Year of the data breach: 2018 in review

    2018 proved to be the year of the data breach.  

    Throughout the year it seemed nearly routine that a different company was having to come forward to notify its customers that their user data may have been compromised, and that personal information had been left exposed. 

    Of course, those are just the data breaches that the public even knows about, the ones that have made headlines; many more have happened that will never get any ink in the press. The reality is that no one who collects data about its customers is safe from a potential attack, and hackers are busier than ever trying to mine valuable data out of any organization or company they think shows signs of vulnerability to a breach.

    Large hotel chains, government agencies, social media giants, credit bureaus, health insurance companies, retailers – you name it, they all were hit in 2018. And because of this far-flung intrusion into personal information, there are literally millions of victims of data breaches who are none the wiser about what has happened to them.

    This has turned out to be an alarming era in which too many companies have shown themselves unprepared or even reckless with protecting customer data. So, in an effort to be proactive about protecting user privacy, Golden Frog’s VyprVPN came to the decision to become a No Log VPN service. The transition to No Log means that VyprVPN not only offers users encryption for data shared over the internet, but also does not record or retain any service usage data from our users.

    Here’s a look back at some of the most egregious data breaches of the year, and why they have been a wake-up call for both companies and the general public about why more has to be done to protect customers with reliable encryption.

     

    Quora  

    Breach announced: December 3, 2018 

    Breach details: The crowdsourced question and answer website Quora sheepishly announced that no less than 100 million of their users had their account information exposed to potential misdeeds. The breach is thought to have compromised email addresses, user names, encrypted passwords, as well as any data that users authorized Quora to import from social media platforms such as Facebook. Direct messages were also thought to have been hacked.

    All Quora users were promptly directed to change their passwords and to be diligent about safeguarding themselves from any potential phishing scams in their email boxes since their Quora account information was potentially at large. 

     

    Marriott Hotels 

    Breach announced: November 30, 2018 

    Breach details: Marriott International saw their customers compromised in one of the most serious corporate data breaches in history when as many as 500 million of their guests had their personal information swiped. The breach is believed to have occurred slowly, beginning in 2014 and being halted on September 10, 2018. Among the data thought to have been stolen were guest names, personal mailing addresses, phone numbers, email addresses, passport numbers, guest account information, birthdates, gender, arrival and departure information, reservation dates, and even communication preferences (which would aid a potential scammer in contacting a victim). Some unlucky guests also had their encrypted payment card numbers and payment card expiration dates exposed to fraudsters.

     

    Facebook 

    Breach announced: September 28, 2018 

    Breach details: Facebook announced that at least 50 million user accounts had been compromised. Details are still being learned about what exactly fell into unwelcome hands during the breach, and to what extent that user data was violated. Facebook is continuing to investigate, and hopefully they’ll be completely transparent about what they find out. In any event, the tech giant felt compelled to reset 90 million user accounts as a precaution.

     

    T-Mobile 

    Breach announced: August 28, 2018 

    Breach details: Over 2 million T-Mobile customers had their personal information left vulnerable to hackers. The breach saw personal information such as customer names, billing zip codes, phone numbers, email addresses, account numbers, and other billing data left exposed. The company was able to combat the breach in time to secure sensitive data such as user passwords and social security numbers from being stolen.

     

    Panera Bread 

    Breach announced: April 6, 2018 

    Breach details: More than 7 million Panera Bread customers are estimated to have had their ordering data swiped. Any customers who ordered online, or who used MyPanera in the 8 months leading up to the breach potentially had their names, email addresses, physical addresses, birthdates, and even their ordering habits, as well as the last four digits of their payment card exposed to potential fraud. 

     

    Google+ 

    Breach announced: March 1, 2018 & November 7, 2018 

    Breach details: In March Google announced it would be discontinuing Google+ after a Wall Street Journal article made the public aware of a software glitch within the platform that had exposed the personal profile data of more than 500,000 Google+ users. It happened again in November when Google was bombarded by a second data breach that exposed the information of 52.5 million users. Google has since announced intentions to shut down Google+ permanently by April of 2019, thus ending Google’s attempt to create a social media platform. 

     

    Saks Fifth Avenue 

    Breach announced: April 1, 2018 

    Breach details: Posh retail giants Lord & Taylor, Saks Fifth Avenue, and Saks OFF 5th fell victim to a sizeable data breach of their customer base on Easter. No less than 5 million customer credit and debit card numbers are thought to have been compromised. An audit of the breach estimates that every single North American location was put at risk. 

     

    MyFitnessPal 

    Breach announced: March 30, 2018 

    Breach details: In the spring, the popular fitness app MyFitnessPal found out that 150 million user accounts were breached. Among the personal information put at risk was data about users’ step counts and diets, along with usernames, email addresses, and passwords. The company was hopeful that payment information was spared by hackers but was never able to verify it.

     

    Orbitz 

    Breach announced: March 30, 2018 

    Breach details: The digital travel booking site Orbitz learned that hackers had accessed more than 880,000 credit and debit cards used by customers on their website. In addition to the payment card information, personal information such as birth dates, phone numbers, and email and billing addresses were all left exposed by the data breach.  

     

    Aadhaar

    Breach announced: March 7, 2018 

    Breach details: More than 1.1 billion Indians saw their private information compromised, including their 12-digit ID numbers (the Indian equivalent of a Social Security number), and sensitive information such as bank account numbers and passwords. India’s government ID database, which is used to store a host of specific personal information about citizens, was left exposed by a state-owned utility company called Indane. The fellow arm of government had failed to properly secure the software it used to access the database, and inadvertently gave access to Aadhaar information to anyone who was trying to get hold of it.

     

    Preventing future breaches 

    We understand why some companies store user data to help improve customer service, but they better wise up when it comes to how they choose to do it, because no one signs up to have their private information given away to hackers on a silver platter. Taking proper steps to protect customers from cyber-criminals should be a top priority for 21st-century companies. By mandating the encryption of all data transmissions, companies can help safeguard any data while it is in transit, which, in concert with encrypted company email and employing a VPN for any Wi-Fi networks, can only help make things harder for hackers.

    Whether it’s severely modifying the way they store user data and further restricting internal access to it, or making sure they dump data after a certain timeframe, companies should feel absolutely obligated to make sure the sour record of data breaches in 2018 is never ever repeated again. And consumers should feel free to make sure businesses are paying attention, because if there’s one thing that will get a corporation’s attention more than a data breach, it’s a data breach that costs them customers.