The biggest hacks and data breaches of the past year
Facebook's been hacked
It has recently emerged that personal details from more than 530 million Facebook accounts have been posted to a hacking forum and are on sale for very little money. Information such as email addresses, phone numbers and dates of birth has been breached and, according to CyberNews, the data is likely to have been on sale since last June. It has been reported that 32 million of these accounts were based in the US, and 11 million in the UK. Facebook has responded by stating the data breach was related to an old hack, which was "found and fixed" in August 2019. But as most people don't regularly change email addresses or phone numbers, it remains a security risk for many. The leak could lead to a heavy fine in Europe, where the EU imposed strict General Data Protection Regulation (GDPR) rules from May 2018, unless Facebook can prove that the breach took place before those data regulations were put in place. Ireland's data protection agency launched its own investigation into the data breach last week.
But Facebook is not the only business to have a data breach come to light in the past year. Read on for the major company and government hacks and data breaches that have put our valuable information at risk.
easyJet data hack
Before the COVID-19 pandemic hit last year and brought the aviation industry to a near standstill, UK airline easyJet was dealing with a major data hack. In January 2020, the low-cost airline became aware of the breach, which meant that the email addresses and easyJet account details of nine million customers had been accessed, including the full credit and debit card details of 2,208 customers. easyJet promised to notify all those affected by 26 May. It now faces legal action and a possible fine.
Estée Lauder security breach
In January 2020 it was revealed that cosmetics giant Estée Lauder had suffered a data breach that exposed more than 440 million records, including internal company emails. Customers weren’t directly at risk from the breach, but experts noted that the gap in the company’s security systems could allow cybercriminals to access more sensitive information in the future.
Denmark’s exposed tax portal
In February last year the Danish Government admitted to having accidentally exposed the personal identification numbers (CPRs) of 1.26 million of its citizens – that’s a fifth of the country’s population. An error on its online tax portal had been ongoing for five years before it was noticed in January 2020 following an audit. Officials reported that a bug existed in the portal which allowed a user’s CPR to be added to the website address each time they logged in. Those addresses were then collected by analytics services monitoring the sites, such as Adobe and Google, where they could have been intercepted by hackers, although there's no evidence that they were. A CPR is vital to anybody living in Denmark and is necessary for basic tasks, including opening a bank account and getting a phone number.
Clearview AI’s stolen client list
The integration of AI into our day-to-day lives has sparked privacy concerns, and those fears were stoked in February last year when data was stolen from Clearview AI, which creates the software behind facial recognition technology. Among the information taken was an entire list of the company’s customers, how many searches those customers had made and details from their accounts. Law enforcement agencies make up a large portion of Clearview’s clientele, and so any information garnered from its system is likely to be highly sensitive.
General Electric service provider hack
General Electric revealed that one of its service providers, Canon Business Process Services, had suffered a data breach in February last year, after an employee’s email account was hacked. Using the account, the unauthorised party gained access to documents about current and former employees and beneficiaries. Details included in those documents ranged from names and addresses to driver’s licence numbers and passport information. Canon offered identity protection and credit monitoring services free of charge for up to two years to anybody who was affected by the breach, and they were able to claim the offer until 30 June.
NutriBullet website hack
Blender brand NutriBullet was one of several companies to fall victim to so-called 'skimmer code crime' over a six-month period, which is where malicious code injected into a website exposes the payment card information submitted by customers during online transactions. Criminals can then access the data and use it to make fraudulent purchases or sell on people's information. The breach was first spotted on 20 February last year, and a cat-and-mouse game between security teams and hackers continued into March. NutriBullet has since tightened its security measures and brought in external cybersecurity specialists.
