Biggest Breaches of 2019

by Sarah Harvey / December 17th, 2019

What Were the Biggest Data Breaches of 2019?

The data breaches of 2019 were enormous, with the biggest of them impacting over a billion people collectively. And, like in years past, attackers did not discriminate based on industry, size, or location, and continued to use advanced techniques to compromise user data – anything from generic personal data to payment card information and protected health information. Let’s take a look at five of the biggest data breaches of 2019, how they happened, and what has been done to mitigate them since they were discovered.

Fortnite – 200 million

Starting the year out, security firm Check Point notified the public that the popular game Fortnite had been exposed to a data breach through an old, unsecured Epic Games web page, putting Fortnite players at risk of having their accounts hijacked, their in-game audio recorded, and their in-game currency spent. While the attack happened in November 2018, Fortnite creator Epic Games did not acknowledge or attempt to fix the vulnerability until January 2019, two months after Check Point notified it of the security incident. Since the breach was announced, Franklin D. Azar & Associates has filed a class action lawsuit, arguing that while Epic Games is hunting down password dumps that may be used to conduct credential stuffing attacks and is “proactively resetting passwords for player accounts when they believe they are leaked online,” the gaming company isn’t doing enough to compensate users or protect them from future threats.

Facebook – 600 million

In the wake of the Cambridge Analytica scandal, Facebook faced its fair share of cybersecurity challenges throughout this year. Most notably, in a report published by KrebsOnSecurity on March 19th, it was revealed that Facebook had been storing the passwords of between 200 million and 600 million users in plain text, all of them searchable by more than 20,000 Facebook employees, and in some cases accessible to employees since 2012. Facebook software engineer Scott Renfro told Brian Krebs, “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data. In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.” This incident is separate from the Facebook data breach that impacted 50 million users in September 2018.
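The failure mode in the Facebook incident was an ordinary one: a request payload carrying a password was written to application logs as-is. The following is an added example (not Facebook's code) showing that leaky pattern beside a redaction filter that masks secret-bearing fields before any log handler writes them. The list of sensitive field names, the sample login payload and the logger name are assumptions made for the example.

```python
"""Keeping credentials out of application logs.

Added example (not Facebook's code). It shows the pattern behind an
"inadvertently logged" password: a request payload serialised into a log
as-is, beside a redaction filter that masks secret-bearing fields before
any handler writes them. SENSITIVE_KEYS and the sample payload are assumed.
"""
import io
import json
import logging
import re

# Field names whose values must never reach a log in clear text (assumed list).
SENSITIVE_KEYS = re.compile(
    r"(pass(word|wd|phrase)?|secret|token|authorization|cookie|ssn)", re.I
)
MASK = "[REDACTED]"


def redact(value):
    """Return a deep copy of value with every sensitive-key value masked."""
    if isinstance(value, dict):
        return {
            k: (MASK if SENSITIVE_KEYS.search(str(k)) else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, tuple):
        return tuple(redact(v) for v in value)
    return value


def unsafe_log_line(event):
    """The leaky pattern: serialise the whole request payload into the log."""
    return json.dumps(event)


def safe_log_line(event):
    """The corrected pattern: redact before serialising."""
    return json.dumps(redact(event))


class RedactingFilter(logging.Filter):
    """Handler-level filter that scrubs structured messages and arguments.

    Attached to the handler rather than the logger, so records propagated
    from child loggers are covered as well.
    """

    def filter(self, record):
        if isinstance(record.msg, (dict, list)):
            record.msg = redact(record.msg)
        if isinstance(record.args, dict):        # logger.info("%s", {...}) form
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True


def build_logger(name="auth", stream=None):
    """Logger whose only handler redacts secrets; stream defaults to stderr."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


def logged_output(event):
    """Run one record through the redacting logger and return the text."""
    buf = io.StringIO()
    build_logger("auth.demo", buf).info("login attempt %s", event)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed login request, as a web tier might log it.
    event = {"user": "alice", "password": "hunter2",
             "headers": {"Authorization": "Bearer abc123"}}
    print("leaky :", unsafe_log_line(event))
    print("fixed :", safe_log_line(event))
    print("logger:", logged_output(event), end="")
```

Redaction at the logging layer is a safety net, not a substitute for never passing raw request bodies to a logger; a detection engineer would pair it with a periodic scan of log storage for strings matching known credential formats, which is how incidents like this one tend to be found.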

Capital One – 106 million

Perhaps one of the most startling data breaches announced this year comes from Capital One, where a malicious actor, identified as Seattle-based former Amazon employee Paige Thompson, illegally accessed and downloaded the PII of 106 million Capital One customers and applicants, including 100 million in the US and 6 million in Canada. According to a statement released by Capital One, that data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers of U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) of Canadian credit card customers. Capital One states that it has determined no credit card account numbers or log-in credentials were compromised; however, the investigation is still ongoing. To execute the attack, Thompson exploited a misconfigured web application firewall (WAF) through Server-Side Request Forgery (SSRF). Thompson has since been arrested by the FBI and charged.

American Medical Collection Agency (AMCA) – 20+ million

Though much smaller in terms of people impacted, the American Medical Collection Agency data breach, which occurred between August 1, 2018 and March 30, 2019, is one of the most talked-about breaches of the year. Why? Because it highlights the pervasive lack of focus on cyber and information security in the healthcare industry. With more than 20 million patients impacted by the breach, AMCA’s partner organizations, including Quest Diagnostics, LabCorp, BioReference Laboratories, and many others, have all since disclosed the incident in filings with the SEC and cut ties with the company. AMCA has since filed for Chapter 11 bankruptcy protection.

Canva – 139 million

On August 10th, Canva, a popular design app, posted a notice on its website explaining that on May 24th a malicious hacker had compromised its systems. According to the notice, the attackers were able to access information from the Canva profile database containing the usernames, names, email addresses, countries and other optional information of 139 million users. The hackers also accessed cryptographically protected passwords, briefly viewed files with partial credit card and payment data, and claimed to have obtained OAuth login tokens. Canva was able to stop the attack while it was in progress and activated its incident response plan immediately, notifying users and authorities right away that the breach had occurred. In a June 1st notice, Canva explained the steps it took to mitigate the breach: notifying users, prompting users to reset their passwords, resetting OAuth tokens, coordinating with partners, and partnering with 1Password to provide password management services for a year.

Staying secure in a data-centric world has become increasingly complicated, and that is more than evident from these top data breaches of 2019. New threats and vulnerabilities are discovered on a regular basis, and if organizations don’t make security a foundational part of their operations, they will likely face the repercussions. Let KirkpatrickPrice be the partner you’ve been looking for when it comes to ensuring the security of your business. Contact us today to learn about our auditing, pen testing, and readiness and guidance services so you can stay protected against these types of data breaches and more in 2020.

More Cybersecurity Resources

How Much is Your Data Worth to Hackers?

Why Bother with an Information Security Program?

Executive Insight into the Importance of Penetration Testing