The Top 10 Most Significant Data Breaches Of 2020
Most everyone agrees that 2020 was a loss-leader of a year.
To put it mildly, the year in cybersecurity wasn’t much better. While the COVID-19 pandemic was transforming the world of work, it fueled a pandemic of cyberattacks and data breaches.
In just the first three quarters of 2020 there were 2,953 publicly reported breaches, 51% increase compared to the same time period in 2019. By the end of Q2, 2020 was already the “worst year on record” in terms of total data records exposed. By October, the number of records breached had grown to a mind-boggling 36 billion.
For this most epic of years, we decided to recognize the Top Ten breaches of 2020 that were significant in ways that can’t always be measured in dollars or terabytes of data.
In a January 2020 blog post, Microsoft said that an internal customer support database on which the company stored anonymized user analytics had been accidentally exposed online.
The post was somewhat understated. Over 250 million Microsoft customer records, spanning 14 years, were exposed online without any password protection. The naked database was discovered — and reported to Microsoft — by Bob Diachenko, a security researcher with Security Discovery.
Microsoft blamed the accidental server exposure on misconfigured Azure security rules the company deployed on Dec. 5, 2019.
Upon learning of the gaffe, Microsoft engineers quickly remediated the configuration to prevent unauthorized access to the database. The company expressed confidence that its commercial cloud services were not exposed.
The 2020 data breach exposed email addresses, IP addresses, and other details stored in a support case analytics database. (Microsoft says that no other personal information was stored in the database.)
A corporate spokesman said that data stored in this type of analytics database is automatically redacted to remove any personal information.
However, if users entered customer support requests using non-standard data conventions (for example, “name surname @ email domain com” instead of “email@example.com”) the data would not have been detected or redacted; it would have been visible in the exposed database.
For records containing data in non-standard format, Microsoft said it had immediately notified any affected customers. An internal investigation was unable to find any “malicious use” exposing personally identifiable information (PII).
Why it matters …
Is it something with the water in Redmond?
Even before this New Year’s muck-up, Microsoft was making news for a number of security lapses, including an Internet Explorer zero-day vulnerability that remained unpatched for weeks, despite being actively exploited.
The January security failure came mere days after the U.S. Government issued a highly-critical Windows 10 update alert regarding an “extraordinarily serious” curveball crypto vulnerability.
Any security breach is meaningful if it involves one of the “five brothers”, the quintet of technology megacorporations that dominate digital commerce and social communications across the planet. While we didn’t think it could have gotten any worse, but Microsoft’s involvement in the 2020 Solarwinds APT hack, as well as the more recent 2021 Exchange Server recent security incidents have put it at the head of the list.
2. Estee Lauder
In February, security researcher Jeremiah Fowler came upon a massive online database belonging to cosmetics giant Estee Lauder. According to Fowler, the unsecured database exposed confidential information stored in over 440 million customer records.
No payment information or other sensitive data was found to be unprotected, but email addresses, IP addresses, ports, pathways, and storage information was there for the taking, by anyone who wanted it.
A spokesperson for Estée Lauder blamed the 2020 data exposure middleware security failures. That may have provided a way for malware to access applications, data, and systems. Apparently, the database was part of an “education platform” that didn’t contain any consumer data. The company maintains there was no evidence of any unauthorized use of the data.
Why it matters …
A staggering number of customer records were sitting out in cyberspace, unprotected. This was not a sophisticated data breach pulled off by a powerful nation state with scores of dedicated hackers.
Jeremiah Fowler told Forbes that the entire database could have been easily accessed by anyone with an internet connection and basic computer skills. Your mom, for example. No hacking skills required.
This information, by itself, is deeply troubling in a marketplace that sees billions of dollars spent each year on cybersecurity solutions. No amount of money can fend off cybercrime when companies simply leave valuable data sitting on the curb.
The Estee Lauder data breach should also trouble anyone who believes that corporations treat personal information with extreme care.
3. MGM Resorts
Also in February, someone in a hacking forum leaked personal information about more than 10.6 million guests of MGM Resorts hotels.
