5 Biggest Data Breaches of 2020

By Abey Koshy Itty
Published on 16 Sep 2020

A data breach often causes costly damage to a business and puts the brand’s reputation at stake.

Data breaches can involve leakage of financial information such as credit card or bank details, personally identifiable information (PII), personal health information (PHI), intellectual property or any other sensitive information that ends up with an individual who is not authorised to access it.

Millions of user records get leaked every year as a result of data breaches, and this remains one of the major security concerns for large and small businesses alike.

Servers that store data are susceptible to various forms of attack, and safeguarding them has to be given due importance.

According to a study conducted by the Ponemon Institute, the average total cost for a company as a result of a data breach is $3.86 million.

Failure to take proper measures to fix security issues can cause serious damage as seen in the case of the Equifax data breach that happened in 2017. Private records of around 163.1 million people were compromised in the breach and it was made possible because Equifax failed to apply a patch to a third-party software vulnerability.

In today’s article, we’ll have a closer look at the 5 biggest data breaches of 2020.

Marriott data breach

Marriott was slowly getting its reputation back on track after a major data breach in 2018. During mid-January 2020, Marriott suffered another data breach when around 5.2 million guest records were stolen.

It happened when the network of a hotel chain got hacked and attackers gained access to the login credentials of two Marriott employees. Personal details such as names, mailing addresses, email addresses, birthdates, telephone numbers and loyalty account numbers were all compromised in the breach.

The attackers were able to siphon data for roughly a month before the breach was discovered, and Marriott issued a public security incident notification later in March to bring it to the attention of their guests.

EasyJet data breach

EasyJet revealed in May 2020 that they were subject to a cyber attack in which the details of about 9 million customers were stolen. It is one of the biggest data breaches to hit the airline industry. It is understood that the names, email addresses and travel records of these customers were exposed.

Additionally, the credit card details of around 2,208 customers were stolen including the CVV number on the backside of the card.

The carrier did not explain how or exactly when the data breach took place. Even though EasyJet had known about the attack in January and informed the Information Commissioner’s Office (ICO), they didn’t inform their customers for four months.

Customers were advised to be wary of phishing attempts. EasyJet is currently facing an £18 billion class-action lawsuit over the data breach for failing to protect data and for waiting several months to inform customers about the breach. The lawsuit comes on the back of a difficult time for the airline industry as the coronavirus pandemic affected travel worldwide.

Under GDPR, and after ICO’s investigation, if EasyJet is found to have mishandled customer data, it could face fines of up to 4% of its annual worldwide turnover.

Tetrad data breach

Security researchers at UpGuard were able to discover a publicly exposed cloud database from marketing analysis company Tetrad that included personal data and behavioural profiles of about 120 million Americans.

The collection of data sets provided detailed information about Americans based on where they live, what they buy, how much they spend, how long their commute is and their opinions on a range of topics.

The data was publicly available on the internet because of a misconfigured Amazon S3 bucket and it contained about 747 GB of data. The data appeared to derive from Tetrad’s clients which included companies ranging across retail, real estate, healthcare, banking & finance, hospitality and more.

Even though Tetrad revoked public access within a week upon UpGuard’s notification, it is still largely unknown how long it was exposed for and whether anyone else got hold of the data.

Sina Weibo data breach

Weibo, China’s microblogging alternative to Twitter, was hit with one of the biggest data breaches of 2020 that impacted around 538 million users. The personal details of the users were available for sale on the dark web for as low as $250.

It contained personal details including real names, site usernames, gender and location. It also included the phone numbers of about 172 million users.

The hack is believed to have happened during mid-2019 but it didn’t appear for sale on the dark web until March 2020. It’s a huge relief that the hack did not leak any passwords or payment information.

While Weibo has acknowledged the breach and further investigations were ordered by the authorities, unclear responses from the company have led to questions if more information was exposed as part of the breach.

Instagram, TikTok and YouTube data leak

In a recent data breach, a database containing scraped data of around 235 million social media users on Instagram, TikTok and YouTube was exposed on the internet.

The data was spread across several datasets and based on the samples collected by the security research team at Comparitech, one in five records contained either a telephone number or email address.

Even though it is publicly accessible data, the fact that it was leaked in aggregate as a well-structured database makes it a valuable asset for cybercriminals to run phishing campaigns.

Among the 235 million social media profiles in the database, 191 million, 42 million and 4 million records were scraped from Instagram, TikTok and YouTube respectively.

The data leaked about the users included their profile name, real name, profile photo, age, gender, engagement statistics and more. According to the researchers, the data leak was from a company called Deep Social.

While web scraping is not illegal, it is prohibited by social networking sites as it puts the privacy of their users and their data at risk.

Conclusion

When we take a look back at some of the biggest data breaches of 2020, most of them happened because a company neglected to deal with a specific security issue, thereby leaving a gaping hole for an attacker to exploit.

If you’d like to know more about some of the biggest data breaches in history, you can check out the list of data breaches published on Wikipedia. Yahoo holds the record for the largest data breach of all time when 3 billion user accounts were compromised and they didn’t know about it until 2 years later.

You can also find out if your personal or work accounts have been compromised in a data breach by checking on Have I Been Pwned.
