We’re now more than halfway through 2018 but the scale of some of the data breaches that have already been reported is staggering. This year has seen more third-party services being breached and customer data stolen from multiple companies in one go.
We’ll only be looking at the bigger ones, and some may not have happened this year – its common for cyber security incidents not to be disclosed for months, or even years.
You still think Facebook was the biggest one? Look no further. This countdown of 10 of the biggest incidents reported thus far in 2018 in terms of total number of records compromised will, without doubt, change your surmise.
6 million records breached
Date disclosed: May 31, 2018
On May 31, ZDNet reported that they had been contacted by security researcher Oliver Hough in regards to a backend server he had found exposed to the Internet with no password to protect it. The server belonged to the fitness app PumpUp, and it gave anyone who came across it access to a host of sensitive customer data including user-entered health information, photos, and private messages sent between users.
The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiry dates and card verification values.
21 million people affected
Date disclosed: July
Timehop connects to social networks and surfaces nostalgic posts from the past. On Facebook it shows users their previously popular posts in a bid to help people rekindle previous memories. However, the company detected an ongoing cyber attack in July and found names, email addresses and “keys” allowing access to previous posts had been taken. It delayed the tokens for accessing historic posts, it said.
8. Fined: Yahoo!
In April – June 2018
$35m fine imposed
Following Yahoo!’s colossal data breach in 2014 where billions of usernames, email addresses, phone numbers, birth dates, passwords, security questions were taken, regulators have hit the firm with fines. The US Securities and Exchange Commission slapped the firm, now called Altaba, with a $35 million fine in April. The UK’s data protection watchdog also fined it £250,000.
27 million records breached
Date disclosed: June 7, 2018
On May 31, Ticketfly suffered an attack that resulted in the concert and sporting-event ticketing website being vandalized, taken down, and disrupted for a week. The hacker behind the attack had reportedly warned Ticketfly of a vulnerability and demanded a ransom to fix it. When the company refused, the hacker hijacked the Ticketfly website, replaced its homepage, and made off with a large directory of customer and employee data, including names, addresses, email addresses, and phone numbers for 27 million Ticketfly accounts.
At least 87 million records breached (though likely many more)
Date disclosed: March 17, 2018
Who can forget the data scandal that rocked Facebook in March 2018? At that time, reports emerged of how a political data firm called Cambridge Analytica collected the personal information of 50 million Facebook users via an app that scraped details about people’s personalities, social networks, and engagement on the platform. Despite Cambridge Analytica’s claim that it only had information on 30 million users, Facebook determined the original estimate was in fact low. In April, the company notified 87 million members of its platform that their data had been shared.
5. Under Armour
150 million records breached
Date disclosed: May 25, 2018
On 25 March, Under Armour learned that someone had gained unauthorized access to MyFitnessPal, a platform which tracks users’ diet and exercise. CNBC reported at the time that the criminals responsible for the breach accessed individuals’ usernames, email addresses, and hashed passwords. The incident did not expose users’ payment information, as Under Armour processes this data separately. Nor did it compromise Social Security Numbers or driver’s license numbers, as the apparel manufacturer said it doesn’t collect government identifiers.
Upwards of 150 million MyFitnessPal users are believed to have had their information compromised in the data breach.
92 million records breached
Date disclosed: June 4, 2018
A security researcher reached out to the Chief Information Security Officer of online genealogy platform MyHeritage on June 4 and revealed they had found a file labeled “myheritage” on a private server outside the company. Upon inspection of the file, officials at MyHeritage determined that the asset contained the email addresses of all users who had signed up with MyHeritage prior to October 26, 2017. According to a statement published by the company, it also contained their hashed passwords but not payment information, as MyHeritage relies on third-party service providers to process members’ payments. Because the service also stores family tree and DNA data on servers separate from those that store email addresses, MyHeritage said there was no reason to believe that information had been exposed or compromised.
3. US Homeland Security
An unknown person responsible but not a “cyber attack by external actors”
On January 3, 2018, the US department of Homeland Security told 247,167 of its employees there had been a “privacy incident” with one of its databases for those that worked there in 2014. During the period of 2002-2014, an undisclosed number of people who were being investigated were also affected by the data loss. The lost information includes names, social security numbers and staff job roles. Officials first discovered the breach in May 2017 but took time to confirm it.
340 million records breached
Date disclosed: June 26, 2018
Security researcher Vinny Troia discovered in June 2018 that Exactis, a marketing and data aggregation firm based in Florida, had left a database exposed on a publicly accessible server. The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses. As of this writing, Exactis has not confirmed the exact number of people affected by the breach, but Troia said he was able to find close to 340 million individual records. The incident exposed affected consumers’ email addresses, physical addresses, phone numbers, and a host of other personal information, in some cases including extremely sensitive details like the names and genders of their children.
1 billion records breached
Date disclosed: January 3, 2018
In January, reporters with the Tribune News Service paid 500 rupees for login credentials to a service being offered by anonymous sellers over WhatsApp. Using the service, the reporters could enter any Aadhaar number, a 12-digit unique identifier assigned to every Indian citizen. Doing so would retrieve numerous types of information on the queried citizen stored by UIDAI (Unique Identification Authority of India). Those bits of data included name, address, photo, phone number and email address. An additional payment of 300 rupees to the sellers yielded access to software through which anyone could print an ID card for any Aadhaar number.
The data breach is believed to have compromised the personal information of all 1.1 billion citizens registered in India.