As we roll into the first few days of 2019, many Cybersecurity professionals are taking stock of the damage that occurred back in 2018.  If anything, it has been deemed to be the worst year for Cyberattacks, in terms of the total number of people being affected by Phishing, Malware, Business E-Mail Compromise (BEC), Ransomware, Cryptojacking, Credit Card Skimming, you name it.

In fact, it has been estimated that more than 1 billion people worldwide were affected by something, whether it was from having their computers frozen, their passwords hacked into, or having their credit card information stolen.  This aggregate number reflects not only the individuals that were impacted, but also the hundreds of businesses and corporations that were impacted as well.

So, here is a rundown of the worst Security Breaches to occur in 2018:

British Airways: 380,000 accounts hacked into

This occurred between August 21st and September 5th, where the PII of British Airways’ customer base was stolen.  This was done by exploiting a vulnerability on their website as well as their mobile app.  Apparently, there was a backdoor in the booking component of the website, and thus, the Cyberattacker was able to launch a SQL Injection Attack.

Google+: 500,000 accounts hacked into

The Cyberattack here went on for three years, unnoticed.  The only information that was stolen were things like birthdays and occupations of the various subscribers.  No proof was ever produced to show malicious intent by the software developers at Google.  But nevertheless, this Social Media site has now been shut down by Google permanently.

Ticketfly/Eventbrite: 27 million accounts hacked into

The Cyberattacker who launched this attack goes by the name of “IsHaKdZ”.  This person even replaced the homepage of Ticketfly with an image of the letter “V” from the movie Vendetta.

Uber: 57 million accounts hacked into

The compromised PII included the names and telephone numbers of Uber customers worldwide.  There were about 7 million accounts that were further hacked into, where much more sensitive information and data were compromised.  To make things even worse, Uber even tried to pay off the Cyberattackers so that they would promise not to use the compromised PII to launch subsequent Identity Theft attacks.

Facebook: 147 million accounts hacked into

It all started back in March, when Cambridge Analytica got illegal access to the PII of Facebook’s subscriber base.  Two more hacks followed later in the year, in September and December.

MyHeritage: Data Leakage of 92 million users

This was not deemed to be a Cyberattack per se, but the company accidentally leaked out the E-Mail addresses and passwords of a large chunk of its customer base.

Quora: 100 million accounts hacked into

This hack was caused by a malicious third party that Quora entrusted.

Firebase: 100 million accounts hacked into

This is a platform that is actually owned by Google, and is not known by many people.  It is used mostly by mobile app developers, and it was a misconfigured database that led the accounts to be hacked into.

MyFitnessPal: 150 million accounts hacked into

This was another data leakage issue; it is not known if it was caused by a Cyberattacker or not.  But this was one of the very few instances where an impacted company actually notified their customers that their PII might have been hacked; the turnaround time was just four days.

Twitter: 330 million accounts hacked into

Out of all of the Social Media sites so far, Twitter had remained relatively unscathed from a large-scale Cyberattack, that is, until last year.  Apparently, a third-party vendor accidentally released the PII of its subscriber base.

Marriott: 383 million accounts hacked into

This has probably been deemed to be one of the worst Cyberattacks to occur in 2018.  The compromised PII included the names, addresses, phone numbers, and card numbers of its customers.  To make matters even scarier, it does not yet appear that the Cyberattackers were motivated by financial gain.  So, it appears that this could be the work of a nation state actor, though this is still unknown.

So, there you have it.  The worst of the worst Security Breaches to occur in 2018.  Whether it was caused by a misconfigured server, an improperly set database, or a lack of trust with a third-party vendor, the fact is that over a billion innocent lives were affected.  But these impacted individuals were mostly either customers or employees of an organization, in which the survey found the latter to be most impacted.

Corporate America knows what it needs to do in order to beef up its lines of defense.  This does not mean that Cyberattacks won’t continue to happen; unfortunately, they will keep happening for who knows how long. But the bottom line is that the C-Suite, which is ultimately responsible for the safety and security of their organization, must be held accountable and take an active stance in the Cybersecurity of their own businesses.

But one piece of advice I can give to the American consumer or employee:  Give out as little PII as you have to.  But of course, this is easier said than done.  For example, we are a society that is always in a rush.  Instead of having to enter our credit card number manually each and every time that we make a purchase, we like to have it stored for the sake of convenience.  This is just another attack surface for the Cyberattacker.

If the C-Suite is proactive, then the rest of the employees will be as well.  It all starts from the top down.  Let’s all hope that 2019 will be a much better year, in that the total number of innocent people being impacted will be much lower, when I write this same blog again in January 2020.