10 highest-profile data breaches of 2020
In 2020, businesses both large and small have suffered from major data breaches as millions have been working remotely due to the covid-19 pandemic. From phishing to credential stuffing to social engineering attacks, we’ve seen cybercriminals exploit every opportunity to cash in on global fear.
No matter the reason, data breaches can be devastating financially and cause serious damage to a company’s reputation. With the average cost of a data breach now at $3.86M, and remote work still very prominent, taking all the necessary precautions to keep your corporate network safe has never been more important.
Read on to learn about the highest-profile data breaches of 2020.
CAM4 (10.88 billion)
The adult live-streaming website CAM4 had accidentally left an unsecured database with 10.88 billion records of highly sensitive information. Luckily, security researchers from SafetyDetectives discovered the leak earlier this year and immediately informed the company.
CAM4 reported that the unsecured database was taken down before cybercriminals could steal customer data and that only a small amount of exposed information could’ve been traced to specific individuals.
The data leak exposed around 7TB of personally identifiable information, including full names, email addresses, sexual orientation, credit card types, and chat transcripts. As a result, millions of users were left at risk of identity theft, fraud, and blackmail attempts.
Twitter (350 million)
On July 15, Twitter suffered a major breach involving a Bitcoin scam that targeted some of the world's most prominent figures. Joe Biden, Barack Obama, Elon Musk, and Bill Gates were among those compromised, with a total of 130 high-profile accounts affected by the breach.
Hacked accounts sent out a series of tweets promising users they'd get double the amount they sent to a certain Bitcoin address. Cybercriminals managed to steal $121,000 worth of Bitcoin within a few hours.
Twitter announced that this was a “coordinated social engineering attack”, claiming that cybercriminals successfully targeted a small number of employees who had access to internal systems and tools.
Antheus Tecnologia (80+ million)
In March, the security research team at SafetyDetectives discovered a massive leak in Antheus Tecnologia’s database, a Brazilian biometric solutions company. Over 80 million records were accessible on the internet, including employees’ contact details and 76,000 unique fingerprint records.
The leak occurred because the company failed to password protect and encrypt a database.
The misconfigured server on which the database was stored didn’t contain actual fingerprint scans, but a binary stream, which is a string of ones and zeroes. Nevertheless, researchers claimed that cybercriminals could use the available data to recreate a full biometric fingerprint image.
Since fingerprint records are now in the public domain, compromised individuals might face security issues in the future, when biometrics become a more common authentication method.
These kinds of security breaches highlight the importance of implementing strong password and encryption policies, as the consequences can be disastrous.
Wishbone (40+ million)
Wishbone, a popular social polling app among youngsters, fell victim to a data breach earlier this year. An entire database with personal data of more than 40 million users was reported to be available on the dark web. Such data breaches are particularly troubling given the young age of most of Wishbone's users.
The database was leaked by a group of cybercriminals called Shiny Hunters. The group is known for other high-profile breaches, but it's unclear whether they merely leaked the records or committed the initial breach.
Cybercriminals exposed sensitive data, including names, contact details, geolocation, gender, and hashed passwords. Cybersecurity researchers claim that the breach could've been avoided if data was properly encrypted.
LiveJournal (26 million)
In May, 26 million account credentials stolen from the blogging platform LiveJournal were offered for sale on various dark web marketplaces, and later, even shared for free on hacker forums.
Though reports about the breach have been circulating since 2014, the stolen records have only been shared and distributed broadly this year. The incident exposed a database of compromised LiveJournal accounts that contained usernames, email addresses, and plain text passwords.
LiveJournal failed to notify its users about the breach, leaving them vulnerable to credential stuffing, blackmail, and targeted email-based extortion. Changing passwords and enabling multi-factor authentication could help affected users tackle risks and stay safe.
easyJet (9 million)
In the first half of the year, the low-cost airline easyJet suffered a security breach caused by a “highly-sophisticated attack”, in which the personal data of 9 million customers was stolen. The breach exposed customers’ names, email addresses, and travel records. To make matters worse, roughly 2,200 people had their credit card details, including CVV, stolen.
easyJet didn’t reveal how the breach occurred but confirmed that they reported the incident to the National Cyber Security Centre and other regulatory authorities. However, the company still faced criticism for waiting several months to inform its customers.
Following the breach, the law firm PGMBM filed a class-action lawsuit against easyJet for $23 billion. Some critics say that the company will face a lighter penalty since the airline industry is fighting for its survival due to the pandemic.
Marriott (5.2 million)
The hotel chain Marriott suffered a massive data breach on March 31, which affected an estimated 5.2 million of its customers.
Using stolen employee credentials, cybercriminals gained access to a wide range of personal data, including contact details, date of birth, gender, and loyalty account information. Fortunately, Marriott stated that no payment data had been stolen.
Implementing basic security controls like multi-factor authentication could have helped prevent the breach, as stolen employee credentials wouldn't have been enough to breach the system.
Magellan Health (1+ million)
The healthcare giant Magellan Health discovered that an unauthorized third party had gained access to private data of over 1 million individuals stored in its database.
The company fell victim to a ransomware attack when a Magellan employee responded to a spear-phishing email in April. Cybercriminals were able to access Magellan’s internal server, exposing personal information of both employees and customers.
The compromised data included full names, contact details, employee ID numbers, social security numbers, physical addresses, treatment information, and other health-related details.
In the first week of April, more than half a million Zoom account credentials were found for sale on the dark web. Usernames and passwords were sold for less than a penny or even given away for free, alarming millions of users that have flocked to Zoom during the pandemic.
The breach also contained personal information including contact details, hostkeys, and personal meeting URLs. This enabled cybercriminals to join business meetings and access confidential information shared in them. In terms of confidential data being leaked, this meant that the total number of impacted users is even greater than the number of credentials exposed.
The data appears to have been collected via credential stuffing, using usernames and passwords obtained in past breaches of other companies.
In April, Nintendo announced that 160,000 accounts had been compromised in a credential stuffing attack. After further investigation, the company found out that the actual number of compromised accounts was 300,000.
Stolen account information allowed cybercriminals to make digital purchases through the company’s network and access sensitive user data, including email addresses, birth date, and country.
Following the breach, Nintendo disabled logins through Nintendo network ID and encouraged users to enable multi-factor authentication for added security.
What should you do next?
This year, businesses across the globe fell victim to highly sophisticated cyber attacks that have affected billions of people. 2020 has clearly shown that no business is immune, and with millions working remotely, building a robust security infrastructure will be crucial for any company going forward. Here are some ways you can strengthen your cybersecurity defenses:
Use remote work security solutions to combat digital threats.
Implement regular security training to educate your team about the latest threats and digital hygiene.
Always update and patch your software.
Make sure all data is encrypted and secure.
Use multi-factor authentication and strong passwords to keep your accounts safe.
Protect your business with cybersecurity news that matters
Join our expert community and get tips, news, and special offers delivered to you monthly.
Free advice. No spam. No commitment.