2018 Data Breaches: The List No One Wanted To Make

2018 data breach

So far this year (and there’s still one more day), Verizon reported that there have been 2,216 confirmed data breaches across 65 countries. Even more disturbing, perhaps, is that 68 percent of those breaches took months for the breached companies to discover. If that’s not disturbing enough, 28 percent of those incidents were perpetuated by insiders. More than half of those breaches by outsiders were done by members of organized crime.

According to the report, cybercrime touched nearly every sector throughout 2018, including those that may seem less obvious, like education or manufacturing — and for one obvious reason: the money. There were a few noteworthy headliners. For example, Marriott, Facebook and a database marketing firm by the name of Exactis exposed the records of roughly 300 million people. So, as we turn the page to 2019, a year that will no doubt see more of the same, here’s another look at those that made The Best Of The Worst Things To Happen In 2018 list.


Facebook’s 2018 regarding the stewardship of user data and privacy was one it would like to soon forget. The most eye-catching — and headline-generating — of those lapses was the Cambridge Analytica scandal, which saw the data of 87 million Facebook users end up in the hands of a political consultancy.

That incident, however, is not why Facebook makes this list. While the intricacies of how exactly Cambridge Analytica gathered the data are still somewhat contested, no one is disputing that it got access to customer data that it wasn’t supposed to have.

Facebook makes this list due to its late-September revelation that roughly 50 million of its users had their data exposed through an attack on its network. The social media giant found that attackers were able to take control of user accounts through a function within the platform’s code, according to reports. In the aftermath of the breach, about 90 million Facebook users had to log out while Facebook fixed the vulnerability and consulted the authorities.

“We’re taking it really seriously,” Facebook Chief Executive Mark Zuckerberg told reporters in a conference call. “We have a major security effort at the company that hardens all of our surfaces.”

Zuckerberg also told reporters, “I’m glad we found this. But it definitely is an issue that this happened in the first place.”

The hack worked by taking advantage of vulnerabilities in the code for Facebook’s “View As” feature, enabling hackers to abscond with access tokens that could then be used to hijack the target account. While the company knows the attack would have given hackers access to control over user accounts, there were no reports on what, if any, user information was accessed.

Department Store Hacks

While some say consumers rediscovered department store shopping in 2018, the same could also be said of cybercriminals — at least, at two big ones.

Retailer Hudson’s Bay got story started in early April with the disclosure that Saks Fifth Avenue and Lord & Taylor stores in North America had their payment cards compromised. The breach was believed to have seen 5 million cards compromised.

“HBC today [April 2] announced that it has become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5th and Lord & Taylor stores in North America,” the company wrote in a statement. “While the investigation is ongoing, there is no indication at this time that this affects the company’s eCommerce or other digital platforms: Hudson’s Bay, Home Outfitters or HBC Europe.”

The company, at the time the news of the breach went public, did not comment as to whether or not its network was secure, though it did note in a statement that “it had identified the issue, and has taken steps to contain it.”

Hudson’s Bay also cautioned consumers to monitor their statements for suspicious activity, and noted it would offer free identity protection services, including credit and web monitoring.

Two and a half months later, Macy’s announced that hackers obtained names and passwords of online customers — and might have accessed credit card numbers and expiration dates. According to early reports, the data breach impacted 0.5 percent of customers who were registered on Macys.com or Bloomingdales.com.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” Macy’s said in an emailed statement.

While personal data, including birthdays, may have been accessed, the retailer said that Social Security numbers were not. Customers that may have been impacted were offered consumer protection services.

Fitness Hacks

Sandwiched between the Hudson’s Bay and the Macy’s hacks came the adidas breach, which reportedly saw “a few million” customers’ information stolen by cybercriminals.

The breach was reportedly discovered when “an unauthorized party” contacted the company and claimed to have a large trove of consumer data. Verification of that data cache found it to contain contact information, usernames and encrypted passwords — though it did not seem to contain any credit card or health and fitness data.

“We are alerting certain consumers who purchased on adidas.com/U.S. about a potential data security incident. At this time, this is a few million consumers,” a spokeswoman said in an email, according to Bloomberg.

