
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Security Lessons from the Worst Data Breaches & Cyber Attacks of 2019

Topics: Data Protection, GDPR, Encryption, Cyber Attack, General Data Protection Regulation

Posted: 25 November 2019

Picture a heist. Picture that heist involving a hundred million people or more. Picture how that may look; imagine how that might sound. You’d be forgiven for imagining simultaneous full-scale bank robberies with alarms blaring and guns blazing, but this isn’t what heists look like anymore. Heists are silent. Heists hit millions, even billions, at one time from one remote location.

Case in point: in 2018, India experienced a massive data breach in which a whopping 1.1 billion records — including names, addresses, and 12-digit ID numbers — were made freely available online. A year on, these heists have not slowed down in severity or number, and they have continued across industries and territories to this day. Here, we cover some of 2019's biggest data breaches and cyber attacks so far, in the hope that there is something to be learned that will stop them from happening again.




Data has, for the past few years, been the lifeblood of business. Organisations around the world cannot operate without it, yet must manage it well enough to protect assets and customers alike, so seeing it handled recklessly is disheartening. A Verizon Connect analysis on asset utilisation emphasises how useful data is and the importance of keeping track of these assets to avoid theft and loss. Yet back in April, social networking giant Facebook was reported to have suffered a data breach affecting 540 million people. The breach occurred because third-party Facebook applications held large datasets without the necessary protection, exposing the data to the public. It resembles the not-so-distant Cambridge Analytica scandal, and it puts Facebook's problems with policing its developers and partners at the forefront.


The lesson here is one of due diligence. Companies must take more responsibility for securing user data, which for Facebook is critical not only to stakeholder welfare but to the company's business model itself. Several reports, however, reveal that Facebook has been astoundingly careless in this regard. A recent report by security analyst Brian Krebs reveals yet another flaw: Facebook had apparently been storing hundreds of millions of user passwords in plain text, making that entire data set accessible to over 20,000 Facebook employees.



Another cyber attack that made the news earlier this year was the Toyota breach. An article in CPO Magazine claims that the information of over 3.1 million customers was exposed after hackers targeted several Toyota subsidiaries, including Lexus Koishikawa Sales, Lexus Nerima, and Toyota Tokyo Sales Holdings, among others. These subsidiaries were weak points because their security practices differed from those of the parent company, which made them convenient points of entry for the attackers.


To remedy this, companies must establish clear security policies that extend to their subsidiaries. When an organisation puts cyber security systems and policies in place, management must require its subsidiaries to follow suit, so as to protect user data and minimise data theft or loss across the board. Establishing a uniform minimum security baseline would lessen the occurrence of events such as these.




According to Verdict's report on the Canva data breach earlier this year, over 140 million users were compromised in a malicious attack by a hacker known as Gnosticplayers. This prompted the company to tell its users to change their passwords for the site, and for any other site on which they had reused the same password. Canva also informed its users that the hacker had stolen partial credit card information, but assured them that this information was virtually useless and that Canva never stores its users' full credit card details.


Now, while Canva took the necessary precautions to avoid a catastrophic outcome, ensuring that passwords were salted and hashed with bcrypt and never storing full credit card details, its major blunder lay elsewhere: in how it communicated the breach to its users. Instead of getting to the point and being clear with its compromised customers right away, Canva informed them of the breach in an email that opens with what can only be described as marketing fluff. Remember that only by being transparent can a company limit further damage to its users' safety and to its own reputation if and when a breach or cyber attack does occur.
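The contrast the post draws between Facebook's plain-text password store and Canva's salted bcrypt hashes, as an added example that is not code from the post or from either company. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (a third-party package); the user tables, the iteration count and the sample credentials are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user tables". Storing the password itself (the
# plain-text practice the post describes at Facebook) means anyone who
# can read the table, such as an employee, reads every password.
PLAINTEXT_STORE = {}
# Salted, iterated hashing (Canva's approach, with PBKDF2-HMAC-SHA256
# standing in for bcrypt here): a random per-user salt means identical
# passwords give different records and precomputed tables are useless.
HASHED_STORE = {}
ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def store_plaintext(user, password):
    """The anti-pattern: the secret is recoverable by any reader."""
    PLAINTEXT_STORE[user] = password


def store_hashed(user, password):
    """Fresh random salt per user, then a slow salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    HASHED_STORE[user] = (salt, digest)


def verify_hashed(user, attempt):
    """Recompute with the stored salt; compare in constant time."""
    record = HASHED_STORE.get(user)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def readable_secrets(store):
    """What a reader of the table learns: plain strings are passwords."""
    return [v for v in store.values() if isinstance(v, str)]


if __name__ == "__main__":
    store_plaintext("alice", "correct horse")
    store_hashed("alice", "correct horse")
    store_hashed("bob", "correct horse")  # same password as alice
    print(readable_secrets(PLAINTEXT_STORE))  # ['correct horse']
    print(readable_secrets(HASHED_STORE))  # []
    print(HASHED_STORE["alice"][1] != HASHED_STORE["bob"][1])  # True: salts differ
    print(verify_hashed("alice", "correct horse"), verify_hashed("alice", "wrong"))
```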



Post solely for the use of infinigate.co.uk

By Lindzi Guerra


Posted by: Infinigate UK