2019’s Biggest Internal Breaches


On March 22nd of this past year, a lone hacker broke through a misconfigured web application firewall to access personal data on over 100 million Capital One Bank customers.

Then in September, another lone hacker breached the internal databases at Zynga–one of the world’s biggest mobile game developers–eventually leaking account data on over 170 million users around the world.

Even if these were the only two cyber attacks that occurred in 2019, we’d probably still say that 270 million victims are too many. Of course, these were merely two in a deluge of corporate data breaches that occurred within a period of just 365 days. There was the WhatsApp hack,

Rather than attempt the challenging task of addressing, or even listing out all the important, publicly-known breaches of 2019, this article will focus on internal breaches: those caused by human error, simple mistakes courtesy of an employee or contractor.

Here are some of the biggest internal breaches that occurred in the past calendar year…

1. Quest Diagnostics

Quest Diagnostics is a laboratory testing company. They were hacked not directly, but through a company which handles their bill collections: the American Medical Collection Agency (AMCA). Other AMCA partners were affected, as well.

The single most remarkable fact in the Quest/AMCA hack was not how it occurred, but how long it occurred for. AMCA disclosed that its unauthorized actor had access to their systems beginning in August of 2018, through March of 2019. That means it took eight full months for the problem to be identified and addressed. In that time, the personal information–including social security numbers, credit card numbers and health records–of nearly 12 million people were exposed.

AMCA lost three of its other largest clients as a result of the breach, and subsequently filed for bankruptcy.

2. U.S. Customs and Border Patrol

If you’re a lone hacker, it’s a tall task to successfully breach a U.S. government entity. That’s especially true when that government entity is a security force, like U.S. CBP.

The individual who goes by the pseudonym “Boris the Bullet Dodger” would have known this when, last Spring, he targeted not CBP itself, but a provider of CBP tech.

Perceptics provides license plate readers to border patrols. Though their tech can be found across the U.S.-Mexico and U.S.-Canada borders, the company itself fits in a single building in Farragut, Tennessee. The smaller fish proved easy to catch, as Boris used Perceptics to access 400 gigabytes of CBP data, which he then leaked to the dark web.

For more on the Perceptics incident, see our article: Data breach at the border. Are your subcontractors an easy target?

3. First American Financial Corp.

First American is a real estate title insurance company. It’s not an obvious target for a hack. In fact, back in May, when hundreds of millions of internal documents–fifteen years worth of data–found its way onto the open internet, it was not the result of a hack. The company accidentally leaked the data, all on their own.

Included was everything Americans divulge in order to close a real estate deal–drivers license pictures, bank account information, social security numbers, mortgage, tax and other legal documents.

To reiterate: this was all left on the open internet, not the darknet. This meant that anybody with a web browser and knowledge of where to look could’ve found all such records with ease.

4. Palo Alto

Like Quest and CBP, Palo Alto Networks is a large, successful company that suffered from its own success. Among the many companies Palo Alto does business with, one leaked the personal information of seven of its current and past employees. The damage, ultimately, was miniscule compared with Quest and CBP. It was, mostly, a PR embarrassment, not least because it took a whistleblower employee to leak the story in the first place.

For more on the Palo Alto breach, check out: In Cybersecurity, is Bigger Better?

5. Unidentified Chinese Classifieds Company

Back in January Bob Diachenko, a cyber threat intelligence researcher, did to the internet what pirates used to do to abandoned tropical islands. After some focused digging, he came across a large MongoDB database left wide open on the web. It contained over 200 million records on, of all things, Chinese job seekers. Included was not just the usual personally identifying information one tends to find in leaked datasets, but also work experience, skills, even political leanings.

BJ.58.com, a Chinese classifieds company, may have appeared the obvious culprit. In response to the discovery, however, BJ.58’s security team claimed that the leak was not theirs. It was, rather, a third-party company that scrapes data from many different job-seeking sites.