Cybersecurity Breaches of 2018 (So Far)
With Cybersecurity Awareness Month in full swing, what better time to note some of the data breaches that made headlines in 2018 (so far!).
A cybersecurity breach, or data breach, is the exposure of private information to an untrustworthy environment. These companies either experienced or discovered a breach in 2018, as sometimes significant time can pass before a breach is discovered.
1.) Macy's and Bloomingdale's
In July 2018, Macy's was in the spotlight for a cybersecurity breach that occurred between April 26 and June 10, 2018. The suspicious activity was discovered on June 11. Macy's stated that hackers had gained access to customers' names and passwords, and potentially to credit card information, including expiration dates. This breach allegedly affected only 0.5% of registered macys.com and bloomingdales.com (Macy's sister chain) users. Macy's and Bloomingdale's investigated the matter and addressed the cause by implementing additional security measures.
2.) Saks and Lord & Taylor
Hudson's Bay Company, owner of the popular department stores Saks and Lord & Taylor, also suffered a data breach that exposed data on credit cards used in-store in North America. The breach was announced in late March of 2018. According to the New York Times, the hackers gained access to over five million credit and debit card numbers. The data was stolen by malware implanted in the cash register systems at the stores. The breach lasted nine months in total, though the company claimed there was no longer any risk as of late April 2018. In its official statement, Hudson's Bay Company acknowledged the breach and took steps shortly afterward to contain it. It offered those affected by the breach free identity protection services, as well as credit and web monitoring.
3.) Sears and Delta
A service provider for both Sears and Delta called 7.ai suffered a breach that exposed the information of thousands of Sears and Delta customers who made purchases online between September 27 and October 12 of 2017. Delta claimed that the malware on 7.ai's system may have exposed several hundred thousand users' payment data, but only data that was manually typed in; data auto-populated from saved credit cards was not affected. Delta also assured customers that no passport or government identification was impacted. 7.ai refused to provide the names of other clients that were affected, leaving it to those clients to come forward on their own.
4.) Under Armour
MyFitnessPal, a popular fitness app owned by Under Armour, learned of a breach on March 25th, 2018. According to Under Armour's official statement, "an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018." On March 29th, MyFitnessPal contacted users regarding the breach and required them to update their passwords. The breach affected 150 million users' usernames, email addresses and passwords, but luckily no payment information was affected. In June, MyFitnessPal was sued by a user for breach of contract, negligence, invasion of privacy and violation of certain data privacy laws in California.
5.) Universities and Colleges
2017 saw a dramatic increase in university and college data breaches, which continued into 2018. In March 2018, the Department of Justice charged nine Iranian hackers over attacks on more than 300 universities worldwide, including 144 US universities. These bad actors also targeted the United Nations, the US Federal Energy Regulatory Commission, and the states of Indiana and Hawaii. The hackers stole over $3 billion worth of data, using spear phishing emails to trick university affiliates into providing their university login and password information. At Eze, we often talk about the importance of phishing and social engineering training for employees; see our recent webinar on the topic.
6.) Panera Bread
Panera was in hot water this year due to a data breach that actually happened, and was discovered, in 2017. Although the company became aware of the data breach in 2017, it didn't alert customers or fix the bug, allowing the data exposure to continue into April of 2018. The panerabread.com website was breached, exposing data from the loyalty program, which included customer names, email addresses, street addresses, birthdays and the last four digits of payment cards. The cybersecurity researcher who found the vulnerability in 2017 contacted the company and was ignored for months, which led him to go public, exposing Panera and its lack of response to the breach. This became one of the best examples of how NOT to handle a data breach.
7.) Last, but definitely not least, Facebook
Another company that has found itself in hot water this year is Facebook, for not one, but two data breaches.
Facebook's first data breach of 2018 was announced in March, but actually occurred in 2013. According to Facebook, a researcher gained access to 270,000 users' information through a personality quiz. He then passed the information on to Cambridge Analytica, which sold the psychological profiles of Americans to political campaigns in hopes of influencing the 2016 election. In April of 2018, Mark Zuckerberg, Facebook's founder and CEO, faced the United States Senate to address the scandal as well as the overarching issues of privacy and security on Facebook.
The latest attack, which was discovered only last week, compromised data from nearly 50 million accounts and exposed data on an additional 40 million. We still don't have all the details on this latest breach: it is still undetermined who is responsible, who was affected, and exactly what data was stolen.
All this said, it is crucial to note that not all cybersecurity incidents are the same. They range in severity, and the appropriate response will vary with the situation. To learn more about the policies and procedures around cybersecurity incidents and breaches, register for our webinar on October 18th, Cybersecurity Incident Response: Before, During and After.