Worst data breaches of 2019: Is your data safe online? (Not so much.)

Imagine if your personal and private information was exposed to the world.

Then again, perhaps it already has been!

So far in 2019, the data of more than a billion people has been exposed online. This leaked or stolen data is a virtual goldmine for hackers because it contains bank account numbers, credit card numbers, social security numbers, tax details, employment records, and other personally identifiable information (PII).

This article features a list of the top 20 data breaches that have taken place to date in 2019 in chronological order. As you will see, many of the 2019 data breach incidents we discuss in the article were detected by security researchers and ethical hackers before a data theft or ransom attack could take place. Thankfully! We have intentionally included those incidents to show how careless some business organizations and government institutions are in storing personal and private data. It is sheer luck that the security researchers were one step ahead of hackers in finding such leaky databases.

Top 20 Data Breaches of 2019

#1: vpnMentor: 20 Million Ecuadorian Citizens Breached

In September 2019, ethical hackers at vpnMentor found a leaky database that contained the sensitive data of more than 20 million Ecuador citizens. The unprotected database, which was owned by an Ecuadorian data analytics company Novaestrat, contained a variety of information, including: 

  • Employment information such as employer names and locations, employer tax identification numbers, job titles, salary information, job start dates, and job end dates. 
  • Account and account holder information for the Ecuadorian national bank, Banco del Instituto Ecuatoriano de Seguridad Social (BIESS), including account statuses, account balances, amounts financed, credit types, locations, and contact information.
  • Automotive records of Ecuadorian car owners such as vehicles’ license plate numbers, makes, models, dates of purchase, most recent registration dates, and other technical details.  
  • Personal identification information (PII) such as full names, genders, dates of birth, places of birth, home addresses, email addresses, home, work and cell phone numbers, marital statuses, marriage dates (if applicable), dates of death (if applicable), and levels of education. 

Interesting fact: Ecuador’s total population is around 17 million people, and the insecure data contained the information of 20 million Ecuador citizens, including the data of millions of deceased individuals. This is a rare data breach in which the data of virtually all the citizens of a country is exposed in a massive data leak simultaneously due to a single unprotected database!

#2: 24.3 Million Patient Records

In September 2019, Greenbone Networks found 590 leaky PACS servers (Picture Archiving and Communication Systems) spread over 52 countries, containing 24.3 million patient records. They reported that around 400 million X-rays, CT scans, and MRI images are linked to the internet and can be easily downloaded by anyone!

This data can be exploited by cybercriminals to conduct phishing attacks, ransomware attacks, and identity theft. The most affected countries are the U.S., U.K., Brazil, Italy, India, and Turkey.

Interesting fact: Greenbone researchers also found that 39 systems containing patients’ sensitive records were using an unencrypted HTTP web viewer. These records have an estimated value of more than one billion U.S. dollars on the Darknet! The lesson here is that system administrators must always use data encryption tools — which generally cost less than $50/year — to protect sensitive data.

#3: 20 Million Russian Citizens Compromised

Also in September, Comparitech and the security researcher Bob Diachenko reported that the data of 20 million Russian citizens was publicly available on an Amazon Web Services (AWS) Elasticsearch cluster. The data included details such as full name, physical address, passport number, phone number, tax ID number, tax amount, and employment details. The data, which was unencrypted and left exposed for more than a year and could be accessed without any passwords or credentials.    

The data was taken off by the owner — a Ukrainian — after Diachenko reported the breach. 

Interesting fact: A combination of PII and tax details exposure is exploited by attackers to commit tax-related cybercrimes. The attackers can impersonate tax officers or use the information to convince victims to transfer the tax money online via phishing emails. Needless to say, such funds would be transferred to the phishers’ bank accounts.

#4: Asurion Paid a $300,000 Ransom

In August 2019, Asurion, a leading phone insurance and tech support company, paid at least a $300,000 ransom after a data theft incident. The data was stolen by a former employee Nicholas Burks, who claimed to have 100 terabytes (TB) of sensitive information.

The data contained thousands of employees’ bank details and social security numbers, as well as the PII of more than a million customers. This data includes information such as names, email addresses, phone numbers, physical addresses, and account numbers. 

