Recent data breaches: the scope, the impact, and the implications

Jul 27, 2021

The number of data breaches has doubled or even tripled year-on-year in the last decade. But not in 2020. The year that very few people will remember fondly saw a significant decline in data breaches. In this article, we look at the reasons why data breaches dropped in 2020 and compare them with what we have been seeing in 2021.

2020 in cybersecurity, or “the new normal”

2020 was a year of change. Based on the reports from Risk Based Security, data breaches dropped by 50% in 2020, following years of upward trends. However, this is not because hackers suddenly decided that data privacy matters. Despite the decline in publicly reported data breaches, the number of records exposed blew up by 141%, from 15 billion exposed records in 2019 to 37 billion in 2020. Keep in mind that this number was a “mere” 5 billion in 2018.

On top of that, companies prefer to keep information about their cybersecurity incidents and unencrypted databases under wraps. So, for thousands of breaches, or about 50%, the number of exposed accounts is never disclosed. We’ll look at some of these breaches from 2020 next.

Recent data breaches (that didn’t disclose the numbers publicly)

1,923 data breaches in 2020 did not report how many records were exposed. Here are three of them:

  • Clearview AI. One of the world’s most controversial companies, Clearview AI, announced that they suffered a data breach in February of 2020. The facial recognition company received a lot of criticism over scraping the web for photos to add to their 3-billion-picture database. Around the same time, hackers broke into Clearview AI’s network and stole the company’s client list. Clearview AI didn’t disclose whether any other data was stolen.
  • T-Mobile.
  • BlueKai. BlueKai, Oracle’s data collection startup, reportedly exposed “billions of records” including names, home addresses, email addresses, and more. A security researcher found the database unprotected and reported it to Oracle. It’s unclear how long the database had been unprotected or who had accessed that data.

Recent data breaches also include cases like Google’s Garmin. In July, the company suffered a ransomware attack that took their infrastructure down for four days. Eventually, the company caved in and paid a multi-million ransom to get the decryption key. It’s important to note that Garmin is one of the many companies that paid a ransom for their data in 2020 and that, often, these companies can’t know whether hackers stole anything in the process.

Biggest data breaches in 2020

Based on the Risk Based Security 2020 report, 23 data breaches in 2020 exposed over 100 million records. Unfortunately, the biggest breaches of the year exposed much more. Here are the top 5 biggest breaches that happened in 2020.

Weibo, 538 million

The Chinese social network giant Weibo has confirmed a data breach after ads surfaced on the dark web selling the data of 538 million users. The database contains users’ logins as well as real names, location, and gender. Around 30% of the accounts also include the users’ phone numbers.

Whisper, 900 million

Whisper is a secret-sharing app, where people can anonymously talk about their experiences. In March 2020, the company left the confessions of 900 million users exposed online. While the data does not include names or addresses, the posts and their metadata, like the location coordinates, could have been enough to identify the person behind the secret. The company claims to have removed access to the database but it is unclear whether anyone managed to steal the data before it was secured.

Keepnet, 5 billion

In March 2020, Keepnet Labs, a cybersecurity company from the UK, exposed a database with 5 billion emails and passwords. The database was a collection of data breach information from 2012-2019, or around 900 gigabytes of data. According to the company, third-party contractors responsible for migrating the database turned off the firewall to speed up the process. While it took only 10 minutes, it was enough for BinaryEdge to index the information. Security researcher Bob Diachenko said he had found the data and downloaded it via an “unprotected port” to verify.

AIS, 8 billion

Advanced Info Service, or AIS, is a mobile phone operator from Thailand. Researchers found that one of their ElasticSearch servers containing 4 terabytes of data, or 8.3 billion records, was left unprotected. AIS admitted to flawed procedures but said that the server was unprotected for about three weeks and likely no information was stolen. However, just as concerning is the fact that the researchers claimed to have contacted AIS multiple times before the company took action.

CAM4, 10.8 billion

One of the largest databases to have ever been exposed came from CAM4, an adult entertainment site launched in 2007. Researchers found an unprotected ElasticSearch server that contained 10.88 billion records including names, sexual orientation, emails, IPs, payments, password hashes, and more — 7 terabytes of data in total. There were no signs that someone stole all that data but it’s also unclear how long the server was unprotected or who had accessed it before the issue was fixed.

Recent data breaches that happened in 2021

Unfortunately, the familiar cybersecurity story continues in 2021. In six months, there were a number of large social media data breaches, ransomware attacks against Electronic Arts and the Colonial Pipeline, and more.

While it is too early to compare 2020 and 2021 in terms of the biggest security incidents, if several recent breaches are any indication, this year is probably going to be very similar to 2020. Here are the biggest data breaches in 2021 so far:

The social media nightmare (leaks from Facebook, Instagram, LinkedIn, and Parler)

These are actually two separate cybersecurity incidents, but both happened on January 11 and, in both, millions of social media users had their data exposed. The first included at least 214 million accounts with Facebook, Instagram, and LinkedIn usernames and passwords, geolocation data, emails, phone numbers, and more. This happened because Socialarks, a Chinese social media management company, left a database unprotected. In the case of Parler, a hacker stole 70TB of user data including posts and media.

Facebook and LinkedIn, again.

In April 2021, two data breaches took place, each exposing over 500 million accounts. The leaked database from Facebook contained data from 533 million accounts, with passwords, addresses, numbers, location, and more. And, almost simultaneously, researchers found a LinkedIn database for sale on the dark web with personal data from 500 million accounts. In fact, LinkedIn is one of the worst companies in terms of cybersecurity because their troubles go beyond 2012, when data from over 160 million accounts was leaked.

It’s not always about the size

Data breaches are not always about the quantity of accounts. One data breach that will have a lasting impact happened to SolarWinds. The software company, which has 33,000 business clients, was hacked and, to make matters worse, sent out a security patch with malicious code, exposing even more accounts. Because of this, news about new data breaches connected to SolarWinds keeps surfacing even several months after the malware was discovered.

Regardless of the type of attack, companies must start putting cybersecurity at the forefront of their growth strategy. Because, without it, we will continue to see cyber attacks that expose personal data, bring cities to a halt, and cost millions to repair.

How to prevent data breaches?

Protecting online databases is no small feat. They contain a lot of information and are highly sought after by hackers. So, how do you prevent a data breach? While we can’t give a definitive, one-size-fits-all answer, there’s one constant that you should never forget: hackers almost always pick the easiest target. Don’t let your database become it.

  • Don’t cut corners. Cybersecurity is as strong as its weakest component. If you’re going to build a citadel for the data you collect, make sure you leave no open windows.
  • Always password-protect your data. Surprisingly, still too many companies leave their databases unprotected. Use passwords, multi-factor authentication, or whatever you have to, and encrypt your users’ data.
  • Limit data collection. You can’t expose what you don’t collect. It’s as simple as that.
  • Promote education. Some people have never heard terms like “social engineering” and could never imagine that the delivery man roaming around your offices is actually a hacker in disguise. Teach people in your company how to protect their physical devices and online accounts.
  • Establish clear guidelines. We’ve already mentioned not cutting corners but there’s only one way to ensure this is the case — clear and straightforward cybersecurity guidelines and procedures. Cybersecurity often comes down to a checklist, so make sure yours is clear.
Elisa Armstrong

Verified author

Elisa’s all about languages. She speaks five, loves stand-up comedy, and is writing her first novel. Besides her extensive knowledge of cybersecurity, she’s an expert in persuasion techniques hackers use and strives to teach people how to avoid online scams.