US government agencies and companies in ongoing Russia hack
Since March 2020 there have been ongoing cyberattacks on US government agencies and big American companies. It's thought that a group of hackers, led by a wing of Russian Intelligence linked to other high-profile cyberattacks, has accessed sensitive information and monitored communications through products created by SolarWinds, an IT company that works for the US government and companies including Microsoft. Departments reportedly at risk include the Treasury, Commerce and Energy, as well as the Los Alamos National Laboratory, which deals with nuclear weapons. Former President Trump didn't say too much about the attack, but now that Joe Biden is in the top job he has put the blame for the SolarWinds attack on Russia's foreign intelligence service (the SVR) and this month he imposed sanctions on Russia that "will impose costs in a strategic and economically impactful manner on Russia" if it continues its "destabilising international action". America has also expelled 10 Russian diplomats.
T-Mobile security breach
In March 2020, communications giant T-Mobile revealed its second security breach within a six-month period. The cyberattack compromised both employees and customers via a staff email account, giving the hacker access to addresses, phone numbers, and phone contract information. T-Mobile did not specify how many people were affected, but customers received a text notification if their data had been impacted. Alarmingly, the incident was very similar to another T-Mobile breach that occurred in November 2019.
Whisper secrets leak
The entire premise of secret-sharing app Whisper is that all content remains anonymous, as users post confessions and interact under randomly-assigned nicknames. The façade was shattered in March last year however, when two independent researchers came across Whisper data online – an incredible 900 million records dating back to the app’s launch in 2012. User names weren’t available at any point, but nicknames, location and group memberships, among other information, were easily accessible to hackers. On discovering the security flaw, Whisper restricted access and rushed to fix the error.
US Small Business Administration data breach
Back to America, where the Small Business Administration (SBA) was suspected of suffering a data breach in March last year. The portal affected is used by business owners looking to apply for emergency loans – a site undoubtedly experiencing a lot of traffic during the COVID-19 outbreak – and the breach appears to have impacted almost 8,000 people who applied for the Economic Injury Disaster Loan programme, which gives small businesses up to $10,000 in coronavirus relief loans. While personal details were made public to other applicants, there is no evidence to suggest that the data has been abused in any way.
Marriott's loyalty programme hack
On 31 March 2020, hotel chain Marriott announced a huge data breach which had compromised the data of more than 5.2 million guests who had used its loyalty card programme. The hackers had infiltrated the accounts of two employees to siphon data including names, dates of birth, telephone numbers, travel information and loyalty programme information for around a month before the breach was discovered. It’s thought that the employees’ information was discovered through a separate cyberattack or phishing.
Claire’s bank details theft
Another company targeted by a skimming attack was global accessories retailer Claire’s. The breach of the Claire’s website was initiated on 25 April 2020 and continued until 13 June, according to Sansec researchers. The company was unaware of how many customers’ card details may have been accessed, but recommended that customers monitor their bank statements to look out for anything suspicious.
Mobile details leak in Pakistan
In April last year it came to light that some 44 million phone records in Pakistan, mostly associated with numbers linked to mobile operator Jazz (formerly Mobilink), had become available online. The leaked files featured names, addresses, phone numbers and subscription dates, and spanned back to late 2013. The data was part of a package of 115 million records that a hacker had attempted to sell for the equivalent of $2.1 million (£1.6m) in Bitcoin. It's unclear whether the data came from Jazz, a partner of the company, a government organisation, or a telemarketing firm.
Zoom account data stolen
As Zoom has gained in popularity in the past year, it’s become popular for fraudsters too and increasingly vulnerable to security threats. In April last year, it was reported that 500,000 stolen Zoom passwords were for sale on so-called 'dark websites', with some of the accounts’ credentials being given away for free. On top of this, victims’ personal meeting URLs and HostKeys were available too. Zoom said the details were the result of a data breach at another company and hackers had discovered that users had used the same username and password combination for their Zoom accounts.
Nintendo accounts stolen
In April 2020, Nintendo announced it had been the victim of a data breach affecting 160,000 accounts. These stolen accounts were used to purchase valuable digital products. In response Nintendo has stopped allowing users to log in using their Nintendo Network ID (NNID) and suggested that users set up two-factor authentication mechanisms.