Burks also claimed to have information relating to thousands of recorded phone calls, customer service records, and training documents. He threatened to leak this information on media and pass it to competitors if Asurion didn’t pay a ransom of $350,000.

Interesting fact: Incidents like this demonstrate how insiders can be bigger threats than outside threats such as unaffiliated hackers. While external hackers need to exert more effort to break into your company’s system, your employees may already have access to employees’ and customers’ sensitive data at their fingertips. Hire one wrong employee, and your company may find itself the target of an insider threat’s data breach.

It is understandable that employees can’t perform their duties without proper information available to them. But to mitigate this threat, limit employee access to data and systems to only those who need it to perform their jobs. You can also encrypt the data when no one is working on it.

#5: Capital One Breach: 100+ Million Records

In July 2019, Capital One bank declared on its website that an unauthorized individual had gained access to information for 100 million American and six million Canadian credit card holders and applicants:  

  • Approximately one million Social Insurance Numbers of Canadian citizens. 
  • 140,000 social security numbers of American credit card customers. 
  • Credit card applicants’ names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
  • Credit card customers’ credit scores, credit limits, balances, payment history, and contact information. 
  • About 80,000 linked bank account numbers of secured credit card customers. 

#6: Honda’s Unprotected Database

In July 2019, a security researcher named Justin (who goes by the username “xxdesmus”) published a blog post stating that Honda had an unprotected ElasticSearch database, exposing 134 million rows of employees’ computer data from across its global network. The database included employee email addresses, departments, machine types, IP addresses, MAC addresses, hostnames, operating system versions, endpoint security states, and patch details.  

The database also exposed the CEO’s PII and other details such as CEO’s email address, MAC address, which Windows KB/patches had been applied, Operating system’s version, endpoint security status, IP, and device type.

However, reportedly no data theft took place. When xxdesmus informed Honda about the data leak, they took prompt action and quickly secured all of the data. 

Interesting fact: This sort of data breach is highly risky in nature because it was exposing which machines were using outdated software, hadn’t yet been patched, and which ones didn’t have endpoint security software enabled. This information makes it extremely easy for hackers to spot and target the vulnerable machines and get access to the system.

 #7: Florida Ransomware Attacks

Florida governments became a victim of cyber attacks three notable times in 2019. Ransomware attacks are result of data breaches, where data is stolen and encrypted and hackers demand ransom to decrypt the data.

In June 2019, Riviera Beach paid $600,000 in Bitcoin to hackers to regain access to its computer systems when a ransomware attack deactivated the email system, phone service, and 911 dispatch system.

Interesting fact: The Riviera Beach’s cyberattack took place when an employee of the local police department opened a malicious email, which enables hackers to install the malware in the entire system! This incident demonstrates that all it takes is a tiny bit of employee negligence for hackers to cripple your organization’s IT systems. As such, it’s high time for all businesses and government organizations to provide at least basic cyber security training to their employees. For example, teach them how to recognize phishing scams and determine whether a website is legitimate or a scam.

#8: Baltimore Shut Down By Attack

In May 2019, Baltimore was hit by a major ransomware attack, which shut down the city’s primary government servers and online facilities.  

The hackers demanded a ransom of approximately $76,000 in Bitcoin to give back the access to encrypted files and hijacked systems.  

Baltimore officials refused to pay the ransom and decided to restore the system on their own, which ultimately cost them $18.2 million.  

The city officials also approved a purchase of $20 million cyber insurance to protect themselves against future cyber-attacks.  

Interesting fact: One of the main reasons Baltimore suffered such a high recovery cost is that the city didn’t have a proper data backup infrastructure. It was using old fashioned servers instead of cloud systems to back up the data. A large portion of data had no backup at all! An important lesson to take away from this is that you must give the highest priority to data backup. So, in an unfortunate hacking event, if the original data gets encrypted by the hackers, you can quickly restore it from the backup files.   

#9: 275 Million Indian Citizens Compromised

In May 2019, security researcher Bob Diachenko found an unprotected MongoDB database containing 275,265,298 personal records of Indian citizens. The data included personally identifiable information (PII) such as names, mobile phone numbers, dates of birth, email addresses, genders, employment histories, education levels and area of specialization, professional skills/functional areas, current employer, and salaries. 

