X
Tech

The biggest hacks, data breaches of 2020

A pandemic is no reason for hackers to hold off cyberattacks against everything from government bodies to healthcare providers.
Written by Charlie Osborne, Contributing Writer

Cybersecurity may be far from many of our minds this year, and in light of a pandemic and catastrophic economic disruption, remembering to maintain our own personal privacy and security online isn't necessarily a priority. 

SEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF) (TechRepublic)

However, cyberattackers certainly haven't given anyone a break this year. Data breaches, network infiltrations, bulk data theft and sale, identity theft, and ransomware outbreaks have all occurred over 2020 and the underground market shows no signs of stopping.

As a large swathe of the global population shifted to work from home models and businesses rapidly transitioned to remote operations, threat actors also pivoted. Research suggests that remote workers have become the source of up to 20% of cybersecurity incidents, ransomware is on the rise, and we are yet to learn that "123456" is not an adequate password

Many companies and organizations, too, have yet to practice reasonable security hygiene, and vulnerabilities pose a constant threat to corporate networks. As a result, we've seen a variety of cyberattacks this year, the worst of which we have documented below.

Also: What is cyber insurance? Everything you need to know about what it covers and how it works 

January:

  • Travelex: Travelex services were pulled offline following a malware infection. The company itself and businesses using the platform to provide currency exchange services were all affected.
  • IRS tax refunds: A US resident was jailed for using information leaked through data breaches to file fraudulent tax returns worth $12 million. 
  • Manor Independent School District: The Texas school district lost $2.3 million during a phishing scam.
  • Wawa: 30 million records containing customers' details were made available for sale online. 
  • Microsoft: The Redmond giant disclosed that five servers used to store anonymized user analytics were exposed and open on the Internet without adequate protection.
  • Medical marijuana: A database backing point-of-sale systems used in medical and recreational marijuana dispensaries was compromised, impacting an estimated 30,000 US users.

February:

  • Estée Lauder: 440 million internal records were reportedly exposed due to middleware security failures. 
  • Denmark's government tax portal: The taxpayer identification numbers of 1.26 million Danish citizens were accidentally exposed.
  • DOD DISA: The Defense Information Systems Agency (DISA), which handles IT for the White House, admitted to a data breach potentially compromising employee records.
  • UK Financial Conduct Authority (FCA): The FCA released sensitive information belonging to roughly 1,600 consumers by accident as part of an FOIA request.
  • Clearview: Clearview AI's entire client list was stolen due to a software vulnerability.
  • General Electric: GE warned workers that an unauthorized individual was able to access information belonging to them due to security failures with supplier Canon Business Process Service.

March:

  • T-Mobile: A hacker gained access to employee email accounts, compromising data belonging to customers and employees. 
  • Marriott: The hotel chain suffered a cyberattack in which email accounts were infiltrated. 5.2 million hotel guests were impacted. 
  • Whisper: The anonymous secret-sharing app exposed millions of users' private profiles and datasets online.
  • UK Home Office: GDPR was breached 100 times in the handling of the Home Office's EU Settlement Scheme.
  • SIM-swap hacking rings: Europol made arrests across Europe, taking out SIM-swap hackers responsible for the theft of over €3 million.
  • Virgin Media: The company exposed the data of 900,000 users through an open marketing database.
  • Whisper: Millions of users' private profiles and datasets were left, exposed and online, for the world to see.
  • MCA Wizard: 425GB in sensitive documents belonging to financial companies was publicly accessible through a database linked to the MCA Wizard app.
  • NutriBullet: NutriBullet became a victim of a Magecart attack, with payment card skimming code infecting the firm's e-commerce store.
  • Marriott: Marriott disclosed a new data breach impacting 5.2 million hotel guests.

April:

  • US Small Business Administration (SBA): Up to 8,000 applicants for emergency loans were embroiled in a PII data leak.
  • Nintendo: 160,000 users were affected by a mass account hijacking campaign.
  • Email.it: The Italian email provider failed to protect the data of 600,000 users, leading to its sale on the Dark Web.
  • Nintendo: Nintendo said 160,000 users were impacted by a mass account hijacking account caused by the NNID legacy login system.
  • US Small Business Administration (SBA): The SBA revealed as many as 8,000 business emergency loan applicants were involved in a data breach.

May:

  • EasyJet: The budget airline revealed a data breach exposing data belonging to nine million customers, including some financial records.
  • Blackbaud: The cloud service provider was hit by ransomware operators who hijacked customer systems. The company later paid a ransom to stop client data from being leaked online.
  • Mitsubishi: A data breach suffered by the company potentially also resulted in confidential missile design data being stolen.
  • Toll Group: The logistics giant was hit by a second ransomware attack in three months. 
  • Pakistani mobile users: Data belonging to 44 million Pakistani mobile users was leaked online.
  • Illinois: The Illinois Department of Employment Security (IDES) leaked records concerning citizens applying for unemployment benefits.
  • Wishbone: 40 million user records were published online by the ShinyHunters hacking group.
  • EasyJet: An £18 billion class-action lawsuit was launched to compensate customers impacted by a data breach in the same month.

June:

  • Amtrak: Customer PII was leaked and some Amtrak Guest Rewards accounts were accessed by hackers.
  • University of California SF: The university paid a $1.14 million ransom to hackers in order to save COVID-19 research.
  • AWS: AWS mitigated a massive 2.3 Tbps DDoS attack. 
  • Postbank: A rogue employee at the South African bank obtained a master key and stole $3.2 million.
  • NASA: The DopplePaymer ransomware gang claimed to have breached a NASA IT contractor's networks. 
  • Claire's: The accessories company fell prey to a card-skimming Magecart infection.

July:

  • CouchSurfing: 17 million records belonging to CouchSurfing were found on an underground forum.
  • University of York: The UK university disclosed a data breach caused by Blackbaud. Staff and student records were stolen.
  • MyCastingFile: A US casting platform for actors exposed the PII of 260,000 users.
  • SigRed: Microsoft patched a 17-year-old exploit that could be used to hijack Microsoft Windows Servers.
  • MGM Resorts: A hacker put the records of 142 million MGM guests online for sale.
  • V Shred: The PII of 99,000 customers and trainers was exposed online and V Shred only partially resolved the problem.
  • BlueLeaks: Law enforcement closed down a portal used to host 269 GB in stolen files belonging to US police departments.
  • EDP: The energy provider confirmed a Ragnar Locker ransomware incident. Over 10TB in business records were apparently stolen.
  • MongoDB: A hacker attempted to ransom 23,000 MongoDB databases.

CNET: Russian and North Korean hackers are targeting COVID-19 vaccine researchers | The best outdoor home security cameras for 2020 | Android and iPhones are all about privacy now, but startup OSOM thinks it can do better

August:

  • Cisco: A former engineer pleaded guilty to causing massive amounts of damage to Cisco networks, costing the company $2.4 million to fix.
  • Canon: The photography giant was struck by ransomware gang Maze.
  • LG, Xerox: Maze struck again, publishing data belonging to these companies after failing to secure blackmail payments.
  • Intel: 20GB of sensitive, corporate data belonging to Intel was published online.
  • The Ritz, London: Fraudsters posed as staff in a clever phishing scam against Ritz clients.
  • Freepik: The free photos platform disclosed a data breach impacting 8.3 million users. 
  • University of Utah: The university gave in to cybercriminals and paid a $457,000 ransom to stop the group from publishing student information.
  • Experian, South Africa: Experian's South African branch disclosed a data breach impacting 24 million customers. 
  • Carnival: The cruise operator disclosed a ransomware attack and subsequent data breach.

See also: Black Hat: When penetration testing earns you a felony arrest record

September:

  • Nevada: A Nevada school, suffering a ransomware attack, refused to pay the cybercriminals -- and so student data was published online in retaliation. 
  • German hospital ransomware: A hospital patient passed away after being redirected away from a hospital suffering an active ransomware infection.
  • Belarus law enforcement: The private information of 1,000 high-ranking police officers was leaked. 
  • NS8: The CEO of the cyberfraud startup was accused of defrauding investors out of $123 million.
  • Satellites: Iranian hackers were charged for compromising US satellites. 
  • Cerberus: The developers of the Cerberus banking Trojan released the malware's source code after failing to sell it privately. 
  • BancoEstado: The Chilean bank was forced to close down branches due to ransomware.

October: 

  • Barnes & Noble: The bookseller experienced a cyberattack, believed to be the handiwork of the ransomware group Egregor. Stolen records were leaked online as proof. 
  • UN IMO: The United Nations International Maritime Organization (UN IMO) disclosed a security breach affecting public systems.
  • Boom! Mobile: The telecom service provider became the victim of a Magecart card-skimming attack.
  • Google: Google said it mitigated a 2.54 Tbps DDoS attack, one of the largest ever recorded.
  • Dickey's: The US barbeque restaurant chain suffered a point-of-sale attack between July 2019 and August 2020. Three million customers had their card details later posted online.  
  • Ubisoft, Crytek: Sensitive information belonging to the gaming giants was released online by the Egregor ransomware gang.
  • Amazon insider trading: A former Amazon finance manager and their family were charged for running a $1.4 million insider trading scam.

The worst IoT, smart home hacks of 2020 (so far)

November: 

  • Manchester United: Manchester United football club said it was investigating a security incident impacting internal systems.
  • Vertafore: 27.7 million Texas drivers' PII was compromised due to "human error."
  • Campari: Campari was knocked offline following a ransomware attack.
  • $100 million botnet: A Russian hacker was jailed for operating a botnet responsible for draining $100 million from victim bank accounts. 
  • Mashable: A hacker published a copy of a Mashable database online.
  • Capcom: Capcom became a victim of the Ragnar Locker ransomware, disrupting internal systems.
  • Home Depot: The US retailer agreed to a $17.5 million settlement after a PoS malware infection impacted millions of shoppers.
  • Embraer: The Brazilian aerospace company was struck by a cyberattack leading to data theft. 

TechRepublic: How remote working poses security risks for your organization | How phishing attacks are exploiting Google's own tools and services | Linux and open source: The biggest issue in 2020

December:

  • Leonardo SpA: Italian police arrested suspects believed to have stolen up to 10GB in sensitive corporate and military data from the defense contractor. 
  • Flight Centre: A 2017 hackathon launched by the company was found to be the source of a leak involving credit card records and passport numbers belonging to close to 7,000 people. 
  • Vancouver TransLink: A ransomware attack disrupted Compass metro cards and Compass ticketing kiosks for two days. 
  • Absa: A rogue employee at the South Africa-based bank is thought to be responsible for the leak of personally identifiable information belonging to customers. 
  • HMRC: The UK tax office was branded 'incompetent' due to 11 serious data breaches impacting close to 24,000 people.
  • FireEye: FireEye disclosed a cyberattack, suspected to be the work of a nation-state group. The cybersecurity firm said the hack resulted in penetration tools being stolen. 

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


Editorial standards