In the internet age, there’s an implicit deal between corporations and their customers. Individuals hand over their private data to websites and online companies in return for access to the services they provide, on the assumption that personal details will be safeguarded. That deal is based on trust, but throughout 2020, businesses have repeatedly let down their end of the bargain.
With database leaks and mass hacking scandals on the rise, let's learn about the biggest data breaches of 2020.
A data breach takes place when a company or institution leaks private information, as a result of hacking attacks or basic human errors. Cybercriminals are often involved in the incidents; they may initiate a breach, or just extract user data after the fact.
The stolen details could include passwords, payment information, and even social security numbers. Hackers can then use these to take over accounts and credit cards, access banking systems, launch phishing attacks, or sell the data on to other criminals.
However, not all data breaches are the work of cybercriminals. Sometimes they can happen due to human error or a deliberate inside job. But the end result is similar – your data gets out in the open and can quickly land in the wrong hands.
2020's digital landscape was truly unprecedented. Due to the Covid pandemic, people spent more time than ever online. The public became reliant on online services, stored massive amounts of data digitally, and worked remotely. And the hackers had a field day.
The global online shift may be one of the factors driving the scope and magnitude of the year's breaches. 2020 saw leaks involving giant corporations and affecting billions of users. The average cost of a data breach rose to $3.86M.
There are lessons to be learned from these painful events, however, so we’re going to take you back through the biggest data breaches of 2020. We ranked them according to the data volume they affected. Some of the breaches happened earlier, but surfaced only in 2020.
An adult webcam platform CAM4 accidentally misconfigured its production server and left its data unprotected, without any password security. As a result, seven terabytes of data — containing a staggering 10.88 billion records — were exposed. Millions of users were put at risk as the records covered highly sensitive data, including full names, email addresses, credit card info, sexual orientation details, messaging and email correspondence, passwords, and payment logs. Though there is currently no evidence that cybercriminals have used the data, there is still a risk of future exploits. CAM4 fixed the server issue and has claimed that no one improperly accessed the data.
Advanced Info Service, Thailand's mobile operator, experienced their own CAM4-situation back in May. One of its databases was left open, exposing four terabytes of data (8.3 billion records). While the affected data did not include any personal details, anyone who accessed it could have seen the websites its users visited and the apps they used. The company immediately fixed the database issue after the discovery of the breach.
Keepnet Labs, a UK cybersecurity company, confirmed that one of its contractors temporarily exposed a database of 5 billion emails and passwords from previous data breaches. The contractor disabled the firewall for 10 minutes while migrating the database, leaving a vulnerable window for cybercriminals to snatch the data.
Keepnet stored the breach data to notify its customers in case someone compromised their business domain. This is standard practice for many cybersecurity companies.
Whisper is a secret-sharing app, but back in March 2020, it wasn’t doing a great job of keeping its users’ secrets. 900 million user records became publicly accessible via an unprotected database. Not only could anyone see its users' intimate confessions and personal correspondence, but they could also access all the metadata tied to those messages, including location info. Armed with this data, hackers could identify individual senders.
The company stated that the leak was due to improper querying of their database.
In March 2020, a hacker tried to sell the data of 538 million Weibo users on the dark web. A person claimed to have infiltrated Weibo in 2019 and snatched the information from the company's database. The data included personal details, such as names, usernames, gender, location, and phone numbers. As the passwords were not included, you could buy the data relatively cheaply, at only 250$. The company didn't provide a clear explanation on how the hackers managed to steal their data.
Jeremiah Fowler, a security researcher, discovered an unprotected database belonging to the cosmetics giant Estée Lauder, including more than 440 million records. The company claimed that it didn't contain any customer data. However, the researcher stated that the database was a content management system with references to internal documents, sales data, email addresses, and IP addresses. The company closed the database once it found out about the issue.
In October 2020, the communications company Broadvoice experienced a leak exposing 350 million records of personal voice transcripts, names, and phone numbers. The organization accidentally left the database cluster unprotected and accessible to everyone, without any need for authentication.
Back in July 2020, security researchers discovered a leaked database with more than 268 million unique emails and passwords. It also included users' IDs, names, IP addresses, and locations. The breached SQL database belonged to Wattpad, a platform for publishing user-generated stories. The hack exposed the platform's users to the risks of various cyberattacks such as spear-phishing and extortion.
The software giant suffered a significant data leak due to their misconfigured server security rules. As a result, 250 million customer records were exposed. They included email and IP addresses as well as support case details. The company swiftly fixed the configuration faults.
In January, researchers discovered a database containing more than 200 million units of personal data, hosted on a Google Cloud server. To this day its owner is unknown. The database contained highly sensitive information on US residents, including names, addresses, credit ratings, income details, and property values. Google took down the exposed server. We still don’t know if anyone made use of the information exposed.
While complete protection from data breaches is a hard promise for companies to keep, there are still steps that individuals can take to minimize the risks. Here are a few tips for improving your own security and limiting the threats posed by data leaks:
Stay safe. And let's hope that 2021 will be a less fruitful year for hackers.
To learn more about cybersecurity, subscribe to our monthly blog newsletter below!