At the beginning of the year, people celebrated the turn of the decade and readied themselves to strike off the “Things-to-Do” from their bucket list. The year looked promising in the first two months, but little did anyone anticipate they would spend the rest of the year confined within their homes and end up extending their list furthermore. The COVID-19 pandemic made 2020 rather bleak.
The forced lockdown saw a greater shift towards remote working and the uptake of technologies that facilitated this framework. Adoption of cloud and collaboration platforms skyrocketed and gave impetus to rapid digital transformation. However, every coin has two sides, and the flip side was worse. The expanded threat landscape made the already fragile cybersecurity aspect of several businesses cave-in, resulting in greater hacks and data breaches. In fact, a recent report from Risk Based Security revealed that 36 billion records were exposed in data breaches in 2020.
By Mihir Bagwe, Technical Writer, CISO MAG
So, as this eventful year draws to an end, let us sit back and have a look at the top nine data breaches that made it to the headlines and taught us a lesson or two.
1The Twitter Data Breach
Impact of Data Breach: 130 accounts
The Twitter data breach grabbed alarming attention not because of the number of accounts hacked but for the prominent names that were targeted, this is why it makes the cut in our list of the top data breaches of 2020. The micro-blogging platform was left red-faced in July 2020, with an account hacking incident that compromised nearly 130 accounts including handles of global celebrities like Kanye West (Rapper) and wife Kim Kardashian (T.V. Celebrity), Jeff Bezos (Amazon CEO), Bill Gates (Microsoft Co-Founder), Barack Obama (the former U.S. President), and a few of the Twitter’s top employees.
The FBI later tracked down three individuals involved in the “Greatest Twitter Hack” and pressed felony charges against the trio on several counts, which involved computer intrusion, wire fraud conspiracy, and money laundering conspiracy, among others.
2MGM Resorts Data Breach
Impact of Data Breach: 142 Million guest accounts for sale on the dark web
The MGM Resorts, in February 2020, reported a data breach that affected nearly 10.6 million of its guests. The company sought help from two cybersecurity firms to probe the incident and correspondingly beefed-up the security lines to avoid such breaches in the future. However, in July, it was discovered that a cybercriminal was selling details of 142,479,937 MGM Resorts’ guests, which might have been originally leaked during the first MGM Resorts data breach that took place in the summer of 2019. The offer price of this data on the dark web was placed at $2,939.76.
Although the compromised data did not involve any financial details and/or personal IDs like the SSN (social security number) or license and passport numbers, MGM Resorts advised its guests to perform a password reset and be watchful of any suspicious activities.
3Marriot International Data Breach
Impact of Data Breach: 5.2 Million guest accounts breached
In March 2020, hospitality group Marriott International announced that it had been hit by a data breach that exposed the personal information of around 5.2 million of its guests. In an official release, the company stated that the breach began in mid-January 2020 and was discovered only at the end of February 2020. The incident exposed contact details, including names, addresses, birth dates, gender, email addresses, employer name, room stay preferences, and loyalty account numbers. However, Marriott clarified that passport information, payment details, and passwords were not exposed in the breach.
Investigations confirmed that the exposed data had been accessed by an unknown third-party using the login credentials of two employees at a group hotel, which was operated and franchised under Marriott’s brand. Marriott notified the incident to the relevant authorities for further investigation and informed those affected in the breach. The hospitality giant also set up a website to help the impacted guests in the incident.
4Zoom Credentials Data Breach
Impact of Data Breach: 500,000+ Zoom login credentials
With millions of office workers using the Zoom video conferencing platform from home, opportunistic hackers reportedly stole 500,000+ Zoom credentials and sold them for as little as $0.002 per record on the dark web. The affected accounts were related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and even well-known companies such as Chase, Citibank, and more.
The stolen credentials included email addresses, passwords, personal meeting URLs, and host keys that allowed threat actors to enter meetings and carry out Zoomboming attacks.
5Wishbone
Impact of Data Breach: 40 Million user records
An unidentified hacker group was discovered selling Wishbone.io database on darknet forums. The leaked database contained over 40 million records of Wishbone users–a social platform that allows users to compare social content via voting poll.
The exposed database contained users’ personal data including, email addresses, names, usernames, phone numbers, geographic locations, genders, social media profiles, hashed MD5 passwords, Facebook and Twitter access tokens, gender, date of birth, and profile images, etc.
6Unacademy
Impact of Data Breach: 22 Million user records
Cybersecurity firm Cyble revealed that India-based online learning platform, Unacademy, suffered a data breach that exposed details of 22 million of its users. Cyble’s researchers found that the unknown hackers kept 21,909,707 user records for sale at $2,000 on darknet forums. The compromised information included usernames, hashed passwords, date of joining, last login date, account status, email addresses, first and last names, and other account profile details.
7EasyJet Data Breach
Impact of Data Breach: 9 Million user records
On May 19, 2020, EasyJet admitted that it had been a target of a cyberattack from a highly sophisticated source. It first learned of the attack in January 2020 and stated that the threat actors accessed the email addresses and travel details of more than 9 million customers. However, the company clarified that out of the 9 million affected customers, only 2,200 customers’ credit card details were compromised. EasyJet added that there was no evidence of any misuse of customer information; however, it urged its customers to change passwords, monitor their credit card accounts, and be vigilant of any phishing emails.
8Nintendo Data Breach
Impact of Data Breach: 300,000 affected accounts
Japanese consumer electronics and video game giant, Nintendo, had initially admitted that over 160,000 of its gamers’ accounts had been breached by cybercriminals. However, further internal investigations confirmed that another 140,000 user accounts were compromised, taking the tally to 300,000 affected accounts.
Nintendo has a unique NNID (Nintendo Network ID) for all its users. NNID acts like a user ID, which can be linked to the Nintendo account and used optionally for login purposes. However, the cybercriminals exploited this NNID login system, and illicitly gained access into the Nintendo accounts linked to it. The cybercriminals further had access to users’ nicknames, birth dates, countries, email addresses, and other information linked to the NNIDs, which posed a severe identity theft threat.
9SolarWinds Hack
Impact of Data Breach: 18,000 high-profile customers including multiple U.S. Government Agencies and tech companies like Microsoft, FireEye, Boeing and many more.
The last-minute entrant to our list of top data breaches for 2020 is the SolarWinds Hack. Just a few days back, the White House acknowledged that a Russian state-sponsored group known as the Cozy Bear or APT 29 carried out a targeted cyberattack on several U.S. Government agencies through a vulnerability in its IT management software called SolarWinds Orion.
The impact of the hack picked up like a raging tornado, sucking up everything and growing larger with every passing moment. SolarWinds, in its SEC filing, acknowledged that nearly 18,000 of its customers were affected in their software hack and that they were all notified about it. However, no customer names were disclosed, and it took down the client list post the disclosure of the hack. However, due to mandatory data breach disclosure procedures of the governments and data regulators, multiple agencies and companies are still coming forward, revealing they were hacked.
About the Author
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features, technical blogs, and conducts interviews on latest cybersecurity technologies and trends.