The beginning of a new year is a good time to reflect on past mistakes and resolve to do better in the future.
As is the case every year, 2019 saw its fair share of major data breaches, including the massive Collection 1 leak, which included 2.2 billion unique usernames and passwords.
But we can only hope that all the companies that got hit last year have made tightening up cybersecurity one of their new year’s resolutions and top priorities.
Here are just 8 of those data breaches that we think you should know about: what companies were affected, how they got hacked, and what data was compromised.
Back in September, food delivery service DoorDash reported that the private data of 4.9 million customers, delivery workers, and merchants was stolen, including names, emails, addresses, passwords, and more. According to the company, the breach happened in May and was blamed on an unnamed third-party service provider.
In October, it was found that creative software developer Adobe was hosting nearly 7.5 million user records on an unprotected database that could be accessed without a password or any other form of authentication. This exposed information included emails, subscription statuses, and more details which could be used in targeted phishing campaigns. When notified about this by a security researcher, Adobe secured the database that same day.
American Medical Collection Agency
A total of 21 companies and 24.4 million patients were affected by this data breach. In June, medical bill and debt collector AMCA informed one of its clients, Quest Diagnostics, that an "unauthorized user" had access to their system and might have accessed data on 11.9 million Quest patients, including credit card numbers, bank account information, medical information, and Social Security Numbers. More of AMCA’s clients would soon disclose that they had been affected by the breach, bringing the total up to 21.
Capital One bank announced in July that data belonging to 100 million US citizens and 6 million Canadian residents had been stolen by a hacker. This data included 140,000 US Social Security numbers, 80,000 bank account numbers, and 1 million Canadian social insurance numbers, in addition to names, addresses, ZIP codes, phone numbers, emails and birth dates. The hacker behind the data breach allegedly stole the information by finding a misconfigured firewall on Capital One's Amazon Web Services cloud server, and was quickly apprehended by the FBI.
This past May, online graphic design tool Canva was hit with a data breach that exposed the private data of roughly 139 million users. The data, which included names, usernames, email addresses, and city and country information, was obtained by the same hacker responsible for the Collection 1 leak, Gnosticplayers. Email passwords were also accessed; however, they were salted and hashed using the bcrypt algorithm.
In September, Words With Friends developer Zynga announced that "certain player account information may have been illegally accessed by outside hackers". The hacker Gnosticplayers once again claimed responsibility for this data breach, revealing that they had accessed the data of 218 million Words With Friends users. Compromised information included players’ names, emails, login IDs, hashed passwords, password reset tokens (if requested), phone numbers (if provided), Facebook IDs (if connected via the social network) and Zynga account IDs.
Also in September, the phone numbers of more than 419 million Facebook users were exposed. The breach was the result of exposed servers that were not protected by any password, one holding 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam. Each record contained a user’s unique Facebook ID and the phone number listed on the account, exposing these users to SIM-swapping attacks or worse.
Back in May, it was found that financial services company First American had 885 million sensitive customer financial records openly exposed on its website. This exposed data included Social Security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts. The discovery was made by independent security journalist Brian Krebs, and when informed, First American took immediate action and shut down external access to the application.
Learning from mistakes in 2020
From banks to game developers, data breaches are a risk to businesses of all types and sizes. In more than one of the incidents covered above, major data leaks could have easily been prevented had customer data been protected by a strong password.
Get started with Myki for MSPs now to ensure a more secure 2020 for you and your clients.