2020 is off to a roaring start. And even in the midst of a global pandemic, the cybercriminals show no indication of slowing down. In fact, they’re ramping up. Not even halfway through the year, we’ve already seen some major breaches this year: Roblox, Zoom, EasyJet, and even some dating sites like MobiFriends.
The Roblox breach may be one of the more interesting stories of the year. It started with a hacker bribing a Roblox insider for access to the popular family-friendly game site’s customer support panel. Gaining that access, the hacker then had the personal information of over 100 million Roblox users at their disposal, with the ability to change passwords, reset security settings, manipulate game inventory, and more. After sharing screenshots of some high-profile members’ accounts with Roblox, the hacker told Vice, “I did this to only prove a point to them.” Yet despite this allegedly harmless objective, the hacker added that they changed the password for two accounts and sold their inventory items. The hacker then asked Roblox for a bug bounty, but was refused due to the seemingly less-than-noble intentions.
Video conference service Zoom was as surprised as the rest of the world when it suddenly became one of the planet’s most utilized apps in March as coronavirus restrictions forced millions to shelter-at-home. It was just a short matter of time before cybercriminals caught on and capitalized on the trend. All kinds of Zoom schemes and fraud ensued, including the Zoom data breach in April when researchers found over 500,000 hacked Zoom credentials selling on the dark web for less than a penny each. Experts believe the data was assembled by plying previously leaked credentials to Zoom accounts and finding those that work because the account owners have reused passwords.
Nine million customers of British airline easyJet have had their travel details and email addresses compromised, and over 2,000 of them have had their credit card details stolen. The easyJet breach, which the company calls a “highly sophisticated cyberattack,” occurred in January, and the company said all affected customers will be notified by May 26, the BBC reported. This is a concern, as hackers could already be using the leaked data in phishing campaigns aiming to trick victims by referencing their specific travel plans.
The MobiFriends data breach actually occurred in 2019, but its treasure trove of personal details on over 3.6 million users was just made public last month. Victims of the dating app breach had their email addresses, passwords, phone numbers, profile info, and more compromised. As ZDNet reported, these users are now vulnerable to spear-phishing attacks, extortion attempts, and other ruses that exploit their personal information.
Previous data breaches still resonate
Some of the larger data breaches from the past have left long trails of cautionary tales for consumers. Two of these are the Equifax and Capital One data breaches. Together, they affected almost 250 million people.
The 2017 Equifax data breach exposed the personal and financial information of 147 million people. After its widely denounced initial response to the breach, where Equifax executives first tended to their own exit strategies before alerting customers, the company reached a global settlement with the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau, and all the U.S. states and territories. The settlement includes $425 million, divided up evenly amongst all victims who file a claim, and free credit reports and credit monitoring through 2026.
The 2019 Capital One data breach put the data of about 106 million people at risk. A hacker infiltrated the bank’s system and stole information from the credit applications of 100 million U.S. customers and 6 million Canadian customers. While no credit card numbers or login credentials were compromised, other precious data like Social Security numbers, Social Insurance numbers, and financial history were. In response, the company has offered free credit monitoring and identity protection to everyone affected.
So, what can we learn from these breaches? A couple of things. First of all, data breaches can occur anywhere, from the smallest local server to the largest global enterprise. Secondly, free credit monitoring is a common apology move from the compromised companies, but this gives cybercriminals another attack surface. If they know you were a data breach victim, they could launch phishing tactics at you where they pretend to be these helpful credit reporting entities. Always remember, cybercrime is inexhaustible.
How data breaches can affect you
Let’s take a step back: What is a data breach, anyway? A data breach is when protected information is infiltrated. It’s that simple. A breach is an opening that is not supposed to be there — a hole in the bottom of a boat, a tear in a protective wall, or an exploitable crack in your online security, to name a few. A data breach is when that unlawful opening leads to the compromise or theft of sensitive online information. Information stolen in a data breach could include your:
- Email address
- Home address
- Phone numbers
- Driver’s license info
- Credit card numbers
- Purchase history
- Bank account details
- Social Security number
How do you know if your data was breached?
