It’s fair to say that 2020 is a year that we won’t forget in a hurry. The Coronavirus pandemic has completely transformed our lives and created an ideal environment for cyber attacks and security breaches.
Any hopes that cyber attacks would have taken a back seat during the crisis have been dashed, and it’s become increasingly apparent that cybercriminals will continue to exploit the pandemic for financial gain.
Data is a valuable commodity and cybercriminals are keen to capitalise on it to make money and commit fraud. According to the 2020 Verizon Data Breach Investigations Report, 86% of this year’s breaches were financially motivated, up 15% from 2019.
This year is by no means over yet, so we can expect to see more cyber attacks and data breaches in the weeks and months to come. Below are five of the most prominent security breaches to have hit the headlines in 2020.
Top 5 Security Breaches
1. Marriott
In March 2020, leading hotel chain Marriott announced that they had suffered a serious security breach that exposed the data of more than 5.2 million guests. By using the login credentials of two employees who had access to the company’s loyalty scheme, hackers were able to steal the data from a third-party app. The personal information included names, addresses, email addresses, phone numbers, loyalty account information, company, gender, birth dates, linked airline loyalty programs and numbers, and guest preferences.
The company was quick to state that no payment card information, passport information, national IDs, or driver’s license numbers were exposed in the breach; however, investigations into the incident are still underway.
This is the second time that Marriott has been breached within two years. In November 2018, hackers exposed the personal data of up to 500 million guests. The ICO has since fined the company $124 million due to system security shortfalls. The latest breach is likely to cause further reputational damage and undermine consumer confidence in the hotel chain.
2. EasyJet
In May 2020, EasyJet revealed that it had been the target of a highly sophisticated cyber attack. The airline confirmed that the email addresses and travel details of approximately nine million customers were accessed and that 2,208 of these customers had their credit card details and CVV security codes exposed. The company initially claimed that there was no evidence that the compromised customer data had been misused, but information obtained from Action Fraud suggests that as of May 2020, there were 51 reports of fraudulent activity made in relation to the EasyJet breach.
Despite the attack taking place in January, it took four months for the airline to publicly disclose the breach. Under the GDPR, organisations are legally bound to report a data breach within 72 hours of detection. EasyJet claimed the delay in reporting was due to the sophisticated nature of the attack and the time taken to identify who had been affected and what data had been accessed.
It’s likely the company will face significant fines for the breach; however, in light of the Covid-19 pandemic, the ICO has stated that it would take an ‘empathetic and proportionate’ approach to assessing reported incidents. This has led some to speculate that the airline will receive a lighter fine because of the mounting pressure the aviation industry is currently under.
3. MGM Resorts
In July 2019, MGM Resorts suffered a massive security breach after a hacker gained access to one of the hotel’s cloud servers. News of the breach only came to light in February 2020, when hackers leaked the personal details of 10.6 million hotel guests on the dark web. The data included names, home addresses, phone numbers, emails, and dates of birth of former hotel guests. High-profile guests affected by the breach included Justin Bieber, Twitter CEO Jack Dorsey, and many government agency officials.
It has since emerged that the data leak was much bigger than initially reported, with the personal details of over 142 million guests being sold for $2,900 on an online cybercrime marketplace. The company has confirmed that it has notified affected guests and is confident that no financial, payment card or password data was involved in the breach.
4. Nintendo
In April 2020, Nintendo announced that 160,000 accounts had been breached in a suspected credential stuffing attack. Using previously exposed user IDs and passwords, hackers were able to gain access to user accounts, enabling them to purchase digital items using stored cards and view sensitive data including name, email address, date of birth, gender and country.
The gaming giant has been investigating the breach and has since announced that it believes a further 140,000 accounts were compromised in the attack, bringing the total number of hacked accounts to 300,000. The company has reset the passwords for all affected customers and urged users not to reuse the same password across multiple accounts and services.
5. Zoom
At the start of April, when employees were settling into their new working-from-home environment, it emerged that virtual meeting app Zoom had suffered a humiliating security breach that exposed the login credentials of over 500,000 users.
In yet another credential stuffing attack, hackers appear to have gained access to the accounts by using username and password combinations obtained in previous data breaches. The information was then sold on dark web hacker forums for as little as 1p.
Compromised data included login credentials, email addresses, personal meeting URLs, and Host Keys. This enabled criminals to log in and join meetings or use the harvested information for other malicious purposes.
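The Nintendo and Zoom incidents above share one mechanism: credential stuffing, where username and password pairs leaked from earlier breaches are replayed against a different service. The signature a defender can look for is a single source that tries many different accounts in a short window and mostly fails, because most of the leaked passwords no longer work. The script below is an added example written for this article; it is not code from Nintendo, Zoom or the original post. It runs over a constructed authentication log (the log format, IP addresses and usernames are all made up for illustration), flags sources that match that pattern, and lists the accounts that did succeed from a flagged source, which are the ones to force a password reset on, as Nintendo did.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from Nintendo, Zoom or any real
# system). One legitimate user (erin) mistypes once and then logs in;
# 203.0.113.7 tries eight different accounts in a few seconds and gets into two
# of them with reused passwords.
SAMPLE_LOG = """\
2020-04-20T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2020-04-20T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2020-04-20T10:00:03Z ip=203.0.113.7 user=carol result=OK
2020-04-20T10:00:04Z ip=203.0.113.7 user=dave result=OK
2020-04-20T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2020-04-20T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2020-04-20T10:00:07Z ip=203.0.113.7 user=grace result=FAIL
2020-04-20T10:00:08Z ip=203.0.113.7 user=heidi result=FAIL
2020-04-20T10:01:10Z ip=198.51.100.23 user=erin result=FAIL
2020-04-20T10:01:25Z ip=198.51.100.23 user=erin result=OK
2020-04-20T10:02:00Z ip=192.0.2.50 user=ivan result=OK
"""

# Hypothetical log format: ISO timestamp, source IP, account name, OK/FAIL.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, succeeded), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "OK"


def window_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts - timedelta(minutes=ts.minute % window_minutes,
                          seconds=ts.second, microseconds=ts.microsecond)


def detect_credential_stuffing(log_text, window_minutes=10,
                               min_distinct_users=5, min_failure_ratio=0.5):
    """Flag source IPs that, inside one window, hit many distinct accounts and mostly fail.

    A user who fumbles a password fails repeatedly on ONE account; a stuffing run
    fails across MANY accounts. Accounts that did succeed from a flagged source are
    returned so their passwords can be reset and the owners notified.
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "succeeded": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        ts, ip, user, ok = parsed
        s = stats[(ip, window_start(ts, window_minutes))]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["succeeded"].add(user)
        else:
            s["failures"] += 1

    findings = []
    for (ip, start), s in sorted(stats.items()):
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            findings.append({
                "ip": ip,
                "window_start": start.isoformat(),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "distinct_users": len(s["users"]),
                "accounts_to_reset": sorted(s["succeeded"]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_LOG):
        print(finding)
```

On the sample log only 203.0.113.7 is flagged (eight accounts, six failures), and the two accounts it got into, carol and dave, come back as the reset list; erin's single mistyped password from her own address stays below both thresholds. The thresholds are deliberately simple; in practice a stuffing run is spread over many source addresses, so the same counting is usually repeated per /24 or per ASN, and a step-up challenge or rate limit is applied before any alert is raised.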