With the massive shift to remote work due to COVID-19 – with upwards of 42% of US employees now working remotely according to Stanford professor William D. Eberle – there’s been an uptick in security breaches. It seems reasonable to expect this trend to continue as working from home is normalized and more employees use personal devices to access the infrastructure necessary to perform their duties.
Here’s a quick rundown of the largest data security breaches from last year:
SolarWinds
In one of the biggest and most sophisticated cyber espionage attacks ever seen, SolarWinds reported that around 18,000 of its customers were infected, including several US federal agencies. The hackers, whom many believe to be Russian intelligence, hid their malicious code inside a routine software update, a technique known as a supply-chain attack. When the update was installed, so too was the malware.
The attack reached both the public and private sectors. At least six federal agencies, including the departments of State, Homeland Security, Commerce and Energy, were hacked as part of the campaign. Cisco, Intel, Nvidia, VMware and Belkin were also victims of the attack, having installed the software on their systems. Many more are likely to be discovered as security agencies continue to investigate.
Perhaps the largest victim was Microsoft, which confirmed on Dec. 17 that it found indicators of the malware in its systems. Microsoft said it had identified more than 40 customers that were targeted in the hack.
Marriott
After a data breach in 2018, Marriott says a security breach may have compromised the personal information of 5.2 million guests. The exposed data is thought to include names, addresses, phone numbers, loyalty member data, and dates of birth.
The previous data breach affected Starwood, a Marriott subsidiary, and resulted in a fine of $123 million.
The investigation is still ongoing but it’s safe to say that Marriott has suffered a massive blow to its reputation.
EasyJet
Towards the end of May 2020, EasyJet, a British budget airline group, reported that it was “the target of an attack from a highly sophisticated source” that resulted in a data breach.
This breach resulted in the exposure of the email addresses and travel information of 9 million customers and the credit card details of 2,208 more.
Even though the exact cause of the breach hasn’t been released, one can safely assume that cybersecurity gaps were exploited. Even top-of-the-line cybersecurity solutions are only as good as the employee training and organizational processes behind them. With a majority of employees working from home, many lack the IT support and infrastructure available in-office.
Nintendo
Approximately 300,000 Nintendo accounts were breached back in June. Currently, Nintendo has no “evidence pointing towards a breach of Nintendo’s databases, servers or services.” It appears that unauthorized actors gained access with login IDs and passwords that were “obtained illegally” from other services.
Zoom
With COVID forcing employees to work remotely, Zoom became the quick solution for web conferencing. With the massive injection of users, it’s difficult to be surprised by Zoom’s latest security snafu: the surfacing of at least 500,000 accounts for sale on a dark web forum. For $0.0020 you could audit some university classes or sit in on Chase Bank meetings.
These accounts seem to have been obtained through credential stuffing, the use of credentials that were obtained in past breaches of other organizations. While Zoom could have checked registered usernames and passwords against a list of known compromised credentials, and should be justly criticized, it’s also necessary for end users to protect themselves with strong and unique passwords for different accounts along with two-factor authentication.
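The check described above, sketched as an added example that is not from the original article or from Zoom: a sign-up screen that rejects passwords found in a list of known compromised credentials. The breach list is a constructed sample, all function names are hypothetical, and the lookup by 5-character SHA-1 prefix (so the list holder never sees the full hash) is an assumed design choice; it covers passwords only, not username/password pairs.

```python
import hashlib
from collections import defaultdict

# Constructed sample: password -> times seen in earlier breaches (not real leak data).
CONSTRUCTED_BREACH_CORPUS = {
    "password1": 2_400_000,
    "qwerty123": 980_000,
    "zoom2020": 1_300,
}

def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, used only as a lookup key for the breach list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Group breached-password hashes by their first 5 hex characters."""
    index = defaultdict(dict)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return dict(index)

def range_lookup(index, prefix):
    """Stand-in for the breach-list holder: it only ever receives the prefix."""
    return dict(index.get(prefix, {}))

def breach_count(index, password):
    """Return how often the password appears in the breach list (0 if never)."""
    digest = sha1_hex(password)
    candidates = range_lookup(index, digest[:5])
    # The comparison against the 35-character suffix happens on the caller's side.
    return candidates.get(digest[5:], 0)

def check_registration(index, username, password, threshold=1):
    """Decide at sign-up or password change; returns (accepted, reason)."""
    if password.lower() == username.lower():
        return False, "password equals username"
    seen = breach_count(index, password)
    if seen >= threshold:
        return False, f"password appears {seen} times in known breaches"
    return True, "ok"

INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)

if __name__ == "__main__":
    for user, pw in [("student01", "zoom2020"), ("student01", "k7#Vq-long-unique-phrase-91")]:
        print(user, check_registration(INDEX, user, pw))
```

Running the same check at login time as well catches accounts whose passwords were leaked after registration.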
CAM4
In perhaps one of the more embarrassing data leaks this year, around 7 TB, or 10 billion records, were leaked due to a misconfigured server that held the user information for CAM4, a live-streaming adult website. Much of this information consists of full names and email addresses. Given the sensitive nature of this leak, compromised users could be targets of phishing emails and blackmail.