2020 has been a roller coaster of a year for many industries, and data security is no exception. Coronavirus radically changed the way we live and shop, forcing businesses to shift quickly to a digital model. This pivot to e-commerce also opened the door for hackers to take advantage of vulnerable businesses during a difficult time.
In 2019, the estimated number of private records breached was 164 million. Will data breaches in 2020 outpace this number? For now, it’s too early to tell, but it’s certainly possible. We’re only halfway through the year, and millions of records from a variety of industries have already been exposed.
From government entities to Fortune 500 corporations, here’s our roundup of the major data breaches of 2020 so far.
Clearview AI
Records breached: Unknown
This massive data breach sounds more like a futuristic nightmare than real life. But sure enough, facial recognition company Clearview AI was hit by hackers in early 2020.
Clearview AI creates facial recognition software that enables organizations such as the FBI, Department of Homeland Security and ICE to track individuals using over 3 billion photos stored in the Clearview database. Not only did hackers obtain billions of photos used to identify people, they also gained access to Clearview’s client list — for better or worse.
While Clearview AI claimed only to serve law enforcement purposes, the tech company’s controversial client list included corporations such as Macy’s, Best Buy, Walmart and more, revealing that retailers are dabbling in using facial recognition for commercial purposes. The Clearview AI data breach stirred up controversy about personal privacy and showed that the dangers of facial recognition may outweigh the benefits.
Marriott
Records breached: 5.2 million
This year’s breach is Marriott’s second in just two years. The leaked data included Marriott guests’ personal information, such as names, phone numbers, loyalty account numbers and birthdates. As of now, Marriott says that no payment information was breached.
The source of the leak: log-in credentials stolen by hackers from two employees. The 2020 Marriott cyberattack exemplifies the importance of training employees on cybersecurity best practices, including strong passwords and how to spot phishing messages.
Honda
Records breached: Unknown
In June 2020, Honda announced on Twitter that it was unable to accept Customer and Financial Service requests due to “technical difficulties.” As it turns out, it wasn’t just customer-facing services that went down. Honda’s production around the globe came to a halt when hackers attacked its internal systems.
Last year, security researchers discovered an exposed Elasticsearch database with over 40GB of data relating to Honda’s internal systems and devices. Opportunistic cyberthieves likely used this information to deploy Snake ransomware in Honda’s systems, which would effectively shut down Honda’s network until the company pays the ransom or defeats the malware.
Nintendo
Records breached: 300,000
In April 2020, beloved gaming giant Nintendo announced that customers’ Nintendo Network ID accounts had been stolen by hackers.
These accounts belonged to gaming consoles that are now defunct — the Nintendo 3DS and the Wii U — reducing the level of damage that would have been possible in a large-scale attack on the latest console, the Nintendo Switch. Still, some members’ stolen accounts were used to purchase items from the My Nintendo Store and eShop using stored card numbers and PayPal log-ins. This suggests that cyberthieves likely used credential stuffing, cracked weak passwords or gathered them through phishing.
Virgin Media
Records breached: 900,000
For ten months, Virgin Media mistakenly left a database of 900,000 users online and unsecured. In this time, the database was accessed at least once by an unknown party. The database included phone numbers, home addresses and emails, which were used for the company’s marketing efforts. No passwords or financial details were left exposed.
According to Virgin Media, the exposure occurred due to misconfiguration by an employee who was not following proper security practices. Once again, the Virgin Media data breach proves the importance of regular employee training and appropriate access controls in data security.
Unknown Entity (thought to be the US Census Bureau)
Records breached: 200 million
As demonstrated by the hacking of the Democratic National Committee in 2016, government data breaches are all too common in the United States — and they’re not slowing down. In 2020, security analysts at CyberNews uncovered an unprotected database with over 800GB of private data believed to belong to the US Census Bureau, including detailed records on over 200 million United States citizens.
CyberNews believed this data belonged to the US Census Bureau due to the presence of certain codes the bureau uses to classify information. The exposed data included full names and titles of individuals, their email addresses, phone numbers, birthdates, credit scores, home addresses, demographics, number and gender of children and detailed mortgage and tax records.
While it is not known whether the data was accessed by malicious parties, this type of unprotected information would be a treasure trove for both foreign parties and run-of-the-mill identity thieves.
Is Your Organization Safe from Data Theft?
One of the best ways to secure your data is by making sure clear-text information never traverses your system. Bluefin’s PCI-validated point-to-point encryption (P2PE) and tokenization solutions are designed to do just that.