Data breaches affect over 1bn users in 2018

Read time 7min 40sec
Social media ranked top for the highest number of data breaches in 2018.
Social media ranked top for the highest number of data breaches in 2018.

The information of over one billion people was compromised in 2018, as many global companies such as Facebook, Google, Marriott International and Liberty failed to protect consumer data.

This is according to a report conducted by virtual private network service provider, NordVPN, which reviewed the most significant and worst data breaches the world faced in 2018.

"Credit card skimming, bugs and 'leaky' back-ends led to some of the biggest data breaches of 2018," explains Daniel Markuson, digital privacy expert at NordVPN.

"The scope of 2018 cyber attacks shows that even the biggest corporations are vulnerable and are prone to errors. This means that it's becoming more difficult to trust them as we never know when our data is going to end up in the wrong hands."

Social media ranked top for the highest number of records breached due to the high-profile customer data compromises by Facebook, Twitter and Google+.

Facebook fails

Three major Facebook security breaches occurred last year, exposing a total of 147 million user accounts, according to NordVPN.

* Fifty million Facebook users affected in March

Cambridge Analytica, a British political consulting firm, was given permission to use more than 50 million Facebook profiles for "research purposes". However, the news broke in March 2018 that instead, the company collected user information to create psychographic profiles to influence the US presidential campaign in 2016, explains Markuson.

* Ninety million Facebook users affected in September

In September, the social media giant hit the headlines once again, as it compromised the security of almost 90 million users. A bug in Facebook's 'View As' feature was discovered that could be used to steal users' access tokens, which keep the user logged into a Web site or a mobile app during a browsing session.

"Access tokens do not save the user's password, so Facebook logged out everyone potentially affected to restore the security. However, hackers still managed to steal usernames, genders, and information about their hometowns," explains Markuson.

* Seven million Facebook users affected in December

As if this wasn't enough to lose trust in Facebook, another bug was announced only a few weeks ago. It appeared that hundreds of third-party apps had unauthorised access to 7 million Facebook users' photos.

"It's unknown whether anyone had seen these photos or used them in any malicious way. However, it shows once more how much data Facebook collects and how little control they have over their cyber security," notes NordVPN.

Massive Marriott breach

The biggest data breach of the year (if not ever) exposed the data of half a billion users. Global hotel chain, Marriott International, said hackers broke into its booking system and accessed customer data from the last four years.

Cyber criminals stoleMarriott-owned Starwood Hotels & Resort's customer names, addresses, phone numbers, card numbers, passport numbers and even the information of where and who they were traveling with.

"Because this information wasn't used for any known financial gains or identity thefts, there are rumours that this could have been a state-sponsored attack. A former British intelligence officer said that the aim of this attack could have been to get valuable information on spies, diplomats and military officials who've stayed in Marriott hotels over the years," according to NordVPN.

Liberty hack affects locals

In June, financial services company Liberty informed its South African clients in an e-mail that it had been subjected to illegal and unauthorised access to its IT infrastructure. The company noted an external party illegally obtained data from Liberty and demanded payment.

"Liberty was alerted of the intrusion into its network late on the evening of 14 June. Liberty specialist teams immediately began investigating the incident, prioritising the protection of customer details and of the security of the company's IT systems. The relevant authorities were also alerted," according to the e-mail.

While Liberty did not reveal the number of South Africans affected by the data breach, security experts estimated that millions of consumers may have been affected.

BA attack compromises accounts

Russian hackers made millions of dollars selling credit card details stolen from British Airways customers during a major cyber attack in August.

Around 380 000 transactions made between 21 August and 5 September were compromised on the British Airways Web site and mobile app. The attackers accessed customers' names, addresses, e-mails, and payment details.

"In this case, hackers found a loophole in British Airways' booking page, injected malicious code, and instantaneously sent customer data to their own server. The attack didn't involve hackers penetrating the servers, which is why they only managed to gather the information over a very specific time-frame and why they got data not normally stored by the airline, like credit card CVV numbers," according to Markuson.

Google+ breach proves fatal

A bug found in the Google social networking site, Google+, gave third-party developers access to 500 000 accounts, which included users' full names, birth dates, genders, profile photos, occupations and even where they lived.

"What's surprising is that the bug, which was announced in October, wasn't noticed for three years. Google says that 438 apps had access to sensitive information, but that there's no evidence that developers misused this data," explains NordVPN.

"Unlike other social media platforms, Google+ struggled to get new users and decided to shut down the platform completely."

Twitter bug exposes passwords

In May, Twitter urged its more than 330 million users to change their passwords, after a glitch caused some users to be stored in readable text on its internal computer system. The security bug exposed users' passwords, all in plain text.

"Twitter stated that there was an issue with their password hashing system. It failed to encrypt passwords and was saving them in plain text. Their investigators claimed that no one had actually accessed the data, but if any of the affected accounts had been hacked, their passwords would have been visible to the attacker. Their information could then be used to access other accounts," adds NordVPN.

Uber exposed

In November 2016, hackers accessed Uber's cloud servers and downloaded the data of almost 35 million users, including their full names, phone numbers, e-mail addresses and the locations where they first signed up for the service.

Uber brushed the incident under the carpet and failed to notify its customers and the 3.7 million drivers whose trip summaries, weekly payments, and even driver's licence numbers were also exposed. Instead, Uber paid the hacker a $100 000 ransom, called it a 'bug bounty,' and waited for a year to start monitoring the affected accounts.

"Lack of communication with their users and failing to follow the procedures of the 'bug bounty reward scheme' resulted in Uber receiving a hefty fine, last year, of $148 million in the US and £385 000 in the UK," notes NordVPN.

Ticket Fly breach affects 27m accounts

Ticket Fly, an event ticketing Web site, was hacked by a cyber criminal calling himself IsHaKdZ, who stole the data from 27 million accounts. The hacker broke into Ticket Fly's systems and replaced its homepage with an image from the 'V for Vendetta' film depicting the fictional British anarchist who protests and fights the fascist government.

My Fitness Pal stumbles

At the beginning of 2018, My Fitness Pal, a food and nutrition app owned by Under Armour, leaked the data of 150 million users.

The company confirmed hackers got hold of usernames, e-mail addresses and hashed passwords. My Fitness Pal said other information, such as credit card numbers, weren't compromised because they were stored separately from generic user information.

Other security incidents that affected consumers globally in 2018 included My heritage, a company that can test people's DNA to find their ancestors and build their family trees. The platform leaked e-mail addresses and hashed passwords of over 92 million users.

Firebase, a Google-owned development platform, leaked the sensitive information of over 100 million users, while Quora, a question-and-answer Web site, put 100 million users at risk when a malicious third party accessed sensitive information on its database in December.

Have your say
Facebook icon
Youtube play icon