The 25 Biggest Data Breaches and Attacks of 2020

2020 has become the year of change and challenge.

During the COVID-19 pandemic, business has changed radically for nearly every organization across the world. They are faced with overwhelming, competing challenges as they continue to navigate the crisis.

Data breaches are challenges that concern businesses amidst the uncertainty. While organizations have focused on newly pressing concerns-employee well-being, finance availability, and operational resilience—cybersecurity threats and attacks have escalated rapidly.

RiskBased Security’s publication of the 2020 Data Breach Report listed 2020 as the ‘worst year on record‘ by the end of the second quarter in terms of the number of records exposed due to data breaches.

As per the report, the number of records exposed in the first three quarters of 2020 reached a staggering 36 billion, with the three months of Q3 adding 8.3 billion records.

Here are some of the world’s most devastating data breaches that made headlines in 2020:

Infographic: Top 25 Massive Data Breaches in 2020

1) Estee Lauder Data Breach

In January, cosmetics giant Estée Lauder exposed its database containing over 440 million records on the internet. As per the company, the database was from an “education platform,” which did not contain consumer data.

  • Date: January 2020
  • Records exposed: 440,336,852

The exposed data contained:

  • User emails
  • IP Addresses
  • Ports
  • Pathways
  • Storage information

2) Microsoft Data Breach

On January 22, 2020, the tech giant Microsoft disclosed a data breach that occurred on December 5, 2019, due to the misconfiguration of an internal customer support database.

According to ZDNet, the breach exposed 250 million records containing information such as email addresses, IP addresses, and support case details.

“Upon notification of the issue, engineers remediated the configuration on December 31, 2019, to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services,” said Microsoft.

  • Date: January 2020
  • Records exposed: 250 million

3) Unacademy Data Breach

Unacademy, one of the popular online education platforms in India, was hacked in January this year. The security breach led to the exposure of data of around 20 million of its users.

The malicious actor gained access to the entire database of Unacademy and had put the stolen data on sale in the hacker forum for USD 2,000.

  • Date: January 2020
  • Records exposed: 20 million

The compromised user data including:

  • Usernames
  • SHA-256 hashed passwords
  • Date joined
  • Last login date
  • Email addresses
  • First and last names

The exposed database also included numerous accounts using corporate emails of Infosys, Wipro, Google, Cognizant, and Facebook.

4) Tetrad Data Breach

In February this year, market analysis firm Tetrad left data of 120 million customers exposed in Amazon S3 storage. The exposed data comprised sensitive information from providers Claritas/Nielsen’s PRIZM and Experian Mosaic and Tetrad customers like Kate Spade, Chipotle, and Bevmo.

Three text files with Mosaic data, each over 10 GB, contained a total of 130 million rows of data on US households. These files included household addresses, names of the head of the household, gender, and Mosaic group ID.

  • Date: February 2020
  • Records exposed: 120 million

5) MGM Grand Data Breach

In February 2020, MGM Grand notified a massive data breach that occurred last year. The breach exposed records of over 10 million hotel guests, including Justin Bieber, Twitter CEO Jack Dorsey, and many prominent government officials.

The malicious actor uploaded the personal information of 10.6 million hotel guests on a hacker forum for free. However, in later findings, the stolen records reached nearly 142 million.

  • Date: February 2020
  • Records exposed: 10.6 million

The personal information of guests published on the hacker forum included:

  • Names
  • Home addresses
  • Phone numbers
  • Email addresses
  • Dates of birth

6) Marriott Data Breach

On March 31, 2020, the American hospitality company Marriott International disclosed a cybersecurity breach that exposed the data of over 5.2 million hotel guests who used the company’s loyalty application.

The malicious actors acquired the login credentials of two Marriott employees to access the guest information.

