By KC Canlas
Data breaches seem to be on the rise because they are now reported not only by the media but by the affected companies as well. The European Union has also put its General Data Protection Regulation (GDPR) into effect this year, which requires companies to immediately inform affected users of any data breach within the prescribed period.
This year saw large companies from various sectors hacked, with the data of millions of users compromised. Back End News compiled some of the biggest data breaches in terms of the number of users affected.
Data of about 500 million Starwood clients may have been compromised in a breach that may have been ongoing since 2014, according to the advisory posted by Marriott International. The investigation revealed that the incident happened “on or before September 10, 2018” and that details of about 327 million Starwood guests were taken. The data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival, and departure information, reservation date, and communication preferences.”
MyFitnessPal by Under Armour
In late February, hackers breached Under Armour’s MyFitnessPal app and obtained the information of about 150 million users. The data breach included access to usernames, passwords, and email addresses. On March 25, roughly a month after the breach, the company discovered the hacking and disclosed it to the public a week later.
On Sept. 25, Facebook engineers discovered some unusual activity on the social networking site, which resulted in what is considered the biggest security breach in the tech company’s history. According to the company’s news release, the breach affected about 50 million accounts, and the hackers may have obtained access to almost all the information in these accounts. The breach was due to a vulnerability in the “View As” feature on the social media platform. This feature allows users to see their profile as other people would see it. The vulnerability allowed hackers to steal access tokens from the platform, which were used to take over millions of accounts. Facebook implemented a fix and reset the access tokens of the 50 million accounts and of an additional 40 million that were deemed vulnerable to the breach. Affected users were logged out of their accounts and were required to log back in. The company says that the attackers could see everything in a victim’s profile. Just this month, Facebook again reported that 6.8 million users’ photos were exposed in a new leak.
Hackers were able to access the names, addresses, birthdays, ID, passport numbers, and even travel history of 9.4 million Cathay Pacific Airways Ltd. customers in a hacking that was reported in October but happened in March. The Hong Kong carrier also confirmed another unauthorized access to its customers’ data that happened in May.
In July, Singapore Prime Minister Lee Hsien Loong reported that he was among the 1.5 million patients of SingHealth whose non-medical data were compromised in a cyber attack. Hackers were also able to harvest the outpatient medical data of 160,000 people in the attack, and the data “was exfiltrated” from June 27. SingHealth is Singapore’s largest group of healthcare institutions. The hackers managed to steal the basic information of patients who visited member clinics and hospitals of SingHealth between May 1, 2015, and July 4, 2018, including name, address, date of birth, gender, national identification number, and race.
In September, British Airways informed its customers about a data breach that affected 380,000 card payments on its website and app and happened between Aug. 21 and Sept. 5. The airline said personal information and “financial details” that were provided during booking were leaked. However, it also told its customers that no passport or travel details were stolen.
In February, it was discovered that a legacy Amazon S3 storage server used by FedEx, containing about 119,000 customer data, was left open without a password. Kromtech Security Center detected it and revealed the details of the “possible” breach. Information stored on the said server includes names, home addresses, phone numbers, passport numbers, driver’s licenses, and even handwritten signatures.
The end of Google+ was triggered by a massive security breach that exposed the private information of over 500,000 accounts on the struggling social media site. The security vulnerability had been open since 2015 and was only detected in March 2018. It was found in one of Google+’s People APIs, which gave third-party developers access to information in the affected accounts, including details such as usernames, email addresses, occupations, birthdates, profile pictures, and gender-related data. After Google revealed the details of the vulnerability, it announced the shutdown of Google+. Aside from the breach, the failure of Google+ to get significant traction among users is also seen as a reason for its demise.
Ticketfly by Eventbrite
In May, events ticketing company Ticketfly, owned by Eventbrite, experienced a security breach when a hacker with the handle “IsHaKdZ” replaced the homepage of its website with an image of the character V from the movie “V for Vendetta.” Under the image were the hacker’s email address and a message that said: “Your Security Down im Not Sorry. Next time I will publish the database ‘backstage’.” In this security breach, about 27 million users were compromised. Information such as usernames, phone numbers, home addresses, and email addresses was accessed. Eventbrite assured its users that payment information, including credit and debit card numbers, was kept secure.
Data breaches not only cost companies millions of dollars but also damage brand trust. While security breaches are seen as a major threat to companies, Gartner reported that only 65 percent of organizations have security officers. What would it take for companies to make data security a priority?