And here we are yet again. Another year and another array of data breaches to talk about over the course of the year. So what exactly defined 2018 when it came to data security?
In 2017 it was WannaCry and NotPetya, not to mention a plethora of other ransomware-as-a-service attacks. At the beginning of this year Jeff Edwards and I predicted that 2018 would be the year of cryptojacking, especially considering how much Bitcoin was skyrocketing at the time. We couldn't have been more wrong. Bitcoin and other cryptocurrencies have come back down to Earth with no sign of returning to the exorbitant values they reached in January 2018. There has been a small uptick in the past week, but regardless, cryptojacking doesn't look as lucrative to cyber criminals as it once did.
This just goes to show that predicting how each year will play out is a fool's errand, but a fun one nonetheless. This year was defined not by ransomware or cryptojacking, but by breaches of massive scale. There may be a few reasons for this. GDPR is now being enforced and we are hearing whispers of bipartisan legislation in the US, so companies are taking data security seriously, because now more than ever their livelihood depends on it. Gone are the days of brushing data security aside.
My guess is that so many massive breaches were discovered this year not because there were suddenly more of them, but because companies that were notoriously bad with data security now have to come forward to avoid hefty fines that could put their future earnings in jeopardy. And with that, we have reached the pinnacle of data security malpractice. Unless you live under a rock, you are affected. 2018 will be defined as the year the conglomerates were exposed for their poor data security practices. All of our personal data has been exposed, and now big business needs to answer for it.
Here are the top data breaches of 2018 (that we know of so far).
1. Marriott: 500 Million Customers Affected
At Marriott, the world's largest hotel chain, hackers accessed the Starwood guest reservation database in the US and remained undetected for 4 years (since 2014). The attackers accessed PII and financial information of 500 million customers. For 327 million of those victims the data included names, addresses, phone numbers, email addresses, passport numbers and dates of birth. Payment information was also accessed, but it was encrypted; Marriott cannot say whether the encryption keys were accessed as well. The hackers encrypted the data before exfiltrating it in order to evade DLP software. It is also worth noting that Starwood had suffered a previous breach of its POS machines before Marriott acquired it in 2014.
2. Under Armour / MyFitnessPal: 150 Million Customers Affected
MyFitnessPal, the nutrition and fitness tracker owned by Under Armour, was hacked in March 2018. Hackers accessed the usernames, email addresses and hashed passwords of 150 million users. Payment information was not affected, and to Under Armour's credit the breach was disclosed in under a week. Most of the stolen passwords were hashed with bcrypt, so they should be very hard to break, but a significant number were hashed with SHA-1, which is much easier to crack. A lawsuit was filed against the company in June 2018.
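The bcrypt-versus-SHA-1 distinction above is the one practical lesson in this entry, so here is an added example (not code from Under Armour or MyFitnessPal) of why an unsalted fast hash is weak and how a site can retire such hashes on the next successful login. It uses only the Python standard library, so PBKDF2-HMAC-SHA256 stands in for bcrypt as the slow, salted scheme; the iteration count, the record format and the sample records are all constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed cost factor for the slow scheme; real deployments tune this to their hardware.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1, the weak scheme: fast and deterministic, so every user with
    the same password gets the same hash and precomputed tables apply directly."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (stand-in for bcrypt): a fresh 16-byte
    salt per user and a high iteration count make offline guessing expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    if stored.startswith("sha1$"):
        return hmac.compare_digest(stored, legacy_sha1(password))
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Verify the login; if it succeeds against a legacy SHA-1 record, return a
    replacement record under the slow scheme so the weak hash is retired."""
    if not verify(stored, password):
        return False, stored
    if stored.startswith("sha1$"):
        return True, slow_hash(password)
    return True, stored


def audit_legacy(records: Dict[str, str]) -> Tuple[int, int]:
    """Report how many stored records still use the weak scheme and how many of
    those collide (identical hash => identical password, visible without cracking)."""
    legacy = [h for h in records.values() if h.startswith("sha1$")]
    collisions = len(legacy) - len(set(legacy))
    return len(legacy), collisions


# Constructed sample user table: two legacy users share a password, one is migrated.
SAMPLE_RECORDS = {
    "alice": legacy_sha1("correct horse"),
    "bob": legacy_sha1("correct horse"),
    "carol": slow_hash("correct horse"),
}

if __name__ == "__main__":
    print("legacy records, duplicate hashes:", audit_legacy(SAMPLE_RECORDS))
    ok, new_record = login_and_upgrade(SAMPLE_RECORDS["alice"], "correct horse")
    print("login ok:", ok, "upgraded:", new_record.startswith("pbkdf2$"))
```

The audit shows the property that makes SHA-1 records dangerous in a dump: alice and bob have identical hashes, so an attacker learns they share a password without any cracking, whereas carol's salted record reveals nothing of the kind. The upgrade-on-login path is the usual way to migrate a live user base, since the plaintext is only available at authentication time.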
3. Quora: 100 Million Users
On Monday, December 6th, the Q&A website Quora announced that intruders had accessed the account details of 100 million users. Quora said it discovered the incident on the previous Friday. The breached data included user IDs, email addresses and encrypted passwords. Quora logged out all users and pushed a password reset.
4. MyHeritage: 92 Million Customers
The Israel-based family networking and genealogy site MyHeritage leaked the data of over 92 million users, according to a disclosure made in June 2018. The breach took place on October 26th, 2017, and the hackers accessed email addresses and hashed passwords; the hashing scheme used was not made clear. Family tree and DNA information is stored on separate systems and was not accessed.
5. TicketFly (Eventbrite): 27 Million Customers
A May 2018 attack on the ticketing site TicketFly knocked some of its servers down for a weekend. During the attack the hackers also accessed the information of 27 million accounts, including names, addresses, email addresses and phone numbers. No credit card information or passwords were accessed.
6. Facebook: 30 Million Users Affected
Facebook suffered a number of setbacks in 2018 and, *shocker*, it seems like every week there is more information coming out about how Facebook has never really taken users' data privacy seriously. At the beginning of the year the company came under fire for the Cambridge Analytica scandal, in which a voter profiling company harvested the private information of more than 87 million Facebook users without their permission and used that data in its work for President Trump's 2016 campaign.
On September 15th, Facebook discovered a data breach affecting nearly 50 million users. It took the company 11 days to resolve the breach. The attackers chained three vulnerabilities in the Facebook View feature, which lets users see what their profile looks like to other users, to obtain access tokens that could then be used to access other users' accounts.
The hack gave the attackers full control of the victims' accounts. Facebook eventually revised the number of affected users down to 30 million.