News

2020: The year's biggest hacks and cyberattacks

Patrick Mallory
November 23, 2020 by
Patrick Mallory

Just when you thought Halloween was over, it turns out there is something out there far scarier to security professionals around the world: the constant threat of a cyberattack.

Unfortunately, 2020 was no different than previous years. This year saw the continuing of trends where the number of cyberattacks have increased just as the sophistication and impact have caught the eyes of even the most casual of observers. Throw in the devastating public health and economic impact of the COVID-19 pandemic and it’s easy to see why folks are ready to turn the page on 2020.

Before we do, however, we’ll take a moment to look back at the year’s biggest hacks and cyberattacks. We’ll check in to see what each of the victim organizations have done since they took newspaper headlines for all the wrong reasons. 

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

The year in numbers

According to Fintech News, more than 80 percent of firms have seen an increase in cyberattacks in 2020, with a 600 percent increase in phishing attempts since February 2020 — yet another way that the coronavirus has impacted our lives. 

The average ransomware payment also rose 33 percent to $111,605 compared to late 2019, while cyber fraud jumped 20 percent in 2020, reaching 445 million attacks. Combined, it is estimated that the average cost of a data breach reached $3.9 million in 2019, while the average time to identify a breach occurred rose to seven months. 

While these are hard numbers to wrap our minds around, there are still ten cyberattacks in 2020 that were able to raise themselves above the rest. Here is our list. 

2020’s most notable hacks and cyberattacks

Garmin

In late July, the smartwatch, mapping and electronics company Garmin announced that it fell victim to a “cyber attack that encrypted some of our systems.” Users noticed that their website and many customer-facing services were offline and employees saw that internal communications were down. While Garmin did not share many details initially, it is clear that the company had their systems affected by ransomware. Several days later, Garmin officially notified the public that a cyberattack had taken place and confirmed that no sensitive customer or employee data was compromised. 

In the weeks that followed, news began to spread through the hacker community that a ransomware tool called WastedLocker was used, which encrypts a victim’s digital infrastructure without stealing any data. Although it was not confirmed by Garmin, it is thought that Garmin paid $10 million in ransom to have their services decrypted. 

The attack is believed to be linked to a small but growing Russian hacking group named “Evil Corp,” proving that no matter how big a company is, they can still be crippled by a relatively small group of malicious hackers. The ransomware attack was also notable as, on average, ransoms had been just over $100,000, marking a dangerous new chapter for a type of attack already known for grabbing headlines.

Twitter

It was a tough summer for Twitter. First, employees fell victim to a coordinated phishing campaign that eventually led to Bill Gates, Elon Musk, Uber, Apple, Kanye West and even Jeff Bezos’ Twitter accounts being compromised to further a bitcoin scam. In its wake, and in an attempt to thwart the bitcoin scam and any other further damage to their platform, Twitter administrators decided to silence all verified accounts (those marked with a blue check — and not just these high-profile accounts. 

Eventually, to close down the compromised accounts, Twitter security staff decided to slowly have the entire organization move to a “zero trust” privilege level until they worked their way down the management chain, having every employee change their password in front of their supervisor. After about a month and following a slew of new security protocols, Twitter finally was operating back to normal. 

To add salt to the wound, it was ultimately revealed that the attacker was a 17-year-old from Florida who was looking for a way to sell Twitter handles to the highest bidder before expanding the attack to include the cryptocurrency scam.

The second part of Twitter’s rough year began when the Federal Trade Commission (FTC) announced that it may levy a $250 million fine for the “improper use of users’ phone number and email addresses.” The fine would be the culmination of the platform’s inappropriate use of this information to fuel ads from 2013 to 2019 instead of just the “safety and security purposes” it was justified as to users. 

Although Twitter disclosed the practice to their users last year, the act at issue is actually in direct violation of a 2011 agreement with the FTC where Twitter agreed to no longer mislead consumers about how their information is used. There is no specific timeline on when the FTC complaint and fine will become official.

Capital One 

In a year with so many jaw-dropping statistics, we don’t blame you if you didn’t catch Capital One agreeing to pay US federal authorities an $80 million penalty in the devastating wake of their 2018 data breach. In addition to the penalty, Capital One had to create plans “to improve its security procedures within the next three months,” with the Office of the Comptroller of the Currency (OCC) noting that the international financial giant failed to establish appropriate risk assessment procedures relating to their cloud services.

The data breach saw personal information and financial data for over 100 million Americans and another six million Canadians — including 140,000 Social Security numbers and 80,000 bank account numbers — spill into the dark web. An additional one million Canadian social insurance numbers were also exposed. 

The hacker was later identified as former Amazon Web Services (AWS) employee Paige Thompson, who used employee access to Capital One’s backend services running on AWS to expose the data. As noted by the OCC, it is clear that although an organization can outsource and entrust their data to cloud services providers, their responsibility for maintaining the security and confidentiality of their customer’s data still lies with them.

Uber

In one of the year’s more interesting cyberattack stories, the former Chief Security Officer for Uber, Joseph Sullivan, was charged with obstruction of justice for paying hackers $100,000 in hush money following a 2016 attack. The 2016 intrusion resulted in at least 57 million Uber passengers and drivers having their sensitive data released.