The breached company should alert you right away when your data has been compromised, but unfortunately this has not always been the case, such as in the Equifax instance. Constant vigilance over all your accounts can sound like a daunting chore, but it’s truly the healthiest habit we can all adopt, even if it means just glancing through the statements and movements of all your accounts once a week to make sure there are no surprises. Also, there are handy tools at your disposal such as the free Avast Hack Check site that aggregates the leaked data from known breaches so it can tell you instantly if your email address was compromised.
What can cybercriminals do with the data they steal?
Information is the new gold, and cybercriminals have many lucrative options in terms of data breach information, some of which include:
- Selling the data
- Illicitly withdrawing money from bank accounts
- Using compromised payment cards to make purchases
- Using the personal information of others to register for new credit cards
- Access and manipulate tax filings
- Lock victims out of their bank accounts
- Lock victims out of their social media accounts
GDPR and data breaches
In spring 2018, the General Data Protection Regulations (GDPR) took effect in Europe, marking the largest global reform yet on data breaches. The GDPR applies to companies and individuals that keep digital data on EU citizens, regardless of where that company is located. It protects consumers by mandating that these companies maintain certain high security standards and divulge any breach information within 72 hours of discovery. If a company breaks these rules, they are fined up to 4% of their annual revenue or €20 million ($24 million), whichever is larger. This serves as a frightening warning to IT departments around the globe, who are now even more inspired to protect their servers and personnel for fear they suffer the same fate as British Airways, who got slapped with a GDPR fine of £183 million for a breach of its customer data.
What if I’m the victim of a data breach?
If your personal information has been compromised, use the following data breach response checklist:
- Determine what info was breached – Learn exactly what happened from the company that was breached. If they are not providing all the details, seek more information from the FTC, and take stock yourself of what you’ve shared with that company.
- Change your passwords – Create strong new passwords, and always use a different password for each different account. To help you keep track of them all, use a secure tool to remember them, such a password manager. And, if it’s offered, enable two-factor authentication, which automatically makes it at least twice as hard for a hacker to crack into your account.
- Beware of links in odd emails or texts – If you receive any emails or texts claiming to be related to the breach and providing a link to click or a file to download, be suspicious. These are often phishing attacks by cybercriminals attempting to capitalize on your confusion. Instead of clicking on the link or attachment, close the email and contact the company directly to see if the message came from them.
- For credit and debit card theft, contact your bank – If your credit card or debit card numbers were stolen, contact your bank to put a stop on those cards and to get new numbers issued. Also change your PIN. Talk to your bank about sending you text or email alerts if they detect any strange charges, purchases, or withdrawals.
- For Social Security info theft, contact a credit reporting agency – Your SSN allows cybercriminals to open new accounts in your name. To prevent this, put a fraud alert on your name at one of the three major credit bureaus below. (Ironically, Equifax is one of these companies.) Oftentimes, the company that is breached will offer free fraud alerts. Then, periodically check your credit report over the next several years to make sure nothing suspicious pops up. You can also consider getting a security freeze, which prevents anyone from seeing your credit report without your authorization. While it can delay some of your purchases (car loans, home loans, etc.), it does help prevent identity theft.
- Driver’s license or personal ID theft – In the U.S., report the theft to the Department of Motor Vehicles. Ask them for their recommendations and best practices to protect you. They may decide to issue you a new license or ID number, and they may even have certain fraud protection actions they recommend you follow.
- Use an antivirus software – Data breaches usually begin with phishing scams, as the hacker tries to find a way in. Protect yourself from malicious spam, infected links, and malware with a robust antivirus. Avast Free Antivirus is consistently rated “excellent” by industry experts. It’s trusted by millions of people worldwide, and it will keep you safe from the constant horde of hackers battering against all of our digital doors.