Top 10 Data Hacks and Breaches of 2020
From a hack of a vaccine maker to Twitter, the breaches affected millions, including at least one former President
Hackers continued to do their best this year to go after people's data and details. In some cases, people made this easier by being home and using personal computers and home Wi-Fi setups, which are much less secure than those at the office, to connect to work systems, creating more open doors for hackers to walk through.
Comcast, which provides a pipeline into homes for internet, reported it blocked, on average, 108 attacks a month on its subscribers' networks. We logged a lot of attacks that made the news this year — more than 150 of them made our weekly Data Breach Report. But even among that crew, a few stood out to us for either their scope, or for what was taken in 2020.
Clearview AI admitted to a hack involving its client list (Getty Images/iStock)
We started the year with a hack of Clearview AI, a facial recognition company that had been profiled by The New York Times, notably for the fact it claimed to have more than three billion images of the public in its databases. How did they get there? By being scraped from social media accounts on Facebook, Twitter, LinkedIn, YouTube and others. (Yes, that's in violation of those companies' terms of service.) Clearview AI's client list, in this case, was stolen — to which the company said that data thefts like this are now "a part of life."
Eight million eBay and Amazon shopping records exposed
A database with shopping records from sites including eBay was exposed (Getty Images/iStock)
One thing we did a lot more of in 2020 was online shopping, especially as many of us went into quarantine and stores were harder to visit. In March, a database with eight million shopping records from Amazon, eBay, PayPal, Shopify and Stripe was exposed by an unnamed third-party firm conducting cross-border value-added-tax (VAT) analysis. VAT is a tax people pay in countries including the UK and some in Europe, and in fact the majority of the data came from UK and European online shopping.
What was involved? Names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and the last four digits of credit card numbers.
Zoombombing, uninvited guests to Zoom calls, was a problem in 2020 (Zoom)
Not all hacks involve data being stolen. Some result in a different kind of intrusion. And in 2020, one of the biggest involved Zoombombing, when uninvited people found ways to break into Zoom calls, filling the screens with sounds and even pornographic imagery that's not always appreciated. To add insult, security researchers also found exploits, including one reported by TechCrunch that allows hackers to take over the webcam and microphone of Mac users.
Zoom even had to halt adding new features for 90 days while it worked to beef up security and privacy. Part of the problem, Zoom noted, is that its user base is up from about 10 million logging on every day before the coronavirus pandemic took hold — to about 200 million.
Marriott had a data breach that involved more than five million of its guests (Getty Images/iStock)
Hotels really took a hit this year with the cliff drop of travelers. And then Marriott suffered a data breach that affected more than five million guests, with details ranging from guests' names to their birth dates. The breach took place between mid-January and February of 2020, and happened after someone used log-in details of two employees at a franchise of the hotel chain, said Marriott.
While financial details, like credit cards, weren't impacted, guests' loyalty programs were involved and included airline frequent flyer details such as account numbers, and mailing addresses.
Bank of America
Customers who applied for PPP loans through Bank of America had some of their data exposed (Getty Images/iStock)
One of the ways people kept themselves afloat monetarily this year was through a loan called the Paycheck Protection Program (PPP). Unfortunately, business clients who used Bank of America may have found themselves victims of a data breach on April 22, when the bank uploaded PPP applications onto the US Small Business Administration's test platform.
The bank said application information, from postal addresses to tax identification numbers, may have been visible to other SBA-authorized lenders and their vendors, plus business owners' information like their name, address, Social Security number, phone number, email and citizenship status.
Twitter users including Barack Obama saw their accounts hacked (Getty Images/iStock)
Mid-way through the year, hackers decided they needed to play a little — perhaps cracking businesses for their data wasn't fun enough. So on July 15, accounts of famous Twitter users including Barack Obama, Joe Biden, Jeff Bezos, Bill Gates, Elon Musk and others were taken over through a bit of social engineering, which resulted in a tweet posted on these accounts about a bitcoin scam. Not only were accounts breached but, in some cases, so were private direct messages, those of 36 people.
Twitter initially said 130 accounts were targeted by the hackers, who are understood to have accessed system tools used by staff at the social media company. The attack not only set off alarm bells — the hackers walked away from the attack with about $110,000 worth of bitcoin paid into a wallet they were using.
Instagram, TikTok and YouTube
TikTok user names and contact information were compromised (Getty Images/iStock)
The names and contact information of over 230 million users of Instagram, TikTok and YouTube were compromised, after a breach of a company called Social Data, which sells details on social media influencers to marketers. Social Data says the data it held was publicly available, but social media companies have rules against so-called scraping, where public data is taken in huge quantities from user profile pages. The data, held in an unprotected database and discovered by Comparitech, included names, contact information, personal information, images and statistics about followers.
TikTok too got into a bit of hot water about the same time, after a report in The Wall Street Journal found that the social media site had been collecting MAC addresses — which are unique to a specific device — of Android users, and hiding the practice the entire time.
Booking.com, Expedia, Hotels.com and more
Details related to travel, including credit card numbers, were left exposed (Getty Images/iStock)
More injury hit travel companies during 2020, when a huge data breach was reported involving an online hotel booking platform called Cloud Hospitality. Personal details, from names to unprotected credit card information, were exposed through the booking service used by companies including Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and others. Data that was left wide open and freely available (if you knew where to look) included full customer names, email addresses, national ID numbers and phone numbers, plus credit card numbers, cardholder names, CVV codes and expiration dates. The data even included reservation numbers, the dates when customers stayed at hotels, special requests made by guests, the number of guests on a booking, and each of their names.
An online game for children was hacked, with usernames and other data taken (Getty Images/iStock)
A hugely popular children's online playground called Animal Jam suffered a data breach involving 46 million accounts. Animal Jam is an online environment where children, ages 7 to 11, build avatars and play together. More than 300 million animal avatars are said to have been created by users in the game's history, and the stolen database, which has only been partially shared by hackers, is believed to have contained 46 million player usernames (which do not contain a child's real name), plus 46 million hashed passwords, seven million email addresses of parents who have created accounts for their children, parents' IP addresses, and a smaller subset of parent billing addresses, plus player gender and birthdates.
Pfizer Covid-19 vaccine data
Documents related to the development of a Covid-19 vaccine were hacked (Getty Images/iStock)
Finally, just a day after the world's first Covid-19 vaccinations took place, drugmaker Pfizer and its partner BioNTech said documents related to the development of the vaccine had been "unlawfully accessed" during a cyberattack. Pfizer and BioNTech said they did not believe any personal data of vaccine trial participants had been compromised, but it was said that documents relating to the creation of the vaccine, which was first used in the UK, would be extremely valuable to other companies working to create a Covid-19 vaccine.
Data on Covid-19 and the various vaccines in development has become a high-value target for hackers the world over. Allegations have previously been reported of hackers from North Korea, South Korea, Iran, Vietnam, China and Russia trying to steal information about the virus and treatment.