Looking back on 2018, it’s been a memorable year for data privacy. From the launch of the General Data Protection Regulation (GDPR) in Europe to the federal investigation into Facebook’s data-sharing practices, we’ve seen more and more attention focused on data security and privacy.
Unfortunately, the past year also brought some high-profile data breaches from major companies, affecting millions of people in America and worldwide.
Here is our list of the top five worst data breaches of 2018:
1. Marriott Hotels
In November, Marriott Hotels announced that unknown entities had hacked the Starwood reservation system for Marriott properties worldwide, accessing the personal data of hundreds of millions of hotel guests going back to 2014. The information included names, mailing addresses, phone numbers, email addresses, credit card numbers, and even passport numbers, travel partners, and travel locations with arrival and departure dates.
Affected guests include any who stayed at Starwood properties such as Aloft, Four Points, Le Meridien, Sheraton, St. Regis, Westin, and W Hotels between 2014 and 2018. With up to 500 million people impacted, this data breach remains one of the biggest in history.
2. Facebook
Earlier this year, the world discovered that data analytics firm Cambridge Analytica had harvested 50 million Facebook profiles in early 2014 in order to build a sophisticated software system targeting U.S. voters with personalized political advertisements – so as to influence the outcome of the 2016 presidential election.
In September 2018, another 50 million Facebook profiles were exposed to hackers, who were able to scrape all profile information and even take over accounts using access tokens. Then in November, a glitch allowed other websites to read Facebook users’ Likes, interests, friends’ interests, religions, and more.
On top of that, in December, Facebook revealed that a Photo API bug had allowed third-party app developers to receive users’ unposted photos and any images uploaded to Facebook Stories, Marketplace, etc. The bug was fixed after 12 days, but up to 6.8 million users were affected.
3. Google+
In March, Google discovered a vulnerability – active since 2015 – that exposed 500,000 Google+ users’ personal data (usernames, email addresses, ages, etc.) to a third-party application. Rather than report the bug immediately, Google kept it secret for over six months in order to avoid negative press in the wake of Facebook’s Cambridge Analytica scandal at the time – and more importantly, to avoid “immediate regulatory interest” from the federal government.
Another bug on the social network was identified just weeks ago, caused by a software update with a vulnerability affecting a Google+ API. Google says it has no evidence that app developers took advantage of unauthorized access to users’ personal information, but nonetheless, up to 52.5 million Google+ users were impacted.
Upon public disclosure of these data leaks, Google made the decision to shut down the consumer version of the Google+ social network four months earlier than originally intended.
4. Exactis
One of the biggest data breaches of the year remained mostly under the radar. Marketing and data aggregation firm Exactis exposed a database containing 340 million individual records comprising nearly 2 terabytes of data. The exact number of affected individuals isn’t known, but the database did include personal information about hundreds of millions of American adults on a publicly accessible server – and security researcher Vinny Troia noted that it seems to involve “pretty much every U.S. citizen”.
Most alarmingly, the database goes into incredible detail for every listed individual – from phone numbers and home addresses to the person’s interests, habits, and the number, age, and gender of their children. The records even specify granular details like religion, whether the person is a smoker, and the type of pets they have.
5. Ticketmaster
Ticketmaster suffered a major data breach in June, when malicious software on a third-party customer support product from InBenta Technologies allowed hackers to gain access to Ticketmaster customers’ payment information.
Originally it was believed that the breach only affected UK customers who bought tickets between February and June 2018. However, it turns out that the hack was much broader than that – with 17 different Ticketmaster sites affected over a longer period of time – and Ticketmaster was just one of approximately 800 e-commerce sites (including some of the largest brands in the world) hit by this massive credit card-skimming operation. At this point, it’s hard to say how many consumers may have been affected, whether hundreds of thousands or even millions.
So What’s Next?
Overall, it’s clear that major companies worldwide have a problem handling customer data responsibly. Whether due to poor security practices, technical bugs, or just plain human error, data breaches seem to be a fact of life nowadays. But it doesn’t have to be that way.
At Amber, we’re forging a new path in data storage. Our privacy-driven model places your security as the chief concern, so you’ll never again have to sacrifice privacy for convenience. We strive to be the pioneers in a new paradigm of digital storage – where data breaches are a thing of the past.