The total number of breaches was up 33% over last year, according to research from Risk Based Security, with medical services, retailers and public entities most affected. That’s a whopping 5,183 data breaches for a total of 7.9 billion exposed records.

In November, the research firm called 2019 the “worst year on record” for breaches.

How much does an average data breach cost an organization? The tab can run up to $3.92 million after investigation expenses, damage control, repairs, lawsuits and fines. That’s up 12% over five years, with no signs of slowing.

What’s harder to quantify is how great a cost was borne by individual consumers worldwide this year – and how great a cost can be expected of all of us in 2020. Passport numbers, medical records, bank account details, social media credentials, Social Security numbers – breaches hit our most sensitive data in 2019, sending millions of people into frenzied lock-down.

While we’re all desperately tuning up our basic internet security practices and shopping for the best identity protection services, it seems fitting to take a moment to honor the worst of the worst in our 2019 Data Breach Hall of Shame.

Without further ado…

January

Marriott kicked off 2019 with a record-setting breach when the hotel group announced that hackers accessed the records – including some passport numbers and credit card information – of up to 383 million guests. That’s more than double the 147.7 million Americans impacted by the Equifax breach in 2017.

February

February was a brutal month for online security. In the most dramatic breach, more than 617 million accounts were culled from 16 websites and put up for sale on the dark web. Site owners Dubsmash, Armor Games, 500px, Whitepages and ShareThis all saw their users’ stolen data sold for less than $20,000 in Bitcoin. Meanwhile, a crop of smaller breaches offered a glimpse into the peculiar cruelty of medical breaches: An attacker held up to 15,000 Australian patients’ files for ransom, unauthorized email access exposed 326,000 Connecticut patients’ records, close to a million Washington patients’ information was left exposed in an open database, and 2.7 million calls to a national Swedish health line were recorded and left out in the open.

March

Hundreds of millions of Facebook and Instagram users saw a less-than-happy St. Patrick’s Day when their credentials were exposed by the social media company’s poor password storage management. By comparison, the exposure of 250,000 legal documents stored in an open database seems deceptively small.

April

Facebook again led the way in April, with 540 million records exposed after leaving users’ names, IDs and passwords out in the open on unprotected servers. The same month, Facebook admitted to storing millions of Instagram users’ passwords in dangerously insecure plaintext format. But let’s not let Facebook’s utter embarrassment overshadow another incredibly important breach that happened in April: 12.5 million medical records of pregnant women were exposed, thanks to a leaky server belonging to an Indian government healthcare agency.

May

Sure, the big headline from May was the hundreds of millions of insurance documents leaked by real estate giant First American Financial Corp. But the month also saw a couple of weird online food fights worthy of this Hall of Shame. Burger King left a leaky database online, exposing nearly 40,000 customers of its kids-focused KoolKing Shop. Meanwhile, two Bay Area school lunch companies’ heated rivalry turned into cyberwarfare when one’s CFO was arrested for hacking the other’s site and exposing student data.

June

At least 20 million patients had their data exposed when bill collector American Medical Collection Association was hacked. The damage? Multiple class-action lawsuits were filed against AMCA and its contracting clients over the breach of patients’ payment data, Social Security numbers, medical information, birth dates, phone numbers, addresses and more. The result? The medical debt collectors were in so much debt they filed for bankruptcy.

July

Oh, Capital One. It feels like a million years ago, doesn’t it? Hard to believe it was only about six months ago that the bank exposed 100 million credit card applications, 140,000 Social Security numbers and 80,000 bank account numbers – including such personal data as names, addresses, ZIP codes, phone numbers and birth dates. The breach left Capital One reeling and led to an FBI arrest of tech worker-turned-hacker Paige A. Thompson. Remarkably, the breach happened the same month Equifax settled with regulators for $700 million over its industry-shaking 2017 breach, and Facebook settled with the FTC for a record $5 billion following the Cambridge Analytica scandal.

August

Beyond price-spiking tickets and auto-subscribing customers, MoviePass users got more bad news in August when an investigation discovered that 160 million MoviePass records were left unencrypted in a company database without password protection, leaving customer credit card data out in the open. Meanwhile, in the UK, a massive leak exposed 27.8 million biometric staff records held by the Metropolitan Police, banks and enterprise companies.

The biggest heartbreak, though? Dating apps Grindr, Romeo, 3Fun and Recon all got nailed for security flaws that leaked their users’ locations and other sensitive data.

September

More than 218 million Words with Friends player accounts were affected – including players’ email addresses, names, login IDs and more – when a hacker got into one of the game’s databases and targeted users who’d installed the game app prior to a crucial update. While those affected were fewer in number, a potentially more dangerous breach occurred in September when an open, misconfigured government database leaked 20.8 million Ecuadorian user records – that’s in a country whose official population is about 17.5 million – including birth data, marital status and national ID numbers, as well as full home addresses, children’s information, phone numbers and education records.

October

A show-stopping 4 billion social media profile records were exposed to the public on an unsecured Elasticsearch server, for a mind-blowing total of 1.2 billion unique people exposed, with the data originating from two data enrichment companies. That’s one of the largest single-source exposures we’ve ever seen. Adobe left 7.5 million Creative Cloud customer records on an unsecured database. Meanwhile in the Motherland, over 20 million Russian citizen tax records were left sitting on an open database for anyone to see, showcasing information collected from 2009 to 2016.

November

In November’s laundry list of leaks, hacks, breaches and exposures, a couple of tech employee incidents stand out. Facebook was back in the headlines after about 100 app developers were given inappropriate access to profile data. A previous breach also came to light this month: a rogue employee at cybersecurity firm Trend Micro stole the personal data of about 70,000 of the firm’s customers and later used it to scam them.

December

Some 100 women who were the victims of an explicit photo leak were expecting a present on Christmas Eve when the offending leaker, a former Dutch politician, stood for sentencing. Prosecutors have asked the judge to hand down at least three years of hard time after the disgraced Nederlander was found to have hacked the women’s personal iCloud accounts with credentials found in earlier public database breaches.

Data breaches are scary. Scariest of all is that they can come at any time. Hackers take advantage of loopholes in institutions’ servers and security protections to steal your most personal and sensitive information – credit and debit card numbers, Social Security data, your birth date and maybe even where you live. If you want to learn more about how you can be proactive in keeping your information secure, contact Datum Consulting to learn how we help organizations protect critical assets.
