As data breaches go, 2018 did not disappoint. While the year kicked off with the discovery of the Meltdown and Spectre viruses at the beginning of January, 2018 will be remembered as the year a dark shadow was cast over Facebook for having to announce not one…not two, but three breaches.
On March 17th, British political consulting firm Cambridge Analytica was exposed by the Guardian and The New York Times for harvesting the data of at least 87 million Facebook users without their knowledge after people participated in a quiz app. Cambridge Analytica sold the data to the Trump presidential campaign, which used it to target Facebook users with ads during the 2016 race.
But 87 million didn’t take the quiz—several hundred thousand did, noted Fast Company. The quiz app exposed a flaw in a Facebook API that allowed it to grab data not only from the people who took the quiz, but all their friends as well.
Then Facebook suffered a major data breach that was revealed in September, exposing the data of 50 million user accounts, including when they were born and their relationship status. Last week, the company disclosed that the photos of 6.8 million users had been exposed, and Facebook could now face a multi-billion dollar fine for failing to comply with the EU’s GDPR.
There were 3,676 breaches in the first nine months of 2018, according to DarkReading, putting 2018 on track to have the second-highest number of reported breaches in a single year, and the third-highest number of records exposed since 2005. Here is a sampling of the data breaches in various industries in 2018; it is by no means all-inclusive.
Hotels, Retailers and Restaurants
It also wasn’t a particularly good year for Marriott, which announced earlier this month that a massive data breach had impacted its Starwood division, exposing the personal data of 500 million guests.
Retailers were hit hard, too. Security firm Gemini Advisory discovered that five million customer records were breached at luxury department stores Saks Fifth Avenue and Lord & Taylor. The firm estimated the breach started in May 2017; the hacking syndicate JokerStash announced it would release over five million stolen credit and debit cards — for a price. Gemini Advisory estimates the compromise continued through March 2018.
Sportswear company Under Armour disclosed on March 25th that someone infiltrated its MyFitnessPal app, compromising the data of some 150 million users, including user names, email addresses and hashed passwords.
Between April 26th and June 12th, “a small group of people” shopping online at Macys.com and Bloomingdales.com had their personal information exposed to a third party, according to Business Insider.
Other retailers suffering data breaches that were reported this year included Adidas, Sears, Kmart and Best Buy, the site said. T-Mobile reported in August that it experienced a data breach, affecting approximately two million customers.
Among the restaurants suffering breaches this year was Panera, which was thrust into the spotlight after revelations on April 2nd that its Panerabread.com site leaked millions of customer records for at least eight months, according to KrebsOnSecurity, which credited security researcher Dylan Houlihan with making the discovery.
Google was also not immune. The search engine giant was forced to acknowledge its now-defunct Google+ social network exposed the data of as many as 500,000 users due to a security flaw.
Healthcare Firms, Airlines
A phishing attack compromised two employee email accounts at HealthEquity – its second this year. The latest attack, reported in November, exposed the personal information of 190,000 customers of HealthEquity, which provides health savings accounts and similar services to over 3.4 million people. In June, an employee’s email account was hacked, and some 160,000 customers had their data breached.
Also in November, Pennsylvania-based May Eye Care Center and Associates reported that 30,000 patient records were breached in a ransomware attack on July 29; and Florida-based Health First reported a data breach in which 42,000 patients had their data exposed.
The list of healthcare firms suffering breaches goes on, with UnityPoint Health announcing in July it was notifying 1.4 million patients that their records may have been breached — for a second time — after a phishing attack on its business email system. The first phishing attack occurred in April when staff email accounts were breached, exposing the data of 16,000 patients. The second UnityPoint breach holds the dubious distinction of being the largest health data attack in the U.S. this year “by a landslide,” according to HealthcareITNews.
Other healthcare firms reporting breaches in 2018 include LabCorp; Orlando Orthopaedics, Alive Hospice, CareFirst, St. Peters Surgery and Endoscopy Center, Coplin Health Systems, and BJC Healthcare, according to a compilation by the site and by Cyber Security Hub.
No industry, it seems, was immune. Cathay Pacific, one of Hong Kong’s major international airlines, reported in October that it suffered a data breach affecting 9.4 million customers. Like Facebook, the airline expects to face a stiff financial penalty from EU regulators under the GDPR.
Don’t expect things to improve in 2019, unfortunately. With relations strained between the U.S. and both Russia and China, those two countries, along with hacktivists, are the top three threat actors, ZDNet reported. Security firms told the site they predict there will be an increase in crime, espionage and sabotage by rogue nation states, and that state-sponsored cyber warfare will “take center stage.”
If there is any hopeful news, it is that the United Nations is expected to address the issue of state-sponsored cyberattacks by enacting a multinational Cyber Security Treaty, according to ZDNet, due to the increasing number of civilian victims impacted by these attacks. Although the UN has broached the topic before, the most recent incidents – coupled with new ones likely to surface in 2019 — will finally force the UN to come to some consensus, the site noted.
Happy New Year.