  • Date: March 2020
  • Records exposed: 5.2 million

The hackers stole a wide range of sensitive data, including:

  • Names
  • Mailing addresses
  • Email addresses
  • Phone numbers
  • Loyalty account information
  • Gender
  • Dates of birth

7) CAM4 Data Breach

Adult video streaming website, owned by Irish company Granity Entertainment, inadvertently left its database available for public view without any adequate security measures.

A security team from SafetyDetectives has discovered the significant data leak stretching into billions of records and alerted the company.

  • Date: March 2020
  • Records exposed: 10.88 billion
  • Server size: 7 TB

According to SafetyDetectives, the Personally Identifiable Information (PII) exposed in the breach included:

  • Full names
  • Email addresses
  • Country of origin
  • Sign-up dates
  • Gender preference and sexual orientation
  • Device information
  • Payment logs including credit card type, the amount paid, and applicable currency
  • User conversations
  • Transcripts of email correspondence
  • Chat transcripts between users and CAM4
  • Password hashes
  • IP addresses

Cybercriminals could have exploited this data to conduct identity theft, phishing scams, website attacks, and blackmailing. The blackmail scams are possibly the most significant risk as most users prefer to stay anonymous on such websites.

Also Read: Cyber Security Threats and Attacks

8) Advanced Info Service (AIS) Data Breach

Advanced Info Service (AIS), a major Thailand-based mobile network operator, left its database exposed and publicly accessible. The unsecured database contained a combination of DNS query logs, NetFlow logs, and other data related to the customers’ internet usage patterns.

  • Date: March 2020
  • Records exposed: 8.3 billion
  • Server size: 4.7 TB

9) Keepnet Labs Data Breach

In March 2020, Keepnet Labs, a UK-based security firm, announced a data breach that exposed over 5 billion records.

As a part of its ‘threat intelligence service’ offerings, Keepnet collects and stores publicly known data-breach information in its own Elasticsearch database. In March, the company started performing scheduled maintenance and was migrating the ElasticSearch database.

Regrettably, the engineer responsible disabled the firewall for about 10 minutes to speed up the process. During this window, the internet indexing service BinaryEdge indexed the data, making it publicly accessible. The exposed data contained information about reported data breaches from 2012 to 2019.

  • Date: March 2020
  • Records exposed: Over 5 billion

The leaked data included information about:

  • Source of the breach
  • Year the breach was made public
  • Breached email address
  • Breached password or hash
  • Format of the breached password

10) Sina Weibo Data Breach

In March this year, the Chinese social media platform Weibo suffered a data breach that exposed the data of over 500 million users.

The hacker gained access to a database that contained the details of 538 million users and sold the data for USD 250 on the dark web.

  • Date: March 2020
  • Records exposed: 538 million

The stolen data contained PII, such as:

  • Real names
  • Site usernames
  • Gender
  • Location
  • Phone numbers of 172 million users

11) Antheus Tecnologia Data Breach

Antheus Tecnologia, a Brazil-based biometrics company specialized in developing Fingerprint Identification Systems (AFIS), left sensitive information, including 76,000 unique fingerprint records, exposed on an unsecured server. The exposed server contained 2.3 million data points, which could be reverse-engineered to rebuild each original fingerprint.

Apart from the fingerprint data, the vulnerable server also exposed 81.5 million records that included administrator login information, employee phone numbers, email addresses, and company emails.

  • Date: March 2020
  • Records exposed: 76,000 fingerprints

12) Nintendo Data Breach

In April 2020, Nintendo announced that it suffered a cyberattack, and 160,000 user accounts have been compromised. Upon further investigation, the compromised accounts reached 300,000. The hackers used the stolen accounts to buy coveted digital items.

Following the incident, Nintendo stopped allowing users to log in with their Nintendo Network ID (NNID). The company also advised the users to enable two-factor authentication.

  • Date: April 2020
  • Records exposed: 160,000

The compromised data included:

  • Account passwords
  • Account owner names
  • Dates of birth
  • Email addresses
  • Country

13) Zoom Data Breach

Amid the remote working culture triggered by the pandemic, the Zoom video conferencing app has become the most used application for virtual meetings and online collaboration. When the Zoom sign-ins were reaching their peak in April 2020, cybercriminals launched a series of credential stuffing attacks on the app and stole more than half a million accounts.

