Monday, July 15, 2024

Greatest Data Protection Fails By Massive Cyber Attack in 2019

Most of us should start to think more carefully about the data that we put online. It is becoming clear that no data we put online can ever be 100% safe, and 2019 had some of the worst data protection breaches yet.

WhatsApp Hack Used to Install Spyware

Any corporate cybersecurity breach is embarrassing for the business affected, but even more so when that business trades so heavily on its focus on privacy and takes various security precautions (such as using VPNs or proxy networks) to keep its customers safe. When news broke back in May that WhatsApp had been used by hackers to install Israeli spyware on users’ phones, it seemed like very bad news for WhatsApp.

All the attackers had to do was call their targets through WhatsApp; it didn’t matter whether the targets answered or not. WhatsApp has been unable or unwilling to reveal just how many users might have been victims of the vulnerability. But with a userbase of 1.5 billion, even 1% of their users would be 15 million people.

Israel has a history of working with domestic cybersecurity businesses to produce spyware, and the malware in this case bore all the hallmarks of being built by a state actor or someone with experience of working with them. Among the users confirmed to have been targeted was a prominent human rights lawyer from the UK who has represented Palestinians throughout her career.

US Customs and Border Protection Hack

Crossing the US border has been a very different experience since 9/11. Customs and border agents now routinely copy data from travelers’ digital devices and have begun to request passwords and access to any computers they bring with them. This in itself has caused a lot of consternation among travelers but most had assumed that at the very least, the data that was taken from them would be kept safe.

That illusion was shattered when the Washington Post reported that images of up to 100,000 travelers’ faces and license plates had been taken. CBP has laid the blame at the feet of an anonymous subcontractor. This breach highlights that our data is increasingly being passed through multiple processors and it only takes one of them to drop the ball for our data to be compromised.


With more than 200 million users worldwide across all age groups and backgrounds, Fortnite is one of the most popular and profitable games in the world right now. However, even the best of us make mistakes sometimes. Fortnite developer Epic’s mistake was using an old, unsecured web page that was vulnerable to a basic XSS attack. All the attackers had to do was get their victims to click a link.

Compromising someone’s account for an online game might not sound very serious, but attackers were able to record audio of players without their knowledge, take over their accounts, and spend any virtual currency they held. Unlike most data breaches, this one impacted a lot of children, who make up a significant portion of the userbase. For a major tech business like Epic Games to publish such a vulnerable web page in 2019 is a huge embarrassment for the company.

Quest Diagnostics Data Breach

Aside from our financial data, our medical data is the most personal and sensitive information that other people hold on us. The importance of maintaining doctor-patient confidentiality in the digital age is reflected in HIPAA – the set of regulations that any business handling personal medical data has to adhere to. Breaches of HIPAA are taken very seriously, and lapses can lead to some very serious consequences.

In June, Quest Diagnostics announced that almost 12 million people’s data had been accessed by an unauthorized party. Not only did this include medical data but also credit card information and social security numbers. The hacker had access to the data for more than seven months before Quest Diagnostics discovered the breach.

This is another case where it transpired that a third-party contractor was responsible for the security lapse. The contractor in question ultimately lost four major clients following the revelations and filed for bankruptcy soon after.

Facebook’s Big Whoops

Poor Facebook seems to have no luck when it comes to granting third parties access to its massive ocean of data. The Cambridge Analytica scandal highlighted Facebook’s generally lax attitude when it came to regulating how app developers handled user data. However, two incidents in 2019 demonstrate that nothing has changed since then.

First of all, an app developer based in Mexico left data for 540 million users on a publicly accessible server. This included user IDs, account names, likes, comments, and basically everything a hacker could want if they wanted to hijack a Facebook account.

Around the same time, Facebook was forced to admit that they themselves had “unintentionally” uploaded the email addresses of 1.5 million users without their permission. Security researchers also noted that Facebook wasn’t just asking new users for their email addresses, but also for the passwords to their email accounts, a widely condemned practice.

These data protection fails highlight that no data you put online is truly safe. Even if you are handing it over to someone who can be trusted with it, you never know exactly who else will be involved in the processing and storing of it. All it takes is one weak link in the chain to ruin your data security entirely.

