The biggest data breaches of 2018

We investigate some of the year's largest data breaches

Advertisement

Norton Security defines a data breach as a “security incident in which information is accessed without authorization,” which is a very simple definition for a very complicated problem. These breaches can expose customers’ private information, everything from their address to their credit card numbers. This year has seen a high number of serious breaches and hacks on major companies, some of them getting more coverage than others.

This is by no means a comprehensive list, but rather an overview of some of the largest breaches this year. And even if none of these have affected you, you should still read up on how to protect yourself in the future.

Facebook

Facebook has been hit twice by data breaches so far this year. First, of course, is the infamous Cambridge Analytica scandal from this spring, which went down in the history books as the most entertaining time to read the comments on Mark Zuckerberg’s Facebook posts. This particular event put the data 87 million accounts into the hands of the political data analytics firm, and the public was reasonably furious.

And just like pretty much everyone predicted, that was just the tip of the iceberg. Just last month, Facebook was hacked, and another couple million accounts were compromised. The hackers made off with the email addresses and phone numbers of nearly 30 million accounts, and the gender, age, location, hometown, work and education history, relationship status, and the ten most recent “check-ins” for 14 million accounts.

This is still an ongoing investigation, though Facebook claims to have fixed the issue that permitted the hack.

On a completely unrelated note, is anyone interested in a Portal? The Facebook-made device that can let Facebook see the inside of your house.

READ NEXT: NHS data breach reveals almost 10,000 patient records - are you affected?

TicketFly

TicketFly is a US-based ticketing website that was breached back in May. After a hacker discovered a security issue with TicketFly’s website, they anonymously reached out to the company and demanded 1 bitcoin (worth around £5,844 at the time,) in exchange for the details on the vulnerability. When there was no reply, the hacker hijacked the website and replaced its homepage with exactly what you’d expect: A picture from V for Vendetta.

But, unfortunately, it didn’t end there. The hacker also managed to make off with the information associated with 27 million TicketFly accounts, including customer and employee names, addresses and phone numbers. TicketFly responded by shutting down their website for a week, and the websites of several associate nightclubs and venues also went down.

MyHeritage

The consumer genealogy website was hacked back in 2017, but it didn’t make headlines until this June. The issue was made known when the company’s chief security officer was sent a file simply named “myheritage,” which included the email addresses and encrypted passwords for 92,283,889 accounts. Out of those 92 million, over 1 million had their DNA information uploaded onto the website. However, MyHeritage was quick to assure panicked users that DNA information is stored “on segregated systems and are separate from those that store the email addresses, and they include added layers of security.”

Exactis

The American marketing firm Exactis is so good at staying out of the public view that the only descriptive sentence on its Wikipedia page is “Exactis is a data broker.”

That is, until a security researcher named Vinny Troia discovered that Exactis had a publicly accessible database of nearly 340 million individuals, which included names, phone numbers, family members and addresses for just about every United States citizen.

While the database did not include social security numbers or financial information of any kind, some of the entries did go into a spooky amount of detail, such as if a person prefers dogs or cats, if they have an interest in plus-sized clothing, and whether or not they smoke. Troia stumbled upon this database by accident, and it’s unknown if the information had ever been used for malicious purposes. When it was brought to their attention, Exactis quietly shut the database down without comment.

READ NEXT: How to stop over 400 sites logging everything you type

British Airways

I flew British Airways this September, but luckily, I booked my ticket a month in advance. I say “luckily” because hundreds of thousands of customers who booked a flight between 21 August and 5 September were affected by a massive data breach, caused by just 22 lines of malicious JavaScript code.

It was originally estimated that 380,000 customers had their financial details compromised during the breach, though the company stressed that passport numbers and travel details remained safe. However, the airline recently announced that another 185,000 customers who made reward bookings between 21 April and 28 July may have had their credit card information compromised as well, bringing the grand total up to 565,000.

It’s believed that the breach was the product of the group Magecart, and that they used a skimming technique to access customer’s credit card information from the compromised BA site.

Cathay Pacific

Speaking of airlines, Chinese airline Cathay Pacific was recently hit with an enormous data breach that exposed the details of over 9 million customers. Discovered in March and confirmed in May, the hackers were able to access 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers, and an additional 27 credit card numbers with no CVV.

Additionally, customers also had their personal information exposed, such as their names, nationalities, birthdates telephone numbers, email and physical addresses, and travel history.

Despite the fact that Cathay Pacific is a Chinese company, it is still being investigated by the GDPR, due to the massive amount of time between the discovery of the breach and the announcement to the public, which was only made earlier this month.

Marriott 

The year may be coming to a close, but the data breaches certainly aren't. Hotel giant Marriott recently announced that a whopping 500 million customers' data has been stolen, thanks to a four-year hack into its systems. Back in September, Marriott was informed of a potential breach, but only relayed this information to its customers in late November. 

How bad is the damage? An inconceivable 327 million had information stolen that included gender, date of birth, trip details and passport number. A further 173 million had thier names and address or email address stolen. While the scope of the breach speaks for itself, it's the superlatives that are truly shocking. The data breach is the largest ever in a non-digital business, as well as being one of the longest; four years' access from the hackers having done some real damage. 

Quora 

Quora, the popular question and answer site, revealed that hackers stole information on 100 million of the site's users. Users are being prompted to reset their passwords, after the breach was detected on 30 November. 

No monetary transactions are made on Quora, so no credit card information was stolen, leaving some scratching their heads as to why the site was targeted. However, given that many users use the same password for multiple sites, it's likely the hackers were trying to glean passwords to gain access to other sites. I guess the site's tagline – "a place to gain and share knowledge" – is true to form, in a roundabout way. 

Read more about: