The 9 Worst Recent Data Breaches of 2020

In June, we compiled the biggest data breach stories from the first half of 2020, and now we’re wrapping up the year with a rundown of recent data breaches.

Many of the stories on this list feature familiar culprits: human error, compromised credentials, and determined hackers. Other stories are uniquely 2020 — they reflect a year that has created a host of cybersecurity challenges. This year, businesses had to adapt to an already fraught threat landscape that was made even more dangerous by world events. (For example, one study reported that 40% of all Coronavirus-related emails are malicious in nature.)

Despite the challenges, many of the stories here showcase companies stepping up to make amends in the wake of a breach and limiting the damage with smart data management policies. Each of them offers a lesson to businesses on how to defend against breaches — and how to respond to them when they occur.

1. SolarWinds Attack Devastates U.S. Government and Corporations

The story

December saw one of the worst breach stories in history. Hackers who are widely believed to be affiliated with the Russian government breached some of the most highly-guarded networks in American government, including the Departments of Defense and Treasury. According to NPR, 18,000 public and private networks were breached, including Microsoft’s source code.

The attack seems to have been designed to observe and gather intelligence rather than commit sabotage, but the damage is still severe, and the extent of it is not fully known.

How the breach happened

This massive hack was executed through malicious code inserted into widely-used SolarWinds software.

As Columbia University professor Jason Healey explained to Vox, “The Russians, knowing they would struggle mightily to get into hard targets — the U.S. government and also members of the Fortune 500 — instead found that they all used the same software for network management, made by a company called SolarWinds.”

This malware may have started circulating in March, so hackers had months to explore the infiltrated networks before being detected.

What data was compromised

At this juncture, it seems the hackers accessed the non-classified systems of multiple departments of the U.S. government, including the Energy Department’s nuclear arsenal.

However, more departments and companies are continuing to come forward to reveal the scope of the breach. On January 6, the Department of Justice revealed the attackers seized their Office 365 system and accessed some email accounts.

To quote Healey’s Vox interview again, “With the access that Putin had with the SolarWind software — and then, oh, my god, it’s even worse if they got into Microsoft — imagine the damage that Russia could do if it switched from espionage to disruption.”

The lesson for businesses

Today, our public and private sectors operate on an intricately connected web of software from different suppliers. This model, with its myriad moving parts, has the potential to make us more resilient because our systems aren’t monoliths. But, as this attack illustrates, this approach also means that every software update to every backend system can be a potential gateway for hackers.

The lesson here isn’t to wall off your networks and “trust no one,” but not to take a third-party solution provider’s security for granted. Conduct rigorous, ongoing security audits of your systems to be sure there’s not a nasty surprise hiding there.

2. Garmin Pays Millions in Ransomware Attack

The story

On July 23, Garmin, makers of smart wearables, GPS devices, and aviation technology, suffered an attack that brought down its website and some of its services.

In August, Sky News broke the story of what had happened: Garmin was locked out of its own systems by ransomware and paid the attackers millions of dollars for the decryption key. According to Sky News’ report, the attack was believed to have come from Evil Corp, a Russian-based crime syndicate currently under U.S. sanctions.

The first cybersecurity firm Garmin approached about paying the ransom refused due to the sanctions. They next went to another firm, Arete I.R., which agreed to handle the payment. (Arete I.R. maintains that Evil Corp may not be responsible for the ransomware.)

How the breach happened

We don’t have details on how exactly criminals inserted malware into Garmin’s systems, but we do know that it was a highly targeted operation, not a mere crime of opportunity. It’s part of a new wave of ransomware attacks that use highly sophisticated encryption, that it’s almost impossible for companies to decrypt themselves, especially while it puts business-critical operations on hold.

Notably, these hackers chose to go after customer-facing areas of Garmin’s business, forcing them to act quickly in order to minimize disruption.

What data was compromised

The goal of this ransomware attack wasn’t to steal Garmin’s user data but to render it inaccessible. As such, there’s no evidence at present that sensitive data was exposed to the outside world. However, the prospect of people’s GPS and fitness activity being used against them raises alarm bells for future attacks.

The lesson for businesses

Whenever a story like this happens, law enforcement officials and cybersecurity experts repeat the same admonishment: “don’t pay ransomware attackers.” And it’s true that every time a business ponies up to cybercriminals, it sends a message that ransomware is a lucrative business. However, businesses like Garmin find themselves in an impossible position, and the choice to pay up is understandable.

The real lesson is that it’s better to prevent ransomware attacks than to face the tough choice of how to deal with them. For a company like Garmin, that’s particularly challenging since their infrastructure is so vast and complex.

As TechBeacon wrote, “The more products and services offered by an organization, the less transparent an organization’s infrastructure can be. That lack of transparency can provide attackers with the cover they need to launch an attack.” For businesses like this, it’s vital to have a vigilant security posture toward every possible vector for attack.

