As 2018 draws to a close we look back at just a few of the biggest data breaches of the year.
Social media platforms took a battering in 2018 with many of the big players suffering from major breaches and the airline sector didn’t do too well either with some high-profile breaches making the news headlines. One thing is clear, any sector can be affected.
Here are a few examples from the first six months, notable for the amount of disruption they caused and/or by the amount of data stolen
In the United Arab Emirates (UAE) however, a data breach at Careem (the UAE version of Uber) saw the data of 14 million of its users being compromised. - https://techcrunch.com/2018/04/23/careem-data-breach/
Top 500 UK Law firms
Closer to home, a cybersecurity company studied 620 domains belonging to 500 of the UK’s law firms and found 1.16 million corporate email addresses on various sites that collect previously stolen or leaked credentials. The vast majority of the credentials were taken from third-party breaches where law firm employees had signed up with their work credentials. - https://www.computing.co.uk/ctg/news/3025074/one-million-email-credentials-from-the-top-500-uk-law-firms-found-for-sale-on-the-dark-web
Norwegian Healthcare authority
Norway's Health South East RHF authority came under sustained attack on January 8th with some security experts stating that the attack was likely a concerted and highly professional effort to target electronic patient data, connected to a NATO exercise called Trident Juncture 18 that took place in November. The breach raised concerns that half of Norway’s population may have had their data stolen. - https://www.itgovernance.eu/blog/en/breach-at-norways-largest-healthcare-authority-was-a-disaster-waiting-to-happen
A data breach of Under Armour’s MyFitnessPal application saw hackers compromise the data of an estimated 150 million users. As a result of the revelation of the breach the company’s share price fell by 3.8%. The affected data included email addresses and usernames. - https://www.theguardian.com/technology/2018/mar/30/hackers-steal-data-150m-myfitnesspal-app-users-under-armour
Atlanta City Government
The city of Atlanta government was knocked out of action in March after it was hit by the SamSam Ransomware variant. The ransom demanded the payment of $6,800 to unlock each affected device or $51,000 to provide keys to unlock all affected systems. The incident created significant disruption to services across the city. As a result, the city government spent more than $2.6 million on efforts to remove the malware. The hackers behind the attack have reportedly made millions from other affected organisations that have paid their ransom demands. - https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html
In April the number of leaked records surpassed 2,000,000,000 thanks to data breaches at a major Chinese hotel chain and other hacks. The biggest incident to occur in this month, however, was related to Facebook.
The Cambridge Analytica scandal forced Facebook to announce that malicious actors could have scraped the public profile information of tens of millions of its users. - https://breachlevelindex.com/top-data-breaches
It was another social media giant’s turn to make the headlines in May. This time Twitter revealed that a glitch exposed the credentials of more than 330 million of its users in plaintext. The vulnerability is reported to have persisted for several months prior to its discovery. Twitter said that no passwords had been stolen but advised all its users to change their passwords as a precaution. - https://www.theguardian.com/technology/2018/may/03/twitter-change-password-bug-discovered
In May Typeform, a Barcelona-based online software as a service company that specializes in online form building and online surveys announced that a hacker had managed to download a backup file from one of Typeform’s servers. The compromised file stored names, email addresses and other pieces of information submitted by users through Typeform forms. The breach affected many businesses from all over the world that use Typeform for carrying out online surveys. The breach wasn’t made public until July. - https://www.theregister.co.uk/2018/07/02/typeform_breach/
US-based concert and sports ticketing event website Ticketfly was hacked exposing the data of 27 million of its customers. Usernames, addresses, email addresses and phone numbers were exposed but no financial information was.
June saw a number of large breaches with the total number of records exposed numbering in the hundreds of millions.
A security researcher discovered that Florida based marketing firm Exactis accidentally exposed the details of 340 million people, a number far bigger than that of the Equifax breach of 2017. When it was brought to their attention, Exactis quietly shut the database down without comment and it is unknown whether the data was used for malicious purposes. - https://www.wired.com/story/exactis-database-leak-340-million-records/
Mobile security came to the fore in this incident where researchers discovered that the data of 100 million people were exposed by a flaw in Google’s Firebase service. App developers failing to properly secure their back-end Firebase endpoints led to hundreds of gigabytes of sensitive data being publicly accessible to pretty much anyone. The exposed data included plain text passwords, user IDs and locations and in some cases financial records. The researchers discovered that more than 3,000 apps—2,446 on Android and 600 on iOS were leaking databases. The vulnerable Android apps were also shown to have been downloaded 620 million times. - https://www.bleepingcomputer.com/news/security/thousands-of-apps-leak-sensitive-data-via-misconfigured-firebase-backends/
Popular Chinese video sharing platform AcFun was hacked. The attackers leaked the details of 10 million users. - https://technode.com/2018/06/13/acfun-security/
In the UK, electronics seller Dixons Carphone revealed that it had suffered a data breach that began back in July 2017. The attack reportedly affected 6 million payment cards. The long delay in discovering the breach was called ‘alarming’ by a cybersecurity provider. - https://www.bbc.co.uk/news/business-45016906
Ancestry website My Heritage was hacked exposing the data of 92 million of its users onto a server external to the company. - https://www.reuters.com/article/us-myheritage-privacy/security-breach-at-myheritage-website-leaks-details-of-over-92-million-users-idUSKCN1J1308
In part 2 we cover the months of July to November
For Further Reading -