Every week we get news of another massive data breach. While some commentators are suggesting that this is the new normal, and that data leaks and hacks are an inevitable part of our connected world, it’s worth looking at the largest data breaches to see what they have in common – and what they can teach us about data security for 2019.
1: Aadhaar (1.1 billion)
Who?
India’s national personal identity card system contains information on Indian residents, including biometric data, names and information on connected services, such as bank accounts.
How?
A state-owned utility company called Indane was tapping into the Aadhaar database using an unsecured API. Hackers cracked the API and gained access to more than a billion records.
2: Marriott Starwood (500 million)
Who?
Marriott is the world’s largest hotel chain. Their Starwood brand operates a rewards scheme, and this database was accessed by hackers. While the breach was reported in 2018, it is believed to be a long-running data leak, stretching back to 2014.
How?
While details of the hack have not been released, the US government has laid the blame at the door of Chinese state hackers.
3: Exactis (340 million)
Who?
Exactis is a marketing and data aggregation firm. They hold comprehensive data on most US citizens, including information about preferences, interests and family connections.
How?
Exactis was storing more than 2 terabytes of personal data on a publicly accessible server. The exposed data was detected by a security researcher, who notified the FBI and Exactis; the company has since secured the database. The researcher found the open database with a scanning tool that looks for unprotected Elasticsearch instances.
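The Exactis exposure is the classic "database bound to every interface with no authentication" misconfiguration. The following is an added example, not code from Exactis or from Elastic, showing how a defender can audit an elasticsearch.yml for that pattern before a scanner finds it. Both configurations are constructed samples, and the parser only understands the flat `key: value` lines in which these settings are normally written.

```python
"""Audit a flat elasticsearch.yml for the 'exposed and unauthenticated' pattern.

Added example with two constructed configurations. Assumption: the settings of
interest (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled)
are written as single-line key: value pairs.
"""

# Constructed sample: listens on every interface with security switched off.
WEAK_CONFIG = """\
cluster.name: marketing-data
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: bound to a private address, authentication and TLS on.
HARDENED_CONFIG = """\
cluster.name: marketing-data
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# network.host values that expose the node on all (or all routable) interfaces.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text):
    """Parse single-line 'key: value' entries; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means the checks all passed."""
    s = parse_flat_yaml(config_text)
    findings = []

    # network.host may be a single value or a bracketed list; default is loopback.
    raw_hosts = s.get("network.host", "_local_").strip("[]")
    hosts = {h.strip() for h in raw_hosts.split(",")}
    if hosts & PUBLIC_BINDINGS:
        findings.append("network.host binds the node to all interfaces")

    # Security is treated as disabled when the key is absent, which matches the
    # 6.x/7.x releases of the period; newer releases enable it by default.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication")

    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP TLS is disabled: credentials and data travel in clear")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

The check is deliberately narrow: binding to a private address is not a substitute for authentication, so the hardened sample enables both, and the audit reports each missing control separately rather than stopping at the first one.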
4: MyFitnessPal (150 million)
Who?
MyFitnessPal is a fitness and diet-tracking app owned by Under Armour, the athletic clothing company.
How?
Details are lacking. The company has only said that an unauthorised person accessed data. Some user passwords were stolen in the hack, but they were hashed with bcrypt, a salted and deliberately slow hashing function, which protects them against straightforward recovery.
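Why a salted, slow hash changes the picture after a breach: the added example below (not MyFitnessPal's code) contrasts an unsalted fast hash, which lets anyone holding the stolen table see at a glance which users share a password, with a salted and expensive one. The page names bcrypt; this example uses the standard library's scrypt as a stand-in because it needs no third-party package, and the principle is the same. The user records are constructed.

```python
"""Unsalted fast hash versus salted slow hash for stored passwords.

Added example; scrypt from the standard library stands in for bcrypt. The
parameters n, r, p below are an assumption chosen to keep the demo quick.
"""
import hashlib
import hmac
import os

# Work factor: 128 * r * n bytes of memory (16 MiB here) per hash computation.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def naive_hash(password):
    """What a breached table looks like when passwords are hashed without a salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, memory-hard hash; returns 'salt_hex$digest_hex' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_groups(hashes):
    """Group usernames whose stored hashes are identical.

    With an unsalted hash this immediately reveals users who share a password;
    with a salted hash every entry differs, so the grouping yields nothing.
    """
    groups = {}
    for user, h in hashes.items():
        groups.setdefault(h, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample accounts; two of them reuse the same password.
SAMPLE_USERS = {"alice": "winter2018", "bob": "winter2018", "carol": "Tr0ub4dor&3"}

if __name__ == "__main__":
    naive_table = {u: naive_hash(p) for u, p in SAMPLE_USERS.items()}
    salted_table = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted, shared-password groups:", shared_password_groups(naive_table))
    print("salted, shared-password groups:  ", shared_password_groups(salted_table))
    print("verify alice:", verify_password("winter2018", salted_table["alice"]))
```

The caveat a practitioner should keep in mind: a slow salted hash buys time, not immunity. A guessable password such as the constructed "winter2018" will still fall to a targeted guess; the hash only stops the attacker from recovering every password in one pass over the table.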
5: Quora (100 million)
Who?
Quora is a hugely popular question-and-answer site, with millions of active users.
How?
The company has not released details yet, and has only stated that an unauthorised person accessed user records. Quora also stated that it is engaging a forensic technologist to help trace the cause of the breach and prevent future hacks.
6: MyHeritage (92 million)
Who?
MyHeritage is an online genealogy and DNA testing service.
How?
They don’t know. A member of the firm’s security team found a trove of MyHeritage data on an external server. The database contains 92 million records, including names, email addresses and hashed passwords. MyHeritage has engaged an external security consultant to identify the source of the breach.
7: Cambridge Analytica (87 million)
Who?
A Facebook game called ThisIsYourDigitalLife passed user data to several third parties, including Cambridge Analytica, a data analytics company that worked with the Trump presidential campaign to target ads to swing voters.
How?
Because of Facebook’s permission settings at the time, the game allowed the developer to harvest information on its users and on their friends and contacts. Only 270,000 people installed the app, but this meant the developer was able to pass data on millions of people to Cambridge Analytica.
8: Google+ (52 million)
Who?
Google+ is a social network. In March, Google announced that some Google+ app developers had accidentally been given access to user data. In December, Google announced that a second data breach, which they may have tried to hide, affected 52.5 million users.
How?
The Google+ hack seems to have been caused by a glitch that made user profile information available to app developers. Google is now planning to close their social network.
9: Chegg (40 million)
Who?
Chegg is an online store offering textbooks, tutors and online study support.
How?
An unauthorised third party was able to access a company database that included customer data for Chegg and some of their other brands.
10: Facebook (29 million)
Who?
The world’s largest social network was hacked, exposing sensitive user data including contact information, searches and usage history.
How?
Hackers exploited vulnerabilities in Facebook’s code to get access tokens, which then gave them full access to users’ details.
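A stolen access token is only as damaging as what it permits and for how long. The added example below is generic and not Facebook's implementation: it issues HMAC-signed tokens that carry an expiry and an explicit scope list, and the checking side rejects anything expired, tampered with, or used for a scope it was never granted. The signing key, the user ids and the scope names are constructed for the demo.

```python
"""Short-lived, scoped, signed access tokens and their server-side check.

Added example. Assumptions: tokens are 'base64url(payload).base64url(hmac)',
the server holds SERVER_KEY, and scope names such as 'profile:read' are
hypothetical. The key below is a demo value, not one to deploy.
"""
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key-do-not-deploy"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, scopes, ttl_seconds, now=None, key=SERVER_KEY):
    """Mint a token that names its subject, its scopes and an absolute expiry."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "scope": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def check_token(token, required_scope, now=None, key=SERVER_KEY):
    """Return the subject if the token is authentic, unexpired and scoped; else None.

    Order matters: verify the signature before trusting anything in the payload.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    if required_scope not in payload.get("scope", []):
        return None
    return payload.get("sub")


if __name__ == "__main__":
    # Constructed scenario: a ten-minute token that may read a profile only.
    t0 = 1_600_000_000
    tok = issue_token("user-42", {"profile:read"}, ttl_seconds=600, now=t0)
    print("fresh, right scope:", check_token(tok, "profile:read", now=t0 + 60))
    print("wrong scope:       ", check_token(tok, "messages:read", now=t0 + 60))
    print("after expiry:      ", check_token(tok, "profile:read", now=t0 + 601))
```

The design choice worth noting is that expiry and scope live inside the signed payload, so an attacker who obtains a token cannot extend its life or widen its reach without the server key; the remaining exposure is bounded by the ttl, which is why short lifetimes matter for tokens that represent a logged-in user.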
How can you avoid a data breach?
There are a few patterns in the top 10 data breaches of 2018:
Weak software. Many of these breaches were caused by vulnerabilities or weaknesses in the systems used.
Glitches. Hackers have a keen eye for software glitches with unintended consequences, and exploit them ruthlessly to reach data that is usually hidden.
Mystery losses. A worrying trend from the top 10 is the number of ‘unknowns’. At the time of reporting, a number of companies have been unable to confirm how the hack was perpetrated.
The main lesson to learn from these examples is that hackers are creative and flexible, and that data leaks from organisations in many different ways.
Internal agents, external criminals, weak software, outdated software connections and APIs, weak passwords, clumsy security practices, social engineering – these are all common components of data breaches.
This suggests that organisations have a lot of work to do to protect every corner of their castle. Hackers look for weak spots in many different areas, and so organisations must address every aspect of their security: software, hardware, people, processes and culture.