The leaked contact information for millions of former hotel guests included records of celebrities that included Justin Bieber, Twitter CEO Jack Dorsey, and a number of government officials. MGM insists that no credit card information or passwords were exposed in the data breach.
Incredibly, this is not the first time confidential information about MGM guests had been openly published online. In mid-2019, MGM employees noticed there had been unauthorized access of a corporate server. That very same day, the stolen information started appearing in a number of hacking forums.
In July of 2020, researchers discovered an ad on a dark web marketplace offering the records of more than 142 million MGM guests for the bargain price of $2,900. The offer suggests that the original breach may have been far worse than previously indicated.
A MGM Resort spokesperson said that all guests affected by the breach were informed of the incident. The spokesperson added: “We are confident that no financial, payment card, or password data was involved in this matter.”
Why it matters …
The MGM breach matters for several reasons. MGM is a major player in the hospitality industry — and a touch point for hundreds of millions of people who spend their leisure time and entertainment dollars at the company’s resorts. While the hacked personal data appears to be limited to “phone book” information, that won’t stop someone from trying to use the information as the basis for invasive “spear phishing” campaigns.
When it comes to security, MGM seems to have problems staying out of the limelight. The fact that this was the second time in a year that someone was trying to sell hacked MGM guest records might indicate a problem that is more persistent than it’s being portrayed.
In April, 2020, around the time COVID-19 protocols were starting to take effect, more than 267 million Facebook profiles popped up for sale on the Dark Web — for the princely sum of $600.
The pirated profiles were traced back to a data leak discovered in December, but with additional PII (personally identifiable information), including phone numbers and email addresses.
The leaked information would make it possible for cybercriminals to launch spear-phishing campaigns designed to collect Facebook user passwords through bogus email campaigns or SMS texts disguised as official communications from Facebook.
Why it matters …
There will always be a certain percentage of the public that is likely to believe anything that comes in the mail (or email) — and who will willingly provide attackers with the information they want.
The Facebook data found circulating on the Dark web is precisely the type of data that forms a basis for spear-phishing campaigns that can compromise unsuspecting users.
As one of the “Five Brothers” that dominate the global economy, Facebook invites added scrutiny as an enterprise that manages the social interactions of billions of people across the planet.
In April of 2020, when stay-at-home orders were turning millions into teleworkers, use of video conferencing apps rocketed — with Zoom the primary beneficiary of the increased demand.
As record numbers of workers flocked to Zoom, cyber attackers were able to breach the credentials of over 500,000 Zoom teleconferencing accounts and post them for sale on the dark web for as little as $.02, or simply give the records away on various hacker forums.
Evidence suggests that hackers canvassed dark web databases for previously compromised login credentials dating back to 2013. The tendency of users to recycle passwords gave the hackers easy access to many new Zoom accounts created by people who saw nothing wrong with reusing their dog’s name spelled backwards for their Zoom password.
Hackers quickly used the compromised passwords to launch credential stuffing attacks that gave them access to even more accounts. The end result? The “zoombombing” of remote workplace meetings by individuals possessing stolen credentials — malcontents who would log into live streaming meetings and create chaos in a variety of ways, including screensharing of disturbing images from pornography and shock videos.
Zoom responded by hiring intelligence firms to locate these password dumps and shut down thousands of websites designed to fool users into downloading malware or ceding their credentials.
The company also locked any accounts found to be compromised by the cyber attack and asked its users to change their passwords to more secure formats.
Why it matters …
The cyberattacks on Zoom underscore the security weaknesses that accompany the pandemic.
Like the rest of us, Zoom was ill-prepared when it came to responding to a post-pandemic world.
More people working remotely means more devices connected to a network, expanding the attack surface and creating more opportunities for criminal activity.
More than ever, companies need to enable scalable strategies for cybersecurity, strategies capable of meeting greater demand and sudden shifts in user behavior.
6. Magellan Health
April 2020 saw Healthcare giant Magellan Health fall victim to a phishing scam plus ransomware attack that affected 365,000 patients across eight affiliates and healthcare providers.
