From the latest data breaches to the biggest data breaches, our Data Breach Survival Guide has all the info you need
2020 is off to a roaring start. And even in the midst of a global pandemic, the cybercriminals show no indication of slowing down. In fact, they’re ramping up. Not even halfway through the year, we’ve already seen some major breaches this year: Roblox, Zoom, EasyJet, and even some dating sites like MobiFriends.
The Roblox breach may be one of the more interesting stories of the year. It started with a hacker bribing a Roblox insider for access to the popular family-friendly game site’s customer support panel. Gaining that access, the hacker then had the personal information of over 100 million Roblox users at their disposal, with the ability to change passwords, reset security settings, manipulate game inventory, and more. After sharing screenshots of some high-profile members’ accounts with Roblox, the hacker told Vice, “I did this to only prove a point to them.” Yet despite this allegedly harmless objective, the hacker added that they changed the password for two accounts and sold their inventory items. The hacker then asked Roblox for a bug bounty, but was refused due to the seemingly less-than-noble intentions.
Video conference service Zoom was as surprised as the rest of the world when it suddenly became one of the planet’s most utilized apps in March as coronavirus restrictions forced millions to shelter-at-home. It was just a short matter of time before cybercriminals caught on and capitalized on the trend. All kinds of Zoom schemes and fraud ensued, including the Zoom data breach in April when researchers found over 500,000 hacked Zoom credentials selling on the dark web for less than a penny each. Experts believe the data was assembled by plying previously leaked credentials to Zoom accounts and finding those that work because the account owners have reused passwords.
Nine million customers of British airline easyJet have had their travel details and email addresses compromised, and over 2,000 of them have had their credit card details stolen. The easyJet breach, which the company calls a “highly sophisticated cyberattack,” occurred in January, and the company said all affected customers will be notified by May 26, the BBC reported. This is a concern, as hackers could already be using the leaked data in phishing campaigns aiming to trick victims by referencing their specific travel plans.
The MobiFriends data breach actually occurred in 2019, but its treasure trove of personal details on over 3.6 million users was just made public last month. Victims of the dating app breach had their email addresses, passwords, phone numbers, profile info, and more compromised. As ZDNet reported, these users are now vulnerable to spear-phishing attacks, extortion attempts, and other ruses that exploit their personal information.
Some of the larger data breaches from the past have left long trails of cautionary tales for consumers. Two of these are the Equifax and Capital One data breaches. Together, they affected almost 250 million people.
The 2017 Equifax data breach exposed the personal and financial information of 147 million people. After its widely denounced initial response to the breach, where Equifax executives first tended to their own exit strategies before alerting customers, the company reached a global settlement with the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau, and all the U.S. states and territories. The settlement includes $425 million, divided up evenly amongst all victims who file a claim, and free credit reports and credit monitoring through 2026.
The 2019 Capital One data breach put the data of about 106 million people at risk. A hacker infiltrated the bank’s system and stole information from the credit applications of 100 million U.S. customers and 6 million Canadian customers. While no credit card numbers or login credentials were compromised, other precious data like Social Security numbers, Social Insurance numbers, and financial history were. In response, the company has offered free credit monitoring and identity protection to everyone affected.
So, what can we learn from these breaches? A couple of things. First of all, data breaches can occur anywhere, from the smallest local server to the largest global enterprise. Secondly, free credit monitoring is a common apology move from the compromised companies, but this gives cybercriminals another attack surface. If they know you were a data breach victim, they could launch phishing tactics at you where they pretend to be these helpful credit reporting entities. Always remember, cybercrime is inexhaustible.
Let’s take a step back: What is a data breach, anyway? A data breach is when protected information is infiltrated. It’s that simple. A breach is an opening that is not supposed to be there — a hole in the bottom of a boat, a tear in a protective wall, or an exploitable crack in your online security, to name a few. A data breach is when that unlawful opening leads to the compromise or theft of sensitive online information. Information stolen in a data breach could include your:
The breached company should alert you right away when your data has been compromised, but unfortunately this has not always been the case, such as in the Equifax instance. Constant vigilance over all your accounts can sound like a daunting chore, but it’s truly the healthiest habit we can all adopt, even if it means just glancing through the statements and movements of all your accounts once a week to make sure there are no surprises. Also, there are handy tools at your disposal such as the free Avast Hack Check site that aggregates the leaked data from known breaches so it can tell you instantly if your email address was compromised.
Information is the new gold, and cybercriminals have many lucrative options in terms of data breach information, some of which include:
In spring 2018, the General Data Protection Regulations (GDPR) took effect in Europe, marking the largest global reform yet on data breaches. The GDPR applies to companies and individuals that keep digital data on EU citizens, regardless of where that company is located. It protects consumers by mandating that these companies maintain certain high security standards and divulge any breach information within 72 hours of discovery. If a company breaks these rules, they are fined up to 4% of their annual revenue or €20 million ($24 million), whichever is larger. This serves as a frightening warning to IT departments around the globe, who are now even more inspired to protect their servers and personnel for fear they suffer the same fate as British Airways, who got slapped with a GDPR fine of £183 million for a breach of its customer data.
If your personal information has been compromised, use the following data breach response checklist:
On May 2, celebrate World Password Day by leveling up the strength and complexity of these most critical of security measures — your passwords.
Avast security experts explain the basics of staying safe on social media, public Wi-Fi, the internet of things, and more in ways that every parent can understand.