2019 Data Breach Calendar

(To Carlo Mauceli)

End of the year. Moments of reflection and even detachment, albeit brief, from everyday life.

Skiing in the beautiful mountains of Val Badia, I find myself remembering the songs of my adolescence and among these these verses come to mind:

"Or days or months that you always go away, always similar to you is this my life, different every year and every year the same, the tarot hand that you never know how to play, that you never know how to play".

Many readers, perhaps, will remember it. This is the beautiful song, indeed, poetry would be said, by Francesco Guccini: The twelve month song, incredibly suitable for these days. And so, humming to myself, with the sound of skis underfoot and the white that cloaks these magnificent mountains, the images of this 2019 that is about to leave us pass before my eyes.

The roof of the Notre Dame cathedral devoured by the flames is the most iconic shot of 2019 that we are going to leave behind. The wound inflicted on one of the symbols of Christianity sparked a wave of emotion and prayer that pervaded the whole world, including the Amazon, where the fires, this time not accidental, devastated the first green lung on the planet.

Greta Thunberg, the sixteen year old Swedish green activist, did not miss her cry of pain for the burning forest, while on a sailing boat (zero emissions target), she sailed the ocean, from the United Kingdom to the United States, to participate in the summit of the United Nations on climate change.

Women protagonists this year also in space. Two American astronauts entered history after taking the first walk among the stars for women. Descending to Earth, 2019 saw Hong Kong governor Carrie Lam repress university student protests in blood (photo). So far she has managed to hold onto the chair, the one that, however, is likely to lose the President of the United States, Donald Trump, who ended up under impeachment because of the Ukraine gate. Big party in the British royal house for the birth of Archie, the eldest son of the Dukes of Sussex, Harry and Meghan. The whole of England rejoiced with them, hit by a second Islamist attack on London Bridge after the one in 2017. Three victims, including the attacker. The death toll in New Zealand is much heavier, where in March a neo-fascist shooter attacked two mosques. Fifty-one broken lives.
As always, therefore, the end of each year is the ideal time to look back, to sum up, to make an analysis of what has happened, to know what we have left behind and what the future holds. Many things have changed and many have happened but there is one that, unlike many others, remains a constant, ever more lasting, eternal, I dare say. Something towards which the human being, while becoming increasingly aware of it, seems to be unable to find the right weapons to know it in depth, to be able to cope with it and to prevent it from spreading as the worst of the epidemics.

"What is it about?" you may ask yourself, perhaps curious, perhaps a bit distracted spectators or operators in the sector grappling with the effects of this disease from which it seems you cannot heal.

Its name is cyber security or, better, "cyber insecurity" given what 2019 has also reserved for us. It's a bit like in Guccini's song: "Different every year but every year the same" and to use an effect title, especially in English, we could write: "Biggest data breaches of 2019: Same mistakes, different year".

At this point I said to myself: "Why not try to make a calendar whose protagonist is not a beautiful model or an author's painting or a wonderful photograph?" And here it is the "2019 Data Breach Calendar" data breach most significant that characterized 2019, strictly divided by month.

Before scrolling through the album of memories, however, let's start by saying that the recurring reason among the main data breaches of 2019 was not the hooded hacker, imagined in a dark room with a terminal in front of it that reflects green writing. No. None of this. If you believe this, you are deluded poor people. The recurring reason, however, was the set of faceless executives and the set of security professionals, placed under the fluorescent lights of an office located somewhere who, frantically, talked with their lawyers in order to draft a some public apology after realizing that he had suffered a violation.

Words like "unprotected database" repeated like a refrain during 2019. Each month, a new company asked its customers to change their passwords and report any damage. Companies belonging to the healthcare, hospitality, government, energy and oil markets and many other areas of public and private industry have left their customers' sensitive data unprotected in the "wild lands of the Internet". Data that was bought and sold by hackers who didn't even have to make great efforts to find them.

And it is not just the result that a manic media coverage has highlighted. Unfortunately, the data are there to testify to the fact that, in 2019, the total number of violations increased by 33% compared to 2018, according to a Risk Based Security research, with the most affected medical services, retailers and public bodies. We are talking about a huge value that is around 7,9 billion data records exposed. In November, the research firm called 2019 the "worst year" for violations.

So, after these premises, let's go over this year through what have been the most significant cases of data breach.


Marriott kicked off 2019 with a record violation, when the hotel group announces it has suffered an attack by making records of something like 383 million customers public, including some passport numbers and credit card information. This is more than double the 147,7 million Americans affected by the Equifax violation. And to make matters worse, researcher Troy Hunt finds 773 million email addresses, along with a mega-trove of other data, in a collection of files on a cloud service.


