The top 10 data breaches of 2018

Bo Szalacsi
Published in infoNation
9 min read · Dec 13, 2018

More than 2.5 billion people were affected in the most significant year for personal data abuse ever

Don’t you think for a moment that your data is safe with the companies you entrust with it

In 2018 global companies seem to have been plagued by data breaches on a weekly basis, and no sector has escaped. Governments, airlines, hotel chains, healthcare providers and social media networks were all targeted, and the number of people affected worldwide runs into the billions. The vulnerability of our personal data doesn’t seem to be improving; in fact it appears to be spinning out of control. Yesterday’s “Big Data” is today’s not-so-big data, and the amount of personal data stored by corporations is mind-boggling. While it is now practically impossible for anyone to live off the grid and avoid handing over personal data for even the most basic everyday needs, in 2018 our data seems to be less secure than ever before.

So what can you and your organisation do to protect data and customer confidence? Why not take advantage of our Christmas promotion and sign up for data security courses with the Southampton Data Science Academy? The SDSA, part of the Web Science Institute at the University of Southampton, a leader in the fields of web and data science, offers several online courses in the area of data security. Both non-technical and technical data security courses are open for sign-up for 2019; follow this link to enrol.

With only weeks to go until the new year, here are some of the data breaches with the biggest impact in 2018 so far.

1. Aadhaar

Client accounts affected: 1.1 billion (1 in 7 people on the planet!)

Date disclosed: 3rd January 2018

Launched 9 years ago, Aadhaar is a 12-digit unique identity number that can be obtained by citizens of India. As of early this year, over 1.1 billion citizens had applied for this ID number, and the service was declared absolutely safe and effective by the UIDAI (Unique Identification Authority of India). A mere two months after this ambitious statement, reporters of the Tribune News Service, following a lead, were able to connect with an anonymous seller on WhatsApp who offered login credentials to UIDAI’s system for a mere 500 rupees (about 5 GBP or 7 USD).

Using this login, within 10 minutes of the transaction, reporters were able to look up any of the 1.1 billion Aadhaar numbers and retrieve the holder’s name, address, photo, phone number and e-mail address. Worse still, for an additional 300 rupees, sellers were offering software to print an ID card for any Aadhaar number, complete with photo and personal data. It is practically impossible to estimate how many buyers with the shadiest of intentions took advantage of this hot deal before the newspaper exposed it.

Needless to say, the trust in Aadhaar took a major hit. A few months later the Supreme Court of India ruled that the government and private companies (including mobile phone providers and banks) can no longer require individuals to provide an Aadhaar number for services.

2. Marriott

Client accounts affected: 500 million

Date disclosed: 30th November 2018

Marriott Hotels, which through a recent acquisition now owns the Starwood Hotels chain (whose brands include Sheraton, St. Regis, Westin and W Hotels, amongst others), recently announced that its reservation system had been hacked in a breach that dates all the way back to 2014. In this day and age, when it is practically impossible to get a hotel reservation without providing credit card details and personal data, nearly half a billion travellers who stayed at the world’s biggest hotel chain’s properties in the past four years were left exposed. The compromised data included names, telephone numbers, e-mail addresses, physical addresses and often passport numbers as well. CNN called it “the second biggest corporate data breach in history, behind one involving Yahoo”, referring to the gigantic Yahoo breach of 2013. As this is a developing story, we can’t yet be sure who was behind the hack or how users were affected, but it certainly raises questions about companies that demand data in exchange for services yet are unable to safeguard their databases and protect their clients.

3. Exactis

Client accounts affected: 340 million

Date disclosed: 26th June 2018

Security researcher Vinny Troia discovered this past summer that he was able to access the data of 340 million people and organisations, left carelessly on an open, publicly accessible server by Florida-based Exactis, a marketing and data aggregation firm. Exactis might not be a household name, but the compromised database was nearly 2 terabytes in size and, as Troia told Wired Magazine, “it seems like this is a database with pretty much every US citizen in it.”

Consumer information left out in the open included individuals’ names, addresses, e-mail addresses and telephone numbers, and even extremely sensitive personal information such as personal interests, hobbies, and the names and genders of children. While Exactis boasts that “Data is the fuel that powers Exactis,” it seems the company was unable to keep its biggest asset safe.

4. Facebook

Client accounts affected: a total of 257 million in 3 separate incidents

2018 was the year in which users of the most widely used social media network had to realise, again and again, that the personal information they so freely and willingly shared for entertainment and social purposes was in unsafe hands. Facebook, a company that can boast 2 billion active users, was targeted several times this year, and the events put a significant dent in the media giant’s popularity.

Client accounts affected: 87 million

Date disclosed: 17th March 2018

In March of this year Facebook users were faced with the fact that their data had been harvested and misused by Cambridge Analytica, a data analytics firm with strong ties to the 2016 American presidential election and also to the Brexit campaign. Working in collaboration with Donald Trump’s team, Cambridge Analytica had been collecting Facebook users’ personal information for years and used that information to target individuals with political advertising, ultimately influencing the US election.

Client accounts affected: 120 million

Date disclosed: 27th June 2018

Just months after the Cambridge Analytica data leak, Facebook was in the spotlight again with yet another scandal in the middle of last summer. A personality test app dubbed “NameTests” passed on the information it gathered from its users (name, photograph, date of birth, statuses, friend list) to third parties, and did so unnoticed for two whole years. Even if a user deleted the app, it continued to leak their data without their knowledge.

