In the past couple of years, large and small businesses suffered from significant data breaches as millions have been working remotely due to the Covid-19 pandemic. We’ve seen cybercriminals exploit every opportunity to cash in on global fear, from phishing to credential stuffing to social engineering attacks.
No matter the reason, data breaches can be devastating financially and cause severe damage to a company’s reputation. With the average cost of a data breach now at $3.86M and remote work still very prominent, taking all the necessary precautions to keep your corporate network, as well as your financial data and sensitive information, safe has never been more critical.
From dodgy forums to dark web pages, personal details of both employees and customers can end up anywhere if you're not careful enough with your cyber security.
Data breaches 2020
CAM4 (10.88 billion)
The adult live-streaming website CAM4 had accidentally left an unsecured database with 10.88 billion records of highly sensitive data. Luckily, security researchers from SafetyDetectives discovered the leak earlier this year and immediately informed the company.
CAM4 reported that the unsecured database was taken down before cybercriminals could steal customer data and that only a small amount of exposed information could’ve been traced to specific individuals.
The data leak exposed around 7TB of personally identifiable information, including full names, email addresses, sexual orientation, credit card types, and chat transcripts. As a result, millions of users were left at risk of identity theft, fraud, and blackmail attempts.
Twitter (350 million)
On July 15, Twitter suffered a major data breach involving a Bitcoin scam that targeted some of the world’s most prominent figures. Joe Biden, Barack Obama, Elon Musk, and Bill Gates were among those compromised, with 130 high-profile accounts affected by the breach.
Hacked accounts sent out a series of tweets promising users they’d get double the amount they sent to a certain Bitcoin address. Cybercriminals managed to steal $121,000 worth of Bitcoin within a few hours.
Twitter announced that this was a “coordinated social engineering attack,” claiming that cybercriminals successfully targeted a small number of employees who had access to internal systems and tools.
Antheus Tecnologia (80+ million)
In March, the security research team at SafetyDetectives discovered a massive leak in the database of Antheus Tecnologia, a Brazilian biometric solutions company. Over 80 million records were accessible on the internet, including employees’ contact details and 76,000 unique fingerprint records.
The leak occurred because the company failed to password-protect and encrypt a database.
The misconfigured server on which the database was stored didn’t contain actual fingerprint scans but a binary stream – a string of ones and zeroes. Nevertheless, researchers claimed that cybercriminals could use the available data to recreate a full biometric fingerprint image.
Since fingerprint records are now in the public domain, compromised individuals might face security issues in the future when biometric authentication becomes a more common method of verifying user identities.
These security breaches highlight the importance of implementing strong password and encryption policies, as the consequences can be disastrous.
Wishbone (40+ million)
Wishbone, a popular social polling app among youngsters, fell victim to a data breach earlier this year. Hackers gained unauthorized access to the entire database, and personal data of more than 40 million users was reported to be available on the dark web. Such data breaches are particularly troubling given the young age of most of Wishbone’s users.
The database was leaked by a group of cybercriminals called Shiny Hunters. The group is known for other high-profile breaches, but it’s unclear whether they merely leaked the records or committed the initial breach.
Cybercriminals exposed sensitive data, including names, contact details, geolocation, gender, and hashed passwords. Cybersecurity researchers claim that the breach could’ve been avoided if data was properly encrypted.
LiveJournal (26 million)
In May, 26 million account credentials stolen from the blogging platform LiveJournal were offered for sale on various dark web marketplaces, and later, even shared for free on hacker forums.
Though reports about the breach have been circulating since 2014, the stolen records have only been shared and distributed broadly this year. The incident exposed a database of compromised LiveJournal accounts that contained usernames, email addresses, and plain text passwords.
LiveJournal failed to notify its users about the breach, leaving them vulnerable to credential stuffing, blackmail, and targeted email-based extortion. Changing passwords and enabling multi-factor authentication could help affected users tackle risks and stay safe.
easyJet (9 million)
In the first half of 2020, the low-cost airline easyJet suffered a major data breach caused by a “highly-sophisticated attack.” The personally identifiable information of 9 million customers was stolen when hackers gained unauthorized access. The breach exposed customers’ names, email addresses, and travel records. To make matters worse, roughly 2,200 people had their credit card details, including CVV, stolen.
easyJet didn’t reveal how the breach occurred but confirmed that they reported the incident to the National Cyber Security Centre and other regulatory authorities. However, the company still faced criticism for waiting several months to inform its customers.
