5 Massive Data Breaches That Shook the Cybersecurity World in 2020

Security concerns are top-of-mind for every IT professional given the rise of COVID-19-related attacks and increased use of digital services that have exponentially upped data volumes. The year has been peppered with a wide range of cybersecurity incidents, both inadvertent and malicious. In some cases, the attack led to a direct financial loss, while others are yet to show any concrete negative outcome.

IBM foundOpens a new window that the global average cost of a data breach is a massive $3.86 million in 2020 and for mega breaches (involving 1 million+ records), this number can up by 12x to 100x times. Given the high stakes around cybersecurity, companies must reinforce their digital safeguards in 2020 and beyond. 

Let’s consider five of the biggest breaches and cybersecurity incidents from 2020 and how they should inform the cybersecurity posture in the future. 

Learn More: Know Your Company’s Enemy: 3 Different Types of Data Breaches 

2020’s 5 Biggest Cybersecurity Breaches and What They Tell Us

This list shares some of the most worrying incidents, spanning common threat types like ransomware, social engineering, vulnerability exploitation, massive scale customer data exposure, and third-party weaknesses. 

 Disclaimer: Please note that this is not an exhaustive list. It attempts to offer a holistic perspective on 2020’s cybersecurity landscape, as illustrated by some of the most unexpected, shocking, and high-value breaches reported so far, across different industries and threat types.  

1. Twitter sees a $1.3 billion dip in market value after an account takeover attack (ATO)

On July 15, 130 high-profile Twitter accounts were taken over by hackers in an attempt to fool Twitter followers into investing in a bitcoin scam. The hackers were able to send tweets from 45 high-profile accounts, access the direct messages for 36 accounts, and download account information from eight accounts. The incident was widely scrutinized as among the biggest breaches ever for a social media platform, which are regularly tasked with safeguarding billions of user data records. 

The event had several ramifications:

• To begin with, over 300 users were duped of approximately $1,20,000 in the first two hours of the attack
• The company’s market value dropped by over 4%, wiping off $1.3 billionOpens a new window in value 
• There are indications that the U.S.’ Federal Trade Commission could fine Twitter up to $250 million as disclosed by a public filingOpens a new window

What’s most interesting is that the attack was engineered by a 17-year old based out of Florida, helped by two other youths. The hacker targeted a company employee, convincing them that he was a co-worker at Twitter to extract employee access credentials. 

The incident highlights the urgent need for security awareness training among employees and zero-trust privilege, where employees have limited access to sensitive information. 

2. Nintendo hack compromises 300,000 accounts not using MFA

Earlier in April, reportsOpens a new window were going around suggesting that an unauthorized third-party might be accessing Nintendo user accounts. Several users received alerts that someone was trying to access their accounts, but in most cases, the attack was foiled by multi-factor authentication (MFA). But this didn’t cover every single customer. 

There were two ramifications for the event – first, Nintendo had to shut down its login via NNID (Nintendo Network ID) feature and reset all passwords. Second, approximately 300,000 accountsOpens a new window were breached with malicious intent, which is a sizable number, even if it comprises less than 1% of Nintendo’s user base. 

While Nintendo recommended MFA to its users, it wasn’t mandatory. This led to an entirely avoidable loss of brand reputation, not to mention financial losses from linked wallets and Paypal accounts. 

Admittedly, MFA does have its limitations and it isn’t foolproof. However, it is definitely the first and most foundational step in securing user profiles, and one that can (and should) be easily implemented. 

3. Software AG faces $23 million in ransom due to data theft

Software AG is Germany’s second-largest software vendor, serving about 70% of the world’s Fortune 1000 companies. Software AG witnessedOpens a new window a ransomware attack in October 2020, compromising highly sensitive information. The attacker used an advanced ransomware variant called Clop, threatening to release the entire dataset it possessed if the ransom wasn’t paid. 

