Online PrivacyOnline Security

2019’s Worst Data Breaches: Lessons Learned

Story Highlights

  • Is Your Data Safe?
  • The biggest data breaches of 2019 so far
  • How to prevent data breaches
  • Strong passwords, encryption among possible solutions
  • The wrap-up

The IT industry is progressing at an exponential rate. The sad thing is, the advancing technology leads to an increase in the number and complexity of data breaches. These attacks are an unfortunate reality, and the year 2019 witnessed plenty of them.

According to the 2019 MidYear QuickView Data Breach Report, 3,800 publicly disclosed breaches took place in the first six months of 2019. The research, published by Risk Based Security, shows that these hacks exposed more than 4.1 billion records. Eight of these attacks compromised 3.2 billion files alone.

Yes, you might be the rare person who creates unique passwords and updates your software regularly. And you might also extensively use antivirus solutions and follow the latest practices in digital security.

But despite all of that, you are still vulnerable to data breaches. It is not you, but the entire digital landscape of the world that is problematic.


Content Overview


How Compromised Is Your Data?

Despite the security measures you take, your data will always be at risk. Social media platforms, banks, and ISPs are just some of the organizations that monitor or collect your sensitive information. Billions of people have experienced the leakage of their personal records due to massive database hacks.

“Compared to the midyear of 2018, the number of reported breaches was up 54% and the number of exposed records was up 52%.

Risk Based Security

Major 2019 Data Breaches

2019 looks set to become the worst year when it comes to data breaches. Below, you’ll find the worst ones that happened this year and the lessons that we can learn from them. 

Blur

The password management company Blur announced the first significant breach of 2019. The company’s unsecured server exposed a file containing 2.4 million user names, password hints, email addresses, encrypted passwords, and IP addresses.

Following the breach, Blur urged users to change their login credentials and enable two-factor authentication.


Town of Salem

The “Town of Salem” video game hack compromised the data of 7.6 million gamer after the company’s server was attacked. BlankMediaGames (BMG), the owner of the video game, announced that the hack revealed usernames, email addresses, game and forum activity, IP addresses, and purchased game features.


DiscountMugs.com

Online retailer company DiscountMugs.com announced details about its major data breach in the first half of 2019. A malicious card skimming code infiltrated its payment website and reportedly stole sensitive information for four months in the latter half of 2018.

That included card details, names, phone numbers, addresses, postal codes, and email addresses.


BenefitMall

An email phishing attack on payroll, HR, and employer service provider BenefitMall compromised employee login credentials in 2019. The exact number of stolen records has not been revealed yet. 

The emails reportedly leaked customer names, social security and bank account numbers, dates of birth, and information on insurance premium payments. 


Managed Health Services (MHS) of Indiana

A phishing attack on MHS Indiana reportedly leaked the personal health information of more than 31,000 patients in early 2019. Cybercriminals stole information like names, insurance ID numbers, medical conditions, and addresses.


Earl Enterprises

The parent company of Buca di Beppo restaurants, Earl Enterprises, announced a ten-month-long data hack that compromised payment information of their customers. The malware that caused the attack revealed credit card numbers and card-holder names.


BlackRock Inc.

The world’s largest asset manager, BlackRock Inc., reported that a security flaw in their company led to the release of 20,000 financial advisers’ personal information. The personal data included names, emails, and assets managed by the advisers.


Online Betting Sites

Three online betting sites copied 108 million records to Elasticsearch cloud storage earlier this year without securing them. This led to the leakage of users’ names, phone numbers, addresses, IP addresses, account balances, games played, and win-loss information.


Rubrik

Another major security breach that shook the IT sector was the Rubrik database leak. An Amazon Elasticsearch server with inadequate cyber protection was easily hacked. The attackers got their hands on some valuable customer information like names, contact information, and corporate account data.


Dunkin’ Donuts

Hackers used credential stuffing attacks to breach data that affected Dunkin’ Donuts rewards members. The company revealed its data breach for the second time in three months. According to widespread reports, hackers are selling the consumer data to the Dark Web for profits.


DowJones

The DowJones watchlist leak in 2019 included 2,418,862 identity records on government officials and politicians from every country in the world. It includes publicly available information on prominent individuals.


Facebook

Facebook publicly admitted that it improperly stored passwords of 600 million users since 2012. The company kept them in plain text, and over 20,000 employees had access to them.

Another Facebook hack this year exposed 540 million records, including account names, user activity, and Facebook ID because of a security flaw in its third-party application Cultura Colectiva. A similar incident involving the app At the Pool disclosed passwords along with photos, groups, events, and check-ins.


Federal Emergency Management Agency (FEMA)

A FEMA privacy incident reportedly exposed the personal information of over 2.5 million disaster victims. These individuals sought shelter assistance after hurricanes Maria and Irma, and the California wildfires. The leaked files included data such as names, addresses, and bank account information.


Microsoft Email Services

Microsoft admitted to a data breach of its non-corporate email services. The attack took place between January and March 2019 and allowed hackers to access email accounts with ease.


Docker Hub

Cloud-based service provider Docker Hub suffered from a significant data breach this year. Information concerning 190,000 account holders was stolen, including usernames, tokens, and hashed passwords.


AMC Networks

An attack on AMC‘s database made it accessible to the public. As a result, the personal information of over 1.6 million subscribers was exposed. The breach included email addresses, names, last four credit card digits, and subscription plans. 


WhatsApp

NSO Group, an Israeli government surveillance agency, infected WhatsApp with spyware. It allowed the attackers to spy on users through their phones’ cameras and microphones, as well as WhatsApp messages and connected apps.


