We’re only halfway through 2018, but the scale of some of the data breaches that have already been reported is staggering. Think Facebook was the biggest one? Guess again.
Six months is a long time in infosec, so it’s no surprise that numerous data breaches have emerged in the first half of 2018. Below is a countdown of 10 of the biggest incidents reported thus far in 2018 in terms of total number of records compromised.
10) Saks, Lord & Taylor
5 million records breached
Date disclosed: April 3, 2018
Near the end of March, security firm Gemini Advisory came across an announcement from the JokerStash hacking syndicate offering five million stolen credit and debit cards up for sale. With the help of various financial organizations, Gemini Advisory traced the sale back to a total system compromise of luxury department stores Saks Fifth Avenue and Lord & Taylor. Hudson Bay, the owner of both of the department stores, learned about the incident and took steps to remediate it. But that wasn’t enough for one Bernadette Beekman, who in April 2018 filed a class action lawsuit on behalf of all customers who used a payment card at Lord & Taylor stores during the breach period of March 2017 to March 2018. In her lawsuit, Beekman stated that Lord & Taylor had “failed to comply with security standards and allowed its customers’ financial information and other private information to be compromised by cutting corners on security measures that could have prevented or mitigated the security breach that occurred.”
9) PumpUp
6 million records breached
Date disclosed: May 31, 2018
On May 31, ZDNet reported that it had been contacted by security researcher Oliver Hough regarding a backend server he had found exposed to the Internet with no password to protect it. The server belonged to the fitness app PumpUp, and it gave anyone who came across it access to a host of sensitive customer data including user-entered health information, photos, and private messages sent between users. The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiry dates and card verification values.
When ZDNet reached out to PumpUp, the company did not issue a response, but it did quietly secure the server. It is unknown how long the asset had been sitting exposed.
8) Sacramento Bee
19.5 million records breached
Date disclosed: June 7, 2018
In February, an anonymous attacker seized two databases owned and operated by The Sacramento Bee, a daily newspaper published in Sacramento, California. One of those IT assets contained California voter registration data provided by California’s Secretary of State, while the other stored contact information for subscribers to the newspaper. Upon hijacking those resources, the attacker demanded a ransom fee in exchange for regaining access to the data. The newspaper refused and deleted the databases to prevent additional attacks from leveraging them in the future.
According to The Sacramento Bee, the hack exposed 53,000 subscribers’ information along with the personal data of 19.4 million California voters.
7) Ticketfly
27 million records breached
Date disclosed: June 7, 2018
On May 31, Ticketfly suffered an attack that resulted in the concert and sporting-event ticketing website being vandalized, taken down, and disrupted for a week. The hacker behind the attack had reportedly warned Ticketfly of a vulnerability and demanded a ransom to fix it. When the company refused, the hacker hijacked the Ticketfly website, replaced its homepage, and made off with a large directory of customer and employee data, including names, addresses, email addresses, and phone numbers for 27 million Ticketfly accounts.
6) Panera Bread
37 million records breached
Date disclosed: April 2, 2018
On April 2, security researcher Dylan Houlihan reached out to investigative information security journalist Brian Krebs and told him about an issue he had reported to Panera Bread back in August 2017. The weakness resulted in Panerabread.com leaking customers’ records in plaintext — data which could then be scraped and indexed using automated tools. Houlihan attempted to report the bug to Panera Bread, but told Krebs his reports had been dismissed. The security researcher checked the vulnerability every month thereafter for eight months until finally disclosing it to Krebs, who published the details on his blog. Panera Bread took its website temporarily offline following publication of Krebs’ report.
Despite the company initially downplaying the severity of the breach and indicating fewer than 10,000 customers had been affected, the true number is believed to be as high as 37 million.
5) Facebook
At least 87 million records breached (though likely many more)
Date disclosed: March 17, 2018
Who can forget the data scandal that rocked Facebook in March 2018? At that time, reports emerged of how a political data firm called Cambridge Analytica collected the personal information of 50 million Facebook users via an app that scraped details about people’s personalities, social networks, and engagement on the platform. Despite Cambridge Analytica’s claim that it only had information on 30 million users, Facebook determined the original estimate was in fact low. In April, the company notified 87 million members of its platform that their data had been shared.
Unfortunately, with Facebook apps facing more scrutiny, it appears the Cambridge Analytica scandal may just be the tip of the iceberg. On June 27, security researcher Inti De Ceukelaire disclosed another app called Nametests.com had publicly exposed information of more than 120 million users.
4) MyHeritage
92 million records breached
Date disclosed: June 4, 2018
A security researcher reached out to the Chief Information Security Officer of online genealogy platform MyHeritage on June 4 and revealed they had found a file labeled “myheritage” on a private server outside the company. Upon inspection of the file, officials at MyHeritage determined that the asset contained the email addresses of all users who had signed up with MyHeritage prior to October 26, 2017. According to a statement published by the company, it also contained their hashed passwords but not payment information, as MyHeritage relies on third-party service providers to process members’ payments. Because the service also stores family tree and DNA data on servers separate from those that store email addresses, MyHeritage said there was no reason to believe that information had been exposed or compromised.
3) Under Armour
150 million records breached
Date disclosed: May 25, 2018
On 25 March, Under Armour learned that someone had gained unauthorized access to MyFitnessPal, a platform which tracks users’ diet and exercise. CNBC reported at the time that the criminals responsible for the breach accessed individuals’ usernames, email addresses, and hashed passwords. The incident did not expose users’ payment information, as Under Armour processes this data separately. Nor did it compromise Social Security Numbers or driver’s license numbers, as the apparel manufacturer said it doesn’t collect government identifiers.
Upwards of 150 million MyFitnessPal users are believed to have had their information compromised in the data breach.
2) Exactis
340 million records breached
Date disclosed: June 26, 2018
Security researcher Vinny Troia discovered in June 2018 that Exactis, a marketing and data aggregation firm based in Florida, had left a database exposed on a publicly accessible server. The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses. As of this writing, Exactis has not confirmed the exact number of people affected by the breach, but Troia said he was able to find close to 340 million individual records. He also confirmed to Wired that the incident exposed affected consumers’ email addresses, physical addresses, phone numbers, and a host of other personal information, in some cases including extremely sensitive details like the names and genders of their children.
1) Aadhaar
1.1 billion records breached
Date disclosed: January 3, 2018
In January, reporters with the Tribune News Service paid 500 rupees for login credentials to a service being offered by anonymous sellers over WhatsApp. Using the service, the reporters could enter any Aadhaar number, a 12-digit unique identifier assigned to every Indian citizen. Doing so would retrieve numerous types of information on the queried citizen stored by UIDAI (Unique Identification Authority of India). Those bits of data included name, address, photo, phone number and email address. An additional payment of 300 rupees to the sellers yielded access to software through which anyone could print an ID card for any Aadhaar number.
The data breach is believed to have compromised the personal information of all 1.1 billion citizens registered in India.