[BreachExchange] Biggest data breaches of 2019: Same mistakes, different year

Destry Winant destry at riskbasedsecurity.com
Wed Dec 18 10:04:32 EST 2019


The biggest recurrent motif among the major data breaches of 2019
wasn't the black-hooded hacker in a dark room, digging into a screen
full of green text. It was a faceless set of executives and security
professionals under the fluorescent lights of an office somewhere,
frantically dialing their attorneys and drafting public relations
apologies after leaving the front doors of their servers unlocked in

The words "unsecured database" seemed to run on repeat through
security journalism in 2019. Every month, another company was asking
its customers to change their passwords and report any damage.
Cloud-based storage companies like Amazon Web Services and
Elasticsearch repeatedly saw their names surface in stories of
negligent companies -- in the fields of health care, hospitality,
government and elsewhere -- which left sensitive customer data
unprotected in the open wilds of the internet, to be bought and sold
by hackers who barely had to lift a finger to find it.

And it's not just manic media coverage. The total number of breaches
was up 33% over last year, according to research from Risk Based
Security, with medical services, retailers and public entities most
affected. That's a whopping 5,183 data breaches for a total of 7.9
billion exposed records.

In November, the research firm called 2019 the "worst year on record"
for breaches.

How much does an average data breach cost an organization? According
to IBM's latest numbers, the tab can run up to $3.92 million after
investigation expenses, damage control, repairs, lawsuits and fines.
That's up 12% over five years, with no signs of slowing.

What's harder to quantify is how great a cost was borne by individual
consumers worldwide this year -- and how great a cost can be expected
of all of us in 2020. Passport numbers, medical records, bank account
details, social media credentials, Social Security numbers -- breaches
hit our most sensitive data in 2019, sending millions of people into
frenzied lock-down.

Calculating the hours and dollars spent by people trying to recover
from the shameful negligence of some of these companies would be
nearly impossible. Predicting future costs would be almost
unimaginable. Some would say that in the face of this rising tide of
breaches, the onus is on each of us to keep a watchful eye on our own
data. The truth is, until a suite of industry-shaping federal reforms
and regulations slap some accountability into US data brokerages and
communications companies while miraculously rolling back government
mass-surveillance programs, keeping one's data trail clean is about as
likely to save you from being part of a mega-breach as recycling your
coffee cup is to stop climate change.

But while we're all desperately tuning up our basic internet security
practices and shopping for the best identity protection services, it
seems fitting then to take a moment to honor the worst of the worst in
our 2019 Data Breach Hall of Shame.

Without further ado…


Marriott kicked off 2019 with a record-setting breach when the hotel
group announced that hackers accessed the records -- including some
passport numbers and credit card information -- of up to 383 million
guests. That's more than double the 147.7 million Americans impacted
by the Equifax breach. If that didn't raise your eyebrows high enough,
researcher Troy Hunt found 773 million user email addresses (along
with a mega-trove of other data) in a cloud-service file collection.


February was a brutal month for online security. In the most dramatic
breach, more than 617 million accounts were culled from 16 websites
and put up for sale on the dark web. Site owners Dubsmash, Armor
Games, 500px, Whitepages and ShareThis all saw their users' stolen
data sold for less than $20,000 in Bitcoin. Meanwhile, a crop of
smaller breaches offered a glimpse into the peculiar cruelty of
medical breaches: An attacker held up to 15,000 Australian patients'
files for ransom, unauthorized email access exposed 326,000
Connecticut patients' records, close to a million Washington patients'
information was left exposed in an open database, and 2.7 million
calls to a national Swedish health line were recorded and left out in
the open.


Hundreds of millions of Facebook and Instagram users saw a
less-than-happy St. Patrick's Day when their credentials were exposed
by the social media company's poor password storage management. By
comparison, the exposure of 250,000 legal documents stored in an open
database seems deceptively small.


