Biggest data breaches of 2019: Same mistakes, different year
We never want to hear the words "unsecured database" ever again.
The biggest recurrent motif among the major data breaches of 2019 wasn’t the black-hooded hacker in a dark room, digging into a screen full of green text. It was a faceless set of executives and security professionals under the fluorescent lights of an office somewhere, frantically dialing their attorneys and drafting public relations apologies after leaving the front doors of their servers unlocked in public.
The words “unsecured database” seemed to run on repeat through security journalism in 2019. Every month, another company was asking its customers to change their passwords and report any damage. Cloud-based storage companies like Amazon Web Services and Elasticsearch repeatedly saw their names surface in stories of negligent companies — in the fields of health care, hospitality, government and elsewhere — which left sensitive customer data unprotected in the open wilds of the internet, to be bought and sold by hackers who barely had to lift a finger to find it.
And it’s not just manic media coverage. The total number of breaches was up 33% over last year, according to research from Risk Based Security, with medical services, retailers and public entities most affected. That’s a whopping 5,183 data breaches for a total of 7.9 billion exposed records.
In November, the research firm called 2019 the “worst year on record” for breaches.
How much does an average data breach cost an organization? According to IBM’s latest numbers, the tab can run up to $3.92 million after investigation expenses, damage control, repairs, lawsuits and fines. That’s up 12% over five years, with no signs of slowing.
What’s harder to quantify is how great a cost was borne by individual consumers worldwide this year — and how great a cost can be expected of all of us in 2020. Passport numbers, medical records, bank account details, social media credentials, Social Security numbers — breaches hit our most sensitive data in 2019, sending millions of people into frenzied lock-down.
Calculating the hours and dollars spent by people trying to recover from the shameful negligence of some of these companies would be nearly impossible. Predicting future costs would be almost unimaginable. Some would say that in the face of this rising tide of breaches, the onus is on each of us to keep a watchful eye on our own data. The truth is, until a suite of industry-shaping federal reforms and regulations slap some accountability into US data brokerages and communications companies while miraculously rolling back government mass-surveillance programs, keeping one’s data trail clean is about as likely to save you from being part of a mega-breach as recycling your coffee cup is to stop climate change.
But while we’re all desperately tuning up our basic internet security practices and shopping for the best identity protection services, it seems fitting then to take a moment to honor the worst of the worst in our 2019 Data Breach Hall of Shame.
Without further ado…
January
Marriott kicked off 2019 with a record-setting breach when the hotel group announced that hackers accessed the records — including some passport numbers and credit card information — of up to 383 million guests. That’s more than double the 147.7 million Americans impacted by the Equifax breach. If that didn’t raise your eyebrows high enough, researcher Troy Hunt found 773 million user email addresses (along with a mega-trove of other data) in a cloud-service file collection.
February
February was a brutal month for online security. In the most dramatic breach, more than 617 million accounts were culled from 16 websites and put up for sale on the dark web. Site owners Dubsmash, Armor Games, 500px, Whitepages and ShareThis all saw their users’ stolen data sold for less than $20,000 in Bitcoin. Meanwhile, a crop of smaller breaches offered a glimpse into the peculiar cruelty of medical breaches: An attacker held up to 15,000 Australian patients’ files for ransom, unauthorized email access exposed 326,000 Connecticut patients’ records, close to a million Washington patients’ information was left exposed in an open database, and 2.7 million calls to a national Swedish health line were recorded and left out in the open.
March
Hundreds of millions of Facebook and Instagram users saw a less-than-happy St. Patrick’s Day when their credentials were exposed by the social media company’s poor password storage management. By comparison, the exposure of 250,000 legal documents stored in an open database seems deceptively small.
April
Facebook again led the way in April, with 540 million records exposed after leaving users’ names, IDs and passwords out in the open on unprotected servers. The same month, Facebook admitted to storing millions of Instagram users’ passwords in dangerously insecure plaintext format. But let’s not let Facebook’s utter embarrassment overshadow another incredibly important breach that happened in April: 12.5 million medical records of pregnant women were exposed, thanks to a leaky server belonging to an Indian government healthcare agency.
May
Sure, the big headline from May was the hundreds of millions of insurance documents leaked by real estate giant First American Financial Corp. But the month also saw a couple of weird online food fights worthy of this Hall of Shame. Burger King left a database exposed, revealing the records of nearly 40,000 customers of its online, kids-focused KoolKing Shop. Meanwhile, two Bay Area school lunch companies’ heated rivalry turned into cyberwarfare when one’s CFO got arrested for hacking the other’s site and exposing student data.
June
At least 20 million patients had their data exposed when…