According to a RiskBasedSecurity report, 2019 saw approximately 7.9 to 8.5 billion records compromised. To put that in perspective, the world population is currently 7.5 billion. Despite the numerous small breaches throughout 2019, the majority of these records were compromised by a few large breaches and subsequent chain reaction minor breaches.
Today, major businesses are victims of security threats that jeopardize their organizations and the third parties with which they collaborate. From database intrusions to lax repository security, companies need to take a serious look at how and why they implement security measures. Read on to learn about 10 of the largest data breaches of 2019 and the lessons they reveal about how to better protect customer and company data.
What Counts as a “Large” Breach?
The year 2019 saw a 33 percent increase in breaches resulting in approximately 5,183 data breaches. The classification of a “major” data breach remains ambiguous. Is there a minimum threshold for the number of compromised records that garners a “major” designation? The short answer is no; there is not an accepted threshold for “large” breaches.
Rather, the category is often designated by weighing the risk/damage to a company against the number of records compromised. For example, if a hacker stole a large batch of emails, the damage to a company would be largely reputational; however, if a hacker stole a smaller batch of highly sensitive Personally Identifiable Information (PII), the impact would be significant and thus classify the attack as a major breach.
The 10 Major Breaches
Regardless of the nomenclature used, the breaches below represent either large breaches in terms of the number of compromised records or major breaches in terms of impact. Before reading on, it’s important to understand that breaches are rarely cut-and-dried affairs. In many cases, a domino effect occurs where one mistake can affect numerous companies. Many little vulnerabilities can lead to a critical large security breach, making it difficult to assign blame. Those little vulnerabilities may go unnoticed until the critical vulnerability forces companies and the public to take notice.
These breaches span the globe, as the cyber world does not distinguish borders. Each snapshot below breaks down what happened, how the intruder compromised records, the extent of the breach, and the flaw that ultimately led to the breach. Reviewing the mistakes of the year helps companies better understand how to strategize and allocate cybersecurity resources.
Breach 1: AMCA
What happened? – The American Medical Collection Agency (AMCA) provides billing collection services to numerous medical companies, including Quest Diagnostics and Labcorp. Between 1 August 2018 and 30 March 2019, an unauthorized individual had access to AMCA’s data. AMCA stored medical, financial, and personal information. Although the initial breach started with Quest, a total of 21 companies were ultimately affected, including CompuNet Clinical Laboratories, Inform Diagnostics, and West Hills Hospital & Medical Center. Over 20 million customers now face potential repercussions. For the most part, lab results were left untouched.
What went wrong? – AMCA failed not only to detect the breach for eight months but also to alert consumers and companies in a timely manner. When hackers gained access to the web payment page, they obtained the ability to steal health benefits, insurance payouts, and entire identities. Under HIPAA regulations, AMCA was obligated to notify patients within 60 days, which it failed to do. Additionally, the companies utilizing AMCA’s third party services lacked proper audit logs, access reports, and security incident tracking reports, according to industry experts. This scenario highlights the importance of third party auditing as well as comprehending the legal and monetary ramifications of failing to disclose breaches.
Breach 2: MongoDB
What happened? – In April 2019, Bob Diachenko, a cybersecurity researcher, discovered a publicly visible database endangering 275 million records of Indian residents. The records included names, genders, email addresses, employment histories, current employers, current salaries, and mobile phone numbers.
What went wrong? – In this case, Diachenko believes the database owner likely used an old version of MongoDB without remote access protection. While collecting information today is relatively easy, the problem lies in how companies store such data. Companies that start collecting information quickly in an attempt to gain a competitive edge often ignore the precautions necessary for securely storing mass quantities of data.
Breach 3: Capital One
What happened? – In July, Capital One announced that hackers stole the information of 100 million US citizens and 6 million Canadian residents. The compromised information included SSNs, bank account numbers, names, addresses, ZIP codes, phone numbers, email addresses, and birthdates, although credit card numbers and login credentials were spared. Despite the number of jeopardized records, the SSNs endangered represented only one percent of those held on file.
What went wrong? – The flaw ended up being a misconfigured firewall on Capital One’s Amazon Web Services cloud server. Additionally, the hacker who took advantage of the vulnerability was a former employee at Amazon Web Services. Thus, the lesson learned is that firewall maintenance is key, as well as insider threat prevention.
Breach 4: Dubsmash Etc.
What happened? – Threat actors hacked 16 websites/apps, exposing 617 million records publicly. The websites affected ranged from fashion to fitness, with Dubsmash facing the worst breach at 162 million compromised records. Close behind were MyFitnessPal, with 151 million, and MyHeritage, with 92 million. The other websites’ data loss ranged from 700,000 to 41 million records.
Cardholder names, emails, and passwords appeared on the Dark Web shortly after the breach; however, the hashed passwords still had to be cracked before becoming useful. For this reason, the fallout from this hack was less dramatic than the breaches that released bank information. Unfortunately, industry experts warned that cracking tools likely allowed hackers to recover the weaker passwords, pair them with emails, and then access consumer accounts.
What went wrong? – Reports suggest some of the websites used outdated password hashing algorithms and outdated back-end PostgreSQL database software. This breach underscores the necessity of two-factor authentication, continuous scans for missing patches, and the use of strong passwords!
Breach 5: Zynga
What happened? – Zynga, the game developer that launched Words With Friends and Farmville, suffered a data breach that compromised the accounts of 170 million people. The hacker accessed passwords, usernames, full names, email addresses, phone numbers, and Facebook IDs. A Pakistani hacker claimed responsibility. The attack affected mobile users who downloaded Words With Friends, Draw Something, or the OMGPOP platform. It is believed the breach dates back to when the games launched, and the vulnerability spanned several years.
What went wrong? – CPO Magazine reported that, at the time, Zynga was using outdated SHA-1 cryptography. Furthermore, the hacker claimed many passwords were stored in plaintext. As with many other companies, Zynga failed to disclose the breach for several months and did not notify customers.
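The Dubsmash and Zynga entries both come down to outdated password hashing (unsalted SHA-1, or plaintext). The following is an added example, not code from any of the companies discussed: it contrasts the legacy unsalted SHA-1 scheme with a salted, memory-hard scrypt hash from Python's standard library, and shows how a site can migrate stored hashes transparently at login. The scrypt parameters and the `scrypt$salt$digest` storage format are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed sample password for the demo (not real user data).
PASSWORD = "correct horse battery staple"


def legacy_sha1_hash(password: str) -> str:
    """Unsalted SHA-1, the outdated scheme the article describes.
    Fast and unsalted: identical passwords give identical digests, so
    precomputed tables and GPU brute force recover weak passwords quickly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard scrypt via hashlib (OpenSSL-backed).
    n/r/p are demo assumptions; tune them for production hardware."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, _digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    recomputed = scrypt_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Login-time migration: accept either scheme; when a legacy SHA-1
    digest matches, hand back a fresh scrypt hash for the caller to store
    in place of the old one, so the database improves as users log in."""
    if stored.startswith("scrypt$"):
        return scrypt_verify(password, stored), stored
    if hmac.compare_digest(legacy_sha1_hash(password), stored):
        return True, scrypt_hash(password)
    return False, stored
```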
Breach 6: Marriott
What happened? – In January 2019, Marriott revealed hackers stole 383 million guest records. However, the initial attack began many months prior. The hackers gained access to Marriott’s data via the Starwood guest reservation database, managed by a third-party IT company. Investigations revealed a Remote Access Trojan (RAT) enabled the hackers to invade and control the database and then use a penetration tool (Mimikatz) to search for customer PII. The end result was endangered customer names, addresses, phone numbers, credit card information, emails, passport numbers, and travel details.
What went wrong? – Although the majority of passport and payment card information was encrypted, 5.25 million of the passport numbers were not. Additionally, Starwood lacked proper endpoint protection. Marriott merged with Starwood after the initial intrusion into Starwood’s system but before the breach came to light, endangering not only Starwood’s systems but Marriott’s. In the aftermath of the attack, Marriott deployed better endpoint protection (for itself and third-party consultants), segmented the network, and implemented a whitelisting practice for database access. Moreover, the argument for a more in-depth security review of potential mergers should be considered.
Breach 7: Facebook
What happened? – Facebook has over 3.3 billion users between its main website and Instagram. Unfortunately for those users, Facebook experienced numerous breaches in 2019. In early spring, Facebook revealed a breach of passwords that allowed employees to see and compile lists of unencrypted passwords. Soon after, Facebook dealt with another PR nightmare when news sources revealed the platform automatically imported contacts without asking for permission first. Then, Facebook announced a breach affecting 540 million-plus records. This time, the casualties were passwords, emails, and user IDs. The breach involved not only Facebook’s stored data, but also data Facebook hosted through Amazon’s servers.
What went wrong? – An investigation into Facebook’s initial breach revealed that internal data storage saved passwords in plain text. This flaw enabled Facebook employees to search those passwords and even keep a log of all unencrypted passwords. Moreover, privacy matters and companies must abide by GDPR regulations that require up-front disclosure of what information is collected.
Breach 8: First American Financial Corp.
What happened? – In May of 2019, the insurance company First American revealed customer bank account information, SSNs, images of drivers’ licenses, mortgage information, and tax records were exposed. According to security experts, 885 million records were accessible by altering the URL with no passwords necessary. The data exposure ranged from as early as 2003 to 2019.
What went wrong? – The alarming aspect of this breach is that no attacker penetrated First American’s systems. Instead, the information sat available for the taking by anyone who stumbled across the website design flaw. The design flaw stemmed from an error called Insecure Direct Object Reference (IDOR), whereby a link is created for use by a specific party, but there is no means to ensure limited access to the link. Once one link is discovered, it can be modified to access other related data.
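The IDOR flaw described above is an authorization gap, not an intrusion: the record identifier in the link is treated as proof of entitlement. The following is an added example (not First American's code) showing the vulnerable lookup beside a hardened one that checks the authenticated requester's ownership, plus owner-issued share links built on random tokens that cannot be edited into neighbouring records. The document store, account names and token lifetime are constructed for the demo.

```python
import secrets
import time
from typing import Dict, Tuple

# Constructed sample store: document id -> (owner account, contents).
DOCUMENTS: Dict[str, Tuple[str, str]] = {
    "100001": ("alice", "Closing statement for 12 Elm St"),
    "100002": ("bob", "Wire instructions for 9 Oak Ave"),
}
# Share tokens: token -> (document id, expiry as epoch seconds).
SHARE_TOKENS: Dict[str, Tuple[str, float]] = {}


class Forbidden(Exception):
    """Raised when a request is not authorised (or the record is absent)."""


def fetch_document_insecure(doc_id: str) -> str:
    """Vulnerable pattern: the sequential id in the URL is the only 'key',
    so anyone holding one link can change the number and read others."""
    return DOCUMENTS[doc_id][1]


def is_authorised(doc_id: str, requester: str) -> bool:
    """Object-level check: does this requester own this specific record?"""
    record = DOCUMENTS.get(doc_id)
    return record is not None and record[0] == requester


def fetch_document_secure(doc_id: str, requester: str) -> str:
    """Hardened: verify entitlement to *this* record before returning it.
    Missing and forbidden records get the same error, so the endpoint
    does not confirm which ids exist."""
    if not is_authorised(doc_id, requester):
        raise Forbidden("not authorised for this document")
    return DOCUMENTS[doc_id][1]


def issue_share_link(doc_id: str, owner: str, ttl_seconds: int = 3600) -> str:
    """Owner-issued link: a random 256-bit token stands in for the id and
    expires, so a recipient cannot derive other links by editing a number."""
    if not is_authorised(doc_id, owner):
        raise Forbidden("only the owner may share")
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[token] = (doc_id, time.time() + ttl_seconds)
    return token


def fetch_via_share_link(token: str) -> str:
    """Resolve a share token; unknown or expired tokens are rejected."""
    entry = SHARE_TOKENS.get(token)
    if entry is None or entry[1] < time.time():
        raise Forbidden("link invalid or expired")
    return DOCUMENTS[entry[0]][1]
```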
Breach 9: Elasticsearch
What happened? – Four billion social media profiles, along with names, email addresses, and phone numbers, were exposed due to unsecured Elasticsearch servers. The compromised data was believed to be from two different data enrichment companies — People Data Labs (PDL) and OxyData.Io (OXY).
What went wrong? – According to security analysts Bob Diachenko and Vinny Troia, the server was not protected by either passwords or authentication. This scenario revealed the problem of data enrichment, the process of merging data stored by other companies with third-party data in order for these companies to be able to make more informed decisions. Data enrichment requires enormous amounts of data, and if that data is not properly secured, it allows hackers to obtain extensive profiles on individuals and begin extremely believable spear-phishing campaigns.
Breach 10: Russian citizen tax records
What happened? – In October 2019, an unsecured server made a cluster of databases publicly accessible. The breach compromised the PII of 20 million Russian citizens in records dating from 2009 to 2016. In particular, two databases holding the names, addresses, residency status, passport numbers, phone numbers, tax IDs, employer names/telephone numbers, and tax values of Russian nationals were exposed.
What went wrong? – As the investigation into the breach proceeded, researchers discovered that the database was not protected by credential requirements or encryption. As the other breaches listed above highlight, database access must be limited. Companies must ensure limited access settings are in place prior to transferring sensitive data into a database.
So what are the lessons learned? The overwhelming majority of breaches involved unsecured databases and third parties. The suggestions below offer starting points for developing a holistic cybersecurity approach.
- Companies need to develop a third party security checklist and maintain limited access to databases.
- Encryption should not be viewed as optional. It should be utilized as the first line of defense for protecting massive data repositories.
- Insider threat prevention is essential, as former and current employees possess the most access to, and knowledge of, how a company secures data.
- Consumers must take the initiative and employ strong, non-repetitive passwords.
These suggestions only scratch the surface of tackling 2020’s cybersecurity issues, but they highlight past weaknesses and show companies where they should focus when developing new strategies for the coming year.
Data breaches are now a fixture in the cyber environment, and with that knowledge comes the responsibility to stay informed and strategize accordingly. With even larger and more complex breaches expected in 2020, companies should take stock of past mistakes, learn about best practices, and implement safeguards designed to combat and mitigate such threats. If you need help conducting a threat vulnerability assessment or determining how to best manage your security assets, contact RSI Security today.