3. Twitter Spear-Phishing Attack Nets World Leaders

The story

In July, the Twitter accounts of some of the world’s most influential people — including Barack Obama, Joe Biden, Elon Musk, and Kanye West — all posted suspicious tweets asking for Bitcoin.

The hack prompted an immediate panic and questions about how so many high-profile accounts were simultaneously hijacked. The unlikely mastermind turned out to be Graham Ivan Clark, a 17-year-old from Florida, who was quickly apprehended, along with a handful of associates. The attackers scammed Twitter users out of a little over $100,000 but caused an even bigger scandal.

How the breach happened

According to the WSJ, the Twitter hack was the culmination of a strikingly elaborate spear-phishing scheme that targeted Twitter employees. Clark spoofed an employee’s phone number by SIM-swapping (tricking a phone carrier into assigning another person’s number to a new device). He also created fake Okta login pages for Twitter employees and even convinced one over the phone that he was with company I.T. As a result, he successfully obtained login credentials to Twitter’s secure systems, and from there, hijacked accounts.

What data was compromised

The hackers seized control of 130 accounts, according to prosecutors. Clark hijacked 17 accounts himself and sold access to others, using the OGUsers forum as their hub to connect with the account takeover community.

While the breach was certainly serious, what’s more, alarming is how much worse it could have been had the hackers tried something more than a fairly transparent scam. They could have tanked the stock market, started a war or used private messages to commit blackmail against some of the world’s most powerful people.

The lesson for businesses

Your employees are your company’s biggest vulnerabilities for data breaches. IBM’s 2020 Cost of a Data Breach Report found that the most expensive data breaches of the past year were the result of compromised employee credentials. So ensuring that access to your sensitive data is restricted to only the necessary individuals is basic and critical security control. And make sure that list stays current by performing regular access reviews and automating the employee offboarding process.

To protect against sophisticated social engineering attacks like spear phishing, it’s critical that you put strong authentication protocols in place, like multi-factor authentication (MFA). You should also provide ongoing training and testing for employees on how to guard against attacks, particularly now that so many businesses have gone remote for the COVID-19 pandemic.

4. GEDMatch Exposes DNA to Law Enforcement

The story

GEDMatch is a website that lets users find relatives and ancestors by uploading their DNA. It’s famous for having led authorities to the Golden State killer in 2018. But in the wake of that event, the site offered users the ability to opt out of sharing data with law enforcement.

Then, on July 19 and 20, GEDMatch suffered two data breaches, in which hackers reset user privacy settings, so everyone who had opted out of sharing their data with law enforcement was automatically opted back in.

Days later, MyHeritage, another genealogy site, reported that its users were being emailed in a targeted phishing campaign. The only affected users were those who also had GEDmatch accounts, indicating that the attackers didn’t just change privacy settings; they stole data.

How the breach happened

The company only shared that the attack was “orchestrated through a sophisticated attack on one of our servers via an existing user account.” Some have speculated that the hackers had an ideological rather than monetary motive, given how specific their goal seems to have been.

What data was compromised

The hack exposed the profile data of roughly 1.4 million people, albeit only for a few hours.

However, the CEO of Verogen, GEDMatch’s parent company, issued a statement that the damage wasn’t as bad as it first appeared: “We can assure you that your DNA information was not compromised, as GEDMatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.”

The lesson for businesses

Take a hard look at your data deletion policies to ensure you’re not retaining data that could hurt you in a breach. It looks from the outside that GEDmatch had followed good practice and had layers of security controls, meaning the failure of one control did not lead to the attackers progressing beyond their initial intrusion.

If you can avoid storing highly sensitive data — such as passwords, payment information, or biometric data — on your own servers, do so. Deleting raw DNA data helped minimize the damage to GEDmatch in this breach.

Secondly, prepare for biometric and genetic data to get a closer look from regulators. As Elizabeth Joh, a Law Professor at UC Davis, told TechCrunch: “A privacy breach in a genetic genealogy database underscores the woefully inadequate regulatory safeguards for the most sensitive of information, in a novel arena for civil liberties.”

5. Zoom Faces Scrutiny After Waves of Attacks

The story

Zoom’s cybersecurity troubles are really several stories rolled into one. It’s a tale about a company that was unprepared to become the world’s default meeting host in a global pandemic.

In April 2020, half a million Zoom passwords were found being sold on the dark web. Hackers collected these passwords through credential stuffing and then packaged the successfully compromised accounts into a new database. The size of this collection doesn’t speak well of Zoom’s security. As CPO Magazine reported: “the sheer number of Zoom accounts that were compromised in this way indicates that the video conferencing service has not been checking registered usernames and passwords against lists of known breached account credentials.”

