Biggest Data Breaches of 2018

posted by

Illustration of old hollywood style robbers physically stealing data from a desktop computer and smartphone.

Cybersecurity continues to be one of the most important assets for any organization. The nonprofit organization Identity Theft Resource Center recorded 1,244 reported data breaches nationally in 2018 alone. That’s nearly three per day, and they exposed 446,515,334 sensitive records.

Not only are data breaches frequent, they’re costly. The costs associated with data breaches are up 6.4 percent from 2017. A report sponsored by IBM from the Ponemon Institute found that the individual cost of a data leak rose to $3.86 million. In addition to monetary losses, organizations suffer reputational consequences, as well. Businesses often see diminished trust with their customer base, as well as other stakeholders in the organization.

The surge of hacking and data breaches impacted many organizations over the past year. It’s important to understand what went wrong and how to best protect against future cyberattacks. Here’s a look at some of the data breaches that had the biggest impact in 2018.

Biggest Data Breaches in 2018

Marriott International/Starwood

Marriott subsidiary Starwood Hotels and Resorts suffered one of the biggest data breaches in history. Between 2014 and 2018, hackers found a vulnerability in Starwood’s cyber defenses and gained access to the company’s reservation database. The database included all brands under the Starwood umbrella, including Westin, Sheraton, W Hotels, Aloft, and St. Regis, among others.

In a statement on its website, Marriott explained that in a database of roughly 500 million guests, hackers acquired data about approximately 327 million. The data stolen included names, addresses, emails, and even some passport information. In addition, Marriott believed that credit or debit card information on file became compromised.

In response to the breach, Marriott is facing investigations both in the U.S. and abroad. AIR Worldwide, a risk management firm, has estimated that Marriott could suffer revenue losses between $200 and $600 million.

In his opening testimony to a U.S. senate subcommittee, Marriott chief executive officer Arne Sorenson revealed the third-party investigators the hotel giant had hired discovered a remote access trojan, a type of malware that allows hackers to access data without being noticed. It’s likely that an internal employee accidentally clicked on a link or email that was designed to look like it came from a trusted source, opening the door for the malware to enter the Starwood system.

According to Symantec, the clandestine nature of trojans makes it difficult to be noticed by cybersecurity professionals, but updated antivirus software and an intrusion prevention system (IPS) can help keep out malware. Per Google, prevention software monitors and detects cyber threats and malicious activity on a network.

Under Armour/My Fitness Pal

In March 2018, Under Armour disclosed a data breach in its health and exercise app MyFitnessPal. The hack, which had been discovered a month before the disclosure, compromised the data of 150 million people and included usernames, email addresses, and even some encrypted passwords.

Luckily for users, Under Armour kept payment information separate from login information, but users’ privacy was still violated. According to a report from The Register, account information from the MyFitnessPal hack went up for sale on the dark web, a community of websites that requires special software to access. It is likely purchasers wanted the information to use a technique called credential stuffing, which is particularly dangerous for people who use the same password for multiple accounts.

Under Armour admitted that some passwords were protected by a weak password encryption mechanism called SHA-1. Compared with the “bcrypt” mechanism that Under Armour also used, SHA-1 is much easier to crack and break in to. Having better internal security and password safeguards may have prevented the data breach.

Under Armour’s stock fell as much as five percent in the days following the announcement of the hack. Markets Insider suggested the bad press surrounding the data breach played a role in the company’s stock price dropping.

Pursue a career in IT management or Cybersecurity

Interested in helping protect against crippling data breaches? Consider earning your online bachelor’s in information technology from King University. The flexible online program is designed for working adults and offers choice of tracks: cloud computing and systems administration, cybersecurity, digital business and game development, and information systems.

Explore Degree

Facebook

In October 2018, Facebook suffered the worst security breach in its history, one that compromised the personal information of around 14 million accounts. This information included usernames, hometowns, followed pages, and more.