Here are the ramifications: 

• Sensitive employee personally identifiable information (PII) was breached. This includes1 terabyte of passport numbers, photo IDs, healthcare information, contact lists, and even employment contracts 
• The hackers demanded a ransom of $23 million, which, if not paid, the data would be published – as per a screenshot posted on a dark web leak site 

Interestingly, there is no public indication that Software AG has paid the ransom. Instead, the company is investigating the eventOpens a new window and working to strengthen its internal systems in response. 

A robust business continuity and disaster recovery (BCDR) mechanism is an essential part of cybersecurity. It would allow companies to resume business as usual soon after an attack, securing internal systems without affecting customer-facing services. 

Learn More: Data Breaches Cost Over $1.8 Trillion to U.S. Firms in 2019: Survey 

4. Marriott sees 5.2 million customer data records getting compromised

In the last few years, Marriot has come under scrutiny for its cybersecurity vulnerabilities, and in March of this year, it experiencedOpens a new window a second large-scale attack. The company announced that an unexpected amount of guest information was exposed between January and February. Hackers were able to use two employees’ login credentials at a franchisee property to gain access to sensitive customer records. This has several ramifications: 

• Sensitive PII, including contact details, loyalty account information, identification details, partnerships/affiliations, and room preferences were exposed due to the attack 
• Marriot already faces an £18.4 million fine in the U.K. in link with an earlier data breach. This new attack could add on fresh fines, hitting Marriot at a time when it is already suffering due to the pandemic  

Interestingly, the exact vulnerabilities which led to the attack are yet to be shared with the public. The company is conducting an internal investigation and has launched a dedicated website for affected customers. The long-term impact of this 2020 data breach remains to be seen, even as the company reels from existing financial burdens from the previous breach that went unnoticed for four years. 

Employees continue to be a weak link. It is advisable to limit customer data access to a select few. Also, companies must adopt separate customer data security technologies on top of IT security budgets. 

5. Warner Music Group’s cybersecurity incident endangers $5 million+ in value

Warner Music Group (WMG) is a global multinational music publishing company responsible for several e-commerce and online shopping portals. In September 2020, WMG revealed that some of its U.S.-based e-commerce properties were breached between April and August. Across these months, an unauthorized third-party gained access to WMG’s e-commerce websites that were hosted by an external service provider. Any personal information that customers entered on the websites’ checkout pages were vulnerable. 

Hackers used the threat originated from Magecart, a cybercrime syndicate that specializes in payment fraud and transaction data theft. The attack had the following ramifications: 

• While the WMG hasn’t publicized which websites or customers were affected, the company now faces litigation in the state of New York. A class action complaintOpens a new window has been filed, demanding a trial by jury  
• The filing places the full value of the “matter” at $5 million, indicating the scale of the problem  

The filing notes several worrying impacts of the attack. The plaintiff has noted fraudulent charges, unusual card behavior, spam texts, and emails, etc., after entering his personal information on an e-commerce website called www.dead.netOpens a new window , run by WMG. 

The incident highlights the need for consistent cybersecurity and data governance across the entire enterprise landscape, including subsidiaries and externally managed properties. Otherwise, these less-monitored offshoots could lead to vulnerabilities, which ultimately are the onus of the company – both in the public as well as the law’s eyes. 

Learn More: Six Tips for Avoiding Data Breaches 

Preparing for 2021

These were among the biggest data breaches and cybersecurity attacks of 2020, revealing glaring holes in companies’ cybersecurity postures. Fortunately, several solutions are available in the market that could prevent similar attacks, keeping pace with the evolution of sophisticated threats. 

In 2021, companies need to look at this from two perspectives: compliance and security. Cutting corners in data privacy and compliance to get to market faster doesn’t pay in the long run. Finally, security technologies, training, and processes are integral to detecting and preventing a breach on time. 

Do you have a strategy in place to mitigate the threat of a data breach in 2021? Comment below or let us know on FacebookOpens a new window , LinkedInOpens a new window , and TwitterOpens a new window . We would love to hear from you!