What we can learn from the 5 biggest data breaches of 2019
Last year was a brutal year for cybersecurity. It gave us some of the biggest data breaches in history, as well as some of the worst cyber-incidents. At this point, all any of us can really do is try to ensure that our own businesses and accounts don’t wind up compromised. And the best way to do that is to avoid repeating the mistakes of the organizations that suffered the biggest breaches last year.
You can learn a lot from your own mistakes, but you can learn just as much from studying the mistakes of others. And as an added bonus, you don’t need to suffer the consequences of said mistakes yourself. That’s why, as we move forward into 2020, I’m going to take a look back at some of the most egregious data breaches of 2019.
Dream Market Cyber-Souk
In February 2019, a massive treasure trove of hacked accounts appeared on the dark web. As reported by The Register, credentials for more than six hundred seventeen million logins were posted for sale on the now-defunct Dream Market. The compromised accounts were stolen from across sixteen hacked websites.
Compromised information primarily consisted of account names, email addresses, and passwords, though there was also some location data and social authentication tokens. This data dump was followed later in the same week by another one hundred twenty-seven million accounts from across eight sites, then again a few days later with another 92.76 million accounts.
All three dumps have been attributed to a hacker by the name of Gnosticplayers, according to tech publication ZDNet. In an interview, the hacker admitted to being financially motivated, but also to simply wanting to cause chaos for Americans. At the time of writing, it’s still unclear how the hacker gained such widespread access to so many user accounts.
The Takeaway: You cannot trust that every website which holds your login credentials is secure. It’s therefore important to use a unique password for every account and change those passwords on a regular basis. Given that such a task isn’t really humanly possible, I’d recommend using a password manager.
Capital One
Towards the end of July, Capital One suffered a massive breach, compromising the financial details of more than 100 million US citizens and six million Canadians. As reported by CNet, former Amazon employee Paige Thompson was identified and arrested as the attack’s perpetrator. She allegedly gained access to the exfiltrated data by targeting a misconfigured firewall on Capital One’s AWS cloud server, accessing the server multiple times from March 12 to July 17.
Yes, this was ultimately caused by a misconfigured firewall. Worse still, Capital One had no idea it had happened. They weren’t even aware of the breach until someone sent an email to the company’s responsible disclosure address, pointing them to the GitHub page where Thompson had posted details about the hack.
The page had been active since late April.
The Takeaway: Pay attention. I can’t speak to Capital One’s network monitoring or cybersecurity processes, but given this incident, it’s clear to me that neither was sufficient. If you collect and store sensitive data of any nature, you need to be capable of determining exactly where it is, how it is being used, and by whom at any given time.
People Data Labs
Four billion. That’s how many social media profiles were exposed thanks to an unprotected, unsecured Elasticsearch database. The names, email addresses, employers, locations, job titles, phone numbers, and full social media profiles of more than 1.2 billion unique individuals were exposed to the public in this breach. As reported by CNet, the breached records were sourced from data enrichment company People Data Labs, which told the publication that it doesn’t own the server in question and that it likely belonged to a customer.
Most people familiar with the incident agree that it’s unlikely PDL was the responsible party here, with Wired noting that it would likely have been simpler for an attacker to just buy the data from the company directly.
The Takeaway: Even if your own organization is secure, your supply chain may not be. You need to hold your business partners to the same security standards as you hold your own organization. Otherwise, you may as well not bother.
MoviePass
In August, it came to light that movie subscription service MoviePass stored the personal and financial data of as many as one hundred sixty million users on an unencrypted database. This information wasn’t even password protected. Though only a few tens of thousands of people were impacted, this is still a serious gaffe.
The Takeaway: Data encryption and access controls are your friends, especially if you’re storing sensitive data.
Trend Micro
Although the Trend Micro breach is the smallest on the list by volume, comprising only one hundred twenty thousand records, it’s noteworthy for the fact that this is a cybersecurity company. Speaking to ZDNet, a Trend Micro spokesperson informed the publication that the breach was the result of a rogue former employee abusing their access permissions. Exfiltrated data included names, email addresses, support ticket numbers, and telephone numbers.
Trend Micro disabled the employee’s account, fired them, and notified law enforcement.
The Takeaway: External threats are not the only thing your organization must defend against. You need to be capable of monitoring, controlling, and locking down employee access to sensitive information at a moment’s notice. Trend Micro handled this breach as well as could be expected, and you should ensure you have the tools to do the same.
Above is just a sample of some of the worst breaches of the year. Learn from them, and avoid repeating the mistakes that caused them.