Among many interesting findings, the 2021 SonicWall cyber threat report featured a section on the biggest data breaches of 2020 in terms of the volume of records leaked. With the ongoing HSE data breach crippling Ireland’s health system, now is the ideal time to increase security awareness by looking at other major global data breaches and their causes. This article takes a look at the top five data breaches in 2020 and provides some actionable insights on what you can learn from them in terms of your organisation’s IT security posture.
Data Breaches in 2020 and Why They Matter
As you’ll see, several of the victims of the biggest data breaches were huge companies. Therefore, it’s natural to wonder about the applicability of this information to a small or medium-sized business.
It’s important to realise first of all that malicious intruders don’t solely focus their efforts on large businesses. Businesses of all sizes can learn from the causes of these breaches and take reasonable steps to ensure they don’t repeat these failures.
Secondly, and arguably more importantly, data breaches are extremely costly. You might not have a database of hundreds of millions of customers, but many smaller businesses can easily grow a database of 5,000-10,000 customers.
Multiply the per-record cost of a breach of personally identifiable information (PII), at $150 (~€125), by the size of a small customer database, and you have a bill of well over €500,000 to pay, which will sink most businesses. That’s why this information matters.
1. Estée Lauder Breach: 400 Million Records
The American multinational skincare company Estée Lauder became the victim of 2020’s largest data breach when a security researcher revealed he accessed an exposed database belonging to the company. The database contained a large number of user email addresses in plain text format. Also viewable in the database were internal documents, including audit logs and reports.
Luckily for Estée Lauder, the records didn’t contain any customer information. What was striking about this breach was that such a basic security flaw enabled anyone with an Internet connection to access the data. This breach reinforces the importance of basic information security practices, such as encrypting data and requiring passwords to access it.
2. Facebook Breach: 267 Million Records
In 2020, consumer tech website Comparitech revealed they partnered with security researcher Bob Diachenko to uncover a database of 267 million records belonging to Facebook users left exposed online. The data included unique Facebook profile IDs, phone numbers, and full names belonging mostly to users in the United States.
Such data is incredibly valuable for hackers, who can use it themselves or sell it on to groups that want to conduct large-scale spam or phishing campaigns. The takeaway message here is that no matter the size of your company, you must always take a prudent approach to protecting sensitive data belonging to customers.
3. Microsoft Breach: 250 Million Records
In January 2020, Microsoft revealed they experienced a major data breach that actually took place over the course of December 2019. The breach revolved around an entire database of “support case analytics” featuring logs of conversations between Microsoft support agents and customers. The database was publicly accessible via the Internet.
In a blog post highlighting what happened, Microsoft described how, “a change made to the database’s network security group on December 5, 2019, contained misconfigured security rules that enabled exposure of the data.” This breach serves as a telling reminder of how misconfigurations pose serious information security risks. Some basic steps for avoiding misconfiguration risks include:
- Applying software updates/patches swiftly
- Disabling default accounts
- Using security scanning tools to look for misconfigurations
- Encrypting your data
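As an illustration of the kind of check a misconfiguration scanner performs, the sketch below flags database ports that a set of inbound firewall rules leaves open to any Internet address. It is an added example, not code from Microsoft or from the original article; the rule fields are a simplified shape modelled on Azure network security group rules (protocol is ignored), and the port list and sample rules are constructed for illustration.

```python
# Added example (not from the article): flag database ports that an NSG-style
# rule set leaves reachable from any Internet address. Field names are assumed.
DB_PORTS = (1433, 3306, 5432, 9200, 27017)  # assumed watch list of DB ports
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}


def port_matches(port_range, port):
    """True if a port spec ('*', '1433', '9200-9300') covers port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def exposed_db_ports(rules):
    """Return {port: allowing rule name} for DB ports open to the Internet.

    Rules are checked lowest priority number first and the first match
    decides, so a deny only helps if it outranks the allow.
    """
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    findings = {}
    for port in DB_PORTS:
        for rule in inbound:
            if rule["source"] in ANY_SOURCE and port_matches(rule["ports"], port):
                if rule["access"] == "Allow":
                    findings[port] = rule["name"]
                break  # first matching rule wins
    return findings


# Constructed sample: a change adds a broad allow that outranks the deny.
BEFORE = [
    {"name": "allow-app-subnet", "priority": 100, "direction": "Inbound",
     "access": "Allow", "source": "10.0.1.0/24", "ports": "9200"},
    {"name": "deny-all-inbound", "priority": 4000, "direction": "Inbound",
     "access": "Deny", "source": "*", "ports": "*"},
]
AFTER = BEFORE + [
    {"name": "temp-debug", "priority": 200, "direction": "Inbound",
     "access": "Allow", "source": "*", "ports": "9200-9300"},
]

if __name__ == "__main__":
    print("before:", exposed_db_ports(BEFORE))
    print("after: ", exposed_db_ports(AFTER))
```

Running a check like this against every proposed rule change, before it is applied, catches the case where a single new rule silently overrides an existing deny.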
4. MGM Resorts Breach: 142 Million Records
Midway through 2020, reports began to circulate online that data belonging to 142 million MGM Resorts hotel guests was listed for sale on the dark web. The dark web is a part of the web that requires specific software to access. A veritable underworld marketplace in stolen data exists on the dark web where cybercriminals list stolen email addresses, credit card details, and more for sale.
The breach occurred when a hacker compromised a cloud server belonging to MGM Resorts and accessed the customer data. This incident again raises questions about the efforts companies are taking to properly secure their cloud resources. It’s vital to be as cautious about securing information in the cloud as it is on-premises. Hospitality is a sector particularly vulnerable to cyber attacks because service providers typically collect customer data that is both personal and financial.
5. Pakistan Mobile Subscribers Breach: 115 Million Records
In May 2020, personally identifiable information about mobile subscribers in Pakistan surfaced online. Included in the 115 million breached records were full names, home addresses, and mobile phone numbers. The data was eventually listed for sale on the dark web where an anonymous hacker tried to sell this information for 300 bitcoins.
In terms of its cause, this breach was somewhat mysterious because some records stretched back as far as 2013. Industry commentators speculated that the breach took place when a hacker gained access to an old backup file or that the data was stolen directly from a server. Whatever the cause, this incident shows that companies around the globe are targets for cyber attacks, not just those in developed nations.
Closing Thoughts
One key thing that stands out from 2020’s biggest data breaches is the sheer diversity of industries in which the affected companies operate. From skincare to software to hotels, it doesn’t matter what the nature of your business is. In an IT-powered world, the risk of a data breach transcends industries and sectors.
Lastly, it can be somewhat disheartening as an SMB to see that large corporations fall victim to these breaches. You may think, “if they can’t stop breaches with their gargantuan budgets, what hope have we got?”
A more optimistic outlook is also a realistic one, though, because your IT infrastructure is not as complex as that of large-scale enterprises. You don’t have to keep track of as many user accounts, network components, or computing resources.
If you put some basic security measures in place, then you’ve already won half the battle in protecting your valuable data. These basic strategies include:
- Backing up data regularly and ensuring data completeness in backups
- Having offline data backups such as tape storage that can’t be accessed via the Internet
- Applying updates regularly to software, operating systems, and network device firmware
- Always ensuring you authenticate users before they access data
iPing can help your business implement these data security methods and avoid data breaches with our managed IT services. Contact us today to learn more.