Stealthbits

Top Data Breaches of 2020

Farrah Gamboa

This year has been a year like no other, with what seems to be a never-ending and always evolving set of headlines. At a glance, we’ve seen the evolution of the Coronavirus pandemic, the ongoing wildfires across not only the country but the world, the death of a basketball legend, Brexit finally coming to fruition, a civil rights uprising, and so much more.  

The state of cybersecurity this year has had just as many ups and downs. While research done by the Identity Theft Resource Center found that in the first half of 2020 there had been a 33% drop in the number of publicly reported data breaches as compared to the number reported in the first half of 2019, the number of records exposed has gone up significantly. Cyber attackers continue to exfiltrate data from the largest organizations in the world, finding novel ways to compromise sensitive data.  

Let’s explore some of the top data breaches of this year so far, focusing on why they happened and how they could have been prevented.

| Company | Impact | How it Happened | Type of Data | How it could have been prevented |
| --- | --- | --- | --- | --- |
| Slickwraps | 330,000+ Customers | Remote Script Execution Vulnerability | Customer photos, addresses, administrator account details, employee resumes | Security Assessments |
| Antheus Tecnologia | 81.5 Million Records | Cloud migration misconfiguration | Biometric Information, Employee emails, admin logon information | Password Protection |
| ExecuPharm | Unknown | Phishing Campaign | Employee emails, financial records (SSNs, Bank/Credit Card Numbers), database backups, employee documents | Employee Education |
| Marriott | 5.2 Million Guests | Compromised Credentials | Contact Details, Account Information, Personal Information | Multi-Factor Authentication |
| EasyJet | 9 million+ customers | Unknown | Email addresses, names, travel records, and credit card details including the three-digit CVV | Unknown |

Slickwraps Data Breach

Slickwraps, February 21, 2020 

Impact 

330,000+ customers 

What Happened 

The breach story of Slickwraps, an electronics accessory company, begins with an individual who declared themselves a “white hat” hacker and tried to alert the company about their “abysmal cybersecurity”. When the company chose to overlook the warning, the hacker published a post about their experience. That post was discovered by a second hacker, who not only exploited these vulnerabilities but also emailed all customers to let them know that their data had been compromised.

[Image: Slickwraps vulnerability notice]

The exploit was possible because of a remote code execution vulnerability in the phone customization tool. This tool allowed end-users to upload their custom photos, which the hacker was able to exploit by uploading a file that allowed them to ultimately execute shell commands. This vulnerability exposed customer photos, billing and shipping addresses, administrator account details, and employee resumes.

How it could have been prevented 

This one is probably more obvious than others. If someone points out a vulnerability, don’t let the alert go unnoticed. More proactively, though, organizations should ensure the security of their applications through regular security audits, whether internal or external, and penetration tests. This particular vulnerability is not uncommon and would be flagged by any number of scans or tests.
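As an added illustration (not code from Slickwraps or from the original post), the sketch below shows the kind of upload check a security assessment would look for in a photo-upload tool: the weak pattern that trusts the client's file name, beside a handler that allowlists image types and generates the stored name itself. The function names, the size limit and the sample inputs are assumptions made for the example.

```python
import os
import uuid

# Allowlist: extension -> leading magic bytes expected for that image type.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for a customer photo


def naive_store_name(client_name):
    """Weak pattern: the client-supplied name is used as-is, so a script
    extension or a path component reaches the filesystem unchanged."""
    return client_name


def safe_store_name(client_name, data):
    """Return a server-generated file name for the upload, or raise ValueError."""
    # Only the final extension is read; the rest of the client name is discarded.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: %r" % ext)
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Random name: nothing chosen by the uploader ends up in the stored path.
    # Store the result outside the web root, or in a directory where the web
    # server is configured never to execute files.
    return uuid.uuid4().hex + ext


if __name__ == "__main__":
    # Constructed sample inputs.
    print(naive_store_name("not_an_image.php"))
    print(safe_store_name("photo.png", ALLOWED[".png"] + b"constructed body"))
```

The magic-byte check only rejects obvious mismatches; the allowlisted extension, the server-generated name and a storage location that never executes files are what keep an uploaded file from being run.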

Antheus Tecnologia Data Breach

Antheus Tecnologia, March 11, 2020 

Impact 

81.5 Million Records 

What Happened 

Brazil-based biometric solutions company Antheus Tecnologia left sensitive information, including data on 76,000 fingerprints, exposed on an unsecured log server. This data was left exposed on the internet and discovered by the security research team at SafetyDetectives. In addition to the fingerprint data, other sensitive information was found, such as facial recognition data, employee emails, telephone numbers, and administrator login information.

The exposure of these types of biometric data is particularly alarming because the data’s relevance does not diminish over time. Once stolen, the attacker has information that theoretically never goes bad and can be used for malicious purposes now or any time in the future.

How it could have been prevented 

Organizations should ensure that the appropriate controls are put in place to secure access to sensitive data, whether this data exists on-premises or online. This incident is likely due to a misconfiguration when transitioning data to the cloud. The migration of sensitive data between locations should be handled with care, using measures such as password protection or data encryption. This is especially important as companies are moving internal data to the cloud, which could potentially leave data exposed to anyone with the right IP address.

ExecuPharm Data Breach

ExecuPharm, March 13, 2020 

Impact: 

Unknown 

What Happened 

The ransomware attack on this major US pharmaceutical firm actually took place in March but wasn’t disclosed to the public until a month later. Cyber attackers were able to gain access to servers through a phishing campaign targeted at ExecuPharm employees, and once inside, encrypted the data and demanded a ransom to decrypt it. When the cyberattackers didn’t receive the ransom that they had demanded, they published the stolen data on the dark web, which included thousands of employee emails, financial records, user documents, and database backups. These records potentially included personal information ranging from Social Security numbers to bank and credit card numbers.  

How it could have been prevented 

The importance of employee training on common cybersecurity attack vectors such as phishing and credential stuffing cannot be overstated. The IBM Security Cost of a Data Breach Report 2020 indicates that 19% of data breaches are caused by compromised credentials and cloud misconfigurations, scenarios that often exist due to a lack of employee awareness or administrative discipline. In addition, a study conducted by the Ponemon Institute concluded that 62% of insider threats are due to “negligent insiders”, inside actors that don’t even know that they are posing a threat!

Phishing campaigns are on the rise, so it is extremely important that employees are familiar with common phishing language, how to spot suspicious links, and how to check if a website or email is legitimate. At the very least, they should know when to reach out and who to reach out to for help or clarification. Check out our blog post on how to identify phishing scams.  

Another key piece of the puzzle is having a monitoring system in place to detect and respond to ransomware attacks swiftly. Time is the most important asset in being able to gain back control and stop the propagation of ransomware throughout the network.  

In addition to having the appropriate monitoring technology in place, a hardened Active Directory makes it harder for attackers to escalate their privileges and move laterally across the network. Couple that with a Privileged Access Management solution, and now it’s even more difficult to compromise a privileged account.

Marriott Data Breach

Marriott, March 31, 2020 

Impact 

5.2 Million Guests 

What Happened 

Only 2 years after the massive data breach which stemmed from their acquisition of Starwood Hotels, Marriott announced that guest information had been accessed using two employee credentials that had been compromised. The credentials allowed the hackers to access an application used by the hotel franchise to help provide services to guests. While it is unclear how the hackers got access to the employee credentials, they were able to slowly pull data for a month before being discovered. This data includes contact details, loyalty account information, personal information (gender, birthday), linked loyalty programs and numbers, and preferences.

How it could have been prevented 

If Marriott had been leveraging multi-factor authentication, the hackers would’ve required much more than a password to compromise the employee credentials, making it extremely difficult, if not impossible, for the hackers to get into the network. Another necessary measure that Marriott could have taken is leveraging tools to monitor user activity and behavior patterns in order to proactively identify anomalous behavior, especially as it pertains to sensitive data. In this case, they might have been able to notice employees accessing a large number of guest records, which is likely outside of their typical behavior, and would have been able to investigate and likely detect the attacker’s presence much sooner.
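The behavior monitoring described above can be sketched as follows. This is an added example, not Marriott's or Stealthbits' tooling: it compares each account's daily count of distinct guest records against that account's own history. The log format, account names, thresholds and sample data are all constructed for the illustration.

```python
from collections import defaultdict
from statistics import median


def build_sample():
    """Constructed access log: '<date> <user> <guest_record_id>' per lookup."""
    lines = []
    for day in range(1, 6):  # five ordinary days
        for user, n in (("frontdesk1", 8), ("frontdesk2", 10)):
            for i in range(n):
                lines.append("2020-01-%02d %s G%04d" % (day, user, day * 20 + i))
    for i in range(400):  # day 6: one login reads 400 distinct guest records
        lines.append("2020-01-06 frontdesk2 G%04d" % (1000 + i))
    for i in range(9):
        lines.append("2020-01-06 frontdesk1 G%04d" % (200 + i))
    return lines


def daily_distinct(lines):
    """Map user -> {day: number of distinct guest records read that day}."""
    seen = defaultdict(set)
    for line in lines:
        day, user, record = line.split()
        seen[(user, day)].add(record)
    per_user = defaultdict(dict)
    for (user, day), records in seen.items():
        per_user[user][day] = len(records)
    return per_user


def flag_bulk_access(lines, factor=5, floor=50, min_history=3):
    """Flag days where a user reads far more records than their own baseline."""
    alerts = []
    for user, days in daily_distinct(lines).items():
        history = []
        for day in sorted(days):
            count = days[day]
            if len(history) >= min_history:
                limit = max(floor, factor * median(history))
                if count > limit:
                    alerts.append((day, user, count))
                    continue  # keep the outlier out of the baseline
            history.append(count)
    return sorted(alerts)


if __name__ == "__main__":
    for alert in flag_bulk_access(build_sample()):
        print(alert)
```

A slow pull spread over weeks, like the month-long access described above, needs the same comparison over a longer window (weekly or monthly distinct counts) rather than a single day.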

EasyJet Data Breach

EasyJet, May 19, 2020 

People Impacted 

9 million+ customers 

What Happened 

While the attack on this European airline was discovered by the company in January, information about the attack was not disclosed to all impacted customers until May. This failure to protect data and delay in communication has landed them with intense criticism and a class-action lawsuit under the GDPR which could cost them up to £18 billion. While the company has yet to disclose how the attack was possible, email addresses, names, travel records, and credit card details including the three-digit CVV, were exposed.  

How it could have been prevented 

With the lack of detail around exactly what happened, it’s hard to say how the exploit itself could have been prevented. That being said, public perception and customer confidence are extremely important in order to rebound from a data breach. While financial damage may be inevitable in the case of a successful data breach, maintaining the reputation of your brand is still possible. In the case of EasyJet, while they informed the ICO as required under the GDPR, they failed to alert their customers until much later, therefore damaging their trust.

Stay Out of the Headlines! 

[Image: IBM Security Cost of a Data Breach Report 2020]

The IBM Security Cost of a Data Breach Report 2020 emphasizes the importance of having the appropriate data security measures fully deployed and automated, highlighting the increase in the cost of a data breach when these solutions have not been deployed.  

Learn more about how Stealthbits can help to automate a multitude of functions that contribute significantly to a strong security program, from security and configuration assessments, identification and remediation of access vulnerabilities, policy enforcement, privileged access activities, rollback and recovery of malicious changes, and threat detection and response.


© 2020 Stealthbits Technologies, Inc.