At least 530,000 Zoom accounts were listed for sale on the dark web and hacker forums.

  • Date: April 2020
  • Records exposed: 530,000

The exposed account details including:

  • Usernames
  • Passwords
  • Registered email addresses
  • Host keys
  • Personal meeting URLs

The malicious actors not only gained access to the accounts but also to the contents of any meetings the users have either hosted or participated in.

14) Magellan Health Data Breach

Magellan Health, a Fortune 500 company, fell victim to a ransomware attack in April 2020, where over 365,000 patient records were compromised.

Initially, the hackers installed malware to acquire employee login credentials. Then, by impersonating a Magellan client in a phishing attack, they gained access to a corporate server and implemented their ransomware.

The malicious actors could steal employees’ login credentials, personal information and ID numbers, and sensitive patient details such as W-2 information, Social Security numbers, and taxpayer ID numbers.

  • Date: April 2020
  • Records exposed: 365,000

15) Easyjet Data Breach

Easyjet, the UK-based low-cost airline, experienced a highly sophisticated data breach that exfiltrated 9 million customers’ data. The compromised data included email addresses, travel details, and credit card information of 2,200 customers.

  • Date: May 2020
  • Records exposed: 9 million

16) Wattpad Data Breach

Wattpad, the most popular website for writers to publish new user-generated stories, suffered a massive data breach that exposed almost 271 million records.

The stolen Wattpad database was initially sold in private sales for over USD 100,000 and then sold on hacker forums for free.

  • Date: June 2020
  • Records exposed: 271 million

The data breach exposed personal information, including:

  • Usernames
  • Names
  • Hashed passwords
  • Email addresses
  • Geographic location

17) Twitter Data Breach

The most popular microblogging platform Twitter suffered a security breach through a phone spear-phishing attack in July this year. The threat actors used specific employee credentials to gain access to Twitter’s internal systems. They targeted 130 Twitter accounts, including that of high-profile US personalities like Barack Obama, Joseph R. Biden Jr., Bill Gates, Elon Musk, Kim Kardashian, and many more.

The threat actors were able to tweet from 45 accounts, access the DM inbox of 36, and download the Twitter Data of 7.

“I am giving back to the community. All bitcoin sent to the address below will be sent back doubled! If you send USD 1000, I will send back USD 2000. Only doing this for 30 minutes,” read one of the tweets by hackers.

The tweet reached at least 350 million users, and the attackers swindled USD 120,000 worth of bitcoin through at least 300 transactions.

  • Date: July 2020
  • Records exposed: 130 user accounts

Also Read: Ransomware Hits Largest US Fertility Clinic

18) Mailfire Date Breach

Mailfire, an email marketing firm, suffered a massive data breach that exposed users of over 70 adult dating and e-commerce websites, all using Mailfire software.

The hacker gained access to the software through Mailfire’s unsecured Elasticsearch server and acquired around 320 million data records of over 100,000 users.

  • Date: September 2020
  • Records exposed: 320 million

The exposed data included:

  • Notification contents
  • Personal information including names, DOB, gender, and age
  • Private messages
  • Authentication tokens and links
  • Email content
  • IP addresses
  • User profile pictures
  • User bio descriptions

Also Read: American HealthCare Provider Experiences Cyberattack, 295,617 Patients’ Data Exposed!

19) BigBasket Data Breach

India’s biggest online grocery store BigBasket suffered a massive data breach in October 2020 that exposed 20 million users’ data.

The hackers exfiltrated users’ sensitive information and put it up for sale on the dark web for USD 40,000. Though the breach was identified on October 14, the company notified the public on November 7.

