We're only halfway through 2018, but the scale of some of the data breaches that have already been reported is staggering. Think Facebook was the biggest one? Guess again.
Six months is a long time in infosec, so it's no surprise that numerous data breaches have emerged in the first half of 2018. Below is a countdown of 10 of the biggest incidents reported thus far in 2018 in terms of total number of records compromised.
10. Saks, Lord & Taylor
- 5 million records breached
- Date disclosed: April 3, 2018
Near the end of March, security firm Gemini Advisory came across an announcement from the JokerStash hacking syndicate offering five million stolen credit and debit cards up for sale. With the help of various financial organizations, Gemini Advisory traced the sale back to a total system compromise of luxury department stores Saks Fifth Avenue and Lord & Taylor. Hudson Bay, the owner of both of the department stores, learned about the incident and took steps to remediate it. But that wasn’t enough for one Bernadette Beekman, who in April 2018 filed a class action lawsuit on behalf of all customers who used a payment card at Lord & Taylor stores during the breach period of March 2017 to March 2018. In her lawsuit, Beekman stated that Lord & Taylor had “failed to comply with security standards and allowed its customers’ financial information and other private information to be compromised by cutting corners on security measures that could have prevented or mitigated the security breach that occurred.”
- 6 million records breached
- Date disclosed: May 31, 2018
On May 31, ZDNet reported that they had been contacted by security researcher Oliver Hough in regards to a backend server he had found exposed to the Internet with no password to protect it. The server belonged to the fitness app PumpUp, and it gave anyone who came across it access to a host of sensitive customer data including user-entered health information, photos, and private messages sent between users. The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiry dates and card verification values.
When ZDNet reached out to PumpUp, the company did not issue a response, but it did quietly secure the server. It is unknown how long the asset had been sitting exposed.
8. Sacramento Bee
- 19.5 million records breached
- Date disclosed: June 7, 2018
In February, an anonymous attacker seized two databases owned and operated by The Sacramento Bee, a daily newspaper published in Sacramento, California. One of those IT assets contained California voter registration data provided by California’s Secretary of State, while the other stored contact information for subscribers to the newspaper. Upon hijacking those resources, the attacker demanded a ransom fee in exchange for regaining access to the data. The newspaper refused and deleted the databases to prevent additional attacks from leveraging them in the future.
According to The Sacramento Bee, the hack exposed 53,000 subscribers’ information along with the personal data of 19.4 million California voters.
- 27 million records breached
- Date disclosed: June 7, 2018
On May 31, Ticketfly suffered an attack that resulted in the concert and sporting-event ticketing website being vandalized, taken down, and disrupted for a week. The hacker behind the attack had reportedly warned Ticketfly of a vulnerability and demanded a ransom to fix it. When the company refused, the hacker hijacked the Ticketfly website, replaced its homepage, and made off with a large directory of customer and employee data, including names, addresses, email addresses, and phone numbers for 27 million Ticketfly accounts.
- 37 million records breached
- Date disclosed: April 2, 2018
On April 2, security researcher Dylan Houlihan reached out to investigative information security journalist Brian Krebs and told him about an issue he had reported to Panera Bread back in August 2017. The weakness resulted in Panerabread.com leaking customers’ records in plaintext — data which could then be scraped and indexed using automated tools. Houlihan attempted to report the bug to Panera Bread, but told Krebs his reports had been dismissed. The security researcher checked the vulnerability every month thereafter for eight months until finally disclosing it to Krebs, who published the details on his blog. Panera Bread took its website temporarily offline following publication of Krebs’ report.
Despite the company initially downplaying the severity of the breach and indicating fewer than 10,000 customers had been affected, the true number is believed to be as high as 37 million.
- At least 87 million records breached (though likely many more)
- Date disclosed: March 17, 2018
Who can forget the data scandal that rocked Facebook in March 2018? At that time, reports emerged of how a political data firm called Cambridge Analytica collected the personal information of 50 million Facebook users via an app that scraped details about people’s personalities, social networks, and engagement on the platform. Despite Cambridge Analytica's claim that it only had information on 30 million users, Facebook determined the original estimate was in fact low. In April, the company notified 87 million members of its platform that their data had been shared.
Unfortunately, with Facebook apps facing more scrutiny, it appears the Cambridge Analytica scandal may just be the tip of the iceberg. On June 27, security researcher Inti De Ceukelaire disclosed another app called Nametests.com had publicly exposed information of more than 120 million users.
- 92 million records breached
- Date disclosed: June 4, 2018
A security researcher reached out to the Chief Information Security Officer of online genealogy platform MyHeritage on June 4 and revealed they had found a file labeled “myheritage” on a private server outside the company. Upon inspection of the file, officials at MyHeritage determined that the asset contained the email addresses of all users who had signed up with MyHeritage prior to October 26, 2017. According to a statement published by the company, it also contained their hashed passwords but not payment information, as MyHeritage relies on third-party service providers to process members’ payments. Because the service also stores family tree and DNA data on servers separate from those that store email addresses, MyHeritage said there was no reason to believe that information had been exposed or compromised.
