Feature

Major Data Breaches that Happened During the COVID Pandemic

 

Sonit Jain CEO, GajShield Infotech

The COVID pandemic has caught everyone unaware. While we’ve all been busy adjusting to the new normal, cybercriminals have been making merry. They are taking advantage of the disrupted environment to carry out cyber attacks. This is evident as a recent study shows that the number of data breaches in 2020 has almost doubled with 3,950 confirmed breaches against 2,103 recorded breaches in 2019, with the year far from the end. About 80 per cent of the data breaches have occurred due to simple brute force attacks, which should raise serious concerns regarding data security. These cyber-attacks are also not limited to technologically weak enterprises but rather impacted big names that have strong data security measures in place. Here’s a look at six such enterprises that faced major data breaches during the COVID pandemic.

  1. Whitehat Jr.

Whitehat Jr. recently reported a data breach exposing data of 2.8 lakh students and teachers due to multiple vulnerabilities in their infrastructure in November 2020. The exposed data contained student names, age, gender, profile photos, user IDs, parents name, and progress reports of minor students forming a major part of the exposed data. Salary details of WhiteHat Jr employees, as well as its internal documents and dozens of recorded videos of online classes being conducted by the platform, were also exposed, according to the researcher.

  1. Big Basket

BigBasket, the popular Indian online grocery vendor was reported to have faced a data breach that affected the data of over  2 crore customers. As a result of this data breach, personal information such as email IDs, full names, IP addresses has been compromised and is reported to be put up for sale on the dark web. The data lost in the BigBasket breach, which was mostly that related to customers’ personal details, more than being critical to business operations warrant an extra degree of security. That’s because losing this data can not only be disastrous from a public relations perspective but can also land companies in legal trouble which can last for years and cost crores of rupees in damages.

  1. Twitter

The Twitter data breach occurred on the 15th of July 2020. Cybercriminals hacked verified accounts of influential and well-known personalities on Twitter. How influential and well-known, you ask? Well, the hacked accounts included the names of Elon Musk, Barack Obama, and Bill Gates, to name a few. The criminals behind the hack then proceeded to post fake tweets from the compromised accounts. The tweets promised USD 2,000 for every USD 1,000 sent to a Bitcoin address. The hackers had a big payday as they managed to make over a hundred thousand dollars in Bitcoin transactions.

  1. Marriott International

The Marriott data breach happened on March 31, 2020. The data breach exposed data of more than 5.2 million guests who used the hotel’s loyalty application. The attack was carried out by using the login credentials of two Marriott employees. These employees had access to the customer data regarding the hotel chain’s loyalty program. Hackers accessed names, birthdays, travel and loyalty program information data in the data security breach. This is the second such attack faced by the hotel chain. The company reported a data breach in 2018, which compromised the data of around 500 million guests.

  1. Zoom

Zoom, a video conferencing app, gained massive popularity during the pandemic. It simplified business meetings by allowing 100 participants for video conferencing at a time when enterprises over the world faced difficulties communicating with their workforce. This rising popularity made it the subject of a major data breach shortly. In the first week of April 2020, Zoom faced a major cyberattack. Around 500,000 Zoom account passwords were stolen and were available for sale on the dark web. Besides, the victims’ personal meeting URLs and HostKeys were available too.

  1. Clearview AI

Clearview AI, a major firm dealing with facial recognition technology, became a victim of a data breach on February 26. The perpetrator of the attack gained unauthorized access to the Clearview AI’s entire client list. The data breach also left exposed around 3,000,000,000 photos scraped by the firm from social media sites such as Facebook, Instagram, and YouTube. Moreover, the number of user accounts opened by clients and the number of searches they had conducted were also compromised. The firm’s clientele includes major law enforcement agencies in the US, including the FBI and the Department of Homeland Security, and other corporate firms. The firm is already mired in controversy regarding its use of facial recognition technology for matching social media images against suspected criminals’ photos provided by the police department. The data breach further adds fuel to the fire.

While most of the data security breaches were due to external cyber attacks, there were some instances where data breach was internal and unintentional. The main reason for these data breaches were poor data security standards that left the data exposed to unauthorized individuals. Let’s have a look at some of these instances.

  1. Social media accounts data breach

On August 1st, 2020 it was discovered that around 235 million Instagram, Tiktok and Youtube user profiles were compromised. This data security breach happened due to an improperly secured cloud database. A HongKong based company, Social Data was storing the data without password protection on their clouds. The data could be accessed by any individual easily as it was available freely on the internet. The data contained the following records:

  1. Profile name.
  2. Full real name.
  3. Engagement statistics.
  4. Number of followers.
  5. Age.
  6. Gender.
  7. Follower demographic.

While most of the data mentioned above are available publicly, what’s alarming is that the database contained about 20% of the records contained a phone number or an email address. Such private information is susceptible to cyberattacks, and hence, a cause of major concern.

2. Virgin media

A Virgin media database that contained personal details of 900,000 users were accessible online for about ten months before being discovered. The data security breach occurred due to an unsecured database, as it is reported that the database was ‘incorrectly configured’ by a staff member. The database contained information regarding the phone numbers, home and email address which were used for marketing purposes by the company.

Clearly, the year 2020 has been challenging for enterprises with regard to cybersecurity. However, we must learn from past incidents to prepare for the future. Enterprises need to strengthen their data security measures as much as possible. To avoid data breaches, enterprises need to take the following steps:

  1. Educate employees about cybersecurity practices.
  2. Update machines to the latest software.
  3. Destroy data before disposal.
  4. Use a strong data leak prevention system

The above stated breaches have one thing in common, and that is data. All of them lacks stronger data security approach which let these data leave these enterprises security infrastructure undetected. The problem here is the reliance on an older security approach that is limited to the perimeter and lacks data visibility to tackle newage security challenges in the given work infrastructure. These incidents could have been avoided if only their security solution had stronger visibility, deeper than the traditional layer 7 and the ability to monitor and control the use sensitive and practically enforce data handling policies over and above general verbal instructions.



 

To top