Worst Data Breaches of 2018
2018 Gave Us Plenty of Hacker News and More Concerns About the Security of Our Personal and Financial Data
A major breach of consumer data (your information!) and other troublesome and massive hack attacks are nothing new—and it’s sad we’re getting used to data breach stories.
But 2018 saw a surge in reported breach incidents affecting ordinary people through companies we associate with. It seemed like every week a new company notified its customers that their data may have been compromised.
By the end of the year, billions of people around the world either had their sensitive information stolen or exposed—we’re talking about everyday, normal people who one day decided to eat lunch at Panera, connect through social media or use a fitness app to track their calories.
And it cost them.
Let’s look back at seven data breaches that made hacker news in 2018 and explore what they could mean for cybersecurity in 2019.
AADHAAR (1.1 billion affected)
India’s government ID database suffered a serious security breach and data leak on a system run by the state-owned utility company Indane. Indane hadn’t secured its API, which gave anyone access to Aadhaar information: a 12-digit unique identifier assigned to every Indian citizen.
In January, reporters with the Tribune News Service paid 500 rupees ($7 USD) for login credentials to a service offered by anonymous sellers over WhatsApp. Using the service, the reporters could enter any Aadhaar number and retrieve information stored by UIDAI (Unique Identification Authority of India) including name, address, photo, phone number, email address and information on connected services, such as bank accounts. An additional payment of 300 rupees ($4 USD) gives access to software to print an ID card for any Aadhaar number.
MARRIOTT STARWOOD HOTELS (500 million affected)
On November 30th, Marriott revealed its Starwood division’s guest reservation database suffered a massive breach affecting the records of up to 500 million customers. The stolen data included names, addresses, email addresses, phone numbers, passport numbers, gender, payment information, etc. In an update on January 4th, 2019, Marriott said that the cyberattack was smaller; they said the breach affected 5.25 million passports.
According to Ian Thornton Trump, head of cyber security at Amtrust International, the breach was not just about Marriott failing to secure their data but “it’s a failure of governments to insist identity documents are treated with the same requirements as credit card data.”
EXACTIS (340 million affected)
Security researcher Vinny Troia discovered in June 2018 that Exactis, a marketing and data aggregation firm based in Florida, left a database of 340 million individual records of Americans and businesses exposed on a publicly accessible server. Although it’s unclear whether any hackers accessed the information, the incident exposed affected consumers’ personal information, email addresses, physical addresses, phone numbers, and in some cases, extremely sensitive details like the names and genders of their children.
FACEBOOK (50-120 million affected)
Because of Facebook’s global profile, this made major headlines worldwide. Facebook reported three major security breaches (that we know of). In March 2018, it was reported that political data firm Cambridge Analytica collected the personal information of 87 million users via an app that scraped details about people’s personalities, social networks, and engagement on the platform. Then on June 27, security researcher Inti De Ceukelaire disclosed that another app on Facebook, Nametests.com, had publicly exposed information of more than 120 million users. And finally, on September 28, Facebook announced that hackers exploited a critical vulnerability in its “View As” feature and the culprits, who remain unidentified, stole access tokens of 50 million users and highly sensitive personal data including names, email addresses, date of birth, phone numbers, device types, location, searches, contact details, people and pages you follow, education and relationship status.
Joan Pepin, Chief Information Security Officer at Auth0 (an authentication service for apps) was quoted as saying, “The latest hack combined several features in concert, which QA (quality assurance) never thought to test. It was a failure of imagination and an outcome of the incredible complexity of their product.”
GOOGLE+ (52.5 million affected)
In October, a Wall Street Journal report revealed that between 2015 and March 2018, a bug present in the API for the consumer version of Google+ allowed 3rd party developers to access not just the personal data of over 500,000 users, but also of their contacts and friends. Then in December, Google revealed it had experienced a second data breach that affected 52.5 million consumer and enterprise customers. The search engine giant now plans to shut down Google+ for good in April 2019.
PANERA BREAD (37 million affected)
Security researcher Dylan Houlihan reported to Panera Bread back in August 2017 that a weakness in Panerabread.com resulted in leaking customers’ records in plaintext—data that could then be scraped and indexed using automated tools. Panera Bread dismissed Houlihan’s reports, but the security researcher continued to monitor the website for eight months. It wasn’t until Houlihan reached out to security journalist Brian Krebs, and the latter published the details on his blog in April 2018, that Panera took its website offline temporarily. The company then tried to downplay the severity of the breach, saying fewer than 10,000 customers had been affected.
BRITISH AIRWAYS (380,000 affected)
In September, British Airways informed its customers that information from around 380,000 booking transactions had been stolen, including bank card numbers, expiration dates—and CVV Codes. What’s that? It’s the “Card Verification Value” three-digit number on the back of your credit cards and debit cards. It’s there for security purposes to help prevent fraud!
A Russian hacking group associated with Magecart—a cyber-theft movement—was selling the details on the dark web for around $10 a card, and the hack is believed to have netted the cyber-thieves $12M.
That’s not all.
Other notable breach events in 2018 included MyFitnessPal, Uber, T-Mobile, Cathay Pacific, Ticketfly, Sacramento Bee, TimeHop, Saks, Lord & Taylor, Orbitz, San Diego Unified School District, Quora, Adidas, SingHealth, Coincheck, MyHeritage and Ticketmaster.
Cybersecurity in 2019
What can you take away from this unsettling news?
Data is money!
More to the point, YOUR data is worth something to crooks. Your personal information, taken in aggregate with thousands and millions of others like you, has tremendous value to cyber thieves.
More than that, “malicious actors”—bad people intent on doing damage—will do a lot to get their hands on your data.
Therefore, don’t take it lightly when an app, website or social networking site asks you to “Allow” them to access your profile, phone, contacts, etc. If we learned anything in 2018, it’s that even the biggest companies are incapable of doing, or unwilling to do, all that they can to protect your data.
That’s why it is more important than ever to stay educated on data privacy and to be aware of what kind of information you are putting out.
Breach stories are a part of the cyber landscape these days. It’s up to us to protect our own data as best we can.