Following the breach, the law firm PGMBM filed a class-action lawsuit against easyJet for $23 billion. Some critics say that the company will face a lighter penalty since the airline industry is fighting for its survival due to the pandemic.
Marriott (5.2 million)
Marriott’s hotel chain suffered a massive data breach on March 31, 2020, affecting an estimated 5.2 million customers.
Cybercriminals used stolen employee credentials to gain access to a wide range of personal data and sensitive information, including contact details, date of birth, gender, and loyalty account information. Fortunately, Marriott stated that no payment data had been stolen.
Implementing basic security controls like multi-factor authentication could have helped prevent the breach, as stolen employee credentials wouldn’t have been enough to breach the system.
Magellan Health (1+ million)
The healthcare giant Magellan Health discovered that an unauthorized third party had gained access to the private data of over 1 million individuals stored in its database.
In April 2020, the company fell victim to a ransomware attack when a Magellan employee responded to a spear-phishing email. Cybercriminals were able to access Magellan’s internal server, exposing the personal information of both employees and customers.
The compromised data included full names, contact details, employee ID numbers, social security numbers, physical addresses, treatment information, and other health-related details.
Zoom (500,000+)
In the first week of April 2020, more than half a million Zoom account credentials were found for sale on the dark web. Usernames and passwords were sold for less than a penny or even given away for free, alarming millions of users who have flocked to Zoom during the pandemic.
The data breach also contained personal information, including contact details, host keys, and private meeting URLs. This enabled cybercriminals to join business meetings and access confidential information shared in them. Counting the confidential data leaked this way, the total number of impacted users was even greater than the number of credentials exposed.
The data appears to have been collected via credential stuffing, using usernames and passwords obtained in past breaches of other companies.
Nintendo (300,000)
In April, Nintendo announced that 160,000 accounts had been compromised in a credential stuffing attack. After further investigation, the company found out that the actual number of compromised accounts was 300,000.
Stolen account information allowed cybercriminals to make digital purchases through the company’s network and access sensitive data, including email addresses, birth date, and country.
Following the breach, Nintendo disabled logins through Nintendo Network ID and encouraged users to enable multi-factor authentication for added security.
What should you do to prevent data breaches?
This year, businesses across the globe fell victim to highly sophisticated cyber-attacks and data breaches that have affected billions of people. 2020 has clearly shown that no business is immune, and with millions working remotely, building a robust security infrastructure will be crucial for any company going forward. Here are some ways you can strengthen your cybersecurity defenses and safeguard sensitive data:
Use remote work security solutions to combat digital threats.
By utilizing remote work, you can reduce the strain on legacy infrastructure. A solution making use of NordLayer's Network Access Control reduces the surface area for attack, as well as the risk of human error leading to exposed records.
Implement regular security training to educate your team about the latest threats and digital hygiene.
Training staff on the largest data breaches and how easily they can happen is a great way to ensure one doesn't happen to your business. Teach them the importance of never having an unsecured database or unsecured server.
Keeping up to date with the latest trends in cyber security is always a good idea, but hiring the best security professionals is essential.
Always update and patch your software.
The majority of the world is online now, so it's more important than ever to ensure that all devices are running the latest software and firmware. Usually, every software update on major operating systems, no matter how small in size, brings security patches and closes loopholes. This is vital to stop your company from having leaked data or a security breach: if the software is up to date, hackers have much less opportunity and time to find a way in.
Make sure all data is encrypted and secure.
An unprotected database is like having no lock on your front door at home. Sure, you might live in a nice neighborhood and the likelihood of something happening is low, right? Unfortunately, it only takes one person to have devious thoughts for things to come crashing down. Encryption is vital: it essentially scrambles the data being transferred from point to point, stopping would-be interceptors from being able to understand it.
Use multi-factor authentication and strong login credentials to keep your accounts safe.
Login credentials must meet strict password guidelines. Pair this with 2FA (Two-Factor Authentication) to further reduce the possibility of intruders. A password breach can be seriously bad news, but if you're enforcing strict secondary authentication methods, it won't be the end of the world.