Zoom also got into hot water for failing to adequately encrypt its software to prevent hackers from crashing meetings by “Zoombombing.” Researchers also discovered that Zoom shared user data with Facebook without getting consent to do so. In addition, some users were upset to learn that data was being stored on servers in China, which the company said was an error brought on by the unprecedented spike in demand.

Zoom has at least made efforts to address these issues, and its CEO has publicly accepted blame, saying, “I really messed up.” In response to these issues, the FTC ordered Zoom to implement specific and comprehensive data security measures.

How the breach happened

In the case of the credential stuffing attacks, hackers used sophisticated bots to get around Zoom’s brute force protections, testing stolen credentials until they found matches.

Meanwhile, Zoombombing hackers engaged in session hijacking, which is a form of broken authentication attack. Opportunistic hackers could easily find unprotected Zoom URLs just by Googling until the company tightened security and introduced waiting rooms.

What data was compromised

The frightening thing about the Zoom data breach is that trolls interrupting meetings with inappropriate comments are probably just the tip of the iceberg. We don’t know how many private conversations hackers eavesdropped on unbeknownst to the meeting participants, nor whether any data was improperly accessed by Chinese state officials.

The lesson for businesses

Treat any third-party tool you use for business operations with caution, even if “everyone else” is using it. Any piece of software that touches sensitive data is a potential attack vector, and it doesn’t get much more sensitive than private meetings. The University of Toronto’s Citizen Lab issued a report warning that complacency could lead to serious fallout:

The rapid uptake of teleconference platforms such as Zoom, without proper vetting, potentially puts trade secrets, state secrets, and human rights defenders at risk. Companies and individuals might erroneously assume that because a company is publicly listed or is a major household name, that this means the app is designed using security best practices.

6. Credential Stuffing Attacks Hit Insurance Portals

The story

In 2018, the MyFitnessPal app suffered a massive breach that compromised user data, including passwords. In 2020, this story came back to haunt two insurance companies: Independence Blue Cross and AmeriHealth New Jersey. Both companies reported that their member portals had been improperly accessed by hackers reusing the credentials stolen in the 2018 attack.

This is just one of many examples of credential stuffing in 2020, but the fact that it occurred on two insurance websites is noteworthy. Aside from an individual’s health data being extremely private, the fact that hackers are interested in this data (which has no immediate cash value) raises troubling questions.

How the breach happened

Like all credential stuffing attacks, these hackers started with a database of passwords stolen in other cyberattacks. They then plugged these passwords into the insurance portals, letting them impersonate anyone who was still using the same password they used for MyFitnessPal in 2018.

What data was compromised

Independence Blue Cross reported that intruders could have accessed members’ names, I.D. numbers, and claim information.

The lesson for businesses

People aren’t going to stop reusing passwords anytime soon, but businesses can still guard against credential stuffing. One crucial step is to implement step-up or adaptive authentication, which asks users for more credentials if their behavior is suspicious. In this case, it could have noticed that members were logging in with new I.P. addresses or at an unusual time of day and asked them to confirm their identity.

Breached password protection is another way to combat credential stuffing. Auth0’s anomaly detection tool tracks breaches and maintains a database of compromised credentials. If an individual uses a password from the database, Auth0 will notify the site’s host and give them the opportunity to notify the affected user.

7. U.S. Election Cyberattacks Stoke Fears

The story

Concerns about a digital assault on American elections have been running high since (at least) 2016. However, for the most part, neither homegrown hackers nor state-sponsored cybercriminals made much of an impact on the 2020 elections.

That isn’t to say there were no incidents. On October 22, officials in Hall County, Georgia, announced that a ransomware attack disrupted their systems, including a database of voter signatures. It’s doubtful that this attacker meant to tamper with the election results; they simply exploited the urgency of an election in order to demand money. It’s the same reason hospitals and public services are so vulnerable to ransomware attacks: They’re more likely to pay up because the cost of downtime is so high.

However, many cybersecurity experts worry that the Georgia hack will motivate other bad actors to try the same thing: “Attack-path validation is a key step in any attack sequence, and testing it on small-scale scenarios always makes sense,” warns Netenrich CIO Brandon Hoffman. “If security professionals working with voting technology were not already extra-vigilant, there’s no time to waste in getting over-prepared.”

How the breach happened

As of this writing, we don’t have details as to how the attackers got in.

What data was compromised

Apparently, several county systems were down for the course of the attack. But in the case of the voter rolls, poll workers could access paper registration forms to cross-reference signatures. It’s a good reminder that there’s still a place for analog backups in a digital world.

The lesson for businesses

Religiously patch your software to protect against the latest versions of ransomware. Just as importantly, help your workforce to do the same on the devices they use when working from home. This will likely require some hands-on labor from the I.T. team, but it’s well worth it, considering the alternative.

