December 17, 2019 by Siobhan Climer
From unsecured online databases to phishing scams, the vulnerabilities exploited by cybercriminals remain relatively unchanged. Despite this, in the first six months of 2019 there were over 3,800 publicly disclosed breaches – and that doesn’t even count the ones yet waiting to be discovered.
While it would be feasible, though unpleasant, to recount a data breach for every day of the year, the year isn’t quite yet over. So, while reports of data breaches and compromised records continue rolling in, here is an overview of the 12 biggest data breaches of 2019.
January 2019 – Collection #1
Sound ominous? Troy Hunt, a well-known web security expert and creator of Have I Been Pwned? – a data breach website that enables anyone to identify if their personal information has been compromised – uncovered nearly 773 million unique email addresses and 22 million unique passwords sitting in a cloud storage service called MEGA.
February 2019 – UConn Health
The state-led health system announced in February that an unauthorized third party had gained access to employee email accounts, breaching the privacy of up to 326,000 patients – a small portion of which were UConn employees. The unknown criminal used a phishing attack to exploit users via email.
March 2019 – FEMA
The U.S. Federal Emergency Management Agency (FEMA) announced in late March that 2.3 million disaster victims’ personal information – including email addresses and bank account information – was exposed via a third-party contractor. The contractor was given elevated access, leading to an increased risk of identity theft and fraud for survivors of Hurricanes Harvey, Irma, and Maria, as well as the 2017 California wildfires.
April 2019 – Facebook (Again and Again and Again)
Facebook actually had separate data breaches in March and April, and received a fine for a previous breach in July – but we are relegating them to just one month. In March, Facebook announced that hundreds of millions of passwords were stored in plain-text. In April, over 540 million Facebook records were found on exposed AWS servers. And, in July, the U.S. Federal Trade Commission (FTC) finalized a settlement of $5 billion with Facebook as part of the Cambridge Analytica scandal – uncovered back in 2015.
May 2019 – WhatsApp
Criminals installed surveillance technology on the phones of WhatsApp users. Unlike many breaches, it is unclear how many of WhatsApp’s 1.5 billion users worldwide were impacted. An unnamed source familiar with the investigation claimed an Israeli cyber company – NSO Group – was responsible. The vulnerability was first reported by the Financial Times.
June 2019 – Tech Data Corp.
In June, the research team at vpnMentor uncovered a major data leak at Tech Data Corporation, the Fortune 500 global technology services company. The data breach exposed 264GB of client servers, invoices, SAP integrations, plain-text passwords – and more. Researchers were able to search the exposed database and find highly valuable information, which could easily be used by malicious entities to infiltrate users’ accounts.
July 2019 – Equifax and CapitalOne
While the infamous Equifax breach occurred back in 2017, the settlement between the U.S. FTC and Equifax – which was the subject of much controversy – was only finalized in July. The breach, which led to the theft of over 146 million records by a hacker, was the result of a previously disclosed vulnerability. The slap-on-the-wrist penalty, a measly $700 million dollar joint victim payment/free credit-monitoring behemoth that left millions of people around the globe disturbed, left many in the cybersecurity frustrated. For one thing, the free credit-monitoring comes from the same company that exposed the records of credit-monitoring clients. For another, the FTC and Equifax made claiming the settlement funds (which started at $125/person and ended up around $8/person) a bureaucratic nightmare.
July was also the month the CapitalOne breach came to light; 6 million Canadians and 100 million Americans were subject to a breach of personally identifiable information (PII) over the course of 14 years (2005 to 2019). Included in the breach were social security numbers.
August 2019 – Poshmark
Online retailer Poshmark reported a data breach in August, despite using bcrypt hashing algorithms to scramble passwords – a relatively strong algorithm. Profile information and user preferences were included in the breach of approximately 50 million users.
September 2019 – DoorDash
DoorDash reported a breach in late September of almost 5 million users, drivers, and merchants – including driver’s license numbers, delivery addresses, phone numbers, and hashed, salted passwords. The unauthorized access went unnoticed for approximately 5 months, and DoorDash only became aware of the breach based on information from a third-party provider.
October 2019 – Adobe
Security researcher Bob Diachenko from Security Discovery and technology journalist Paul Bischoff from CompariTech notified Adobe’s security team of a breach in October. Adobe for it’s part, immediately secured the breach. 7.5 million Adobe Creative Cloud users were exposed in an online Elasticsearch database that was connected to the internet without a required password. The discovery team noted that the breach was one of the least severe of breaches uncovered due to the minimal personal information included in the database. They also praised Adobe’s quick response – they secured the breach the same day the team alerted them.
November 2019 – Macy’s
On November 14th, Macy’s finally notified customers of a breach that had occurred on October 15th – a rather lengthy time-to-notification. Cybercriminals added code to the online checkout page and the wallet page and were successful in gathering credit card information and PII of customers. Macy’s did not release information indicating the number of individuals or accounts affected. In response to the report, Macy’s shares dropped 11%.
December 2019 – Disney+
The highly anticipated release of Disney+, Disney’s video streaming service, suffered several immediate set-backs. With over 10 million customers signing up in 24 hours, the service was unavailable to many users. In addition to the downtime, many users reported their accounts were hacked. Twitter user @Travel4vr wrote:
“#distwitter has anyone’s @disneyplus account been hacked? My friend’s was; hackers changed email and password. Now she’s completely blocked from her 3-year prepaid Disney+ account. She’s been on hold for >2 hours”
In fact, within hours of the service launch accounts were already for sale on Dark Web forums for between $3 to $11 per account. Several security experts noted the lack of multifactor authentication (MFA) on the part of Disney, which made it easy for criminals to change passwords on accounts.
What is important to note about the Disney+ “breach” is that it appears Disney was not, in fact, hacked. Instead, users reused passwords and usernames that had already been stolen or exposed in other breaches.
Take-A-Ways From The Biggest Breaches Of 2019
Change your passwords.
Secure your databases.
Hire Mindsight here.
Use MFA.
In some cases, though, there is little to be done to protect credentials. In our globally-connected world, it is expected users will utilize online retailers and credit card companies, SaaS providers and social media.
Users have to do better, but so do the companies with shich individuals do business. The inconsistent application of FTC penalties, and the lack of outcry by citizens around the world do little to encourage improved cybersecurity controls.
Start 2020 off right by ensuring your organization stays off the list of biggest data breaches for next year. Implement strong security controls and security frameworks with the help of cybersecurity experts from Mindsight so you can stay on the good list for 2020.
Learn more about Mindsight’s cybersecurity assessments here.
Like what you read?
Contact us today to discuss your cybersecurity posture.
About Mindsight
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
Contact us at GoMindsight.com.
About The Author
Siobhan Climer, Science and Technology Writer for Mindsight, writes about technology trends in education, healthcare, and business. She writes extensively about cybersecurity, disaster recovery, cloud services, backups, data storage, network infrastructure, and the contact center. When she’s not writing tech, she’s reading and writing fantasy, gardening, and exploring the world with her twin daughters. Find her on twitter @techtalksio.
Protecting Your Business From Rise In Ransomware: A Cybersecurity Report