February was a horrible month for online security thanks to the biggest data breach ever in history. Over 620 million accounts are exfiltrated from 16 websites and offered for sale on the dark web. Dubsmash, Armor Games, 500px, Whitepages and ShareThis are the owners of the sites that helplessly observe the data of their users stolen and sold for less than $ 20000 in Bitcoin. In the meantime, a series of smaller violations gives an idea of ​​the value of data in the health sector:

The files relating to 15.000 Australian patients are stolen and put on sale;
In Connecticut, unauthorized access allows the exposure of 326000 patient records;
The information of about one million Washington patients is published in a public database;
2,7 million calls to a Swedish national health line are recorded and made public.


Hundreds of millions of Facebook and Instagram users spend the worst St. Patrick's Day in their history when it is revealed that their credentials have been exposed due to the mismanagement of the social media company's password storage. In comparison, the exposure of 250.000 legal documents stored in an open database seems unimportant.


Still Facebook rises to the headlines with 540 million records exposed after leaving the user names, IDs and passwords, safely, in the open on unprotected servers. In the same month, Facebook admits to storing millions of passwords from Instagram users in the clear. This would be enough and instead not. In fact, another terrible violation of an Indian government health agency makes 12,5 million medical records of pregnant women public. The reason? They were stored on an unsecured server.


The top step of the podium, in May, goes to the real estate giant First American Financial Corp with its approximately 100 million insurance documents made public. This month, however, also sees a couple of original attacks in the limelight, relating to the food market:

Burger King leaves exposed a database containing the personal data of nearly 40000 customers of its online store;
The business of two rival Bay Area school catering companies turns into cyberwarfare when the CFO of one of the two is arrested for hacking the other's site and making the student data public.


At least 20 million patients see their data made public when the American Medical Collection Association is hacked. The damage? Several are undertaken class action against AMCA. In the meantime, the data breach is huge as patient bills, social security numbers, medical information, birth dates, phone numbers, addresses and more are public. the result? Managers contract such a high debt to customers who file for bankruptcy.


For us it is summer and July, you know it's a hot month. In fact, the case of Capital One breaks out. It seems a century has passed, right? Hard to believe that just five months ago the bank exposed 100 million credit cards, 140.000 social security numbers and 80.000 bank account numbers, including personal data such as names, addresses, postal codes, telephone numbers and dates of birth. The violation leads to the arrest by the FBI of Paige A. Thompson, a hacker suspected of being the author of the attack. Capital One claims to have become aware of the data breach on July 19 and that the estimated cost of the security incident is between 100 million and 150 million dollars, especially for customer notifications, credit monitoring and expenses for legal assistance.


An investigation reveals that 160 million records of the MoviePass company have been left unencrypted in an unprotected corporate database, making their customer's credit card data public. Meanwhile, in the UK, a hacker attack causes the exposure of 27,8 million biometric records held by the Metropolitan Police of London.


A hacker enters one of the Words with Friends game databases and obtains the data of 218 million players, including the players' email addresses, their names, login IDs and more. In the same month, an attack that affects fewer people takes place in Ecuador, when a poorly configured government database generates a data breach of 20,8 million user records. If we consider that Ecuador has an official population of around 17,5 million inhabitants, we can understand the extent of the damage.


A "show-stopping" of 4 billion records related to social profiles is made public due to a violation of an Elasticsearch server. Numbers never seen before. In the same month, Adobe was reported to have left 7,5 million Creative Cloud customer records in an unsafe database. Meanwhile, over 20 million tax documents relating to Russian citizens showing the information collected from 2009 to 2016, being stored on an open database, are viewed by anyone.


In November, the list of losses, hacking, violations and exposures gets longer thanks to a couple of accidents due to employees of two companies. Facebook returns to the front page after about 100 app developers have had inappropriate access to user profile data. It turns out that a Trend Micro employee had previously stolen the personal data of about 70.000 of the company's customers and that this data had been used to defraud customers.


About 100 women, victims of photo theft, say personal, expect a Christmas gift from the Dutch police: the conviction of the person responsible for the theft. He had violated the victims' personal iCloud accounts thanks to the credentials found in previous violations of public databases. The trial ends with a three-year sentence of socially useful work for the accused.

Our trip in 2019 ends here. As you can see, it has been a year full of really important cases. Italy has not been mentioned but this does not mean that it has been exempt from it, quite the contrary. Our ancestral culture of not making attacks public is the main cause of the lack of information, although I like to underline that two Italian companies, Saipem and Iren, which have suffered significant attacks, have instead made "public disclosure" of what happened by embarking on a path of technological modernization starting from security. Path that involved all employees with courses and awareness on the topic.

Returning, however, to my companion on this journey, Francesco Guccini, the last verses of his song give me the strength to believe that there is always hope for improvement.

"Men and things leave slender lazy shadows on the ground,
but in your days the said prophets Christ the tiger is born, Christ the tiger is born ... "

With the hope that it will be a resurrection for all those who fight "cyber Insecurity".

Happy 2020!

Photo: web