Magellan Health ransomware attack and data breach
In April last year Magellan Health reported that 365,000 patients had been affected by a sophisticated cyberattack. The hackers first used malware to steal employee login credentials, before employing a phishing scam to access Magellan’s systems, which meant they could steal employees’ login details, personal information, ID numbers and patient information.
Wishbone data leak
Wishbone is an app that allows users to flick through pairs of cards and vote for their favourite of the two, for example a choice between different outfits or celebrities. The app is targeted at teenage girls, which only exacerbated the distress caused when a prolific hacker known as ‘ShinyHunters’ posted 40 million user records on the sharing and marketplace forum RaidForums in May last year. This came after another hacker was believed to be selling the data for thousands of dollars on the dark web, and the information included email addresses, mobile numbers and encrypted passwords. Wishbone had already suffered a data breach scandal in 2016, when 9.4 million records were accessed.
Illinois Department of Employment Security data lapse
The Illinois Department of Employment Security (IDES) revealed a lapse in its security in May last year, which it put down to a “glitch” in a new system. The system had been introduced to process claims from citizens in the state who needed to file for unemployment benefits. Information including names, social security numbers and addresses was leaked through the website, and the mishap was only spotted when a business owner realised that she was able to see the details of other applicants. “Thousands and thousands” of records are said to have been visible, but the security on the site was stepped up within an hour of it being reported.
University of York cyberattack
The University of York in England relies on third-party American company Blackbaud for its customer relationship management services, which became problematic when the cloud service was hacked in May last year. The firm manages a whole host of personal details of both staff and students on behalf of the university, and so decided to pay an unspecified ransom sum to hackers rather than risk the publication of the data. Encrypted information, such as passwords and bank details, wasn't affected. Blackbaud is now facing legal action in the US over the breach.
University of California SF coronavirus files stolen
A similar situation played out at San Francisco’s School of Medicine on 1 June last year. Malware was found on the University of California institution's IT systems, which revealed that hackers had accessed crucial data, including research carried out by the university about COVID-19. It's rare that institutions that fall victim to cybercrime respond to blackmail threats, but university officials entered negotiations because of the importance of the files. The hackers demanded $3 million (£2.2m), which was countered with an offer of $780,000 (£577k) by the university – the eventual deal fell somewhere in the middle at $1,140,895 (£844k). In return for the money, the hackers provided a decryption tool and agreed to delete all information already stolen from the servers.
MyCastingFile agency data breach
Thousands of US-based actors find roles through the site MyCastingFile.com, and in May last year hackers successfully hacked the website for valuable data. Information on more than 260,000 users was leaked, including addresses, work histories, physical profiles and details of vehicle ownership. The agency only learnt of the infiltration on 11 June, but was able to secure the site almost immediately.
Twitter profile hack
In July a huge data breach saw high-profile Twitter accounts including Barack Obama, Elon Musk and Bill Gates get hacked. Out of a total of 130 accounts targeted, the hackers managed to alter the passwords of 45 users. The hackers proceeded to send tweets from the accounts asking users to send money to an unknown Bitcoin address, and managed to get a total of $121,000 (£90k) in Bitcoin from 300 transactions.
CouchSurfing security breach
The CouchSurfing site allows travellers to find free accommodation around the world but in July the site was targeted by hackers, who stole the details of 17 million users and went on to sell the data on one-way messaging groups and hacking forums. According to a data broker who deals in hacked information, the CouchSurfing data was selling for $700 (£520), as reported by ZDNet. Luckily the stolen data did not include passwords, but user emails can be added to spam lists and used for malware distribution operations in the future.
Photos stolen from V Shred
Fitness brand V Shred provides personalised nutrition and exercise plans for users and as a result holds a whole host of information, including sensitive photos, about its clients. With 12 million website visitors each month across 119 countries, V Shred was an attractive target for hackers, and in July the company revealed that the data of 99,000 users had been compromised. Files accessed included everything from diet plans to client email addresses.
