As 2018 draws to a close, we inevitably take the opportunity to look back at the year it has been, and make predictions about what 2019 might bring for cybersecurity.
Week after week, month after month, 2018 saw organisations and companies struck by massive and damaging data breaches, putting the personal details of innocent members of the public at risk.
In fact, the headlines about data breaches are so regular nowadays that it’s easy to forget what’s happened. Let’s take a look, month by month, at some of the most memorable incidents of 2018.
The year was only a few days old when India’s Tribune newspaper reported that criminals were selling unlimited access to the country’s vast biometric database over WhatsApp.
For the equivalent of about eight dollars, Tribune reporters were able to gain access to names, email addresses, phone numbers and post codes of over one billion individuals. And as if that weren’t bad enough, the newspaper claimed that for an extra five dollars they were offered a unique Indian ID card known as an Aadhaar card used to pay for government services including free school meals and fuel subsidies.
Ironically, the Aadhaar cards were part of the Indian government’s biometric ID program designed to help stamp out corruption and fight fraud.
The groups behind the breach appeared to have gained access to the database through crooked former employees.
In February, global delivery company FedEx was revealed to be one of the many companies that had left customer information exposed to the world on an unsecured Amazon AWS server.
Security researchers stumbled across a publicly accessible server containing more than 119,000 scanned documents including names, addresses, phone numbers, and scans of passports, driving licenses, and utility bills.
Like far too many other breaches involving unsecured cloud buckets, the hackers were not even asked for a password to gain access to the sensitive data.
March brought online privacy and the sometimes sloppy way that tech companies treat their users’ data into the spotlight, as the name Cambridge Analytica came to the attention of the general public.
A Facebook personality quiz was revealed to have scooped up personal information from the 270,000 people who ran it *and* details of some 50 million of their online friends.
Facebook app developers aren’t supposed to share users’ personal data with third parties, but the data harvested by the online quiz was shared with Cambridge Analytica. When Facebook discovered the data had been accessed, it demanded that it be destroyed but not everyone kept their word.
Technically, this wasn’t a Facebook data breach. It would be more accurate to call it a Facebook data policy breach.
But I would argue that the fact that this is how Facebook is supposed to work actually makes it worse than any data breach.
Meanwhile, another famous tech firm realised it had suffered its own security breach that put its users at risk. But, with Facebook dominating the headlines, Google decided to not go public with details of a serious bug until October 2018.
150 million users of the MyFitnessPal app discovered that their personal details had been compromised after hackers stole usernames, email addresses, and hashed passwords.
The fact that hashed passwords had been accessed was particularly troubling for users who might have had a commonly-used password such as a dictionary word, as hackers would most likely be able to use rainbow tables to unlock credentials.
Once again, users were reminded of the importance of choosing strong, hard-to-crack passwords and, crucially, of ensuring that they were using different passwords on different websites.
May should have been a good month for data security, with the introduction on 25 May 2018 of Europe’s GDPR legislation sending a shiver down the spine of any company that was being careless with private data.
For the first time, authorities had it within their power to hit firms with significant financial penalties if they were lax about security.
But you would be wrong to think that with GDPR just days away we would see the end of data breaches.
The myPersonality Facebook app, for instance, was found to have put six million users’ sensitive private data at risk by posting their data publicly for anyone to see on GitHub… for four years.
Facebook responded by suspending the app, and approximately 200 others, for using “large amounts” of profile information.
Six months into the year, and the data breaches keep on happening.
In June it was the turn of Ticketmaster, who warned that customer details may have been exposed after malicious code was found running on its website. The compromised information included names, addresses, email addresses, telephone numbers, payment details and login details.
The source of the problem was third-party code that Ticketmaster had placed on its payment page. Worryingly, digital bank Monzo contacted Ticketmaster in early April believing that security on the ticket website had been breached, but Ticketmaster failed to confirm the problem until June.
JULY
Customers of popular UK high street stores Currys PC World, Carphone Warehouse, and Dixons Travel were put on high alert in the summer of 2018 as it was revealed that approximately 10 million of them were impacted by a breach that saw hackers steal payment data details and per