If we observe the cybersecurity landscape closely, we discover that when it comes to data security, unfortunately, the good guys are still miles behind the crooks. A report from the Identity Theft Resource Center referred to 2018 as the year of data breaches, as organizations around the globe witnessed a record jump in data leaks and around half a billion consumer records were either stolen or exposed. The trend of escalating cyber threats has continued in 2019, and a number of major data breaches were observed in the first quarter of the year itself. We have highlighted some of the top cybersecurity data breaches that were observed in the first quarter of 2019.
Top Cybersecurity Data Breaches of 2019 (So Far)
Blur Data Breach
Date of Occurrence: January 2nd, 2019
As soon as 2019 commenced, the Blur data breach news shook the entire cybersecurity world. A file containing sensitive private information like usernames, email addresses and password hints of about 2.4 million Blur users was left exposed on unsecured servers. After the breach came to light, Abine, the company that manages passwords for Blur, urged the concerned users to change their account passwords and enable multi-factor authentication.
MEGA ‘Collection #1’ Breach
Date of Occurrence: January 17th, 2019
This massive data breach was revealed by security researcher Troy Hunt when he found an enormous database on the cloud storage website MEGA. The ‘Collection #1’ folder contained approximately 1 billion email and password records and was later uploaded to several hacking portals and forums. Interestingly, the hackers had cracked the protective hashing of the exposed passwords and could use them to do serious damage to the concerned users.
Cebuana Lhuillier Data Breach
Date of Occurrence: January 19th, 2019
Addresses, dates of birth, and other sensitive information of more than 900,000 customers of the Philippines-based financial-services company Cebuana Lhuillier were exposed when the company faced a data breach that affected its email servers. However, the important transaction details of the customers were safe as the company’s main servers were not affected.
BlackRock Inc. Client Information Breach
Date of Occurrence: January 22nd, 2019
BlackRock Inc., the world’s largest asset management company, accidentally shared links to spreadsheets containing sensitive asset-related information of around 20,000 advisor clients on its iShares ETF website. The shared sheets were dated from December 5th, 2018 and contained names, email addresses, and asset details of the advisor clients who had invested in iShares ETFs. On an interesting note, the company had classified its clients into several categories like ‘dabblers’, ‘power users’ and so on.
Dunkin’ Donuts Credential Stuffing Attack
Date of Occurrence: February 12th, 2019
Dunkin’ Donuts faced a data breach for the second time in approximately three months when hackers gained access to its customers’ accounts through credential stuffing attacks. The hackers got access to DD Perks reward accounts by using credentials which were previously leaked on other sites. Reportedly, they have been selling the reward account details containing usernames, email addresses, DD Perks account numbers and QR codes on Dark Web forums.
500px Data Breach
Date of Occurrence: February 15th, 2019
The major photo-sharing platform 500px had its servers hacked and personal information of around 14.8 million of its users was stolen. Although the hack had happened in July 2018, the company came to know about it only later. The information that was stolen included usernames, email addresses, birth dates and geographical locations of the account holders. Luckily, the passwords of the users were encrypted and were safe from the attackers.
Advent Health Year-long Data Breach
Date of Occurrence: February 20th, 2019
In a year-long data breach, personal data of around 42,000 patients of the Florida-based health company Advent Health Medical Group was compromised. The data breach exposed the sensitive personal information of patients like names, social security numbers, health data, email addresses, and phone numbers. After the incident, the company pledged to offer free identity monitoring services to the patients whose information had been stolen.
UConn Health Data Breach
Date of Occurrence: February 22nd, 2019
UConn Health suffered a major data breach when an unauthorized third party got access to its employee email accounts. As a result, the personal information of around 326,000 of its customers was exposed. Social security numbers of around 1500 people were also compromised. The health center had to immediately secure the impacted accounts and investigate the matter to avoid further damage.
Dow Jones Watchlist Leak
Date of Occurrence: February 27th, 2019
A Dow Jones watchlist containing sensitive information useful to financial institutions was found exposed on a public server by a security researcher named Bob Diachenko on February 22nd, 2019. The incident was reported on February 27th, 2019. The leaked database contained sensitive financial and political identity records of around 2.4 million individuals. The individuals were mainly government officials and people with political influence from countries all over the world. Financial companies rely on this data to determine the financial risks associated with these people.
Facebook’s Unprotected Passwords Incident
Date of Occurrence: March 21st, 2019
In a security review, Facebook found that the passwords of around 600 million users had been stored in plain text since 2012, on storage systems which were accessible to thousands of its employees and developers. The company issued a statement acknowledging the fault and also said that it would notify the affected users to change their passwords as a precaution.
Toyota Data Breach
Date of Occurrence: March 29th, 2019
In a second data breach incident in just five weeks, hackers accessed Toyota servers containing information of about 3.1 million Toyota and Lexus customers. The hackers breached the IT systems of Toyota and stole data belonging to several sales subsidiaries. The breach happened in Toyota Japan’s dealerships on March 21st and was reported on March 29th, 2019. The company confirmed that no credit-card-related information of its customers was stolen, but it did not mention the type of data that was exposed.
Georgia Tech University Data Breach
Date of Occurrence: April 2nd, 2019
Over 1.3 million people were affected as hackers got access to the central databases of the renowned Georgia Tech University. According to the officials, the breached datasets contained personal information like names, addresses and social security numbers of students, professors, student applicants, and other staff members.
Microsoft Email Services Data Breach
Date of Occurrence: April 15th, 2019
Using a Microsoft customer support agent’s login credentials, hackers gained access to customers’ web-based email accounts. The breach lasted from January 1st to March 28th, 2019 and affected email services like @hotmail.com and @msn.com. The company said in its statement that only “a limited number of customer accounts” were affected and that the issue was resolved by disabling the hacked user credentials. The users were also urged to change their passwords as a precautionary measure.
JustDial Data Leak
Date of Occurrence: April 17th, 2019
Personal information of around 100 million JustDial users was found exposed on unprotected and publicly accessible servers. The leaked datasets contained mobile numbers, addresses, dates of birth and other sensitive user information. The exposed data was part of the company's old API endpoint, which was forgotten and left exposed on the unprotected servers.
Bodybuilding.com Data Breach
Date of Occurrence: April 22nd, 2019
Bodybuilding.com, the largest online player in the fitness industry, disclosed a data breach which may have impacted its entire user base of around 7 million users. The hackers gained unauthorized access to the company’s IT systems when a company employee fell prey to the hackers’ phishing email in July 2018, and the breach went public on April 19th, 2019. The company notified its users of the breach and alerted them to change their user credentials.
Although the majority of the top cybersecurity data breaches we saw in the first quarter of the year were deliberately planned by hackers, others happened as a result of sheer negligence by employees and a simple lack of attention. Organizations need to minimize such incidents, and as the year progresses, it will be interesting to see how such efforts change the data protection landscape.