LG and Xerox data breach
In November last year, a notorious ransomware group called Maze announced that it would be shutting down, but that wasn’t before it caused some serious damage earlier in the year. The hackers leaked 50.2GB of data from LG’s internal system, and 25.8GB from Xerox in August and, if these incidents are similar to others carried out by the cyberattack group, the publishing of the private data would have come after the companies refused to pay ransom money. When contacted by ZDNet, both companies declined to provide further information.
Intel file leak
Silicon Valley giant Intel was subject to a security breach in August when 20GB of internal documents, some marked “confidential” or “restricted secret”, were uploaded to the file-sharing site MEGA. The data was published by a Swiss software engineer called Till Kottmann, who received the stolen information anonymously and regularly uploads leaked information to the site. The compromised files included product guides, manuals and technical specifications for the company’s central processors, but no sensitive data about employees or customers was made public by the hacker.
Freepik data breach
In August, free photo and design graphic site Freepik revealed that a hacker had gained access to one of its databases. The cyber attacker obtained usernames and passwords for the oldest 8.3 million users registered on both its Freepik and Flaticon sites. The company contacted those affected by the data breach via email and recommended that users change their passwords.
University of Utah data breach
In August, the University of Utah admitted that it had been forced to pay a ransomware gang $457,059 (£337k) to prevent it from publishing students’ information online. The hackers stole sensitive files and encrypted everything they could find on the university’s IT system, preventing administrators from gaining access, and demanded money in exchange for decrypting the files. Had the university refused to pay, those files would then have been made available online. This is a typical format when it comes to cyber extortion, and a very lucrative one at that.
Dickey’s card details hack
Dickey’s Barbecue Pit is the largest barbecue restaurant chain in the US, and it was infiltrated by hackers between July 2019 and August 2020. The card details of more than three million customers appeared on a fraud marketplace called Joker’s Stash in October, after the data had been mined over the 12-month period. The cyberattack spanned eateries across 30 states, and data was obtained from 156 of Dickey’s 469 restaurants.
Experian customers’ data compromise
International credit reporting agency Experian operates in 37 countries, and in August 2020 the South African branch of the business was affected by a cyberattack. A fraudster was given customer details after posing as a client and it was estimated that 24 million South Africans and 793,749 businesses were affected by the breach. Luckily none of the data was used for fraudulent purposes before it was deleted.
Carnival ransomware attack
This past year has been particularly difficult for the cruise ship industry. On top of the coronavirus pandemic, the world’s largest operator, Carnival, also had a ransomware attack to contend with. In August, the company revealed that hackers had accessed and encrypted a portion of one of its brand’s information technology systems, which likely included the personal data of both customers and employees. This was the second such announcement in 2020: in March, the company revealed that a hacker had gained access to its internal network between April and June 2019, and again managed to steal personal information of some of its customers.
Nevada schools cyber attack
Following a hack at the end of August, the personal information of thousands of students in Nevada was published online a month later when officials from Clark County School District refused to pay ransom money to a group of hackers. The school district serves more than 320,000 students and is the fifth largest public school district in America. Employees and students have been informed if their names and social security numbers were listed on the impacted system.
German hospital ransomware attack
In September, a hospital in Düsseldorf, Germany was struck by a ransomware attack, which not only put confidential data at risk and compromised the entire digital infrastructure behind the hospital, but was also linked to a patient’s death. A 78-year-old woman was in desperate need of medical attention but was turned away from her local hospital because of reduced capacity following the network problems. Her ambulance was then diverted to a hospital 32 kilometres (20 miles) away, which delayed her treatment by an hour, and she died shortly afterwards. Following a two-month investigation, legal teams concluded that there wasn’t enough evidence to show that the death was directly caused by the ransomware attack, but the case did highlight the very real-life implications of cybercrime.