8. A Cybersecurity Company Infiltrates the Hacker World, then Gets Infiltrated

The story

This strange (but fascinating) story began in early 2020 when the world learned that the MGM resort in Las Vegas suffered a data breach that exposed the records of 10 million guests. Then, in July, the MGM breach grew 10-fold, to 142 million guest records, and ZDNet reported that this cache was being sold on the dark web for $2,900.

It seems that in the wake of the original breach, MGM retained the services of Data Viper, a cybersecurity startup that was itself hacked. The Data Viper hackers claimed to have stolen around 2 billion records worth of compromised credentials that Data Viper was storing. Data Viper’s founder, Vinny Troia, is alleged to have gotten these records in the first place by posing as a hacker on the dark web.

Troia blamed this breach on one of his developers, who mistakenly posted his credentials on public documents. However, it’s hard to take Troia’s stories at face value since he downplayed the severity of the threat, has a murky history with the hacker community, and, according to Krebs on Security, “previously staged a hack against his own site.”

How the breach happened

Matt Keil, Director of Product Marketing at Sequence Security, laid out the industry’s concerns regarding the Data Viper hack:

The scope of the breach and the technique used to highlight two areas of weak security practices. The first weakness is the fact that many of the databases collected by Data Viper were the result of poor cloud-based implementations — they had little or no access control and authentication configured, or the API keys were left exposed — so the data was freely accessible to anyone on the web. The second weakness is the developer error of leaving API credentials exposed, an all too common error made by many organizations that are moving (rapidly) to an API-based development methodology.

What data was compromised

The MGM only seems to have exposed guest contact information, not payment information or details about their stays. However, the extent of the other records hacked from Data Viper’s servers is not yet clear.

The lesson for businesses

There are two lessons here. The first is that you should be wary of inadvertently exposing data on the cloud and should conduct a security audit with a cloud-first security company. Businesses of all sizes have suffered devastating breaches in 2020 due to misconfiguration errors when migrating to the cloud. In MGM’s case, the damage was increased tenfold by partnering with a security firm that had its own cloud weaknesses.

The second lesson is that businesses should hold cybersecurity partners to a high level of scrutiny before trusting them with valuable internal data. As Krebs on Security wrote, “Data Viper offers a cautionary and twisted tale of what can happen when security researchers seeking to gather intelligence about illegal activity online get too close to their prey or lose sight of their purported mission.”

9. Twilio’s SDK Altered in “Malvertising” Scheme

The story

In July, cloud communications company Twilio revealed that someone broke into its unprotected AWS storage and altered its TaskRouter software development kit (SDK). These intruders inserted a line of code that can be used to inject malicious advertising (as part of phishing campaigns) or skim payment card information from users.

The code was only up for a few hours, but Twilio encouraged anyone who downloaded TaskRouter during that time to replace their copy with a new version.

How the breach happened

According to The Register, “The development kit was vandalized as part of an automated cyber-crime campaign that preys on JavaScript code in open S3 buckets to inject malicious ads into browsers.”

Had the attack been targeted, not automated, the damage could have been much worse.

What data was compromised

Twilio seems to have caught the breach soon enough that few users had a chance to download the infected SDK. If they hadn’t found the code, Twilio’s users could have implemented it on their applications, finally trickling down to end-users, where it could have compromised personal and financial data.

The lesson for businesses

Basically, every business relies on third-party SDKs to make their websites run, but this system requires a high degree of trust that you’re not downloading infected code. That means that software companies must have the highest level of access control over their SDKs, and their customers should demand transparency over any issues.

Twilio dealt with this incident quickly and was able to minimize the damage. But as Cyberscoop points out, “[these types of] have been a scourge for corporations around the world, with attackers inserting credit card skimmers on hundreds of websites last year.” They point to British Airways, which was fined over $200 million under GDPR for failing to identify this type of malicious code.

When It Comes to Protecting Data, We’re All in This Together

If there’s one overarching narrative in all these recent data breaches, it’s that cybersecurity failures don’t happen in isolation. A compromised database at one company will resurface as credential stuffing attacks at another. One successful ransomware attack emboldens more hackers to try the same thing.

Many of the companies on this list emphasized that their most sensitive data wasn’t exposed. And in some ways, that’s a sign of progress since it shows that companies are getting smarter about how they control access to data with the highest potential to do harm. But it doesn’t excuse treating less sensitive (but still personal) data with less care, as cybercriminals can compile it for use against future victims.

Businesses need to stop thinking of data breaches solely in terms of the immediate impact on themselves and start thinking of themselves as players in a larger information ecosystem. If enough businesses adopt that philosophy, maybe we can look forward to a shorter list of breaches in 2021.