In 2018, adidas was the second big health and fitness firm targeted. Under Armour got the year off to a bang with the revelation that it had been on the receiving end of one of the biggest hacks in history — data from 150 million users of its MyFitnessPal diet and fitness app was compromised in February.

“On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018,” the company wrote in a statement. “The company quickly took steps to determine the nature and scope of the issue, and to alert the MyFitnessPal community of the incident.”

The stolen data included account usernames, email addresses and scrambled passwords for the MyFitnessPal mobile app and website. As was the case with adidas, Social Security numbers, drivers’ license numbers and payment card data were not compromised.

Exactis Hack

Exactis was the biggest hack of the year, and was the easiest to quickly forget — since Exactis isn’t exactly a household name. However, given that it managed to leak 340 million Americans’ data to hackers in late June 2018, the company earned its spot on this list.

The marketing and data aggregation firm uses a database containing files on hundreds of millions of Americans, which it left unsecured and accessible on the open internet where anyone could view the files. The data included personal information on millions of adults in the country, and millions of businesses. Sensitive information, such as credit card account or Social Security numbers, does not seem to have been available in the database. Yet, the hack exposed close to two terabytes of data, including phone numbers, addresses, emails and other information such as interests, habits and a person’s number of children.

“It seems like this is a database with pretty much every U.S. citizen in it,” said Nick Troia, founder of Night Lion Security. Troia discovered the breach and said he was able to find nearly every person he searched for in the database. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” he added.

Troia noted that while it’s not clear if any hackers have accessed the database, it’s not too difficult to find — he did so with Shodan, an internet search tool. He was interested in the security of Elasticsearch databases, and quickly uncovered the unprotected Exactis database.

“I’m not the first person to think of scraping Elasticsearch servers,” he said at the time. “I’d be surprised if someone else didn’t already have this.”

Marriott Hack

The details of the Marriott breach were bad enough on face — as many as 500 million guests’ data was accessed through a breach of the Starwood hotel guest reservation database. According to reports, an alarm was first raised in September when an internal security tool found attempts to access guest information.

However, further investigation found that unauthorized access had been ongoing since 2014. Unauthorized parties had been able to copy and encrypt information that was found, in November, to have resided in the aforementioned Starwood database.

The story got worse as reports emerged that the hackers behind the data breach at Marriott may have been working for the Chinese government as part of an intelligence-gathering effort.

According to reports, private investors looking into the breach found hacking tools, techniques and procedures that have been associated in the past with Chinese hackers. The discovery of the tools means it’s possible the attackers were looking for information for spying purposes, not for financial gain.

The sources noted that although China is viewed as a lead suspect in the hack, there is a chance that someone else pulled it off — others have access to the same hacking tools. What’s more, Reuters noted that pinpointing the person or government behind the hack could be more difficult because multiple hacking groups may have been inside the Starwood reservation system since 2014.

China, for its part, has denied any involvement in the hack. Geng Shuang, spokesman for the Chinese Foreign Ministry, did not comment directly on the Marriott reports, but did reaffirm that China opposes any type of hacking.

“If the relevant side has any evidence, they can provide it to the Chinese side, and relevant authorities will investigate in accordance with the law,” he told a daily news briefing. “But we resolutely oppose gratuitous accusations when it comes to internet security.”

Marriott Spokeswoman Connie Kim declined to comment, saying “we’ve got nothing to share” when asked about involvement of Chinese hackers, noted Reuters.

The accusations of cyber-espionage come as the U.S. and China are engaging in difficult and, at times, tense trade negotiations.

Other Hacks

While PYMNTS could not make space for everyone, we would like to at least include one honorable mention. Google was not technically hacked, but it did expose user data that was supposed to be hidden to 500,000 developers, due to a security bug. That was followed by news that it had accidentally made 50 million accounts’ worth of data vulnerable — for about six days before the security bug was found.

“No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way,” said Google’s Vice President of Product Management for G Suite David Thacker in a blog post.

So, not a breach — technically, but not quite a proud security moment for 2018 either. Given the ubiquity and persistence of hackers, less-than-proud security moments are going to happen.

Will they happen less in 2019? We’d like to hope so, though we don’t think hackers are going to be any less interested in stealing data they ought not have. We’ll keep all posted on the best ideas and innovations for keeping them frustrated enough to stop trying.