Law enforcement data breach in Belarus
Nobody wants to have their data leaked online, but in a high-risk industry such as law enforcement the stakes are even higher if there is a security breach. In September, more than 1,000 high-ranking police officers in Belarus saw their personal details, including names, dates of birth and job titles, leaked via a Google spreadsheet. It is likely that the hack was in retaliation for the violent police crackdowns against anti-government demonstrations following the country’s presidential election in August. Belarusian news agency Nexta published the information and threatened that more data would be made public if the police violence continued.
Boom! MOBILE customer data breach
In September yet another company fell prey to a card skimming attack. Phone operator Boom! MOBILE saw its US site compromised, which allowed customer information to be collected by hackers. Transparency and ease-of-use are two main selling points to customers of Boom! MOBILE, but ease of access appeared to be the main attraction for cybercriminals looking to infiltrate the site.
United Nations maritime agency hack
At the beginning of October, the United Nations International Maritime Organization (UN IMO) revealed that it had suffered a breach of its public website and other web-based services the week before. Affected sites were up and running again by 2 October after the attackers had overcome “robust security measures” to access the systems in the first place. It has not been specified whether it was a ransomware attack, a website defacement or part of a 'watering hole attack', where fraudsters guess which websites are often used by organisations and infect them with malware, rather than targeting a company directly.
Barnes & Noble cyberattack
In October, US bookseller Barnes & Noble confirmed that a ransomware group had impacted its e-book service Nook, which may have led to customer data being exposed. Virtual libraries were littered with glitches, online purchases vanished and at times customers couldn’t log onto their Nook accounts at all. Even cash registers in brick-and-mortar stores were malfunctioning. While there is no evidence that customer details were taken during the intrusion, Barnes & Noble acknowledged that there was a possibility that information was visible during the breach.
Ubisoft and Crytek data leaks
Ubisoft and Crytek are two of the biggest gaming companies around, and both were attacked in mid-October by ransomware gang Egregor. The cybercriminals leaked 20MB of data from Ubisoft and 300MB from Crytek, including resources and information about the companies’ games. Egregor then went on to leak the source code for Watch Dogs: Legion in November, a game which Ubisoft released in late October.
Texan drivers’ details leak
Data breaches aren’t always a result of malicious hacker activity; sometimes it just comes down to human error. Insurance software provider Vertafore admitted to a data leak in November, which had accidentally given a third party access to the details of 27.7 million drivers in Texas. It’s believed the incident took place between 11 March and 1 August last year, when three files were unintentionally stored in an unsecured external storage service. The files contained details from drivers’ licences issued before February 2019, and those affected were contacted by Vertafore.
Campari ransomware attack
Italian beverage retailer Campari came under fire from the hacking gang RagnarLocker on 1 November 2020 and was threatened with sensitive data being leaked online. RagnarLocker followed the standard method for cyber extortion and offered to decrypt the files it had locked in exchange for a ransom payment, which was reportedly around $15 million (£11m). Campari refused to give in, however, and the hackers then created Facebook adverts targeting Campari employees reminding them of the hack, using the Facebook account of one of the people impacted by the attack. This seemed to confirm that personal data was likely to have been included in the hack. So far there has been no report of the company meeting the ransom demands while it tries to retrieve the files and restore its IT systems.
Mashable database leak
American digital media platform Mashable reported that information from its database had been copied and posted on the internet on 4 November last year. Hackers infiltrated the function that allowed users to easily share content via social media platforms, and details acquired included names, location, IP addresses, social media details and email addresses. Mashable suspended the affected accounts after learning of the attack as a precautionary measure, but there wasn’t any evidence to suggest that the information had been used by a third party.
LinkedIn data scraped
While not exactly a hack, around 500 million LinkedIn profiles have been scraped as hackers found a way to collect profiles' publicly available personal information on a huge scale. The information has been put up for sale on a hacker forum, and even though the information is already being openly shared by users, it would enable hackers to better target those whose data has been collected in this way.