Interesting fact: Diachenko immediately notified the Indian Computer Emergency Response Team (CERT) about the data leak. However, the CERT didn’t take any actions for a week until a hacker group known as Unistellar got all the data, deleted it, and left a message: “Restore? Contact: [redacted email address]”! 

Image Courtesy of Security Discovery 

#10: 16 Years of Mortgage Files Exposed

In May 2019, KrebsOnSecurity revealed that the First American Financial corporation’s website is exposing approximately 885 million files, containing customers’ mortgage-related data from the year 2003 to the present (May 2019). The data was unencrypted and available to anyone without any authentication or credentials. The digital documents included customers’ bank account numbers, bank statements, wire transaction details, social security numbers, mortgage and tax records, and driver’s license imagesthe present (May 2019). The data was unencrypted and available to anyone without any authentication or credentials. The digital documents included customers’ bank account numbers, bank statements, wire transaction details, social security numbers, mortgage and tax records, and driver’s license images.  

The data leaked was first discovered by a real estate developer, Ben Shoval. First American gave him a link which contained nine digits long reference number for one of his transactions with the company. When he modified the reference number in the URL, the website kept fetching other people’s records!

10 More Notable Data Breach Incidents in 2019

  1.  In September 2019, Demant, a leading hearing aid manufacturer, had to shut down its entire IT systems across multiple sites and business units following a cyber-attack. The company is expected to have a reduced profit of approximately $ 95 million due to this incident.
  2. In August 2019, a white hat hacker at WizCase found a leaky database containing the personal information of 14 million Chilean citizens, including personal data belonging to their prime minister! Along with PII, the data included RUT numbers, which are similar to the social security numbers in the United States.
  3. In August 2019, the Rockville Centre School District in New York paid a $100,000 ransom to hackers to get back access to its day-to-day work data and past emails. The hackers used ransomware to encrypt all the district’s data and demanded the payment in Bitcoin to decrypt the data.
  4.  In July 2019, an audit report revealed the shocking fact that the Maryland Department of Education had stored 1.4 million students’ and 230,000 teachers’ PII and social security numbers “inappropriately.” The data was stored in plaintext, unencrypted, which was easily accessible to anyone.
  5. In July 2019, the data of Air New Zealand’s 112,000 Airpoints customers was exposed when two employees became victims of phishing attacks. The data included names, email addresses, and Airpoints numbers. Air New Zealand asked the data breach victims to beware of phishing emails as a potential effect of this data breach.
  6. In June 2019, Comparitech found an unprotected, unencrypted MongoDB database containing 188 million people’s PII from Pipl.com and LexisNexis. The data also contains information such as court and bankruptcy notes, social media profile links, political affiliations, past and present employers, and ownership details of automobiles and property.
  7. In June 2019, LabCorp’s 7.7 million patients’ and Quest Diagnostics’ 11.2 million patient’s data were exposed from American Medical Collection Agency (AMCA)’s systems. The breached data contained LabCorp patients’ first and last names, dates of birth, physical addresses, phone numbers, dates of service, service providers, balance information, credit card numbers, and bank account details.

    Quest Diagnostics’ data breach was even more serious in nature, as it exposed patients’ health records and social security numbers along with other financial details.
  8. In March 2019, Motherboard reported that ASUS’s automatic software tool had been signed by hackers to install backdoor malware in thousands of users’ computers. ASUS confirmed that it has unknowingly pushed the malware via its automatic software update to its thousands of users. Hackers used two legitimate ASUS code signing certificates to sign and authenticate the malicious software updates.
  9. In March 2019, hackers broke into Toyota’s IT system and gained access to 3.1 million customers. The hackers attacked servers of Toyota’s eight different sales subsidiaries or their affiliates. In the year 2019, Toyota’s subsidiaries in Australia, Thailand and Vietnam became victims of data breach.
  10. In February 2019, security researcher Bob Diachenko found an open, unprotected database that exposed about two billion customers’ email addresses, phone numbers, physical addresses, dates of birth, IP addresses, mortgage amounts, interest rates, and estimated credit scores. The database, which belongs to the email marketing firm Verifications.io, also contained 6,217,358 records of business leads.