Mohammed Yusuf

Biggest Data Breaches of 2018 - So Far

The rise in data breaches is an incredibly scary thing for small business owners. The sheer amount of information that has been compromised over the years continues to grow. Most of these breaches are infamous and well known, so if you have an account with any of the companies listed below, we suggest changing your password and adopting a routine of changing it every 30 to 60 days. Here’s a list of the biggest data breaches of 2018.

Saks, Lord & Taylor

5 million records breached

Date disclosed: April 3, 2018

Near the end of March, security firm Gemini Advisory came across an announcement from the JokerStash hacking syndicate offering five million stolen credit and debit cards up for sale. With the help of various financial organizations, Gemini Advisory traced the sale back to a total system compromise of luxury department stores Saks Fifth Avenue and Lord & Taylor. Hudson Bay, the owner of both of the department stores, learned about the incident and took steps to remediate it.


PumpUp

6 million records breached

Date disclosed: May 31, 2018

On May 31, ZDNet reported that it had been contacted by security researcher Oliver Hough regarding a backend server he had found exposed to the Internet with no password to protect it. The server belonged to the fitness app PumpUp, and it gave anyone who came across it access to a host of sensitive customer data, including user-entered health information, photos, and private messages sent between users. The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiry dates and card verification values.

When ZDNet reached out to PumpUp, the company did not issue a response, but it did quietly secure the server. It is unknown how long the asset had been sitting exposed.

Sacramento Bee

19.5 million records breached

Date disclosed: June 7, 2018

In February, an anonymous attacker seized two databases owned and operated by The Sacramento Bee, a daily newspaper published in Sacramento, California. One of those IT assets contained California voter registration data provided by California’s Secretary of State, while the other stored contact information for subscribers to the newspaper. Upon hijacking those resources, the attacker demanded a ransom fee in exchange for regaining access to the data. The newspaper refused and deleted the databases to prevent additional attacks from leveraging them in the future.

According to The Sacramento Bee, the hack exposed 53,000 subscribers’ information along with the personal data of 19.4 million California voters.


Ticketfly

27 million records breached

Date disclosed: June 7, 2018

On May 31, Ticketfly suffered an attack that resulted in the concert and sporting-event ticketing website being vandalized, taken down, and disrupted for a week. The hacker behind the attack had reportedly warned Ticketfly of a vulnerability and demanded a ransom to fix it. When the company refused, the hacker hijacked the Ticketfly website, replaced its homepage, and made off with a large directory of customer and employee data, including names, addresses, email addresses, and phone numbers for 27 million Ticketfly accounts.


Panera Bread

37 million records breached

Date disclosed: April 2, 2018

On April 2, security researcher Dylan Houlihan reached out to investigative information security journalist Brian Krebs and told him about an issue he had reported to Panera Bread back in August 2017. The weakness resulted in Panerabread.com leaking customers’ records in plaintext — data which could then be scraped and indexed using automated tools. Houlihan attempted to report the bug to Panera Bread, but told Krebs his reports had been dismissed. The security researcher checked the vulnerability every month thereafter for eight months until finally disclosing it to Krebs, who published the details on his blog. Panera Bread took its website temporarily offline following publication of Krebs’ report.

Despite the company initially downplaying the severity of the breach and indicating fewer than 10,000 customers had been affected, the true number is believed to be as high as 37 million.


Facebook

At least 87 million records breached (though likely many more)

Date disclosed: March 17, 2018

Who can forget the data scandal that rocked Facebook in March 2018? At that time, reports emerged of how a political data firm called Cambridge Analytica collected the personal information of 50 million Facebook users via an app that scraped details about people’s personalities, social networks, and engagement on the platform. Despite Cambridge Analytica's claim that it only had information on 30 million users, Facebook determined the original estimate was in fact low. In April, the company notified 87 million members of its platform that their data had been shared.

Unfortunately, with Facebook apps facing more scrutiny, it appears the Cambridge Analytica scandal may just be the tip of the iceberg. On June 27, security researcher Inti De Ceukelaire disclosed that another app, Nametests.com, had publicly exposed the information of more than 120 million users.


MyHeritage

92 million records breached

Date disclosed: June 4, 2018

A security researcher reached out to the Chief Information Security Officer of online genealogy platform MyHeritage on June 4 and revealed they had found a file labeled “myheritage” on a private server outside the company. Upon inspection of the file, officials at MyHeritage determined that the asset contained the email addresses of all users who had signed up with MyHeritage prior to October 26, 2017.

According to a statement published by the company, it also contained their hashed passwords but not payment information, as MyHeritage relies on third-party service providers to process members’ payments. Because the service also stores family tree and DNA data on servers separate from those that store email addresses, MyHeritage said there was no reason to believe that information had been exposed or compromised.

Under Armour

150 million records breached

Date disclosed: May 25, 2018

On March 25, Under Armour learned that someone had gained unauthorized access to MyFitnessPal, a platform that tracks users’ diet and exercise. CNBC reported at the time that the criminals responsible for the breach accessed individuals’ usernames, email addresses, and hashed passwords. The incident did not expose users’ payment information, as Under Armour processes this data separately. Nor did it compromise Social Security numbers or driver’s license numbers, as the apparel manufacturer said it doesn’t collect government identifiers.

Upwards of 150 million MyFitnessPal users are believed to have had their information compromised in the data breach.


Exactis

340 million records breached

Date disclosed: June 26, 2018

Security researcher Vinny Troia discovered in June 2018 that Exactis, a marketing and data aggregation firm based in Florida, had left a database exposed on a publicly accessible server. The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses. As of this writing, Exactis has not confirmed the exact number of people affected by the breach, but Troia said he was able to find close to 340 million individual records. He also confirmed to Wired that the incident exposed affected consumers’ email addresses, physical addresses, phone numbers, and a host of other personal information, in some cases including extremely sensitive details like the names and genders of their children.


Aadhaar

1.1 billion records breached

Date disclosed: January 3, 2018

In January, reporters with the Tribune News Service paid 500 rupees for login credentials to a service being offered by anonymous sellers over WhatsApp. Using the service, the reporters could enter any Aadhaar number, a 12-digit unique identifier assigned to every Indian citizen. Doing so would retrieve numerous types of information on the queried citizen stored by UIDAI (Unique Identification Authority of India). Those bits of data included name, address, photo, phone number and email address. An additional payment of 300 rupees to the sellers yielded access to software through which anyone could print an ID card for any Aadhaar number.

The data breach is believed to have compromised the personal information of all 1.1 billion citizens registered in India.

The number of records compromised in Q1 and Q2 2018 has already surpassed the total number of breached records for all of 2017, as identified in the Identity Theft Resource Center's (ITRC) 2017 Data Breach Industry Summary report. For context, the list of breaches provided in this article is far from comprehensive. There were plenty of additional data breaches that took place in the first half of 2018, which means the number of compromised records could actually be much higher. Only time will tell whether this is the case.