3. Under Armour
- 150 million records breached
- Date disclosed: May 25, 2018
On 25 March, Under Armour learned that someone had gained unauthorized access to MyFitnessPal, a platform which tracks users’ diet and exercise. CNBC reported at the time that the criminals responsible for the breach accessed individuals’ usernames, email addresses, and hashed passwords. The incident did not expose users’ payment information, as Under Armour processes this data separately. Nor did it compromise Social Security Numbers or driver’s license numbers, as the apparel manufacturer said it doesn’t collect government identifiers.
Upwards of 150 million MyFitnessPal users are believed to have had their information compromised in the data breach.
- 340 million records breached
- Date disclosed: June 26, 2018
Security researcher Vinny Troia discovered in June 2018 that Exactis, a marketing and data aggregation firm based in Florida, had left a database exposed on a publicly accessible server. The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses. As of this writing, Exactis has not confirmed the exact number of people affected by the breach, but Troia said he was able to find close to 340 million individual records. He also confirmed to Wired that the incident exposed affected consumers’ email addresses, physical addresses, phone numbers, and a host of other personal information, in some cases including extremely sensitive details like the names and genders of their children.
- 1.1 billion records breached
- Date disclosed: January 3, 2018
In January, reporters with the Tribune News Service paid 500 rupees for login credentials to a service being offered by anonymous sellers over WhatsApp. Using the service, the reporters could enter any Aadhaar number, a 12-digit unique identifier assigned to every Indian citizen. Doing so would retrieve numerous types of information on the queried citizen stored by UIDAI (Unique Identification Authority of India). Those bits of data included name, address, photo, phone number and email address. An additional payment of 300 rupees to the sellers yielded access to software through which anyone could print an ID card for any Aadhaar number.
The data breach is believed to have compromised the personal information of all 1.1 billion citizens registered in India.
Other notable data breaches
In November 2017, fitness tracking application Strava intentionally published an interactive map containing 13 million data points from its users. The map provided insight into how people all over the world used Strava to meet their fitness goals. But as reported by Bleeping Computer in late January, it also served an unintended and unwanted purpose. Nathan Ruser, an analyst with the Institute for United Conflict Analysts, discovered in January 2018 that the map revealed the locations of military bases. It did so by displaying people’s physical movements in otherwise remote areas where military installations were known to be located. These included U.S. military bases as well as Turkish and Russian stations.
Health South East RHF
Early in the year, Norway’s national healthcare security center HelseCERT detected abnormal computer activity. It eventually traced this suspicious behavior back to Health South East RHF, one of Norway's four regional healthcare organizations. According to Security Affairs, HelseCERT found “professional” and “advanced” attackers were responsible for the activity.
Following HelseCERT’s disclosure of the incident, Norway’s Ministry of Health and Care clarified that the country had taken various security measures to address the issue.
The exact number of those affected by the breach remains unclear. But given the coverage of Health South East RHF, it’s possible that 2.9 million citizens — more than half the population of Norway — were victims of the incident.
The security firm Kromtech discovered in March 2018 that Walmart partner MBM Company Inc., which operates Limogés Jewelry, had improperly secured an Amazon S3 bucket. As reported by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), New Jersey’s digital threat-sharing network, the asset contained customers’ information including their names, addresses, email addresses, plaintext passwords and payment information for all purchases they made between 2000 and 2018. Further investigation revealed that the bucket had been exposed since January 13, 2018 until Walmart closed off access to it later in the spring. The incident exposed 1.3 million customers’ data.
On April 4, Sears Holding Corporation and Delta Airlines both announced data belonging to hundreds of thousands of the companies’ customers had been exposed via a data breach at 7.ai, a third-party service that provides online chat support.
According to a statement from Delta, the breach is believed to have occurred from September 26, 2017 to October 12, 2017 and may have exposed credit card information for an undisclosed number of customers. The airline stressed that no other information, such as passport, government identification, or SkyMiles information, was impacted. Sears estimated that credit card information for less than 100,000 of its customers may have been exposed during the breach. A day later, retailer Best Buy announced a small portion of its customers may also have been affected by the breach.
On March 1, Orbitz discovered that someone had gained unauthorized access to one of its legacy travel booking platforms. The travel fare aggregator service believes the attacker had the permissions required to view sensitive information including customers' names, dates of birth, phone numbers, email addresses, billing addresses, gender, and payment card information. No evidence was found to suggest the incident exposed customers' passports, travel itineraries, or Social Security Numbers.
According to numerous reports, those responsible for the breach exposed the details of 880,000 customers' payment cards between October 1, 2017 and December 22, 2017.
A troubling first half of the year
The number of records compromised in Q1 and Q2 2018 have already surpassed the total number of breached records for all of 2017, as identified in Identity Theft Resource Center's (ITRC) 2017 Data Breach Industry Summary report. For context, the list of breaches provided in this article is far from comprehensive. There were plenty of additional data breaches that took place in the first half of 2018, which means the number of compromised records could actually be much higher. Only time will tell whether this is actually case.