The Biggest Data Hacks of 2018
It felt that over the course of 2018, each week brought yet another news story of a company that had to notify its customers their personal data had been compromised.
Data breaches happen for a range of reasons, from planned cyber attacks, to vulnerabilities in company software and databases, to the plain mishandling of data. All of them highlight the growing need for individuals to take the utmost care when it comes to their online activity.
Below, we round up the biggest data hacks of 2018. Read on and prepare to be both shocked and amazed – but not in a good way.
Facebook
At the time this story broke, Facebook really could have done without the extra scrutiny. Already under fire over its processes and handling of users’ private data, it was then revealed that an attack on its network had compromised the personal information of millions of users.
For the 14 months between July 2017 and September 2018, 50 million Facebook users had their highly sensitive data scraped by hackers. The hackers managed to exploit vulnerabilities in Facebook’s code and leverage ‘access tokens’ that gave them full access to users’ accounts. Three software bugs made this attack possible; two had been introduced to improve the privacy of Facebook users. AWKWARD. The third was in a tool that enabled users to upload birthday videos.
The data included contact details, recent searches (oh god!), location and relationship status. Among those who had their accounts broken into were Mark Zuckerberg and Sheryl Sandberg. Given the nature of the integrations and linked accounts to Facebook, once the cyber criminals were in, they could also go on to access apps such as Instagram and Spotify – and presumably discover your PJ and Duncan playlist.
Google+
Google+ has suffered multiple attacks due to a software glitch between 2015 and November 2018. A security bug meant third-party developers were able to access the profile data of users for three years before it was patched silently. THREE YEARS!
Yes, you read that correctly – Google decided to fix the issue, without letting the world know that there was a three-year gaping wound in its security arm.
On top of their own data being stolen, once a user had given permission for their profile to be accessed via an app, the developers were also able to pull their friends’ data too. This information included names, birth dates, email addresses, employers and job titles.
After a damning Wall Street Journal report exposed the bug, the tech giant announced that in April 2019 the platform would be shut down for good, following a scandal that affected a total of 52.5 million users – more than the number of people that probably used it.
Cambridge Analytica
Of course, we couldn’t do a round-up and not include Cambridge Analytica. Although this was brought to light last year, it actually started way back in 2015, when *** developed a personality prediction app called ‘thisisyourdigitallife’.
This app was installed by 270,000 users, but Facebook had some preeeetty lax data sharing policies back in 2015, and the app was able to scrape information on friends and connections of those who installed the app – all 87 million of them.
It wasn’t necessarily the nature of the data that was taken that bothered most, but the way in which it was used that caused uproar. The user information was passed on to third parties, including data analytics firm Cambridge Analytica – these were basically the guys responsible for creating highly targeted ads based on voting tendencies for, you guessed it, Donald Trump’s presidential campaign.
MyFitnessPal
In February 2018, an unauthorised third party managed to access MyFitnessPal, a fitness and diet tracker app owned by Under Armour, and see how little we were actually running. This hack remained undetected for around one month.
A total of 150 million accounts were affected, with information such as usernames, email addresses and encrypted passwords compromised. Under Armour saw its shares drop by 4% once the press got its hands on the story.
Unlike its social media counterparts, MyFitnessPal and Under Armour proactively began to let their user database know what had happened. Progress of a kind, then.
British Airways
On 21st August 2018, a ‘sophisticated’ cyber hack compromised the card details of 380,000 individuals who were making or changing bookings via the airline’s website and app. The hack had been in place for 15 days before being noticed – while financial data was stolen, passport and travel details were safe.
BA was very cloak and dagger with regards to the technical details of the data breach, but cyber security experts have commented on possible methods.
It has been proposed that a piece of malicious code had been placed on the website, extracting customer data as it was entered. This is a known problem for websites that embed third-party code for services such as payment authorisation or adverts: a script loaded from someone else’s server runs with the same access to the page as the site’s own code.
British Airways proactively contacted its customers and took out full-page adverts in the national newspapers to apologise for the incident and offered full compensation for stolen money and financial hardship.
T-Mobile
In August 2018, a group of hackers from across the globe accessed the T-Mobile servers through an API, stealing personal data from customers’ accounts, such as name, phone numbers, address information and account information.
The company was quick to point out that while billing information was included, no financial data was compromised.
T-Mobile decided to downplay the attack, reporting that it only affected 3% of its customer base. That’s just a small number right? Not really a big deal?
Well, T-Mobile’s customer base is around 77 million users – 3% of that figure is around 2 million accounts.
So, kind of a big deal.
Security researchers have found a number of vulnerabilities in T-Mobile platforms, including a sub-domain used by staff that allowed access to customer data without any password, and another that exposed customer data including billing and handset details. The mobile network has also been criticised for sharing customer data with third parties.
Timehop
The geniuses over at Timehop decided not to protect their cloud-computing environment with multi-factor authentication, which meant that between December 2017 and July 2018, 21 million names, email addresses and phone numbers were accessed.
The attack was noticed on July 4th 2018 and the app was subsequently shut down two hours later, but not before millions of accounts had been breached.
The hacker managed to gain access to the firm’s cloud-computing platform in December 2017 using administration credentials that had been compromised. They then scoured the data for a few days that month, and again in March and June. Then, confident that the intrusion hadn’t been picked up on, the hackers swiftly launched the attack in July.
Timehop disclosed the breach in a company blog post, a week after it happened, and went on to deactivate the ‘keys’ used in the app that reads and delivers users’ social media memories, leaving users to re-authenticate the app.
Timehop has now seen the light (or the backlash) and decided to implement multi-factor authentication to secure access control in its cloud environment.
Marriott Starwood Hotels
While the hospitality chain detected the breach on 10th September 2018 via an internal security tool, shockingly, cyber criminals had already had access to its reservation database between 2014 and 2018, where they were able to view and copy guest information before encrypting and stealing it.
The information included phone numbers, email addresses, passport numbers, reservation dates, rewards information and card payment details from guests in the UK, USA and Canada.
The chain disclosed that while the card payment details had been encrypted, it couldn’t rule out that the keys needed to decrypt them had also been stolen, further compromising the data.
Marriott reported the incident to law enforcement officials, contacted those customers who had been affected and set up a website and free helpline to provide further information and guidance on the matter. It also offered a year-long subscription to a fraud-checking service to those affected, so individuals can monitor activity.
Marriott will face the wrath of the EU’s GDPR rules and the penalties that come with them – despite its head office being state-side, it deals with a client base in the UK and EU, meaning it is obliged to comply.