Biggest Data Breaches of 2020 – and What Developers Should Learn From Them

From the massive SolarWinds supply chain hack to the stealthy infiltration of Twitter‘s admin tools, 2020 was a brutal year for data breaches and cybersecurity incidents. By every metric, the volume and severity of successful attacks shattered previous records:

• 3,932 publicly reported data breaches, a 48% increase compared to 2019 (Risk Based Security)
• 37 billion records exposed, a 141% increase from 2019 and by far the most records compromised in a single year (Risk Based Security)
• Healthcare was the most targeted industry, with 484 breaches (Bitglass)
• Average total cost of a data breach reached $3.86 million (IBM)
• Personally identifiable information (PII) was the most frequently compromised data type, exposed in 80% of breaches (Identity Theft Resource Center)

Despite these grim statistics, there are vital lessons that software developers can take away from 2020‘s largest data breaches to evolve security practices and combat the rising threat tide. Let‘s dive into four of the year‘s most impactful security incidents and the key insights developers should internalize.

MGM Resorts Exposes 142 Million Guest Records

In February 2020, hotel and casino conglomerate MGM Resorts revealed that a data breach sometime in 2019 had leaked personal details of over 10.6 million guests. But a few months later in July, a dark web listing claimed to be selling a database of 142 million MGM guest records from the incident, a staggering increase in scale.

The hackers allegedly gained access by compromising a third-party cybersecurity vendor that MGM had relied on. This massive trove of sensitive customer data is treasure trove for criminals looking to launch large-scale social engineering scams, phishing attacks, and identity theft schemes.

Key lessons for developers

1. Encrypt sensitive database fields by default. Any personally identifiable information (PII) or confidential data should be encrypted at rest as a baseline best practice.
2. Adopt a zero trust mindset for third-party services. Carefully scrutinize and limit the level of data access and visibility granted to external vendors and partners. Continuously monitor their activity for anomalies.
3. Collect and store only the minimum necessary sensitive data. Inventory databases to classify sensitive information assets and purge any non-essential data to reduce breach impact. Apply data retention policies to delete data once it‘s no longer needed.

Nintendo‘s Legacy Login Flaw Enables Player Account Hijacking

During the COVID-19 pandemic lockdowns, Nintendo‘s Switch console experienced a major surge in popularity – but with that came increased attacker interest. In April, Nintendo disclosed that a legacy authentication flaw had enabled hackers to compromise up to 300,000 player accounts, complete with linked payment details.

The issue traced back to Nintendo‘s continued support for a deprecated, less secure login system from the earlier Wii U and 3DS consoles. Exacerbating the flaw, Switch players could link their legacy Nintendo Network ID (NNID) to their current account and keep using the outdated authentication method.

Key lessons for developers

1. Deprecate legacy authentication schemes as soon as possible. When more secure authentication methods like multi-factor authentication (MFA) become available, update software to make them mandatory for all users within a reasonable timeframe.
2. Resist the temptation to sacrifice security for backwards compatibility. Accommodating users clinging to less secure legacy sign-in options isn‘t worth the breach risk. Sometimes unpopular but necessary security improvements have to be forced.
3. Guide users through authentication upgrades. Provide clear communication and simple step-by-step instructions to ease the transition to newer and more secure login mechanisms. Most users will appreciate the extra protection.

SolarWinds Supply Chain Hack Breaches 18,000 Organizations

In December, IT management software maker SolarWinds disclosed that a likely Russian state-sponsored threat actor had carried out what many consider the worst hack in history. The attackers infiltrated SolarWinds‘ software build process and planted malware into updates for their Orion IT monitoring tool.

Those trojanized updates propagated to an estimated 18,000 SolarWinds customers, including prominent targets like Microsoft, Cisco, Intel, and nearly every US government agency. Infected organizations are still investigating the full damage as the stealthy backdoor enabled hackers to lurk in their networks for months.

