2020’s biggest data breaches and lessons learned

Jan. 28, 2021, marks 30 years since the signing of Convention 108, the first legally binding treaty to address data privacy and protection for individuals. Since then, there has been exponential development in information security and how we protect ourselves.

The treaty and this ongoing growth are the reasons we celebrate Data Privacy Day internationally each year — to highlight the value and trends in data privacy.

Here are five big data breaches that made the news in 2020 and lessons learned:

Estée Lauder database exposed

In January 2020, more than 440 million database records belonging to Estée Lauder were exposed. The database reportedly housed internal documents, sales data, IP addresses and email addresses. Read this article to learn more about the Estée Lauder breach.

Takeaway: Though this case was not consumer-facing, it’s important to know that large companies get hacked too. Once hackers gain access to your information, you are more susceptible to cyber threats in the future. Review these University of Toronto (U of T) information security tips to learn how to protect yourself against personal attacks.

Nintendo user accounts compromised

In April 2020, 300,000 Nintendo user accounts were compromised due to a cyber attack. Hackers used the stolen account information, including passwords, birthdates and email addresses, to purchase digital items. As a response to the attack, Nintendo altered its Network ID (NNID) login method and advised users to enable multi-factor authentication (MFA). Read this article to learn more about the NNID breach.

Takeaway: Enabling MFA offers an extra layer of protection to accounts and data. It is good practice to enable MFA where possible to avoid these types of attempts. Read this article about U of T’s MFA service called UTORMFA.

Thousands of Zoom accounts stolen

In April 2020, criminals gained access to more than 530,000 Zoom user accounts and listed them for sale on the dark web. They accessed details such as passwords, email addresses, host keys and personal meeting URLs. Read this article to learn more about the Zoom breach.

Takeaway: Cyber criminals take advantage of trends. Since most of the world switched to online learning and working in March, Zoom accounts were strategic targets. Cases like this are a reminder to use different passwords for different accounts so that if one of your accounts is hacked, others may still be protected. Read this article for U of T’s tips on password best practices.

Hackers access EasyJet customer personal information

In May 2020, a “highly-sophisticated” malicious actor gained access to the personal data of nine million EasyJet customers. This included email addresses, names and travel records. An additional 2,200 customer files were accessed, which included customers’ credit card information. Read this article to learn more about the EasyJet data breach.

Takeaway: These customers are likely to face phishing attempts in the future based on the information the hackers now have. Educate yourself on what phishing attempts look like and how to deal with them.

SolarWinds Orion breach triggers White House security meetings

Throughout 2020, there were ongoing threats and reactions to the SolarWinds cyber-espionage campaign, which began in September 2019. The breach targeted numerous government agencies and private organizations including the world’s leading cyber security firm, FireEye. Read this article to see a timeline of the SolarWinds hack.

Takeaway: Anyone, even cyber security firms and the State, can get hacked. Review U of T’s Information Security-approved tips for working securely online.