It’s tempting to believe that important data breaches only happen in the US and the figures tend to bear that out – the US accounts for the overwhelming majority of the really big data breaches that have been made public, some of them absolutely vast. But US laws and regulations force organisations to admit to data breaches involving the customer, something which is not true in all countries.
In the UK, the most important piece of legislation organisations had to worry about was the Data Protection Act and the possibility of fines from the Information Commissioner’s Office (ICO). Now, with the General Data Protection Regulation in full force across the EU (and being mirrored in the UK by the Data Protection Bill), businesses found not to have adequately disclosed breaches or protected their users face enormous fines.
With credentials being bought and sold on the dark web for serious money, significant breaches – often in the millions, and sometimes including card data – seem to be more and more commonplace.
Below we offer what we believe are the most significant data breaches to hit the globe, not in all cases because they were particularly large but because of the type of attack or vulnerability involved or the sensitivity of the data compromised.
This list is in chronological order.
An EE customer was stalked by her ex-boyfriend who worked at the company after he accessed her personal data without permission.
Francesca Bonafede told the BBC that the perpetrator got hold of her home address and bank details, switched the number to a new handset, altered her account details and sent fraudulent documentation in her name to his own address.
The problems began in February 2018 when Bonafede’s phone suddenly stopped working. An EE call centre handler informed her that someone had visited one of the company’s shops, requested a new SIM card and moved the account to a new handset, registering it to an address that she recognised as that of her ex-partner.
All texts and calls made to her during the period would have gone to the man, who she also suspects accessed the photocopies of her passport and driving licence that she had provided to EE.
Bonafede said that EE failed to take the incident seriously, forcing her to make a complaint to the police. Her ex-partner then repeatedly contacted her and turned up at her home in an attempt to persuade her to withdraw the complaint. An EE spokesman said that the company’s internal policies had not been followed and that the man no longer worked for the mobile network operator.
Anna Russell, VP at data protection and digital payments services provider Comforte AG, said such incidents of data abuse or theft by company insiders occur fairly regularly but are trickier to mitigate than cyber attacks from external actors.
“A research study from 2018 found that about one out of four data breaches are caused by employees rather than attackers from the outside,” she said.
“Many organisations are well prepared to defend their perimeter against unauthorised access, but very few are equally well prepared against the risk of unauthorised data access by an insider.
“Preventing such situations is absolutely possible and requires data-centric security. With this approach, all personal, sensitive data is de-identified by default all the time. Access to the actual personal information is only made available on a need to know basis with a clear business purpose after proper authentication.”
Parenting site Mumsnet reported itself to the Information Commissioner’s Office after an upgrade led users to see details of other accounts.
Mumsnet CEO and founder Justine Roberts explained in a message on the site that between 2pm on 5 February and 9am on 7 February any user logging into their account at the same time that another person was logged in could have had their account information switched. This would result in them accidentally logging into someone else’s account and gaining access to their email address, account details, posting history and personal messages, but not their passwords as the data is encrypted.
The company doesn’t know how many people were affected, but approximately 4,000 user accounts were logged in during the period in question, and 14 incidents had been reported so far.
A software change that occurred as part of a move to the cloud was suspected of causing the issue. That change has since been reversed, and a forced log out has been applied to ensure users have to log in again before posting to ensure they are no longer in someone else’s account.
Dan Pitman, principal security architect at Alert Logic, said session management such as this is a key web application vulnerability.
“When users log into a website they are given some kind of unique reference on the server and possibly on their local computer that identifies them for the duration of their browsing session on that site,” he said.
“In this case, it is most likely that a bug in bespoke software or a vulnerability from a third party component was introduced that caused people to receive someone else’s session management unique ID and the server proceeded to serve up the other individual’s data based on that.”
Largest data breach ever seen discovered
The largest collection of leaked data in history has been posted online by security researcher Troy Hunt, who discovered a dataset comprising more than 772 million email addresses and 21 million passwords in a package of 12,000 files.
The 87GB trove was dubbed “Collection #1” by Hunt, who said he found it on both the MEGA cloud service – which has since removed the data – and on a popular hacking forum. It contains 1,160,253,228 unique combinations of email addresses and passwords, including “dehashed” passwords that have been cracked and converted back to plain text.
Hunt said that it was made up of numerous individual data breaches from thousands of different sources, and that the data would likely be used for credential stuffing, which cyber criminals can use to bulk test combinations of email addresses and passwords.
Sergey Lozhkin, security expert at Kaspersky Lab, advised anyone who uses email credentials for online activity to check if their accounts have been exposed at Hunt’s Have I Been Pwned service, to change the passwords for their sensitive accounts, and to implement two-factor authentication wherever possible.
“This massive collection of data harvested through data-breaches had been built up over a long period of time, so some of the account details are likely to be outdated now,” said Lozhkin. “However, it is no secret that despite growing awareness of the danger, people stick to the same passwords and even re-use them on multiple websites.
“What’s more, this collection can easily be turned into a single list of e-mails and passwords: and then all that attackers need to do is to write a relatively simple software program to check if the passwords are working.
“The consequences of account access can range from very productive phishing, as criminals can automatically send malicious e-mails to a victim’s list of contacts, to targeted attacks designed to steal victims’ entire digital identity or money or to compromise their social media network data.”
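The bulk password checking Lozhkin describes has a recognisable footprint on the defender's side: one source address working through many different accounts in a short window, with almost every attempt failing. The following detector is an added example, not code from the article or from any of the organisations named in it; the log format, the constructed sample lines (documentation IP ranges, example.com accounts) and the thresholds are assumptions.

```python
"""Detect credential-stuffing bursts in authentication logs.

Added example (not from the original article). Assumed log format, one
chronological line per attempt:
    <ISO 8601 UTC time> src=<ip> user=<account> result=<OK|FAIL>
Credential stuffing (bulk testing of leaked email/password pairs) shows up as
one source trying many *different* accounts in a short window, mostly failing.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<res>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, user, result) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["res"]


def detect_stuffing(lines, window_s=60, min_distinct_users=5, max_success_ratio=0.2):
    """Return {src_ip: (distinct_users, attempts, successes)} for every source
    that, within some window_s-second window, tried at least min_distinct_users
    different accounts with a success ratio of at most max_success_ratio.
    The tuple kept for a source is the one with the highest distinct-user count.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user, result) inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines we cannot parse rather than crash the pipeline
        ts, src, user, res = parsed
        q = recent[src]
        q.append((ts, user, res))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # slide the window forward
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, r in q if r == "OK")
        if len(users) >= min_distinct_users and successes / len(q) <= max_success_ratio:
            prev = flagged.get(src)
            if prev is None or len(users) > prev[0]:
                flagged[src] = (len(users), len(q), successes)
    return flagged


def successes_from_flagged(lines, flagged):
    """Successful logins originating from flagged sources: these are the accounts
    whose leaked password still worked and that need a forced reset."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] in flagged and parsed[3] == "OK":
            hits.append((parsed[1], parsed[2]))
    return hits


# Constructed sample log: 203.0.113.7 sprays eight different accounts in 14 s
# (one hit), 198.51.100.20 is a real user mistyping a password, 198.51.100.21
# is a shared office NAT with three genuine logins.
SAMPLE_LOG = """\
2019-01-17T09:00:00Z src=203.0.113.7 user=alice@example.com result=FAIL
2019-01-17T09:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2019-01-17T09:00:03Z src=198.51.100.20 user=bob@example.com result=FAIL
2019-01-17T09:00:04Z src=203.0.113.7 user=carol@example.com result=FAIL
2019-01-17T09:00:06Z src=203.0.113.7 user=dave@example.com result=FAIL
2019-01-17T09:00:08Z src=203.0.113.7 user=erin@example.com result=FAIL
2019-01-17T09:00:09Z src=198.51.100.20 user=bob@example.com result=OK
2019-01-17T09:00:10Z src=203.0.113.7 user=frank@example.com result=OK
2019-01-17T09:00:12Z src=203.0.113.7 user=grace@example.com result=FAIL
2019-01-17T09:00:14Z src=203.0.113.7 user=heidi@example.com result=FAIL
2019-01-17T09:01:00Z src=198.51.100.21 user=ivan@example.com result=OK
2019-01-17T09:01:05Z src=198.51.100.21 user=judy@example.com result=OK
2019-01-17T09:01:09Z src=198.51.100.21 user=mallory@example.com result=OK
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    flagged = detect_stuffing(SAMPLE_LOG)
    print("flagged sources:", flagged)
    print("accounts to reset:", successes_from_flagged(SAMPLE_LOG, flagged))
```

The distinct-account count is what separates stuffing from a single user fumbling a password; the shared NAT case shows why the failure ratio is needed as well.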
Sensitive data about hundreds of German politicians were leaked online following a suspected social engineering attack.
The victims identified so far include national, regional, and EU politicians from every German political party except the far-right Alternative for Germany (AfD), according to BILD journalist Julian Röpcke, who studied the data. Left-leaning German journalists, satirists and musicians were also targeted by the hackers.
The leaked data includes personal phone numbers, email addresses, work correspondence, family conversations, holiday photos, photos of ID cards, bank account information and copies of identity cards.
Chancellor Angela Merkel had her email address and several letters published, while Greens leader Robert Habeck had private chats with family and credit card details exposed.
The data was posted on the Twitter account @_0rbit before Christmas in the form of an advent calendar, with a new window opening each day to expose a fresh batch of leaks. The account, which has since been suspended, had been tagged with the terms “security researching”, “artist” and “satire and irony” and as being based in Hamburg.
German authorities said they did not become aware of the hack until 3 January and that the identity of the perpetrators remained unclear.
“We do not know who is behind this attack or where the stolen data comes from. The national cyberdefense center has taken over the central coordination,” a spokesperson for Germany’s BSI federal cyber agency told CNN.
“There are no concerns that the government network has been affected, however we will continue to investigate,” the spokesperson added.
The incident is the second major hack of German politicians in recent years. In 2015, 16 gigabytes of data were stolen from the Bundestag parliament. Germany’s domestic intelligence agency claimed a hacker group suspected of working for the Russian state was responsible.
Town of Salem
More than 7 million users of web browser game Town of Salem have had their personal data compromised including, according to one analysis, usernames, email addresses, passwords, IP addresses, game and forum activity, as well as payment information.
The breach came to light when an unidentified person got in touch with data breach indexing service DeHashed with a copy of the compromised data.
The stolen passwords were hashed in the phpass, WordPress and phpBB formats.
However, the creator of the game, BlankMediaGames, said that payment information was not stolen.
As ZDNet notes, a staff member of Town of Salem creator BlankMediaGames, Achilles, said in a forum post: “To clarify, we do not handle money. At all. The third party payment processors are the ones that handle all of that. We never see your credit card, payment information, anything like that.
“We don’t have access to that information.”
BlankMediaGames has advised players to change passwords – but only on a forum post so far.
Forbes writes that many of the passwords have been decrypted already and posted online – publicly.
The community Q&A social website Quora has suffered a data breach that could have exposed the personal data of up to 100 million users as a “result of unauthorised access” to one of its systems by a “malicious third party”.
Almost the whole cache of user profile information could have been affected by the breach, including account information such as name, email address, hashed passwords and data imported from linked social networks, as well as public content and actions – including questions, answers, comments, and upvotes, as well as their non-public equivalents including direct messages.
However, questions and answers posted anonymously have not been affected by the breach according to CEO Adam D’Angelo, who said in a blog post that the organisation is “still investigating” the “precise causes” of the unauthorised access and is working with digital forensics and security specialists, as well as law enforcement, to find out more.
“The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious,” he said.
Quora added that it is logging out all Quora users who could have been affected and if they used a password to log in would be invalidating those passwords.
The blog post also said that Quora believes it has “identified the root cause and taken steps to address the issue,” but did not say what this was.
Hotel group Marriott International has revealed a massive data breach affecting as many as 500 million guests.
The leaked information is believed to have come from an unauthorised party who gained access to the group’s Starwood guest authorisation database.
Of the 500 million, around 327 million guests have had a combination of name, address, passport number and check-in and check-out information compromised.
The number of credit card details accessed has not been specified, but the hotel group confirmed that it is possible the hackers obtained the right tools to decrypt them.
The breach dates back to 2014, with hackers being able to access the Starwood network since then, although it was not until 8 September that the chain received a notification about an attempt to access the database.
Guests staying on or before 10 September 2018 are likely to be affected.
In a statement, Marriott International said: “Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorised access to the Starwood network since 2014. Marriott recently discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”
More than 3.4 terabytes of data and 70 million documents from FIFA, containing numerous allegations of corruption, were leaked to German magazine Der Spiegel by the Football Leaks organisation in November.
Der Spiegel found evidence in the data that European clubs are still plotting to create a new “Super League” and that FIFA President Gianni Infantino helped Manchester City and Paris Saint-Germain avoid punishment for financial fair play violations and “watered down” the FIFA ethics code.
The 3.4 terabytes trove topped the 2.6 terabyte Panama Papers, which is often referred to as “the biggest whistleblower leak in history”. Der Spiegel called it “the biggest leak ever reported on by investigative journalists”.
Der Spiegel received the data from a whistleblower named only as “John”, who founded the Football Leaks organisation to expose corruption in the sport. John told Spiegel that a variety of sources provided him with the information, and that nobody involved is a hacker.
Others doubt that he could have obtained so much data from such a variety of sources without a cyber attack being involved. FIFA has acknowledged that its systems were hacked in March and that media outlets had later contacted the organisation about leaked information they had received.
The alleged attack occurred just months after Russian hacking group Fancy Bears leaked another trove of internal data from FIFA, including details of failed drug tests by footballers.
FIFA responded to the reports in a statement:
“It seems obvious from the ‘reporting’ carried out in some media outlets that there is only one particular aim: an attempt to undermine the new leadership of FIFA and, in particular, the President, Gianni Infantino, and the Secretary General, Fatma Samoura … For the avoidance of doubt, it also deserves to be pointed out that NONE of the “reports” contains anything which would even remotely amount to a violation of any law, statute or regulation. This is, beyond question, an immeasurable improvement on the past and something which FIFA is fully committed to going forward.”
Hong Kong-based airline Cathay Pacific suffered a major data breach affecting up to 9.4 million passengers this week.
The airline confirmed that a range of personal information from passengers was leaked, including passport numbers, email addresses and some credit card details.
As yet, Cathay Pacific claims no personal data has been misused, and that it is launching a full investigation into the breach.
“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves,” Cathay Pacific’s CEO, Rupert Hogg said in a statement. “We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
The breach was spotted during an ongoing IT operation at the airline that showed unauthorised access to systems which held passenger data.
This comes after a troublesome year as pressures to keep prices low from competing airlines in the region grow and the firm marks another annual loss.
Google shuts down Google+
Earlier this year Google discovered a vulnerability in an API for the company’s social networking effort Google+, which made it possible for third-party app developers to access data from the friends of the app users – echoing the major Facebook data scandal relating to Cambridge Analytica.
According to documents reviewed by the Wall Street Journal, Google not only exposed this data but then it chose not to disclose it, fearing reputational damage.
In response, parent company Alphabet decided to shut down Google+ completely and for good.
Investigators reportedly discovered that a bug with the site was providing outside developers with access to Google+ profile data between 2015 and March 2018, when the issue was fixed. A memo seen by the Journal said that disclosing the problem would potentially cause “immediate regulatory interest” – and even compared the potential damage to the Facebook scandal that was unfurling at the time.
According to the Journal even chief exec Sundar Pichai had been briefed on the decision not to disclose the potential breach.
The potential repercussions are massive, and saying that regulators would be interested would appear to be a serious understatement. However, because the decisions were made before GDPR came into effect in May 2018, it is unclear whether the company would face scrutiny under the new Europe-wide data law.
A spokesperson told the WSJ: “Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
Up to 90 million Facebook user accounts were exposed by a security breach in September 2018.
Attackers exploited a vulnerability in the code of Facebook’s “View As” tool, a feature that shows users what their profile looks like to other people. This allowed them to steal Facebook access tokens that they could then use to take over almost 50 million profiles. A further 40 million users who had interacted with the feature were also exposed.
The breach affected Facebook’s founder Mark Zuckerberg, its chief operating officer, Sheryl Sandberg, and its European vice-president, Nicola Mendelsohn and thousands of users in the UK. The perpetrators remain unknown.
Facebook responded by fixing the vulnerability, informing law enforcement, resetting the access tokens of all the affected accounts, and temporarily turning off the “View As” feature while the company conducted a security review.
The breach sent Facebook stock tumbling but the real cost is yet to come. Under the terms of GDPR, the company faces a maximum fine of up to 4 percent of its global annual revenue from the prior year, which works out at $1.63 billion (£1.25 billion).
In September 2018, reports confirmed that ride-hailing firm Uber will pay £133m to settle all legal action over the cyber attack that exposed data from 57 million customers and drivers in 2016.
After numerous reports about the incident, Uber revealed only some information about the data breach in November 2017. It has now been confirmed that the company paid the hackers $100,000 (£76,171) to delete the data.
The £133m payment settles action by the US government and 50 states over the failure to disclose details about the data loss, according to the BBC.
A technologically challenged summer for BA continued with a data breach affecting 380,000 transactions, involving stolen personal and financial information, but not passport or flight details. The data was compromised over a two-week period between 21 August and 5 September, during which a ‘sophisticated’ attack was carried out on both the company’s website and app.
“We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app,” Alex Cruz, CEO of BA told the BBC’s Today programme.
“We discovered that something had happened but we didn’t know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack.
“The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”
He said that customers at risk are now being contacted and advised to ask their bank or credit card provider how to manage the data breach.
At present, the Information Commissioner’s Office is investigating the breach and has suggested the airline could face a fine.
“Organisations like BA are strong targets for cyber criminals because they possess vast amounts of high-value personal data that gives hackers high return on investment,” said Rufus Grig, CTO at Maintel.
“Yet, every company is a target when it comes to cyber attacks, and there only needs to be a single vulnerability to enable a breach. While cybercriminals will always find new ways of gaining access, there are ways to reduce risk and minimise the loss of data.”
As many as 2 million T-Mobile customers based in the US may have had their account details compromised by hackers who got away with names, email addresses, account numbers, billing information and encrypted passwords – but the company did not disclose what these passwords were hashed with.
T-Mobile said in an announcement that there was an “unauthorised capture of some information”. Motherboard later confirmed that encrypted passwords were compromised as well.
Apparently company servers were breached through an API, by a group described as “international”. However, the spokesperson told Motherboard that the intrusion was detected on the same day and was “shut down very fast”.
The company said it was informing customers believed to have been affected by the breach. No financial data or social security numbers were stolen, according to the company.
The breach is thought to have impacted only US customers – EE acquired T-Mobile’s UK base and told The Register that it was not affected.
The ICO has confirmed it will be looking into a data breach at content aggregator Reddit. A spokesperson told Techworld: “We are aware of an issue concerning Reddit and will be looking to ascertain the scale and extent of any potential impact on UK citizens.”
Content aggregator site Reddit – which calls itself the ‘front page of the internet’ and has more active users than Twitter, with over 540 million monthly visits – has suffered a data breach and is refusing to disclose the scale.
Reddit was also late to disclose the breach – with the potential to draw the ire of European regulators under GDPR, which requires that organisations disclose breaches quickly and adequately.
A complete copy of an old database backup containing early Reddit data from 2005 to May 2007 was stolen, including username and hashed passwords, email addresses, and content, including private messages. Reddit will be messaging affected users.
More recently, email digest logs were stolen, connecting usernames to email addresses, along with the suggested posts from the safe-for-work subreddits those users subscribed to.
The content aggregator, which was founded in 2005, depends largely on anonymous visitors organised into various forums known as subreddits. Until 2017 Reddit was open source.
CTO Christopher Slowe posted a topic to the r/announcements subreddit that detailed some of the specifics of the breach. Slowe said that on 19 June, Reddit learned that between 14 and 18 June an attacker compromised employee accounts with their “cloud and source code hosting providers”.
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication, we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Slowe said. “We point this out to encourage everyone here to move to token-based 2FA.”
Reddit is famously associated with anonymity, and the CTO warned that users who had their email addresses linked to their accounts should “think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address”.
As the BBC points out, American users are subscribed to the email digest by default, and that according to Reddit’s advertising metrics, 20 million people visit from the USA every day.
Emmanuel Schalit, CEO at identity management software business Dashlane, said that the breach should serve as a wake-up call to encourage proper cyber hygiene across all digital accounts, no matter how anonymised they might seem on the surface.
“Reddit, the front page of the internet, has fallen victim to one of the internet’s oldest issues, hacking,” said Schalit. “With continued hacks, breaches, and data abuses, the fight to protect your personal data rages on.
“We will hopefully soon be in a world where private data remains private. Until then, make sure that all of your passwords are unique and complex, and that you change compromised passwords and associated passwords as soon as possible.”
Synopsys’ Travis Biehn added that the breach should also serve as a lesson to organisations – who should revisit their multi-factor authentication policies often.
“You can look at the timeline for SMS hijacking techniques – the first practical attacks were presented a few years ago – and now these are being increasingly commoditised for a wide array of attackers,” said Biehn. “Right now, the best users can do is rely on two factor authentication, which raises the cost for attackers, and use a password manager to reduce the risk of password re-use.”
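The "token-based 2FA" that Slowe and Biehn recommend over SMS is usually TOTP (RFC 6238): the one-time code is computed locally from a shared secret and the clock, so there is no text message for an intercept to capture. The verifier below is an added example, not code from Reddit or the article; it uses only the Python standard library, and the secret and timestamps are the RFC 4226/6238 test values rather than real credentials.

```python
"""Token-based (TOTP) second factor: RFC 6238 on top of RFC 4226 HOTP.

Added example, not code from Reddit or the original article. Only the Python
standard library is used. RFC_TEST_SECRET and the timestamps in the usage
block are the published RFC test vectors, not real credentials.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 (SHA-1) test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock, T = floor(t / step)."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server-side check with a small clock-skew window and replay protection.

    skew_steps=1 accepts the previous, current and next 30-second code, which
    tolerates phones whose clocks drift slightly. Each accepted counter is
    remembered per user so the same code cannot be presented twice (RFC 6238
    section 5.2), which matters if a code is shoulder-surfed or phished.
    """

    def __init__(self, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.step, self.digits, self.skew = step, digits, skew_steps
        self._last_counter = {}  # user -> highest counter already accepted

    def verify(self, user: str, secret: bytes, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        centre = int(now) // self.step
        for counter in range(centre - self.skew, centre + self.skew + 1):
            if counter <= self._last_counter.get(user, -1):
                continue  # already used (or older than one already used): reject
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: at t=59 the SHA-1 TOTP is 94287082 (8 digits),
    # so the 6-digit code is 287082.
    print("code at t=59:", totp(RFC_TEST_SECRET, 59))
    v = TotpVerifier()
    print("first use accepted:", v.verify("alice", RFC_TEST_SECRET, "287082", now=59))
    print("replay rejected:", v.verify("alice", RFC_TEST_SECRET, "287082", now=59))
```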
Social app Timehop disclosed a major data breach on 7 July 2018 that impacted 21 million of its users, including names, email addresses and phone numbers.
In a blog post, Timehop told users that it detected a network intrusion on 4 July that occurred because credentials to its cloud environment were compromised, and that the cloud account didn’t have multifactor authentication.
It said that no social posts were accessed. Timehop is an app that accesses social accounts to remind you of the events that happened on the same day in previous years.
No private messages, financial data, or social media data were accessed, the company stated.
But it did say that keys that allow Timehop to read and show users their social media posts were compromised. “We have deactivated these keys so they can no longer be used by anyone, so you’ll have to re-authenticate to our app,” the company said.
It added that the damage “was limited” because of the company’s “long-standing commitment to only use data we absolutely need to provide our service”.
“Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content – and we delete our copies of your ‘Memories’ after you’ve seen them.”
Users who logged into Timehop using their phone numbers are advised to take extra security precautions such as adding a PIN to their accounts.
Timehop has listed the extra precautions it has taken and will continue to take, such as auditing and bringing in an incident response firm.
British retailer Dixons Carphone, which owns Currys, PC World, and more electrical brands in the United Kingdom and Europe, has admitted to an enormous data breach which took place in July 2017, with access to an estimated 1.2 million customer records containing personal data – and an attempt to compromise 5.9 million cards in the processing systems of Currys PC World and Dixons Travel shops.
In a statement, Dixons Carphone said that it has informed the Information Commissioner as well as the Financial Conduct Authority and the Police of the breach, which also compromised “approximately 105,000 non-EU issued payment cards” without chip and pin protection.
The retailer said: “5.8 million of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values, nor any authentication data enabling cardholder identification or a purchase to be made.”
Personal records accessed include names, addresses and email addresses. Dixons Carphone added that it hadn’t discovered any evidence of the information leaving its systems or resulting in fraud “at this stage”.
However, Dixons Carphone confirmed in July 2018 that the breach actually affected 10 million customers, which is up a massive 8.8 million from its original estimate of 1.2 million.
Responding to the news, Mark Adams, Regional VP UK & Ireland at Veeam said: “Breaches can happen to any business, but the fact it has taken so long for the seriousness of this particular breach to be realised is worrying. A business suffering such a breach will really need to take a look at their processes and systems. To get the scale of a breach so vastly wrong is a concern, especially when the first number of customers was already one of the most sizeable breaches of a UK business to date.
“There’s a combination of approaches that can be taken here. Firstly we’d recommend delivering a company-wide employee training program on data protection and phishing attacks. Human-led errors are still the biggest weakness for a business. You’ve got to get that right and make employees more aware of their actions.”
This is the first major breach of its kind in the UK since the General Data Protection Regulation came into effect on 25 May this year.
Chief executive of Dixons Carphone Alex Baldock said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
Baldock said that the retailer has “promptly launched an investigation” as well as adding extra security measures and “engaged leading cyber security experts”.
The firm has confirmed that no bank details were taken and there has been no evidence that fraud had taken place.
Commenting on the news, Patrick Hunter, EMEA director for access management business One Identity said: “Yet again, the customer data has been on the balance with ‘cost to protect’ on the other side of the scale. Risk, were they betting on not being attacked or did they genuinely believe that they had best security practices in place?
“We can certainly suspect that there are companies out there doing just that, hoping their networks are not attacked, this is no longer good enough.”
More than 92 million MyHeritage user accounts were compromised in a data breach at the genealogy testing service’s website.
The breach occurred in October 2017 but wasn’t reported until the following June, when an unnamed security researcher informed MyHeritage’s CISO.
The researcher had found a file named “myheritage” on a private server containing a selection of email addresses and hashed passwords.
MyHeritage’s information security team reviewed the file and confirmed that the content was from 92,283,889 users who had signed up to its service up to and including October 26, 2017, the date of the breach.
The company found no evidence that the data was ever used by the perpetrators and believes that only user email addresses had been exposed due to the added security measures it uses to protect its other data.
MyHeritage earned praise for its prompt disclosure of the breach and plans to implement two-factor authentication. The proactive approach to sharing information with the public reduced the risk of collateral damage, as David Emm, Principal Security Researcher at Kaspersky Lab, explained.
“What was refreshing was the response from the company’s CISO,” said Emm. “Within hours of the breach being discovered, he had taken to the company’s website to explain what they had discovered, what steps they were taking to rectify the issue, and how they protected people’s data in general.
“Often when a breach happens, one of the biggest failings is that of honesty and disclosure from the victim, which ultimately leaves consumers even more vulnerable as they are unaware they need to take action.
“Of course, the data is still at risk, and it’s especially concerning when you consider the type of data – including DNA – this site holds. But, by acting swiftly and definitively, MyHeritage has allowed its customers to regain some control of their personal data by changing passwords, checking for suspicious activity on accounts, and exercising caution; all actions that, had the breach been kept secret whilst the company investigated or gave itself time to ‘stage manage’ its public response, would have left them even more at risk from fraudsters.”
Roughly 150 million users of the MyFitnessPal app owned by Under Armour have had their personal details leaked in a data breach including usernames, email addresses and passwords.
In a written statement issued on 29 March, Under Armour said that it became aware of the breach on 25 March, though it actually occurred in late February 2018.
A joint investigation with law enforcement and data security firms revealed that the affected information includes usernames and email addresses, as well as passwords, but these were hashed with bcrypt. Bcrypt is a salted, deliberately slow password hashing function rather than an encryption scheme, so bulk offline cracking of the stolen hashes is expensive, though weak passwords remain guessable. Payment card data was not affected, and neither were government-issued identifiers like driver’s licences or social security numbers.
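To show why the hashing scheme matters to anyone holding a leaked password table, here is an added example (not Under Armour’s or MyFitnessPal’s code) that runs the same small dictionary against an unsalted SHA-1 table and against a salted, slow hash. Python’s standard library has no bcrypt, so hashlib.scrypt stands in for it; like bcrypt it is salted and tunably expensive. The user records, passwords and dictionary are constructed for the example.

```python
"""Salted, slow password hashing versus a fast unsalted digest.

Added example, not code from Under Armour or MyFitnessPal. hashlib.scrypt
stands in for bcrypt (both salted, both deliberately slow). All users,
passwords and the dictionary below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed sample users; the first two passwords are deliberately weak.
USERS = {
    "alice@example.com": "password1",
    "bob@example.com": "letmein",
    "carol@example.com": "Zx9!vQ2#plL",  # not in the dictionary below
}
DICTIONARY = ["123456", "password", "password1", "letmein", "qwerty", "iloveyou"]

# scrypt cost parameters kept modest so the example runs in a few seconds.
SCRYPT_PARAMS = dict(n=2 ** 13, r=8, p=1)


def weak_hash(password: str) -> str:
    """Unsalted SHA-1: identical passwords give identical hashes across all users."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> str:
    """Salted scrypt, stored as 'scrypt$<salt-hex>$<digest-hex>' so the salt travels with it."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_weak(leaked: dict[str, str]) -> dict[str, str]:
    """One precomputed table of dictionary hashes cracks every user at once (no salt)."""
    lookup = {weak_hash(word): word for word in DICTIONARY}
    return {email: lookup[h] for email, h in leaked.items() if h in lookup}


def crack_strong(leaked: dict[str, str]) -> dict[str, str]:
    """Each user needs the dictionary re-hashed under their own salt: cost = users x words."""
    found = {}
    for email, stored in leaked.items():
        for word in DICTIONARY:
            if verify_strong(word, stored):
                found[email] = word
                break
    return found


def timed(fn, *args):
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    weak_db = {e: weak_hash(p) for e, p in USERS.items()}
    strong_db = {e: strong_hash(p) for e, p in USERS.items()}
    for label, cracker, db in (("sha1", crack_weak, weak_db), ("scrypt", crack_strong, strong_db)):
        recovered, secs = timed(cracker, db)
        print(f"{label:7s} recovered {len(recovered)}/{len(USERS)} in {secs:.3f}s: {recovered}")
```

Both runs recover the two weak passwords, which is the point: a slow salted hash does not rescue a user who chose “letmein”, but it turns a single table lookup over 150 million rows into per-user work, and at real bcrypt or scrypt cost settings that is what makes a full crack of a leak uneconomic.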
The app is predominantly used in the USA but the odds are that some of the 150 million users affected will be in other regions.
Although health and running activity data was not specifically accessed, the hack opens up the possibility of attackers gaining access to this – and in theory being able to collate highly personal profiles of affected individuals.
Evgeny Chereshnev, CEO of Bilink.Tech, commented: “If these hackers were able to match these stolen login credentials to the users’ actual fitness data, just imagine what could happen. Having this level of data would allow hackers to know that ‘Mr Smith’ has a very specific and predictable pattern of behaviour. Fitness trackers don’t only track calories and the number of steps a person walks in a day, it also knows where people are and at what time.
“For hackers wanting to specifically target a certain person, this data is a gold mine.”
Under Armour seems to have responded particularly quickly to the breach, especially when set against other high-profile incidents in recent years. For instance, it took Yahoo years to identify the full extent of its 2013 breach, eventually disclosing that ‘all three billion’ accounts were affected.
A subsidiary of delivery and logistics multinational FedEx stored extremely sensitive customer data in a publicly readable Amazon S3 bucket, effectively making all of it available to anyone on the internet.
The data was discovered by Kromtech security researchers on 5 February. It appears to have belonged to Bongo International LLC, a package-forwarding business set up to make buying American goods easier for customers abroad, which FedEx bought in 2014.
The bucket held thousands of scanned documents belonging to US and international customers – passports, driving licences and security IDs were all openly accessible – as well as home addresses, postal codes and phone numbers.
Researchers pointed out that the data seems to have been from 2009 to 2012, before the company was bought out.
Kromtech’s Bob Diachenko commented that anyone who used Bongo International during that era is at risk of having had their documents online for years.
“[It] seems like that bucket has been available for public access for many years in a row,” Diachenko said. “Applications are dated within the 2009-2012 range and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International back in 2014.”
An open MongoDB-hosted database owned by custom keyboard app Ai.Type exposed 577GB of customer data and was available to anyone who cared to look, potentially revealing the information of 31 million customers.
Security researchers at Kromtech uncovered the breach in December 2017, attributing it to the Tel Aviv-based company having left a misconfigured MongoDB database reachable from the internet.
Ai.Type provides keyboard themes for Android users, but as Bob Diachenko writes for MacKeeper, researchers were shocked to find the app requested full access to a personal device – including “all keyboard data past and present”.
“This is a shocking amount of information on their users who assume they are getting a simple keyboard application,” he writes.
The data included more than six million records from users’ contact books, including names and phone numbers, and more than 373 million records scraped from users’ phones in total, including contacts that were synced to the linked Google account.
Ai.type founder Eitan Fitusi seemed to dismiss the gravity of the leak. Speaking with the BBC, Fitusi said it was a “secondary database” and that IMEI information was not gathered and geo-location data wasn’t accurate. He also said user behaviour collected by the company was based only on ads that they clicked. The database has been shut down.
Exposed MongoDB databases have a long history of their own, including a spate of ransomware attacks earlier in the year and a large cache of data held by children’s toy company CloudPets that had no authentication and could be found on the IoT search engine Shodan.
British shipbroker Clarksons has warned shareholders that stolen data may be released in the coming weeks following its refusal to pay a ransom demand.
London-listed Clarksons, founded in 1852, brokers ships for cargo ranging from petrochemicals, crude oil and petroleum products to dry cargo and gas, and also serves offshore field development and rigs and the shipping of products such as cars.
In its warning notice posted 29 November Clarksons said it was responding to a cybersecurity incident, and said: “As soon as it was discovered, Clarksons took immediate steps to respond to and manage the incident.
“Our initial investigations have shown the unauthorised access was gained via a single and isolated user account which has now been disabled.
“Today, the person or persons behind the incident may release some data.
“The data at issue is confidential and lawyers are on standby wherever needed to take all necessary steps to preserve the confidentiality in the information.”
The statement went on to say it is working with security specialists for further investigation and that it was in the process of conducting a “wider review” of cybersecurity that began earlier in the year.
Shares dropped 2.71 percent in yesterday’s afternoon trading following the announcement.
Uber concealed a hack that affected 57 million customers and drivers worldwide and 2.7 million users in the UK, the company has confirmed.
The breach – which took place in 2016 – was kept under wraps by the taxi-hailing firm, which paid hackers $100,000 (£75,000) to delete the data.
Uber confirmed that names, email addresses and mobile phone numbers of customers were exposed and of the 57 million impacted, 600,000 drivers had their names and licence details compromised.
And while the drivers have been offered free credit monitoring protection, the firm is yet to offer anything to affected customers.
According to Bloomberg, Uber’s former chief executive Travis Kalanick knew about the breach over a year ago. The firm’s chief security officer Joe Sullivan has left the company.
In a written statement, Uber CEO Dara Khosrowshahi said: “While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.
“None of this should have happened, and I will not make excuses for it.”
Uber confirmed to the Information Commissioner that 2.7 million – over half – of Uber’s UK users had been affected. The National Cyber Security Centre suggested “vigilance” against email phishing or scam phone calls in light of the hack.
Pizza Hut has revealed that its website and app were hacked on 1 October, putting the personal information of an undisclosed number of customers at risk.
The hack is thought to have compromised billing information including delivery addresses, email addresses and payment card information containing account numbers, expiration dates and CVV numbers.
Pizza Hut has sent out emails to customers informing them of the breach, which reveal Pizza Hut knew of the breach two weeks before disclosing it.
In the email, the company said: “Pizza Hut has recently identified a temporary security intrusion that occurred on our website. We have learned that the information of some customers who visited our website or mobile application during an approximately 28-hour period (from the morning of October 1, 2017, through midday on October 2, 2017) and subsequently placed an order may have been compromised.
“Pizza hut identified the security intrusion quickly and took immediate action to halt it.”
It’s unclear how many customers have been affected by the hack, but a figure of 60,000 US customers has been reported by Slashdot.
Yahoo has disclosed that all of its 3 billion email users were likely compromised in a 2013 breach that it disclosed last year, breaking its own record for largest ever potential data breach.
The initial breach was disclosed in mid-2016 when Yahoo thought it had affected as many as 500 million accounts. This figure climbed to 1 billion by the end of the year, and as many as 3 billion today.
In a statement posted to a help page, Yahoo said: “Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected.
“It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts.
“The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account.”
Yahoo previously said it believed hackers had gained access by forging cookies – fabricating the session tokens the site issues after a successful login – letting attackers into accounts without needing a password.
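The cookie-forgery technique above is easiest to understand with a side-by-side: a cookie that merely encodes who the user is, which anyone can rewrite, next to one carrying an HMAC under a server-side key. This is an added example and not Yahoo’s code; the cookie layout, claim names, key and the SessionSigner class are all assumed for illustration.

```python
"""Session cookies: forgeable versus HMAC-signed.

Added example, not Yahoo's code. The cookie format, the claim names
('user', 'exp'), the keys and the SessionSigner class are all assumed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _now(now: Optional[int]) -> int:
    return int(now if now is not None else time.time())


# --- Naive design: the cookie is just encoded claims and the server trusts what it reads. ---
def mint_unsigned(user: str) -> str:
    return _b64e(json.dumps({"user": user}).encode())


def read_unsigned(cookie: str) -> Optional[str]:
    try:
        return json.loads(_b64d(cookie))["user"]
    except (ValueError, KeyError):
        return None


def forge_unsigned(victim: str) -> str:
    """All an attacker needs against the naive design is the victim's identifier."""
    return mint_unsigned(victim)


# --- Signed design: claims plus an HMAC-SHA256 tag under a key only the server holds. ---
class SessionSigner:
    def __init__(self, key: bytes, ttl_seconds: int = 3600):
        self.key = key
        self.ttl = ttl_seconds

    def mint(self, user: str, now: Optional[int] = None) -> str:
        claims = {"user": user, "exp": _now(now) + self.ttl}
        payload = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{tag}"

    def read(self, cookie: str, now: Optional[int] = None) -> Optional[str]:
        try:
            payload, tag = cookie.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        claims = json.loads(_b64d(payload))
        if claims.get("exp", 0) < _now(now):
            return None
        return claims.get("user")

    def rotate(self, new_key: bytes) -> None:
        """Rotating the key invalidates every cookie minted under the old one."""
        self.key = new_key


def forge_signed_without_key(victim: str) -> str:
    """Attacker without the key: swap the user claim and hope the tag is not checked."""
    payload = _b64e(json.dumps({"user": victim, "exp": 2 ** 31}).encode())
    return f"{payload}.{'0' * 64}"
```

The signed design only holds while the key stays secret: an attacker who obtains the signing key (or the code that mints cookies) can produce tags the server accepts, which is why the key must be rotatable and rotation must invalidate every outstanding session, as rotate() does here.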
“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on 22 September 2016,” the company said.
One of the world’s biggest accountancy firms, Deloitte, has been hit by a cyber attack, The Guardian revealed today (25 September 2017).
The hackers may have gained details from the organisation’s blue-chip clients, including usernames, passwords, personal details and even confidential emails detailing private plans and documents.
The attack – which could have gone unnoticed for months – is said to have compromised Deloitte’s global email server via an administrator’s account, granting the hackers access to restricted areas and information.
It is also believed that Deloitte did not have two-step verification set up, with access requiring only a single password.
Six unnamed clients of Deloitte have been told their information was ‘impacted’ by the hack, according to The Guardian, although further details are bound to be revealed as the matter continues.
“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesman told The Guardian.
“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.
“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”
Although the breach is thought to affect mainly US customers, the impact on the UK is yet to be revealed.
Global information solutions company Equifax reported a major cybersecurity incident earlier this year affecting 143 million consumers in the US.
The breach – initially discovered on 29 July – is thought to have revealed the names, Social Security numbers, birth dates and addresses of almost half the US population.
Also compromised were the credit card numbers of 209,000 consumers and the personal identifying information of a further 182,000.
Equifax, which operates or has investments in 23 other countries worldwide, initially reported that some customers in the UK were also affected, estimating around 400,000.
However, the company admitted today (11 October 2017) that the data of some 694,000 UK customers was compromised.
The credit firm went on to say that up to 15,000 UK customers have had their financial information and passwords stolen, including partial credit card information.
Equifax had previously denied that any UK customers personal and financial information was stolen.
“This is clearly a disappointing event for our company and one that strikes at the heart of who we are and what we do,” said CEO Richard F. Smith in a statement after the initial breach. “I apologise to consumers and our business customers for the concern and frustration this causes.”
Perhaps an understatement, considering the company’s share price visibly plummeted 13 percent and is expected to fall further.
Equifax, which shares the credit monitoring market with Experian and TransUnion, has set up a dedicated website and phone line for victims and is offering free identity theft insurance to all US consumers.
Three Equifax executives sold their shares soon after the incident, before the company’s disclosure, for a combined $1.8 million. The breach put victims at a high risk of identity theft and consumers were told to watch their credit score and stay alert.
One of Britain’s largest retail franchises, CEX, disclosed it has been hit by a data breach that could have compromised the information of as many as 2 million customers – including personal details like names and addresses.
In a statement posted to its website, CEX said that despite its best efforts at “robust security” a “sophisticated” attack compromised the data of up to 2 million customers. These details included names and surnames as well as email addresses and phone numbers.
A “small number” of encrypted credit card details were thought to be at risk as well, but the company, which owns the WeBuy.com website, noted that these would only be expired cards as the business stopped storing financial data in 2009.
CEX advised affected customers – who were notified by email – to change their passwords as a precautionary measure.
Commenting on the breach, chief scientist at McAfee Raj Samani said: “Given the increasing amount of reported data breaches, it would be simple to shrug off the news as just another in a long line of companies impacted by digital crime.
“However, two million people will now be wondering just what the lasting impact of their personal data being disclosed will have on them. This concept of breach fatigue is a very real issue, and until further data becomes available that will determine whether CEX implemented the appropriate controls, we should be careful before apportioning any blame.”
CEX did not disclose any further details of the breach but said it had introduced additional security measures and is working with the appropriate authorities, including the police.
A security researcher in Paris has unearthed an open web server hosted in the Netherlands that contains as many as 711 million usernames and passwords.
Infosec researcher and blogger Troy Hunt was contacted by cybersecurity researcher Benkow, who pointed Hunt towards a machine that the “Onliner Spambot” was using to deliver the Ursnif banking malware. The data on the server is a mixture of bare email addresses, used as spam targets, and email addresses paired with passwords, used to log in to SMTP servers and send the spam out, as Benkow details in his write-up.
Troy Hunt runs the Have I Been Pwned (HIBP) website, where users can crosscheck their email address with known breaches to see if their accounts might have been compromised.
The 711 million figure is by far the largest data dump that’s been pulled into HIBP.
“Just for a sense of scale,” Hunt writes, “that’s almost one address for every single man, woman and child in all of Europe.”
The data is likely to contain considerably fewer ‘real’ emails than 711 million, as the data also includes addresses with junk prefixes, poorly formed emails, or otherwise fake addresses that could have been scraped from the web. Nevertheless, the amount of potentially compromised accounts is enormous.
Bupa has suffered a data breach (13 July 2017) affecting 500,000 customers on its international health insurance plan.
The London-based private healthcare group said a Bupa employee inappropriately copied and removed information including names, dates of birth and some contact information; no medical information was compromised.
In a written statement, Bupa said that 43,000 of the total number affected had a UK address and that those that bought their medical insurance abroad could also be affected.
“A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa’s other UK regulators,” said Sheldon Kenton, managing director of Bupa Global. “The employee responsible has been dismissed and we are taking appropriate legal action.”
Zomato, which provides users with an online guide to restaurants, cafes and clubs, reported that data from 17 million users had been stolen, including email addresses and hashed passwords.
The Indian firm said that it had discovered the breach “recently” and subsequently logged affected users out of their accounts, as well as resetting passwords on the app and the website.
Zomato said in a security notice to customers that users logging in via OAuth services such as Facebook or Google were not at risk, meaning that 60 percent of Zomato customers won’t be affected by the breach.
‘Eddie’ reveals over 560 million passwords
The recent WannaCry ransomware infected 47 NHS England Trusts and hundreds of companies across the world. You’d think things couldn’t get any worse. Well, you’re wrong. While this database has no connection to a UK company, its contents could have a big impact here.
Security researchers at the Kromtech Security Research Center discovered a massive database of 560 million login credentials which is believed to come from up to 10 popular online services such as LinkedIn and Dropbox, obtained during previous data breaches.
The credentials were cross-checked against the ‘Have I Been Pwned’ site, which lets users see if their accounts and personal information have been revealed in previous data breaches.
And while the author of the database is unknown, researchers are calling them ‘Eddie’ after a user profile discovered in the data.
Kromtech researcher Bob Diachenko told Gizmodo that the database was running on an unsecured instance of MongoDB’s open-source database software. He said it still remained active and unprotected.
Payday loan company Wonga has fallen victim to a large data breach that could have hit as many as 245,000 of its customers, exposing bank account numbers and sort codes.
In a customer help page Wonga said it is “urgently working to establish further details and contacting those who we know have been impacted”. Along with bank account numbers and sort codes, Wonga believes that full names, email addresses, home addresses, phone numbers and the last four digits of debit card numbers may also have been taken. The company thinks passwords are safe but recommends customers change them regardless.
It advises customers notify their banks and request that their accounts are put on alert for unusual activity. But Wonga also states that it believes accounts are now secure and no action is required. At the same time, it recommends being “extra vigilant” across “other accounts and online activity”.
Wonga’s statement finishes: “We take issues of customer data and security extremely seriously. Cyber attacks are, unfortunately, on the rise. While Wonga operates to the highest security standards, these illegal attacks are unfortunately increasingly sophisticated. We sincerely apologise for the inconvenience and concern this has caused.”
Commenting on the attack, James Thompson, regional director for EMEA at authentication company SecureAuth, said that it will serve as a “hefty reminder” to any organisation holding personal and financial data to “continually innovate security and authentication to keep ahead of attackers.”
“Recognising user behaviours that are out of character for an account is key to protecting against actors staying undetected within your network,” Thompson said. “Businesses need to be able to identify and flag deviations in user behaviour.”
A major breach of Three’s customer upgrade database revealed last November is worse than the network operator initially thought, it was disclosed this week.
The original hack – revealed in November 2016 – occurred when Three’s upgrade database was accessed using an employee login. At the time the company said that no financial information was stolen, but names, phone numbers, addresses and dates of birth were taken.
Three said that of its 9 million customers it believed the data of 133,827 people was compromised.
This week Three said 76,373 more customers had been breached. The investigation is ongoing but the company claimed no further customer breaches are expected.
Commenting on the disclosure, IT security specialist at ESET, Mark James, said: “As always with this type of data breach the focus seems to be on financial information not being obtained, but when you look at names, addresses, dates of birth and methods of payment, the bank details are the easiest to change.
“The type of information we either would not or could not change is being sold, traded, stored or accessed online by cybercriminals to build a profile of you, the victim. It is then reused much later down the line, often to get more information that can be used either for financial gain or identity theft.”
Sportswear retailer Sports Direct failed to tell its entire workforce that they might have had their personal credentials stolen in an internal security breach.
The Register reports that Sports Direct noticed its systems had been compromised in September 2016, but it wasn’t until December that they discovered the data breach – including names, email addresses and phone numbers.
The attacker reportedly gained access through an unpatched content management system running on the open source DNN platform.
Sports Direct did notify the Information Commissioner’s Office but avoided sharing details of the breach with staff – because there was no evidence that the data had been copied.
Sports Direct did not comment on the breach.
Three, one of Britain’s largest mobile operators, has revealed it has had a major data breach that could put millions of its customers at risk.
According to The Telegraph, hackers accessed Three’s customer upgrade database by using an employee login.
Three said that the data accessed did not include any financial information but did say that names, phone numbers, addresses and dates of birth of its customers were obtained.
Since the announcement of the breach (the evening of 17th November), police have arrested three men in connection with the breach.
In November 2016, Tesco Bank, the consumer finance wing of the British supermarket giant, froze its online operations, after as many as 20,000 customers had money stolen from their accounts.
Chief executive Benny Higgins said in a statement published on the Tesco Bank website that 40,000 accounts had been compromised – and half of those had money stolen from them. Customers were told they would be able to use their cards for cash withdrawals, direct debits and chip and pin, but would not be able to make online transactions until the situation was under control.
Tesco Bank only confirmed that it was subject to criminal activity, and did not describe the attack.
The bank, which has over seven million customer accounts, said it would cover any financial costs of the breach. Higgins said: “Any financial loss that results from this fraudulent activity will be borne by the bank. Customers are not at financial risk.”
But one customer, Kevin Smith, from Blackpool, told the BBC that he had lost £500 from one of his accounts, while another claimed to have lost £600 and left without emergency funds from the bank.
Adrian Davis, managing director for EMEA at (ISC)2, the independent body for infosec professionals, said the breach was evidence of Tesco Bank losing control of operational risk.
“I believe we are at a point where, despite growing awareness of the issues, business leaders are losing control and visibility of core business risk,” Davis said. “They have not realised just how much their organisations have changed in the digital age and how this is leaving them vulnerable. They have not treated cyber risk as anything more than an IT problem, and now they, and we, are paying the price.”
Tesco paid its own price for the breach. On 1 October 2018, the Financial Conduct Authority (FCA) fined the company £16.4 million over the incident.
The markets watchdog explained in a statement that Tesco Bank had failed to exercise due skill, care and diligence in designing and distributing its debit card, configuring specific authentication and fraud detection rules, taking appropriate action to prevent the foreseeable risk of fraud, and responding to the attack with sufficient rigour, skill and urgency.
The fine was the first one issued by the FCA for cyber failings. Tesco accepted the findings and agreed to pay the settlement in full.
As a FTSE-100 firm, the apparent insider attack admitted by accounting and HR software firm Sage could turn out to be one of the most important in UK data breach history if its scale is confirmed.
According to the firm, the employee data of up to 280 UK customers representing a large number of individual users could be at risk. “We are investigating unauthorised access to customer information using an internal login,” the firm said in a vague statement that will inevitably re-ignite the contentious issue of insider access.
Publicised in October 2015, TalkTalk initially struggled to confirm how many of its four million customers were affected after hackers exploited a weakness in the firm’s website, later identified by the ICO as an SQL injection flaw.
TalkTalk CEO Baroness Dido Harding sounded disquietingly vague about the attack’s scale when interviewed on TV, and it later transpired that a ‘mere’ 157,000 personal records had been compromised.
Shockingly, the incident was the second (and possibly third) data breach affecting the company in under a year, which could mark it as the moment when dissatisfaction over the rising number of breaches becomes both political and mainstream in the UK.
Another big one: a flaw in the service behind Moonpig’s Android app let a researcher access the records of any Moonpig account holder he tried, in theory compromising a total of three million people.
As serious, the researcher reported the issue to the firm 18 months before going public in early 2015 after receiving an inadequate response. Significant partly because it involved a mobile app rather than the more common website breach.
Think W3 Limited
A serious attack in which a hacker was able to get his or her hands on 1,163,996 credit and debit card records from online holiday firm Think W3 by using an SQL injection attack to exploit a weakness on its website. The ICO described the incident as a “staggering lapse” and fined the firm £150,000.
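The mechanism behind an SQL injection like the one that cost Think W3 its card records is worth seeing in code. The following is an added example, not Think W3’s code: a booking lookup that pastes user input into the SQL text, two payloads that abuse it (one to dump the whole table, one to pull rows out of an unrelated table), and the parameterised form that defeats both. The schema, table names and rows are constructed.

```python
"""SQL injection against a booking lookup, and the parameterised fix.

Added example, not Think W3's code. The schema (bookings, staff), the rows
and the query are constructed for illustration. Uses sqlite3 in memory.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: bookings with card fragments plus a staff table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (ref TEXT, customer TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", [
        ("TW3-1001", "alice", "4242"),
        ("TW3-1002", "bob", "1881"),
        ("TW3-1003", "carol", "0005"),
    ])
    conn.execute("CREATE TABLE staff (username TEXT, password_hash TEXT, role TEXT)")
    conn.execute("INSERT INTO staff VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'superuser')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ref: str) -> list:
    """User input becomes part of the SQL text, so it can change the query's structure."""
    sql = f"SELECT ref, customer, card_last4 FROM bookings WHERE ref = '{ref}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, ref: str) -> list:
    """Parameterised: the value is bound separately and can only ever be compared, never parsed."""
    sql = "SELECT ref, customer, card_last4 FROM bookings WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


# Payload 1: make the WHERE clause always true and dump every booking.
DUMP_ALL = "' OR '1'='1"

# Payload 2: close the string, UNION in a different table with the same column count,
# and comment out the rest of the original query.
EXFIL_STAFF = "' UNION SELECT username, password_hash, role FROM staff --"


if __name__ == "__main__":
    db = build_db()
    print("legitimate:", lookup_safe(db, "TW3-1002"))
    print("vulnerable + DUMP_ALL:", lookup_vulnerable(db, DUMP_ALL))
    print("vulnerable + EXFIL_STAFF:", lookup_vulnerable(db, EXFIL_STAFF))
    print("safe + DUMP_ALL:", lookup_safe(db, DUMP_ALL))
    print("safe + EXFIL_STAFF:", lookup_safe(db, EXFIL_STAFF))
```

The UNION payload is the shape of attack that turns a harmless lookup form into a route to card or credential tables: the attacker only needs a query whose column count they can match. The parameterised version returns nothing for either payload because the whole string is treated as a booking reference to compare against, not as SQL.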
A direct victim of the infamous and widespread Heartbleed flaw in OpenSSL, the compromise allowed hackers to access anything up to 1.5 million user accounts on the hugely popular Mumsnet site, its owners revealed.
Although the data inside these accounts was less sensitive than in some of the other breaches here, the incident showed both the potency of big but undiscovered software flaws affecting many sites at once and that even big brands could be caught by them.
An unusual example of the insider attack: the attacker published details of supermarket Morrisons’ entire workforce database online, 100,000 employees in all. An employee was eventually arrested for the incident and will presumably come to court at some point, which could reveal more details of how the firm’s security was bypassed. Insider incidents are rare but particularly feared because they abuse privileged access that is hard to lock down. Some employees later launched legal action against Morrisons.
It seems hard to pin down just one data breach spawning from Yahoo’s 22 years in business. Last year appeared to unearth a mammoth lack of security on Yahoo’s part with reports uncovering a breach affecting over 500 million Yahoo user accounts during 2014.
Another data breach was reported dating back to 2013, in which an unprecedented 1 billion user accounts were thought to have been affected, creating the largest ever recorded information breach. It’s believed that names, email addresses, telephone numbers, security questions (both encrypted and unencrypted) and their answers were exposed during the breach.
Yahoo is now facing numerous lawsuits after being criticised for not disclosing this information sooner, impacting its sale to Verizon, which reduced its bid by $350 million from the initial $4.8 billion price tag.
Most recently, Yahoo revealed this week that 32 million user accounts were compromised in the last two years. The accounts were said to have been accessed using forged cookies which enable an intruder to access an account without its password.
And while it’s not a UK-based company, Yahoo has a large number of UK customers, which its data breaches have impacted.
Brighton and Sussex University Hospitals NHS Trust
The Information Commissioner (ICO) ended up imposing a fine of £325,000 after sensitive patient data of thousands of people was discovered on hard drives sold on eBay.
An investigation found that at least 232 de-commissioned drives that should have been deep cleaned and destroyed by a contractor ended up being sold second hand.
Sony PlayStation Network
The largest data breach in history at the time, Sony’s disastrous 2011 breach saw hackers make off with the customer records of 77 million people relating to its PlayStation Network, including a small number revealing credit card numbers.
Apart from downing the company’s systems for an extraordinary 23 days, the breach crossed national frontiers, affecting people from all over the world, including the UK.
Britain’s ICO eventually issued a £250,000 fine for what will go down as the first big data breach to affect people across the globe.
Sales staff at T-Mobile were caught selling customer records to brokers, who used the information to market to those customers as their contracts were coming to an end. It was never clear how many records were involved in this murky insider trade, but it was believed to run from half a million to millions. Initially, the ICO refused to name the firm but was forced to after rival networks said they were not involved, leaving only one name.
In 2011, the two employees involved were fined £73,000 by the courts.