The sophisticated 2020 cyber attack started with a phishing scheme to impersonate clients, a ruse that gave criminals access to a single corporate server on which to deploy malware that yielded sensitive patient details that included W-2 data and Social Security or Taxpayer ID numbers — information that could be ransomed for large sums of money.
Why it matters …
Data breaches in the health sector are amplified during the worst pandemic of the last century.
The Magellan attack was one of the largest breaches to the healthcare sector in 2020. It was also the second notable phishing scheme the company has suffered in recent years.
The optics aren’t good. Magellan’s stumbles suggest that a major healthcare enterprise doesn’t have a robust cybersecurity strategy in place — at a time when consumers are looking much more closely at the nation’s health care providers.
Also in April, the Maze group launched a ransomware attack on Cognizant Technology Solutions (CTS), causing a disruption of services to the company’s clients.
Confirming the data breach on its website, Cognizant said it had taken steps to contain the incident and notified clients about the attack as well as the measures it was taking to ensure protection.
In a typical ransomware attack, cybercriminals infect a target company’s systems with a virus and demand payment for returning the data to a usable state. In the case of Cognizant, the Maze attackers demanded payment of a ransom to prevent it from publishing the breached information online.
In June, Cognizant, one of the largest IT managed services enterprises, announced that hackers had stolen customer information in a ransomware attack a few months earlier. The personal information taken in the heist included names, Social Security numbers, tax identification numbers, financial account information, driver’s licenses, and passport information.
Two months earlier, Cognizant emailed clients, informing them of the 2020 cyber attack by the Maze Ransomware and instructing customers to shut down any network connections with Cognizant to protect themselves from possible infection. All of this suggests that like many successful breaches, the hacker was probably in for several months before Cognizant was aware of the ransomware.
In providing IT services remotely, Cognizant connects to customers through end-point clients software installed on workstations — using these links to push out patches, software updates, and provide other remote services. Cognizant also revealed that it paid a ransom of $50–70 million to Maze to have the information restored.
Why it matters …
The sheer dollar amount of the ransom. And the audacity of an attack that breached one of world’s largest IT management services companies. (Cognizant employs over 300,000 people worldwide, including a large security staff that should be focused on maintaining a secure infrastructure to keep its customers safe, and reports $15 billion a year in revenue.)
Also significant was the possibility of an attack that could leap across the internet and spread to customer sites across the globe.
In April, Nintendo originally reported that 160,000 users were affected by a mass account hijacking that leveraged the company’s NNID legacy login system. The hijacking gave data hackers access to payment services linked to these accounts, including PayPal accounts or credit cards the cybercriminals used to make unsolicited digital purchases. (Reports indicate that these attacks went on for weeks.)
Nintendo responded by shutting down all NNID logins and asking Switch owners to lock down their accounts.
The gaming giant admitted that the attack may have exposed private information that included nicknames, email addresses, dates of birth and gender. While confirming that purchases were made through user accounts, Nintendo maintains that credit card data itself was not accessed.
Security experts suspect that weak passwords are to blame. Hackers took advantage of vulnerabilities associated with legacy accounts that used Nintendo Network ID (NNID) for older platforms such as Wii U and 3DS. Designed for setup with the system’s original screen keyboards, NNID made it difficult for users to create strong passwords. (The current system allows users to create account profiles on a web browser.) To prevent additional breaches, Nintendo posted a tweet instructing members to enable 2-step authentication.
NOTE: In June 2020, Nintendo revealed that another 140,000 Nintendo accounts had been compromised, raising the total number of breached user accounts 300,000.
Why it matters …
The cultural significance of Nintendo being gamed aside, the attack should be a wake-up call to a gaming industry that supports many legacy platforms and logins — a minefield for cybersecurity profiles.
In July, social media powerhouse Twitter suffered an unprecedented hacking of celebrity accounts as the result of an audacious spear-phishing attack targeting Twitter employees. 130 accounts were hijacked, including the social media platforms of Barack Obama, Kanye West, Elon Musk, Joe Biden and Bill Gates.
