While there is still time left in 2019, according to the recent Data Breach QuickView Report, there were 5,183 breaches reported just in the first nine months of 2019 exposing 7.9 billion records. Compared to Q3 2018, the total number of breaches was up 33.3% and the total number of records exposed more than doubled, up 112%. Per the report, hacking remains the top breach type for a number of incidents while Web has exposed the most records this year.
No two data breaches are exactly the same, but most occur due to a lack of a select group of missteps. These include: falling victim to phishing attacks, not installing software updates, general poor cybersecurity practices such as weak user name/password combinations, not training employees, falling victim to malware, and even inadvertently creating the breach by accidentally publishing or uploading records that ought to be kept secure.
The 2019 data breach numbers are daunting – and 2019 is possibly the worst year we had, in terms of data breaches. The sheer number of exposed records is astounding (up by 33% from last year). As a cautionary tale heading into 2020, here are some of the top publicly known data breaches from this year.
Date: Two breaches in April and the third one in September - all disclosed by a third party.
Type: Two breaches were bad security, the other was an accidental upload.
What happened: After spending 2018 answering for its Cambridge Analytica data scandal, the company seemingly has kept its head down over this year’s rolling series of data breaches.
The list begins with Facebook. Not because it suffered the largest exposure of records in any one breach, but because the social media giant allowed three disclosed data breaches in 2019. In April it was revealed Facebook harvested email contacts from 1.5 million users without their knowledge or consent when they opened their accounts. The privacy and security issue was discovered by a security researcher looking to a Facebook sign-up step that asked for users’ email passwords. It would then use those passwords to automatically harvest contacts from new users.
Before the privacy issue came to light, it was reported Facebook exposed the passwords of 540 million users by storing those records in a readable format internally. The plaintext passwords had been searchable by Facebook employees dating back to 2012 with the passwords viewable by up to 20,000 Facebook employees. In September another similar breach was uncovered with as many as 419 million user records found on an unprotected server.
First American Corp.
Date: May 2019 (disclosed by third-party)
Type: bad security
What happened: While Facebook’s data breaches were basically contained internally, real estate and title insurance company First American outdid Facebook in both volume and exposure. In May it was reported that 885 million sensitive customer financial records including social security numbers, driver’s license images, bank account numbers and statements, wire transaction receipts, and mortgage and tax documents dating back to 2013 were left available on the First American website for anyone to view.
Post-exposure of its lax cybersecurity practices, First American created a dedicated landing page for information about the breach and resulting investigation.
Capital One
Date: July 19, 2019
Type: hack
What happened: Data breaches around gaming companies and social media networks are concerning, but for consumers when breaches hit major banks, the news is chilling. In March a hacker gained access to the Capital One data because of a misconfigured web application firewall and as a result, the bank had 106 million customer accounts and credit applications stolen. The breach included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers along with customer names, addresses, credit scores, credit limits, account balances, and other data.
Capital One fixed the issue and began working with federal law enforcement leading to the capture of the hacker by the FBI. It’s believed the data was recovered and never used for fraud or shared by the hacker.
Zynga
Date: September 12, 2019 (disclosed)
Type: hack
What happened: In September Zynga fell victim to a hacker attack that got away with 218 million records of the players of popular mobile games Words with Friends and Draw Something. Data fields impacted in the breach included players’ names, email addresses, login IDs, hashed passwords, password reset tokens, phone numbers, Facebook IDs and Zynga account IDs.
When announcing the breach, Zynga said it was taking steps to protect users’ accounts from invalid logins and had plans to further notify players as the investigation proceeded.
Canava
Date: May 24, 2019
Type: hack
What happened: In May it was reported that Canava, an Australian online web-design service, had data about 139 million users hacked. The record fields stolen in the hack included real names, usernames, email addresses and city and country information. Dates of birth and street addresses weren’t part of the hack, and to Canava’s credit, it had salted and hashed email passwords protecting those records from the cybercriminal.
Since the incident, Canava notified users of the hack, worked closely with cybersecurity consultants and introduced internal data protection changes.
No two data breaches are exactly the same and there’s no magic bullet to avoid becoming victim to cybercriminals. Some breaches are the result of bad luck or a determined bad actor, others are due to cybersecurity negligence or falling victim to social engineering, and others – such as Facebook’s two announced breaches this year – are completely self-created and self-owned.
There are steps and best practices every company should take to mitigate the risk of suffering a data breach resulting in a financial loss as well as a public relations hit. The first step is to regularly educate employees on security practices and ways they can avoid social engineering attacks. Employ and enforce strong login credentials and multi-factor authentication across all employee devices, and finally conduct regular security audits as well as encrypt business data. These best practices used in concert will go a long way in thwarting cybercriminals.
