It’s difficult to quantify the damage done by a data breach. One could certainly rank 2019’s data breaches by records lost, or even by cost. But the reality is that the effects of a data breach are widespread and can take years to fully quantify. It makes more sense to try to learn from 2019’s mistakes by becoming familiar with the many different methods hackers employ against organizations.
Verizon’s 2019 Data Breach Investigations Report recorded 41,686 “security incidents” this year. Of those incidents, 2,013 were confirmed data breaches. The report names nine different attack patterns that dominated the threat landscape in 2019. Human error, phishing, outdated software, misconfigurations, and cyber espionage (traditional hacking techniques) topped the list.
Baltimore – A Rise in Government Targets
In 2019, attacks on public sector entities rose to 16 percent, more than any other sector, with more than 140 local governments, police stations and hospitals held hostage by ransomware attacks.
As recently as a few weeks ago, New Orleans declared a state of emergency when several of its computer systems were seized by ransomware. And Baltimore has spent almost $4.6 million this year recovering from a ransomware attack that occurred in May 2019. Mayor Bernard C. Young has refused to pay hackers a $76,000 ransom to unlock 10,000 computers frozen by a ransomware program known as RobbinHood. Instead, the city has elected to rebuild lost systems, a decision that will cost a projected $18.2 million in total.
AMCA – Third-Party Vendors Are Easy Prey
It’s not uncommon for organizations to outsource accounting and collections to third-party vendors, but when these vendors are breached, it has a domino effect on their clients’ data security. This was the case with the American Medical Collection Agency (AMCA) when an unauthorized attacker was able to access personal records for 12 million patients. Healthcare was the second-most targeted sector this year, making up 15 percent of all breaches.
The breach affected large clinical laboratories that used the AMCA, such as Quest Diagnostics and LabCorp. Personal data such as names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information were exfiltrated from the AMCA’s database. It was an eight-month-long breach that went unnoticed until a connection was made between fraudulent charges and credit card numbers used to pay healthcare debt. After the breach, the AMCA was forced to file for Chapter 11 bankruptcy when clients dropped them as a vendor.
Capital One – Small Configuration Mistakes Create Big Problems
When it comes to data breaches, the financial industry is targeted most often, with 927 recorded security incidents this year. However, with only 207 confirmed breaches, the financial industry holds the number three spot, comprising 10 percent of all data breaches in 2019. Verizon’s report names “privilege misuse” and “web application errors” as the top attack patterns in 2019, and the top attack methods for the financial industry specifically.
Capital One fell prey to this method in July, when an attacker found a misconfigured firewall protecting an Amazon Web Services (AWS) server. The firewall had too many permissions, so the attacker was able to use it to extract the personal data of 100 million Capital One customers stored on the server, and install crypto mining software in order to generate cryptocurrency. This tactic, called cryptojacking, has become more popular in the last few years because attackers are able to turn their efforts into a more immediate payout rather than selling private data on darknet markets. Forbes reports that the Capital One hacker also cryptojacked at least 30 other companies including the Ohio Department of Transportation, Michigan State University, and Vodafone.
Zynga – Stolen Usernames and Passwords Can Be Used in Other Breaches
The entertainment industry is not immune to attack. Zynga’s data breach was one of the largest in 2019, with over 170 million records containing usernames and passwords of players from its Words With Friends game. Stealing usernames and passwords for one service may seem like a concern only for the application in question, but hackers often target these credentials to use in credential stuffing attacks, which involve using login information from one website on other websites, taking advantage of internet users’ tendency to recycle passwords.
Adobe – Repeating Past Mistakes
Adobe Flash was the de facto way of adding animation to a website just a decade ago, but a series of security flaws destroyed its domination in the web design industry, and browsers such as Chrome began blocking Flash to protect users from malware.
In October, Adobe reported that hackers stole over 7.5 million records from Creative Cloud. The hack was caused by human error – Adobe administrators deployed an Elasticsearch database to the cloud without proper authentication controls. Although payment data was not extracted, enough information, like email addresses and subscription information, was disclosed to leave Adobe customers vulnerable to phishing attacks.
This breach was one of the most significant in 2019, not because of its size, but because just six years ago, in 2013, Adobe lost 38 million records in a breach, as well as part of the source code to Photoshop. After a breach of that size, Adobe should have learned its lesson. The fact that it compromised the data of another 7.5 million users just half a decade later is a strong indication that the software company needs to reevaluate its cybersecurity protocols.
Doing Better in 2020
In 2020, organizations should resolve to make massive data breaches a thing of the past. Hackers will of course continue to find new ways to bypass the latest technology and take advantage of human error. But thanks to unprecedented data collected about the threat landscape, businesses have more tools to fight data breaches than ever before.
Fighting these threats starts with creating a plan to deal with attacks and begin recovery as soon as a breach is detected. It also means auditing cybersecurity defenses and systems, making sure data collection and protection practices meet the standards set by new laws like CCPA and GDPR, and making sure every employee receives regular and rigorous training. If these precautions aren’t taken, losses will mount, fines will accrue, and these year-end lists will only get longer.