Share this
Top 5 Worst Security Breaches of 2018
by Josh Lamb on Jul 28, 2019 12:00:00 AM
As we start the third fiscal quarter of 2019, it’s important to look back and learn from mistakes made last year. 2018 was rife with security breaches that put millions at risk of having their sensitive information exposed. Chances are you’ve heard of one or two high profile breaches from last year, but others might surprise you. All in all, there were over 1,200 data breaches in 2018 alone, with more compromised records being released per breach than ever before. Some breaches happened due to an organizational oversight, and some occurred because hackers took advantage of vulnerabilities in a site’s security.
Let’s take a look at the top 5 worst breaches of 2018 to see what went wrong.
1. Exactis: 340 Million Records Breached
If you’ve never heard of Exactis LLC before, you are not alone. This Florida-based data aggregation firm experienced a major data breach in June 2018 that exposed 340 million records, including email addresses, home addresses, and phone numbers. How did this happen? In short, Exactis uses cookies to collect user information from across the web. This sensitive information was kept on a publicly accessible server without any firewall. Exactis came under fire for its lack of proper security, especially considering the depth of information in the company’s possession. A New York law firm even filed a class action lawsuit against the LLC for failing to take adequate steps to protect sensitive information.
2. Under Armour/MyFitnessPal: 150 Million Records Breached
Under Armour’s fitness app, MyFitnessPal, discovered a breach of approximately 150 Million records in March 2018 that exposed usernames, emails, and passwords. This all happened because of weak security algorithms. It is standard security practice to secure passwords through a process known as “hashing”, where the original password is rendered unintelligible. When a user enters their password, it is then matched to the hash in the database. Unfortunately, Under Armour used a hashing function known as “SHA1”, which has been deemed vulnerable for over a decade.
3. British Airways: 380,000 Records Breached
In September 2018, British Airways revealed that personal and financial details of customers had been compromised by hackers. In this case, names, email addresses, and credit card information were stolen–including CVV numbers and expiration dates. This put customers at risk of dealing with unauthorized transactions. British Airways claims to not store CVV numbers, which is prohibited, leading security experts to speculate that hackers were able to obtain this information by intercepting a website script. This indicates either that their booking site or a third-party provider was compromised. This attack reinforces the need for companies to keep a close watch on “dependencies”, which is industry slang for third party code which is used in a company’s software.
4. Panera Bread: 37 Million Records Breached
In April 2018, Panera Bread Company revealed that its website had been leaking millions of records exposing customer information including names, addresses, birthdays, and the last four digits of credit cards. Moreover, these leaks took place for at least eight months before reaching a resolution, despite a tip-off from a concerned security expert and constant follow-up. The data could be found for any user who had signed up for a Panera account, accessible in plain text and easily searchable by automated tools.
5. DNSpionage : Unknown Number of Records Breached
Though by the end of the year many companies, government agencies, and other organizations had already been hit by major security breaches, there was still trouble to come. Near the end of November 2018, Cisco Talos discovered a cyber-espionage scheme targeting Lebanon and the United Arab Emirates (UAE) through .gov domains. Hackers were able to hijack DNS servers for their target and redirect all email and VPN tracking to their a domain under their control. With this access, hackers were able to get further access that allowed them to decrypt email and VPN credentials. Experts urge organizations to pay close attention to their DNS infrastructure to help combat DNS attacks, but this level of defense is often taken for granted.
What Can We Take Away From 2018’s Security Troubles?
One thing that these 5 breaches have in common is that they demonstrate the importance of protection against online threats. Cyber attacks on organizations are on the rise—particularly phishing and ransomware attacks—and they can come from all sides. This list illustrates how information was made vulnerable by using outdated security methods, as well as how hackers are using more sophisticated methods to gather information. Without taking the proper precautions, organizations are putting themselves and their customers at risk. Knowing this, companies must take precautions against vulnerabilities.
Small-midsize businesses (SMBs) are particularly vulnerable because they often assume that cybersecurity is only for the “big guys”. However, attackers view SMBs as easy prey. First, because they are often more lax with implementing security measures. Second, because they often lack the IT resources and budget of larger organizations.
DNSFilter recognizes the importance of accessible solutions for preventing security risks. We believe that security is a prime issue, but it doesn’t need to come at a premium price. By utilizing DNSFilter to protect against online threats, your organization is adding a vital layer to its security toolbelt at a time when protecting information isn’t only important, but imperative.
Want more lists of data breaches? Check out our list of the biggest data breaches in 2020.
Share this
Categories
- Featured (264)
- Protective DNS (21)
- IT (15)
- IndyCar (9)
- Content Filtering (8)
- Cybersecurity Brief (7)
- IT Challenges (7)
- Public Wi-Fi (7)
- AI (6)
- Deep Dive (6)
- Malware (4)
- Roaming Client (4)
- Team (4)
- Compare (3)
- MSP (3)
- Phishing (3)
- Tech (3)
- Anycast (2)
- Events (2)
- Machine Learning (2)
- Ransomware (2)
- Tech Stack (2)
- Secure Web Gateway (1)
Customer experience is the secret sauce that sets successful Managed Service Providers (MSPs) apart from the rest. In a market teeming with competition, you need to offer more than the best technology or the lowest prices. It's about how clients feel when they interact with your services. A stellar customer experience can transform a one-time client into a loyal advocate, while a poor one can send them running to your competitors. According to a ...
In July I published a blog on the DNSFilter website where I looked closely at our passive DNS data, highlighting early election trends in relation to threat domains.
The Children's Internet Protection Act (CIPA) is a critical law designed to ensure that students are protected from harmful online content. It requires schools and libraries to implement Internet safety measures, such as filtering and monitoring, to safeguard minors. Compliance with CIPA is essential for institutions seeking E-Rate program discounts for Internet access and internal connections.