Q3 Data Breach Roundup:

Q3 Data Breach Roundup:

The entire world may still contend with the pandemic, but cybercriminals have certainly not been resting. In fact, the upheaval in everyone’s’ day-to-day lives and the way business has been conducted in 2020 has provided a target-rich environment for both nefarious actors and mischief-makers.

On the relatively benign side of things, people have crashed Zoom calls, sometimes to embarrassing effect for televised or otherwise public meetings. But on a more serious note, because more people are working from home, much more sensitive data is being transferred over less secure connections and networks than ever before.

Per IT Governance, in July almost 78 million records were leaked in 86 incidents and the number of breaches increased in August to 99, but only 36,673,575 records were confirmed leaked which is the lowest figure recorded by IT Governance since May 2018.

Here are several notable Q3 breaches:

Twitter

What happened: After suffering data privacy issues in May and June, on July 15th Twitter had a large number of high profile user accounts hacked including those of Barack Obama, Joe Biden, Bill Gates, Elon Musk, Warren Buffet, Jeff Bezos and Apple which were among 130 hacked accounts.

The suspected cybercriminals used those prominent accounts to tweet a message redirecting people to a website where they were instructed to send bitcoin to a specific address and then expect double that amount in return. Per Engadget, people who fell for the cybercriminals’ scam lost a minimum of $121,000 and Twitter lost $1 billion in market valuation over a 24-hour period.
Like many successful hacks, Twitter had to look within to find the weak link in its cybersecurity. The malicious actors used social engineering to reach Twitter employees with access to internal systems and tools that allowed them to control the high-profile users’ accounts and send out the fraudulent tweets.

The FBI began an investigation of the hack on July 16, 2020.

Instacart

What happened: The popular food and grocery delivery app saw a spike in downloads as more people moved to have groceries delivered rather than making visits to the local store during a pandemic. In late July, it was reported 278,531 Instacart customer records were hacked and on sale on the dark web. The breached data included names, email addresses, order histories and the last four digits of credit card numbers.

Instagram initially denied being aware of a data breach and at the time a spokesperson told BuzzFeed News, “We take data protection and privacy very seriously. Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password.”

Despite the denial, the Instacart records were confirmed on sale on the dark web for around $2 per Instacart customer.

Dave.com

What happened: The digital banking app had 7,516,625 user details published on a public forum after a breach at analytics platform Waydev’s network. Waydev was a former business partner of Dave. CrowdStrike was hired by Dave to investigate the breach.

“As the result of a breach at Waydev, one of Dave’s former third-party service providers, a malicious party recently gained unauthorized access to certain user data at Dave,” a Dave spokesperson told ZDNet. “As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has ‘cracked’ some of these passwords and is attempting to sell Dave customer data.”

Dave user data was published on the hacking forum, RAID.

Uber

What happened: The US Department of Justice Northern District of California Attorney’s Office charged Joseph Sullivan, Uber’s ex-Chief Security Officer, with obstruction of justice for covering up a 2016 data breach that exposed 57 million user and driver records including around 600,000 records for the driver license numbers of Uber drivers.

Uber paid a $100,000 ransom to the hackers to remain silent and delete the stolen records. The DOJ contend “Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.”
US Attorney David L. Anderson said, “Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.”

Deputy Special Agent in Charge Fair added, “Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”

Data breaches have myriad causes from poor security to employees susceptible to social engineering, and sometimes a breach might not be the affected company’s blame if enough users have reused compromised user name/password combinations from previous breaches on other sites.

Meeting the challenge of improving cybersecurity means teaching and employing best security practices such as enforcing strong login credentials and multi-factor authentication across devices, conducting regular security audits, encrypting business data, and avoiding social engineering attacks.

To further defend against data breaches, organizations should take proactive action and sign up for Keeper’s BreachWatch™. BreachWatch™ is easy to set up and manage while offering enterprise-grade protection that scales with your business.