It’s fair to say that 2018 has been the year of the data breach. Billions of people around the world have had their personal data stolen or exposed, and there has been a notable increase in the frequency and severity of breaches taking place.
A recent report conducted by digital security company Gemalto, revealed that 945 data breaches led to a staggering 4.5 billion data records being compromised in the first half of 2018. This is the highest number of breaches ever recorded in a single six-month period and a 133% increase since the same time last year.
Regulators across Europe, including the UK’s Information Commissioners Office, have noted a steep increase in the number of data breaches being reported since the GDPR came into force on the 25th May.
Under the GDPR, organisations are now duty bound to report any data breaches to the relevant authorities within 72 hours of detection or face hefty fines of up to 4% of annual global turnover or 20 Million Euros.
The new legislation will ensure greater levels of transparency, accountability and responsibility in how organisations are storing and using personal data.
Data is a valuable commodity and cybercriminals are keen to capitalise on this data to make money and commit fraudulent activities. Identity theft is the main driver behind all attacks and accounts for 65% of breaches and over 3.9 billion of the compromised data records this year.
External hackers have been behind the majority of all data breaches and Phishing remains the number one attack method. 72% of data breaches are related to employees receiving phishing emails, closely followed by accidental loss of data.
Data breaches have affected every industry and corner of the world and below are 5 examples of the most prominent security breaches to have hit the headlines this year:
In one of the largest data breaches in history, Florida based marketing and data aggregation firm Exactis, exposed a database containing nearly 340 million individual records.
The breach was discovered in June when a security researcher found the data exposed on an unprotected server that allowed public access. The data included 230 million consumer records and 110 million business contacts. The number represented essentially every adult in the United States of America.
The data didn’t contain social security numbers or credit card information. However, it did include other types of Personally Identifiable Information (PII) such as phone numbers, home addresses, and email addresses. All the information needed by a criminal to commit identity theft.
Each consumer record also contained more than 400 variables that could be used to build a detailed personal profile of the individual. This included information such as hobbies, purchasing habits, marriage status, religious and political affiliations, vices and pet ownership.
In September 2018, Facebook announced that an attack on its computer network exposed the personal data of over 50 million users. According to Facebook, hackers were able to gain access to the system by exploiting a vulnerability in the code used for the ‘View as’ feature.
Once this feature was exploited, the attackers were able to steal ‘access tokens’, which could be used to take over user’s accounts and gain access to other services. The breach also affected third party apps connected to Facebook, and as a precautionary measure, the company logged 90 million users out of their accounts and reset the access tokens.
The security breach is the largest in the company’s 14-year history and topped off a very turbulent year which saw the company deal with the fallout from the Cambridge Analytica scandal and the ongoing allegations that the platform was used in Russian disinformation campaigns.
The Irish Data Protection Commission has subsequently opened a formal investigation into the breach which could result in a fine of up to $1.63bn for the social media giant.
3. Cathay Pacific
Hong Kong based airline Cathay Pacific suffered the world’s biggest aviation security breach after the data of up to 9.4 million passengers was exposed.
The breach was announced in October but took place in March this year when hackers gained access to 860,00 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 card numbers with no CVV card verification codes.
Full data exposed in the breach included passenger names, nationality, date of birth, address, telephone number, email address, passport number, identity card number, frequent flyer membership number, customer service comments noted on accounts and historical travel information.
The airline faced severe criticism for its 7-month delay in reporting the breach and Hong Kong's privacy commissioner has since launched a compliance investigation, stating the carrier may have violated privacy rules.
4. Dixons Carphone
In June 2018, Dixons Carphone revealed a major data breach involving 5.9 million bank cards and the personal data of up to 10 million customers. The hacked data included names, addresses and email addresses.
The electronics retailer announced that in a review of its systems, it uncovered an attempt to gain unauthorised access to 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel Stores.
The group said there was no evidence of fraud as the majority of cards were protected by Chip and Pin and card verification value (CVV) systems, however around 105,000 non-EU cards without Chip and Pin were compromised in the attack.
When the group first reported the breach, they estimated that the data of up to 1.2 million customers was compromised, but the number has now jumped up to ten times more than initially thought.
5. British Airways
In yet another attack on the aviation industry, British Airways announced that a major security breach had exposed the personal data of 380,000 customers. The airline confirmed that over a two-week period, the personal and financial details of customers making or changing bookings had been compromised.
The breach took place between 21 August and 5 September 2018, and within this time frame, hackers were able to gain access to names, addresses, email addresses, credit card numbers, expiry dates and security codes. Travel and passport details were not affected by the breach.
The airline recently disclosed that the data of a further 185,000 customers who made reward bookings between 21 April and 28 July was also exposed, bringing the total number of affected customers to 565,000.
MetaCompliance specialises in creating the best Cyber Security awareness training available on the market. Our products directly address the specific challenges that arise from cyber threats and corporate governance by making it easier for users to engage in Cyber Security and compliance. Get in touch for further information on how we can help transform Cyber Security training within your organisation.