The 10 Worst Data Breaches of 2018

  • November 14, 2018

    It is shopping season, which means credit cards and bank transactions are flying at a whirlwind pace. For bankers, it is just another year and another busy season that they have been trained to manage. For banking customers though, it can be quite an ordeal just keeping up with our own spending.

    It is critical that we watch our accounts, though, not just to keep from overspending ourselves, but also to make sure someone has not hacked their way into our account and done some spending of their own. It is not just small companies lacking the necessary security that we need to beware of. Some of the most significant breaches this year were from major companies that we all use. Here is a list of the top ten data breaches from 2018.

    1. Aadhaar
    1.1 billion records breached
    Date: January 3, 2018
    The most significant breach of 2018 was in India through the company Aadhaar. Names, addresses, photos, phone numbers, and email addresses were leaked through a service sold through WhatsApp, which allowed you access to this information and, for an additional cost, ID cards could be printed for any Aadhaar number. This was essentially a nationwide breach that leaked the personal info for the entire 1.1 billion population of India.

    2. Exactis
    340 million records breached
    Date: June 26, 2018
    Exactis is a Florida-based marketing and data aggregation firm. Earlier this year they left a database exposed on a publicly accessible server. It contained two terabytes of personal details about approximately 340 million Americans and their businesses. The details leaked here included names and contact info for these people, but also, in some cases, personal info like the names and genders of their children.

    3. Under Armour
    150 million records breached
    Date: May 25, 2018
    Under Armour has a unique platform called MyFitnessPal, used to track diet and exercise. This platform was hacked last May, exposing usernames, email addresses and hashed passwords. Thankfully, this platform did not request any social security or other government identification information, so the initial damage was minimal, although it affected close to 150 people.

    4. MyHeritage
    92 million records breached
    Date: June 4, 2018
    MyHeritage, one of the nation's top genealogy companies, discovered a file on a private server outside the company which contained email addresses for every user who had registered with the company before October 26, 2017. The file also included hashed passwords, but no information related to payments – which are handled by a third-party service for MyHeritage. DNA and genealogy information is also stored on separate servers, so none of that personal information was leaked by this breach.

    5. Facebook
    At least 87 million records breached
    Date: March 17, 2018
    It is a common occurrence for individual Facebook accounts to be hacked, and users are strongly cautioned against accepting friend requests from strangers or from people they have already “friended.” However, in March, a political data firm, Cambridge Analytica, acquired the personal information of an initially estimated 50 million Facebook users through an app. The estimate was reassessed in April, when the number of people affected was suspected to be closer to 87 million. After further investigation, a second app, called was revealed to have exposed more data, bringing the total count of people affected up to 120 million (which would push Facebook up to the #4 worst breach of 2018).

    6. Panera
    37 million records breached
    Date: April 2, 2018
    Some companies are quick to report breaches and alert customers to change their passwords. Others are not. Panera’s website had a weakness in 2017 which began leaking customer records out in plaintext, a format that can be harvested by automated tools. Panera was alerted to this problem in August 2017, but the report was ignored for eight months. After this report was published in April 2018, Panera temporarily took its website down. They claimed that it affected fewer than 10,000 customers, but the more accurate number could be as high as 37 million customers.

    7. Ticketfly
    27 million records breached
    Date: June 7, 2018
    Last May, Ticketfly’s website was hacked, vandalized, taken down, and disrupted for a week. This attack was a deliberate digital assault that started with a ransom notice. The hacker who perpetrated this attack contacted Ticketfly and demanded a ransom to fix the website vulnerability they discovered. When Ticketfly refused, the hacker took over the Ticketfly website, installing a fake homepage, and stole a directory of data from customers and employees with contact information for 27 million Ticketfly users.

    8. Sacramento Bee
    19.5 million records breached
    Date: June 7, 2018
    This daily newspaper published in Southern California was breached by an anonymous attacker who made off with two databases from the Sacramento Bee. The attacker then demanded a ransom in exchange for renewed access to the data. The Sacramento Bee refused and deleted the databases. One of these databases had contact info for subscribers, affecting about 53,000 people, but the second database contained voter registry data, which affected a much larger 19.4 million voters in California.

    9. PumpUp
    6 million records breached
    Date: May 31, 2018
    Many of these breaches are limited to exposing the names, emails, and contact information of customers. Some, however, also exposed credit card information. Last May, Oliver Hough, a security researcher, found an exposed server from PumpUp that allowed public access to very sensitive information from their customers. This data included contact information, health information, private messages and photos, Facebook access, as well as unencrypted credit card numbers, expiration dates, and verification numbers. PumpUp did not issue a public response when informed about this breach, but they quietly secured that server. It is estimated that 6 million records were breached, but it is not apparent how long the server was exposed.

    10. Saks, Lord & Taylor
    5 million records breached
    Date: April 3, 2018
    The last breach was picked up from an online hacking announcement of 5 million stolen credit and debit cards. Gemini Advisory, along with a team of other financial organizations, traced this hack back to a compromised system of Saks Fifth Avenue and Lord & Taylor. Hudson Bay, which owns both of those stores, took immediate steps to remedy the problem, but they were still sued in a class action lawsuit by the customers affected by this breach. Up to 5 million credit and debit card records were leaked and potentially “sold” in this breach.

    Shop safely. Check the news for recent breaches and think twice about companies that have reported breaches but do not respond to them.