Top 5 Worst Security Breaches of 2018

As we start the third fiscal quarter of 2019, it’s important to look back and learn from mistakes made last year. 2018 was rife with security breaches that put millions at risk of having their sensitive information exposed. Chances are you’ve heard of one or two high-profile breaches from last year, but others might surprise you. All in all, there were over 1,200 data breaches in 2018 alone, with more compromised records being released per breach than ever before. Some breaches happened due to an organizational oversight, and some occurred because hackers took advantage of vulnerabilities in a site’s security.

Let’s take a look at the top 5 worst breaches of 2018 to see what went wrong.

1. Exactis: 340 Million Records Breached

If you’ve never heard of Exactis LLC before, you are not alone. This Florida-based data aggregation firm experienced a major data breach in June 2018 that exposed 340 million records, including email addresses, home addresses, and phone numbers. How did this happen? In short, Exactis uses cookies to collect user information from across the web. This sensitive information was kept on a publicly accessible server without any firewall. Exactis came under fire for its lack of proper security, especially considering the depth of information in the company’s possession. A New York law firm even filed a class action lawsuit against the LLC for failing to take adequate steps to protect sensitive information.

2. Under Armour/MyFitnessPal: 150 Million Records Breached

Under Armour’s fitness app, MyFitnessPal, discovered a breach of approximately 150 million records in March 2018 that exposed usernames, emails, and passwords. This all happened because of weak security algorithms. It is standard security practice to secure passwords through a process known as “hashing”, where the original password is rendered unintelligible. When a user enters their password, it is hashed and then matched to the hash in the database. Unfortunately, Under Armour used a hashing function known as “SHA1”, which has been deemed vulnerable for over a decade.
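The following is an added example, not code from Under Armour or from the original article: it puts a single unsalted SHA-1 pass next to a salted, deliberately slow hash, and upgrades legacy records the next time a user logs in successfully. The function names, the record format and the choice of PBKDF2-HMAC-SHA256 with this iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware
PREFIX = "pbkdf2_sha256"     # hypothetical record tag used by this example


def legacy_sha1(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-1 pass.

    Identical passwords always give identical hashes, so one guess can be
    checked against every account in a leaked table at once.
    """
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Stronger scheme: a random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PREFIX}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check a login attempt and return (ok, record_to_store).

    A legacy SHA-1 record is replaced with a PBKDF2 record on the first
    successful login, so weak hashes age out of the database over time.
    """
    if stored.startswith(PREFIX + "$"):
        _, iterations, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    if hmac.compare_digest(legacy_sha1(password), stored):
        return True, hash_password(password)
    return False, stored


if __name__ == "__main__":
    old_record = legacy_sha1("correct horse")  # constructed sample password
    ok, new_record = verify_and_upgrade("correct horse", old_record)
    print(ok, new_record.split("$")[0])
```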

3. British Airways: 380,000 Records Breached

In September 2018, British Airways revealed that personal and financial details of customers had been compromised by hackers. In this case, names, email addresses, and credit card information were stolen, including CVV numbers and expiration dates. This put customers at risk of unauthorized transactions. British Airways claims not to store CVV numbers (storing them is prohibited), leading security experts to speculate that hackers were able to obtain this information by intercepting a website script. This indicates that either their booking site or a third-party provider was compromised. This attack reinforces the need for companies to keep a close watch on “dependencies”, which is industry slang for third-party code used in a company’s software.

4. Panera Bread: 37 Million Records Breached

In April 2018, Panera Bread Company revealed that its website had been leaking millions of records exposing customer information including names, addresses, birthdays, and the last four digits of credit cards. Moreover, these leaks took place for at least eight months before reaching a resolution, despite a tip-off from a concerned security expert and constant follow-up. The data could be found for any user who had signed up for a Panera account, accessible in plain text and easily searchable by automated tools.

5. DNSpionage: Unknown Number of Records Breached

Though by the end of the year many companies, government agencies, and other organizations had already been hit by major security breaches, there was still trouble to come. Near the end of November 2018, Cisco Talos discovered a cyber-espionage scheme targeting Lebanon and the United Arab Emirates (UAE) through .gov domains. Hackers were able to hijack DNS servers for their targets and redirect all email and VPN traffic to a domain under their control. This gave the hackers further access that allowed them to decrypt email and VPN credentials. Experts urge organizations to pay close attention to their DNS infrastructure to help combat DNS attacks, but this level of defense is often taken for granted.

What Can We Take Away From 2018’s Security Troubles?

One thing that these 5 breaches have in common is that they demonstrate the importance of protection against online threats. Cyber attacks on organizations are on the rise—particularly phishing and ransomware attacks—and they can come from all sides. This list illustrates how information was made vulnerable by using outdated security methods, as well as how hackers are using more sophisticated methods to gather information. Without taking the proper precautions, organizations are putting themselves and their customers at risk. Knowing this, companies must take precautions against vulnerabilities.

Small-to-midsize businesses (SMBs) are particularly vulnerable because they often assume that cybersecurity is only for the “big guys”. However, attackers view SMBs as easy prey: first, because they are often more lax with implementing security measures, and second, because they often lack the IT resources and budget of larger organizations.

DNSFilter recognizes the importance of accessible solutions for preventing security risks. We believe that security is a prime issue, but it doesn’t need to come at a premium price. By utilizing DNSFilter to protect against online threats, your organization is adding a vital layer to its security toolbelt at a time when protecting information isn’t only important, but imperative.

Want more lists of data breaches? Check out our list of the biggest data breaches in 2020.

Get a free trial of DNSFilter today.