In a press release from Facebook, the tech giant said the data breach originated from within a group of Facebook accounts. Hackers exploited a bug in the social media network’s code to obtain access tokens, which identify the user and privileges related to login information.

The breaches have harmed both Facebook’s bottom line as well as its reputation with other businesses, governments, and consumers. As a result of the hack, the European Union’s General Data Protection Regulation (GDPR) could force Facebook to pay fines of up to $1.63 billion, per the Guardian. Furthermore, a survey from the Pew Research Center earlier in 2018 found that one in four U.S. adults had deleted the Facebook app from their phones in response to how the company has mishandled private data.

Since the breaches, Facebook has publicly made steps to improve its security and reputation. Tech-focused news website The Information reported in October 2018 that Facebook is interested in a purchasing a “major cybersecurity firm” to help better protect users’ data. With more cybersecurity experts performing tests and assessments on Facebook software and code, they may be able to catch bugs similar to the access token before criminals do.

British Airways

British Airways announced in a statement that hackers obtained personal and financial information of more than 380,000 travelers between August and September of 2018. The airline said it didn’t notice for more than two weeks that hackers were siphoning off information to another database. Risk IQ, a cybersecurity firm, said that’s likely because the malicious scripts used by the hackers totaled a miniscule 22 lines.

Still, those few lines facilitated the recording of names, credit card numbers, and passport information. Although there wasn’t a lot to look for, the scripts could have been easily caught if the right prevention steps had been implemented. According to cybersecurity software firm WhiteHat Security, one way to protect against a cyberthreat like this is to institute a content security policy, preferably one that can instruct a webpage on what to do and what not to do. It’s possible this type of policy could stop the transfer of information away from a webpage, even if a malicious link is clicked.

Because personal information was illegally obtained due to possible negligence, the European Union opened an investigation of British Airways and could fine the airline nearly $640 million for the incident, according to the BBC.

Google Plus

Google suffered two huge embarrassments in 2018, after a pair of coding errors compromised the data of millions of users on their social network application, Google Plus.

The first breach of privacy happened because a bug in Google Plus’ code allowed third-party vendors to access personal information, even if the user marked it as private, Google said in a statement. Back in March 2018, a bug in Google Plus’ Application Programming Interface (API) allowed developers who created applications that interacted with Google Plus additional access to information. A Google internal investigation revealed that an estimated 500,000 people had some personal information compromised, though Google stated it didn’t think anyone actually stole or misused the information.

In November 2018, another Google Plus API bug compromised 52.5 million accounts. This included names, email addresses, ages, and occupations. Google stated they created a patch for both bugs as soon as they found the error, and it’s unclear whether anyone accessed the information.

According to a report from Business Insider, Google is now under investigation by Ireland and Germany, and two former Google Plus users in California have filed a class action lawsuit. Even before the security breach, Google Plus was a struggling venture, and it was looking likely that it would be shuttered. After the first bug, Google announced that it would close its Google Plus site by late 2019. Following the second bug, the timeline was moved up to April 2019.

At its height, Google Plus had around 300 million “monthly active users,” according to the company. However, by 2018, Google admitted in a company blog post that 90 percent of activity on the site lasted “less than five seconds.” While Google likely didn’t want to close its program, it was forced to by the now-fatal data breaches and loss of consumer trust in the product.

How Companies Can Better Defend Against Data Breaches

So much data is stored electronically that it’s imperative that companies are proactive in protecting their systems instead of just providing damage control. There is a clear and growing need for more cybersecurity professionals, such as ethical hackers or penetration testers. These professionals provide companies with specific insight they can’t find anywhere else and are invaluable to organizations.

Interested in helping protect against crippling data breaches? Consider earning your online bachelor’s in information technology from King University. We designed this degree program for working adults like yourself. Thanks to our online format, you can balance your education with your busy life. As you pursue your degree at King University, you can attain a deeper focus with individualized tracks: cloud computing and systems administration, cybersecurity, digital business and game development, and information systems. With transfer credits, you can earn your degree in as few as 16 months!