We periodically update this post with recent data breach statistics. Now that we’re into 2018, it’s time to look at the top security breaches in 2018, plus review 2017 and previous years.
At Revision Legal, we know that cyber-attacks are a constant threat. The number of data breaches is large and the amount of customers affected is staggering. Data breaches are bad for business and can be even worse for customers.
January 2018: 115 Cyberattacks
Winner: Health South-East RHF, a large healthcare management organization in southeast Norway — 2.9 million patients
On January 8, 2018, hackers or a group of hackers broke into the computer systems of Health South-East RHF, a healthcare organization that manages hospitals in Norway’s southeast region.
The hackers potentially stole — the extent of the theft is still undetermined — patient information on 2.9 million people, which is about half the population of Norway.
The information accessed included all electronically stored patient information including names, addresses, insurance providers and more. See report here.
Honorable Mention: Crypto-Jacking
The turn of the new year saw a new approach to evaluating cybercrime and the rise of a new method of making money from cybercrime – crypto-jacking. With respect to the first, it is being argued that a new approach to evaluating cybercrime is needed.
Rather than viewing cyberattacks through the lens of who has been attacked and what the losses are to the targets, a new focus is on the fact that, for the hackers, cybercrime is “… an extremely lucrative business” and “… a flourishing economy generating a staggering $1.5 trillion in revenues every year.” See recent report and estimate here.
The idea here mirrors the concept of profiling — to combat cybercrime, one must understand the motivations and incentive structures of those committing the attacks.
This focus suggests that cyberattacks will continue unabated because the cybercriminals can make large amounts of money with minimal effort and little risk of being caught/punished. In market-speak, cybercrime is lucrative because there are minimal barriers and low cost to entry, there are few downside risks and there is a high rate of return on investment.
In terms of ways to make money, the report identifies five main methods with a new sixth method on the rise:
- Illicit/illegal online markets — selling what has been stolen (documents, videos, photos, etc.) on various darkweb sites
- Data trading (a distinct subset of the first category) — specifically selling stolen data in various dark-web markets
- Trade secret and intellectual property theft — use of the stolen information
- Cybercrime as a service — being paid to conduct cybercrime for another
- Ransomeware — extortion and ransom moneys paid to restore access where cyberattack locks/encrypts owner’s access to data, files and/or systems
As many know, new bitcoin is released through a process called bitcoin mining. See here.
To successfully mine for bitcoin, one needs substantial computing capacity. Cyrpto-jacking is hacking another’s computer systems to use their systems to mine for bitcoin.
As this article suggests, crypto-jacking is going to be bigger than ransomware. Because of how cyberjacking is set up, it can run almost undetected on a users’ systems for years.
Because the only thing “stolen” is computing capacity and because only “victim” is the user, this crime is very low risk. The user need not report the hack, no customers are affected, etc. Unquestionably, cryptojacking will be on the rise.
February 2018: 133 Cyberattacks
Winner: GitHub’s successful defense of a massive DDoS attac
Sometimes cyberattacks are not intended to make the attackers rich; sometimes the attacks are just destructive or meant punish.
In general, this seems to be the purpose of distributed denial of service (“DDoS”) attacks. The method is to send vast amounts of data and/or data requests to a website/server with the purpose of crashing the system (or at least make the system unuseable for some period of time).
On February 28, 2018, a DDoS attack hit the developer platform called GitHub. The amount of data hitting GitHub was 1.35 terabits per second of traffic. That is/was a massive attack, indeed this report states that the attack was the largest DDoS recorded to date.
As reported, GitHub was able to defend itself by calling in the services of its DDoS mitigation service, Akamai Prolexic. As described, “Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.”
The whole event took about 18 minutes of real time.
Honorable Mention: English actress and model Jorgie Porter
Ms. Porter gets the honorable mention for February 2018 not because her case is unique, but because she became yet another victim of hackers who have been active for several years now and have been targeting celebrities around the world (mostly female actresses and models). The hackers were able to steal Ms. Porter’s intimate pictures and videos and post them online. he hackers do not typically seek money; so the motivations are unclear. But these types of hacks highlight the potentially personal and intimate nature of cybercrime.
March 2018: 98 Cyberattacks
Winner: MyFitnessPal, Under Armour’s food and nutrition app and website — 150 million users affected
On March 25, 2018, MyFitnessPal discovered a massive data breach involving 150 million user accounts.
MyFitnessPal is owned by Under Armour, one of the nation’s largest sports apparel and fitness companies. MyFitnessPal is the company’s food and nutrition application and website.
The breach occurred in late February 2018. Accessed information included usernames, email addresses, and hashed passwords. However, no government-issued identifiers (such as Social Security numbers and/or driver’s license numbers) were accessed since the company does not collect that information from users.
Payment card data was also not affected. See here.
Honorable Mention: United Kingdom National Lottery — 10.5 million users
On March 16, 2018, the National Lottery for the United Kingdom notified 10.5 million users/players of the lottery that a data breach had occurred and that they should change their passcodes.
As of the report, the National Lottery was only able to verify that 150 accounts were actually accessed, but the National Lottery advised all users to change their passwords since the breach accessed names, accounts, and passcodes.
The National Lottery reported that no one suffered a financial loss due to the hack.
