Looking back on the top 10 Data Security Breaches in 2018

Companies informing their customers that their data may have been compromised and or their personal information affected seem to have been the prevailing state of affairs during 2018. The personal information of millions of people around the world was compromised during these data security breaches. Some of the biggest victims of these breaches include Facebook, MyHeritage, Quora, Google, MyFitnessPal and Exactis. Facebook alone dealt with major breaches and incidents that affected more than 100 million of their users.

Although some of these data security breaches were deliberate attacks, others were simply the result of neglected databases that were lying around the web, unsecure. Data security breaches can occur for a variety of reasons including but not limited to companies being hacked, data being misused or sold to third parties. Furthermore, weaknesses in a website’s security system can leave information unprotected and vulnerable to data security breaches.

So, let’s take a closer look at the top 10 data breaches in 2018:

1. Aadhaar

Amount of records breached: 1.1 billion

When it happened: 3 January 2018

In January, reporters with the Tribune News Service paid 500 rupees for login credentials to a service being offered by anonymous sellers over WhatsApp. It turned out that this service allowed the reporters to enter any Aadhaar number, a 12-digit unique identifier assigned to every Indian citizen by the Unique Identification Authority of India, and retrieve various types of information on such citizen such as name, address, photo, phone number and email address. An additional payment of 300 rupees furthermore secured access to software with which to print ID cards for any Aadhaar number.

2. Marriot Starwood Hotels

Amount of records breached: approximately 500 million

When it happened: 2014-September 2018

Hackers accessed the reservation database for Marriott’s Starwood hotels, and retrieved guest information including phone numbers, email addresses, passport numbers, reservation dates, and some payment card numbers and expiration dates. Marriott reported this incident to law enforcement, supported their investigation and also notified the regulatory authorities of the data security breach.

3. Exactis

Amount of records breached:340 million

When it happened: 26 June 2018

Vinny Troia, founder of Night Lion Security, uncovered that Exactis, a compiler and aggregator of business and consumer marketing data, left a database exposed on a publicly accessible server. This database contained two terabytes of data that comprised the personal details of hundreds of millions of individuals and businesses including email addresses, physical addresses, phone numbers, and, in some cases, extremely sensitive details like the names and genders of their children. According to Troia, “It seems like this is a database with pretty much every US citizen in it”. To date Exactis has not confirmed the exact number of people affected by this data security breach.

4. Under Armour

Amount of records breached: 150 million

When it happened: 25 March 2018

Under Armour discovered on 25 March 2018 that someone gained unauthorised access to MyFitnessPal, the company’s platform tracking users’ diet and exercise regimes. It was reported at the time that upwards of 150 million users’ usernames, email addresses, and hashed passwords were accessed, but no payment information, as this data is processed separately. Furthermore, data such as Social Security Numbers or driver’s license numbers were not compromised as Under Armour said that it does not collect government identifiers.

5. Quora

Amounts of records breached: 100 million

When it happened: November 2018

A malicious third party accessed one of Quora, a question-and-answer website’s systems and in doing so gained access to user account information such as names, email addresses, encrypted passwords, data from user accounts linked to Quora, and users’ public questions and answers, comments, upvotes and downvotes, questions, and direct messages.

6. MyHeritage

Amounts of records breached: 92 million

When it happened: 4 June 2018

When a security researcher contacted the Chief Information Security Officer of MyHeritage, an online genealogy website, on 4 June 2018 advising that they located a file labelled “myheritage” on an outside, private server, officials at MyHeritage established that this external file contained the email addresses of all users who had signed up with MyHeritage prior to 26 October 2017. The company admitted, in a statement, that the file also contained hashed passwords but ensured users that no payment information was accessed, since third-party service providers process these payments, and no family tree and DNA-related data had been exposed or compromised as these are stored on separate servers.

7. Facebook (Cambridge Analytica)

Amounts of records breached: At least 87 million, although likely more

When it happened: 17 March 2018

Who can forget the Cambridge Analytica scandal that shook Facebook in March 2018? Reports indicated that a firm, Cambridge Analytica, collected in excess of 50 million Facebook users’ personal information including details about their personalities, social networks, and engagement on the platform. At the time, Cambridge Analytica claimed that they only collected information on approximately 30 million users but, upon investigation, Facebook determined that the number was far more, and the social media giant subsequently, in April 2018, notified 87 million of its members that their data had been shared. This, of course, resulted in Facebook apps in general facing increased scrutiny and it seems the Cambridge Analytica scandal may just be the tip of the iceberg. A further data security breach was exposed on 27 June 2018 when it came to light that another app, Nametests.com, publicly exposed the information of more than 120 million Facebook users.  

9. TicketFly

Amount of records breached: 27 million

When it happened: 7 June 2018

TicketFly suffered a data security breach on 31 May 2018, which resulted in the concert and sporting-event ticketing website being vandalised and, ultimately, disrupted and taken down for a week. It was reported that the hacker behind this incident allegedly warned TicketFly of vulnerabilities in its system and demanded a ransom to fix it. The company refused, whereafter the Ticketfly website was hacked, its homepage replaced, and the hacker was able to appropriate a substantial directory of customer and employee data, including names, addresses, email addresses, and phone numbers for 27 million Ticketfly accounts. 

8. Google

Amounts of records breached: 53 million

When it happened: 2015-March 2018, 7-13 November 2018

A Wall Street Journal report revealed in 2018 that a software glitch resulted in the personal profiles of 500 000 Google+ users being exposed. A second data breach occurred during December 2018 that affected the personal data of 52.5 million users including name, employer and job title, email address, birth date, age, and relationship status. These breaches prompted Google to take the decision to shut down Google+ permanently in April 2019.

10. Saks, Lord & Taylor

Amount of records breached: 5 million

When it happened: 3 April 2018

Gemini Advisory, a security firm, discovered a data security breach in the form of an announcement from the JokerStash hacking syndicate wherein they offered for sale five million stolen credit and debit cards. Gemini traced the sale back to a complete system compromise of luxury department stores Saks Fifth Avenue and Lord & Taylor. When the owner of both department stores, Hudson Bay, learned about the incident he immediately took remedial steps. Despite these steps, a class action lawsuit was filed in April 2018 on behalf of all customers who used a payment card at these stores during the breach period (March 2017 – March 2018). In the lawsuit, the applicant stated that Lord & Taylor had “failed to comply with security standards and allowed its customers’ financial information and other private information to be compromised by cutting corners on security measures that could have prevented or mitigated the security breach that occurred.”

At the time of writing, it is only the third month of 2019 and substantial data security breaches already made headlines. Our next article will deal with the latest data security breaches in the first quarter of 2019.

Stage2Data is a professional cloud services company who specializes in Data protection, backup and recovery.

If you want to find out more about recovering from a data security breach and preventing a future data loss, please get in touch.