All the Ways Your Data was Stolen in 2018
2018 wasn’t a great year for Web2 companies. What happens when we’re forced to trust intermediaries with our information? Let me count the ways.
I promise you, your information is out there.
I promise you, you don’t know where it is.
I promise you, you cannot get it back.
Yet.
Aadhaar
January, 2018. 1.1 billion records compromised.
Aadhaar is an Indian government agency providing 12-digit unique identifiers to every Indian citizen. Journalists discovered they could pay 500 rupees to an anonymous WhatsApp user and enter any Aadhaar number to access name, address, photos, email addresses, and phone number. 1.1 billion Indian citizens were vulnerable.
FedEx
February 2018. 119k records compromised.
An unsecured AWS cloud server exposed the drivers’ licenses, names, home addresses, and phone numbers of over 100,000 FedEx customers.
Rail Europe
November 2017 — February 2018. Unknown number affected.
A three-month data breach of Rail Europe gave attackers the credit and debit card numbers, verification codes, and expiration dates of some customers who booked during that time.
Hudson's Bay
March, 2018. 5 million records compromised.
In late March 2018, Hudson's Bay — owner of Saks Fifth Avenue and Lord & Taylor — disclosed that five million records were accessed by outside attackers, including customers’ credit and debit card information.
Under Armour / MyFitnessPal
May, 2018. 150 million records compromised.
In May, Under Armour revealed that attackers had accessed the records of 150 million users of MyFitnessPal, including usernames, email addresses, and hashed passwords.
PumpUp
May, 2018. 6 million records compromised.
In May, PumpUp — a health and fitness app — revealed that six million records had been retrieved in a hack. Users’ health information, photos, private messages, and credit card data were accessed.
Sacramento Bee
June, 2018. 19 million records compromised.
In June, the California-based local newspaper The Sacramento Bee revealed an attacker seized two databases. Between the databases, the attacker accessed the personal voter information of over 19 million California residents.
TicketFly
June, 2018. 27 million records compromised.
In early June, an attacker warned TicketFly of a weakness and demanded a ransom. TicketFly refused, and the attacker seized employee and customer information, including names, addresses, emails, and phone numbers.
MyHeritage
June, 2018. 92 million records compromised.
In June, a vulnerability in the MyHeritage site exposed the email addresses of anyone who signed up prior to October 26, 2017. Luckily, no ancestry or DNA information was compromised.
SingHealth
July 2018. 1.5 million records compromised.
Over three years, 1.5 million patients who visited SingHealth centers in Singapore, including the Prime Minister, had their personal information left vulnerable and/or stolen.
T-Mobile
August 2018. 2 million records compromised.
An exposed API on the T-Mobile website revealed the full name, address, billing account information, and occasionally tax ID number of roughly 2 million customers.
Facebook
September, 2018. 50 million records compromised.
In September, Facebook reported that hackers had accessed information from at least 50 million user accounts, possibly more. Specifically, the access tokens of users had been stolen.
British Airways
August — September, 2018. 380k records compromised.
In September, British Airways reported its servers were vulnerable to outside attackers for two weeks between August and September. During that time frame, names, email addresses, and credit card information were stolen from anyone who made or changed bookings online.
Marriott International
September 2018. 500 million records compromised.
Between 2014 and September 2018, attackers had unauthorized access to the Marriott Starwood database. For hundreds of millions of the records compromised, the information includes names, addresses, phone numbers, email addresses, birth dates, gender, and/or reservation dates.
Quora
December 2018. 100 million records compromised.
An unknown hacker retrieved the usernames, email addresses, and hashed passwords of 100 million Quora users.
This is the reality of the Internet today. The security of our information is not a priority for Web2 companies. We are dependent on these intermediaries and susceptible to their shortcomings. We need to control our own information, and teams around the world are working on blockchain-based solutions to empower us with a brighter data future.
In the face of market hype, price fluctuations, dapp doubt, and information overload, we should not forget that the future of our security relies on solutions such as blockchain. The picture is bigger than crypto market caps and non-fungible game tokens. We are building to ensure the future of our own security.
Disclaimer: The views expressed by the authors and contributors above do not necessarily represent the views of Consensys AG. ConsenSys is a decentralized community with ConsenSys Media being a platform for members to freely express their diverse ideas and perspectives. To learn more about ConsenSys and Ethereum, please visit our website.