2018 saw an unprecedented number of large-scale hacks on companies that store our most personal data, and these data breaches threaten everyone’s finances, credit reputation, online reputation, and so much more. As we enter 2019, it’s important that we look back at what was compromised, determine whether there are any further individual security measures to take in the wake of these data breaches, and bolster ourselves against future cybersecurity threats.
A Brief History of Data Breaches
Over the past decade, we’ve seen a large number of data breaches take place, putting the personal information of millions at risk. According to a recent study from Shape Security, 2.3 billion user credentials were obtained by hackers in 2017 alone. These breaches are not only a potentially life-altering event for the individuals affected, but they can also be rather costly for the businesses targeted.
If proprietary data from your business is hacked, this can lead to a lot of expensive headaches. Anything you’re working on might fall into the wrong hands or into the hands of your competitors. If hackers get hold of customers’ personal information, this will lead to a loss of trust. Some of your customers might even stop paying for your products or services. Needless to say, data breaches are big trouble and must be prevented.
The Hacks of 2018
Though it’s hard to predict when the next breach will be and whom it will target, one thing is certain: the internet is constantly evolving, and hackers are getting increasingly smarter. Looking back at 2018, we saw some remarkable and devastating data breaches. Below are 10 of the largest attacks over the past year:
● Facebook (reported September 2018) – nearly 50 million users’ logins were acquired, exposing their personal information and allowing their social media profiles to be used as a platform to further spread malware and spam. This was the most massive attack the social media company has faced in its 14-year history, but certainly not the first one. Facebook identified two primary bugs in their code, as well as some compounding factors, that were exploited by the hackers to obtain user login tokens. Once identified, Facebook resolved these flaws quickly; however, the hackers still got away with user information. So, if you haven’t changed your Facebook password since September 2018, you could still be at risk, and you should update your login credentials right away.
● TicketFly (reported May 2018) – 27 million accounts were breached in May of 2018. A hacker infiltrated TicketFly’s website, accessing usernames, home addresses, email addresses, and phone numbers; however, according to TicketFly, no passwords or payment/financial information were stolen. The hacker initially breached the site and demanded bitcoin from TicketFly in exchange for “protection,” but TicketFly did not respond to the threat. The hacker subsequently disabled the website’s functionality and got away with the user information. TicketFly eventually regained control of the site and, as a precaution, forced all users to change their passwords. TicketFly has not released any information about how this hacker, self-identified as IsHaKdZ, infiltrated their site. So, it’s possible we could see similar attacks in the future.
● MyHeritage (reported June 2018) – 92 million user emails and hashed passwords were taken from the site. MyHeritage’s Information Security Team were alerted to the existence of a file, outside of the organization’s internal servers, with all of this sensitive user information. The team confirmed its authenticity but also confirmed that the accounts had not been accessed, most likely thanks to the passwords on the file being hashed/encrypted. Since MyHeritage stores the personal DNA information — extremely private information — of its users on their site, this breach had the potential to be a lot worse … to be truly devastating. Luckily, all the hacker obtained was email address information. It is possible these email addresses will be sold to research companies and, in turn, advertisers, but there is no way to know exactly what a hacker will do with acquired personal information.
● Exactis (reported June 2018) – the marketing firm, Exactis, exposed the extremely personal information of 340 million people by storing it on a readily available public database, which a security researcher came across accidentally. The researcher notified the firm and then the public. According to Wired, the information goes into “minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics,” ranging from “interests and habits to the number, age, and gender of the person’s children.” While financial information was not included on the database, this extent of nonpublic personal information is exactly what a hacker needs to execute impersonation or profiling schemes. After the researcher informed Exactis that this data was unsecured, they quietly removed the database. However, there is no way to know who or how many bad agents accessed the nearly 2 terabytes of information during the preceding months.
● British Airways (reported September 2018) – between August and September, 565,000 travelers’ financial information was compromised after a hacker group collected customers’ credit card information from the airline’s website.
● Marriott (reported November 2018) – this data breach persisted, unidentified, for over four years, during which time hackers had access to the reservation systems of many Marriott hotel chains, exposing the private details of up to 500 million customers. This is, so far, one of the biggest and longest data breaches in history, and particularly troubling in light of the kind of data that was stolen. In addition to standard personal information, hackers were able to obtain passport numbers, travel locations, as well as arrival and departure dates. Such data empowers hackers to pursue various criminal endeavors, including identity theft. If you have stayed at a Marriott hotel, or any Starwood hotel, in the last four years, it may be worth investing in a credit monitoring service or signing up for identity theft protection.
● Quora (reported December 2018) – 100 million users’ logins and passwords were stolen. It’s likely that hackers were looking for this information in an attempt to further attack users that may repurpose the same login credentials on more sensitive sites, such as online banking.
● Under Armour’s MyFitnessPal (reported March 2018) – 150 million usernames, email addresses, and hashed passwords were compromised by an unauthorized account in March.
● Hudson’s Bay (Saks Fifth Avenue and Lord & Taylor) (reported April 2018) – it’s estimated that millions have been compromised by this breach that took place from July 2017 until late March 2018. This breach compromised payment systems, thereby exposing customers’ debit and credit cards.
● 7.ai (reported April 2018) – 7.ai provides customer support services to many large companies, and this data breach was a hack in 7.ai’s AI chat feature. They are contracted out by Delta Airlines, Sears, Kmart, and Best Buy, all of whom were affected. At Sears alone, upwards of 100,000 customers’ credit card details were accessed.
Common Internet Scams
The best way to prevent yourself from falling victim to a future data breach that could affect your personal and financial information is to educate yourself on the most common internet scams and protect your personal data against them.
Phishing is one of the most common forms of data breaches. It is a cybercrime in which hackers pose as legitimate organizations, then target victims using email, telephone, or text message. Once they’ve gained your trust, these hackers lure you, their victims, into revealing your personal data.
Cyber attackers will often set up a fake website that looks identical to the site you are used to visiting. The difference, however, is often in a single character changed in the URL. They are hoping that you will think you’re on a site you trust and perform your usual shopping behavior, thus, entering personal information, including your credit card, into their system.
To avoid this scam, always double check the URL spelling, especially when arriving at a site through an advertisement or shared link instead of by typing in the URL yourself or navigating there via a bookmark. Also, look for a padlock symbol next to the site in the URL bar, which assures you that you’re visiting a secure sockets layer (SSL) verified site.
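The URL spelling check described above can be automated. The following Python sketch is an added example, not part of the original article; the trusted-site list, function names and sample URLs are constructed for illustration. It reduces a link to the host the browser would actually contact and flags it when that host is one character away from a site you trust.

```python
from urllib.parse import urlsplit

# Constructed list of sites the user really deals with (assumption for this example).
TRUSTED = {"paypal.com", "amazon.com", "britishairways.com"}

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def site_of(url):
    """Host the browser would contact, reduced to its last two labels.
    Simplification: multi-label suffixes such as .co.uk are not handled."""
    if "://" not in url:
        url = "//" + url  # let urlsplit read a bare "example.com/x" as a host
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify(url, trusted=TRUSTED, max_distance=1):
    """Return (verdict, trusted site that the link matches or imitates)."""
    site = site_of(url)
    if not site:
        return ("invalid", None)
    if site in trusted:
        return ("trusted", site)
    for good in sorted(trusted):
        if edit_distance(site, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links: genuine, one character swapped, and two cases
    # where the trusted name appears in the URL but is not the real host.
    for sample in ["https://www.paypal.com/signin",
                   "https://paypa1.com/signin",
                   "https://paypal.com.evil.example/login",
                   "https://paypal.com@evil.example/"]:
        print(sample, "->", classify(sample))
```
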
Viruses & Malware
Data breaching is also perpetrated through viruses and malware. Hackers create viruses by developing software that can copy itself to a computer and then extract whatever information the hacker requires. Malware is similar, except it can disguise itself as a legitimate program or tool that you, the victim, believe you need to download in order to perform normal functions or desired actions on your computer or mobile device.
Keeping Information Safe Requires:
- A secure and private network/internet connection
- Digital hygiene and education: safety tips for children, teens, and the elderly with different needs and privacy concerns
- Selecting and installing parental control apps and antivirus software
- A strong and highly secure password
3 Tips for Users of New Devices:
- Enroll in an unlimited support plan that will cover both education and immediate support
- Start up and secure new tech before gifting it to someone
- Enable advanced security settings and protect new tech with unique passwords