The common theme across many of 2020's security breaches was the absence of controls to prevent or detect misconfigurations and to detect attacks by malicious actors. Stolen credentials, too, have proven to be a challenge that organisations and consumers alike are facing.
In the first half of 2020 alone, data breaches were reported at 81 global companies across 81 countries. Eighty percent of these breaches were the result of brute-force attacks or stolen credentials, and between 1 January and 1 August nearly 16 billion records were exposed.
Here’s a glance at some of the world’s top security breaches of 2020:
In January, it was reported that 250 million Microsoft customer support records, spanning 14 years, had been exposed. The records sat in an online database spread across five servers with no password protection. While most of the data was not highly sensitive personal information, many records still contained plaintext customer email addresses, IP addresses, geographic locations and details of customer service and support claims.
The exposed records were discovered via the threat intelligence search engine BinaryEdge and promptly reported. Although investigators found no evidence of malicious use, the exposure is still a loud wake-up call for the cyber security industry.
The exposure was the result of a security misconfiguration. As Paul Bischoff, an editor at Comparitech, put it in an article for Forbes: "It's a common mistake in any environment where data is stored. Security groups set firewall rules that decide who can access what from where (or what device)." Organisations should have a mechanism in place to root out such misconfigurations, and "If a misconfiguration is detected, security staff should be notified immediately so it can be remedied."
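The check Bischoff describes can be automated. The block below is an added example, not code from the original article or from Microsoft, Comparitech or any other party named here: it walks a set of security-group style ingress rules and flags any that expose a data-store port to the whole internet or to an effectively public range. The rule shape and the `SAMPLE_RULES` are constructed for the example; mapping a real cloud or firewall export onto those fields is assumed to be done separately.

```python
"""Added example: not code from the original article or from any vendor it names.

Flags firewall / cloud security-group rules that expose data-store ports to
arbitrary source addresses, the class of misconfiguration that leaves an
unauthenticated database reachable from the internet. Assumption: your
firewall or security-group export can be mapped to the simple dict shape used
in SAMPLE_RULES (those rules are constructed, not real infrastructure).
"""
import ipaddress

# Data-store ports that should never accept connections from arbitrary sources.
DATA_STORE_PORTS = {
    1433: "MSSQL",
    3306: "MySQL",
    5432: "PostgreSQL",
    5601: "Kibana",
    6379: "Redis",
    9200: "Elasticsearch",
    27017: "MongoDB",
}

# A non-private source range with a prefix this short or shorter is treated as
# effectively public (a whole /8 of IPv4, or a /32 of IPv6).
MAX_PUBLIC_PREFIX = {4: 8, 6: 32}


def source_exposure(cidr):
    """Classify a source CIDR as 'world' (0.0.0.0/0 or ::/0), 'public'
    (very broad and not RFC 1918/ULA space) or None (acceptable)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "world"
    if not net.is_private and net.prefixlen <= MAX_PUBLIC_PREFIX[net.version]:
        return "public"
    return None


def rule_covers_port(rule, port):
    """True if the rule admits TCP traffic to `port`; protocol -1/all means every port."""
    if rule["protocol"] in ("-1", "all"):
        return True
    return rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def find_exposed_data_stores(rules):
    """One finding per (ingress rule, data-store port) pair that is reachable too broadly."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress":
            continue
        exposure = source_exposure(rule["cidr"])
        if exposure is None:
            continue
        for port, service in DATA_STORE_PORTS.items():
            if rule_covers_port(rule, port):
                findings.append({
                    "group": rule["group"],
                    "port": port,
                    "service": service,
                    "cidr": rule["cidr"],
                    "severity": "critical" if exposure == "world" else "high",
                })
    return findings


def summarise(findings):
    """Counts per severity: the numbers an alerting threshold would key on."""
    counts = {"critical": 0, "high": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed sample rules (hypothetical group names, not real infrastructure).
SAMPLE_RULES = [
    # Elasticsearch open to the whole IPv4 internet: the shape of an exposed database.
    {"group": "sg-search", "direction": "ingress", "protocol": "tcp",
     "from_port": 9200, "to_port": 9200, "cidr": "0.0.0.0/0"},
    # Same service restricted to an internal range: acceptable.
    {"group": "sg-search", "direction": "ingress", "protocol": "tcp",
     "from_port": 9200, "to_port": 9200, "cidr": "10.0.0.0/8"},
    # A broad port range open to an entire public /8: effectively public.
    {"group": "sg-legacy", "direction": "ingress", "protocol": "tcp",
     "from_port": 3000, "to_port": 6000, "cidr": "52.0.0.0/8"},
    # "All traffic" from anywhere over IPv6.
    {"group": "sg-lab", "direction": "ingress", "protocol": "-1",
     "from_port": 0, "to_port": 65535, "cidr": "::/0"},
    # Public HTTPS is expected on a web tier and is not flagged.
    {"group": "sg-web", "direction": "ingress", "protocol": "tcp",
     "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    # Egress rules are out of scope for this check.
    {"group": "sg-web", "direction": "egress", "protocol": "tcp",
     "from_port": 9200, "to_port": 9200, "cidr": "0.0.0.0/0"},
]


if __name__ == "__main__":
    found = find_exposed_data_stores(SAMPLE_RULES)
    for f in found:
        print(f"[{f['severity'].upper()}] {f['group']}: {f['service']} "
              f"({f['port']}/tcp) reachable from {f['cidr']}")
    print(summarise(found))
```

Run on a schedule or on every rule change, a non-empty `critical` count is the condition under which "security staff should be notified immediately"; the `high` tier catches the subtler case of a very broad allow-list that is not literally `0.0.0.0/0`. Note that network reachability is only half the story: a data store that is reachable but properly authenticated is a weaker finding than one with no password at all, so pair this with a check of the service's own authentication settings.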
At the end of April we learned that Zoom, the video and phone communication platform whose popularity skyrocketed amid social distancing, had suffered an attack in which hackers obtained more than 500,000 Zoom account credentials (usernames and passwords) and posted them on dark web crime forums. Some were given away for free; others were sold for a penny apiece.
The credentials were reportedly assembled by credential stuffing, replaying username and password pairs leaked in earlier breaches, rather than by compromising Zoom itself. However the hackers obtained them, the damage to Zoom's reputation was such that organisations including SpaceX and New York City's school district banned use of the platform.
On 15 July of this year, attackers targeted several Twitter employees with a social engineering scheme, manipulating them into performing specific actions and divulging confidential company information. The attack was carried out by phone spear phishing and gave the attackers access to the company's internal support tools. Using those tools, the attackers targeted 130 Twitter accounts, including those of former U.S. President Barack Obama and an elected official in the Netherlands.
From these accounts the hackers were able to reset passwords, log in, tweet and download account data, and they even attempted to sell some of the usernames.
Following the attack, Twitter conducted an enterprise-wide investigation to determine the extent of the damage. In the days and weeks that followed, the social media giant was forced to take a hard look at employees' internal access to company data, and it temporarily stopped some accounts from tweeting until the situation was under control.
At the end of February, the hotel company Marriott discovered that a large volume of guest data had been accessed, beginning in mid-January of this year, using the login credentials of two employees at a franchise property. The credentials were disabled, an investigation was started and heightened monitoring was put in place, but not before approximately 5.2 million guests had been affected.
Although no account passwords, PINs, payment card information, passport information, national IDs or driver's licence numbers were compromised, the following kinds of information were involved:
In May of this year, EasyJet disclosed that it had fallen victim to a highly sophisticated cyber attack affecting around 9 million customers. Email addresses and travel details were the most common data accessed, but for 2,208 customers the attackers also obtained credit and debit card details, including the CVV, the three-digit security code printed on the back of the card. The PCI DSS prohibits storing the CVV once a transaction has been authorised, so how the CVVs came to be accessible is itself a question worth asking.
All 9 million affected passengers were notified of the attack and warned to be on the lookout for phishing scams.
At the end of April, Nintendo informed users that 160,000 Nintendo Network ID accounts had been compromised through "unauthorized logins." Days later the figure grew to 300,000 accounts. Fewer than 1 percent of the compromised accounts were used to make fraudulent purchases, but the reputational damage and the exposure of account information are still a major blow to the gaming company.
While there is no clear evidence that Nintendo itself was hacked, there is plenty of evidence to suggest that the accounts were accessed through one or more of the following routes:
After confirming large-scale account fraud in 2016, Tesco made the news again in March when 620,000 Clubcard accounts were attacked using stolen passwords, in the same week that Boots Advantage cardholders experienced a similar attack.
Tesco responded by requiring all affected customers to change their account passwords. No financial data was accessed and Tesco's systems were not hacked, but access to the affected accounts was blocked as a precaution, inconveniencing customers and doing undeniable damage to Tesco's reputation.
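The Tesco and Nintendo incidents above, and reportedly the Zoom one, share a mechanism: logins with credentials stolen elsewhere, replayed against many accounts at once. The signature in authentication logs is one source touching many distinct usernames in a short span, mostly failing, with the few successes being the real takeovers. The block below is an added example, not code from the article or from any of the companies it names, showing that detection logic run over a constructed log. The line format, field names and IP addresses are assumptions made for the example; a real deployment would map its identity provider's or web tier's login events onto the same fields.

```python
"""Added example (not from the original article or any company it names):
detect credential stuffing in login logs and list the accounts it took over.

The log line format and SAMPLE_LOG below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<iso-timestamp> login ip=<src> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(line):
    """Parse one log line into a dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"}


def _has_stuffing_window(evs, window, min_users, max_success_ratio):
    """Slide a time window over one source's (time-sorted) events; True if any
    span inside it touches >= min_users distinct accounts with a success ratio
    no higher than max_success_ratio."""
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        span = evs[start:end + 1]
        if len({e["user"] for e in span}) < min_users:
            continue
        ok = sum(1 for e in span if e["ok"])
        if ok / len(span) <= max_success_ratio:
            return True
    return False


def detect_stuffing(lines, window_minutes=10, min_users=5, max_success_ratio=0.5):
    """Return {source_ip: summary} for every source that shows a stuffing window.
    The summary's 'taken_over' list holds accounts that logged in successfully
    from that source: the ones to lock and force a password reset on, as Tesco did."""
    window = timedelta(minutes=window_minutes)
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        if not _has_stuffing_window(evs, window, min_users, max_success_ratio):
            continue
        successes = [e for e in evs if e["ok"]]
        flagged[ip] = {
            "attempts": len(evs),
            "distinct_users": len({e["user"] for e in evs}),
            "successes": len(successes),
            "taken_over": sorted({e["user"] for e in successes}),
        }
    return flagged


# Constructed sample log (documentation-range IPs, invented usernames).
SAMPLE_LOG = [
    "2020-03-02T09:00:00Z login ip=198.51.100.20 user=alice result=ok",
    "2020-03-02T09:01:10Z login ip=198.51.100.21 user=bob result=fail",   # typo, then
    "2020-03-02T09:01:25Z login ip=198.51.100.21 user=bob result=ok",     # a normal retry
    # One source, eight different accounts in eleven seconds, two of them succeed.
    "2020-03-02T09:05:00Z login ip=203.0.113.7 user=carol result=ok",
    "2020-03-02T09:05:02Z login ip=203.0.113.7 user=dave result=fail",
    "2020-03-02T09:05:03Z login ip=203.0.113.7 user=erin result=fail",
    "2020-03-02T09:05:05Z login ip=203.0.113.7 user=frank result=fail",
    "2020-03-02T09:05:06Z login ip=203.0.113.7 user=grace result=ok",
    "2020-03-02T09:05:08Z login ip=203.0.113.7 user=heidi result=fail",
    "2020-03-02T09:05:09Z login ip=203.0.113.7 user=ivan result=fail",
    "2020-03-02T09:05:11Z login ip=203.0.113.7 user=judy result=fail",
    # Three accounts only: below the threshold, left for a slower-burn rule.
    "2020-03-02T09:20:00Z login ip=203.0.113.9 user=ken result=fail",
    "2020-03-02T09:20:01Z login ip=203.0.113.9 user=leo result=fail",
    "2020-03-02T09:20:02Z login ip=203.0.113.9 user=mia result=fail",
    # "Low and slow": five accounts, one every 30 minutes; evades a 10-minute window.
    "2020-03-02T10:00:00Z login ip=203.0.113.50 user=nina result=fail",
    "2020-03-02T10:30:00Z login ip=203.0.113.50 user=oscar result=fail",
    "2020-03-02T11:00:00Z login ip=203.0.113.50 user=pat result=fail",
    "2020-03-02T11:30:00Z login ip=203.0.113.50 user=quinn result=fail",
    "2020-03-02T12:00:00Z login ip=203.0.113.50 user=rosa result=fail",
    "this is not a login line",                                           # ignored
]


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
    print("3h window:", sorted(detect_stuffing(SAMPLE_LOG, window_minutes=180)))
```

With the default 10-minute window only `203.0.113.7` is flagged, with `carol` and `grace` listed as taken over; the slow source `203.0.113.50` only appears when the window is widened to three hours. That is the practical caveat: a single window length will not catch both fast and slow stuffing, so run the rule at more than one window, and treat a successful login from a flagged source as an account-takeover event rather than as noise.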
Early in March, Virgin Media announced that it had discovered that one of its databases had been left unsecured for 10 months, leaving the personal details of 900,000 people accessible online for that entire period.
The breach was not the result of hacking or a criminal attack but of a misconfiguration in the database. Based on its own investigation, Virgin Media said the database had been accessed on one occasion, but it did not know the extent to which the information was accessed or used.
In December, FireEye reported an attack by a highly sophisticated threat actor whose discipline, operational security and techniques led FireEye to believe it was state-sponsored.
FireEye have since confirmed that the hackers gained access to their network as a result of a supply chain attack on SolarWinds.
SolarWinds also confirmed that they had experienced a 'cyberattack to their systems that inserted a vulnerability within certain software builds of their SolarWinds® Orion® Platform which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.'
The attacker targeted and accessed certain Red Team assessment tools that FireEye uses to test its customers' security. These tools mimic the behaviour of many cyber threat actors and enable FireEye to provide essential diagnostic security services to its customers in a non-destructive manner. None of the tools contains a zero-day exploit, but they are now in the hands of threat actors who are likely to put them to less benign use.
Further information will continue to emerge about these breaches as we enter 2021, since the attack affected not only FireEye and SolarWinds customers but the wider cyber security community as a whole.
If you have concerns about any of the breaches highlighted above, please contact us to arrange a meeting with our expert team to discuss them further.