The Worst Cyber Attacks of 2019
These big data breaches had expensive consequences. Is your organization adequately protecting itself?
This year Campus Safety has reported on a large number of malware, ransomware and other types of cyber attacks against our nation’s schools, institutions of higher education and hospitals. But healthcare and education weren’t the only sectors affected.
Hackers also kept many of the world’s largest corporations on their toes this year. According to CS sister publication, My Tech Decisions, the worst cyber attacks in 2019 could have been avoided if everyone in those victim organizations had been on the same page.
The series of errors that led to the largest cyber attacks of 2019 are basically the same no matter what the victim org’s size. This means if you read the below list thinking, “these are mega-companies; the risk of a data hack at my organization is much smaller” … you’re in dire need of a reality check!
Here are some of the worst cyber attacks of 2019 in no particular order:
Almost every Ecuadorian citizen (20 million people affected)
One of the largest data breaches in 2019 happened in Ecuador, where the personal information of about 20 million people, including their president and Julian Assange, founder of WikiLeaks who was granted asylum by the nation.
It’s reported by security firm and breach discoverer vpnMentor that the exposed data came from the Ecuadorian national bank, Ecuadorian government registers, and an automobile organization.
Everything from date of birth to personal identification numbers and even driving records were involved in the incident.
First American Corporation (~885,000,000 files)
This hack of the American real estate title insurer First American Corporation’s website leaked over three quarters of a billion mortgage deal documents, including bank account numbers, tax records, Social Security numbers, wire transaction receipts, and driver’s license images, says KrebsOnSecurity.
Krebs says it was tipped off by a real estate developer who “said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.”
The 885,000,000 files, which date as far back as 16 years, were available to view without authentication requirements.
Oklahoma Department of Securities (potentially millions of breached files)
The Oklahoma Department of Securities recently dealt with a breach of millions of files, some of which were involved with FBI investigations.
According to UpGuard data breach research, a storage server – with records dating as far back as 1986 –was exposed. It is unclear how long the records were publicly accessible, but an IP address search engine first registered it in November of 2018.
“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” the UpGuard report says.
Trend Micro (about 70,000 people affected)
ZDNet reported an attack on “fewer than one percent” of security firm Trend Micro’s customer base was the alleged work of a former employee. Names, email addresses, support ticket numbers, and some telephone numbers were taken in the breach and used to conduct scams, ZDNet says.
The firm was made aware in August that customers were receiving phony calls from people claiming to be with Trend Micro.
“It is believed the information was sold on to a third-party, but the identity of the threat actor — or group responsible — is not yet known,” ZDNet’s report says.
Flipboard (150,000,000 people affected)
Content aggregation app Flipboard announced earlier this year that unauthorized access to databases containing Flipboard user information happened between June 2, 2018 and March 23, 2019, and between April 21, 2019 and April 22, 2019.
Those databases contain names, usernames, email addresses and cryptographically-protected passwords, the company says. It is not yet known how many accounts were affected, but Flipboard reportedly serves 150,000,000 app users, and said in their announcement that not all of whom were involved.
While the fact that the hacked passwords were “cryptographically-protected” typically means more difficulty for the hacker, Flipboard did also report that passwords created or changed before March of 2012 were protected with a weaker algorithm, says a Forbes article about the data breach.
What’s more, the digital tokens used to connect Flipboard with social media accounts “may have” also been stored in the databases.
Facebook (more than 540,000,000 people affected)
This is the news that prompted some tech publications to encourage all Facebook users to change their passwords. In April 2019, UpGuard reported on two third-party Facebook apps holding large datasets, which left their data exposed to the public — one of the biggest data breaches in social media history.
The breach from media company Cultura Colectiva’s app contains more than 540 million records, including FB id’s, likes, reactions, and more.
Another Facebook app backup titled “At the Pool” also contained user id’s, as well as columns for fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, and much more, according to UpGuard. This affected at least 22,000 users.
“The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers. As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access.” — UpGuard report
Fortnite (potentially 200,000,000 accounts affected)
One of the most prominent games in pop culture lately, Fortnite sees roughly 200 million users worldwide vie to be the last player standing.
But Check Point Research found vulnerabilities, which “could have allowed a threat actor to take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency and eavesdrop on and record players’ in-game chatter,” according to the report.
It isn’t uncommon for cyber criminals to create fake landing pages surrounding these popular online games that advertise ways to earn in-game currency while phishing for credentials.
Check Point Research didn’t need to create a fake website to recreate the breach, though. They didn’t even need a user to hand over log in information whatsoever.
The researchers found a weakness in Fortnite’s sub-domains which allows an XSS attack if the user only clicks on a link sent by the attacker.
Read More Articles Like This… With A FREE Subscription
Campus Safety magazine is another great resource for public safety, security and emergency management professionals. It covers all aspects of campus safety, including access control, video surveillance, mass notification and security staff practices. Whether you work in K-12, higher ed, a hospital or corporation, Campus Safety magazine is here to help you do your job better!