Over a billion people’s data was compromised in 2018, offering a glimpse of what the cybersecurity and privacy landscape looks like in 2019 and what we could do to mitigate the risks of data breaches.
If your data wasn’t leaked last year then you were lucky. The information of over a billion people was compromised in 2018 as many of the companies we trust failed to protect our data.
From credit card skimming to bugs and ‘leaky’ backends, Daniel Markuson, Digital Privacy Expert at NordVPN, reviews the most significant and most damaging data breaches the world faced in 2018.
Will you be as fortunate this year?
British Airways (380,000 accounts)
380,000 transactions made between August 21st and September 5th were compromised on the British Airways (BA) website and app. The attackers accessed customers’ names, addresses, emails, and payment details. The airline assured passengers that passport and travel details remained secure.
The technique used in this attack was a digital version of ‘credit card skimming’. It allowed the attackers to copy users’ information as it was being typed into a data entry form. Such attacks tend to target companies with poor security.
In this case, the attackers found a loophole in BA’s booking page, injected malicious code, and sent customer data to their own server the instant it was entered. The attack did not involve penetrating BA’s servers, which is why the attackers could only gather information within a specific time window, and why they obtained data the airline does not normally store, such as credit card CVV numbers.
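Because a skimmer of this kind hides inside a page’s own JavaScript and ships data to a third-party host, two defensive checks follow directly from the description above: detect drift in the scripts a site actually serves, and restrict where page scripts are allowed to send data via the Content-Security-Policy `connect-src` directive. The following is an added example, not code from the original article or from British Airways; the script paths, contents and CSP headers are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample data (not from any real site): the JavaScript files a
# checkout page is known to serve, captured when the baseline was recorded.
# Paths and contents are hypothetical.
KNOWN_GOOD_SCRIPTS = {
    "/static/js/checkout.js": b"function pay(form) { return submit(form); }\n",
    "/static/js/vendor/lib.js": b"window.lib = { version: '1.0' };\n",
}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ('sha384-<base64 digest>') for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def record_baseline(scripts: dict) -> dict:
    """Map each script path to the hash of its known-good content."""
    return {path: sri_hash(body) for path, body in scripts.items()}


def check_scripts(served: dict, baseline: dict) -> list:
    """Compare the scripts a site serves right now against the baseline.

    Returns (path, status) pairs for anything that drifted: a script whose
    content changed, a script that was never in the baseline, or a baseline
    script that is no longer served. An empty list means no drift.
    """
    findings = []
    for path, body in served.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "unexpected script"))
        elif sri_hash(body) != expected:
            findings.append((path, "content changed"))
    for path in baseline:
        if path not in served:
            findings.append((path, "missing"))
    return findings


def connect_src_sources(csp_header: str):
    """Return the source list governing outbound requests made by page scripts.

    connect-src applies directly; when it is absent CSP falls back to
    default-src. Returns None when neither directive exists (no restriction).
    """
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "connect-src" in directives:
        return directives["connect-src"]
    return directives.get("default-src")


def csp_limits_exfiltration(csp_header: str) -> bool:
    """True when the policy pins script-initiated requests to explicit origins.

    A wildcard or bare scheme would let injected code reach any host, so
    those count as no restriction. An empty source list blocks everything.
    """
    sources = connect_src_sources(csp_header)
    if sources is None:
        return False
    broad = {"*", "http:", "https:", "data:", "blob:"}
    return not any(s.lower() in broad or s.startswith("*.") for s in sources)


if __name__ == "__main__":
    baseline = record_baseline(KNOWN_GOOD_SCRIPTS)
    # Simulate a later fetch of the live site in which checkout.js was edited.
    live = dict(KNOWN_GOOD_SCRIPTS)
    live["/static/js/checkout.js"] += b"/* edited */\n"
    print("drift:", check_scripts(live, baseline))
    print("exfil limited:", csp_limits_exfiltration("default-src 'self'; connect-src 'self'"))
```

In practice the baseline would be recorded from a known-good deploy and `check_scripts` run against the live site on a schedule, since a skimmer injected on the server would not be caught by browser-side Subresource Integrity alone; the CSP check complements it by narrowing where any injected code could send what it captures.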
Google+ (500,000 accounts)
A bug recently found in the Google+ platform gave third-party developers access to 500,000 accounts, which included users’ full names, birth dates, genders, profile photos, occupations and even places where they lived.
What’s surprising is that the bug wasn’t noticed for three years. Eventually, when Google found it and patched it, they decided not to inform the public because they feared another scandal just like Cambridge Analytica. Google says that 438 apps had access to sensitive information, but that there’s no evidence that developers misused this data.
Unlike other social media platforms, Google+ struggled to attract new users. After this latest data leak, Google decided it was time to shut the platform down completely.
Ticketfly, owned by Eventbrite (27 million accounts)
Ticketfly, an event ticketing website, was hacked by a cybercriminal calling himself IsHaKdZ, who stole the data of 27 million accounts. The hacker broke into Ticketfly’s systems and replaced its homepage with an image from the film ‘V for Vendetta’, depicting the fictional British anarchist who protests against and fights a fascist government.
He then demanded a one-bitcoin ransom from Ticketfly, warned them that their security was poor, and threatened to publish the database after his next attack. Even though the hack disrupted many events taking place in the US, the company refused to speak to the hacker or pay the ransom.
The hacker never released the data publicly, but Washington Post journalists spoke to the hacker and confirmed that the data was authentic. Despite the havoc, the website was back up and running in about a week.
Uber (57 million users)
This revolutionary taxi company isn’t immune to hacking either. In November 2016, hackers accessed Uber’s cloud servers and downloaded the data of almost 35 million users, including their full names, phone numbers, email addresses and the locations where they first signed up for the service.
If this happened two years ago, why are we talking about this now? Because Uber brushed it under the carpet and failed to notify its customers (and the 3.7 million drivers whose trip summaries, weekly payments, and even driver’s license numbers were also exposed). Instead, Uber paid the hacker a $100,000 ransom, called it a ‘bug bounty,’ and waited for a year to start monitoring the affected accounts.
The lack of communication with its users, and the failure to follow the procedures of its own ‘bug bounty reward scheme’, resulted in Uber receiving hefty fines: $148m in the US and £385,000 in the UK. Steve Eckersley, Director of Investigations at the UK Information Commissioner’s Office, said:
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable. Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.” – Steve Eckersley, ICO Director of Investigations
Facebook (147 million accounts)
Of course, no ‘naughty’ list would be complete without Facebook:
50 million users in March
Cambridge Analytica, a British political consulting firm, was given permission to use more than 50 million Facebook profiles for “research purposes.” Instead, it collected user information to build psychographic profiles intended to influence the 2016 US presidential campaign. The data mining and analysis company was employed by Donald Trump and helped his campaign shape and predict the vote.
90 million users in September
In September, the social media giant hit the headlines once again when the security of almost 90 million users was compromised. A bug was discovered in Facebook’s ‘View As’ feature that could be used to steal users’ access tokens, the credentials that keep a user logged into a website or app during a browsing session.
Access tokens do not contain the user’s password, so Facebook restored security by logging out everyone potentially affected, which invalidated the stolen tokens. Even so, the attackers still managed to steal usernames, genders, and information about users’ hometowns.
Facebook claims that, so far, it hasn’t noticed any suspicious behavior on compromised accounts. However, this doesn’t mean that this data won’t be used at a later date.
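The mitigation described above, a forced logout that makes every outstanding token useless without touching anyone’s password, depends on how tokens are issued and checked. The following is an added example, not Facebook’s implementation or code from the original article: tokens are signed with a server key and carry a per-user “session generation” number, so bumping that number revokes everything issued before it. The signing key, the in-memory generation table and the user ids are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed server secret (hypothetical; a real deployment would load it
# from a key store) and a hypothetical in-memory table of per-user session
# generations. Bumping a user's generation invalidates all earlier tokens.
SIGNING_KEY = b"constructed-server-secret-not-for-production"
session_generation = {}  # user_id -> int


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, ttl_seconds: int = 3600, now=None) -> str:
    """Mint a token for user_id.

    The token carries no password: only the identity it is valid for, the
    user's current session generation, an expiry time and a signature over
    those three fields. Format: user_id|generation|expiry|signature.
    """
    now = int(time.time()) if now is None else int(now)
    generation = session_generation.setdefault(user_id, 0)
    payload = f"{user_id}|{generation}|{now + ttl_seconds}"
    return f"{payload}|{_sign(payload)}"


def verify_token(token: str, now=None):
    """Return the user_id a token is valid for, or None.

    None is returned for a malformed or forged token, an expired token, or a
    token minted before the user's sessions were revoked.
    """
    now = int(time.time()) if now is None else int(now)
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user_id, generation, expiry, signature = parts
    payload = f"{user_id}|{generation}|{expiry}"
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(_sign(payload), signature):
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    if not generation.isdigit() or int(generation) != session_generation.get(user_id, 0):
        return None
    return user_id


def revoke_all_sessions(user_ids) -> None:
    """Forced logout: every outstanding token for these users stops verifying.

    Nothing about the users' passwords changes; only the generation counter
    moves, so tokens stolen before this call are worthless afterwards.
    """
    for uid in user_ids:
        session_generation[uid] = session_generation.get(uid, 0) + 1


if __name__ == "__main__":
    stolen = issue_token("alice")
    print("valid before revocation:", verify_token(stolen) == "alice")
    revoke_all_sessions(["alice"])
    print("valid after revocation:", verify_token(stolen) == "alice")
```

The generation counter is what makes a platform-wide logout cheap: revoking millions of sessions is one increment per affected user rather than a hunt for every token ever issued, and users simply sign in again to receive tokens with the new generation.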
7 million users in December
As if this wasn’t enough to lose trust in Facebook, another bug was announced only a few days ago. It appears that hundreds of third-party apps had unauthorized access to 7 million users’ photos. Worst of all, these included pictures people might have started uploading but never posted.
It’s unknown whether anyone had seen these photos or used them in any malicious way. However, it shows once more how much data Facebook collects and how little control they have over their cybersecurity.
“A lot of people who are worried about privacy and those kinds of issues will take any minor misstep that we make and turn it into as big a deal as possible. We realize that people will probably criticize us for this for a long time, but we just believe that this is the right thing to do.” – Mark Zuckerberg, CEO of Facebook