Client accounts affected: 50 million

Date disclosed: 25th September 2018

At the end of September almost 100 million Facebook users found themselves suddenly logged out of their accounts. The reason: another security breach at the world’s most popular social media network. 50 million accounts were affected, and a further approximately 40 million were reset as a precautionary measure. The security flaw was in Facebook’s popular “View As” feature, and intruders were able to steal users’ “access tokens” (the digital keys that keep a user logged in), which allowed them to take over accounts.

5. Under Armour

Client accounts affected: 150 million

Date disclosed: 29th March, 2018

MyFitnessPal is Under Armour’s popular lifestyle and fitness tracking app, which allows users to record intimate details of their daily regimes. Details tracked in the application include food consumed, steps taken, exercises completed, body measurements and blood sugar levels. Users can also link the app to their social media accounts. This past spring hackers were able to access 150 million MyFitnessPal accounts, and the data breach exposed usernames, e-mail addresses and hashed passwords. Although Under Armour states that none of the users’ financial data was compromised, and the company does not store identification data such as passport or government ID numbers, the breach drew attention to the vulnerability of our most private lifestyle data. All users were advised to reset their passwords, and Under Armour’s stock promptly went into a dive.

6. Quora

Client accounts affected: 100 million

Date disclosed: 3rd December 2018

A malicious third party broke into the question-and-answer site and social platform Quora, exposing 100 million users’ private messages and account information. The hackers also got hold of details of users’ activity, such as questions, answers, upvotes and downvotes.

Although the breach is unlikely to lead to identity theft, as Quora does not store credit card details or American social security numbers, the sheer size of the hack is an eye-opener. Millions of people have logged into Quora using social media accounts such as Facebook, or through Google, thereby linking their account information. In fact, according to the New York Times, many affected users didn’t even realise that they had a Quora account. The moral of the story: be careful what you sign up for, because after you press that button your data might live a life of its own.

7. MyHeritage

Client accounts affected: 92 million

Date disclosed: 4th June 2018

Personal DNA testing and ancestry tracking has been a hot business in recent years. Celebrities and ordinary individuals alike have jumped on the bandwagon to find out who they really are, where they came from, and whether they are vulnerable to particular illnesses. For the first time since Francis Crick announced that he had discovered the double helix at The Eagle pub in Cambridge, everyday people can now access their genetic information for a relatively small fee from private companies. But can these companies be trusted with knowing our building blocks? They say yes. We say maybe. Nearly 100 million MyHeritage users were shocked to hear that their data had been compromised. A security researcher located an unprotected file on a private server outside the company that contained the e-mail addresses and encrypted passwords of everyone who had signed up over the years. According to a statement on MyHeritage’s blog, information about users’ DNA and family trees was stored safely in a separate system. Although there has been no evidence of the login data being used for anything sinister, no one can prove the opposite either. Basically, the data “made it out of there”, and no one knows exactly why or what happened to it, which is scarier than those dark branches of the family tree.

8. Cathay Pacific

Client accounts affected: 9.4 million

Date disclosed: 24th October 2018

Just weeks after this summer’s BA data breach, another airline, Cathay Pacific, had to come forward and admit that it had been unable to keep its customers’ data safe. Amongst the stolen information were hundreds of thousands of names, passport numbers, Hong Kong identity card numbers, and credit card numbers for both expired and valid cards. Controversy erupted when it was disclosed that the airline giant might have been aware of the data breach for a full seven months, since March, before it shared the news with the public. Following the revelation, Cathay Pacific’s stock price plunged to a ten-year low, and Reuters reported that Hong Kong’s privacy commissioner had raised the need to launch a compliance investigation into the disclosure of data breaches.

9. SingHealth

Client accounts affected: 1.5 million

Date disclosed: 4th July 2018

In an unprecedented cyber attack against Singapore’s leading healthcare provider, the personal records of one and a half million Singaporeans were stolen. SingHealth’s system had been left vulnerable by multiple security inadequacies, and 160,000 people also had their records of outpatient dispensed medicines exposed.

Amongst the victims were several high-profile politicians from different ministries, including the prime minister, Lee Hsien Loong. The prime minister’s records appear to have been “specifically and repeatedly targeted”, according to a joint statement by the ministries.

10. British Airways

Client accounts affected: 380,000

Date disclosed: 6th September 2018

British Airways, one of the most high-profile companies in the United Kingdom, was left red-faced this September when it was forced to apologise for leaving its customers vulnerable to a “sophisticated, malicious criminal attack”. Between 22:58 BST on 21 August and 21:45 BST on 5 September, hundreds of thousands of sets of personal and financial details were stolen from customers making or changing bookings through the airline. Under the new EU data protection rules (GDPR), BA might face fines of up to 4% of its annual global revenue, which was £12.226 billion for 2017, for leaving its customers vulnerable.

We highlighted these 10 data breaches based on the number of people they affected. Understanding the full impact of these breaches on people’s lives will take a lot more time, and sadly the incidents above are just the tip of the iceberg. Even a small data breach can cripple or destroy a flourishing enterprise or reputation. It is clear that all organisations, regardless of their size or industry, need to do much more to protect personally identifiable information. Data breaches don’t just cause an immediate loss of stock value and a hit to business and profits; they also undermine long-term confidence in brands. When customers and clients are reluctant to share their data with firms, both sides take a hit.

Bogi Szalacsi is a Senior Associate with infoNation, based in London. You can contact her at bogi@infonation.io.
