According to Risk Based Security’s report, almost 8 billion records were exposed in the first nine months of 2019. There were more than 5,000 data breaches during that time, which is 33% higher as compared to last year. Six out of those 5000 breaches exposed 100 million records. This made 2019 one of the worst years as far as cybersecurity is concerned.
If that trend continues, 2020 could be even worse for businesses. If businesses want to turn things around and make 2020 as their best year as far as cybersecurity is concerned, then they should learn from their mistakes in 2019 and improve their cybersecurity.
In this article, you will learn about seven key takeaways from some of the biggest data breaches in 2019, which would help you stay safe in 2020.
Here are seven key takeaways from data breaches in 2019.
Verifications.io, an email verification service provider, left their MongoDB database with more than 808 million records exposed. This means that anyone with an internet connection can access their database. The records include personal information such as email addresses, date of birth, phone numbers and physical addresses of employees. Some records even contained information about IP addresses and business leads. This clearly shows that organizations that are storing and using large amounts of user data are a prime target for hackers.
As more and more business migrates to the cloud, we will see the cloud will become the next target for cyber attackers. Add to that the increased risks of insider threat and you will start to think twice before migrating to the cloud. This was evident when sensitive data of more than 100 million US citizens and 6 million Canadian citizens were accessed by an employer of AWS. The data belongs to people who have applied for a Capital One credit card. What’s even worse is the fact that the data also contains social security numbers and bank account details of secured credit card customer of Capital One.
A misconfigured firewall might be the main reason behind it as it enabled attackers to execute privileged commands to access the cloud server, which was hosting the data. Although, this might not have happened if your data was stored on the best dedicated servers inside your premises, which is why some businesses are still reluctant to migrate all their data to the cloud.
Back in June 2019, American Medical Collection fell victim to a massive data breach when they were collecting overdue payments from two of their biggest customers. They realized that some unauthorized users are trying to access sensitive data of millions of patients. More than 20 million records were compromised (11.9 million belong to Quest Diagnostics and 7.7 million belong to LabCorp). After the breach, many customers sued the AMCA and they had to file for bankruptcy protection.
This is the best example for companies who are unaware of third-party risks. It brings to light the fact that your business partners, stakeholders, vendors and third parties you are interacting with should all follow cybersecurity best practices otherwise, you will have to pay the price for someone else mistakes. Irrespective of how good your cybersecurity defenses are, if your third-party vendors don’t have the right security postures, your data is always at risk.
This one is for those who take internal threats lightly. An insider at Federal Emergency Management Agency shared personal details of more than 2.3 million survivors of Hurricane Harvey, Irma and Maria and California Wildfire with a third-party contractor. FEMA was only required to share name, date of birth and last four digits of social security number so the contractors can easily verify the eligible candidates for disaster relief, but they ended up sharing physical addresses and even banking details of those survivors. Due to the oversharing of information, the risk of identity theft and fraud increased drastically.
Earl Enterprises, a parent company of multiple restaurants such as Planet Hollywood, Buca di Beppo and Earl of Sandwich was attacked by unknown malware. The hackers were able to steal more than 2 million payment card numbers from customers. The worst part, the data breach was underway for ten months from May 2018 till March 2019 and no one knew about it.
This clearly shows that complying with PCI-DSS is not enough to protect you against data breaches. Such data breaches usually take advantage of back end systems that are responsible for handling payment processing. This happens when your back-end server responsible for handling credit payments is used for other unintended purposes.
Cybercriminals love to target web applications because they are vulnerable and can easily be compromised. The latest victim being Macy’s website which was hacked in October 2019. Data related to people shopping on Macy’s website such as name, address, payment card details, phone numbers were compromised. A group of Magecart attackers were successful in injecting malicious card skimming code on the checkout pages and were able to get their hands on financial and sensitive personal data of users.
Keeping this in view, online retailers should beef up their cybersecurity and fix all the loopholes in web applications. Many hackers implement tactics such as SQL injections, cross-site scripting, session management, and broken authentication and you should protect your web application against these attacks. Research conducted Positive Technology on web app security paints a gloomy picture. According to the study, 33% of web applications have extremely poor security and the number of critical flaws in web applications almost tripled as compared to last year. It also showed that 63% of attacks on E-commerce businesses targeted web services.
Hackers belonging to Advanced Persistent Threat (APT) group used a combination of techniques such as phishing emails, penetration testing tools and legitimate red team to compromise more than 100 systems at Wipro. Wipro is one of the largest outsourcing firms in India. Cybercriminals did not stop there. They installed trojans, which gave them remote access to these systems and used advanced tools to get access to a dozen of Wipro’s customers’ systems.
With several Fortune 500 customers under its belt and the ability to provide access to other companies, it made them a lucrative target. Hackers knew that if they successfully intrude into their systems, they can also access data of other companies as well without having to target those companies directly with cyber-attacks.
Which cybersecurity lesson did you learn from data breaches in 2019? Let us know in the comments section below.