Instagram

Instagram saw a colossal security scandal in 2019 when the contact information of over 49 million brands, celebrities, and influencers was exposed. An Indian social media marketing company did not secure the data on the Amazon Web Services database, thus leading to the security leak.

The data included the bio, location, profile photo, verification, email address, and phone number of victims.


Canva

Popular online design tool Canva also came under attack this year. The hack compromised usernames, email addresses, and real names of 139 million users. Therefore, the company had no choice but to urge its clients to change their passwords.


Ascension

The data breach of data and analytics company Ascension exposed 24 million mortgage and bank loan documents from major American lenders. An unsecured online server with no password protection caused the hack.

The attackers were able to access info like names, addresses, social security numbers, mortgages, loan agreements, and amortization schedules.


Coinmama

Crypto brokerage Coinmama reported a data breach affecting 450,000 of its users. The leak included email addresses and hashed passwords. The company immediately notified users and advised them to reset their passwords upon login. 


The US Customs and Border Protection

On its way to becoming the worst year for data breaches, 2019 saw the data breach affecting the US Customs and Border Protection. About 100,000 people’s faces and license plates were compromised. The stolen data was leaked to the Dark Web.


Coffee Meets Bagel

Six million users of the dating app Coffee Meets Bagel were victims of a data breach that exposed their names, email addresses. The company informed customers of the attack via email sent on Valentine’s Day. It also called on them to stop revealing personal information through the app.


Evernote

Evernote’s Web Clipper Chrome extension was also on the receiving end of a cyber attack. Hackers had access to online data of 4.6 million users and got their hands on financials, authentication, and private communications. The company fixed the problem, but the extent and severity of the breach remain unknown.


American Medical Collection Agency

The American Medical Collection Agency breach has to be one of the most concerning corporate attack of 2019.

The massive health-care-related debt collector discovered malicious software infesting their online security from August 2018 to March 2019. The breach led to the exposure of 12 million records, including names, dates of birth, addresses, phone numbers, and dates of medical services.


First American

The real estate and title insurance firm First American’s data security incident is proof that not all security incidents are breaches.

The sensitive financial records of 885 million customers were available on the company’s website. However, it is still unknown if anyone stole this information and used it for cybercrime. The records included driver’s license images, bank account numbers, Social Security numbers, tax documents, and mortgage papers.


Lessons Learned From 2019 Data Breaches

Several takeaways can help make the rest of 2019 better when it comes to data security. Businesses must improve data protection practices and bring their security act in place.

According to Forbes, 67% of the reported breaches and 84.6% of the exposed records are from the business sector. It is clear for everyone that it falls behind when it comes to deploying safe data security practices.

Therefore, companies must get the basics right before moving on to extensive AI-driven and blockchain-enabled product promises.

Turn to Strong Passwords.

The data breach of Ascension is a clear example of how organizations are neglecting the basics of data privacy and protection.  

A strong password is the first and minimum line of defense against cyber threats. And if you get it wrong, there is always room for error. All companies must understand the importance of using robust and unique passwords for each account or server.


Make Disposable Email Addresses.

If there’s a lesson to learn from the data breach of Coffee Meets Bagel, it’s that companies must introduce disposable emails. Users who have multiple applications on their device would benefit a lot from this feature.

That’s because using a disposable email for dating and gaming apps, for example, would reduce the possibility of hacking attempts. Moreover, consumers should avoid using their work email addresses for personal accounts.


Invest in Vulnerability Scanning

Coinmama’s data breach of 2019 gives a different perspective on securing critical user data. The company’s systems had untracked vulnerabilities, which later caused a significant security breach and massive repercussions.   

To avoid a similar fate to Coinmama, companies should extensively implement vulnerability scanning solutions and release patches of their websites and systems regularly. They should also provide users with tips on how to recognize and avoid suspicious emails.


Adopt End-to-end Encryption

The Earl Enterprise data breach highlights the importance of end-to-end encryption. Financial and payment companies should encrypt user data during the entire transaction. If Earl Enterprise had done so earlier, all the information in its point-of-sale systems would have been safe.


Invest in Security Awareness Training

Another necessary data protection process that most companies ignore is security awareness training. All breach patterns show that insider actions, both malicious and unintentional, lead to the exposure of sensitive records year after year.

According to the Egress Insider Data Breach Survey:

  • 60% of 4,856 personal data breaches reported in the first half of 2019 were a result of human error.
  • 43% of the data breaches happened due to incorrect disclosure.
  • 20% of attacks were successful because of faxing or sending data to the wrong recipient.

Organizations generally fixate on external threats, often forgetting that human error and internal risks are all too common. Of course, not all insider breaches are the result of reckless employees and blunders.

But the point is that corporations must invest in technology that works alongside the user to mitigate the threat coming from the inside. Apart from that, companies must invest time, effort, and money in security awareness training.

It is the ideal way to inform workers about the effects of negligence on the organization.

Prevent-data-breach

Conclusion

In conclusion, data breaches can happen to any company at any time. With the advent of technology, attacks are getting more advanced by the day.

The data breaches of 2019 show that the number of malicious attacks is increasing exponentially. Therefore, it is crucial to understand how each breach occurred, and how to protect the company from similar incidents in the days to come.

Do you know another data breach that occurred this year? Share your thoughts with us in the comment box below.

Show More

Ralph Peterson

Ralph was bitten by the tech bug from an early age. Today, he is a cybersecurity geek who is obsessed with online privacy. Peterson is also a hardcore streamer of the latest TV shows and sports tournaments. We constantly hear him shouting at his screen whenever there's a live Premier League match (or a bad ending to a TV series like GoT).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Articles

Back to top button