weerapat1003 - stock.adobe.com

Data breaches affected more than a billion people in 2018

The personal information of more than a billion people was compromised in 2018 as companies holding the data failed to keep it safe

More than one billion people were affected by the loss of personal data through 13 data breaches at 11 different companies in the past year, according to personal virtual private network service provider NordVPN.

The biggest breach of the year exposed the data of half a billion customers of the Marriott hotel group’s Starwood properties, including the St Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points and W Hotel brands.

Marriott said hackers had broken into its booking system and accessed customer data over the past four years. Stolen data included customers’ names, addresses, phone numbers, card numbers, passport numbers and even information about where and who they were traveling with.

“Because this information wasn’t used for any known financial gains or identity thefts, there are rumours that it could have been a state-sponsored attack,” said Daniel Markuson, digital privacy expert at NordVPN

“As a former British intelligence officer said, the aim of this attack could have been to get valuable information on spies, diplomats and military officials who have stayed in Marriott hotels over the years. It is strange that the attack remained unnoticed for such a long time and that none of the information was monetised.”

The second largest breach was at Twitter, affecting 330 million users when a software bug exposed passwords in plain text. Twitter said there was an issue with its password hashing system, which failed to encrypt passwords and was saving them in plain text.

“Twitter’s investigators claimed that no one had actually accessed the data, but if any of the affected accounts had been hacked, their passwords would have been visible to the attacker,” said Markuson. “Their information could then be used to access other accounts.”

Twitter advised a number of users to change their passwords as a precaution and said the bug had been fixed.

Next up is My Fitness Pal, a food and nutrition app owned by Under Armour, which leaked the data of 150 million users.

“Once the company noticed the breach, it notified its users in almost record time compared with other companies of just four days,” said Markuson.

Under Armour said hackers accessed usernames, email addresses and hashed passwords, but other information, such as credit card numbers, was not compromised because it was stored separately from generic user information.

It is still unknown how hackers broke into the systems, but Under Armour said it was working with data security firms to investigate the attack and take precautionary measures to avoid further break-ins.

Read more about data breaches

Firebase, a Google-owned development platform, leaked the sensitive information of over 100 million users during the year. “The platform might not be well known to everyone, but it is widely used by mobile developers,” said Markuson.

Appthority researchers scanned 2.7 million iOS and Android apps that connect to, and store, their data on Firebase. They found that more than 3,000 of those apps were connected to a misconfigured database that could be accessed by anyone.

“These apps with ‘leaky back-ends’ had been downloaded on the Google Play Store over 620 million times and could have exposed highly sensitive data, including user IDs, plaintext passwords, users’ locations, bank details, bitcoin transactions, social media accounts and even health records,” said Markuson.

The question-and-answer website Quora was also hacked, putting 100 million users at risk. Quora representatives said they had noticed that a “malicious third party” had accessed sensitive information on the database. Compromised data included users’ names and IP addresses to their Q&A history, access tokens and private messages.

“Quora claimed that none of its partners’ financial information or any anonymous Q&As had been affected,” said Markuson. “The attack is under investigation, and no further comments have been made by the company.”

My Heritage, a company that can test people’s DNA to find their ancestors and build their family trees, leaked the email addresses and hashed passwords of more than 92 million users.

The attack was noticed in June when the company’s security researcher found users’ data sitting in a private server that does not belong to the company.

My Heritage said the most sensitive user data, such as DNA information and family trees, is stored on separate systems that were not compromised.

Facebook breaches

One of the biggest brands hit by data breaches in 2018 was Facebook, with 147 million accounts exposed in three breaches.

The first came to light in March, when it emerged that political consulting firm Cambridge Analytica was given permission to use more than 50 million Facebook profiles for “research purposes”, but instead collected user information to create psychographic profiles to influence the US presidential campaign in 2016.

“This data mining and data analysis company was employed by Donald Trump and helped him shape and predict the votes,” said Markuson.

Then, in September, Facebook hit the headlines again when it compromised the security of almost 90 million users. A bug in Facebook’s “View As” feature was discovered that could be used to steal users’ access tokens, which keep the user logged into a website or an app during a browsing session.