Key lessons for developers

1. Attacks can come from any vector, even trusted sources. Avoid blind trust in any third-party dependency or infrastructure by subjecting everything to rigorous integrity checks and monitoring. Implementing a "zero trust" security model is more critical than ever.
2. Apply DevSecOps principles to harden the software supply chain. Integrate automated security testing and code signing into CI/CD pipelines to enforce security standards. Analyze build processes for weaknesses a malicious insider or hacker could exploit.
3. Have an incident response playbook ready before a breach occurs. Proactively develop a step-by-step plan for investigating, containing, and recovering from a potential breach. Include procedures for secure logging and evidence preservation to aid forensic analysis.

Theft of FireEye Red Team Tools Arms Hackers With Potent Exploits

Hot on the heels of the SolarWinds news, cybersecurity firm FireEye revealed that suspected Russian hackers had broken into their network and stolen proprietary red team tools. These tools replicate real-world attacks to probe client networks for vulnerabilities and are now in the hands of an adversary likely to use them maliciously.

While FireEye said the stolen tools didn‘t contain any "zero-day" exploits, they still provide advanced capabilities for hackers to hide their intrusion activity and complicate investigations. The theft could fuel a new wave of stealthy attacks throughout 2021 if companies don‘t move quickly to shore up defenses.

Key lessons for developers

1. Strengthen operational security for sensitive data and tools. Adopt multi-layered defenses and strict access controls for crown jewels like red team tools, penetration testing exploits, customer data, and intellectual property.
2. Redouble efforts to patch every known vulnerability. Lax patching of older flaws is even more dangerous with battle-tested exploit code floating around. Triage and remediate vulnerabilities based on risk, not just the latest shiny zero-day.
3. Beef up detection capabilities to spot breach attempts faster. Invest in solutions for security information and event management (SIEM), endpoint detection and response (EDR), user and entity behavior analytics (UEBA), and other detection technologies.

Rising to the Challenge With a Developer-Driven Security Revolution

While the deluge of high-profile breaches makes it clear that 2021 will be an even more treacherous year for cybersecurity, there are reasons for hope. Software developers have a central role to play in adapting security practices and shifting to a proactive, adversarial mindset that can help turn the tide against threats.

By internalizing the lessons from 2020‘s major incidents and committing to security as a core requirement, developers can pioneer approaches that make successful breaches far more difficult and costly for attackers:

• Encrypt sensitive data everywhere both at rest and in transit
• Embrace zero trust as the new security model and default posture
• Phase out deprecated legacy authentication schemes and security controls
• Promptly patch known vulnerabilities to eliminate attack surface
• Make multi-factor authentication (MFA) mandatory across the board
• Treat third-party code dependencies as untrusted by default
• Collect, store and grant access to the bare minimum data needed

But beyond these time-tested security hygiene practices, developers should also keep an eye on emerging technologies reshaping the data protection landscape:

• Confidential computing to protect data in use through hardware-based trusted execution environments (TEEs)
• Homomorphic encryption enabling computation on encrypted data without decrypting it
• Secure multi-party computation (MPC) allowing multiple parties to jointly compute on combined data without any individual party seeing the full dataset
• Post-quantum cryptography to develop encryption algorithms resistant to cracking by future quantum computers

The unrelenting pace of major breaches isn‘t inevitable. As the creators and guardians of the software that powers our digital world, developers have outsized power to meaningfully improve its security properties. While perfect security will always remain an elusive ideal, significantly raising the bar is achievable if developers lead the charge in making it a non-negotiable priority.

It won‘t be an easy journey, as sophisticated hackers will continue to exploit the paths of least resistance and the stakes couldn‘t be higher. But by absorbing the painful lessons of 2020 and relentlessly striving to bake security into software from the start, developers can pioneer a proactive and adversarial mindset that makes malicious hackers‘ missions markedly harder. The future of cybersecurity is in developers‘ hands, and now is the time to rise to the occasion.