Data Breaches 2019
The Biggest Data Breaches and Hacks of 2019: As a new year begins, it’s time to reflect on what has been observed and what has been learnt. It’s estimated that over 10 billion records were breached in 2019; made up of thousands of hacks, security failures and breaches, this suggests the problem of information security is a long way from being fixed.
Far from an exhaustive list, the following are some of the biggest and most disastrous data breaches and hacks of 2019:
Facebook
In September, the records of around 419 million Facebook users were discovered stored on a database with no password protection in place. The records contained users’ unique Facebook IDs, their phone numbers and, in some cases, users’ names, genders and locations.
Though the ‘owner’ of the database is unknown, it’s possible that the user data was obtained legitimately through the Facebook API and then stored without the proper precautions.
Despite the records not containing any explicitly sensitive information, exposed data of this kind can be used by cyber-criminals to launch phishing campaigns and even to carry out SIM-swap attacks.
Facebook stated: “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised”.
First American Corporation
In one of the most sensitive of recent data breaches, the First American Financial Corp. leak exposed an astounding 885 million documents relating to 16 years of mortgages, including bank details, tax records, social security numbers and even driver’s license images.
Shockingly, no authentication was required to view these documents, and the company cited a “design deficit” that allowed attackers access to what it described as a tiny portion of the exposed documents.
According to the company, it has since only been able to identify 32 customers whose private information was ‘potentially accessed’ without authorisation.
Capital One
In July of this year, 80,000 bank account numbers, over 1,140,000 social security numbers and millions of credit card applications of Capital One customers were stolen.
Potentially costing the company more than $300 million, this breach shows that even a company which would appear to have the most to lose from a hack can’t always protect itself perfectly.
What’s unusual about this breach is that the hacker responsible made little effort to conceal their actions, even boasting about them on Twitter and Slack.
As a former worker at Amazon Web Services, the hacker was able to gain access to Capital One data by drawing on their technical expertise and knowledge of AWS’s internal security, before being quickly caught.
Zynga
You may not have heard of Zynga, but you’ll probably recognise their game, Words with Friends. In September, more than 200 million players’ accounts, including email addresses, login details and names, were stolen by a hacker going by the name 'Gnosticplayers'.
As one of the most popular US-based social gaming companies, Zynga has since hired third-party data forensics firms and has contacted both law enforcement and the affected users about the hack.
Canva
Details from around 139 million user accounts were taken from a Canva database this May. Of these, 61 million password hashes were reportedly stolen, though it may not be as devastating as it sounds.
All of these passwords were hashed with the very secure bcrypt algorithm, and though this information will likely be sold on the black market, it’s unlikely that many accounts will be directly compromised.
As with the Zynga breach, the Canva attack was also perpetrated by the hacker Gnosticplayers. Ultimately, the identity of Gnosticplayers is unknown and may even be a hacker collective.
Strangest of all, the hacker alerted a media outlet to the breach only hours afterwards, a pattern that has since been repeated within the community.
In November, another entity going by the name 'A_W_S' stole the information of 21 million Mixcloud users and, shortly afterwards, announced the achievement to several journalists.
If you’d like to learn more about how you can protect your greatest assets with unique and engaging information security awareness training, click the link below.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.