Data Breach Trends of 2018

By Catherine Traini | January 16 2019

It seems almost inevitable these days that data breaches will happen, even to governments and companies with seemingly more than enough money for strong cybersecurity. Still, there are lessons to be learned from every breach, and far better to learn from the mistakes of others than your own. Instead of just looking at the largest breaches of last year by size, this review will take a quick look into some noteworthy trends and lessons-learned as we start 2019.

#1: The Data Mines

                      Image result for facebook                           Image result for google+

                      50 Million Accounts Exposed                  Nearly 53 Million Users Affected

The abundance of personal information stored by social media companies make them among the richest targets for hackers on the Internet. These data mines know they are aggressively targeted and therefore have well-establish cybersecurity teams and practices. The biggest takeaway from the data exposures experienced by Facebook and Google+ is the privacy conversation around the data retention and management policies that have been sparked, especially with the advent of the UK's GDPR regulation.

#2: Health Without Safety

Image result for myfitnesspal Image result for Pumpup Image result for Strava
150 million records breached 6 million records breached Sensitive military locations revealed

 

Image result for myheritage
113.5 million records breached 92 million records breached

2018 saw breaches of multiple fitness tracking apps and software, through mobile applications, tracking software for gyms and wellness scheduling. With the rise of smart watches, Fitbits, and other wearable devices that help track or evaluate physical health, there is a large amount of data on people’s physical health being held by these companies. Although MyHeritage, a DNA testing company, is in an entirely different industry, there’s an important connection between all of them: all are outside of the health care industry, potentially holding important personal information on your health, without the legislative oversight which applies to the health care industry.

#3: Security? Why Bother?

                Image result for exactis        Image result for localblox

                   340 million records breached                     48 million records breached

                 Image result for veeam                     Saverspy

                      445 million records breached                      11 million records breached

The common thread between these data breaches is that not a single one of these companies was hacked. All four exposed this information themselves by misconfiguration of cloud-based servers that allowed anyone download the contents, instead of allowing that access only to its employees. In the particularly egregious case of Exactis, a server was uploaded without any firewall or security at all.

 

#4: Still In It For The Money

Related image         Image result for saks 5th avenue lord and taylor logo       Image result for delta

37 million records breached      5 million records breached          Unknown number 

       Image result for orbitz logo   Image result for british airways logo

              880,000 records breached                               380,000 records breached

Only a few years ago, cybercrime was primarily related to financial data, with attackers mostly interested in unearthing credit card numbers to use or sell. Now cybercrime seems to revolve around phishing, with personal information as their main currency. This hardly means financial malware is no longer a threat, just that criminals are always looking for the easiest target. Still, as these breaches illustrate, compromising payment information is still a focus for many criminals. Older breaches of stores tended to be targeted at point-of-sale systems, using malware that quietly collected credit card information as people shopped (think of the Target breach). More modern breaches frequently employ phishing, seeking to compromise an employee with access to the financial systems instead of the system itself.

 

#5: Good Enough for Government Work

Image result for iran flag Image result for china flag Image result for russia flag
300+ universities and other targets hacked Marriott breach of 500 million records Infiltration of US power companies

If the past few years have proven anything about hacking to the governments of the world, it’s that the return on investment is amazing. An oversized political and financial impact can be gained by a comparatively modest investment compared to flexing political or military muscle. Think of Russia, which doesn’t have the budget to posture militarily as much as they used to but have had considerable foreign policy impacts through underhanded means like disinformation campaigns and carefully targeted phishing. On the other hand, Iran’s current actions have made it clear they’ve learned that hacking is considerably cheaper than research and development, stealing billions of U.S. dollars’ worth of intellectual property. China’s alleged breach of Marriott, which took place back in 2014 but only came out recently, illustrates how financial and personal data are all too frequently held by the same targets. Marriott, the top hotel lodging provider to the U.S. Government, was likely targeted for its clientele’s personal information and that of the U.S. Government, but they were able to steal a great deal of Marriott’s financial data in the process.

 

Recent Posts