Data Breaches Archives - ESelfKey
https://selfkey.org/zh/category/data-breaches/
Self-Sovereign Identity for more Freedom and Privacy

Data Breaches: Risks and Consequences
https://selfkey.org/zh/data-breaches-risks-and-consequences/
Thu, 27 Apr 2023 10:36:42 +0000

Summary

Have you ever seriously considered the negative impacts of a data breach? Are you aware of the digital safety risks that lurk around the corners of the internet? And, did you know that cyberattacks may produce life-long consequences?

Nowadays, applications and websites have become so common that we consider them an integral part of our daily lives. And, because we have normalized it, individuals blindly share their private information with little thought given to the implications of doing so. 

We rarely ever stop to consider what happens to our personal data once we share it with large technology corporations. And that’s because we live with the illusion that our valuable or sensitive private information is safe and that cyber attacks cannot possibly reach us.

However, some serious privacy violations have occurred in the past several months. And they have exposed the severe effects of sharing personal information without proper attention to safety and privacy.

Despite data breaches occurring on a daily basis, they aren’t discussed as often as they should be. Individuals who have not experienced such incidents may assume that they are immune to them. But anyone can fall victim at any time, and the consequences of a data breach can be irreversibly harmful.

In this article, ESelfKey aims to provide an in-depth analysis of data breaches, recent events, and the potential aftermath for individuals whose personal information is compromised. 

It is highly important to spread awareness about the possible consequences of data breaches and to attempt to prevent them from happening at all. With ESelfKey’s decentralized solutions, a safer digital future may await us.

Let us elaborate on these crucial aspects in the paragraphs below.

Highlights

  • Defining data breaches: Meaning and Overview
  • Factors contributing to data breaches: Why, Who, and for What?
  • Caught Off Guard: When and Where Data Breaches Strike
  • Victims of data breaches: Are you safe?
  • Conclusions

Defining data breaches: Meaning and Overview

A brief, but fundamental introduction

Data breaches are serious security violations where confidential, protected or sensitive data is accessed, stolen or used by an unauthorized person or organization. These devastating incidents are also known as data spills, data leaks, or information disclosures, and they can occur in a variety of ways.

These digital attacks are typically well organized and initiated by malicious players, including organized crime, political activists, and national governments. However, even individuals who accidentally gain unauthorized access to systems with poor security configurations can cause data breaches.

The information that hackers may disclose can range from matters that may compromise national security to information that government officials want to keep hidden. When a person who has access to such information deliberately exposes it, for political reasons, it is usually referred to as a "leak".

The negative effects of a cyber attack: What happens after?

Data breaches can have far-reaching consequences, impacting a variety of information types including, but not limited to:

  • financial data, such as credit card information and bank details.
  • personally identifiable information (PII), such as full name, full address, IDs, birth certificate information, etc.
  • personal health information (PHI), such as full name, home address, or dates related to the health or identity of individuals.
  • trade secrets and intellectual property.
  • sensitive or valuable information, like photos or videos.

Unstructured data, such as files, documents, and private information, can also become exposed and vulnerable if proper security measures are not in place to protect them.

These cyberattacks aren’t limited to organizations or powerful institutions, though. Anyone could be a victim. And, worst of all, the compromise or theft of the information listed above can lead to any of the following:

  • financial losses
  • identity theft
  • reputational damage
  • legal repercussions

It's important for individuals and organizations to take steps to protect their sensitive information and implement strong security measures to prevent data breaches. 

ESelfKey understands the devastating consequences of data breaches and emphasizes the significance of implementing preventive measures. Responding promptly and adequately in case of such incidents is also highly important. 

Recent Data Breaches: The beginning of 2023

The frequency of data breaches has increased in recent years. Alarmingly, the past several months have seen a handful of significant incidents. 

  • One such example is TikTok’s illegal processing of data belonging to 1.4 million children under 13, who were using its platform without parental consent. This breach highlights the importance of proper data management practices, particularly when dealing with children's information.
  • Another example is the cyberattack on Yum! Brands, where attackers stole personal information belonging to some individuals, including names, driver's license numbers, and other ID card numbers. This kind of data is particularly sensitive and can be used to commit identity theft, among other crimes.
  • Finally, the hacking of The Kodi Foundation resulted in the exposure of personal information and private conversations of over 400,000 users. Such incidents can have long-term consequences for the affected individuals, including reputational damage and financial losses. These breaches emphasize the need for better cybersecurity measures and data protection practices across industries.

Factors contributing to data breaches: Why, Who, and for What?

Cyberattacks have become a prevalent threat to our digital lives, and they occur on both personal and larger scales. While most people may assume that only organizations with weak security measures are at risk, individuals are also susceptible to data breaches. 

In fact, personal cyberattacks often happen due to a lack of caution when it comes to protecting oneself online.

Why do data breaches occur?

One of the most common ways individuals make themselves vulnerable to cyberattacks is by using weak or predictable passwords. This makes it easy for hackers to access their accounts and steal sensitive information. Additionally, using the same password on multiple accounts makes it even easier for hackers to gain access to a person's entire online presence.

Lack of proper security measures is another way individuals put themselves at risk. Failing to have anti-malware protection on their devices can allow malware to infiltrate and infect their system. Similarly, exposing personal information publicly online, such as on social media, can provide hackers with the necessary information to carry out attacks.

Clicking on or accessing suspicious links is another way individuals can become victims of cyberattacks. It is worth mentioning that bad players often use phishing emails to trick people into giving up sensitive information. These emails can appear legitimate, so it's important to be cautious and verify the source before clicking on any links or providing personal information.

Who is responsible for data breaches?

Anyone could carry out a cyberattack, if they have the necessary tools, and if that is their intention.

Data breaches are a serious concern for individuals, organizations, and governments alike. These breaches are often the result of bad players with malicious intent. Perpetrators can range from organized crime groups seeking financial gain to political activists looking to disrupt or expose sensitive information. 

In some instances, national governments have conducted data breaches for espionage or other motives. Regardless of the motive, it's important for individuals and organizations to take steps to protect themselves from potential breaches and to respond quickly and effectively if one occurs.

What are the intentions of those who initiate cyberattacks?

Malicious individuals typically have two main intentions: financial gain or causing damage to institutions for various reasons. 

In pursuit of these goals, they may carry out data breaches that can have serious consequences for their victims. These attacks can result in the exposure of personal information and sensitive data, which can lead to identity theft, financial fraud, and other types of harm. 

Sometimes, larger feuds between hackers and their targets can result in victims becoming collateral damage and suffering the consequences of attacks that were not specifically directed at them.

Caught Off Guard: When and Where Data Breaches Strike

Data breaches can happen every second and anywhere, from major technology companies to large financial institutions, and even in our own homes.

Public places such as cafes or airports, which offer public Wi-Fi, can also provide opportunities for hackers to access personal data.

Recently, incidents involving Yum! Brands and TikTok have highlighted the vulnerability of powerful institutions to cyber attacks. However, individuals are also at risk in their personal lives.

At any given moment, scam messages spread by viruses or hackers can target friends and family members. Weak personal security measures, such as predictable passwords and email addresses, can leave individuals vulnerable to attacks. As a result, the malware can spread to the victim’s circle of friends, family, or acquaintances via personal messages or emails.

One common method used by attackers is phishing emails. They appear to be legitimate messages from a trusted source but actually contain malicious links or attachments. Clicking on these links can result in the installation of malware on a device, allowing attackers to gain access to sensitive information. 

Victims of data breaches: Are you safe?

Who do bad players target?

The victims of data breaches can be anyone whose personal data was involved, regardless of age, gender, occupation, or level of power. 

This includes children, women, men, students, teachers, and employees who trust their employers with their personal information. It also includes clients, customers, and patients who share their data with businesses and healthcare providers. 

It's important to recognize that anyone who uses the internet is at risk of being affected by a data breach, regardless of how small or popular they are. Constantly searching for vulnerabilities and ways to exploit them, bad actors can breach even the most seemingly secure systems.

That's why it's essential to take the right security measures, such as using strong passwords, regularly updating software, and being cautious when sharing personal information online. By being proactive about data security, individuals and organizations can help protect themselves and minimize the potential impact of a breach.

How can Data Breaches affect you? 

Individuals can be affected by data breaches in two different ways:

  1. At a large scale, when a centralized system is hacked, which can affect millions of people. 
  2. On a personal level, when an individual's personal online accounts are hacked. In this case, the breach may only affect one person, but it can still have severe consequences, such as financial loss or identity theft. 

In both cases, it's crucial to take steps to protect yourself and your personal information. ESelfKey advises using strong passwords, enabling two-factor authentication, and regularly monitoring your financial accounts for suspicious activity.

Large Scale: Attacking Businesses

Large-scale data breaches can have far-reaching consequences that extend beyond the immediate victims. 

While companies, institutions, and organizations are often the primary targets of such attacks, individuals can also suffer the consequences on a personal level. Even if the attack was not personally directed at them, they could still become collateral damage if the company they have trusted their PII with falls victim to a data breach. 

The consequences of this kind of data breach can be severe and long-lasting, for instance:

  • Companies can face financial losses, damage to their reputation, and even legal action.
  • Institutions may lose the trust of their stakeholders and customers, leading to a decline in business. 
  • Organizations may find it difficult to attract and retain talent if they cannot demonstrate that they take data security seriously.

Furthermore, large-scale data breaches can lead to a loss of trust in the digital economy. If people cannot trust that their personal information is secure, they may be less likely to use online services and conduct transactions digitally. This could lead to a decline in e-commerce and other digital industries, negatively impacting the overall economy.

All in all, the consequences of large-scale data breaches are not limited to the immediate victims. Companies, institutions, organizations, and individuals can all suffer the effects of these attacks.

Below, we will examine some of these negative impacts more thoroughly.

Temporary Shut Down

Data breaches can have a significant impact on companies, not only in terms of the immediate costs but also in terms of long-term consequences. When a company experiences a data breach, it may be forced to halt its activity temporarily, which can result in millions of dollars in damages.

Based on industry surveys, Gartner puts the cost of operational downtime at around $5,600 per minute, which translates to $300,000 per hour. This can add up quickly, especially if the breach is not resolved promptly.

In addition to the financial costs, a data breach can also damage a company's reputation and erode the trust of its customers, leading to long-term consequences.

For example, Expeditors International is still dealing with the aftermath of a data breach that occurred in February 2022, which forced it to halt its activity temporarily. The company is likely to experience long-term consequences as a result, including a potential loss of business and damage to its reputation. 

It is therefore crucial for companies to take proactive steps to prevent data breaches from occurring and to have a solid plan in place for responding to them if they do occur.

Financial Loss

Financial losses can arise from two main sources following a cyberattack: 

  • Ransomware
  • Legal actions

Ransomware attacks can result in significant financial losses for organizations, as hackers can demand large sums of money in exchange for unlocking access to their encrypted data. 

The growth of ransomware attacks is a cause for concern, with experts predicting that the total cost of ransomware damages worldwide could reach $265 billion by 2031.

Legal actions can also result in substantial financial losses for organizations. The Equifax data breach in 2017 affected over 145 million people worldwide and has already cost the company more than $700 million in compensation to affected US customers. The breach also affected an estimated 15 million customers in the UK, who have launched their own separate legal action in the high court seeking £100 million in compensation. 

Legal actions can be costly and time-consuming, and the reputational damage caused by a data breach can have long-term consequences for an organization's financial performance.

Reputational Damage

Reputational damage is a major concern for companies that experience large-scale data breaches. Such damage can lead to revenue loss and have long-term impacts on the company. 

When a company's reputation is tarnished due to a history of data breaches, people are less likely to trust the company with their payment information, and they may choose to take their business elsewhere. 

This loss of trust can be difficult to overcome. Therefore, companies must take steps to protect themselves and their customers from data breaches. Additionally, they must try to maintain their reputation and ensure their long-term success.

Loss of Private Data

Sensitive data and intellectual property are two key areas that hackers target in a cyber attack. 

Sensitive data can include, but are not limited to:

  • Personal information belonging to customers, patients, and employees.
  • Private company emails that contain personal health history, home addresses, and payment information. 

When this type of data is breached, it can lead to significant financial losses and reputational damage for the company.

Intellectual property is another target of hackers, particularly designs, strategies, and blueprints. When intellectual property is stolen, the competition can take advantage of the leaked information. And this, in turn, may cause long-term damage to the company's competitive advantage.

Businesses within the manufacturing and construction industries are particularly vulnerable to these types of cyber threats. Many small businesses believe that they are unlikely to be targeted by hackers, but this is not the case.

In fact, 60% of all hacks target small businesses because they are often easier to attack. It is therefore crucial for businesses of all sizes to take proactive measures to protect their sensitive data and intellectual property from cyber threats.

Personal Level: Targeting the Individual

Data breaches at a personal level often occur due to a lack of caution when operating in the digital world and inadequate security measures. 

People may accidentally share sensitive information, such as their social security number or credit card details, on unsecured websites. Alternatively, they could fall victim to phishing scams that trick them into revealing their login credentials.

Additionally, using weak passwords and not updating software and operating systems can leave personal devices vulnerable to hacking. 

SelfKey’s decentralized solutions are centered around the individual’s privacy and security, with a strong emphasis on individuality. It is highly important for individuals to be vigilant when using digital platforms and take appropriate security measures to protect their personal data from cyber threats. 

Identity Theft

Identity theft is a serious crime that can have devastating consequences for its victims. 

When criminals gain access to a victim's personally identifiable information (PII), such as their full name, Social Security number, and birthday, they can wreak havoc on their financial and personal lives. 

Victims can have their bank accounts emptied, credit histories ruined, and valuable possessions taken away. In some cases, victims have even been wrongly arrested for crimes they did not commit. This is because the criminal may use the victim's identity to commit cybercrimes or other illegal activities, leaving the victim facing legal action and potentially a criminal record.

Notable examples of identity theft

  1. The case of Nicole McCabe, an Australian woman suspected of murder after her passport was compromised and her identity stolen. 
  2. Several victims of identity theft had to struggle with proving they were not responsible for the withdrawal of large amounts of cash from banks, or illegally attempting to obtain loans worth thousands. 
  3. The terrifying story of Andorrie Sachs, whose medical identity was stolen by a pregnant woman who gave birth in Sachs' name and left the baby at the hospital, resulting in a $10,000 hospital bill. 

Local authorities mistakenly reported Sachs as an unfit mother and threatened to take her children away. This could also have lifelong implications for Sachs as the perpetrator had a different blood type, and uncorrected medical records could result in Sachs' death if she ever needed a blood transfusion. A healthcare provider could even prohibit Sachs from reviewing her own medical records as they might not be in her name.

This is one of the many reasons why ESelfKey strongly encourages individuals to take proactive steps to protect their personal information, such as:

  • Using strong passwords.
  • Regularly checking their credit report.
  • Being cautious when sharing personal information online. 

By being vigilant and taking appropriate security measures, individuals can reduce their risk of falling victim to identity theft and the devastating consequences that can follow.

Personal Health Information

Stolen personal health information (PHI) is highly valuable on the Dark Web, where it can be worth more than 200 times as much as stolen credit card information.

This type of identity theft can have serious consequences, including, but not limited to:

  • Obtaining illegal medical treatments or prescription drugs.
  • Altering the victim’s medical history.
  • Using up the victim’s medical benefits. 

Hackers can also sell stolen PHI to other criminals, who can use it for a range of illegal activities.

Given these horrifying facts, ESelfKey strongly advises individuals to take steps to protect their medical identity, such as:

  • Regularly checking medical records for errors.
  • Checking for signs of fraudulent activity.
  • Ensuring that their healthcare providers have proper security measures in place to protect their PHI.

Financial loss

Once malicious individuals obtain your PII, they could potentially use it to damage your credit score and commit financial fraud.

A lowered credit score can:

  • Make it challenging for the victim to obtain a personal loan.
  • Make it challenging for the victim to secure a mortgage.
  • Even impact job prospects.

Additionally, individuals who commit identity fraud can open new bank accounts in your name, drain your existing accounts, and commit check fraud. They can also apply for credit using your information, and engage in a variety of other banking scams. All things considered, it’s important to be vigilant in safeguarding your PII. The long-term financial consequences of a data breach can be severe.

Impersonation on Social Media

Cybercriminals can use your digital identity to carry out various malicious activities that can cause significant harm. Here are only a few terrifying examples:

  • They can use your digital identity to phish for credentials from your friends and family, leading to further attacks. 
  • They can ruin your reputation by posting obscene or profane content online, damaging your personal and professional relationships. 
  • They may look for sensitive photos and videos in your account and use them to extort you, leading to emotional distress and financial loss. 

As horrifying as this may sound, there are ways to prevent this kind of disaster from causing irreparable damage to your digital identity. For instance, ESelfKey’s AI-Powered Proof of Individuality methods may be the key to protect individuals against identity theft.

Emotional and Mental impact

A personal data breach can lead to significant mental and emotional distress. The harm caused can take a long time to recover from, depending on the extent of the damage done by the hacker. 

Along with reputational damage, victims may also have to spend a considerable amount of time and money to mitigate the fallout. And, the steps towards recovering from such a cyberattack could be draining in themselves. 

Victims may have to spend endless hours or days:

  • Contacting their bank, lenders, and creditors.
  • Securing all their online accounts.
  • Replacing stolen identification documents.
  • Canceling and replacing bank accounts and credit cards.
  • Dealing with criminal charges made in their name. 

Victims will also need to remove malware and viruses from their devices, while constantly proving their identity and showing that it was stolen, a process which can be emotionally, mentally, and physically exhausting in itself.

Worst of all, if affected individuals fail to repair compromised information or remove malware from their devices, they will risk falling victim to the same attacks over and over again.

The long-lasting consequences of a data breach can be devastating, particularly if your PII or PHI end up on the Dark Web. The information could be in circulation there indefinitely, making you vulnerable to further harm.

SelfKey’s visions for a safer digital future

Recent events have demonstrated the devastating impact that data breaches can have on individuals and organizations. That's why ESelfKey is emphasizing the importance of security when it comes to online interactions and digital identities. 

By developing decentralized solutions with Self Sovereign Identity in mind, ESelfKey is using the potential of modern technology in its aim to counteract these breaches. AI-powered proof of individuality is one solution that may fight against maliciously used AI, to prevent identity theft. 

It's important to raise awareness about data breaches and their potential consequences, and to teach individuals and organizations how to prevent them or how to respond in case one occurs.

Conclusions

In this modern, digital world, we have normalized sharing our personal data online. However, this does not mean that our personal information is necessarily safe.

In fact, data breaches are becoming more and more common, and the consequences can be severe and irreversible. That's why it's crucial for individuals and organizations to take caution when sharing and storing their personal data.

ESelfKey is focused on developing solutions which may prevent data breaches and enable individuals to operate safely in the digital world. At the heart of their approach is a commitment to the idea that privacy is a basic human right that should not be traded for convenience. 

By prioritizing privacy and security in their technology solutions, ESelfKey is aiming to help empower individuals to take control of their digital identities and protect their personal information.


Note:

We believe the information is correct as of the date stated, but we cannot guarantee its accuracy or completeness. We reserve the right not to update or modify it in the future. Please verify all information independently.

This communication is for informational purposes only. It is not legal or investment advice or service. We do not intend to offer, solicit, or recommend investment advisory services or buy, sell, or hold digital assets. We do not solicit or offer to buy or sell any financial instrument. 

This document may contain statements regarding future events based on current expectations. However, some risks and uncertainties could cause results to differ. The views expressed here were based on the information that may change if new information becomes available.

A Comprehensive List of Cryptocurrency Exchange Hacks
https://selfkey.org/zh/list-of-cryptocurrency-exchange-hacks/
Fri, 20 Jan 2023 08:22:18 +0000

Cryptocurrency exchanges come and go, and it’s almost inevitable that an exchange will get hacked at one point or another. While cryptocurrencies themselves are very secure, exchanges can be affected by a variety of vulnerabilities, making them a prime target for malicious actors.

State of the industry - February 2020: As it stands, 2019 saw a record number of twelve crypto exchanges being hacked. That being said, across the board the amounts of crypto stolen were worth less. In total, $292,665,886 worth of cryptocurrency and 510,000 user logins were stolen from crypto exchanges in 2019.

One would hope that as time goes on cryptocurrency exchanges would become more secure. The unfortunate reality is that more exchanges are hacked every year. As cryptocurrency and exchanges remain largely unregulated, it is unclear as to who has jurisdiction over cryptocurrency markets. 

We’ve compiled a comprehensive list of cryptocurrency exchange hacks - you’ll be amazed at how much has been stolen over the years.

2020

February - Altsbit - 6,929 BTC, 23,210 ETH, 3,924,082 ARRR, 414,154 VRSC & 1,066 KMD

Italian cryptocurrency exchange Altsbit had only been around for a few months before it was hacked. Initially, the exchange announced the hack stating that almost all funds had been stolen. After some more thorough research, it appears Altsbit only lost under half of the crypto it was storing.

Altsbit has announced that it only has enough funds to issue partial refunds, and that they will be closing their doors in May 2020. Hacking group Lulzsec has claimed that they are responsible for the hack, though it is still unclear how they managed to pull it off. Approximately $70,000 worth of cryptocurrency was stolen.

2019

November - Upbit - 342,000 ETH

South Korean exchange Upbit suffered a massive breach when hackers made off with 342,000 ETH (valued at $51 million at the time of the hack). Rumors swirled that this was an inside job, as the stolen crypto had allegedly been taken from Upbit’s cold wallet. This turned out to be a false alarm. Thankfully, Upbit promised to cover the losses.

However, the story doesn’t end here. The stolen crypto has been on the move. Whoever took it has been moving it between wallets, although it is unclear what purpose this will serve. As of January 2020, Upbit has completed a major security update after a brief suspension of services.

November - VinDAX - $500,000 Worth of Cryptocurrency

Based in Vietnam, VinDAX is a relatively small crypto exchange that mainly conducts token sales for relatively unknown blockchain projects. Hackers don’t care about the size of the exchange; they just care about the money, and they managed to steal half a million dollars worth of crypto from VinDAX.

In response, VinDAX emailed the projects that had been impacted by the theft asking for funds. It’s unclear if any of the projects accepted the offer or not. 

July - Bitpoint - 1,225 BTC, 11,169 ETH, 1,985 BCH, 5,108 LTC & over 28 million XRP

After noticing an error in its outgoing funds transfer system, Japanese exchange Bitpoint immediately suspended its services. However, it was too late. Thanks to a security breach, hackers made off with over $30 million worth of cryptocurrency.

Luckily, Bitpoint was able to recover $2.3 million of the stolen crypto from overseas exchanges. Bitpoint has said that they will compensate their users, but have not released a time frame as to when that will happen.

June - Bitrue - 9.3 Million XRP & 2.5 Million ADA

Bitrue is a Singapore-based cryptocurrency exchange that experienced a major hack to its hot wallet. Only 90 Bitrue users were affected, but the cryptocurrency that was stolen was worth almost $5 million. Luckily for users who lost their funds, Bitrue has reassured them that they will be fully repaid.

June - GateHub - 23,200,000 XRP

This UK and Slovenia-based cryptocurrency exchange suffered from a large hack this summer where hackers made off with $10 million worth of Ripple. While it is still unclear as to how exactly the hacker(s) gained access to user funds, the culprit(s) managed to access encrypted secret keys. So far, GateHub has managed to make some progress in recovering the stolen funds.

May - Binance - 7,000 BTC

Despite the fact that we are now in 2019, hackers still managed to use a phishing scam and malware to hack into Binance. The malicious actors ran off with $40 million worth of Bitcoin. As a result, Binance promised to increase its security, but users are understandably wary.

It appears that customer data may have been stolen as well. In August 2019, someone started sharing customer verification information from Binance on a Telegram channel. It has been alleged that this data was also taken during the hack, and that up to 60,000 users may be affected.

March - DragonEx - $7 Million Worth of Cryptocurrency

The Singapore-based crypto exchange DragonEx suffered an attack in which hackers made off with $7 million worth of cryptocurrency. The North Korean hacking group Lazarus was responsible. The hackers created a legitimate-looking fake company and convinced DragonEx employees to download malware onto their computers through Telegram and LinkedIn messages.

DragonEx has taken full responsibility for the hack and will be issuing refunds to those who lost funds. The exchange is also working with the police to see if they can recover the stolen crypto.

March - Bithumb - 3 Million EOS & 20 Million XRP

This South Korean cryptocurrency exchange was the victim of a suspected insider job. It all started with a suspicious withdrawal, and the exchange immediately suspended all withdrawals on their platform, but it was too late. Who conducted the hack is still unknown, but since there is no evidence of outsider interference, many suspect that it was a Bithumb employee who stole the funds.

March - CoinBene - Unknown

Problems started to surface for CoinBene when funds began to mysteriously move out of the exchange’s hot wallet. Analysts were worried, especially since the exchange was down for maintenance, a typical post-hack response. Despite assurances from CoinBene that nothing had happened, the exchange was down for a whole month.

One of the more bizarre aspects of this hack is CoinBene’s unwillingness to admit that anything was wrong. The hack also came on the heels of a report by Bitwise Asset Manager which accused CoinBene of wash trading to manipulate the crypto market. The details are still extremely murky, but it is believed that over $100 million worth of cryptocurrency was stolen in the hack.

February - Coinbin - Unknown

In a bizarre turn of events, Youbit (formerly known as Yapizon) rebranded months later as Coinbin. Having already faced two massive hacks, you would think that Coinbin would be extra careful. However, this hack was an inside job.

It appears that the former CEO of Youbit was still working at Coinbin, and was embezzling company funds. This employee allegedly had access to private keys and was able to siphon off funds from multiple accounts. As a result, Coinbin filed for bankruptcy and shut down while still owing users $30 million.

February - Coinmama - 450,000 User Emails & Passwords

This is a slightly less conventional hack, because instead of stealing money the hackers just stole information. Coinmama is one of the largest cryptocurrency brokers with over a million active users. There appears to have been little fallout from this hack, as Coinmama informed users rapidly once they learned that user data was being leaked on the dark web. To date, no cryptocurrency has been stolen.

January - Cryptopia - 1,675 ETH

Unfortunately for Cryptopia, they suffered from another hack 15 days after the first one. That was the end of the New Zealand-based exchange - they are now going through the liquidation process.

2020 Update: Cryptopia is still undergoing liquidation, but it has now been revealed that the exchange was failing to meet anti-money laundering (AML) requirements when creating new user accounts. For over 900,000 active user accounts, there is no customer data beyond usernames and email addresses. 

Less than 1% of users had completed customer identification, a vital part of AML procedures which ensures that customers are who they say they are. Thousands of accounts which held over $3 million worth of cryptocurrency were traced back to uninhabited islands or physical addresses that didn’t exist. As it stands, many of those who lost funds in the hack aren’t eligible to be refunded by liquidators because there is not enough information on who owned what accounts. 

While it’s unfortunate that Cryptopia experienced two back-to-back hacks within a month, it’s clear that the exchange was not doing its due diligence. Given that most of the active users on Cryptopia were from outside New Zealand, more should have been done to enforce AML compliance measures.

January - Cryptopia - Min. 19,390 ETH

It all started with Cryptopia users having difficulty accessing their accounts, and it only went downhill from there. The company originally thought it was a technical issue, but later clarified on Twitter that it was a security breach. The exact amount stolen in the hack is still unknown.

2018

December - QuadrigaCX - 26,350 BTC

While this doesn’t quite qualify as a hack, it is too unbelievable to not include on this list. 

QuadrigaCX was Canada’s largest cryptocurrency exchange, owned by Gerald Cotten. Cotten was the only person who knew how to access the cold wallets belonging to the exchange.

In December, while on his honeymoon in India, Cotten died and took any information on how to access the cold wallets to his grave. QuadrigaCX had already been struggling and rumors of bankruptcy had been floating around, and with Cotten’s passing the exchange collapsed. Conspiracy theories started popping up that Cotten wasn’t actually dead and had just pulled a very elaborate exit scam.

As investigations into QuadrigaCX’s finances began, things took a bizarre turn. Six cold wallets were identified as belonging to QuadrigaCX. However, when investigators looked at the wallets, five of them had been emptied around April 2018. No one is really sure what has happened, and investigations are still ongoing. Cotten’s widow has voluntarily returned $9 million in assets from Cotten’s estate to repay users.

2020 Update: Over a year later, what exactly happened to QuadrigaCX is still very unclear. It continues to be alleged that Cotten isn’t actually dead and there have been multiple attempts to get his body exhumed. An initial request was denied; however, a new one has been made by the lawyers representing those who lost their funds.

There are also alleged ties to a shadow bank in Panama called Crypto Capital. Lawyers of the exchange suspect some of the funds that are missing may be stored in Crypto Capital and have asked any former QuadrigaCX users for their assistance on the matter.

As of January 2020, the FBI is now involved. A victim specialist from the FBI has been reaching out to former users and directing them to a portal where they can obtain more information. It remains unclear if we’ll ever have the answers about what actually happened at the exchange.

October - MapleChange - 913 BTC

This hack is still up for debate as many believe it was part of an exit scam. MapleChange was a small, Canadian cryptocurrency exchange that began to see an uncommon spike in exchange activity starting in October. Later that month, the exchange announced that it had been hacked and that all funds (valued at $5.7 million) had been withdrawn. As a result, MapleChange announced it was closing its doors for good.

What made people suspicious was the immediate removal of the MapleChange website, social media accounts, and Discord and Telegram channels. The lack of communication has led many to believe that there was no hack despite MapleChange insisting they were just taking a break to decide how to proceed.

Instead of deciding to pay anyone back, the crypto exchange gave what little they had left to the developers who had created the remaining coins. The internet is still divided as to whether or not the whole thing was a hack or just another scam. 

September - Zaif - 5,966 BTC

This is yet another case where it’s unclear how hackers stole the funds. However, Zaif did file a criminal case with their local authorities, which makes it sound like they have an idea as to who did it. Either way, this Japanese exchange lost $60 million worth of cryptocurrency.

June - Coinrail - 1,927 ETH, 2.6 Billion NPXS, 93 Million ATX, 831 Million DENT Coins & large amounts of 6 other tokens

Despite the fact that Coinrail was a relatively small cryptocurrency exchange, it did a lot of business which drew the attention of hackers. Exact details of the attack are still unclear, and the exchange lost an estimated $40 million.

June - Bithumb - $31 Million Worth of XRP

Unfortunately Bithumb’s hacking problems didn’t start in 2019. The exchange was hacked in 2018 as well (and you will see them again on our list), with hackers making off with substantial amounts of Ripple. This hack appears to be orchestrated by a group of North Korean hackers known as the Lazarus Group, who have been responsible for a number of cryptocurrency hacks over the years. Luckily for Bithumb users, the exchange promised to pay back any stolen funds.

May - Bitcoin Gold - $18 Million Worth of BTG

This is probably one of the stranger hacks on our list, as a cryptocurrency exchange wasn’t hacked but a cryptocurrency was. Bitcoin Gold was an offshoot of the original Bitcoin, which took a hard fork from Bitcoin as an attempt to decentralize (ironic given that Bitcoin is already decentralized). 

Bitcoin Gold became the victim of a 51% attack, a rare occurrence where hackers managed to gain control of more than 50% of the network’s computing power. From there, attackers can prevent confirmations, allowing them to effectively stop payments between users and make changes to the network’s blockchain ledger. This type of attack was thought to be rare, if not impossible, until the Bitcoin Gold incident.

Using some complicated maneuvers, hackers put their Bitcoin Gold onto exchanges, traded them for other cryptocurrencies, then withdrew the amount. And because they had control of Bitcoin Gold’s blockchain ledger, they could simply return the original Bitcoin Gold back into their own wallet, essentially stealing money from exchanges.

May - Taylor - 2,578 ETH

Taylor is a cryptocurrency trading app that ran a successful initial coin offering (ICO) in order to get funding. Unfortunately, not long after, hackers managed to gain access to a company device and took control of a password file. The malicious actors stole all of the Ethereum raised in the ICO, valued at $1.5 million. There were concerns that this was just another exit scam, but it appears that Taylor has slowly managed to rebuild.

April - CoinSecure - 438 BTC

CoinSecure, an Indian cryptocurrency exchange, lost Bitcoin valued at $3.5 million at the time of the hack. However, it seems like this one was an inside job. The owners of CoinSecure believe their former Chief Security Officer stole the funds. It seems they may have been onto something, as he was later arrested.

February - Bitgrail - 17,000,000 NANO

Over $170 million was stolen from the Italian exchange Bitgrail, and the details are a little fuzzy. While the owner, Francesco Firani, announced the hack, other Bitgrail employees denied it and said there was nothing wrong. People are skeptical as to whether this was an actual hack, or an attempt at an exit scam.

January - Coincheck - 523,000,000 NEM

Coincheck was the leading exchange in Japan, but the hack showed how remarkably unsecure the platform was. The hackers managed to spread a virus through email that allowed them to steal private keys. After that it was remarkably easy, as Coincheck did not use smart contracts or multi-signatures, and all coins were stored in the same wallet. The total value of cryptocurrency stolen is one of the highest ever, valued at $533 million at the time of the hack. 

Remarkably, the cryptocurrency exchange is still in business. It began offering full services again in November 2018. Although the hack was believed to have been carried out by North Korean hackers, the malware originated from Russian hacking groups.

2017

December - NiceHash - 4,736 BTC

NiceHash is a cryptocurrency mining marketplace that allows miners to rent out their hash rate to others. Their payment system was compromised, causing the contents of users’ Bitcoin wallets to be stolen. The exact amount stolen was never confirmed by NiceHash, but it is strongly believed to be 4,736 BTC, worth about $62 million at the time. This story ends on a happy note though, as NiceHash managed to return 60% of the stolen funds to users.

December - Youbit - Unknown

Youbit (formerly known as Yapizon) was a relatively small South Korean cryptocurrency exchange that had experienced a hack earlier in 2017. This time, hackers made off with 17% of the exchange’s holdings. This marked the end for Youbit; they filed for bankruptcy the same day.

July - Bithumb - $7 Million Worth of BTC & ETH

Bithumb makes yet another appearance on this list. At the time of this hack, Bithumb was the fourth largest cryptocurrency exchange by volume worldwide. An unknown hacker managed to gain access to an employee’s personal computer and stole the details of over 30,000 Bithumb users. Not long after, users started to notice their accounts being drained. 

April - Yapizon - 3,800 BTC

Before Yapizon changed their name to Youbit, they experienced their first hack. Malicious actors managed to run off with $5 million worth of Bitcoin and Yapizon did its best to mitigate the damages.

2016

August - Bitfinex - 120,000 BTC

This Hong Kong-based cryptocurrency exchange had claimed to be the most secure exchange in the world. Unfortunately, that proved to be very untrue. Hackers made off with a large amount of Bitcoin through Bitfinex’s processing service - BitGo. The price of Bitcoin plunged as a result of the hack.

May - GateCoin - 250 BTC & 185,000 ETH

GateCoin was one of the first regulated cryptocurrency exchanges at the time, and its popularity made it a prime target for malicious actors. Hackers managed to gain access to user wallets and stole cryptocurrencies valued at $2 million. That was the nail in the coffin for GateCoin - the exchange never recovered. 

April - ShapeShift - $230,000 Worth of Cryptocurrency

Over the course of a month, the cryptocurrency exchange ShapeShift was hacked three separate times. According to a detailed report by ShapeShift CEO Erik Voorhees, a former employee was responsible for all three hacks. The exchange pledged to rebuild, and it is one of the few that has managed to do so successfully.

2015

February - BTER - 7,170 BTC

This China-based exchange had its cold wallet hacked, leading to a loss of over $1.5 million worth of Bitcoin. Users on Reddit were very suspicious, as it is extremely difficult to hack a cold wallet, and hypothesized that the hack was an inside job.

February - KipCoin - 3,000 BTC

You’ll see Linode further down on our list, but it was a hosting server for a few cryptocurrency exchanges. It was hacked again in 2014, which this time caused a security breach on the KipCoin server. The hackers managed to gain control of the entire platform by changing passwords internally. A month-long struggle ensued, in which the administrators managed to regain control of the exchange, but the hackers still lurked. At the time of the hack, KipCoin did not tell users what was happening in light of the Bitstamp hack and only later revealed the information.

January - Bitstamp - 19,000 BTC

Bitstamp was the first licensed cryptocurrency exchange in Europe. It was compromised when hackers sent a malicious email to Bitstamp employees, and it only took one employee to follow the link and expose the whole exchange. The attackers made off with Bitcoin valued at $5.1 million at the time.

January - LocalBitcoins - 17 BTC

While this was a relatively small hack, it proved a point when it came to spending money on cybersecurity. Attackers used the LocalBitcoins live chat to distribute malware then made off with a relatively small profit. 

January - 796 - 1,000 BTC

It was not a good start to the year for cryptocurrency exchanges in 2015. Chinese exchange 796 had its server compromised, and hackers tampered with withdrawal addresses to trick users. It worked, and major shareholders footed the bill so users didn’t have to lose funds themselves.

2014

October - MintPal - 3,700 BTC

MintPal experienced their second hack in October (scroll down to read about the first one in July), but this one had a lot more twists and turns. Not long after the hack in July, MintPal was purchased by a company called Moolah (also known as Moopay Ltd), owned by Ryan Kennedy alias Alex Green.

After a failed relaunch of MintPal, Moolah announced it was closing its doors but users would be able to still use MintPal. However, user accounts were locked and users were able to track funds being removed from wallets and then watch them be sold on another platform. Kennedy was the only one with access to customer funds, and he was currently on the run. 

Kennedy was arrested in 2016 on rape charges and is now in jail. He is now also facing charges of fraud from the UK police for his involvement in the MintPal hack.

July - Cryptsy - 13,000 BTC & 300,000 LTC

A trojan virus was inserted into the code of Cryptsy by a hacker going by the name of Lucky7Coin. As a result, Lucky7Coin (and potentially others) walked away with a staggering amount of cryptocurrency. The owner of Cryptsy, Paul Vernon, was accused of destroying evidence and stealing Bitcoin himself and the exchange declared insolvency. Vernon was successfully sued for $8.2 million in a class-action lawsuit.

July - MintPal - 8 Million VRC

Before MintPal’s unfortunate takeover by Alex Kennedy, they experienced another hack. The hacker found a weak point in the withdrawal system on the exchange, and managed to authorize a withdrawal from the Vericoin wallet. The site’s Bitcoin and Litecoin wallets were also targeted, but nothing was stolen. The hack resulted in the loss of 30% of all Vericoin, which caused the Vericoin development team to decide on a hard fork in order to mitigate the damages.

March - Mt.Gox - 850,000 BTC

You might be surprised to see this name again, and attached to what is one of the biggest hacks of all time. The investigation is still ongoing and the situation is far from clear, but it appears that when Mt.Gox was originally hacked in 2011, some private keys were also stolen by malicious actors. The hackers gained access to a large number of Bitcoin and started emptying wallets.

Purportedly due to an error in the Mt.Gox systems, the exchange was interpreting these withdrawals as deposits for nearly two years. It was a huge error, costing users a total of $45 million and marking the end of the cryptocurrency exchange. Mt.Gox filed for bankruptcy within the month, and as a result the price of Bitcoin dropped 36%. The former CEO of Mt.Gox was arrested in 2015 after it was discovered he had $2 million worth of Bitcoin that had allegedly been stolen in the hack.

In November 2017, a Russian national by the name of Alexander Vinnik was arrested by US authorities for playing a key role in laundering the Bitcoin that had been stolen in the hack. The story still isn’t over, but there also doesn’t seem to be a clear resolution in sight. 

March - Poloniex - 97 BTC

In the same month, hackers managed to take advantage of an incorrect withdrawal code of this US-based cryptocurrency exchange. While the company did not report exactly how much was stolen, the figure has been explained on the Bitcointalk forum. There is still some speculation as to whether the hack was an inside job or not.

2013

November - BitCash - 484 BTC

The Czech-based exchange Bitcash lost Bitcoin after a hack on their servers. The attackers gained access to emails and sent out a phishing scam, pretending to be Bitcash to obtain customer information, which they then used to steal funds.

May - Vicurex - 1,454 BTC

While the hack of Vicurex has never exactly been confirmed (leading some to believe it was an inside job), the cryptocurrency exchange announced it had lost most of its reserve funds to attackers. Vicurex, claiming near bankruptcy, froze all withdrawals, leading several former customers to sue the company for withholding their money.

2012 

September - BitFloor - 24,000 BTC

At the time of the hack, BitFloor was the fourth largest exchange on the US market. Attackers managed to gain access to the servers and found unencrypted backup wallet keys. From there, they simply siphoned out the funds, worth a cumulative $250,000. 

May - Bitcoinica - 18,457 BTC

Unfortunately for Bitcoinica, they suffered another hack just two months after their initial hack. This led many to suspect that the original security issues from the Linode attack in March had never actually been effectively dealt with. The site was immediately shut down and the exchange was ultimately closed for good.

March - Linode - 43,000 BTC from Bitcoinica & 3,000 BTC from Slush

This one is a little complicated. Linode is a web hosting provider, and they hosted the cryptocurrency exchanges Bitcoinica and Slush. Linode itself was hacked, and the attackers managed to steal significant amounts of Bitcoin from both exchanges.

2011 

June - Mt.Gox - 2,643 BTC

While at the time this was a relatively modest hack, it was just the beginning of problems for Mt.Gox. In this hack, attackers were able to gain access to a computer belonging to an auditor at the cryptocurrency exchange. The malicious actor changed the price of Bitcoin to $0.01, purchased them at the artificially low price and made off with a small fortune.

October - Bitcoin7 - 11,000 BTC

In this case, hackers from Russia and Eastern Europe managed to gain access to Bitcoin7’s servers. This also gave them access to the exchange’s main BTC depository and two backup wallets. Bitcoin7 continues to exist with an obviously spammy website (steer clear!).

Conclusion

Cryptocurrencies are relatively safe, but take a look at this list to make sure the cryptocurrency exchange you use isn’t on it! Exchanges are always at risk of attack, especially when they are doing a lot of business. It’s important that cryptocurrency exchanges take security seriously, and put a number of measures in place to prevent security breaches. 

Any decent cryptocurrency exchange should outline what security measures they have in place. If they don’t, and fail to adequately justify their reasons for withholding that information, then that’s a red flag you would do well to pay attention to.

Hackers are never going to stop targeting crypto exchanges as long as it remains profitable. While a good cryptocurrency exchange will have multiple security measures in place, users need to do their homework too. Do your due diligence when signing up for an exchange to make sure that you don’t become a victim. 

 

All Data Breaches in 2019 - 2022 - An Alarming Timeline
https://selfkey.org/zh/data-breaches-in-2019/ Mon, 05 Sep 2022 11:59:41 +0000

Your personal information is not safe online. Data breaches happen on an almost daily basis, exposing our email addresses, passwords, credit card numbers, social security numbers and other highly sensitive data.

Unfortunately, most people do not understand the gravity of the problem until it personally affects them through identity theft or other malicious activity. Unsurprisingly, however, the rate of identity-related crime is exploding, and a recent study claims that there is a new victim of identity theft every 2 seconds in the United States alone.

On top of that, Experian has published statistics showing that 31% of data breach victims later have their identity stolen. Keeping in mind that the number of records exposed through data breaches is so high, this is alarming news.

One important reason for the malaise is that data breaches have seemingly become an inevitable part of modern life. We have to register for online accounts in order to participate in a modern society, and have to swallow the fact that the centralized databases containing our information will sooner or later suffer a breach.

That is why ESelfKey is working on an end-to-end self-sovereign identity management system which will do a much better job of protecting you from data breaches.

You can learn more about our solution here, but for now, let's take a closer look at the damage.

State of the breach June 2020: AT LEAST 16 billion records, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed through data breaches since 2019. The first quarter of 2020 has been one of the worst in data breach history, with over 8 billion records exposed.

Check out Have I Been Pwned to see if your accounts have been compromised by a data breach.

Undisclosed Number of Users – Samsung, July 2022

In August 2022, Samsung admitted that a security incident in its U.S. systems led to unauthorized third-party access and a data breach that affected an undisclosed number of users. Samsung officially confirmed that personal information, including contact, DOB, and product registration information, was stolen. This was the second data breach for Samsung in 2022, as in March, the company reported that a hacker group had gained access to some of their confidential source code, including a biometric lock algorithm.

5.4 Million Users – Twitter, January 2022

Twitter suffered a data breach in January 2022. This time the hackers exploited a security vulnerability to build a database of personal information, including email addresses and phone numbers of 5.4 million users. Twitter acknowledged the incident in early August.

533 Million Users – Facebook, April 03, 2021

Facebook was associated with large data breaches more than a few times in the past. Being one of the largest social media platforms, the data breaches happening for Facebook have always proved critical. The most recent data breach of Facebook has exposed the personal data of 533 Million users. The data exposed included phone numbers, DOB, locations, past locations, full name, and in some cases, email addresses.

Over 1 Million - OneClass, June 29, 2020

Online learning platforms have become increasingly popular targets for data breaches over the past few months as the education world has gone digital. Unfortunately, OneClass is no exception and left the data of over a million North American students (many of them minors) exposed on an unsecured Elasticsearch server. The data exposed included students’ full names, email addresses, schools/universities, phone numbers, account details and school enrollment details.

Over 2 Billion - BlueKai, June 19, 2020

US tech giant Oracle owns BlueKai, a company very few have heard of outside of marketing circles but it possesses one of the largest banks of web tracking data outside of the federal government. The company uses website cookies, and other tracking technology, to follow your activities on the web then sells that data to companies and marketing firms. 

For an unknown period of time, all of that web tracking data was left exposed on a server without a password. Billions of records were unsecured for anyone to find. The data exposed included names, home addresses, email addresses and other identifiable data including web browsing activity. The details are still fuzzy. Oracle says that they have taken care of the problem but haven’t offered up any information as to how this happened and who was affected. 

At Least 8 Million - Postbank, June 14, 2020

The Postbank in South Africa has had to replace over 12 million bank cards after an unencrypted master key was stolen by employees. The master key granted anyone complete access to the bank’s systems and the ability to change information on any of the bank’s 12 million cards. The breach specifically affected between 8 and 10 million beneficiaries who receive social grants every month. It’s still unclear if any funds were stolen, and exactly what data was exposed.

5 Billion - Keepnet Labs, June 9, 2020

Keepnet Labs is a UK security company that initially experienced a breach back in March 2020 when a database was exposed containing data that had previously been exposed in other data breaches. After being notified, Keepnet Labs quickly took the data down but refused to acknowledge the breach. They even went as far as to pursue legal action against at least one tech reporter who had written about the breach.

The breach was finally acknowledged this month when Keepnet Labs issued a statement saying that they were not directly responsible, but rather a third party provider was. Although no new data was exposed, it’s ironic that a security company would experience a data breach.

329,000 - Chartered Professional Accountants of Canada, June 4, 2020

Chartered Professional Accountants of Canada (CPA) experienced a cyberattack early in the month that allowed unauthorized third parties to gain access to the personal information of over 329,000 members and stakeholders. The stolen information was mostly related to the distribution of the CPA Canada magazine and included personal data such as names, addresses, email addresses, and employer information. 

Passwords and credit card numbers were also exposed, but CPA Canada says they were all protected by encryption. Anyone affected by the breach has been notified by the company, and CPA Canada notified the relevant authorities.

47.5 Million - Truecaller, May 27, 2020

The personal data of 47.5 million Indians was found for sale on the dark web for $1,000, and is claimed to have originated from the popular caller ID and spam blocking app Truecaller. Personal information such as phone numbers, service providers, names, genders, and more was made available. 

However, Truecaller denies there was a breach at all. Truecaller suffered a previous data breach in May 2019, and the company suggests that it is the same data set that is for sale. If Truecaller has suffered a breach this month, then it’s a case of gross negligence, or it could just be criminals trying to make a quick buck.

26.3 Million - LiveJournal, May 27, 2020

For years rumors have circled that blogging platform LiveJournal suffered from a data breach, and many users have reportedly received extortion letters tied to their LiveJournal accounts. The breach was finally confirmed this month by multiple hackers who are selling the user data on the dark web. It’s unclear what year the breach actually took place, but the details weren’t revealed until this month when Have I Been Pwned received a copy of the leaked user database.

The data that was breached included usernames, emails, and plaintext passwords of over 26 million users. LiveJournal and its parent company, DreamWidth, have yet to acknowledge the breach despite users complaining of having their data stolen for years.

8.3 Billion - AIS, May 25, 2020

Thailand’s largest cellphone network pulled a database containing billions of Thai internet users offline after discovering records were being leaked for over two weeks. The passwordless database was discovered by security researcher Justin Paine who quickly notified AIS about the massive breach. 

AIS has come out saying that no personal information was made available, but unfortunately, that’s just not true. The leaked data included DNS queries, which have the potential to let authorities and hackers know who was visiting which websites and from where. This is particularly problematic as Thailand has incredibly strict censorship laws, and if the authorities get ahold of the leaked data, it could lead to arrests.

25 Million - Mathway, May 25, 2020

A popular website for helping students and children learn mathematics suffered from a data breach, resulting in more than 25 million records being exposed. The breach was only discovered when the records were being sold on the dark web earlier in May. So far, it is believed that only emails and hashed passwords were exposed.

Over 1 Million - EHTERAZ, May 22, 2020

While many governments have talked about using an app to track the spread of COVID-19, only a handful of countries have actually created one. In Qatar, the app used by the government to track COVID-19, EHTERAZ, is compulsory. Unfortunately, due to inadequate security measures, the app suffered a data breach exposing the sensitive personal information of over one million residents.

Information such as names, birth dates, national ID numbers, location, and health status were all made available. It is unknown how long this data was exposed for, but luckily the Qatari government was quick to act.

2.3 Million - Indonesia, May 22, 2020

The private data of over two million voters in Indonesia was found for sale on the dark web, along with a threat to release a further 200 million records. It’s unclear exactly where the data came from, and how it got stolen, but some of the records date back as far as 2013. Information such as home addresses, names, and national ID numbers were breached. The investigation is still ongoing.

9 Million - EasyJet, May 19, 2020

European budget airline EasyJet suffered a major breach that began in January 2020 but didn’t notify customers until April and May 2020. Emails and travel information were amongst the information that was breached, and over 2,000 customers had their credit and debit card details accessed.

EasyJet has declined to say how the attack happened, and who committed it. Thanks to the GDPR, EasyJet could face a major fine if they are discovered to have inadequate security measures in place.

9 Million - CDEC Express, May 14, 2020

Russian delivery company CDEC Express suffered a major breach when it was discovered that the records of 9 million customers were for sale on the dark web. CDEC Express has denied that they were the ones who were breached, stating that personal data is collected by many companies and that they were not the source. Information such as the delivery of goods, buyer information, and tax ID numbers were all breached.

3.7 Million - MobiFriends, May 11, 2020

Millions of users of a popular online dating app, MobiFriends, were hacked early in May. The breached data includes dates of birth, gender, website activity, mobile numbers, usernames, email addresses and MD5 hashed passwords. The breach is believed to have originally taken place in January 2019, but the information has recently been available for sale (and now for free) on the dark web.

21,909,707 - Unacademy, May 3, 2020

One of India’s largest online learning platforms, Unacademy, suffered from a massive breach after a hacker gained access to a database and began selling account information of more than 20 million users. Names, emails, passwords, and account activity were among the data that was stolen. Hackers have claimed to have stolen more data than just user information, but what that may be (and if it’s true) remains to be seen.

91 Million - Tokopedia, May 3, 2020

Indonesia’s largest e-commerce platform, Tokopedia, began investigations after security researchers discovered a treasure trove of customer data for sale on the dark web. However, the initial breach turned out to be far worse than anticipated. The initial number of 15 million records ballooned up to 91 million after the investigation was launched.

While Tokopedia has stated several times that passwords were not included in the data that was leaked, plenty of other personal information was. Names, emails and birthdays were all available for sale, and there were at least two buyers of the information.

Unknown - ExecuPharm, April 27, 2020

Major US pharmaceutical firm ExecuPharm suffered a major data breach in March but didn’t notify the public until a month later. Malicious actors gained access to ExecuPharm’s servers and held them for ransom. Additionally, the hackers also sent out phishing emails to ExecuPharm’s employees.

It’s unclear exactly how many people were affected, but a large amount of sensitive data was leaked including social security numbers, taxpayer IDs, driver’s license numbers, passport numbers, bank account details, credit card numbers, and more. The hackers later went on to publish the stolen data on the dark web.

160,000 - Nintendo, April 24, 2020

Video game giant Nintendo experienced a breach that affected 160,000 users. The issues began in early April when hackers gained access to login IDs and passwords to Nintendo accounts. Malicious actors gained access to nicknames, emails, birth dates, and country of residence. Even worse, some accounts experienced fraudulent purchases.  

28,000 - GoDaddy, April 23, 2020

GoDaddy is one of the world’s largest domain registrars and a web hosting company that provides services to roughly 19 million customers around the world. While only 28,000 customers were affected, any breach for a company of this size is a big deal. The data breach itself took place in October 2019 but wasn’t discovered until April 2020. 

An unauthorized individual gained access to login credentials for SSH on hosting accounts, and as a result, the breach only affected hosting accounts. So far, it doesn’t appear like any personal information was leaked. That being said, the investigation is still ongoing.

5.2 Million - Marriott, March 31, 2020

This isn’t the first time hotel giant Marriott has suffered a data breach. Back in 2018, 383 million records were leaked. This time, hackers obtained login details of two employees and broke into the system in January 2020. Marriott has said that they have no reason to believe that any payment information was breached, just personal data of their customers (such as names, addresses, and contact information).

29,969 - Norwegian Cruise Line, March 20, 2020

March was already a bad month for cruise lines, and things got a lot worse for Norwegian Cruise Line when one of its databases was breached. The leaked information concerned only travel agents; no guests were affected. Despite being notified of the breach earlier in the month, the company was slow to react and has since attempted to downplay the extent of the breach.

Unknown - Rogers, March 18, 2020

Canadian telecommunications giant Rogers experienced a data breach when one of their external providers inadvertently made information available online that provided access to a customer database. It’s unclear how many customers were affected, but the company has over 10 million wireless subscribers. Rogers stated that although personal information like names, addresses, and contact information was leaked, no payment information or passwords were compromised.

Unknown - Princess Cruises, March 13, 2020

It’s been a rather unfortunate month for Princess Cruises. First they had to suspend operations thanks to COVID-19, then they announced that they had experienced a data breach. The breach actually took place from April to July 2019, and the company discovered it in May 2019. It’s unclear why the cruise line waited so long to notify customers.

An unauthorized party managed to gain access to employee email accounts and accessed personal information of employees, crew members, and guests. It’s unclear exactly how many people were affected, and Princess Cruises has been pretty quiet about the whole thing.

6.9 Million - The Dutch Government, March 11, 2020

In a rather bizarre turn of events, the Dutch government admitted to losing two external hard drives that contained the personal data of more than 6.9 million organ donors. The hard drives contained records from 1998 to 2010 and had been placed in a vault in 2016. When officials went to access them this year, they were mysteriously gone. So far, there is no evidence that anyone has attempted to use the data.

At Least 81.6 Million - Antheus Tecnologia, March 11, 2020

Brazilian biometric solutions company Antheus Tecnologia suffered from a significant data leak and other security flaws, which led to an Elasticsearch server containing biometric data being exposed. An estimated 76,000 fingerprints were on the server. Other records included employee company emails and telephone numbers.

201,162,598 Million - Unknown, March 5, 2020

The Comparitech security research team alongside security expert Bob Diachenko discovered an unprotected Google cloud server containing the personal data of 200 million US residents. The server was originally found in January, and the team worked to identify the owner of the server but couldn’t uncover who they were.

The server was finally taken offline in March, although the data was exposed for at least one month. Most of the data exposed contained personal, demographic, and property information. The majority of the information was incredibly detailed, including things like net worth, property value, mortgage details, and tax assessment info.

900,000 - Virgin Media, March 5, 2020

A Virgin Media database containing the personal information of 900,000 people was left unsecured online for ten months. The data breach is not the result of criminal activity, just negligence on the part of Virgin Media. The database was for marketing purposes and contained information such as names, phone numbers, emails, and home addresses.

The database was accessed by an unknown person on at least one occasion while it was available. Virgin Media reported the incident to the ICO and has launched a full investigation.

330,000 - Slickwraps, February 21, 2020

On the 25th of February, The Verge reported that Slickwraps, a company that makes vinyl skins for phones, tablets and laptops, suffered a significant data breach affecting the personal information of over 330,000 customers. Worryingly, the hackers sent out an email blast to all affected users, mentioning their name, home address and an indictment of Slickwraps' security measures.

 

Unknown - Defence Information Systems Agency, February 11, 2020

The US defence agency that handles secure communications for the White House suffered a data breach between May and July of 2019, but the breach wasn't discovered until February 2020. The Defence Information Systems Agency (DISA) is responsible for direct telecommunications and IT support for President Donald Trump, Vice President Mike Pence, their staff, the U.S. Secret Service, the chairman of the Joint Chiefs of Staff and other senior members.

The extent of the breach, including how many were affected and what data was compromised, is unclear as DISA has been extremely tight-lipped. The agency employs over 8,000 military and civilian employees according to their website.

Unknown - The United Nations, January 29, 2020

Hackers compromised dozens of UN servers in the summer of 2019, yet the world body kept it a secret, even from its own employees. While the size of the breach is unclear, staff records, health insurance, and commercial contract data were compromised. As the UN is under diplomatic immunity, they are not required to divulge what data was taken or notify those affected. The UN was allegedly notified about several security issues years ago.

At least 10,000 - LabCorp, January 28, 2020

Clinical laboratory LabCorp suffered an earlier breach in July 2019 when 7.7 million records were stolen. Unfortunately, the security upgrades they must have made were not enough to prevent another breach at the end of January 2020. At least 10,000 patient records were exposed including names, addresses, and in some cases, social security numbers.

250 Million - Microsoft, January 22, 2020

Microsoft didn't have a great start to 2020. 250 million customer service and support records, going all the way back to 2005, were breached. Microsoft has said that only email addresses and IP addresses were exposed, but security researchers believe that it goes beyond that.

According to Microsoft, the records were not publicly available as they were stored on an internal database and were only exposed for just under a month. The tech giant conducted an internal investigation and claims that there was no sign of malicious use.

2.4 Million - Wyze, December 30, 2019

The smart camera provider Wyze suffered two breaches at the end of December when databases were left exposed for over two weeks. So far, it appears that only email addresses were leaked. Smart cameras are starting to become a popular target for hacks.

Unknown - Wawa, December 19, 2019

Wawa, a convenience store chain on the east coast of the US, suffered a massive data breach involving payment information starting in March 2019. The breach wasn’t discovered until December, and it is believed that thousands have been affected. Card numbers and customer names are among the data that was stolen.

267 Million - Facebook, December 19, 2019

Security expert Bob Diachenko discovered that a database containing personal information of more than 267 million Facebook users had been left exposed. The exposed data included names, phone numbers, and Facebook IDs. Hackers in Vietnam are believed to be responsible.

15 million - LifeLabs, December 17, 2019

In what is believed to be the largest breach in Canadian history, medical testing company LifeLabs suffered a hack in October that left 15 million records of patient data exposed. The breach wasn’t announced until December, and the company is now facing a billion dollar class action lawsuit.

Unknown - OnePlus, November 23, 2019

Indiatoday.in has reported that the popular Chinese smartphone manufacturer, OnePlus, has suffered a significant data breach.  According to the OnePlus security team, an unauthorized party managed to access customer information by exploiting a vulnerability in the OnePlus website. This information includes phone numbers, email addresses, first and last names, as well as shipping addresses. As of now payment information does not seem to have been compromised and it is not yet clear how many people have been affected.

1 Million - T-Mobile, November 22, 2019

T-Mobile, the multi-national wireless network operator, suffered a major data breach, reportedly affecting over 1 million customers. The exposed data includes phone numbers, billing addresses, T-Mobile account numbers, names, and details about rates and plans.

The news comes at a particularly bad time, as customers suffer a heightened risk of identity fraud during the holidays, while T-Mobile's attempted merger with Sprint may now face more intense scrutiny.

1.2 Billion - Unknown, November 22, 2019

An unprotected server containing 1.2 billion records of personal data was found by security researchers. Renowned security experts Vinny Troia and Bob Diachenko found the Elasticsearch server and soon concluded that the data had been sourced by a data enrichment company. This would explain the breath-taking size of the breach, which exposed 622 million unique email addresses, as well as social media profiles, phone numbers, employers and even job titles.

3 Million - UniCredit, October 28, 2019

3 Million customers of the Italian Bank UniCredit have had their sensitive information exposed by a major data breach. The compromised information includes the names, telephone numbers, email addresses and even cities where clients were registered. ZDNet reports that, although UniCredit operates internationally, all exposed records related to Italian customers.

Yet unknown - 7-Eleven, October 25, 2019

The 7-Eleven fuel app was taken offline on Thursday after customers reported that they could access the personal information of other app users. The information reportedly included the amount of money in their account, names, email addresses, phone numbers and their date of birth. According to the Guardian, the app has been downloaded over 2 million times.

Yet unknown - Web.com, October 16, 2019

On the 16th of October, the domain name registration service Web.com announced a serious data breach. According to the disclosure notice, an unauthorized third party gained access to a limited number of their computer systems in late August. According to the statement, no credit card data was compromised as a result of the incident.

XX Million - Malindo Air, September 18, 2019

Malindo Air, the low-cost Indonesian Airline, has confirmed a significant data breach affecting millions of passengers. The information, including names, home addresses, phone numbers and even passport numbers, has already been leaked on public forums, meaning that those affected likely already face a much higher risk of identity theft and fraud.

20 Million - Novaestrat, September 16, 2019

A massive data breach has reportedly affected almost the entire population of Ecuador. Security company vpnMentor was the first to identify the breach, when their research team found a Miami-based Elasticsearch server run by the Ecuadorian company Novaestrat.

The breach is particularly damaging due to the extensive quantity of information stored about each individual. This includes birth dates, names, contact information, national identification numbers, taxpayer identification numbers, driving records and bank account balances. The information was seemingly compiled by several Ecuadorian government registries, automotive associations and the Ecuadorian national bank. Among the affected are reportedly six million children.

50,000 - Get, September 9, 2019

According to the Guardian, the personal details of around 50,000 university students have been exposed. An app designed to facilitate payments for university clubs and societies, called Get, apparently allowed unauthorized users to get access to other users' data, including names, email addresses, date of birth and phone numbers.

14 Million - Hostinger, August 25, 2019

TechCrunch reported that the popular web hosting service Hostinger suffered a major data breach affecting millions of users. According to the report, a hacker gained access to the company's systems, including an API database. That database contained customer usernames, email addresses and passwords.

Hostinger has said that the API database stored roughly 14 million customers' records.

1 Million - Suprema, August 14, 2019

One of the leading biometrics companies, Suprema, left the fingerprints, facial recognition information, unencrypted usernames and passwords of over 1 million people on an unencrypted database.  The Guardian broke the story, reporting that Suprema's data is used by the UK Metropolitan police and 5,700 other organizations.

23 Million - CafePress, August 5, 2019

The personal information of over 23 million CafePress customers has been exposed according to multiple reports. The custom T-shirt and merchandise company has yet to issue a statement but the exposed data has been circulating in hacker forums for weeks. The data breach involved the names, usernames, email addresses, passwords, and physical addresses.

50 Million - Poshmark, August 1, 2019

The US-based fashion platform Poshmark suffered a significant data breach according to a blog post on their site.  An unauthorized third party managed to access the email addresses, names, user names, and even clothing size preferences of Poshmark users.

It is still unclear how many people are affected but Poshmark is said to have around 50 million users.

100 Million - Capital One, July 29, 2019

The New York Times is reporting that a former Software Engineer hacked the database of Capital One and obtained the personal information of more than 100 million people. Federal prosecutors have named it one of the largest data breaches in history with potentially devastating consequences.

In addition to millions of stolen credit card applications - Capital One is the third largest issuer of credit cards in the US - the breach also compromised one million Canadian social insurance numbers.

300,000 - QuickBit, July 22, 2019

On the 22nd of July, Coindesk reported that the Swedish cryptocurrency exchange QuickBit suffered an extensive data breach. According to the report, the digital asset platform unknowingly leaked the data of 300,000 customers via an unprotected MongoDB database.

The exposed data included full names, addresses, email addresses, user gender, and dates of birth.

5 Million - Bulgaria's National Revenue Agency, July 17, 2019

Bulgaria suffered a devastating data breach and the largest in its history according to The Next Web. Hackers managed to breach the National Revenue Agency and access highly sensitive information of 5 Million citizens. Bulgaria's population stands at 7 Million, meaning that almost everyone is affected.

The compromised data includes personal identifiable numbers, addresses, and even income data. The hackers sent a download link to local media and stated: "The state of your cyber-security is a parody." An investigation into the extent and ramifications of the data breach is under way.

14,600 - Los Angeles County Department of Health Services, July 10, 2019

CBS Los Angeles reported that malicious actors managed to use a phishing attack to access highly sensitive personal information of 14,600 patients. 2019 has been a horrific year for customer privacy in the medical industry, with breaches occurring on an almost weekly basis.

According to reports, the Los Angeles County Department of Health is in the process of notifying patients. The phishing attack happened in March 2019, and the hackers seemingly had access to employee accounts for several hours. Among the exposed information is: names, addresses, phone numbers and patient information.

78,000 - Maryland Dept. of Labor, July 6, 2019

According to Yahoo News, 78,000 people may have had their personal information exposed due to a data breach affecting Maryland's Department of Labor. The data breach reportedly occurred earlier this year and no evidence of malicious activity was found. Nevertheless, the Department is offering all affected customers two years of free credit monitoring.

Mars Mission Data - NASA, June 24, 2019

On the 24th of June it was reported that NASA had experienced a significant security incident. According to this report, an unauthorized individual managed to access NASA's Jet Propulsion Laboratory, making off with highly sensitive information. The hacker supposedly went undetected for 10 months and had access to many critical projects - including details about NASA's Curiosity Rover.

11 Million - Emuparadise, June 10, 2019

ZDNet has reported that 11 million user accounts of the popular gaming emulator Emuparadise were exposed after a recent data breach. The user passwords were stored as salted MD5 hashes, a hashing scheme deemed unsafe since 2012, and were easily cracked. The full extent of the breach is still unknown, although ZDNet claims that passwords, email addresses, IP addresses and usernames are involved.

7.7 Million - Labcorp, June 4, 2019

Just a day after Quest Diagnostics announced its breach, another company dealing with highly sensitive medical records announced a major security incident. According to USA Today, Labcorp was also using the collections firm American Medical Collection Agency (AMCA), which experienced a supposed breach earlier this month. Specifics are hard to come by, but names, addresses, dates of birth, and balance information are likely among the compromised data.

11.9 Million - Quest Diagnostics, June 3, 2019

Quest Diagnostics, a clinical laboratory company, announced that an "unauthorized user" gained access to the medical records and social security numbers of up to 12 million customers.  Information is still sparse, but it appears that AMCA, a billing vendor used by Quest, was exploited for the attack. All parties are working closely together to understand the full scope of the data breach.

Unknown - Checkers Restaurants, May 30, 2019

ZDNet reported that hackers breached the security systems of Checkers Restaurants and installed malware which infiltrated the restaurant chain's point of sale software. As a result, the hackers managed to steal customers' payment card number, cardholder name, expiration date and card verification code.

Hundreds of locations have been affected although the total number of impacted customers is still unknown.

Unknown - Flipboard, May 29, 2019

The popular news aggregation app Flipboard announced that it had detected unauthorized access to some of its databases between June 2, 2018 and March 23, 2019. It's still unclear how many of the 145 million monthly users are affected, but names, email addresses and cryptographically protected passwords are among the exposed data.

139 Million - Canva, May 28, 2019

Marketingland reported that the leading graphic design tool Canva had experienced a cyber attack which affected up to 139 million users. According to the report, the attack targeted usernames, email addresses and passwords, although luckily credit card details were not compromised. Canva is particularly popular among entrepreneurs and online marketers from all over the world.

885 million - First American, May 25, 2019

Renowned cyber security experts Krebs on Security reported that Fortune 500 giant First American Financial Corp exposed customers' bank account numbers, statements, mortgage as well as tax records through its faulty website. 885 million highly sensitive records were leaked to anyone who knew where to look, with the records going back to 2003.

49 Million - Chtrbox, May 20, 2019

An unsecured database seemingly belonging to Chtrbox, a Mumbai-based social media marketing firm, was discovered online. TechCrunch reports that the database contained more than 49 million records comprising bio info, email address, phone number, and profile picture of millions of Instagram users.

1.5 Million - Freedom Mobile, May 9, 2019

The VPN Mentor research team discovered a data breach which exposed the personal information of 1.5 million Freedom Mobile users. Worryingly, the data included credit card numbers and CVV numbers, meaning that significant financial damage will likely be incurred as a result.

1.6 Million - AMC Networks, May 1, 2019

Renowned security expert Bob Diachenko discovered a publicly available MongoDB instance exposing the data of 1.6 million AMC network subscribers. The subscriber information contained names, emails, subscription plan details and more personally identifiable information. This is another alarming example of failure to meet the very lowest security standards.

Unknown - Atlanta Hawks, April 23, 2019

Struggling basketball teams are just as vulnerable to data breaches as governments, businesses and universities. On April 23, CNet reported that the Atlanta Hawks eCommerce store had been infected with malware designed to steal the payment information of customers. Expert Willem De Groot identified the notorious hacking group Magecart as the culprit and the Atlanta Hawks are still investigating the full extent of the hack.

9 Million - Bodybuilding.com, April 22, 2019

One of the biggest service providers in the fitness industry, bodybuilding.com, suffered a serious hacking attack potentially impacting its 9 million users. According to Forbes, a sophisticated phishing attack had allowed hackers to gain access to the highly sensitive data including billing addresses, names, email addresses and birth dates.

Unknown - Microsoft Email Services, April 15, 2019

Popular email services msn.com, hotmail.com and outlook.com were affected by a significant data breach according to TechCrunch. The vulnerability seemingly existed between January 1st and March 28 2019, and allowed hackers to access email accounts.

540 Million - Facebook, April 2, 2019

Mark Zuckerberg was in the news for all the wrong reasons in April 2019. The (so far) newest addition to the litany of blunders involved exposing the personal records of over 540 million Facebook users. According to TechCrunch, cybersecurity experts found the data on an unsecured, publicly accessible database.

1.3 Million - Georgia Tech, April 2, 2019

Universities are just as likely to get hacked as a business or government organization. On April 2nd, a host of highly sensitive personal information managed by Georgia Tech was accessed by a hacker. The information of 1.3 million faculty members, students and employees was affected according to patch.com. Social Security numbers, birth dates, names and addresses were breached.

980 Million - Verifications.io, March 29, 2019

Towards the end of March 2019, cybersecurity expert Bob Diachenko found an unsecured database containing 982 million email addresses along with names, genders, employers and home addresses. The server was unsecured and available to anyone who knew where to look. Upon notification, verifications.io, the company seemingly behind the database, shut down its website and ostensibly ceased to operate.

2 Million - Earl Enterprises, March 29, 2019

The credit card information of more than 2 million customers of Earl Enterprises was stolen and later sold according to krebsonsecurity.com. Criminals managed to install sophisticated malware on the company’s point of sale software, allowing them to syphon off the highly sensitive payment information.

1.8 Million - Federal Emergency Management Agency, March 22, 2019

Data breaches are particularly harmful when they affect vulnerable people. In March 2019, the Washington Post reported that 1.8 million disaster survivors had their banking information plus their home addresses accidentally shared with contractors. These people had primarily sought shelter after wildfires and hurricanes.

2 Million - Oregon Department of Human Services, March 21, 2019

Government organizations are just as likely to suffer data breaches as hospitals, businesses and two-person startups. On March 21st, the Oregon Department of Human Services announced that poorly trained employees had fallen for a phishing attack, compromising highly sensitive personal information of roughly 1.6 million people. This includes emails, addresses, names and much more.

600 Million - Facebook, March 21, 2019

Facebook has a long history of privacy abuses and data scandals. At the end of March 2019, the social media giant admitted that it had failed to secure the passwords of 600 million users since around 2012. Thousands of Facebook employees had access to the millions of unsecured records, which were stored in a plain text file.

1.5 Million - Gearbest, March 14, 2019

In March, the VPN Monitor research team reported that Gearbest, a highly successful Chinese eCommerce company, had a completely unsecured database. The VPN Monitor team managed to access a database containing 1.5 million records. Alarmingly, the information contained payment information, billing address, order history and much more highly sensitive information.

2.4 Million - Dow Jones, March 1, 2019

One of the most significant data breaches ever occurred on March 1st, when more than 2 million identity records, including those of government officials and politicians, were leaked online. According to reports from ZDNet, the information was stored, alarmingly, on a publicly accessible database.

1 Million - UW Medicine, February 20, 2019

February 20th was a particularly bad day for the personal data of medical patients as both Advent and UW Medicine reported significant data breaches. In the case of the UW Medicine data breach, nearly 1 million people were affected by a simple bug: a problem with the platform’s server caused highly sensitive data to be indexed by search engines, meaning that patients’ financial history, passwords, social security and more were available with a simple Google search.

42,000 - Advent Health, February 20, 2019

Data breaches affecting medical records are particularly hazardous. In February, the Advent Health Medical Group notified its members of a 16-month long data breach exposing medical histories, social security numbers and a host of highly sensitive information. According to reports, 42,000 individuals were affected.

14.8 Million - 500px, February 15, 2019

The popular photo sharing site 500px was hacked, exposing the data of 14.8 million users. Information such as names, usernames, emails, locations, gender, and birth dates were revealed. The website notified its users and forced a password reset, although the hack happened in July 2018 and they weren’t aware of it until February 2019.

6 Million - Coffee Meets Bagel, February 14, 2019

In a case of ironically poor timing, the dating app Coffee Meets Bagel announced a data breach just in time for Valentine’s Day. While only names and emails of users were exposed, the breach impacted approximately 6 million people.

Unknown - Dunkin’ Donuts, February 12, 2019

Dunkin’ Donuts announced a data breach for the second time in three months, affecting DD Perks rewards members. Hackers used credential stuffing attacks to gain access to customer accounts, then sold them on the Dark Web for profit. The first of these attacks happened at the end of November, and although the company didn’t say how many customers had been affected, there are currently 10 million DD Perks members.

24,000 - EyeSouth Partners, February 6, 2019

An unauthorized third party gained access to an employee email account of Georgia-based EyeSouth Partners. Over 24,000 patients had their data compromised, such as names, health insurance information, and account balance information.

Unknown - Huddle House, February 4, 2019

The US-based casual dining and fast food restaurant chain Huddle House had their point of sale system compromised, giving hackers the ability to install malware to steal the payment information of customers between August 2017 and February 2019. How much damage was done is still unclear as Huddle House is continuing their investigation.

20,000 - Catawba Valley Medical Center, February 4, 2019

Phishing scams seem to be a popular and effective cyberattack in the medical industry, as three employee email accounts at Catawba Valley Medical Center were hacked by one in the summer months of 2018. An estimated 20,000 patients of the North Carolina-based medical facility had their names, birth dates, social security numbers, and personal health information exposed in the attack.

Unknown - Houzz, January 31, 2019

To finish off January, the popular home improvement website Houzz announced a data breach affecting users of their platform. While Houzz did not disclose how many people were affected by the breach, the site has approximately 40 million users. The company stated that public profile information such as names, locations, usernames, and hashed passwords were taken by an unauthorized third party.

23,000 - Critical Care, Pulmonary & Sleep Associates, January 31, 2019

Employees of the Critical Care, Pulmonary & Sleep Associates (CCPSA) fell for a phishing attack that led to approximately 23,000 patients having their data breached. The Colorado-based healthcare facility realized that the hacker had access to names, dates of birth, addresses, medical information, social security numbers, and driver’s licenses for three months.

100,000 - Alaska Department of Health & Social Services, January 23, 2019

Alaska’s Division of Public Assistance was the target of a cyberattack that exposed data of at least 100,000 people. It is still unknown who the attacker was, but they were able to access the names, birth dates, addresses, social security numbers, health information, and income of people who had applied for government programs.

24 Million - Ascension, January 23, 2019

The data analytics company Ascension, based in Fort Worth, Texas, left more than 24 million mortgage and banking documents unprotected in an online database for at least two weeks. According to a report from TechCrunch, the documents included people’s names, addresses, dates of birth, social security numbers, and financial information.

108 Million - Various Online Betting Sites, January 23, 2019

Four different online betting sites stored data on Elasticsearch cloud storage without securing it. Approximately 108 million records were breached including names, addresses, emails, phone numbers, usernames, birth dates, IP addresses, account balances, games played, and win and loss information. If you’ve placed bets via kahunacasino.com, azur-casino.com, easybet.com, or viproomcasino.net, your information was likely exposed.

12,000 - Graeter’s Ice Cream, January 22, 2019

The Cincinnati-based purveyor of sweets, Graeter’s Ice Cream notified approximately 12,000 online customers that their data had been compromised. Malicious code was discovered on the company’s checkout page which captured customer data such as customer credit card details, names, addresses, phone numbers, and fax numbers.

20,000 - BlackRock Inc., January 22, 2019

The world’s largest asset manager, BlackRock, accidentally leaked the information of as many as 20,000 financial advisors. The company had posted confidential spreadsheets which contained information related to the advisors who work with BlackRock’s iShares unit. The names, emails, and assets managed by advisors were amongst the information that was exposed.

773 Million - Collection #1, January 17, 2019

On the same day, security researcher Troy Hunt discovered a massive database of leaked data on a cloud storage site called MEGA. The database contained over 773 million emails and 22 million passwords, amalgamated from thousands of different data breaches dating back to 2008. The information was also shared on a popular hacking forum, so it is unknown who exactly accessed the data. Needless to say, it doesn’t look good. If you are worried that your credentials have been compromised, you can check on Have I Been Pwned?

Unknown - Oklahoma Department of Securities, January 17, 2019

The Oklahoma Department of Securities (ODS) left millions of government files exposed and unprotected on an open server belonging to the agency. Amongst the exposed files were records pertinent to FBI investigations. The oldest records that were exposed dated back to 1986, and range from personal data to login credentials and internal communications records. The ODS is currently investigating how many records were exposed, who may have accessed them and the potential damage this data breach may have caused.

Unknown - Fortnite, January 16, 2019

The popular online video game Fortnite was found to have exposed players to being hacked. A security firm called Check Point discovered the vulnerabilities in the game and alerted Fortnite to the threat. The vulnerabilities could have allowed malicious actors to take over the account of any player, view their personal information, purchase V-bucks (the in-game currency), and listen in to game chatter. While it is unknown just how many users were affected, Fortnite has 200 million users worldwide of which 80 million are active each month.

31,000 - Managed Health Services of Indiana, January 11, 2019

A phishing attack on the Managed Health Services of Indiana (MHS) exposed the health information of more than 31,000 patients in 2018 and was not discovered until January. The compromised data included names, insurance ID numbers, dates of birth, addresses, and medical conditions. While the MHS says there has been no evidence that the data has been misused, patients were obviously upset.

Unknown - OXO, January 10, 2019

The New York-based manufacturer, OXO discovered that they had been hacked in two separate incidents over the past two years. Both hacks exposed customer information entered on their website. OXO found unauthorized code on their website which collected customer names, addresses, and credit card information. The company has declined to announce the number of customers who were affected by the breach.

Unknown - BenefitMall, January 7, 2019

BenefitMall, a US provider of HR, payroll, and employer services, announced a data breach that occurred after an email phishing attack compromised employee login credentials. The exact extent of this breach is unknown as the company has not released the exact number of records that were affected by the attack. That being said, the stolen information could include customer information such as names, social security numbers, addresses, bank account numbers, dates of birth, and information about their insurance premiums.

Unknown - DiscountMugs.com, January 4, 2019

A major online retailer of custom mugs and apparel, DiscountMugs.com was hacked over a four-month period during the latter half of 2018. Although the company did not disclose how many customers were affected by the breach, it is believed to be upwards of several thousand. A malicious card skimming code had been placed in the company’s payment section of their website and hackers were able to steal full card payment details, names, emails, phone numbers, and addresses.

7.6 Million - BlankMediaGames, January 3, 2019

In almost no time at all, the next great data breach occurred the day after Blur announced their breach. This time, the information of 7.6 million gamers had been stolen during a hack of the game Town of Salem by BlankMediaGames (BMG). According to BMG’s announcement, the server had been compromised and emails, usernames, IP addresses, in-game purchases, and in-game activity had been exposed.

2.4 Million - Blur, January 2, 2019

It didn’t take long for the first major breach announcement of 2019. Blur announced a breach after an unsecured server exposed a file containing 2.4 million user names, email addresses, password hints, IP addresses, and encrypted passwords. The password management company urged their users to change their Blur login credentials and enable two-factor authentication.

What is China's Social Credit System and What Does it Mean for Online Identity?

https://selfkey.org/zh/chinas-social-credit-system/ Tue, 24 Mar 2020 13:04:11 +0000 http://selfkey.org/chinas-social-credit-system/

China’s Social Credit System (SCS) has been in the news for over a year now. Not only will the system have a massive effect on the country’s 1.4 billion citizens, but there are massive implications when it comes to digital identity too. The idea sounds Orwellian, but it’s a lot more complicated than it appears to be.

The system was first proposed in 2014 and was meant to roll out this year, but it will likely be another couple of years before it is fully operational. In this article, we outline what exactly China’s Social Credit System is, how it works, the criticisms it has faced, and the implications it has on big data and online identity. Let’s dive in.

What is China’s Social Credit System?

China’s Social Credit System is similar to how a regular credit score functions. Now a normal credit score only deals with your current financial state and financial history. A typical credit score is decided by five different factors: payment history, utilization, length of credit history, recent activity, and overall capacity. However, China’s social credit score expands the typical credit score system into all ways of life.

According to the Chinese government, the system is designed to monitor and engineer better behavior on an individual level and a business level. The system awards good behavior, which leads to a higher score, and punishes bad behavior, which leads to a lower score. China already has the bones of this system in place (some cities and provinces have created their own version of SCS to curb what is deemed to be negative behavior) but the SCS takes this activity to a whole new level. 

How the SCS works

The SCS has a few different functions. There is one system for citizens, one for businesses and other organizations, and one for government officials. While the full system has not been rolled out yet, here’s what we know so far from pilot systems and reports. Do keep in mind that there is no unified Social Credit System yet; different regions are currently using different methods. 

For citizens, everyone starts with the same score (the city of Rongcheng gives citizens 1000 points to start). Citizens are then closely monitored in all areas of life and are rated on how they behave. Users can increase their points by doing things such as making donations, praising the Chinese government online, and helping the less fortunate. Having more points means that users are more likely to receive a promotion at work, get priority status for their children’s school admissions, tax breaks, and better access to loans and other financial services. Doesn’t sound too bad, right?

However, having a lower score can lead to disastrous consequences, and losing points is easy. Users can lose points by not visiting their elderly parents, traffic violations, cheating in online games, failing to sincerely apologize for crimes committed, and spreading rumors on the internet. Having a lower score can mean that users are not able to travel by plane or train, aren’t eligible for certain jobs, can be subject to public shaming, and can be denied full access to public services.

For businesses, the SCS focuses more on ensuring that the laws are followed, taxes are paid on time, and that product and service quality are adequate. According to the Chinese government, the goal is to create a fair, transparent, and predictable business environment. However, the corporate side of SCS poses some difficult problems. 

For instance, businesses need to take responsibility for their business partners. Even if a company meets all of the legal requirements, they can still be penalized if another company they work with is on a blacklist. Because of this, companies with a lower score will have an incredibly difficult time forming partnerships with reputable businesses. 

Companies with a lower score on the SCS face more frequent and intense auditing, the possibility of public shaming, and may even be excluded from public procurement opportunities. Businesses can land on a blacklist from either having a low score, or for a particular type of violation.

The third part of the SCS, for government officials, focuses on how well government orders are carried out. Essentially, the Chinese government wants to ensure that officials are politically loyal, performing well, and corruption-free.

It is important to note that all three branches within the SCS function differently. Individuals are scored differently from businesses, who are scored differently from government officials. So far, no regional government has enforced all three aspects of the SCS.

Criticisms of the SCS

So many are scared of the SCS because some of the “crimes” are incredibly ambiguous (how do you know if someone’s apology is insincere?), and the punishments are extreme and take away basic human rights from Chinese citizens. For example, in 2016 a Chinese lawyer was not allowed to buy a plane ticket because an apology he had issued was deemed to be insincere. Judging how sincere someone’s apology is is incredibly subjective, and not something that should prevent a person from having basic rights.

That being said, Chinese citizens are already under an incredible amount of government surveillance and there have been no criticisms of the SCS from within the country. Probably because its citizens are too scared to speak up.

There are also doubts that the SCS will ever be rolled out on a national level. The program was supposed to start this year, and while individual cities and provinces have laid some groundwork, the Chinese government has yet to introduce anything nationally. The full roll out of the program could be years away simply due to the vastness of China. However, four provincial level governments already have their own version of the SCS.

The Chinese government faces other problems too, specifically regarding corruption. The whole purpose of the SCS is to share information and be transparent. If people are focused on their own interests over the government’s, that’s a big power struggle waiting to happen. 

How the SCS impacts online identity

One of the biggest implications of the SCS is the sheer amount of data that the Chinese government will have access to. The SCS is perpetual surveillance, and a massive collection of personal information will be available about each citizen. The system effectively strips Chinese citizens of any rights to their online identity.

Unfortunately, this isn’t anything new for China. The internet is already heavily censored in China, and law enforcement in the country has been using facial recognition software and drones to identify citizens who are breaking the law. The control Chinese citizens have over their online identity is negligible right now, but with the SCS, it disappears completely.

It’s a disturbing realization. In the Western world, we spend a fair amount of time and effort trying to keep our online identity from falling into the wrong hands. Although data breaches are a regular occurrence, ultimately we can choose what to delete and use tools to help keep our personal information safe. In China, these options don’t exist. Under the SCS, the government watches your every move both online and offline. Online identity is public, and can be used against you if you make a wrong decision in the eyes of the government.

And then there is the issue of how all of this data is protected. The regional versions of the SCS combine both traditional and digital monitoring. Some believe that China’s current technological capabilities have been overestimated. In fact when news network ABC Australia contacted the government agency tasked with creating the SCS for a statement, they were asked to send their request by fax. Which makes you wonder, how protected is all of this personal information online and how vulnerable is it to hackers? We might not get the answers to these questions until the country suffers a massive data breach.

Conclusion - China’s Social Credit System and Online Identity

China’s Social Credit System is frightening in more ways than one. Much of it feels like an episode of Black Mirror, and that presumption isn’t wrong. Not only does the SCS limit personal freedoms on a system that is astoundingly arbitrary, but it prevents Chinese citizens and businesses from regaining a positive status. 

Online identity is something that is already incredibly fragile in China right now. When the SCS comes into effect, any personal control is gone. It is already incredibly difficult for Chinese citizens to speak out against their government today. Citizens can disappear, be placed under house arrest, forced to stay in the country, or have their family threatened for expressing dissent. Once the SCS is in place, dissent becomes nearly impossible.

While the SCS has yet to roll out, and it’s unclear when that will happen, it will fundamentally alter the concept of not only online identity, but also human rights. The implications are frightening, and it’s unclear what, if anything, can be done to prevent it. 

How to Survive a Data Breach

https://selfkey.org/zh/how-to-survive-a-data-breach/ Wed, 18 Mar 2020 18:28:10 +0000 http://selfkey.org/how-to-survive-a-data-breach/

Data breaches happen on an almost daily basis. Retail companies, government agencies, service providers, and more, are all vulnerable to hacking. While there is plenty of information available about individual data breaches and how they have affected people, the best way to protect yourself is to take a number of preventative measures.

The data collected in data breaches can be incredibly valuable to hackers. They can sell it to other hackers, use it to drain your bank accounts, or impersonate you. In this article, we outline the best ways to protect your data so that when a data breach does happen, your data is not exposed.

1. Separate your emails

Your email address is one of the most common pieces of information that can be exposed in a data breach. It might not seem like much, but hackers can discover a large amount of information about you from just this one piece of information. Additionally, your email may be easy to find already through social media accounts.

As a result, you should create a separate email for important accounts and another for less essential ones. For example, you can use one email address for all of your entertainment accounts (such as Netflix, Spotify, YouTube, Steam, social media, online games, etc.) and another for more important accounts (such as banking, taxes, finances, etc.). By keeping this information separate, you reduce the chances of valuable information falling into the wrong hands.

2. Use a password manager

Most people have a very bad habit of using the same password for multiple websites and apps. This means that if hackers get access to one password, they can usually access multiple accounts. In order to prevent this, experts say that you should have a unique password for each website and app that you use. Additionally, your password should not be a word in the dictionary, and should contain symbols, numbers, and uppercase and lowercase letters.

While it may seem overwhelming to keep track of unique, individual passwords for each account, password managers solve this problem. A password manager stores all of your passwords in one place. Some password managers can even generate completely random passwords for you (usually a long, random, case-sensitive string of numbers and letters). In some cases, the password manager may have a browser extension which automatically enters your password for you. In others, you have to open the app or website each time to copy and paste your password.

While password managers are a target for hackers because they contain a lot of sensitive information, they are better than any current alternative. If someone manages to hack into a password manager’s server, the data they can access is generally useless. The data will not make any sense unless the malicious actors also have the master password, and obtaining a master password is even more difficult.

When looking for a password manager, something to keep in mind is that a good password manager should not allow master password recovery. If a hacker can get a hold of your master password, it puts all of your online personal data at risk.

3. Enable two-factor authentication

You might employ this already, but two-factor authentication (2FA) puts another wall between your personal information and hackers. In essence, 2FA requires you to provide two different authentication factors when logging into an account. Typically, one of these factors is your password and the other is a notification on your smartphone or email.

While not all online accounts offer 2FA, you should enable it wherever you can, in particular for accounts that may contain more personal information. Your social media accounts, email, online banking, and online marketplaces (such as Amazon) should all have 2FA enabled if possible.

4. Use platforms with strong security

It’s vital that the platforms you use have a good system in place to protect your data in the event of a breach. Some companies are extremely committed to security, while others aren’t fussed. One good way to gauge a platform’s security protocol is to check whether they’ve ever experienced a data breach, and what their response was (take a look at the latest data breaches here).

Repeat offenders and platforms that have a delayed (or non-existent) response to a data breach are places where you don’t want your personal data to be. It very well may be in your best interest to delete accounts and remove yourself from the platform. Consider Facebook, which experienced five separate data breaches (affecting nearly 2 billion user accounts) in 2019 alone. While the social media company has said that they are making changes, the numbers speak for themselves. It might be time to get off Facebook (including Instagram and WhatsApp, also owned by Facebook) or at least severely limit your presence on the platform.

Ultimately, it’s up to you if you want to completely remove yourself from a platform, but in some cases it could make a big difference. We also recommend that you do your due diligence before joining a new platform. Check to see if they’ve dealt with data breaches in the past and how it played out. If it doesn’t look good, don’t make an account.

5. Monitor your accounts regularly

You might be able to spot a data breach before a company does if you keep a regular eye on your accounts. In particular, your bank account can be a tempting target for hackers. It’s important to actively monitor your financial statements. If possible, check your bank account and credit card statements online at least once a week. If checking your statements online isn’t possible, make sure you are monitoring your monthly statements. You can also go the extra step of freezing your credit.

Another great tool is Have I Been Pwned?, which allows you to see if any of your accounts have been subject to a data breach. You can even sign up to receive notifications in the event that one of your accounts is breached. Additionally, if you’ve had data exposed in a breach, you can see exactly what company was involved so you can take action from there.

6. Clean up your accounts

How many of you have an inbox that is full of old emails? If they contain any sensitive information, that could be used against you in the event of a data breach. By keeping your inbox empty and deleting any old emails containing your personal details, you’re ensuring that there is nothing of value in the event that your account is hacked.

Additionally, malicious actors can hack into your email and threaten to release personal information (in particular explicit photos and messages) to the public for a ransom. If you don’t pay up, your reputation could sadly be ruined. Naturally, this data is even more valuable if the victim is a public figure, such as when the National Enquirer allegedly threatened to release photos of Jeff Bezos and his mistress.

You should consider updating any old accounts too. Payment methods you don’t use anymore, old addresses, and more can be extremely valuable. If you don’t use an account anymore, consider deleting it entirely or at least stripping any personally identifying information from it.

7. Increase your privacy settings

Is your Facebook profile public? What about Instagram? Who can see your posts? If there’s any information you don’t want to be publicly available, delete it and increase your privacy settings on social media. By removing information and making it harder for people to find you, you stand a better chance of weathering a data breach.

It’s also a good practice to be critical of anyone (friends or not) who randomly starts messaging or calling you asking for seemingly random information or funds. This is called social engineering and is a popular way for hackers to make off with your personal information and your money too. Additionally, familiarize yourself with phishing scams and what they look like.

Conclusion - Surviving a data breach

Data breaches are inevitable, but with the above tools, you are well on your way to making sure that your personal data is protected. Unfortunately, most people do not understand the gravity of the problem until they are personally affected. Taking a proactive approach to your personal data is incredibly important in this day and age, especially when you consider that there is a new victim of identity theft every 2 seconds just in the United States.

While we can hope that companies will begin to take a more proactive approach to user security, that may be a way off. For now, the responsibility lies with the individual to ensure that they are doing all they can to protect themselves. The situation isn’t ideal, but hopefully change is on the horizon.

This is why ESelfKey is working on an end-to-end self-sovereign identity management system which will do a far superior job of protecting you from data breaches. You can learn more about our solution here.

Want to learn more about ESelfKey? Check out this third party review.

The 7 Most Notorious Hacking Groups of All Time

https://selfkey.org/zh/the-7-most-notorious-hacking-groups-of-all-time/ Tue, 10 Dec 2019 14:03:56 +0000 http://selfkey.org/the-7-most-notorious-hacking-groups-of-all-time/

With the rise of computers and ever-changing technology, hackers have become a strong presence in modern society. The very first hackers emerged from MIT in 1969, but back then their main goal was to improve the software and hardware they were working with.

Since then, hackers have evolved and become more malicious. From hacking major companies, to stealing millions of dollars and revealing government secrets, hackers are now a major part of modern society. Here’s a look at the most notorious hacking groups of all time and what they’ve done.

7. Lizard Squad - Active

The Lizard Squad originally announced that it disbanded in 2014, but it actually didn’t go anywhere. This hacking group appears to mostly be run by teenagers and young adults. They have mainly hacked gaming-related services like League of Legends and PlayStation.

The group has claimed responsibility for hacks against Facebook, although Facebook denies that they were ever hacked. In general, the Lizard Squad has a reputation for claiming to have performed hacks when they haven’t actually done anything. They even made a false bomb threat against a Sony executive. The group did manage to successfully hack Taylor Swift’s Twitter account, but nothing came of it.

Several members of the Lizard Squad have been arrested and charged for their activities. However, that hasn’t stopped the group from continuing to hack. Most recently, they attacked the Labour Party in the United Kingdom.

6. Carbanak - Active

Very little information is known about this mysterious hacking group, but so far it has managed to steal millions from banks. Carbanak (also known as FIN7) started in 2013 and has been one of the most successful hacking groups to date. So far, the group has managed to steal $1 billion from banks around the world.

The alleged mastermind behind the group was arrested in 2018 along with two other high ranking members. However, Carbanak has carried on successfully without them. A recent report from Bitdefender alleges that the group is still alive and well. Carbanak’s modus operandi seems to be to remain unnoticeable; so far they have managed to stay in the shadows.

5. Syrian Electronic Army - Active

The Syrian Electronic Army emerged in 2011 as a pro-Assad group of hackers. Given the group’s avid support of the Assad regime, it is widely believed that the group has government ties, and Assad has publicly stated his support of the hacking group.

The hackers have primarily focused on targeting US media outlets and social media pages. The Washington Post was a victim of the hacking group (twice), as was the New York Times. Their most notorious attack was when they hacked the Associated Press’s Twitter account, claiming that the White House was under attack and that then President Barack Obama had been injured.

Over the past few years, the Syrian Electronic Army has stayed out of the headlines as it has focused on targets closer to home. However, in 2018 it was discovered that they have been developing malware for Android phones. To date, only one member of the hacking group has been arrested, while others are wanted by the FBI.

4. Lazarus Group - Active

The Lazarus Group (also known as Guardians of Peace) is a group believed to be run by the North Korean government, and it has been very successful. The hacking group seems to have started in 2009, and mostly uses malware in its attacks.

However, in 2014 the Lazarus Group caught the world's attention when it hacked Sony Pictures in retaliation for the movie The Interview being released. It is also responsible for WannaCry, ransomware that requires users to pay to have their data given back to them.

The Lazarus Group has also had a large amount of success with cryptocurrency. So far they have managed to steal $471 million from different cryptocurrency exchanges, and they are responsible for nearly bankrupting the Japanese crypto exchange CoinCheck. The United States government currently has sanctions placed on the hacking group and has frozen any known financial assets associated with them. 

3. Fancy Bear - Active

While the name may sound cute, this hacking group certainly is not. Fancy Bear (also called Sofacy) is a Russian hacking group that is firmly believed to be working under the Russian government. They tend to target foreign governments, embassies, media companies, defence organizations, energy companies, Russian dissidents, and even the Olympic games.

The hacking group got its start in 2008 when it targeted the Georgian government and has been going strong ever since. Fancy Bear was allegedly responsible for the Democratic National Convention hack prior to the last presidential election in the United States. They have also been responsible for the recent attacks on the German Parliament, and tried to influence the French elections in 2017. The group’s members remain largely unknown, and they show no sign of stopping. 

2. Equation Group - Active

If this name doesn’t sound familiar, you’ve probably heard of the organization it is allegedly tied to - the National Security Agency (NSA). Kaspersky first announced its discovery of the Equation Group in 2015, lauding it as the most advanced hacking group it had seen to date.

The Equation Group only came to light because its members made a number of errors over the years. Given that the group was mostly targeting countries and governments considered to be enemies of the United States (such as Russia and Iran) and that the group seemed to have an unlimited budget, suspicions arose that the Equation Group had government ties.

While it has never been confirmed that this hacking group is working under the NSA, there is strong evidence that it probably is. Obviously, the NSA isn’t going to confirm this connection. Very little is known about the Equation Group, and they likely intend to keep it that way.

1. Anonymous - Inactive

This is probably the most recognizable hacking group on our list. Known for wearing Guy Fawkes masks, the Anonymous group has been behind some of the largest hacks of the 2000s. The group emerged out of 4chan in the early 2000s, and its members are some of the most well-known “hacktivists” to date.

Anonymous has been involved with a large number of hacks including the Church of Scientology, the Occupy Wall Street movement, the Canadian government, the Westboro Baptist Church, ISIS, and many more. While some of the group’s reasoning for their attacks was questionable at best, most people think of Anonymous as a Robin Hood-esque group of hackers, helping to better the world.

What has made the group so successful is that it is largely decentralized; members do not often know the identities of others in Anonymous. Anonymous has been responsible for 45% of all hacks in the last four years; however, the group now seems to be defunct… or at least very quiet.

Honorable Mention: Legion of Doom - Inactive

No list of hacking groups would be complete without The Legion of Doom. This legendary hacking group is no longer active, but it is a hacking group that has gone down as being the most influential of all time. The group was active through the mid-80s to early 2000s, but they are mostly known for their work from 1984-1991. The group is also responsible for penning the infamous Hacker’s Manifesto.

At the time, the most common type of hacking was that of phone companies. This included setting up phone lines that could not be billed by phone companies. The Legion of Doom feuded with another hacker group called Masters of Deception, and their battle royale to decimate one another became known as The Great Hacker War. 

In comparison to the hacking we see nowadays, their activities seem very tame, but it was some of the biggest cyber warfare at the time. Most of the members are still largely unknown.

Conclusion

Since hackers emerged, they have become more and more nefarious. Hacking groups have gone from setting up free phone lines to attempting to destroy whole governments. We have certainly seen a rise in government-sanctioned hacking groups. While protection against cyber warfare is a necessity in today’s age, it would be nice to see governments focus more on preventing attacks instead of initiating them.

Individuals are very rarely the targets of hacking groups (unless you are a high profile individual). However, that doesn’t mean there isn’t potential for your personal data to be compromised as the result of a hack. Major companies and social media platforms are amongst the most common targets.

If you’ve been the victim of a data breach or hack (you can check on the website Have I Been Pwned?), it’s important to know what could happen to your personal data afterwards. Most people aren’t able to prevent a hack, but there are a number of things you can do to protect yourself, and it’s vital that you do your due diligence. If anything, hacking groups are only going to become more advanced as time goes on.

Social Engineering Hacks 101
https://selfkey.org/zh/social-engineering-hacks-101/ Fri, 29 Nov 2019 09:50:08 +0000

Social engineering is something you might not have heard of, but you have probably experienced at some point. Ever received an email that is supposedly from your bank but isn’t? That’s social engineering in action.

It’s an innovative way that malicious actors gain access to your personal data, and also money, that is incredibly difficult to prevent. In this article, we will dive into what social engineering actually is, the most common types of hacks, and how you can avoid being a victim.

What is social engineering?

The term social engineering originates from the famous hacker Kevin Mitnick, although the technique itself has been around for a long time. In essence, social engineering is the art of manipulating people into giving up valuable personal information or access to devices and buildings. In these cases, hackers are usually trying to get your log-in details or bank/credit card details so that they can take your money.

Criminals use social engineering because it is far easier to manipulate someone's trust than it is to hack into someone’s computer or execute a data breach. Our natural inclination is to trust someone; it is the backbone of many aspects of our lives, and it is surprisingly easy to manipulate. 

A social engineering hack usually goes like this. The hacker will first prepare the ground for their attack. This may involve doing some research into their target, including determining the best method to conduct their approach. 

Next the criminal will begin deceiving their victim using a foothold, usually some type of story. Sometimes the hacker will take a long term approach, and interact with their victim several times before executing their hack. Once the hacker has the information they want, they bring their scheme to a natural end and remove all traces of what they’ve done.

What makes social engineering so effective is that it relies on human error rather than technology. Human mistakes are a lot harder to thwart than malware.

Common social engineering hacks

There are three types of social engineering hacks: in-person, on the phone, and digital. We’re going to cover each one, including the most common types of hacks.

1. In-Person Social Engineering

These tactics are normally used to gain access to a building or devices. Typically the criminal will pretend to be an employee or service technician of some kind. The perpetrator will then be able to enter a secure building and/or be able to access computers, phones, servers, etc.

The hacker will then directly use devices to install things like malware. Alternatively, they may also leave something behind like a USB with malware on it. Most people will plug in a USB to see what is on it, and by the time they do, their computer has been compromised.

2. Phone Social Engineering

You have probably already experienced this type of hack. A criminal will call you pretending to be someone in a position of authority, a relative, your bank, or an employee from a service company or charity. They will then convince you to hand over sensitive information like your bank details, login information, passwords, and more. Occasionally, the criminal will catfish their victim, maintaining a relationship in order to get their victim to send them money.

This is a scam that overwhelmingly targets senior citizens, and unfortunately, they are quite successful. The most common is when a criminal pretends to be the grandchild of their target and requests money in order to get out of a tricky situation like jail or being stuck in another country.

Recently, the FBI helped take down a ring of criminals who were phoning people and telling them that they had kidnapped their child. Victims were told that they needed to pay a large sum of money to get their child back. What made it so effective was another person in the background screaming for help. While it didn’t work every time as the criminals were cold calling people, it worked well enough for them to walk away with a large profit.

3. Digital Social Engineering

This type of social engineering hack is probably the most common these days. We’ve all received suspicious emails asking us to download something or submit personal information. Most of the time, we know to ignore them, but criminals are getting better at hiding their methods.

Phishing scams are by far the most common. Generally, hackers will email you from a seemingly legitimate email address. They might even use the logo of the company they are trying to impersonate, and model their emails closely on the ones you normally receive. The key here is to check the email address. Usually there is some small typo, an extra character, or change in domain (for example .biz instead of .com).

What makes phishing scams work (some of the time) is that they create a sense of fear, urgency, or curiosity. These are powerful emotions. If you receive an email that looks like it is from Netflix telling you that you need to update your billing information, your natural inclination is to do what the email says. Malicious actors are counting on you not taking a closer look.

There is another type of phishing called spear phishing. The premise is the same, but it requires a lot more work on the part of the hacker and has a great reward. Spear phishing is personalized to the victim of the attack, and the criminal puts a lot of time and effort into making themselves appear legitimate. Criminals find all the personal information they can about their target in order to trick them into installing malware or handing over personal data.

Another common digital social engineering hack is scareware. This involves victims being bombarded with warnings and false alarms claiming that there is some type of threat. Typically, victims are told that their computer is infected with some type of malware and that they need to install some type of software to fix the problem.

How to protect yourself from social engineering hacks

Social engineering plays off of your emotions, so it can be difficult to stop. That being said, there are a number of things you can do to prevent yourself from becoming a victim:

  • Don’t open emails and attachments from suspicious sources. If you don’t know the sender, don’t open the email. If you do know the sender but the message seems off, it never hurts to do a bit of research. You can call the company (or person if you know them) to confirm whether they actually need this information or not. You can also check the email address; criminals will often make a small but important change to trick you.
  • Be cautious of tempting offers. If it sounds too good to be true, it probably is. When in doubt, you can always do a quick Google search to determine if the offer is legitimate or not.
  • Install an antivirus or security suite. It’s important that your computer can spot malware in case you miss it. Antivirus software could save you a lot of trouble when it comes to preventing malware.
  • Keep your software up to date. Most updates for software and applications include important security patches. You can turn on auto updates to make it even easier.
  • Take things slowly. Our natural instincts can sometimes hinder us. It’s natural to panic if you receive an email from the IRS asking you to pay more taxes. Take a deep breath and assess the situation. Is it normal for this service or agency to send important information by email? Usually that is not the case.
  • Trust your email software. Most email providers are pretty good at spotting a suspicious email. If you feel like it isn’t doing enough to filter out spam, you can probably change your settings to increase the effectiveness of your spam filters.
  • Enable two-factor authentication. This is the easiest way to see if someone is trying to log into your accounts after you have shared personal information. It also makes it far harder for criminals to gain access to your accounts.
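The sender-address check described in the phishing paragraph and in the first tip above (a small typo, an extra character, or .biz instead of .com) can be automated. The following is an added example, not code from the original article; the allow-list, the `mybank.example` domain and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: your own list of domains you genuinely receive mail from.
# "mybank.example" is a constructed placeholder.
TRUSTED = ("netflix.com", "mybank.example")


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Naive split into (name, tld): the last label is treated as the TLD.
    Assumption: fine for .com/.biz style names; multi-part suffixes such
    as .co.uk need the Public Suffix List."""
    labels = domain.split(".")
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def check_sender(from_header, trusted=TRUSTED):
    """Return (verdict, reason) for the value of a From: header."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parsable address"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    labels = domain.split(".")

    # A display name that itself looks like an address, but a different one.
    if "@" in display and not display.lower().endswith("@" + domain):
        return "suspicious", "display name shows a different address"

    # Exact match, or a genuine subdomain of a trusted domain.
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted", good

    # Punycode labels can render as look-alike Unicode characters.
    if any(label.startswith("xn--") for label in labels):
        return "suspicious", "punycode label"

    name, tld = split_domain(domain)
    for good in trusted:
        good_name, good_tld = split_domain(good)
        # Same name, different ending (.biz instead of .com).
        if name == good_name and tld != good_tld:
            return "suspicious", "TLD swap of " + good
        # Small typo or extra character in the name.
        if len(good_name) > 4 and 0 < edit_distance(name, good_name) <= 2:
            return "suspicious", "near-miss of " + good
        # Trusted name used as a label inside somebody else's domain.
        if good in domain or good_name in labels[:-2]:
            return "suspicious", good_name + " embedded in another domain"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in ("Netflix <billing@netflix.com>",
                   "Netflix <billing@netflix.biz>",
                   "Netflix <info@netfl1x.com>",
                   "Netflix <a@netflix.com.account-verify.biz>",
                   '"billing@netflix.com" <x@mailer.example>',
                   "friend@gmail.com"):
        print(header, "->", check_sender(header))
```

An "unknown" verdict only means the domain resembles nothing on the allow-list; it says nothing about whether the sender is safe.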

Conclusion

It is highly likely that social engineering hacks will continue to develop given their current effectiveness. In fact, the second half of 2018 saw an increase of over 500% in social engineering attacks. A big part of prevention is awareness, so it is important that we talk about social engineering and warn others about it. Given that the elderly are so susceptible to these types of attacks, more work should be done to inform and protect senior citizens.

Even government agencies can fall victim. In 2016 the Department of Justice fell victim to a social engineering hack which led to tens of thousands of employees having their data leaked. It’s hard to believe that a government body would fall for such a scheme just a few years ago.

Criminals are constantly adapting, and it is vital that we take a proactive approach to protecting our personal data. If not, you could end up not only losing control over your personal information, but could also lose a lot of money too.

What Happens to Your Personal Information Once You've Been Hacked?
https://selfkey.org/zh/what-happens-to-your-personal-information-once-youve-been-hacked/ Thu, 21 Nov 2019 08:24:19 +0000

There’s no question that data breaches are becoming a common occurrence in today’s world. In fact, according to the Data Breach Index, over 5 million records are lost or stolen every day. These breaches affect businesses, individuals, and governments alike.

For many, the question remains - what actually happens to your personal data once it’s been stolen? In this article we cover the typical use cases, including what type of data is most valuable and why hackers hack in the first place. 

Why hackers hack

There are a number of reasons why hackers steal data in the first place. The most popular and most obvious reason is financial gain. The majority of hackers want to make a profit, and they can easily do so by stealing information like bank or login details. They can steal your money from your accounts, apply for a credit card or loan under your name, or they can also resell your information to another criminal on the internet. The dark web is full of criminals buying and selling stolen personal information.

In the past few years, there has been a new development in hacking for financial gain. It has become increasingly popular for hackers to break into your device and encrypt the data on it. It’s called ransomware, and malicious actors hold your files hostage until you pay the ransom within a certain period of time. If you don’t pay, the data is usually destroyed by the hacker. 

Surprisingly, not all hackers are in it for the money; some steal information and act as shadowy vigilantes. Known as “hacktivism”, groups or individuals work together to take down terrorist groups, oppressive regimes, governments, and trafficking rings. We’ve all heard of Edward Snowden, probably one of the most well known hacktivists, who leaked data from the National Security Agency. There’s also the Anonymous group, which has been behind 45% of hacktivism in the past four years. However, the group now seems to be defunct, or at least very quiet. 

A very small number of hackers just want to show off what they can do, and they have no intention of stealing information or making a profit. Sometimes they launch a hack to show how poor a corporation’s cybersecurity is. An example of this is the infamous Ashley Madison data breach, where the profiles of 32 million users were made publicly available. The hackers didn’t want money; they just wanted the website taken down. Ashley Madison is a dating platform for people seeking extramarital affairs, and the leak quite literally tore some families apart.

What data is the most valuable?

There are typically five types of data that malicious actors will want to steal:

  1. Payment information - Given that financial gain is the primary reason why hackers hack in the first place, payment data is the most valuable. 
  2. Authentication details - Once a hacker has gained access to one account, chances are they can get into others too. The more accounts they hack, the more information they collect.
  3. Copyrighted material - Most software can be pretty pricey, and hackers would rather not pay. 
  4. Medical records - This might come as a surprise, but medical identity theft is extremely common. Perpetrators will use your information to gain access to healthcare for themselves. 
  5. Classified information - While this won’t affect most people, classified information is very valuable for blackmail purposes. 

What happens to your data after it’s stolen?

Once a hacker has your data, there are a few things they can do. The first step is to scan your data for important and/or valuable information like bank details, login information, photos, emails, or messages. The perpetrator will then decide whether they are going to keep the files or sell them to a third party (often called a “broker”). 

Typically, hackers will sell your data. This reduces risk for them, and also gives them an immediate profit. The price for stolen personal information depends on how valuable it is. For example, personal data from a government official or a celebrity is far more valuable than that belonging to the average person. 

As mentioned earlier, credit card and payment details are the most popular on the dark web, and clearing funds from your account is dead easy. Usually a “broker” will buy your card details on a marketplace and resell them to a “carder”. The carder will then get as much money out of your accounts as possible before you or your bank notices. 

They can generally replicate a card by printing one themselves, but more commonly they will use them for a gift card shell game. What happens is the carder will use your payment details to buy online gift cards, and then make purchases with the gift cards. Typically, they will purchase electronics because they are always in demand and can be easily resold, making them relatively low risk. 

The risk of losing your funds is very small with a credit card compared to the risk involved with debit cards. Banks usually have policies in place for credit card fraud and are quite good about spotting suspicious purchases. Debit cards are unfortunately a different story; not much can be done if your funds are stolen. Debit cards are far more common in Europe than in North America, and they are extremely valuable on the dark web. 

Personal information is far less valuable on the black market, since it is already widely available. Your name, birthday, address, and email can sometimes just be gathered by looking at your social media accounts. As a result, there has been a huge growth in extortion regarding personal data.

Malicious actors will obtain your personal information and threaten to release it to the public. This is very common with explicit photos and messages, as hackers will hold them for a ransom. If you don’t pay up, your reputation could sadly be ruined. Naturally, this data is even more valuable if the victim is a public figure, such as when the National Enquirer allegedly threatened to release photos of Jeff Bezos and his mistress.

Companies, in particular financial organizations, have tried to fight identity and financial crime by implementing Know Your Customer (KYC) procedures. This requires companies to verify the identity of their users by using personal documents such as passports or other forms of government-issued ID. However, this has led to an increase in theft of personal documents, tax information, and insurance numbers. 

KYC information contains everything a malicious actor needs to commit fraud and steal your identity. By having your passport or driver’s license, they can apply for loans, and claim your tax credits and your insurance claims. While this type of hack is very difficult to orchestrate, it is one of the most valuable, making it more and more appealing to criminals. 

How to prevent your data from being stolen

Unfortunately, it is difficult to tell if your data has been stolen, but there are a number of preventative measures you can take. One crucial step is to use a password manager in order to create unique passwords for all of your individual accounts. This prevents hackers from being able to access more of your accounts if they gain access to one.

Blockchain technology can also be of use here. Decentralized identity (DID) gives you far more control over what data you share and who you share it with. Through DID, you prove your identity once to a trusted third party, and said third party handles all requests for identity and access so you don’t have to. Not only is it more convenient, it is far safer.

Lastly, keep an eye on your finances. They are likely to be the first target in any type of hack and you can do things like freeze your credit or place a fraud alert on your accounts for extra protection.

Conclusion

As we’re aware by now, having your personal information stolen is not a problem that is going to go away any time soon. Unfortunately, there is no true way to prevent your data from being hacked as long as you are not in charge of the security of your data. This is why digital identity management solutions like the ESelfKey Identity Wallet have become so popular - it puts you back in control of your own data. It’s not enough to blindly trust big corporations like Facebook anymore. 

If you are worried that your data has been breached (the answer is yes), you can check on the website Have I Been Pwned. You can also set up notifications so you are aware if your accounts have been compromised. 

Your data, and most of your life, is online. Every action you take or interaction you have could potentially put you at risk. It is vital to take a proactive approach when it comes to managing your personal data. It can be annoying, but it’s probably worth your time to understand how your data is protected on the websites and apps you use regularly. Be cautious and vigilant, because crime never sleeps.

How to protect yourself from identity theft
https://selfkey.org/zh/protect-yourself-from-identity-theft/ Tue, 10 Sep 2019 11:29:56 +0000

Identity theft is a relatively modern problem. In some ways, it has become more difficult to have your identity stolen but in others, it has become easier. Protecting yourself against identity theft should be a proactive practice, and blockchain technology can help. In this article, we will outline the most common types of identity theft and how you can protect yourself against them.

What is identity theft?

The first step in preventing identity theft is understanding what that means and being able to recognize it. Identity theft (also known as identity fraud by law enforcement) is defined as all crimes against individuals where personal and/or financial information is obtained illegally by using fraud or deception. The most common motivation for identity theft is financial gain.

Once someone steals your identity, they can do a number of things:

  • Withdraw money from your bank account
  • Apply for loans or credit cards under your name
  • Use your health insurance to obtain medical care
  • Steal your tax refund by using your Social Security number (SSN)
  • Sell your information to other criminals
  • Impersonate you online (also called catfishing)
  • Commit criminal activities under your identity (ex. terrorist activities, murder, etc)

Identity theft is illegal in most of the world, usually punishable by jail time and/or fines. If identity theft is used to conduct criminal activity, the punishment is usually heavier. The majority of identity theft affects consumers, with the most common being credit card fraud according to the Federal Trade Commission (FTC).

Signs that your identity has been stolen

Once someone has stolen your identity, the signs are usually easy to spot. Most of us, at some point, have received a call from our bank asking about suspicious transactions, but there are other signs to look for.

  • You stop receiving household bills. This can be an indicator that someone has taken your information and used it to change your billing address. If this happens, it’s best to call your utility providers and put a password on your account for any future changes.
  • You are rejected for a loan or line of credit. If you have a good credit history and are suddenly rejected, this could be a sign that your identity has been compromised. Additionally, if you are approved but with higher interest rates, this can be another sign of identity theft.
  • You receive bills for medical services you did not use. While identity theft for medical services is less common, it does occur. If it does happen to you, you should get in touch with the hospital that billed you for the services. Also keep an eye out for being rejected by a health insurance provider for a condition you don’t have, or your healthcare provider rejecting your claim because you have already reached your benefits limit.
  • You are billed for purchases you didn’t buy. This is probably the most common form of identity theft. Most banks will give you a call if they see suspicious transactions, but you can be proactive by regularly checking your own accounts.
  • Your tax return is denied. If you receive a rejection letter from the IRS (or your country’s equivalent) after filing your tax return, this could mean that someone else has filed a return under your name.
  • “Test charges” show up on your credit card statements. Some criminals will make small charges, usually under $5, to make sure the card is still active. If these transactions go through, then the thief knows that they can make larger transactions.
  • You receive calls from debt collectors for debt that doesn’t belong to you. This is a sure sign that someone has stolen your identity.
  • You receive a notification that a company you work for or have an account with has been hacked. Usually, the company in question will let you know what steps you will need to take, or if you simply need to update your password. Either way, it’s a good idea to change your passwords anyhow and monitor your credit card transactions if necessary.
  • You get a court summons in the mail. This is a result of criminal activity, and is unfortunately quite hard to disprove. If you think you may be a victim of this type of identity theft, you should contact law enforcement immediately.

If you notice any of these signs, it is important to take action immediately. There are also a number of steps you can take to prevent your identity from being stolen in the first place.

Preventing identity theft

An important first step you can take to prevent your identity from being stolen is to actively monitor your financial statements. If possible, check your bank account and credit card statements online at least once a week. If checking your statements online isn’t possible, make sure you are monitoring your monthly statements.

Another step you can take is to freeze your credit. This makes it a lot harder for someone to open a credit card or take out a loan under your name, as the bank won’t be able to run a credit check. It’s also free, and you can temporarily lift it if need be. However, it can be a bit of a nuisance as there are three separate credit bureaus you have to contact to do this in the US. You can also enroll in a credit monitoring service, such as PrivacyGuard or Credit Karma, or place a fraud alert on your credit.

Making sure you have strong, diverse passwords on all of your accounts is also key. We all know not to use passwords like “password” or “12345”, but having a strong password goes a lot further than that. Not only should you avoid personal things like pets or family names, but you should even avoid using words that are in the dictionary. If you find remembering different passwords for every account difficult, you can use a service like LastPass to generate unique passwords and safely store them for login.

How blockchain technology can help protect your identity

In recent years blockchain technology has built a reputation for providing an unbreakable and un-hackable payments infrastructure. If you're not aware of how a blockchain works, it typically goes like this:

  1. Alice wants to send money to Bob - so she performs a transaction
  2. The transaction is timestamped and recorded on a digital ledger
  3. Once a certain number of transactions have been performed, they are collected in a "block" and cryptographically linked to the previous block of transactions - called a confirmation.

In order to alter her transaction, Alice would need to break the cryptographic hash of each of the blocks that have been added since. Given the complexity of the hashing algorithm and the resource-intensive nature of hacking this kind of infrastructure, this rarely makes economic sense. In short, blockchain technology is set up in such a way as to make hacking it both technically difficult and uneconomical.

Given these impressive features, the question becomes: how can we utilize the secure and distributed nature of the blockchain to protect individuals from identity theft?
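The linking of blocks described in the three steps above can be shown in a few lines. This is an added example, not ESelfKey or Ethereum code: it is a simplified hash chain with no mining or consensus, and the function names and the constructed transactions are assumptions.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

# Constructed sample data: three batches of transactions.
SAMPLE_BATCHES = [
    [{"from": "Alice", "to": "Bob", "amount": 5}],
    [{"from": "Bob", "to": "Carol", "amount": 2}],
    [{"from": "Carol", "to": "Dave", "amount": 1}],
]


def block_hash(block):
    """SHA-256 over the block's contents, including the previous block's hash."""
    payload = json.dumps(
        {"index": block["index"],
         "prev_hash": block["prev_hash"],
         "transactions": block["transactions"]},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches):
    """Collect each batch into a block linked to the block before it."""
    chain, prev = [], GENESIS_PREV
    for index, transactions in enumerate(batches):
        block = {"index": index, "prev_hash": prev,
                 "transactions": transactions}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None


def tamper_amount(chain, block_index, tx_index, new_amount):
    """Return a copy of the chain with one amount edited, hashes untouched."""
    forged = copy.deepcopy(chain)
    forged[block_index]["transactions"][tx_index]["amount"] = new_amount
    return forged


def rehash_from(chain, start):
    """Recompute links and hashes from block `start` to the tip, in place.
    This is the work needed to make an edited history look consistent."""
    for i in range(start, len(chain)):
        chain[i]["prev_hash"] = chain[i - 1]["hash"] if i else GENESIS_PREV
        chain[i]["hash"] = block_hash(chain[i])


if __name__ == "__main__":
    honest = build_chain(SAMPLE_BATCHES)
    forged = tamper_amount(honest, 0, 0, 500)
    print("edit detected at block", first_invalid_block(forged))
    forged[0]["hash"] = block_hash(forged[0])
    print("after fixing block 0, break moves to block",
          first_invalid_block(forged))
    rehash_from(forged, 1)
    print("tip matches honest copies:",
          forged[-1]["hash"] == honest[-1]["hash"])
```

Even after every later block is recomputed, the final hash no longer matches the copies held by other participants, which is how the edit is noticed. On a real network each recomputed block would also have to satisfy the consensus rules, which this sketch leaves out.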

Well, since 2017, the ESelfKey Foundation has been building an end-to-end identity management solution utilizing the Ethereum blockchain. This ecosystem will allow individuals and corporations to authenticate themselves online while minimizing the amount of personal information that needs to be shared.

As a simplified example, imagine going to the liquor store and having to show your driver's license to prove that you are of legal drinking age. The liquor store is legally compelled to ensure that you are of legal drinking age, but typical forms of ID contain much more information than is necessary at this juncture. A US driver's license, for example, contains:

  • The full legal name
  • Date of birth
  • Photo
  • Current residence
  • Height
  • Weight
  • Gender
  • Eye color
  • Hair color
  • Signature
  • Document number

You can be sure that, in an online environment, all this information is stored and will be leaked in the case of a data breach.

But now imagine the same situation, but instead of an ID you show a notarized certificate simply showing a facial image and the sentence: "We, NAME OF NOTARY, hereby confirm that John Doe is of legal drinking age."

In this second scenario, you can see a simplified example of how the ESelfKey ecosystem will use certifiers in order to provide evidence but not information. In the case of a breach or a hack, no valuable information would be shared. All a hacker might know is that there is a man called John Doe and he's over the age of 21.

Then you combine this approach with the security and transparency of the blockchain, alongside decentralized identifiers, and you start having a strong identity management system that improves on the current system in many important ways.

Conclusion - How to protect yourself from identity theft

Unfortunately, identity theft is a problem that is not likely to disappear anytime soon and often, we only realize that our identity has been compromised once it is too late. There needs to be a shift in public thinking to be far more proactive in preventing identity theft. Stronger passwords, credit monitoring, and fraud alerts are all good actions to take, but they don’t ultimately solve some of the bigger problems.

It’s become a worryingly frequent occurrence for companies to be hacked, and there are plenty of opportunities for malicious actors to get a hold of your data. Most of us are in the bad habit of not reading the terms and conditions and privacy policy of every website we sign up to. We are often giving away a lot of our personal information and may not even realize it.

The time has come for us to take back control of our identity instead of waiting for companies, organizations, and government bodies to lose it. Self-sovereign identity is a very real possibility in the future, but the general population has to make the shift. More awareness needs to be put in place, and we need better solutions that actively prevent identity theft. Your identity is the one thing that should belong exclusively to you. Let’s put the power back in your hands and let you decide who gets access to what information.

Download the ESelfKey Identity Wallet and take the first step towards protecting yourself from identity theft.