“Access tokens do not save the user’s password, so Facebook logged out everyone potentially affected to restore the security,” said Markuson. “However, hackers still managed to steal usernames, genders, and information about their home towns.

“Facebook claims that, so far, it has not noticed any suspicious behaviour on compromised accounts. However, this doesn’t mean this data won’t be used at a later date.”

In December, user confidence in Facebook was shaken even further when another bug was announced. “It appears that hundreds of third-party apps had unauthorised access to seven million users’ photos,” said Markuson. “Worst of all, these included pictures people might have started uploading but never posted.

“It is unknown whether anyone had seen these photos or used them in any malicious way. However, this shows how much data Facebook collects and how little control they have over their cyber security.”

Hefty fines for Uber

Although Uber admitted in November 2017 that it had covered up a data breach in 2016 that affected 57 million customers and drivers, Markuson said the company is worth a mention because of the resultant fines in 2018.

Lack of communication with its users and failing to follow the procedures of the ‘bug bounty reward scheme’ resulted in Uber receiving a hefty fine of $148m in the US and £385,000 in the UK,” he said.

Also in 2018, event ticketing website Ticket Fly was breached by a hacker calling himself IsHaKdZ who stole the data from 27 million accounts.

The hacker broke into Ticket Fly’s systems and replaced its homepage with an image from the V for Vendetta film depicting the fictional British anarchist who protests and fights the fascist government.

The hacker then asked Ticket Fly for a one bitcoin ransom and warned it that its security was poor, threatening to publish the database after his next attack.

“However, even though the hack disrupted many events taking place in the US, the company refused to speak to the hacker or pay the ransom,” said Markuson. “The hacker never released the data publicly, but Washington Post journalists spoke to the hacker and confirmed that the data was authentic. Despite the havoc, the website was back up and running in about a week.”

A bug recently found in the Google+ platform gave third-party developers access to 500,000 accounts, which included users’ full names, birth dates, genders, profile photos, occupations and even places where they lived.

“What is surprising is that the bug wasn’t noticed for three years,” said Markuson. “Eventually, when Google found it and patched it, it decided not to inform the public because it feared another scandal just like Cambridge Analytica. Google said 438 apps had access to sensitive information, but that there was no evidence developers had misused this data.

“Unlike other social media platforms, Google+ struggled to get new users. With the latest data leak, they decided it is now time to shut down the platform completely.”

British Airways attack

The last significant data breach in 2018 concerned British Airways, with 380,000 transactions made between 21 August and 5 September on the BA website and app being compromised. The attackers accessed customers’ names, addresses, emails and payment details. The airline assured passengers that passport and travel details remained secure.

“The technique used in this attack was like a digital version of credit card skimming,” said Markuson. “It allowed hackers to copy users’ information as it was being typed into a data entry form. Such attacks tend to target companies that have poor security.

“In this case, hackers found a loophole in BA’s booking page, injected malicious code, and instantaneously sent customer data to their own server. The attack didn’t involve hackers penetrating the servers, which is why they only managed to gather the information over a very specific timeframe and why they got data not normally stored by the airline, such as credit card CVV numbers.”

Looking ahead to 2019, Markuson said the scope of breaches in the past year shows that even the biggest corporations are vulnerable and are prone to errors.

“This means that it’s becoming more difficult to trust them as we never know when our data is going to end up in the wrong hands,” he said. “Unfortunately, we have little to no control over when the next company will be hacked.”

However, Markuson said end-users can take steps to protect their data, which include:

  • Using strong and unique passwords.
  • Thinking twice before posting anything on social media because this information can be used against those posting it.
  • Using a credit card for online shopping because there is less liability for fraudulent charges if financial information leaks.
  • Providing companies only with necessary information. The less information they have, the less they can leak.
  • Looking out for fraud. If notified that data has been leaked, change passwords and take the steps advised by the company that compromised your data.

Read more on Privacy and data protection

Data Center
Data Management