Security from the ground up
Since the Equifax breach in September 2017, the general public is increasingly aware of how vulnerable their personal information has become. As we pass the halfway point in 2018, the increase in data leaks evokes critical questions about the nature of cybersecurity. Digital technology is becoming more normalized through mobile devices and connected appliances, and the consequences of hacking data are now part of our physical world and daily lives.
As technology and its consequences proliferate, responsibility for protecting data has not kept pace. We allow corporations to collect massive amounts of personal data, but they rarely demonstrate the competence to protect it, and billions of records are leaked each year as a result. Whereas the dangers of hacking may have begun to reach our general attention, the magnitude of data leaks has not. We are only about halfway through 2018, and we have already suffered over 600 major breaches. Here are what we consider the ten most egregious data breaches of 2018 so far:
10. Panera Bread—customer records (system design failure)
10,000 reported/37 million estimated
Over eight months, a hole in Panera’s data process leaked an estimated millions of its customers’ records, including names, addresses, emails, and credit card information. Security researcher Dylan Houlihan reported the data leak to Panera in 2017, stating that “Panera Bread uses sequential integers for account IDs,” which made it simple to collect information by incrementing through accounts. Panera has now fixed this issue but downplayed it, stating that only around 10,000 records were leaked, while evidence indicates the actual number may be much higher.
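The Panera flaw is a classic enumeration of predictable identifiers, and the behaviour leaves a clear trace in access logs: one client walking account IDs in order. The following detector is an added example, not code from the page or from Panera; the log format (client, method, path) and the sample lines are constructed, and the `/account/<id>` path and the run threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines: one client walks account IDs in
# sequence, the others fetch one or two accounts as a normal user would.
SAMPLE_LOG = """\
10.0.0.5 GET /account/1001
10.0.0.5 GET /account/1002
10.0.0.5 GET /account/1003
10.0.0.5 GET /account/1004
10.0.0.5 GET /account/1005
10.0.0.9 GET /account/4821
10.0.0.7 GET /account/2213
10.0.0.7 GET /account/2214
"""

# Assumed log shape: "<client> GET /account/<integer id>"
LINE_RE = re.compile(r"^(\S+) GET /account/(\d+)$")


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers, in request order."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerating_clients(log_text, min_run=4):
    """Return {client: run_length} for every client whose requests walk
    min_run or more consecutive account IDs back to back."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_client[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for client, ids in by_client.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[client] = run
    return flagged


if __name__ == "__main__":
    print(find_enumerating_clients(SAMPLE_LOG))  # {'10.0.0.5': 5}
```

Detection is a backstop only: the fix is a per-request ownership check on the account endpoint, ideally combined with non-guessable identifiers so that a single leaked ID does not reveal its neighbours.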
9. Jason’s Deli—credit card information (hack)
3.4 million reported
In December 2017, Jason’s Deli was informed that a large amount of credit card information had been placed for sale on the dark web. Investigation revealed that hackers had used RAM-scraping malware to harvest credit card information from its point-of-sale terminals, obtaining data belonging to around 3.4 million people.
8. Los Angeles County 211—emergency call data (human error)
3.5 million reported
A nonprofit that operates Los Angeles County’s 211 social services hotline leaked records for 3.5 million calls, along with a large amount of personal information, that it had stored online. This included critical information such as social security numbers, names, and addresses. The nonprofit contracted with Amazon for storage but incorrectly configured the permissions on the files, leaving them open for public download.
7. Saks Fifth Avenue—credit card information (malware)
5 million reported
Luxury retailers Saks Fifth Avenue and Lord & Taylor lost over five million credit card numbers. Malware implanted in their cash register systems harvested credit card information until March 2018. The malware is believed to have been delivered through phishing emails sent to the company’s employees.
6. Sacramento Bee—voter records (human error)
19.5 million reported
The Sacramento Bee, a local California newspaper, exposed approximately 19.5 million voter records after failing to restore the firewall protecting its database following security maintenance. This left the entire database exposed, and it was subsequently compromised by a ransomware attack.
5. Localblox—user profiles (inadequate system design)
48 million estimated
Localblox leaked approximately 48 million user profiles, including names, addresses, employment information, and job histories. Localblox scrapes information from public sources including Facebook, LinkedIn, Twitter, and Zillow, collecting data without user consent. It stored the collected data in an insecurely configured Amazon storage container. The exposure was discovered by Chris Vickery, an ethical data breach hunter.
4. MyHeritage—emails, passwords (hack)
92.3 million reported
Online genealogy platform MyHeritage informed users in June 2018 of a data breach involving the email addresses and passwords of 92.3 million users, after discovering it on June 4th. A private server containing email addresses and passwords from MyHeritage had been found by a security researcher. However, the passwords were stored as cryptographic hashes rather than in plaintext, making them less vulnerable.
3. Firebase—user data (system design failure)
100 million reported
Firebase, an application development platform acquired by Google, was found to have a flaw in how its databases were secured that allowed critical user data to be read from unsecured Firebase databases, affecting many organizations. When a database’s JSON URLs were requested directly, the app’s data could be read directly.
2. Under Armour/MyFitnessPal—user data (hack)
150 million reported
In March 2018, popular fitness community MyFitnessPal notified users that an unauthorized party had acquired data from user accounts in February 2018. The information included usernames, email addresses, and hashed passwords. No payment information was taken.
1. Exactis—personal information (inadequate system design and general FUBAR, human error)
340 million reported
The leading miscreant this year, in the biggest breach since Yahoo made 3 billion user accounts vulnerable, Exactis left nearly 340 million records on a publicly accessible server. This information included phone numbers, addresses, email addresses, personal interests, and more. Exactis, an obscure Florida market research company, had collected highly detailed personal information. Although financial and social security information weren’t leaked, the magnitude of data collected could easily allow hackers to profile individuals by their personal information.