As part of his charges, Sullivan is facing charges of misprision, which is the “the deliberate concealment of one's knowledge of a treasonable act or a felony,” to the Federal Trade Commission as well as Uber’s remaining management team. This stems from the fact that Sullivan initially stated that the vulnerability identified and the associated payment was linked to Uber’s bug bounty program, but it was eventually revealed that the money was paid to have the criminals delete the data as part of a cover-up scheme. 

The two men who perpetrated the attack were also arrested. Sullivan faces up to eight years in prison.

Morgan Stanley

In 2020, Morgan Stanley finally faced their reckoning for their 2016 and 2019 data breach events with a $5 million class action lawsuit.

Proving that not all cyberattacks have to be sophisticated, the 2016 data breach followed the decommissioning of two data centers. The global financial firm thought that their contracted vendor appropriately wiped and handled all the data on their old devices. Unfortunately, the data was not fully cleared and was also left unencrypted, leaving personal data like Social Security numbers, passport numbers, birthdays, asset values, account information and other proprietary information vulnerable. 

The second incident occurred in 2019 when Morgan Stanley disconnected and replaced a computer server in a retail branch and failed to properly store and account for the device. Ultimately, criminals got a hold of the device and extracted data from it. 

The $5 million class action lawsuit claims Morgan-Stanley “failed to properly safeguard” the personally identifiable information in both situations and was otherwise “negligent and/or careless” in protecting customers’ data. 

Regardless of the result of the lawsuit, this case serves as a reminder of the responsibility of organizations to validate their contractors’ work, utilize encryption consistently when handling sensitive information and emphasize the need for proper data handling and device decommissioning procedures. 

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Social media database breach

A staggering 235 million users of social media platforms TikTok, Instagram, and YouTube saw their profile data exposed when a database was released in the late summer.

Unlike other cyberattacks that saw hackers breach security systems, this database breach involved data collected from website scraping, where user information was pulled and compiled from public-facing websites. For example, profile information, pictures and other self-identified information was compiled from across the different platforms and consolidated into one large database. Over time, 235 million records were created and left exposed on the internet with no password information. 

One publication, Comparitech, noted information ranged from full real name to user engagement statistics and age and gender. Some also included contact information associated with the user.

First recorded cyberattack-related death

2020 also saw what could be the first cyberattack-related death, a grim milestone during an already challenging year. 

The incident occurred when the University Hospital of Düsseldorf (UKD) was attacked with ransomware in early September. This caused IT systems to fail and a patient to die as they were being transported to a different hospital for care. 

Germany’s cybersecurity authority reported that the hackers exploited a well-known vulnerability in a version of Citrix VPN software, which the authority actually warned organizations of in January 2020. 

Making matters worse, the ransomware was actually intended to be directed at Heinrich Heine University, according to the note left behind by the attackers.

As soon as authorities notified the perpetrators, the demand was removed and the decryption key was provided. The case, however, is still being investigated as a homicide, according to the BBC.

Universal Health Services 

Unlike the University Hospital of Düsseldorf attack, cyber thieves meant to attack one of the biggest hospital systems in the United States when they put ransomware on the Universal Health Services’ computer systems in September.

Affecting more than 400 locations, the ransomware attack forced the healthcare provider to use paper and pencil to fill out patient information and records and marked one of the biggest cyberattacks in United States history. Universal Health Services initially said systems were offline “due to an IT security issue,” but it quickly leaked that there was something far more malicious behind the outage. 

Staff on-site during that weekend recalled computer systems just shutting down on their own. Fortunately, patient medication information was kept on separate systems that were backed up daily. 

H&M’s record GDPR fine 

Rounding out this year’s most notable cyber incidents is international retailer H&M’s eye-popping and record-setting $41.3 million General Data Protection Regulation (GDPR) fine, leveled by the European Union via its new data protection law.

The fine is the conclusion of an investigation by the Data Protection Authority of Hamburg (HmbBfDI) after H&M was found monitoring several hundred employees at their Nuremberg customer service center, beginning in 2014. In fact, the Authority noted that employees were subject to "extensive recording of details about their private lives." Examples included recordings about personal vacations, medical treatments and illness information conducted in what were called “Welcome Back Talks.”

The extent of the data collected was exposed in October 2019 when the database was inadvertently made available to the internet for several hours, following a configuration error. The $41 million fine is the second largest ever handed down in the EU following the passage of the GDPR, following Google’s $57 million fine in 2018. H&M took “full responsibility” for the action and issued an apology to the affected employees.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Looking ahead

Although these data breaches and cyberattacks make for interesting reading, they should also serve as grim reminders that a hack occurs around the world every 39 seconds. Whether you are a small brand or a global conglomerate, these examples prove that no organization is safe. 

Instead, use these events as case studies and as inspiration to invest in timely system upgrades, sound security policies and robust user and customer data protections. While no organization can ever be completely immune from a cyberattack, adequate preparation and comprehensive security awareness training can stop many potential scams and hacks or limit them before they wreak serious havoc. 

Unfortunately, given the trends of 2020 and the ongoing effects of COVID-19, it is clear that security threats will only continue to grow. So use this time to be thankful and plan accordingly so 2021 doesn’t find your organization falling victim itself.

Sources

Patrick Mallory
Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.