Vulnerable data security lead to data breaches during COVID

The COVID pandemic has caught everyone unaware. And while all are busy adjusting to the new normal, cybercriminals have been making merry. They are taking advantage of the disrupted environment to carry out cyber attacks.

According to a recent study carried out, the number of data breaches in 2020 has almost doubled with 3,950 confirmed breaches against 2,103 recorded breaches in 2019, with the year far from the end.

Almost 80 per cent of the data breaches have occurred due to simple brute force attacks, which should raise serious concerns regarding data security. These cyber-attacks are also not limited to technologically weak enterprises but rather impacted big names that have strong data security measures in place. Here’s a look at six such enterprises that faced major data breaches during the COVID pandemic.

Whitehat Jr. recently reported a data breach exposing data of 2.8 lakh students and teachers due to multiple vulnerabilities in their infrastructure in November 2020. The exposed data contained student names, age, gender, profile photos, user IDs, parents’ name, and progress reports of minor students forming a major part of the exposed data. Salary details of WhiteHat Jr employees, as well as its internal documents and dozens of recorded videos of online classes being conducted by the platform, were also exposed, according to the researcher.

Big Basket is also among those who have faced data breach due to its vulnerable security power.

The breach affected the data of over 2 crore customers. As a result of this data breach, personal information such as email IDs, full names, IP addresses has been compromised and is reported to be put up for sale on the dark web. The data lost in the BigBasket breach, which was mostly that related to customers’ personal details, more than being critical to business operations warrant an extra degree of security. That’s because losing this data can not only be disastrous from a public relations perspective but can also land companies in legal trouble which can last for years and cost crores of rupees in damages.

Twitter also underwent the breach scanner on the 15th of July 2020. The verified accounts of influential and well known names were hacked by the cybercriminals. The accounts hacked were of Elon Musk, Barack Obama, and Bill Gates, to name a few.

The criminals behind the hack then proceeded to post fake tweets from the compromised accounts. The tweets promised USD 2,000 for every USD 1,000 sent to a Bitcoin address. The hackers had a big payday as they managed to make over a hundred thousand dollars in Bitcoin transactions.

Marriott International, data breach happened on March 31, 2020. The data breach exposed data of more than 5.2 million guests who used the hotel’s loyalty application. The attack was carried out by using the login credentials of two Marriott employees. These employees had access to the customer data regarding the hotel chain’s loyalty program. Hackers accessed names, birthdays, travel and loyalty program information data in the data security breach. This is the second such attack faced by the hotel chain. The hotel had reported a data breach in 2018, which compromised the data of around 500 million guests.

Zoom, a video conferencing app gained massive popularity during the pandemic. It simplified business meetings by allowing 100 participants for video conferencing at a time when enterprises over the world faced difficulties communicating with their workforce.

Zoom faced major cyber attack in the first week of April 2020.

Around 500,000 Zoom account passwords were stolen and were available for sale on the dark web. Besides, the victims’ personal meeting URLs and HostKeys were available too.

Clearview AI a major firm dealing with facial recognition technology became a victim of a data breach on February 26. The perpetrator of the attack gained unauthorized access to Clearview AI’s entire client list. The data breach also left exposed around 3,000,000,000 photos scraped by the firm from social media sites such as Facebook, Instagram, and YouTube. Moreover, the number of user accounts opened by clients and the number of searches they had conducted were also compromised.

The firm’s clientele includes major law enforcement agencies in the US, including the FBI and the Department of Homeland Security, and other corporate firms. The firm is already mired in controversy regarding its use of facial recognition technology for matching social media images against suspected criminals’ photos provided by the police department.

While most of the data security breaches were due to external cyber attacks, there were some instances where data breach was internal and unintentional. The main reason for these data breaches were poor data security standards that left the data exposed to unauthorized individuals. Let’s have a look at some of these instances.

Social media accounts data breach

On August 1st, it was discovered that around 235 million Instagram, Tiktok and YouTube user profiles were compromised. This data security breach happened due to an improperly secured cloud database. A Hong-Kong based company; Social Data was storing the data without password protection on their clouds. The data could be accessed by any individual easily as it was available freely on the internet. The data carries details like; Profile name, full real name, Engagement statistics, Number of followers, Age, Gender & Follower demographic.

While most of the data mentioned above are available publicly, what’s alarming is that the database contained about 20% of the records contained a phone number or an email address. Such private information is susceptible to cyberattacks, and hence, a cause of major concern.

Virgin media database contained personal details of 900,000 users were accessible online for about ten months before being discovered. The data security breach occurred due to an unsecured database, as it is reported that the database was ‘incorrectly configured’ by a staff member. The database contained information regarding the phone numbers, home and email address which were used for marketing purposes by the company.

The year 2020 has been challenging for enterprises with regard to cybersecurity. Enterprises need to strengthen their data security measures as much as possible.

Data was the common factor in all the stated breaches. And all of them have a vulnerable data security approach which lets these data leave these enterprises' security infrastructure undetected.

The problem here is the reliance on an older security approach that is limited to the perimeter and lacks data visibility to tackle new-age security challenges in the given work infrastructure.

These breaches could have been avoided if only their security solution had stronger visibility, deeper than the traditional layer 7 and the ability to monitor and control the use sensitive and practically enforce data handling policies over and above general verbal instructions.