We had reported earlier how the first quarter of 2018 was quite significant in terms of data breaches and cyber attacks. Well the second quarter didn’t disappoint either. The total number of 2018 breaches identified by the ITRC as on 14th August, 2018 is around 790 data breaches and the total number of records exposed has crossed more than 27 million records (27,318,503 to be precise).

The following comprises of the more significant data breaches and cyber attacks of Q2 2018.

Facebook

Date disclosed: March 17, 2018

Date of occurrence: Facebook said it had learned of the misuse in 2015 but failed to notify the public before mid of March 2018.

In various statements by Facebook and its executives, the company has claimed that there was no “data breach” involved, but that user data was used in an unauthorized manner by Cambridge Analytica. This distinction is important for legal and ethical reasons.

(Image Source)

What exactly happened?: Cambridge Analytica is accused of improperly gaining access to the personal data of more than 50 million Facebook users. Mark Zuckerberg said that the research firm had received the data from Cambridge University researcher Aleksandr Kogan, whose psychology quiz app collected data from nearly 300,000 Facebook users and their friends.

Zuckerberg on Cambridge Analytica: ‘We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you’. (Source)

Panera Bread

Date disclosed: April 2, 2018

Date of occurrence: KrebsOnSecurity had first learned about the Panera Bread breach on April 2nd, 2018 after being contacted by security researcher Dylan Houlihan, who said he initially notified Panera about customer data leaking from its Website back on August 2, 2017.

Exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated that the Panera Bread site was still leaking customer records in plain text. The worst part was that the records could be indexed and crawled by automated tools with very little effort.

What exactly happened?: In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with Houlihan.

Almost minutes after story was published on KrebsOnSecurity, the company gave a statement to Fox News downplaying the severity of the data breach and stating that only 10,000 customer records were exposed. Though the true number is believed to have exceeded 37 million records.

Under Armour

Date disclosed: April 4, 2018

Date of occurrence: Touted as one of biggest data breaches and cyber attacks of 2018, the Baltimore company disclosed that an intruder grabbed the email addresses and login information during a February break-in affecting about 150 million users of MyFitnessPal – its food and nutrition website.

What exactly happened?: Under Armour says the hacker didn’t obtain any payment information, Social Security numbers or driver’s license numbers. That means this break-in is unlikely to require credit and debit cards to be replaced or raise the specter of identity theft, as happened with big breaches affecting retailer Target and credit reporting agency Equifax that resulted in the departures of their CEOs. Still, Under Armour says it is requiring all MyFitnessPal users to change their passwords.

Cyber security experts say health information, like the kind stored in My Fitness Pal, is fast becoming more valuable than credit cards to hackers. Stolen health identities can lead to fraudulent insurance claims that yield thousands of dollars or drugs.

Aadhaar Seeding Portal

Date disclosed: May 2, 2018

Date of occurrence: Back in January, the Aadhaar data breach  was the talk of every town when the database was up for grabs for as little as Rs 500. This time again, it was the center of attention when the Aadhaar-seeding portal of the Employees’ Provident Fund Organisation (EPFO) was shut down, after the Intelligence Bureau (IB) flagged concerns of possible data theft by hackers.

In a letter dated March 23 2018, central provident fund commissioner V.P. Joy wrote to Common Service Centre (CSC) CEO Dinesh Tyagi, warning him that data may have been stolen by hackers through the ‘aadhaar.epfoservices.com’ website.

What exactly happened?: “It has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO,” the letter, which makes reference to an IB note warning of data theft on the same issue. Possible data that was expected to be leaked included the Aadhaar numbers, demographic information and employment details of millions of formal sector employees.

Commonwealth Bank

Date disclosed: May 2, 2018

Date of occurrence: In what seemed as one of the largest financial services privacy breaches ever to occur in Australia, the Commonwealth Bank lost the personal financial histories of 12 million customers, and the worst part is that they chose not to reveal the breach to its consumers.

The banking statements of customers from 2004 to 2014 were lost by the country’s largest bank when a subcontractor lost several tape drives containing the financial information in 2016.

What exactly happened?: The Backup magnetic tape drives of the financial statements were believed to have been sent to be destroyed. But when a “destruction certificate” for the data wasn’t found on 9 May 2016, the Commonwealth Bank initiated an investigation to find out what happened to the data. The bank notified the  Office of the Australian Information Commissioner (OAIC) – which regulates privacy in Australia – on 20 May 2016 and told the regulator what had occurred.

Ticketfly

Date disclosed: May 31, 2018

Date of occurrence: In late May 2018, Ticketfly was the target of a malicious cyber attack. They discovered unauthorized access to the Ticketfly platform on May 30, 2018.

What exactly happened?: Their internal investigation confirmed that financial information, including credit and debit cards, was not accessed. Information, including names, addresses, email addresses and phone numbers, connected to approximately 27 million Ticketfly accounts was accessed.

MyHeritage

Date disclosed: June 4, 2018

Date of occurrence: Oct 26, 2017

What exactly happened?: On June 4, 2018, the company’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage.

Their Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords. The file was determined to be legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach.


In our continuous efforts to keep businesses and consumers aware and proactive towards the evolving cybersecurity ecosystem, we have curated a list of our best cybersecurity resources that includes the top cybersecurity breaches of this year, industry reports, biggest cybersecurity mergers and acquisitions, billion dollar investment deals, top cybersecurity blogs and influencers to follow and the latest trends and happenings in the cybersecurity world. Here’s the LINK.