Since the COVID-19 pandemic forced companies to move their business to remote operations, there has been a significant increase in the number of data breaches, and a proliferation of attempts to damage, disrupt or gain unauthorised access to the networks and storage systems of banks and other financial institutions. From February to April 2020 alone, amid the COVID-19 surge, cyberattacks against the financial sector increased by 238%, according to VMware Carbon Black data. It is worth noting, however, that in very few incidents is the number of affected records revealed, either because the affected organisations do not know it or because they are not required to disclose it.
Below we list 11 of the most noteworthy data breaches from 2020.
1. SolarWinds data breach
On December 13, 2020, The Washington Post reported that multiple US government agencies had been breached through SolarWinds' Orion software. SolarWinds sells software that lets an organisation see what is happening on its networks. Attackers inserted malicious code into an update of that software, Orion, and the trojanised update has had a sweeping impact, the scale of which keeps growing as new information emerges. The company stated in an SEC filing that fewer than 18,000 of its 33,000 Orion customers had installed the affected versions, 2019.4 through 2020.2.1, released between March 2020 and June 2020.
According to Microsoft, the attackers used the administrative access they gained on-premises to obtain the SAML token-signing certificate of the victim's federation service. With that certificate they could forge SAML tokens for any user, giving them trusted and highly privileged access to cloud and network resources without ever touching a password. The Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21-01 in response, directing all federal civilian agencies to disconnect or power down their Orion instances.
US intelligence agencies attributed the campaign to Russia several weeks after the first public reports of the hack, which affected local, state and federal agencies in the US in addition to private companies.
2. Twitter data breach
In July 2020, several high-profile Twitter accounts were compromised in what became one of the highest-profile hacks of the year. Elon Musk, Joe Biden, Jeff Bezos, Michael Bloomberg, Kim Kardashian West and Bill Gates were among the accounts pushing out tweets claiming that followers would receive double the money they sent to a certain Bitcoin address.
Twitter confirmed the breach and said it was a “co-ordinated social engineering attack” on employees who had access to “internal systems and tools”.
According to Twitter, the attackers targeted 130 accounts, and on a subset of them were able to reset the password, take control and send tweets.
The attackers collected roughly $121,000 in Bitcoin before the scam was shut down.
Cybersecurity experts note that the attack did not need a software vulnerability: the attackers targeted the Twitter employees who held the internal tools, then preyed on the trust associated with verified accounts and the attraction of doubling your money.
3. CAM4 data breach
Adult video streaming website CAM4 left an Elasticsearch server exposed without authentication, leaking over 10 billion records.
The exposed records included sensitive information such as full names, email addresses, sexual orientation, chat transcripts and IP addresses.
Many of the exposed email addresses are linked to cloud storage services. If attackers were to launch successful phishing attacks against these users, they could gain deeper access to personal photos and business information.
Given the nature of the site, affected users could fall victim to blackmail and defamation attempts for many years to come.
4. Zoom data breach
The COVID-19 pandemic fuelled the exponential growth of the virtual meeting app Zoom, as hundreds of millions of people across the world were forced to work and study from home.
In April 2020, as the pandemic was accelerating, the login credentials of over 500,000 Zoom accounts were found for sale on the Dark Web. The credentials had been assembled largely through credential stuffing, replaying username and password pairs leaked in earlier breaches against Zoom rather than breaking into Zoom itself. Buyers could use them to log in and join meetings mid-stream, and the listings also included personal details of the account holders such as email addresses, personal meeting URLs and host keys.
5. Nintendo data breach
Nintendo suffered a major account breach in April 2020, when more than 160,000 user accounts were compromised in a presumptive credential stuffing attack. The attackers used the hijacked accounts to buy coveted digital items through the Nintendo network; once inside an account they could make purchases and view sensitive data such as email address, date of birth and country.
Nintendo said the compromised credentials were “obtained illegally by some means other than our service.” That strongly suggests the affected users were reusing IDs and passwords: when those credentials leaked in a breach elsewhere, the attackers could simply replay them against Nintendo accounts.
As a result of the breach, Nintendo discontinued the practice of letting users log in with their Nintendo Network ID (NNID). The company also recommended that users enable two-factor authentication to protect their accounts.
Such attacks are commonplace in the gaming and media sector; Netflix, Spotify and Disney+ have all fallen victim to similar credential stuffing attacks in recent months and years.
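Credential stuffing is visible in authentication logs as one source address trying many distinct accounts in a short time with a low success rate. The following detector is an added example, not Nintendo's code, that runs over a constructed login-audit log in an assumed format (`timestamp ip=... user=... result=ok|fail`); the threshold values are assumptions a practitioner would tune per service. Besides flagging the source, it lists the accounts that did log in successfully from it, which are the ones to force-reset and sign out.

```python
"""Credential-stuffing detector over constructed login-audit lines.

Added example, not Nintendo's code. Assumed log format (one event per line):
    <ISO-8601 UTC timestamp> ip=<source address> user=<account> result=<ok|fail>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 replays leaked
# credentials against ten different accounts in a few seconds and hits two of
# them; 198.51.100.4 is one user mistyping a password; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2020-04-20T10:00:01Z ip=203.0.113.7 user=alice result=fail
2020-04-20T10:00:02Z ip=203.0.113.7 user=bob result=fail
2020-04-20T10:00:02Z ip=203.0.113.7 user=carol result=ok
2020-04-20T10:00:03Z ip=203.0.113.7 user=dave result=fail
2020-04-20T10:00:03Z ip=203.0.113.7 user=erin result=fail
2020-04-20T10:00:04Z ip=203.0.113.7 user=frank result=ok
2020-04-20T10:00:05Z ip=203.0.113.7 user=grace result=fail
2020-04-20T10:00:05Z ip=203.0.113.7 user=heidi result=fail
2020-04-20T10:00:06Z ip=203.0.113.7 user=ivan result=fail
2020-04-20T10:00:07Z ip=203.0.113.7 user=judy result=fail
2020-04-20T10:01:00Z ip=198.51.100.4 user=mallory result=fail
2020-04-20T10:01:05Z ip=198.51.100.4 user=mallory result=fail
2020-04-20T10:01:12Z ip=198.51.100.4 user=mallory result=ok
2020-04-20T10:02:00Z ip=192.0.2.9 user=trent result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Return a time-sorted list of (timestamp, ip, user, succeeded) tuples."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=8,
                    min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that, inside any sliding `window`, make at least
    `min_attempts` login attempts against at least `min_distinct_users`
    distinct accounts with a success ratio no higher than `max_success_ratio`.
    Thresholds are assumed starting points, to be tuned per service.

    Returns {ip: {"attempts": n, "distinct_users": n, "hijacked": [users]}}
    where "hijacked" are accounts that logged in successfully from that IP
    while it was stuffing, i.e. the ones to force-reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        win = deque()
        for ev in evs:  # evs is already time-sorted
            win.append(ev)
            while ev[0] - win[0][0] > window:
                win.popleft()
            users = {e[2] for e in win}
            successes = [e[2] for e in win if e[3]]
            if (len(win) >= min_attempts
                    and len(users) >= min_distinct_users
                    and len(successes) / len(win) <= max_success_ratio):
                cur = findings.setdefault(
                    ip, {"attempts": 0, "distinct_users": 0, "hijacked": set()})
                cur["attempts"] = max(cur["attempts"], len(win))
                cur["distinct_users"] = max(cur["distinct_users"], len(users))
                cur["hijacked"].update(successes)
    for f in findings.values():
        f["hijacked"] = sorted(f["hijacked"])
    return findings


def accounts_to_reset(findings):
    """Union of accounts hijacked via any flagged source, sorted."""
    return sorted({u for f in findings.values() for u in f["hijacked"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in found.items():
        print(f"{ip}: {f['attempts']} attempts on {f['distinct_users']} accounts, "
              f"successful logins: {', '.join(f['hijacked']) or 'none'}")
    print("force password reset + session revoke for:", accounts_to_reset(found))
```

The success-ratio test is what separates stuffing from a busy NAT gateway: a shared office address produces many distinct users but mostly successful logins, while replayed leaked credentials mostly fail. Real attackers spread attempts across many addresses, so in production the same logic is usually also keyed on other stable attributes (ASN, user agent, device fingerprint) rather than on the source IP alone.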
6. Parler (alleged) data breach
In November 2020, Twitter lit up with claims that Parler, a social media platform then surging in popularity among Trump supporters, had been hacked.
Parler's CEO John Matze denied the claim, but the rumours continued to circulate online. Some said the leak had been debunked (Snopes labelled the accusations false), while others were adamant that more damning information would be disclosed soon. Based on the evidence at the time of writing there was no hack, but there were still security concerns that needed addressing.
The rumour, which held that Parler users had their Social Security numbers and private messages stolen, was based largely on a single (since deleted) tweet and a months-old screenshot.
In parallel with the debunked WordPress log, however, there were claims of a separate security flaw that exposed over 6.3 GB of Parler user data pulled from one of its advertising partners. These claims came from several security researchers on Twitter, including Jackie Singh, head of cybersecurity for Joe Biden's presidential campaign, and John Jackson, an application security engineer at Shutterstock, among others. They were also clear that the issue at hand was still not a hack; the researchers had merely found and investigated an alleged vulnerability. Still, it added fuel to the hacking claims.
7. LiveJournal data breach
Back in the early days of blogging, millions of people took to LiveJournal to air their secrets, form communities and write reams of fanfic. In May 2020, many of those users had an unpleasant shock when Bleeping Computer reported that hackers were passing around a database containing 26 million login credentials.
The most damning part of this story is that rumours about this leak had been circulating since 2014, and LiveJournal has still not publicly acknowledged the breach. That left users exposed, and Threatpost reports that hackers have been using the data for both credential stuffing and targeted email-based extortion.
The database contains email addresses, usernames and plaintext passwords. Typically this kind of data is valuable mainly as fuel for further credential stuffing attacks, but the highly personal nature of blogging means that attackers can also use private drafts and messages for blackmail.
8. Marriott data breach
In March 2020, the Marriott hotel group disclosed a large data breach that compromised the records of up to approximately 5.2 million hotel guests.
The company believed that information including contact details, loyalty account numbers, gender, birthdates and room preferences may have been involved, although not all of this information was present for every guest affected.
The news is particularly unfortunate for Marriott, since it came only two years after the company discovered another massive breach, stemming from its acquisition of Starwood Hotels.
An attacker obtained the login credentials of two employees at a franchised Marriott property and used them to siphon data for roughly a month before being discovered. How the attacker obtained those credentials is unclear; credential stuffing and phishing are both likely culprits.
9. EasyJet data breach
EasyJet, a UK-based low-cost airline, reported that the personal data of 9 million customers, including the credit card details of around 2,200 of them, had been stolen by cybercriminals. Under Europe's strict GDPR rules, it is only natural for a company in EasyJet's position to face fines and compensation claims from the affected customers.
EasyJet has not revealed how its databases were hacked, except to say that the attacker appeared to be targeting the company's intellectual property rather than its customers' personal data.
Even though EasyJet reported the matter immediately to the Information Commissioner's Office and other regulatory authorities, critics point out that customers were only notified four months after the incident took place.
EasyJet could face penalties amounting to tens of millions of pounds under the General Data Protection Regulation, so hard times await the airline. In addition, in May 2020 the low-cost carrier unveiled plans to cut up to 30% of its 15,000 employees, the latest airline to acknowledge that the aviation industry faces a slow recovery from the collapse caused by the coronavirus pandemic.
10. Antheus Tecnologia Biometric Data Breach
Security researchers uncovered a massive data exposure at the Brazilian company Antheus Tecnologia, which produces and sells biometric solutions in Brazil and internationally.
The data was discovered on an unsecured server and included 76,000 unique fingerprints, email addresses of company employees, telephone numbers and more. The server did not store fingerprint images directly, but the binary templates from which an attacker could reconstruct them, with potentially harmful results, since a fingerprint, unlike a password, cannot be changed once it leaks.
In response to the report, Antheus Tecnologia stated that the exposed fingerprints are public and claimed that the captured data had been hashed; the researchers found that the latter was not the case.
11. Slickwraps data breach
Slickwraps, a company that lets users design custom skins for their electronics, was embroiled in a data breach story that The Verge called “comically bad.” The breach started when someone claiming to be a “white hat” hacker tried to alert the company about its “abysmal cybersecurity.”
Unfortunately, Slickwraps ignored them, so the hacker published a now-deleted Medium post about the experience. A second hacker read that post, exploited the same vulnerability and breached the company. In a particularly egregious touch, that hacker then emailed all of Slickwraps' customers to notify them that their data had been compromised.
The company's phone customisation tool was vulnerable to remote code execution. Users needed to be able to upload their own photos, but Slickwraps accepted any file, not just images, and wrote it to the top-level directory of the server. The hacker therefore uploaded a file the server would execute, gaining remote code execution and the ability to run shell commands. (In the Medium post, the hacker called this “akin to obtaining a skeleton key.”)
Per the original hacker, the vulnerability gave them nearly free rein over Slickwraps' systems, including access to customer photos, billing and shipping addresses, admin account details, and the resumes of all employees.
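The bug class behind the Slickwraps breach is unrestricted file upload. The following is an added example, not Slickwraps' code: a handler that reproduces the failure the article describes (any file accepted, saved under the client's chosen name where the server will serve or execute it) beside a hardened handler that validates the upload by content, discards the client-supplied name, and stores the file outside the web root. Directory names, size limits and the sample payloads are assumptions for the demo.

```python
"""Unrestricted file upload: the vulnerable pattern beside a hardened one.

Added example, not Slickwraps' code. It reproduces the class of bug the
article describes (any file accepted, written where the server will serve or
execute it) and the fix a reviewer would ask for. Paths and names are
assumptions for the demo.
"""
import os
import secrets
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit for a skin photo


def vulnerable_save(web_root, client_filename, data):
    """VULNERABLE: trusts the client-supplied name and writes straight into the
    served tree. A name such as 'shell.php' (or one containing '../') lands
    where the web server will execute or serve it."""
    dest = os.path.join(web_root, client_filename)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


class UploadRejected(ValueError):
    pass


def sniff_image_type(data):
    """Identify PNG/JPEG by leading bytes; the extension and Content-Type
    header are attacker-controlled and are ignored."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpg"
    return None


def hardened_save(upload_store, client_filename, data):
    """HARDENED: bounds the size, validates by content, never uses the client
    name to build a path (so no traversal and no executable extension), gives
    the file a random name, and writes it to a store outside the web root that
    is only ever read back by an image-serving handler. Creation is O_EXCL so
    an existing file is never overwritten."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload too large")
    kind = sniff_image_type(data)
    if kind is None:
        raise UploadRejected(f"{client_filename!r} is not a PNG or JPEG")
    store = Path(upload_store).resolve()
    dest = store / f"{secrets.token_hex(16)}.{kind}"
    if dest.resolve().parent != store:  # defence in depth; cannot fail with our own name
        raise UploadRejected("path escapes upload store")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return str(dest)


def demo():
    """Run both handlers on a constructed non-image payload and on a constructed
    PNG header sent under a traversal-style name; returns the observations."""
    web_root = tempfile.mkdtemp(prefix="webroot_")
    store = tempfile.mkdtemp(prefix="uploads_")
    bogus = b"<?php echo 'not an image'; ?>"  # constructed; stands in for a webshell
    png = PNG_MAGIC + b"\x00" * 32           # constructed minimal PNG header
    out = {}
    out["vulnerable_wrote"] = os.path.basename(vulnerable_save(web_root, "shell.php", bogus))
    try:
        hardened_save(store, "shell.php", bogus)
        out["hardened_rejected_bogus"] = False
    except UploadRejected:
        out["hardened_rejected_bogus"] = True
    saved = hardened_save(store, "../../shell.php", png)
    out["hardened_stayed_in_store"] = os.path.dirname(saved) == str(Path(store).resolve())
    out["hardened_extension"] = saved.rsplit(".", 1)[-1]
    out["hardened_name_is_random"] = "shell" not in os.path.basename(saved)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Magic-byte sniffing is necessary but not sufficient on its own: a polyglot file can begin with a valid image header and still carry script content, which is why the hardened version also stores uploads where nothing will ever interpret them and serves them back only through a handler that sets an image Content-Type. Re-encoding the image with an image library before storage removes the polyglot risk entirely.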
Mitigating Cyber Threats
To reduce the risk of being attacked or hacked, organisations are advised to establish an anti-phishing strategy: train employees to recognise malicious emails and sites, and use email systems with integrated anti-phishing protection.
Additional advice includes using two-factor authentication wherever possible, using a unique password for every service so that one leaked credential cannot be replayed elsewhere, enabling automatic security updates, and deploying ransomware protection and antivirus systems.
“Another effective way is to make public-facing websites static,” the global technology company Acronis advised. “Since some companies do not need complex content management systems on their websites, pre-rendered static pages are more secure.”
User monitoring applications are also becoming standard in many companies, particularly those handling sensitive data, such as in the healthcare sector. This software records what users do while logged in remotely and helps to provide clear evidence and root causes during investigations of security breaches.
Such software is often required for compliance and auditing purposes, as in the case of HIPAA regulations governing the handling of patient records.
Learn about how RecordTS’s Remote Desktop Session Recording software can help here – www.tsfactory.com.