2019 was a year of massive data breaches—some of the largest on record. It was also a year of data breach denials.
Disney Plus refused to get thrown under the bus by media coverage, saying that they show no evidence of the big data breach they were accused of in November. Similarly, State Bank of India (SBI), India’s largest bank, claims that they experienced no data breaches this year, and errors with its server were erroneously reported.
So what are the biggest data breaches that did—as far as we can tell—actually take place? The largest examples this year come from First American, Facebook, and Capital One 360, all of whom admitted to compromising the data of hundreds of millions of customers.
What is a data breach?
A data breach is when sensitive data was accessed by unauthorized parties, or when it was potentially accessible, even if misuse is undetected.
There are many types of data breaches. They can happen not only because of hacking, but also the mishandling of company data, gaping holes in website security, and when data is resold to less-than-benevolent third parties.
Let’s take a closer look at 2019’s biggest data breaches.
First American – 885 million accounts breached
Timing: In May of 2019, Krebs on Security, a security news website, reported that First American was storing sensitive data (dating back to 2003) on an open, unsecured server.
What happened: A real estate developer contacted journalist and cyber crime expert Brian Krebs about a First American data breach. After investigating and confirming the breach, Krebs got in touch with the company to allow them time to secure the server before announcing the leak on his KrebsOnSecurity website.
The article revealed that all mortgage transactions from the past 16 years could be easily accessed by anyone who had ever received a document link via email by an employee of First American.
Krebs reported that digitized records including bank account numbers, social security numbers, and drivers license scans were accessible on an open server. Shortly after the KrebsOnSecurity article, First American was served a class action lawsuit.
Pro Tip: When using forms to collect sensitive data such as social security numbers and birthdays, SSL protection is advised.
Facebook – 600 million accounts breached
Timing: The data security breach was discovered in January, but affects accounts and logins dating back to 2012.
What happened: During routine security checks, Facebook discovered that the passwords for 600 million Facebook and Instagram accounts were being stored in plain text on their servers. This made passwords easily accessible to all Facebook employees. There is no evidence of Facebook employees using or selling this data. Due to the security risk, they chose to notify affected users.
Capital One 360 – 100 million accounts breached
Timing: The hack was discovered by Capital One 360 on July 19, 2019, but could affect credit card applications dating back to 2016.
What happened: Paige Thompson, a former software engineer once employed by Amazon AWS, has been indicted for hacking into a Capital One 360 server. She gained access to 100 million credit card applications and accounts, including 140,000 Social Security numbers and one million Canadian Social Insurance numbers. Capital One 360 says there’s no evidence of the perpetrator sharing data before being caught by the FBI.
American Medical Collection Agency – 25 million accounts breached
Timing: In early May of 2019, American Medical Collection Agency (AMCA) filed a breach with the Securities and Exchange Commission, reporting they were hacked between August 1, 2018 and March 30, 2019.
What happened: AMCA is a billing services vendor, and 25 million patients from different companies were affected, including Quest Diagnostics, LabCorp, BioReference, and a number of community health centers and small laboratories. The hacked system held personal and financial data, including Social Security numbers. AMCA’s parent company filed bankruptcy in the wake of the data breach, while Quest and LabCorp now face lawsuits.
MixCloud – 20 million accounts breached
Timing: The data breach happened in early November, but was discovered in late November.
What happened: 20 million user accounts were hacked, and the data was offered for sale on the dark web. The data includes usernames, email addresses, IP addresses, profile pictures, and country of signup. Luckily, passwords were scrambled using MixCloud’s SHA-2 algorithm, and could not be unscrambled.
Undisclosed Indian Healthcare Company – 6.8 million accounts breached
Timing: In February, FireEye, a US-based cybersecurity firm reported the hack.
What happened: A hacker stole the data of 6.8 million patients from an Indian healthcare company, a client of FireEye that has remained unnamed. It is believed that this healthcare data is being targeted to sell to pharmaceutical firms, cybercriminals, and nation state groups. China is reportedly buying up medical research in an effort to lower cancer rates as it moves towards universal health coverage in 2020.
StockX – 4 million accounts breached
Timing: StockX, a site for buying and trading sneakers and watches, announced that they were hacked in August of 2019, but the hack is thought to have occurred a few months prior.
What happened: Four million username and password combinations were being sold for a couple dollars per account on the dark web. The company came under fire for requiring users to reset their passwords without admitting that a data breach was the motivator.
StockX now faces a lawsuit from a user who claims the company was too slow to alert users to the fact that their information was available on the dark web. The company is also accused of lacking the proper security systems needed to prevent data breaches.
Flipboard – Unknown number of affected accounts (150 million total users)
Timing: In late May, Flipboard revealed that some accounts (the amount has not been disclosed, but the company has 150 million total users), were the victims of unauthorized access between June 2018 and April 2019.
What happened: Upon commissioning a private security investigation, the company announced that a portion of accounts had been accessed by an unauthorized individual, who was able to access usernames and email addresses. Passwords set before March 14, 2012 may have been accessed due to a lack of encryption. Despite only a portion of users affected, Flipboard required all passwords to be reset.
Fortnite – Unknown number of affected accounts (200 million total users)
Timing: In January of 2019, Fortnite announced a data breach that may have occurred over the previous months.
What happened: Fortnite disclosed that an unknown number of accounts had fallen prey to a fatal flaw in their system which allowed hackers to gain access to sensitive account data and even purchase in-game currency. Because Fortnite is a popular game among kids, parents could have been the victim of erroneous credit card charges without being aware of it. Hackers could also have pretended to be a player and eavesdropped on group conversations. In August of 2019, Epic Games, the creator of Fortnite, was hit with a class action lawsuit.
Read Next: Our top articles on data security
The way you collect, share, and store data is more important than ever before. Hackers are out there watching for vulnerabilities and lapses in security. As 2020 becomes reality, don’t let a data breach be part of your new year! Take time now to audit your data security to minimize potential risks and avoid getting on this list in 2020.