It’s easy to think of hackers as masterminds who can crack the toughest defenses, but more often than not, attackers are simply waiting for an everyday user to slip up. As it turns out, the everyday user slips up very often: one widely cited estimate attributes 95% of data breaches to human error. Human error comes in many forms: clicking a phishing link, misconfiguring a cloud service, falling for a business email compromise, neglecting patches, or granting users more privilege than their job requires.
As the year comes to a close and we reflect on the data breaches of 2019, we couldn’t help but notice that many of them might have been prevented. Below are 12 major cybersecurity incidents reported in the last year alone that could have (and should have) been avoided.
1. Facebook
A bug in Facebook’s password management systems left hundreds of millions of user passwords stored in plaintext on internal systems, meaning that any Facebook employee with access to those systems could read user credentials. Passwords should never be stored in plaintext. They should be hashed with a unique random salt per user, using a deliberately slow password-hashing function such as bcrypt, scrypt, Argon2 or PBKDF2 rather than a fast general-purpose hash, so that even a stolen copy of the credential store does not hand an attacker working passwords.
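As an added illustration (example code written for this article, not Facebook’s code or anything from the incident), here is the storage pattern the paragraph above calls for, using only the Python standard library: PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt per password, a self-describing record so parameters can be raised later, and a constant-time comparison on verification. The iteration count is an assumption for the example; tune it so one hash costs tens of milliseconds on your own servers, and prefer Argon2 or bcrypt where a library for them is available.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: tune ITERATIONS so a single hash costs
# tens of milliseconds on your own hardware (slow for you, far slower for a cracker).
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per password means two users with the same password get
    different records, and precomputed (rainbow) tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or malformed record: never fall back to a plaintext comparison
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not stop at the first mismatching byte, so response
    # time does not reveal how close a guess was.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)                                                   # this is what goes in the database
    print(verify_password(stored, "correct horse battery staple"))  # True
    print(verify_password(stored, "Tr0ub4dor&3"))                   # False
```

Because the record carries its own iteration count, a deployment can raise `ITERATIONS` for new passwords and transparently re-hash old ones on the next successful login.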
2. FEMA
In March, the Federal Emergency Management Agency (FEMA) shared the sensitive data of 2.5 million disaster survivors with a third party. The overshared data included banking information of survivors who had applied for temporary housing assistance over the previous ten years.
3. Capital One
One of the most notable 2019 data breaches, the Capital One breach discovered in July, happened when a hacker exploited a misconfiguration in Capital One’s cloud infrastructure. Cloud misconfiguration is exactly the class of weakness experts have been warning about for years.
4. Adobe
Adobe left a database containing 7.5 million Creative Cloud user records publicly exposed. By the time security researchers discovered the open database, it was impossible to determine how long the records had been exposed.
5. Georgia Tech
1.3 million records of current and former Georgia Tech faculty and students were exposed when an unknown entity accessed the information through a vulnerability in a web application. The compromised data may have included names, addresses, Social Security numbers and dates of birth.
6. Nikkei
Japanese media conglomerate Nikkei Inc. fell victim to a business email compromise (BEC) attack when an employee at Nikkei America in New York transferred $29 million to an account controlled by an attacker posing as a Nikkei executive. BEC needs no malware: it succeeds whenever a payment request is acted on without verifying the requester through a second channel.
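To show what an impostor request looks like at the header level, here is an added example (written for this article, not code or mail from the Nikkei incident) that applies four common BEC heuristics to a raw message: an executive’s display name on an external address, a lookalike domain a couple of edits from the real one, a Reply-To that diverges from the visible sender, and payment or urgency language. The corporate domain `example.com`, the executive names and both sample messages are constructed for the example.

```python
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's real mail domain and the
# executives whose names an impostor is most likely to borrow. Both are made up.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}
PAYMENT_WORDS = ("wire", "transfer", "urgent", "invoice", "payment", "account")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings: list[str] = []

    # 1. A known executive's name on an address outside the corporate domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        findings.append(f"executive name '{display_name}' used from external domain {from_domain}")

    # 2. A domain one or two edits away from the real one (typosquat / homoglyph).
    if from_domain != CORPORATE_DOMAIN and levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike domain {from_domain} resembles {CORPORATE_DOMAIN}")

    # 3. Replies silently routed to a different mailbox than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. Payment or urgency language, counted only on a message already flagged above,
    #    so ordinary finance traffic from the real domain is not noisy.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if findings and any(word in text for word in PAYMENT_WORDS):
        findings.append("payment/urgency language in subject or body")
    return findings


# Constructed sample messages (not real mail from the Nikkei incident).
SUSPICIOUS = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: jane.doe.ceo@mail-examp1e.net\n"
    "To: accounts@example.com\n"
    "Subject: Urgent wire transfer before close of business\n"
    "\n"
    "I am travelling and cannot take calls. Please wire the attached invoice amount today.\n"
)

LEGITIMATE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Lunch on Thursday\n"
    "\n"
    "Noon works for me.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(raw))
```

Heuristics like these belong in a mail gateway or a finance-team triage tool, not as the final word: a flagged payment request should be confirmed by calling the requester on a number already on file, never on one supplied in the email.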
7. Burger King
Customers of Burger King’s Kool King Shop had their data exposed in an unprotected database that was publicly accessible to anyone. The data included usernames, dates of birth, phone numbers, passwords and email addresses.
8. DoorDash
4.9 million customers and DoorDash drivers had their information stolen in an incident that DoorDash blames on a third-party provider. Businesses must properly evaluate, and periodically reassess, any third parties and vendors with access to sensitive information.
9. Tech Data
The Fortune 500 tech giant Tech Data Corp was found to have a major security lapse that exposed customer data, including billing information. After security researchers disclosed the open database, Tech Data swiftly took it offline.
10. Facebook (again)
In a more recent Facebook privacy blunder, a researcher found more than 419 million records of Facebook users on an exposed server that was not password protected. The data included user IDs, names, genders and phone numbers.
11. First American Financial Corp.
In yet another case of an unprotected data store, real estate giant First American exposed 885 million financial records and other sensitive documents. First American blamed the leak on a “design defect” in its website.
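Five of the twelve incidents above are variations of one mistake: a data store reachable over the network with no authentication in front of it. As an added example (written for this article, not taken from any of the companies involved, whose database products and configurations are not described here), the following check flags that state in a MongoDB-style server configuration. It takes the dictionary a YAML parser would produce from mongod.conf and reads the documented net.bindIp, net.bindIpAll, security.authorization and net.tls.mode options; the two sample configurations are constructed.

```python
from __future__ import annotations

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_db_config(config: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a parsed MongoDB-style configuration."""
    net = config.get("net") or {}
    security = config.get("security") or {}

    # mongod defaults to localhost only; anything else in bindIp is reachable by other hosts.
    bind_ip = str(net.get("bindIp", "127.0.0.1"))
    addresses = {a.strip() for a in bind_ip.split(",") if a.strip()}
    if net.get("bindIpAll"):
        addresses = {"0.0.0.0", "::"}
    reachable = not addresses <= LOOPBACK
    auth_enabled = str(security.get("authorization", "disabled")).lower() == "enabled"
    tls_mode = str((net.get("tls") or {}).get("mode", "disabled"))

    findings: list[tuple[str, str]] = []
    if reachable and not auth_enabled:
        findings.append(("CRITICAL", f"listens on {sorted(addresses - LOOPBACK)} with authorization "
                         "disabled: anyone who can reach the port can read every record"))
    elif not auth_enabled:
        findings.append(("WARN", "authorization disabled: loopback only, but any local process or an "
                         "SSRF pivot through a co-located app can read the data"))
    elif reachable:
        findings.append(("INFO", f"reachable on {sorted(addresses - LOOPBACK)} with authorization "
                         "enabled; still restrict the port with a firewall or security group"))
    if reachable and tls_mode != "requireTLS":
        findings.append(("WARN", f"net.tls.mode is {tls_mode}: clients are not required to use TLS, "
                         "so data crosses the network in the clear"))
    return findings


# Constructed configurations: WEAK is the pattern behind the exposures listed above.
WEAK = {
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    "security": {"authorization": "disabled"},
}
HARDENED = {
    "net": {"bindIp": "127.0.0.1,10.0.0.5", "port": 27017, "tls": {"mode": "requireTLS"}},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for severity, message in audit_db_config(cfg) or [("OK", "no findings")]:
            print(f"  {severity}: {message}")
```

The same three questions (what interfaces does it listen on, is authentication required, is transport encrypted) apply to Elasticsearch, Redis or any other store; only the option names change. Run a check like this in CI against the configuration you deploy, and confirm from outside the network that the port is actually closed.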
12. Voova
A sacked Voova employee now faces jail time after destroying his former employer’s servers, reportedly using a former coworker’s credentials. Insider threats are becoming more frequent and are predicted to pose a bigger threat to organizations in 2020. The practical lesson is that offboarding must revoke every credential a departing employee held or could have learned, and that shared or borrowed accounts make that impossible to do reliably.
What can these incidents teach us?
It’s no simple task for any large enterprise to protect its data, but many of these 2019 data breaches could have been prevented. The best way to make sure there are no holes in your defenses and no vulnerabilities left unchecked is to train everyone in your organization or institution properly, and that includes employees at every level, not just the tech department.
Cybint’s advanced training platform helps reduce the risk of incidents like the ones listed above by training users based on their role. We don’t believe one-size-fits-all approaches work. Get in contact with one of our cyber experts to see how our no-nonsense approach can quickly lower your risk.