Massive Data Breach: Security Threat That Catches The Headlines
Rarely does a week goes by without a large company or a government agency announcing a data breach and making the headlines.
According to a 2019 report entitled the RiskBased Data Breach QuickView Report 2019 Q3, there were a total of 5,183 breaches that exposed 7.9 billion records just by the end of September.
When compared to the previous year’s record, the total number of data breaches has increased a whopping 33.3 percent with the total number of records exposed doubled significantly up to 112 percent.
Here are just some of the biggest data breaches this year. Welcome to the Data Breach Hall of Shame 2019!
Capital One
Of all the 2019 data breaches, Capital One has probably the biggest breach in terms of future ramifications.
If you visit the website of Capital One, you’ll know that it is one of the largest banks in the US and Paige Thompson, a Seattle-based software engineer, was arrested for hacking the bank’s database. According to the US Department of Justice, Paige exploited a misconfigured web app firewall in order to gain access to the data.
Thompson completed the hack on the 2nd and 23rd of March and has since been arrested. The breach affected at least 100 million consumers in the US and approximately 6 million in Canada.
This breach was also a costly one. A report from CNN Business revealed that Capital One is expected to suffer $100 – $150 million in costs related to the breach. The costs were from notifying affected clients, defending itself against legal actions, providing free credit monitoring to customers, and upgrading their tech to fix the vulnerability.
Facebook
Users of the social media giant, Facebook, are constantly at risk of having their data breached and exposed to the public due to a large number of third-party programs and apps that have access to their data.
And not all these 3rd parties store user data on secured servers which leads to massive data breaches like the one in April.
A digital media company based in Mexico called the Cultura Colectiva left more than 540 million records of account names, user IDs, comments, and likes exposed on a publicly accessible server.
In addition, a smaller data breach that was more concerning was also discovered around that same time. The Facebook-integrated app “At the Pool” exposed more than 22,000 user passwords via a backup in an Amazon S3 bucket which stored the passwords as plain text. Because most users ten to duplicate passwords across app, cybercriminals could have easily gained access to their accounts via the exposed passwords.
American Medical Collection Agency
This agency collects overdue payments from medical labs such as Laboratory Corporation of America, Conduent, Quest Diagnostic and CareCentrix. Now, a long-running data breach exposed the over 20 million records of these laboratories’ customers including sensitive data like bank account information and Social Security numbers.
Gemini Advisory, a cyber-security firm, discovered this data on the dark web. The analysis was that the data was probably stolen from the agency’s online portal. The agency has since filed for bankruptcy protection and cited IT costs, the loss of business and possible lawsuits.
Fortnite
Boasting more than 200 million users globally, Fortnite had an old, unsecured web page that left its players exposed to the risk of having their user accounts hacked, the in-game currency used and audio recorded without hackers even typing their login information.
Fortunately, Check Point Research discovered it and reported it to Epic Games, securing the breach point immediately.
Oklahoma Department of Securities
A shocking report showed that a decades’ worth of data in a storage server that belongs to the Department of Securities in Oklahoma has been exposed for almost a week before the breach was discovered.
Shodan, a search engine, registered that the data was publicly accessible on the 30th of November 2018. Upguard analysts discovered on the 7th of December that the server contained sensitive content and called the agency the very next day, telling them to revoke public access to the sensitive data immediately.
The extent of the breach remains to be determined as the data left unsecured included internal communications records, personal information, and login data.