Top 10 Data Breaches of 2019 (And the Lessons We Learned)


Published on 20/04/2020 03:37 PM

Data is the most valuable tool that any business has. It provides useful insights into the operations of your company and makes it easier to implement intelligent decision-making strategies. Data is also everywhere; now, we produce 2.5 quintillion bytes daily, and the amount we collect each day is growing.

Unfortunately, as data becomes more valuable and prominent in our modern environment, it also presents new challenges and risks. In particular, data breaches aren’t just problematic for company performance; they can also completely destroy the trust that consumers have in today’s enterprises. In 2019, we saw the impact data breaches can have on various brands – from small corporations to large enterprises. Worryingly, the number of breaches is growing, rather than decreasing, with 2019 seeing an increase of 33% over 2018.

The good news? Every data breach is a learning curve for the companies affected and other businesses alike.

Facebook App Exposure

In April 2019, UpGuard researchers learned that two Facebook app databases had been exposed to the public internet. One of the databases came from Cultura Colectiva – a media company based in Mexico. The database contained more than 540 million records, which included information such as comments, account names, and Facebook IDs.

The other third-party app that was exposed was “At the Pool”. Its data was exposed to the public internet via an Amazon bucket. The breach reminds us that backing up information and data on the cloud isn’t a set-it-and-forget-it process. Companies need to think carefully about where they store their backups and how they preserve that information.

Earl Enterprises

Although the Earl Enterprises breach itself likely happened in 2018, information about it wasn’t revealed until the middle of 2019. The issue allowed unknown attackers to use malware within Point of Sale systems to steal credit and debit card data. According to reports, the thieves stole over 2 million payment card numbers from customers at various locations around the US. The data theft also went unnoticed for a period of at least 10 months.

This data breach teaches us how important it is to understand the requirements of the latest Payment Card Industry Data Security Standard, or PCI DSS. This standard continues to be a work in progress for many companies keen to upgrade their privacy efforts.


FEMA

Here is another example of a large government organisation getting hit by cybersecurity issues. The Federal Emergency Management Agency, or FEMA, announced a breach in March 2019, which allowed access to millions of points of data about survivors of the California wildfires. The organisation accidentally shared information with a third-party contractor, including home addresses and bank information. In this case, the agency inadvertently sent too much data to a contractor, leading to a breach. Here, we learn that not all breaches are the result of malicious third parties. Sometimes, human error is the biggest threat that any business has to overcome.


Macy’s

Popular American company Macy’s was one of the many brands hit by a cybersecurity attack in 2019. The breach compromised the addresses, names, phone numbers, and payment details of shoppers on the Macy’s website. Members of the umbrella Magecart group placed card-skimming code into the checkout and order pages of the company’s website to capture crucial information.

In this case, the lesson to learn is that web applications with poor security are still a significant risk for many companies worldwide – particularly retailers. Businesses must carefully consider cross-site scripting, SQL injection, and other digital threats in the years ahead.


American Medical Collection Agency

The American Medical Collection Agency (AMCA) disclosed information about a security breach in May 2019. According to the company, two of its largest customers, LabCorp and Quest Diagnostics, were alerted about unauthorised users accessing the AMCA system and uncovering private data. The breach made a tremendous amount of information vulnerable, including social security numbers, credit, bank account information, and medical information belonging to over 11 million patients.

The AMCA breach was a classic lesson in making sure that you’re partnering with the right companies and dealing only with third parties that share your strategies when it comes to protection, defence, and data analytics.

US Government Breach

In September 2019, the US government began investigating a breach at a government technology contractor that had access to several systems put up for sale in the cybercrime landscape. The contractor was hit by a form of malware called Emotet, which has been frequently described as one of the most dangerous pieces of malware on the market today.

This breach shows us how important it is for even the biggest and most significant companies to have the right malware protection in place. Constant software updates are crucial in any environment if you want to protect yourself from the latest dangers on the web.


Chinese Job Candidates MongoDB Database

At the beginning of 2019, a cybersecurity expert and researcher found a MongoDB database featuring millions of records about Chinese job candidates. The data included information on the skills and backgrounds of the applicants. In particular, it included details such as work experience, phone numbers, email addresses, and a lot more. The database was only secured a week after the breach was discovered.

This data breach example teaches us how important it is for leading companies to keep a close eye on their data and where it’s stored. Companies shouldn’t be waiting for third parties to track down breaks in their data strategy. All companies need a plan for how to protect themselves on a day-to-day basis.


Exactis

The marketing firm Exactis left more than 340 million user records exposed when they stored information on a server that wasn’t secure. A data researcher uncovered the mistake, which means any hacker could have easily come along and gained access to Exactis's private information.

This cybersecurity slip-up is an excellent insight into why corporations need help from the right partners. Choosing the right secure server for your data will reduce the amount of work you need to do to protect yourself.


Elasticsearch

Another massive data breach in 2019 involved Elasticsearch. An online casino group leaked information about more than 108 million bets. The group also leaked details about personal customer information, withdrawals, and deposits. The data came from an exposed online Elasticsearch server that was without a password.

This recent data breach shows us how important it is to use basic security strategies. Despite having advanced firewalls and encryption tools, you still need the right password/username combination.

Capital One

Capital One made the headlines in 2019 when a massive data breach exposed thousands of data points, including credit card applications, bank information, and social security numbers. One of the last places that any customer wants a data problem to be is their bank. Crucially, Capital One proved that many brands, including financial institutions, can reduce their exposure to disaster by implementing the “principle of least privilege.”

When users only have access to the information they need and nothing else, there’s less risk of a breach. Stringent controls can protect, contain, and defend sensitive information.