Preventing Cybersecurity Disaster: Learning from the Top Security Breaches in 2018

March 27, 2019


Looking back at 2018, it is difficult to ignore the chaos caused by the extensive incidents of data breaches that seemed to occur during each week of the year. Sensitive data and personally identifiable information of millions of individuals were exposed and made available on various platforms of the dark web for malicious users to buy and use. Data breaches are easily the single most worrisome trend in the world of cybercrime, and the trend does not look to be slowing down as we head into 2019.

Interestingly, while some data leaks are intentional attacks by hackers, other instances are merely down to databases being neglected. If the organization is lucky, security auditors will unearth them sitting on an unsecured network, asking for trouble.

Unfortunately, cybersecurity in the corporate world is not developing at a pace to match and counter attempts at data invasion. Business critical infrastructure hangs in the balance as does an organization’s network security. At the same time, state-sponsored hackers across the globe are getting emboldened with more sophisticated tools in their arsenal.

Many prominent, well-known organizations had to face the ignominy of a data breach during the past year, in which sensitive and personal data was leaked and users were affected. However, some have stood tall by planning resources ahead of time for incident reporting and SIEM (Security Information and Event Management). We’ll have a look at that towards the end of the article.

Here is a countdown of some of the worst of these instances that took place in 2018.

British Airways: 380 thousand

  • How – Malicious code was injected into a less secure page on the company’s website to steal personal and payment information subtly.

  • What –

    • Names

    • Addresses

    • Email addresses

    • Payment Card Details

  • When – Aug 21, 2018 – Sept 5, 2018

  • Discovered – Sept 6, 2018

  • Reported – Sept 7, 2018

 

Orbitz: 880 thousand

  • How – An outdated company system (not orbitz.com) was accessed, and customer data was compromised.

  • What –

    • Names

    • Addresses

    • Phone Numbers

    • Email Addresses

    • Payment Card Details

    • Other Personal Information

  • When – Jan 1, 2016 – June 22, 2016, and Oct 1, 2017 – Dec 22, 2017

  • Discovered – March 1, 2018

  • Reported – March 20, 2018

T-Mobile: 2 million

  • How – Company servers were accessed via an API. The servers did not contain any sensitive or financial data.

  • What –

    • Names

    • Account Numbers

    • Email Addresses

    • Billing Information

    • Encrypted Passwords

  • When – Aug 20, 2018

  • Discovered – Aug 20, 2018

  • Reported – Aug 23, 2018

Saks and Lord & Taylor: 5 million

  • How – A hacking group managed to infect the retailers’ point of sale systems. The malware was able to steal credit card details of customers.

  • What –

    • Payment Card Details

  • When – May 2017 – March 2018

  • Discovered – Unknown

  • Reported – April 1, 2018

Cathay Pacific: 9.4 million

  • How – Unauthorized access was gained to select Cathay Pacific information systems. No further explanation was provided.

  • What –

    • Names

    • Nationalities

    • Date of Birth

    • Addresses

    • Phone Numbers

    • Passport Numbers

    • Credit Card Numbers

    • Frequent Flier Numbers

  • When – Unknown

  • Discovered – Early March 2018

  • Reported – October 24, 2018

Sacramento Bee: 19.5 million

  • How – The voter registration database that the Sacramento Bee had obtained was seized by hackers along with personal information of the Bee’s subscribers.

  • What –

    • Names

    • Email Addresses

    • Date of Birth

    • Addresses

    • Phone Numbers

    • Party Affiliations

    • Places of Birth

  • When – Jan 2017

  • Discovered – A week before public disclosure

  • Reported – Feb 7, 2018

Timehop: 21 million

  • How – A hacker gained access to the organization’s cloud computing environment that wasn’t protected with 2-factor authentication.

  • What –

    • Names

    • Email Addresses

    • Date of Birth

    • Phone Numbers

    • Other Personal Information

  • When – July 4, 2018

  • Discovered – July 4, 2018

  • Reported – July 8, 2018

Ticketfly: 27 million

  • How – A hacker accessed Ticketfly’s platform via a ‘malicious cyber attack.’

  • What –

    • Names

    • Email Addresses

    • Addresses

    • Phone Numbers

  • When – May 2018

  • Discovered – May 30, 2018

  • Reported – June 7, 2018

Facebook: 29 million

  • How – Hackers exploited a loophole in the platform’s ‘View As’ feature which allowed them to steal Facebook access tokens. They could then take over control of an individual’s Facebook account.

  • What –

    • Names

    • Email Addresses

    • Phone Numbers

    • Other Personal Information Collected by Facebook

  • When – July 2017 – Sept 25, 2018

  • Discovered – Sept 25, 2018

  • Reported – Sept 28, 2018

Panera Bread: 37 million

  • How – The exposure of customer records as a result of a database leak. Panera had earlier ignored repeated requests by researchers to fix the problem.

  • What –

    • Names

    • Email Addresses

    • Date of Birth

    • Addresses

    • Last 4 Digits of Credit Card Numbers

  • When – Aug 2, 2017 – April 2, 2018

  • Discovered – Aug 2017

  • Reported – April 2, 2018

Chegg: 40 million

  • How – Unauthorized access to a database containing user data. Forty million customers’ passwords were reset by the company. Chegg disclosed the leak to the SEC but not to the public.