  • Date: October 2020
  • Records exposed: 20 million

The compromised personal information of users including:

  • Full names
  • Email addresses
  • Dates of birth
  • IP addresses of user devices

20) Broadvoice Data Breach

In October 2020, a cluster of databases belonging to the Voice over IP (VoIP) telecommunications vendor Broadvoice was left publicly accessible on the internet, without any need for authentication.

Comparitech’s security experts discovered the unprotected database cluster, which contained more than 350 million records.

  • Date: October 2020
  • Records exposed: 350 million

The exposed database contained information, including:

  • Full caller names
  • Caller identification numbers
  • Phone numbers
  • Locations
  • Voicemail records
  • Dates of birth

21) Vertafore Data Breach

Vertafore, a US-based insurance software solutions provider, fell victim to a massive data breach that exposed the data of 27.7 million Texas drivers. The threat actors gained access to three data files inadvertently stored in an unsecured external storage system. The exposed files contained information on driver’s licenses issued before February 2019.

  • Date: November 2020
  • Records exposed: 27.7 million

The exposed data contained:

  • Driver license numbers
  • Names
  • Dates of birth
  • Addresses
  • Vehicle registration histories

22) Home Depot Data Breach

The Home Depot, Inc., the largest home improvement retailer in the US, has reached a USD 17.5 million settlement with 46 states and Columbian District for the data breach it suffered in 2014. The breach exposed the payment card information of around 40 million consumers across America. The cybercriminals gained access to the company’s network and deployed malware on the self-checkout Point-of-Sale (PoS) system.

  • Lawsuit settlement date: November 2020
  • Records exposed in 2014 breach: 40 million

23) FireEye Data Breach

FireEye, the world’s leading cybersecurity firm, disclosed that they were attacked by a highly sophisticated malicious actor. The company informed that the attacker stole their Red Team assessment tools that they use to test their customers’ security. They believed that it was a state-sponsored attack based on the attacker’s discipline, operational security, and techniques.

“Based on my 25 years in cybersecurity and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years,” said FireEye CEO Kevin Mandia.

  • Date: December 2020
  • Red Team assessment tools stolen

24) HMRC Data Breach

HM Revenue and Customs was branded “breath-taking incompetence” after it experienced a dozen serious personal data breaches over the course of 2019-20. UK’s tax authority reported 11 incidents that impacted 23,173 customers, with one incident alone affecting around 18,864.

  • Date: December 2020
  • Impacted 23,173 customers

25) Leonardo SpA Data Breach

Leonardo SpA, the largest defense contractor globally, experienced a malware attack that exfiltrated data up to 10GB. Two former employees of the Italian company were arrested for allegedly compromising the corporation’s network by deploying malware.

  • Date: December 2020
  • Records exposed: 100,000 files or 10GB data

The exfiltrated data contained information about:

  • Security and defense strategy
  • HR
  • Product distribution
  • Component design for civil and military aircraft
  • Employee credentials

Download Data Breaches and Attacks of 2020 PDF

Also Read: 34 Million User Records Stolen From 17 Companies Put For Sale Online

In Conclusion:

Clearly, 2020 has been so far quite challenging for organizations in terms of cybersecurity along with the adoption of new normal changes. As the uncertainty unfolds, organizations that have yet to experience a cyberattack still have the luxury of time to prepare.

Unfortunately, most organizations are still ill-equipped to handle a significant cybersecurity incident, much less amid a crisis like a pandemic. According to the Ponemon Institute, 76% of organizations don’t have a Computer Security Incident Response Plan (CSIRP) applied consistently across the enterprise.

Thus, organizations without a CSRIP must build one, and those that have already created one should take the opportunity now to assess the CSIRP for any vulnerabilities based on their COVID-19 security posture.

IT Business Support

Experiencing a cyber incident? StealthLabs can help you!

At StealthLabs, we focus on helping clients thrive in the face of cyber uncertainty. With a wide range of information security service offerings, we assist you in:

  • Aligning your security strategy with your business demands
  • Securing your digital assets, users, and data
  • Managing your defenses against growing risks

Contact Us

More Cyber Security Articles: