5 Shocking IT Security Blunders of 2020 (So Far)

Amidst all the hype around increasing cyberattacks, one trend is often swept under the rug — a huge portion of security incidents are caused by accident, negligence, or human error. Despite no malicious intent from either an internal or external threat, several companies end up exposing confidential data and letting in the risk of attacks. 

In a 2020 surveyOpens a new window , 78% of IT leaders said that employees accidentally caused data breaches, and 68% of the surveyed employees admitted to a similar trend. Analysts estimate that as many as 10 billion data records could be lying vulnerable even as we speak, simply due to IT security blunders.

In a highly connected world like the one we live in, IT needs to be aware of the security implications of digital modernization. As we switch to Zoom, Slack and other cloud applications, there is a greater potential for a new vulnerability at every step of progress. 

Here, we take a look at some of the notable IT security blunders from 2020 that could have been easily avoided but ended up playing out in the public domain. 

 Learn More: CTO Perspective: 3 Biggest Lessons From Twitter Hack 

1. Home Depot’s email blunder exposes hundreds of customers’ order data 

Recently, Home Depot Canada mistakenly sent out order pickup reminders to its entire customer list instead of the customers who had ordered the product. Each user received 600+ reminder emails, including personal data. The last four digits of a credit/debit card, the exact details of the product purchase, order number, customer name, and even address were all mentioned in the email. 

On the surface, it might seem like a mere inconvenience for the accidental email recipients – but the implications are far more treacherous. For example, if a malicious entity got hold of this information, it could perform targeted phishing attacks using the exact product details as bait. 

The Lesson: Cybersecurity can no longer exist as a walled kingdom. The same protocols, standards, and best practices have to be followed across non-IT business units – marketing, supply chain, sales, etc. cybersecurity leaders need to collaborate with team leaders to drive home the gravity of the threat. 

SourceOpens a new window

2. Microsoft’s backend misconfiguration exposes technical details of 30 billion search queries 

Microsoft has mostly managed to avoid cybersecurity incident headlines, owing to its keen focus on regular patches, vulnerabilities scanning, and bounty programs. However, this year a misconfigured serverOpens a new window caused a massive volume of Bing search queries to get exposed. To be specific, the server contained over 6.5TB of log files or 30 billion records. 

A Microsoft IT employee neglected to password protect a Bing backend Elasticsearch server, opening it to third-party access for a limited time. Fortunately, no Personally identifiable information (PII) was exposed – but technical details such as the user’s system, geo-location, coupon codes, etc., were all visible. 

The Lesson: Often, robust security comes down not to the strength of your measures but how consistently they are applied. Basic measures like password protection, firewalls, and VPN systems can be extremely effective in securing your data systems. It requires little investment and a conscious effort from all employees involved.

 

SourceOpens a new window

3. Social media blunder lets an unauthorized entity into a top-secret defense meeting

A third-party was able to hack into a secret virtual conference between the E.U. defense ministers due to a social media blunder. Here’s what happened: 

• Several defense ministers across the European Union were scheduled to meet virtually for a confidential consultation
• In the process of sharing/copy-pasting the meeting details, Dutch Minister Ank Bijleveld inadvertently posted a screenshot on his Twitter account 
• A journalist named Daniel Verlaan spotted the screenshot and got hold of the meeting details before it could be redacted from social media 
• The journalists could successfully login “to everyone’s surprise,” but no harm was caused as there was no malicious intent

The scenario would have been very different had it been a hacker instead of a responsible journalist who got hold of the meeting details. 

The Lesson: Remote collaboration and exchange of high-value information through digital channels is here to stay, at least for the next couple of quarters of 2021. IT teams must look after users’ digital literacy to prevent such blunders – especially in industries like healthcare, science, and the public sector. 

@danielverlaanOpens a new window told VICE World News the Dutch ministry said it was not possible to join the call with just the PIN as there was an extra security step, but then he suddenly joined while on the phone with a colleague

“It was really unexpected.”

— Matthew Champion (@matthewchampion) November 22, 2020Opens a new window

Learn More: Top 5 Tips for Safe Internet Browsing in 2021 

4. Hosting provider negligence causes 63 million user records to become publicly available 

Third-party application hosting providers are responsible for how customer data is routed, utilized, and stored. Recently, a Texas-based provider called Cloud Cluster admitted that it had left a sensitive database open to the public internet. 

It included usernames and passwords for up to 63 million people. There is a possibility that other data types like Magento credentials, WordPress account details, backups, monitoring logs, etc., were also exposed. Cloud Clusters is yet to respond to the event or share the exact details – but there is early evidence of a Meow bot attack, which is a malicious script for deleting data could be the reason for the data leak. 

The Lesson: Whom you trust to host your data is as important as your internal defense mechanisms. The process of third-party selection must involve cybersecurity personnel to carefully assess the vendor’s track records, security policies, and contingency plans. 

Hosting Provider leaks over 60 million records that include passwords and login details. Check out the full story here: #dataOpens a new window #infosecOpens a new window #CyberSecOpens a new window #databreachOpens a new window #DataLeakOpens a new window #techOpens a new window #TechNewsOpens a new window #newsOpens a new window #SecurityOpens a new window

— Jeremiah Fowler Security Researcher (@yoda69) November 9, 2020Opens a new window

5. Virgin Media’s misconfigured database exposes 900,000 customers’ PII

Telecom giant Virgin Media came under scrutiny for weak defense mechanisms on one of its servers. The company said an incorrectly configured database left consumer records exposed for up to 10 months or more. At least one third-party accessed the data during that time – but the real extent of the damage is yet to be assessed. 

The vulnerable database contained up to 900,000 customers’ PII, including names, home addresses, email IDs, and phone numbers. It was immediately shut down once the security incident was reported. 

The Lesson: Your servers and databases need regular audits, patches, and upgrades to be truly secure. An “archive and forget” model makes the system a sitting duck for attackers as the data is already out in the open.  Create a chain of ownership rather than holding one employee responsible and accountable. 

Hi Neal, we’re sorry this has happened. To reassure you, the database didn’t include financial details or passwords. We’re contacting affected customers in the next 24-48 hours. There’s more info here: ^PDe

— Virgin Media (@virginmedia) March 6, 2020Opens a new window

Learn More: Preparing for the Next Wave of U.S. Data Protection Regulations 

Closing Thoughts 

The global health crisis has accelerated our dependence on technology, creating a potential cybersecurity minefield. In 2021, IT teams must stay vigilant and approach cybersecurity as a proactive function and not merely defend against external attacks. After all, prevention is always better than cure, particularly in a space where the “cure” often costs millions in recovery and unquantifiable damage to business reputation. 

Are there other security blunders that IT should avoid?  Let us know on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!