Facebook again led the way in April, with 540 million records exposed
after leaving users' names, IDs and passwords out in the open on
unprotected servers. The same month, Facebook admitted to storing
millions of Instagram users' passwords in dangerously insecure
plaintext format. But let's not let Facebook's utter embarrassment
overshadow another incredibly important breach that happened in April:
12.5 million medical records of pregnant women were exposed, thanks to
a leaky server belonging to an Indian government healthcare agency.


Sure, the big headline from May was the hundreds of millions of
insurance documents leaked by real estate giant First American
Financial Corp. But the month also saw a couple of weird online food
fights worthy of this Hall of Shame. Burger King left a leaky database
up, which resulted in the exposure of nearly 40,000 customers of its
online, kids-focused KoolKing Shop. Meanwhile, two Bay Area school
lunch companies' heated rivalry turned into cyberwarfare when one's
CFO got arrested for hacking the other's site and exposing student


At least 20 million patients had their data exposed when bill
collector American Medical Collection Association was hacked. The
damage? Multiple class-action lawsuits were filed against AMCA and its
contracting clients over the breach of patients' payment data, Social
Security numbers, medical information, birth dates, phone numbers,
addresses and more. The result? The medical debt collectors were in so
much debt they filed for bankruptcy.


Oh, Capital One. It feels like a million years ago, doesn't it? Hard
to believe it was only about five months ago that the bank exposed 100
million credit card applications, 140,000 Social Security numbers and
80,000 bank account numbers -- including such personalized data as
names, addresses, ZIP codes, phone numbers and birth dates. The breach
left Capital One reeling and led to an FBI arrest of tech
worker-turned-hacker Paige A. Thompson. Remarkably, the breach
happened the same month Equifax settled with regulators for $700
million over its industry-shaking 2017 breach, and Facebook settled
with the FTC for a record $5 billion following the Cambridge Analytica


Beyond price-spiking tickets and auto-subscribing customers, MoviePass
users got more bad news in August when an investigation discovered
that 160 million MoviePass records were left unencrypted in a company
database without password protection, leaving customer credit card
data out in the open. Meanwhile, in the UK, a massive leak exposed
27.8 million biometric staff records held by the Metropolitan Police,
banks and enterprise companies.

The biggest heartbreak, though? Dating apps Grindr, Romeo, 3Fun and
Recon all got nailed for security flaws that could expose a would-be
Lothario's locale.


More than 218 million Words with Friends player accounts were affected
-- including players' email addresses, names, login IDs and more --
when a hacker got into one of the game's databases and targeted users
who'd installed the game app prior to a crucial update. While those
affected were fewer in number, a potentially more dangerous breach
occurred in September when an open, misconfigured government database
leaked 20.8 million Ecuadorian user records -- that's in a country
whose official population is about 17.5 million -- including birth
data, marital status and national ID numbers, as well as full home
addresses, children's information, phone numbers and education


A show-stopping 4 billion social media profile records were exposed to
the public on an unsecure Elasticsearch server, for a mind-blowing
total of 1.2 billion unique people exposed originating from two data
enrichment companies. That's one of the largest single-source
exposures we've ever seen. Adobe left 7.5 million Creative Cloud
customer records on an unsecure database. Meanwhile in the Motherland,
over 20 million Russian citizen tax records were left sitting on an
open database for anyone to see, showcasing information collected from
2009 to 2016.


In November's laundry list of leaks, hacks, breaches and exposures, a
couple of tech employee incidents stand out. Facebook was back in the
headlines after about 100 app developers were given inappropriate
access to profile data. A previous breach came to light this month,
detailing the account of a rogue employee at cybersecurity firm Trend
Micro, who stole the personal data of about 70,000 of the firm's
customers and later used it to scam customers.


Some 100 women who were the victims of an explicit photo leak are
expecting a present on Christmas Eve when the offending leaker, a
former Dutch politician, will stand for sentencing. Prosecutors have
asked the judge to hand down at least three years of hard time after
the disgraced Nederlander was found to have hacked the women's
personal iCloud accounts with credentials found in earlier public
database breaches.
