The 5 biggest data hacks of 2019

Hackers have accessed over 7.9 billion consumer records so far this year, with experts predicting that over 8.5 billion accounts will be exposed by the end of the year.

The majority of the over 5,000 data hacks this year Risk Based Security has tracked so far consisted of only a few million accounts. Yet there were a few mega hacks that involved hundreds of millions.

The Identity Theft Resource Center provided CNBC Make It with a ranking of the biggest data breaches announced in 2019, based on the number of accounts compromised. ITRC ranked only breaches that it could confirm the number of records affected. Several companies, such as 7-Eleven, WhatsApp and Fortnite, reported security flaws that could have exposed millions of customers' data, but the extent of the accessed data was not reported.

Here's a look at the biggest data breaches of 2019, as well as tips on how to protect your accounts.

5. Quest Diagnostics

Number of records hacked: 11.9 million

In early June, lab-testing company Quest Diagnostics announced that it found a data breach affecting its billing and collections vendor, the American Medical Collection Agency. The breach exposed the medical, financial and personal information of about 11.9 million customers over the course of eight months. That included credit card numbers, bank account information, medical information and Social Security numbers.

The AMCA hack also affected LabCorp, which said personal and financial data on 7.7 million of its consumers was also exposed. Just weeks after the breaches were announced, AMCA filed for bankruptcy, citing "enormous expenses" the company racked up notifying customers of the breach and the fact that several of its biggest customers decamped. LabCorp and Quest Diagnostics both dropped AMCA after they learned of the breach, as well as Conduent and CareCentrix.

4. Houzz

Number of records hacked: 48.9 million

Home design website Houzz kicked off the year by informing customers hackers had accessed usernames and encrypted passwords, as well as publicly visible profile information. The company's FAQ on the breach was vague, but ITRC reports 48,881,308 accounts were affected. No financial information was taken, Houzz said, adding that it became aware of the breach in December 2018.

3. Capital One

Number of records hacked: 100 million

Capital One announced a massive data breach in late July, reporting that a hacker accessed the information of over 100 million Americans and 6 million Canadians who have applied for credit cards since 2005.

The company says the applications the hacker accessed were from 2005 through early 2019 and contained consumers' personal information including names, addresses, zip codes, email addresses, phone numbers and dates of birth. Bank numbers and Social Security numbers were compromised for roughly 140,0000 U.S. credit card customers and about 80,000 secured credit card customers who had their linked bank account numbers accessed.

Unlike other major hacks, the data accessed during the Capital One breach included sensitive data, such as Social Security numbers.

2. Dubsmash

Number of records hacked: 161.5 million

In February, video messaging app Dubsmash announced that hackers nabbed nearly 162 million users' account holder names, email addresses and hashed passwords. Hashed passwords are encrypted, so they must be cracked before they can be used.

The breach actually occurred in December 2018, but cyber thieves posted that the data was for sale on the dark web in February. It was part of a data dump that included over 600 million accounts from 16 hacked websites.

1. Zynga

Number of records hacked: 218 million

Mobile game producer Zynga announced in October that a hacker had accessed account log-in information on Sept. 12 for customers who play the popular "Draw Something" and "Words with Friends" games.

In addition to the log-in credentials, the hacker accessed usernames, email addresses, log-in IDs, some Facebook IDs, some phone numbers and Zynga account IDs of about 218 million customers who installed iOS and Android versions of the games before Sept. 2, 2019.

How to protect your data

While the hacks listed above are the biggest ITRC verified, there were a number of smaller data breaches that made headlines from major companies such as DoorDash, Evite and Georgia Tech, as well as government agencies such as the Federal Emergency Management Agency (FEMA).

Consumers need to be vigilant about suspicious activity regardless of whether they were impacted by a recent data breach. "The best an individual can do is keep an eye open for scammers contacting them," says independent computer security analyst Graham Cluley.

In addition to being alert, here are several other steps you can take to protect yourself.

1. Check to see if your accounts are involved

Even if you weren't involved in the five biggest data breaches, it's worth checking to see if your information has been compromised in other hacks. The website Have I Been Pwned? has a comprehensive look-up.

The average consumer has been involved in six data breaches, says Larry Ponemon, founder of the data protection and security think tank Ponemon Institute. "Most people don't realize they've become a victim of a data breach," he tells CNBC Make It.

2. Reset your password

Good password hygiene is important, Ponemon says. "The basic blocking and tackling issues, like changing your password, using a complex password — those things do work," he says. If you haven't updated or reset your passwords recently, or if you're using a common, easy-to-hack option, make changing it a priority on your end of the year to-do list.

If you use Google Chrome, the company recently installed an update that makes it easier to reset passwords. The browser now automatically tells you if a password may have been compromised and prompts users to reset it.

For a more long-term solution, consider getting a password manager like Dashlane (free limited version, unlimited password plan is $4.99 a month). These programs will automatically generate unique, secure passwords for all your accounts and remember them for you.

3. Set up credit monitoring

While many of the biggest hacks in 2019 didn't involve full payment data, you may want to set up credit monitoring if you don't already have it in place. You can set up a free monitoring service through sites like Credit Karma or Credit Sesame, which will send you alert emails about any recent activity on your TransUnion or Equifax credit reports.

4. Freeze your credit

If you want to freeze your credit reports and haven't already done so during a previous data breach, you need to contact the three major credit bureaus, Equifax, Experian and TransUnion, separately. Keep in mind that you will need to unfreeze your credit (it's free) if you're applying for any credit products in the future, such as a personal loan, credit card or mortgage.

A credit freeze will stop anyone from taking out a credit card or loan in your name, but it's not a complete solution. A credit freeze doesn't do much for identity theft that is not related to opening up a credit account, such as health care or insurance fraud.

5. Track your response

Last year, there were 1,244 data breaches reported, according to the Identity Theft Resource Center. Each one of those hacks could lead to class-action lawsuits and investigations by regulators, like in the case of Equifax. While not all data breaches will result in a settlement, it's good to be prepared.

Because of that, it's important for consumers to take breach notifications seriously and document what they do in response, Charity Lacey, VP of communications at the ITRC, tells CNBC Make It. The Identity Theft Center's ID Theft Help app has a case log manager tool that can help you track any actions you take in response to a breach.

Like this story? Subscribe to CNBC Make It on YouTube!

Don't miss: Here's everything a cyber criminal can do if they steal your credit card

Source: Read Full Article