Cybercriminals used the hacked accounts to publish a bitcoin scam while also gaining access to these individuals’ direct messages. Reportedly, the scammers netted more than $100,000 from people who had no reason to question why a celebrity would tweet:
“I’m giving back to the community. All bitcoin sent to the address below will be sent back doubled! If you send $1000, I will send back $2000. Only doing this for 30 minutes.”
Bitcoin tweets were published from 45 of the 130 targeted accounts. (The contents of DM messages were accessed on 36 of the accounts and Twitter data was downloaded from seven.) The cyber attack started with calls to Twitter employees by hackers posing as colleagues who needed credentials to internal systems. The trusting employees granted the callers access to the company’s internal support system, enabling the scammers to target additional employees.
Twitter Support’s comment on the incident didn’t mince words about where the blame would fall: “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
The celebrity hack came barely a month after another security lapse at Twitter allowed the billing information for many business users to be inadvertently stored in a browser cache, exposing sensitive data to unauthorized access.
Why it matters …
If breaches continue to cascade, it is likely to fuel widespread distrust with Twitter and its security infrastructure at a time when many Americans are wondering who they can trust.
This past March, hackers posted the contents of a database containing 900 million Whisper posts, along with metadata related to the anonymous social media posts. In promoting its eponymous “secret-sharing” app, Whisper likes to refer to itself as the “safest place on the Internet”.
That tagline might need a refresh after cyberthieves exposed all of the PII belonging to Whisper users, including personal confessions, ages, locations and other details — allowing anyone to access all of the content tied to anonymous “whispers” posted to the app.
The exposed records don’t provide any real names but they do include a great deal of demographic information such as the stated age of users, ethnicity, gender, hometown, nickname and any membership in groups, including many devoted to sexual confessions and discussions regarding sexual orientation and desires.
The database was discovered by independent researchers who reported that they were able to access a staggering 900 million user records dating from the original app release in 2012 to the present day.
Why it matters …
If users didn’t already know it, the internet is forever.
Apparently, that axiom also applies to your most private and intimate secrets. There’s potential for blackmail by cybercriminals able to infer identity from the profile information that Whisper users were led to believe was safe and secure.
And yet another reason for consumers to mistrust companies that promise privacy in the digital realm.
How could these have been avoided?
These high-profile 2020 data breaches show how ill-prepared the industry is to find and stop sophisticated attacks that unfortunately, are all too common. Sophisticated cyber attackers don’t use technology from a decade ago — they use zero-day approaches that must be detected by the abnormal device or application behaviors.
Our ARIA CloudADR was purpose-built to alleviate these challenges associated with today’s threat detection and response processes.
- It is a cloud-based, automated solution that automatically finds and stops the most harmful attacks, including zero-day attacks, ransomware, malware, intrusions, including stopping sophisticated nation state-sponsored attackers, and more.
- It requires no human involvement to find and stop such cyber attacks.
- Its fast finding and stopping such attacks as they become active in the network
- It’s easy to deploy — up and operational in no more than a couple hours by staff with little to no security training.
ARIA ADR automatically stops the attackers by detecting any abnormal communications from within the network’s network and movements. It can stop those communications and lateral movements, as well as stopping data exfiltration. With the ARIA CloudADR solution, attacks can’t hide, and the attackers’ obfuscation techniques don’t work. Nothing gets lost in the noise.
With ARIA CloudADR, an organization’s entire environment from the cloud to its on-premises infrastructure and remote devices is fully protected.
In a single platform, organizations gain not only a solution that works right out-of-the-box and:
- Full threat surface coverage: the cloud, on-premises infrastructure, and remote devices.
- Leverage Machine Learning: find threats by their tell-tale behaviors learning capabilities built into over 70 threat models.
- Alerts on only confirmed attacks: Artificial Intelligence automates the correlating threat indicators coming from the threat models, detecting, naming, and verifying the attack.
- Automatic stopping of attacks: AI-driven capable of stopping attacks immediately with or without humans involved.
It is all in a solution that can be operated part-time by IT staff with little to no security training and can be operated from anywhere.
About ARIA Cybersecurity Solutions
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.