
5 Major Companies Were Recently Breached: Where Are They Now?

Elise Silagy

October 4, 2021

2020 was a record-breaking year in the cybersecurity world, both when it comes to the amount of data lost in breaches as well as the eye-watering number of cyber attacks on companies, governments, and individuals. Ransomware attacks alone have risen 62% since 2019, and this trend doesn’t appear to be waning.

In this article, we will discuss five major companies that were attacked between 2019 and 2021, including the impact of those breaches and how these organizations responded.

If you have experienced, or are currently experiencing, a cybersecurity attack please contact our team immediately for assistance by calling (855) 422-8283 anytime 24/7/365 and consider reading our educational article Hacked? Here’s What to Know (and What to Do Next).

Capital One (2019) 

The Attack

The Capital One hack was first discovered on July 19th, 2019, but likely occurred at the end of March that same year and exposed data from credit card applications dating back to 2005. The attacker, Paige Thompson, exploited a misconfigured web application firewall in Capital One's cloud infrastructure to obtain credentials and pull data from the company's storage, including:

  • 140,000 social security numbers
  • 1 million Canadian social insurance numbers
  • 80,000 bank accounts
  • An undisclosed number of names, addresses, credit limits, credit scores, balances, and other personal information

This devastating attack impacted approximately 100 million people in the United States and a further 6 million in Canada. In June 2021, the US Department of Justice announced that it was adding to the charges. Originally charged with one count each of wire fraud and computer fraud and abuse, Ms. Thompson now faces six additional counts of computer fraud and abuse and one count of access device fraud.

Capital One’s Response

In an official statement to impacted customers on their website (last updated April 16, 2021, as of the writing of this article), Capital One lays out the damage done and the number of individuals impacted. They go on to stress that no login credentials were compromised.

The statement goes on to provide answers to some pressing questions in the Q&A section and offers practical advice about what Capital One cardholders can do to protect their accounts, including additional steps that individuals can take to protect themselves against fraud and identity theft. American cardholders can find additional information on this FAQ page.

The official FAQ page linked above goes on to mention that all affected Capital One customers will be provided with two years of free credit monitoring and credit protection. The FAQ states that impacted individuals should have received either an email or a letter outlining the enrollment process for this service, including an activation code.

The FAQ goes on to discuss what individuals should do if they received a possible scam email, call, or text related to the incident, which indicates scammers are piggybacking on this breach in an attempt to further victimize impacted individuals.

Capital One also agreed to pay an $80 million fine to US regulators over the incident.

Capital One did have a plan in place to recognize and respond to the breach (highlighting the importance of having an incident response plan). The incident came to light through an external tip to Capital One's responsible disclosure program, and once the intrusion was confirmed, Capital One responded swiftly and kept impacted individuals informed. Ms. Thompson was arrested a mere 12 days after that initial report.

Facebook (2019) 

The Attack

Facebook's problems with scraped user data first surfaced in April 2019, when datasets collected by third-party Facebook apps were found sitting exposed on the open internet. The dataset at issue here, containing private information on 533 million accounts, was scraped from Facebook itself before September 2019 and was then posted for free on a hacking forum in April 2021, putting it within reach of any criminal who wants it.

The data exposed included phone numbers, dates of birth, current and past locations, full names, and for some accounts email addresses. In an official blog post, the company stated that “malicious actors” had scraped the data by abusing its contact importer, a feature that let users find each other by phone number; Facebook says it closed that loophole in August 2019.
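The scraping pattern behind this incident is simple: feed a long list of candidate phone numbers to a "find my contacts" endpoint and harvest every profile it maps them to. The following added example (not Facebook's code; the user directory, phone numbers and limits are constructed for the demo) shows a naive lookup beside a hardened one that caps batch size, budgets lookups per caller, and honours each user's "discoverable by phone" setting, then runs a simulated scraper against both.

```python
"""Phone-number lookup ("find my contacts") with and without abuse controls.

Added example, not Facebook's code. The user directory, phone numbers and the
limits below are constructed for the demo.
"""
import time
from collections import defaultdict

# Constructed directory: phone -> (display name, "discoverable by phone" setting)
USERS = {
    "+15550000001": ("Alice", True),
    "+15550000002": ("Bob", False),
    "+15550000150": ("Carol", True),
    "+15550000900": ("Dave", True),
    "+15550001500": ("Eve", False),
}


class NaiveContactImporter:
    """Answers any batch from any caller and ignores the discoverability setting.

    A scraper can map every number in a whole dialling range to a profile."""

    def lookup(self, caller: str, phones: list[str]) -> dict[str, str]:
        return {p: USERS[p][0] for p in phones if p in USERS}


class HardenedContactImporter:
    """Caps batch size, budgets lookups per caller per hour, honours opt-out."""

    MAX_BATCH = 50          # numbers per request
    BUDGET_PER_HOUR = 200   # numbers per caller, summed across requests
    WINDOW_SECONDS = 3600

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._usage = defaultdict(list)   # caller -> [(timestamp, numbers looked up)]

    def lookup(self, caller: str, phones: list[str]) -> dict[str, str]:
        if len(phones) > self.MAX_BATCH:
            raise ValueError(f"batch larger than {self.MAX_BATCH}")
        now = self._clock()
        # Sliding window: forget usage older than an hour, then check the budget.
        recent = [(t, n) for t, n in self._usage[caller] if now - t < self.WINDOW_SECONDS]
        if sum(n for _, n in recent) + len(phones) > self.BUDGET_PER_HOUR:
            self._usage[caller] = recent
            raise PermissionError("hourly lookup budget exhausted")
        recent.append((now, len(phones)))
        self._usage[caller] = recent
        # Same response shape whether a number is unknown or the user opted out,
        # so the endpoint cannot be used to confirm that a number has an account.
        return {p: USERS[p][0] for p in phones if p in USERS and USERS[p][1]}


def scrape(importer, candidates: list[str], batch: int = 50) -> dict[str, str]:
    """Model a scraper walking a dialling range in batches until it is cut off."""
    found: dict[str, str] = {}
    for i in range(0, len(candidates), batch):
        try:
            found.update(importer.lookup("scraper-app", candidates[i:i + batch]))
        except PermissionError:
            break
    return found


def dialling_range(prefix: str = "+1555000", count: int = 2000) -> list[str]:
    """Constructed block of 2,000 consecutive numbers, the kind of list a scraper feeds in."""
    return [f"{prefix}{i:04d}" for i in range(count)]


if __name__ == "__main__":
    numbers = dialling_range()
    print("naive    :", scrape(NaiveContactImporter(), numbers))
    print("hardened :", scrape(HardenedContactImporter(), numbers))
```

Against the naive importer the scraper recovers every user in the range, opted out or not; against the hardened one it is cut off after 200 numbers and only ever sees users who chose to be discoverable. Real deployments would key the budget on account, device and IP together, since a scraper will spread requests across many throwaway accounts.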


Facebook’s Response

Facebook chose not to notify impacted individuals in 2019, and according to this NPR article published in April 2021, they still have no plans to do so. According to a company spokesperson, the company isn't sure which users would need to be notified, and the decision not to contact users stemmed at least in part from the fact that “the information that was leaked was publicly available and that it was not an issue that users could fix themselves.”

Though Facebook claims to have addressed the vulnerability that allowed attackers to access this data, that is cold comfort for Facebook users. “Scammers can do an enormous amount with a little information from us,” said CyberScout founder Adam Levin when interviewed by NPR. “It’s serious when phone numbers are out there. The danger when you have phone numbers, in particular, is a universal identifier.” Phone numbers tie people to their digital accounts: they serve as login identifiers and as the channel for SMS two-factor codes and account recovery, so a leaked number paired with a real name makes SIM-swap and targeted phishing attacks considerably easier.

The US Federal Trade Commission's $5 billion penalty against Facebook, announced in July 2019, was not a response to this scrape. It settled charges that the company had violated its 2012 consent order with the agency in the Cambridge Analytica matter. That settlement also requires Mark Zuckerberg and designated compliance officers to personally certify that the company's privacy program is working, exposing them to individual liability for false certifications.

If you are concerned that your personal information may have been included, the breach-notification service Have I Been Pwned has loaded this dataset and lets you search by phone number as well as by email address, so you can check whether your Facebook account or other accounts have turned up in a known breach.

SolarWinds (2020)

The Attack

Cybersecurity company FireEye first discovered the backdoor in December 2020. The attackers, believed to be affiliated with the Russian government, compromised SolarWinds' software build process and used that supply-chain foothold to ship trojanized updates (carrying the SUNBURST backdoor) of SolarWinds' popular Orion network monitoring platform to its customers.

SolarWinds' advertised customer base at the time included

  • Multiple US government departments
  • 425 of the US Fortune 500 companies
  • The top ten US telecommunications companies
  • The top five US accounting firms
  • All branches of the US military
  • The Pentagon
  • The State Department
  • Hundreds of universities and colleges worldwide 

Roughly 18,000 customers installed a trojanized Orion update, though the attackers followed up with hands-on activity in only a small fraction of those networks. The total extent of the damage may never be known, and this attack continues to surface in affected organizations. For example, in July 2021 the US Department of Justice disclosed that the same actors had accessed Microsoft Office 365 email accounts in 27 US Attorneys’ offices between May and December 2020, an intrusion traced to the SolarWinds campaign.

FireEye’s Response

The larger attack was discovered when FireEye’s internal team of investigators was investigating the intrusion into FireEye’s own network, in which its red team tools were stolen. During this investigation, the backdoor within the SolarWinds code was discovered, prompting the FireEye team to contact law enforcement. Though the SolarWinds attack was devastating, the fact that the attackers chose to go after a company whose business is finding intrusions might actually have lessened the damage. According to Charles Carmakal, senior vice president and CTO of Mandiant, FireEye’s incident response arm, “one silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community, and security partners.” 

FireEye took the crucial step of publicly reporting the attack (instead of waiting for impacted customers to discover the issue), conducted a thorough review of the incident, and made sure to share all their information with law enforcement and the US government. As such, the extent of the attack was learned quickly, so impacted companies and government bodies could take appropriate steps. If FireEye had tried to hide the attack from their customers, the damage could have been even worse.

Keepnet Labs (2020)

The Attack

Keepnet Labs is a threat intelligence company that collects and organizes login credentials exposed during other data breaches. If a customer’s details are discovered, Keepnet Labs notifies impacted individuals and offers advice on steps they should take to best safeguard their data and minimize damage.

The Keepnet Labs incident is a little unusual in that it wasn’t actually Keepnet Labs user data that was exposed. Instead, Keepnet Labs had compiled a database of usernames and passwords that had been leaked during a variety of cybersecurity incidents between 2012 and 2019. This Elasticsearch database, which (according to Keepnet) was maintained by a contractor rather than Keepnet Labs itself, was left reachable from the internet without any authentication in front of it. 

While performing scheduled maintenance, an employee of the contracted company briefly turned off a firewall to speed up the process, inadvertently exposing the database for about ten minutes. That short window was enough: the database was indexed by BinaryEdge, a security company that continuously scans, analyzes, and classifies internet-facing systems. Security researcher Bob Diachenko then found the exposure through BinaryEdge's data.

As such, the leak wasn’t technically as bad as others mentioned on this list since all the data exposed had already been exposed in previous incidents. However, Keepnet Labs’ handling of the incident was far from ideal.
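The lesson practitioners draw from this incident is that ten minutes without a firewall is plenty for internet-wide scanners, and that a data store which relies on the firewall alone will answer any anonymous client. The following is an added example for auditing your own hosts, not Keepnet's, the contractor's, or BinaryEdge's tooling. It relies only on two stock Elasticsearch REST endpoints (GET / and GET /_cat/indices?format=json); the fake node it spins up on localhost is a constructed stand-in so the demo runs offline, with one instance wide open and one demanding credentials.

```python
"""Probe an Elasticsearch endpoint for unauthenticated access and size the exposure.

Added example for auditing your own hosts. It is not Keepnet's, the contractor's,
or BinaryEdge's tooling. The fake node below is constructed for the offline demo.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request


def probe_elasticsearch(base_url: str, timeout: float = 3.0) -> dict:
    """Return {'exposed': bool, 'status': int | None, 'docs': int, 'indices': [...]}.

    exposed=True means an anonymous client got the node banner, which is what an
    internet scanner records the moment a firewall is dropped; the index listing
    then says how many documents that anonymous client could read."""
    base = base_url.rstrip("/")
    result = {"exposed": False, "status": None, "docs": 0, "indices": []}
    try:
        with request.urlopen(base + "/", timeout=timeout) as resp:
            result["status"] = resp.status
            banner = json.loads(resp.read().decode())
    except error.HTTPError as exc:                  # 401/403: something enforces auth
        result["status"] = exc.code
        return result
    except (error.URLError, OSError, ValueError):   # closed, filtered, or not JSON
        return result
    if banner.get("tagline") != "You Know, for Search":   # not an Elasticsearch node
        return result
    result["exposed"] = True
    try:
        with request.urlopen(base + "/_cat/indices?format=json", timeout=timeout) as resp:
            for idx in json.loads(resp.read().decode()):
                result["indices"].append(idx.get("index"))
                result["docs"] += int(idx.get("docs.count") or 0)
    except (error.HTTPError, error.URLError, OSError, ValueError):
        pass    # banner leaked but listing refused: still exposed, size unknown
    return result


def _fake_node(auth_required: bool):
    """Constructed stand-in for a node; with auth_required it behaves as if behind basic auth."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if auth_required and not self.headers.get("Authorization"):
                self._send(401, b"", {"WWW-Authenticate": 'Basic realm="security"'})
                return
            if self.path == "/":
                body = {"name": "node-1", "cluster_name": "leaks",
                        "tagline": "You Know, for Search"}
            elif self.path.startswith("/_cat/indices"):
                body = [{"index": "credentials-2012-2019", "docs.count": "5000000000"}]
            else:
                self._send(404, b"")
                return
            self._send(200, json.dumps(body).encode())

        def _send(self, code, data, extra=None):
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            for name, value in (extra or {}).items():
                self.send_header(name, value)
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *_):    # keep the demo quiet
            pass
    return Handler


def run_demo() -> dict:
    """Probe a wide-open fake node and one that demands credentials; return both results."""
    out = {}
    for label, auth in (("open", False), ("locked", True)):
        server = HTTPServer(("127.0.0.1", 0), _fake_node(auth))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            out[label] = probe_elasticsearch(f"http://127.0.0.1:{server.server_address[1]}")
        finally:
            server.shutdown()
            server.server_close()
    return out


if __name__ == "__main__":
    for label, res in run_demo().items():
        print(label, res)
```

Point probe_elasticsearch at a real host from outside your network perimeter; anything other than a connection failure or a 401/403 means the firewall is the only thing between the data and the internet. The durable fix is authentication on the cluster itself (and binding it to a private interface), so a maintenance window that drops the firewall does not drop the only control.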

Keepnet Labs’ Response

After discovering the exposure, Diachenko published a security report, which was picked up by a variety of cybersecurity news outlets and blogs that reported on the leak. However, Keepnet Labs felt that a number of these publications had made misleading statements and contacted several reporters to ask them to edit their articles. 

Graham Cluley, a popular security blogger, received one such email from Keepnet. Though he felt his representation of the facts was fair, he was willing to give Keepnet the chance to tell their side of the story. However, instead of an official statement or a chance to speak to a company spokesperson, he instead was contacted by Keepnet’s lawyers, who threatened him with legal action if he didn’t edit his article and remove the company’s name. 

This heavy-handed reaction was only one of several failings on the part of Keepnet in managing the fallout of the incident. It took almost three months for the company to release an official statement to set the record straight, and they refused to work with reporters and bloggers like Cluley to provide accurate facts. Though the security incident itself may tarnish Keepnet’s reputation, their poor handling of the aftermath is likely to cause far more damage.


Microsoft Exchange (2021)

The Attack

The attack was first disclosed on March 2, 2021, when Microsoft published fixes for four zero-day vulnerabilities in on-premises Microsoft Exchange Server that were already being actively exploited. Over the following days an estimated 30,000 US organizations were compromised through these vulnerabilities, which let attackers read mailboxes and install web shells that gave them ongoing administrative access to the victims’ servers.

On the day the vulnerabilities were disclosed, Microsoft attributed the exploitation to a previously unidentified Chinese hacking group it dubbed Hafnium. According to the Microsoft Threat Intelligence Center (MSTIC), the group is assessed to be state-sponsored and based in China, primarily targets organizations in the United States, and runs its operations largely from leased virtual private servers (VPSs) located in the US, which helps its traffic blend in.

The actual purpose of the attack is more nuanced. According to Gartner analyst Peter Firstbrook, the attackers are really looking to test the defences of organizations and discover which organizations are lagging behind security-wise. Most organizations that use Microsoft Exchange have moved away from on-premises servers to Exchange Online, which means organizations still running on-premises servers are likely to be late adopters or less security conscious, making them excellent targets.

It has also been speculated that the attacker’s real endgame is not the on-premises servers they are currently targeting but more of a fact-finding mission to help them set up future attacks on high-value targets with connections to those servers. This may include using these email servers to impersonate trusted individuals and use those email accounts to send phishing emails to sensitive targets such as the Defense Department. Much like the SolarWinds attack, the companies currently being attacked may not be the actual target.


Microsoft’s Response

Microsoft released security updates for Exchange Server 2013, 2016, and 2019 addressing the vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), plus a defense-in-depth update for the out-of-support Exchange Server 2010. Patching closes the door but does not evict an attacker who already walked through it: any server that was reachable before the update went on must also be checked for web shells and other signs of compromise.
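Microsoft's guidance for that check gave administrators two concrete indicators: in the Exchange HttpProxy logs, a request with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/* is the server-side fingerprint of the CVE-2021-26855 server-side request forgery, and .aspx files dropped under inetpub\wwwroot\aspnet_client are a common web-shell location. The following added example (not Microsoft's script) reproduces those two checks in Python over a constructed log excerpt and directory listing; real HttpProxy logs carry more columns and a '#Fields:' preamble, and the hostnames and IP addresses here are placeholders.

```python
"""Hunt for ProxyLogon (CVE-2021-26855) exploitation in Exchange HttpProxy logs.

Added example, not Microsoft's script. The log excerpt and file paths are
constructed; real HttpProxy logs carry more columns and a '#Fields:' preamble.
"""
import csv
import fnmatch
import io
from collections import Counter
from typing import Iterable

# Constructed excerpt: two rows carry the SSRF indicator, the rest are ordinary traffic.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-01T02:10:11.123Z,r1,203.0.113.10,/owa/auth/x.js,,ServerInfo~a]@mail.example.test:444/ecp/y.js,200
2021-03-01T02:10:12.456Z,r2,198.51.100.7,/owa/,CORP\\alice,Sid~S-1-5-21-1-2-3-1001,200
2021-03-01T02:10:13.789Z,r3,203.0.113.10,/ecp/default.flt,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject,200
2021-03-01T02:10:14.000Z,r4,198.51.100.8,/mapi/emsmdb/,CORP\\bob,Sid~S-1-5-21-1-2-3-1002,200
2021-03-01T02:10:15.000Z,r5,198.51.100.9,/owa/auth/logon.aspx,,,200
"""

# Constructed directory listing for the web-shell check.
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\WebUIValidation.js",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
]


def parse_httpproxy_log(text: str) -> list[dict[str, str]]:
    """Parse one HttpProxy log: '#' preamble lines are skipped, first data line is the header."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def find_proxylogon_hits(text: str) -> list[dict[str, str]]:
    """Rows where an anonymous client got the server to proxy a request on its behalf."""
    hits = []
    for row in parse_httpproxy_log(text):
        unauthenticated = row.get("AuthenticatedUser", "") == ""
        anchor = row.get("AnchorMailbox", "")
        if unauthenticated and fnmatch.fnmatchcase(anchor, "ServerInfo~*/*"):
            hits.append(row)
    return hits


def hits_by_source(hits: Iterable[dict[str, str]]) -> dict[str, int]:
    """Count hits per client IP: the pivot into firewall logs and later web-shell activity."""
    return dict(Counter(h["ClientIpAddress"] for h in hits))


WEBSHELL_DROP_DIR = "inetpub/wwwroot/aspnet_client/"


def suspicious_aspx(paths: Iterable[str]) -> list[str]:
    """Flag .aspx files under aspnet_client, which normally holds no ASP.NET pages.

    owa\\auth and ecp were also used as drop locations, but they legitimately contain
    .aspx files, so those need an allow-list or creation-time check, not this rule."""
    flagged = []
    for path in paths:
        norm = path.replace("\\", "/").lower()
        if norm.endswith(".aspx") and WEBSHELL_DROP_DIR in norm:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    hits = find_proxylogon_hits(SAMPLE_HTTPPROXY_LOG)
    for h in hits:
        print("SSRF indicator:", h["DateTime"], h["ClientIpAddress"], h["AnchorMailbox"])
    print("hits by source:", hits_by_source(hits))
    print("suspicious .aspx:", suspicious_aspx(SAMPLE_PATHS))
```

On a real server, feed every *.log file under the Exchange installation's Logging\HttpProxy directory through find_proxylogon_hits and walk the inetpub tree for suspicious_aspx; a single SSRF hit from an address that later shows up requesting a newly created .aspx page is the sequence to look for.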

Microsoft has also gone out of their way to try and get everyone to pay attention to this attack, particularly since impacted individuals and organizations may be relying on IT generalists (instead of specialized admins) and may not understand what this attack could really mean. If impacted organizations don’t take action, it could have widespread and devastating consequences for the sensitive companies and organizations (such as the Defense Department) that they do business with. Should someone at the Defense Department or another government body fall for a phishing scam perpetrated using these compromised servers, it could compromise US national security. 

An unfortunate truth about the modern security landscape is that it is no longer a question of if your organization will be targeted but when. Security incidents such as the ones listed above can have widespread consequences for the organizations that have been targeted, as well as the organizations and individuals that do business with them. 

The best thing you can do to safeguard your organization and its digital assets is cultivate a robust yet flexible cybersecurity posture, which starts with an incident response plan.

For more information about cybersecurity, or to get started shoring up your defences, please contact our team today.

Additional Reading

Knowledge is Power: Our Cybersecurity Predictions for 2021
