in the breached records, but nicknames, ethnicities, genders, and stated information like age, hometown, and sexual preference, were all part of the leak. Location metadata from each post was also included in the breached database as coordinates, revealing addresses to homes, schools, and offices.
What makes it the worst: The data was stored in a non-password-protected database that was available publicly online, and user information for children and teenagers was easily searchable. The Washington Post researchers were able to sort and download the data in bulk, access users’ accounts, and see user chat activity.
April: Social Distancing Takes a Hit
Credential stuffing – the practice of using credentials stolen from one site to gain access to others that use the same usernames and passwords – led to 500,000 stolen video-calling passwords. Researchers from IntSights found that the hackers collected previously stolen account credentials from the dark web and tested them against the site's login. Any successful logins resulted in a stolen video-calling account and potential sale for the hackers.
What makes it the worst: As people stayed home, video chatting services were main points of contact for friends, families, schools, and coworkers. This data breach, while smaller than others reported in April, hit at a time when its services were close to essential.
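The pattern described above (one source working through many different accounts, mostly failing) is something a defender can look for in login logs. The following is an added example, not code from the article or from any vendor it mentions; the log format, the sample lines, and the thresholds `min_users` and `max_success_rate` are assumptions made for illustration, and it counts per source IP only.

```python
from collections import defaultdict

def sample_log():
    """Constructed sample auth log (not real data); IPs are documentation ranges."""
    lines = []
    # One source trying a different account on each attempt, mostly failing.
    for i in range(12):
        result = "ok" if i in (4, 9) else "fail"
        lines.append(
            f"2020-04-01T10:00:{i:02d}Z ip=203.0.113.7 "
            f"user=user{i}@example.com result={result}"
        )
    # An ordinary user who mistypes a password twice, then logs in.
    lines += [
        "2020-04-01T10:01:00Z ip=198.51.100.20 user=carol@example.com result=fail",
        "2020-04-01T10:01:05Z ip=198.51.100.20 user=carol@example.com result=fail",
        "2020-04-01T10:01:11Z ip=198.51.100.20 user=carol@example.com result=ok",
    ]
    return lines

def parse(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def find_stuffing(lines, min_users=10, max_success_rate=0.25):
    """Flag sources that try many distinct accounts with a low success rate.

    Returns {ip: [accounts that logged in successfully]} so those accounts
    can be forced through a password reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok": set(), "attempts": 0})
    for rec in map(parse, lines):
        stats = per_ip[rec["ip"]]
        stats["attempts"] += 1
        stats["users"].add(rec["user"])
        if rec["result"] == "ok":
            stats["ok"].add(rec["user"])
    findings = {}
    for ip, stats in per_ip.items():
        rate = len(stats["ok"]) / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            findings[ip] = sorted(stats["ok"])
    return findings

if __name__ == "__main__":
    print(find_stuffing(sample_log()))
```

The user who mistypes a password is not flagged because only one account is involved; the distinct-account count is what separates credential stuffing from ordinary login failures.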
May: Millions of Records Up for Grabs
May was a tough month for data breaches. Quite a few organizations each reported several million records exposed. However, an Indonesian e-commerce site came out the worst. Hacked by Shiny Hunters, the breach was initially reported at 15 million records, but the number quickly ballooned to 91 million. The hack was discovered when a data breach monitoring group found user information on a dark web request for help cracking the hashed passwords.
What makes it the worst: The e-commerce site had the most user records exposed in May, but leadership was also slow to confirm the breach and offered contradictory information to customers. Finally, they shared that passwords and financial information were not lost in the hack – although they recommended that users change their passwords.
Runners up for May, each with more than a million records exposed, include:
- A caller ID app (47.5 million records), although they claim the data may not be from a 2020 breach. Exposed personal data of the people impacted in India included phone numbers, phone service provider, name, gender, city, email, and Facebook ID.
- A journaling site (26 million records), who had a hack exposed (finally) after rumors of the breach simmered for years.
- A math tutoring site (25 million records), a popular resource for students, was potentially hacked by the same group as the e-commerce site. Lost information included email addresses and hashed passwords.
- Qatar’s COVID-19 contact tracing app (over a million). Luckily, Amnesty International discovered the vulnerability, presumably before any data was lost.
June: Tracking Information Exposed
This may surprise you, but a marketing information company holds one of the largest banks of web tracking data outside of the federal government. By using website cookies and other tracking tech, it follows web users around the internet and sells the data it amasses to marketers.
Due to an unsecured server, over one billion records were exposed, including names, addresses, email addresses, and other identifiable information. Among the personal data was users’ sensitive web browsing activity; according to TechCrunch, this included everything “from purchases to newsletter unsubscribes.”
What makes it the worst: While there are clear consequences for lost personally identifiable information, the implications of stolen web activity are more nebulous.
July: What Happens in Vegas…
A Las Vegas-based fitness company had an unsecured AWS S3 bucket containing lead generation, customer, and trainer files – each with PII included. Among the data was identifiable information like names, addresses, birth dates, social media account details, and usernames and passwords. Other information included recipes and training plans. With 1.3 million files initially available, the fitness group removed the most sensitive information after being contacted by a security researcher.
What makes it the worst: The workout center removed the files containing PII quickly, but purposefully kept the open database available online for their customers. Not all of the PII was removed, including potentially sensitive “before and after” photos of clients. This suggests a subset of organizations that, due to small teams or a lack of information around sharing PII, may not take secure file sharing seriously.
August: SQL Injection
A free graphics site that’s among the top 100 most popular websites today found that hackers stole user information for 8.3 million of their oldest users. While all 8.3 million had their usernames stolen, only 4.5 million of those also had their password hacked; the remaining 3.55 million records exposed only hashed passwords.
This security breach was caused by a SQL injection, a tactic in which hackers enter malicious commands into web forms of unsecured websites. If successful, the hackers can gain access to the SQL database.
What makes it the worst: Because it is one of the most popular websites today, along with its sister site, the possible snowball effect of this hack could have been dire. Plus, cybersecurity researchers typically consider SQL injections among the easiest attacks to defend against because they’re so unsophisticated. A website with as much traffic as this one should have been able to thwart a SQL injection, if not avoid it entirely, without losing millions of user records.
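Why SQL injection counts as easy to defend against shows up when the same form input is run through a string-built query and a parameterized one. This is an added example, not code from the article or the affected site; the table, its rows, and the form input are constructed, and SQLite stands in for whatever database a real site uses.

```python
import sqlite3

def make_db():
    """Build an in-memory user table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],  # constructed sample data
    )
    return db

def lookup_vulnerable(db, username):
    """'Before': form input is pasted into the SQL text, so it can rewrite the query."""
    query = "SELECT username, pw_hash FROM users WHERE username = '" + username + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, username):
    """'After': the ? placeholder binds the input as a value, never as SQL."""
    query = "SELECT username, pw_hash FROM users WHERE username = ?"
    return db.execute(query, (username,)).fetchall()

# Constructed form input that contains SQL syntax instead of a plain username.
FORM_INPUT = "nobody' OR '1'='1"

def compare(form_input=FORM_INPUT):
    """Run the same input through both lookups and count the rows returned."""
    db = make_db()
    return {
        # The WHERE clause becomes always-true: every user row comes back.
        "vulnerable_rows": len(lookup_vulnerable(db, form_input)),
        # The whole string is compared as a username: no such user, no rows.
        "parameterized_rows": len(lookup_parameterized(db, form_input)),
        # Legitimate lookups still work through the parameterized path.
        "legit_rows": len(lookup_parameterized(db, "alice")),
    }

if __name__ == "__main__":
    print(compare())
```

The fix is a one-line change per query, which is why a regression test like `compare()` belongs in the build for any code path that takes form input.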
September: Music to My Ears
An American multinational entertainment and record label experienced a Magecart attack that lasted for three months. During that time, the label leaked both personal and financial information of customers who made a purchase. Magecart is a conglomerate of hacking groups that targets payment card data online. They often focus on the supply chain, where they can infect a third-party piece of software and skim customer data as purchases are made.
What makes it the worst: Full payment card information, including card number, CVC/CVV, and expiration date, was exposed in the label's Magecart attack, putting the company at risk of PCI DSS non-compliance. Further, impacted customers are at risk both on a personal front and financially. With both types of information, hackers can easily carry out fraudulent purchases and phish for more information.
October: Spooky, Scary, Unsecured Databases
A Voice over IP (VoIP) vendor had an exposed cluster of databases that contained more than 350 million customer records. Among the data exposed were the usual: names, phone numbers, and locations; but also transcripts of voicemails – some of which included calls from medical providers and financial organizations.
What makes it the worst: With the company's transcriptions of sensitive health and financial information, we can see the grey area where organizations that may not have to comply with certain regulations – HIPAA, HITECH, and various financial requirements, for example – can expose that information.
November: Human Error is For Everyone
Human error caused a multi-million record breach in Texas. An insurance software provider found that Texans’ driver’s license information was stored on an unsecured external storage service. The data stored on the unsecured service included driver’s license numbers, names, dates of birth, addresses, and vehicle registration histories.
What makes it the worst: It’s yet another reminder that humans aren’t infallible. It’s why solutions that automate your processes – including security processes – are so important.
A close runner up is the dually-breached Spotify data: thanks to credential stuffing, hackers were able to match usernames and passwords to more than 350,000 Spotify accounts. However, the hackers decided to store this information on an unsecured cloud database – a reminder that, no matter how nefarious they may seem, hackers aren’t foolproof. And, thanks to the security researchers who discovered the unsecured data, affected Spotify users were prompted to reset their account information.
December: Cybersecurity Firms Under Attack
A high-end cybersecurity firm was robbed of their crown jewels – the very offensive tools they use to secure government and corporate systems. Purporting that the hacker was “a nation with top-tier offensive capabilities,” the company also reported that “they used a novel combination of techniques” that they and their partners had never seen before.
What makes it the worst: Like when the villain gets ahold of the hero’s secret weapon in a movie, this hack reveals the damage that can be done when hackers acquire the software and techniques used to keep organizations safe.
What Will a Data Breach Cost You?
Making headlines for a data breach can cost you – and more than just reparations or a fine. Data breaches are the worst of bad press, and can impact your finances for years to come.
The average cost of a data breach was recently estimated at $3.92 million by IBM, but organizations in the United States or in highly targeted industries like finance, healthcare, and retail can have higher price tags. That’s because breaches that involve personally identifiable information are typically the most expensive for organizations to mitigate, and a plethora of personal data flows through financial, health, and retail organizations. Even if you’re in a different industry, if you store or transfer identifiable data, your organization could be an attractive target.
Altogether, costs can include:
- Payments to impacted individuals, including compensation and assistance in the form of credit checks and the staffing of dedicated help lines
- Investigating the data breach and implementing measures to prevent a recurrence
- Ransom payments to regain any stolen data
- Investing in new ways to safeguard your data
- Loss of current and potential future customers
- Payment of any applicable regulatory fines and penalties