Data breaches in 2020 continued to hit the headlines and cause crippling consequences for organisations around the world. Since the start of the year, the Covid-19 pandemic completely transformed our lives and created an ideal environment for cyber attacks and security breaches.
In 2020 so far, there have been as many as 726 million cyber attacks, exposing an eye-watering 16 billion records. Whilst many industries came under attack, security researchers found the healthcare sector was particularly vulnerable and accounted for 12.3% of reported data breaches in 2020.
Sensitive information is a valuable commodity and cybercriminals are keen to cash in on exposing vulnerabilities to make money and commit fraudulent activities. According to the 2020 Verizon Data Breach investigations report, 86% of this year’s data breaches were driven by financial gain, up 15% from 2019.
Below are 5 examples of some of the most prominent security breaches of 2020.
The Top 5 Security Breaches of 2020
In March 2020, hotel chain Marriott announced that they had suffered a serious security incident that compromised the data of more than 5.2 million guests. By using the login credentials of two employees, hackers were able to steal sensitive information from a third-party app. The personal information included names, addresses, email addresses, phone numbers, loyalty account information, company, gender, birth dates, linked airline loyalty programs and numbers, and guest preferences.
The company stated that no payment information, passport information, national IDs, or driver’s license numbers were exposed in the data breach.
This is the second time that Marriott has suffered a data breach within two years. In November 2018, hackers exposed the personal data of up to 500 million guests. The ICO has since fined the company $124 million due to system security shortfalls. The latest breach is likely to cause further damage and undermine consumer confidence in the hotel chain.
In May 2020, EasyJet revealed it had been the target of a cyber attack that exposed the email addresses and travel details of nine million customers. The airline also confirmed that 2,208 customers had their credit card details and CVV security codes accessed.
Initially, Easyjet claimed that there was no evidence the compromised customer data has been misused. However, information obtained from Action Fraud suggests that there were reports of fraudulent activity and identity theft as a result of the EasyJet breach.
Despite the attack taking place in January, it took four months for the airline to publicly disclose the data breach. Under the GDPR, organisations are legally bound to report a data breach within 72 hours of detection. EasyJet claimed the lag in reporting time was due to the sophisticated nature of the attack.
It’s likely the company will face significant fines for the data breach. However, in light of the Covid-19 pandemic, the ICO has stated that it would take an ’empathetic and proportionate’ approach to assess reported incidents. This has led to speculation that the airline will receive a lighter fine due to the mounting pressures that the aviation industry is currently under.
3. MGM Resorts
In July 2019, MGM Resorts suffered a massive security breach after a hacker gained access to one of the hotel’s cloud servers. News of the data breach was revealed in February 2020 when hackers leaked the personal details of 10.6 million hotel guests on the dark web. The records exposed included names, home addresses, phone numbers, emails, and dates of birth of former hotel guests. High profile guests affected by the breach included Justin Bieber, Twitter CEO Jack Dorsey, and many government agency officials.
It has since emerged that the data leak was much bigger than initially reported. The personal details of over 142 million guests have appeared for $2,900 on an online cybercrime marketplace. The company has confirmed that they have notified affected guests and are confident that no financial, payment card or password data was involved in the breach.
In April 2020, Nintendo announced a data breach of 160,000 accounts. The security incident was the result of a suspected credential stuffing attack. Using ID numbers and passwords from a previous cyber attack, hackers were able to gain access to user accounts. This then allowed them to purchase digital items and view sensitive data including name, email address, date of birth date, gender and country.
The gaming giant has since announced that a further 140,000 accounts were compromised in the attack, bringing the total number of hacked accounts to 300,000. The company has reset the passwords for all affected customers and urged users not to use the same password across multiple accounts and services.
In April, it emerged that virtual meeting app Zoom had suffered a data breach that exposed the login credentials of over 500,000 users.
In yet another credential stuffing attack, hackers appear to have gained access to the accounts by using username and password combinations obtained in previous data breaches. The information appeared for sale on dark web hacking forums for as little as 1p.
Compromised data included login credentials, email addresses, personal meeting URLs, and Host Keys. This enabled criminals to log in and join meetings or use the harvested information for other malicious purposes.