The worst data breaches of 2019

Worst data breaches of 2019 web 1400x800

2019 saw some of the largest data breaches in history. Hackers targeted some companies because they had valuable data. Some firms had undiscovered vulnerabilities in their systems and databases open to the public. And, most alarmingly, some were attacked just to prove a point. No matter the reason, data breaches are always a huge blow to a company’s reputation. In some cases, it turns out to be impossible to recover from.

Read on to learn about the largest and worst data breaches of 2019.

AMCA (19.6 million)

In June last year, the American Medical Collection Agency (AMCA) admitted it had been hacked. The medical billing company’s two major clients were affected: Quest Diagnostics and LabCorp.

AMCA first notified Quest Diagnostics that the hack affected the data of 11.9 million of its clients. The attacker managed to gain unauthorized access to databases with their personal information. It included credit card details, medical and banking information, and even Social Security numbers.

The hackers also stole similar data of 7.7 million LabCorp’s customers. To make matters worse, AMCA did not notice that someone was snooping around in their databases for eight months. Both lab testing firms terminated their contacts with AMCA. The company couldn’t get back up and filed for bankruptcy soon after the incident.

Suprema (27.8 million)

In August, security researchers discovered that a loophole allowed anyone to access 27.8 million people’s data. It was stored in Suprema’s public database, but there were no signs that anyone downloaded or used the information.

Organizations from multiple companies use Suprema’s security system Biostar 2 to secure access to their buildings. The publicly accessible data included things like usernames and passwords (all stored in plaintext), fingerprint and facial recognition information, staff’s personal data, and security level and clearance logs.

This vulnerability was especially concerning because users can change their passwords and block credit cards, but leaked biometric data is permanent. To make matters even worse, Suprema did not take the incident too seriously, stating that there was no definite threat and no actions were needed.

Houzz (48.9 million)

Houzz, a home improvement startup, announced at the beginning of last year that someone stole a file containing private and public user data. It included Houzz users’ addresses, Facebook information, emails, encrypted passwords, and IP addresses. The company did not disclose how the data was stolen, how it found out about the breach, or how many users were affected. Nevertheless, the Identity Theft Resource Center estimated that as much as 49 million users were affected by the hack.

Capital One (106 million)

One of the worst breaches of 2019 happened in July. Capital One reported that on March 22 and 23 of the same year, someone hacked into their servers. The attacker gained access to 106 million Capital One customers’ data. It included their names, home and email addresses, credit scores, and transaction data. Most alarmingly, hackers also got their hands on approximately 140,000 social security numbers and 80,000 linked bank accounts belonging to US citizens and about 1 million social insurance numbers of the bank’s Canadian customers.

Capital One immediately alerted its customers about the breach and contacted the FBI. After a few days, Paige A. Thompson was arrested and charged with computer fraud and abuse.

Zynga (218 million)

Mobile gaming giant Zynga, the creator of FarmVille and Words With Friends, released a statement in September, acknowledging that someone hacked their system. The Pakistani attacker targeted Draw Something and Words With Friends players, gaining access to 218 million users’ data. He stole their names, passwords, email addresses, player IDs, and phone numbers. Zynga stated that no financial information was affected. 

Facebook (419 million)

Unfortunately, no one was particularly surprised when in September, a GDI Foundation researcher found a publicly accessible database containing 419 million users’ records. Approximately 200 million of them were phone numbers.

It also included Facebook IDs, and some had the person’s name, location, and gender. The server was not password-protected, so anyone could get their hands on the data and use it for further cyber attacks.

It’s not clear who owned the database. A Facebook spokesperson stated that the data had likely been scraped before the social network disabled search by phone number in 2018. The server was taken down soon after the news broke out.

Collection by Gnosticplayers (1 billion+)

Gnosticplayers is a hacker who got in the news last year because of his aim to steal a billion credentials — a goal he reached by the end of May. He managed to get 1.071 billion records from 45 different companies and released them in six batches. Gnosticplayers put them for sale on the dark web.

The attacker was actively promoting the stolen data in the media, asking for various amounts of bitcoin. It included users’ names, home and email addresses, social media information, and location data. He collected this information from various apps and companies’ databases. Some ended up paying the ransom to prevent their data from going public.

The most affected companies were Dubsmash with 162 million records, MyFitnessPal with 151 million, and MyHeritage with 92 million.

Collections #1-5 (3 billion)

A mega-leak containing approximately three billion records surfaced online in January. It remains the largest compilation of stolen data ever gathered from thousands of different breaches. Collection #1 appeared on the dark web, and a few weeks later, collections #2-5 were distributed on torrenting sites and hacker’s forums. The whole collection amounts to almost a terabyte of data.

Security researcher Troy Hunt discovered it in one of the forums. The leak contained users’ passwords and emails from popular services like Yahoo, LinkedIn, Dropbox, and MEGA. Almost none of it was new, but a lot of people and companies were affected by it and had to take action.

What should you do next?

2019 saw some of the largest data breaches in history, affecting billions of people. Therefore, there’s a high chance that at least one of the services your business uses suffered from a hack or leak recently.

Go to Have I been pwned and check all personal or work emails to see if they ever ended up in a data breach. If they were — you’ll know which accounts are responsible for it. And if something happened, follow service providers’ instructions on how you should act.

A respectable business will have a plan for its customers to ensure their safety in the light of a recent attack. If they don’t, and you’re concerned that changing the passwords won’t guarantee the security of your accounts, you might need to look for a new provider. Yes, moving your whole business to a new service might be costly, but it’s worth it in the long run. 

Share article


Copy failed

Cybersecurity isn't just a trend.

Give your business a safer future with NordLayer. Learn how to mitigate risk and protect your team today.

Protect your business with cybersecurity news that matters

Join our expert community and get tips, news, and special offers delivered to you monthly.

Free advice. No spam. No commitment.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.