  • What –

    • Names

    • Email Addresses

    • Shipping Addresses

    • Usernames

    • Passwords

  • When – April 29, 2018 – Sept 19, 2018

  • Discovered – Sept 19, 2018

  • Reported – Sept 25, 2018

Google+: 52.5 million

  • How – The breach occurred in two phases. The first phase exposed the personal data of 500 thousand G+ users and was first reported in Oct 2018. The second breach occurred in Dec. of the same year with 52.5 million users affected.

  • What –

    • Names

    • Email Addresses

    • Date of Birth

    • Other Personal Information collected by G+

  • When – 2015 – March 2018; Nov 7, 2018 – Nov 13, 2018

  • Discovered – March 2018; Not Provided

  • Reported – Oct 8, 2018; Dec 10, 2018

Facebook (via Cambridge Analytica): 87 million

  • How – A loophole in Facebook’s API was exploited by Cambridge Analytica to allow external developers to harvest user data from Facebook apps as well as from individuals’ friends’ networks on Facebook.

  • What –

    • Facebook User Profile Data

    • Facebook User Preferences and Interests

  • When – 2013 – 2015

  • Discovered – Unknown

  • Reported – March 17, 2018

MyHeritage: 92 million

  • How – A researcher identified a file with email addresses as well as hashed passwords held on a private server outside the MyHeritage domain. The company retroactively added a two-factor authentication option for users to prevent account takeover.

  • What –

    • Email Addresses

    • Encrypted Passwords

  • When – Oct 26, 2017

  • Discovered – June 4, 2018

  • Reported – June 4, 2018

Quora: 100 million

  • How – A third party was able to access Quora’s systems and compromise user data.

  • What –

    • Names

    • Email Addresses

    • Encrypted Passwords

    • Data Imported from Linked Networks

  • When – Unknown

  • Discovered – Nov 30, 2018

  • Reported – Dec 3, 2018

Under Armour (MyFitnessPal): 150 million

  • How – An unauthorized party gained access to data associated with user accounts for MyFitnessPal.

  • What –

    • Usernames

    • Email Addresses

    • Encrypted Passwords

  • When – Feb 2018

  • Discovered – March 25, 2018

  • Reported – March 29, 2018

Twitter: 330 million

  • How – The organization discovered a bug that was able to store unmasked passwords within an internal file. Twitter requested users to reset their passwords.

  • What –

    • Plaintext Passwords

  • When – Unknown

  • Discovered – Not Provided

  • Reported – Not Provided

Exactis: 340 million

  • How – The organization was informed of a comprehensive data leak. Exactis secured the database but didn’t publicly declare the breach. A New York-based national law firm, Morgan & Morgan, filed a class action lawsuit against Exactis.

  • What –

    • Names

    • Email Addresses

    • Addresses

    • Phone Numbers

    • Other Misc. Personal Information

  • When – Unknown

  • Discovered – Early June 2018

  • Reported – June 27, 2018

Marriott: 500 million

  • How – An internal security tool informed Marriott about an unauthorized attempt to access the Starwood guest database. On investigation, the company unearthed unauthorized access to its database dating back to 2014.

  • What –

    • Names

    • Addresses

    • Email Addresses

    • Phone Numbers

    • Passport Numbers

    • Date of Birth

    • Other Personal Information

  • When – 2014 – Sept 10, 2018

  • Discovered – Sept 8, 2018

  • Reported – Nov 30, 2018

Aadhaar: 1.1 billion

  • How – The Government of India ignored multiple attempts by security professionals to secure a database leak caused by an unsecured API endpoint that was connected to a state-owned utility company.

  • What –

    • Names

    • Unique 12 Digit Identity Numbers

    • Information regarding services they were connected to including bank details and related private information.

  • When – Unknown

  • Discovered – Not Provided

  • Reported – March 23, 2018

 

Conclusion

The question foremost in everyone’s mind is, ‘How do we protect ourselves in 2019?’ To begin, we must, at all costs, avoid succumbing to the same mindset of ‘another day, another data leak.’ The protection of personal information is of paramount importance.

 

For those of us who have ever submitted personal information to an organization, whether on the web or offline, we can all be possible victims of cybercrime. Instead of putting blind faith in an organization’s privacy policies and network security, individuals need to personally keep themselves abreast of the latest privacy and security tools available.

 

Here are a couple of other ways you can start –

 

Password Managers – This one is a no-brainer. Tools to manage passwords work across devices – desktops, smartphones, and tablets. By using them, individuals can assign a unique and complex password to each account they use. This will make sure that if a data breach involving your credentials occurs in any one account, the leaked information will not impact your other accounts.

If you suspect that you may have been a victim of a data breach, you can search for your email address on aggregated stolen password sites such as Avast Hack Check. These sites will confirm whether or not your password has been leaked.

Activate Two-Factor Authentication – Two-factor authentication should be implemented wherever possible. Even if hackers gain access to your username and password, without access to your second factor they will remain locked out of your account. 2FA should be used for email accounts where possible.

 