April 2018: 99 Cyberattacks
Winner: Saks Fifth Avenue and Lord & Taylor stores — 5 million+ credit card users
In mid-April, Hudson’s Bay Company — the parent company for Saks and Lord & Taylor retail stores — announced that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America.
The entire system for Lord & Taylor was compromised. For the Saks Fifth Avenue stores, only 83 stores were compromised mostly in the New York and New Jersey regions.
The hacking began as far back as the spring of 2017.
Details on five million credit cards/users were offered for sale on the darkweb in late March 2018. Card and user data may have been stolen for millions of more customers. See here.
Honorable Mention: Careem — 14 million users in the middle east
In late April 2018, it was announced by Careem, a ride-sharing app used in parts of the middle east, that a cyber attack compromised the data of 14 million users.
The hack was discovered in January 2018 and involved the loss of names, email addresses, phone numbers, and trip data.
The company reported that no passwords or credit card information was compromised. That information is/was held on external third-party servers not accessed during the attack. See here.
May 2018: 117 Cyberattacks
Winner: 50 small Japanese websites — 200+ million Japanese internet users
In the largest data breach/release so far in 2018, it was reported in early May 2018 that the user data for more than 200 million Japanese internet users were put up for sale on an underground cybercrime forum.
The data was hacked from and assembled from attacks on more than 50 Japanese websites in the retail, food and beverage, financial, entertainment, and transportation sectors.
The data stolen varies somewhat but, in general, the data includes real names, email addresses, dates of birth, phone numbers, and home addresses. The data was hacked from 2016 mostly, but some of the data/information dates as far back as 2013. See report here.
Honorable Mention: Ticketfly website ransomware attack/data leak — potentially 27 million accounts
In mid-May 2018, the Ticketfly website was attacked and an image of V from the film V for Vendetta was placed over the home page.
Ticketfly is a website for buying concert tickets and the like. According to reports, the hacker discovered a vulnerability in the website security and contacted Ticketfly.
The hackers demanded a one bitcoin ransom, but Ticketfly refused to pay.
As a result, the hacker then used the vulnerability to post the image of V, lock the system and then downloaded various spreadsheets and gained access to user information for Ticketfly customers.
Ticketfly has 27 million accounts. The downloaded spreadsheet files contained personal information about thousands of Ticketfly customers and employees of venues that use the service.
Ticketfly has not made public what other information was accessed, but it is assumed that information includes names, home addresses, email addresses, and phone numbers. See report here.
June 2018: 96 Cyberattacks
Winner: MyHeritage — 92 million users compromised
On June 6, 2018, MyHeritage, the genealogy website and DNA testing service, warned that the email addresses and hashed passwords of its customer database has been accessed and had been found on a private server. Approximately 92 million user accounts were affected. See report here.
Honorable Mention:Bithumb Crytocurrency Exchange — $31.5 million of crypto-coins stolen
In mid June 2018, a cyberhack of the South Korean cryptocurrency exchange Bithumb resulted in the theft of $31.5 million worth of virtual coins.
Bithumb gets the honorable mention because theft of virtual coins has seen a huge uptick in 2018.
Every month in 2018, there have been successful cyberattacks against cryptocurrency exchanges resulting in the theft of cybercurrency. I
ndeed, the largest theft took place back in January with $524 million in virtual coins being stolen from Coincheck, a Japanese exchange. See here.
2017 High-Profile Breaches
Cyber-attacks are happening in 2017 at double the rate of 2016. According to Hackmageddon.com, there are dozens of cyber-attacks each month, affecting the personal and user information of literally billions of internet users worldwide.
Below is a list of the biggest 2017 security breaches and hacks month-by-month from records tabulated and compiled by Hackmageddon.com.
January 2017 – 89 Cyber-attacks
Winner: The Big Asian Leak
185 billion customers were affected by these hacks. Technically, these hacks took place from October 2015 to the end of 2016.
However, the data was first offered for sale on the dark web in January 2017 by the vendor “DoubleFlag.” DoubleFlag offered to sell account information hacked from the most popular Chinese websites including NetEase, Inc, 126.com, 163.com, Yeah.net, QQ.com, Tom.com, Sina.com/Sina.com.cn, Sohu.com and eYou.com.
Listed for sale were names, addresses, usernames, passcodes, other personal information and some financial information for 1.85 billion customers — yes, billion. See report here.
The companies owning or running the websites have either denied they were hacked or have refused to comment.
Honorable Mention: DC Police Department
In late January, the District of Columbia Police reported that ransomware was in 70% of the storage devices that record data from D.C. police surveillance cameras eight days before inauguration day.
As reported here, city officials announced that the ransomware incapacitated police cameras between January 12 and January 15 and affected 123 of 187 network video recorders for public spaces across the city.
Law enforcement had to frantically reinstall software for all the cameras in the lead-up to the inauguration.
February 2017 – 76 Cyber-attacks
FunPlus, the company that makes a popular free-to-play mobile game called “Family Farm Seaside,” was hacked, compromising information on 3.3 million users.
The hacker also stole product source code from the company. The hacker reportedly talked to reporters for Vice.com and said: “I decided I’m just gonna publish everything and let their investors see what a joke their security and s**t is.”
Runner-Up: Hitachi Payment Services
Hitachi Payment Services confirmed that, in mid-2016, malware hacked its servers and stole personal and financial data for 3.2 million customers in India including credit card information. This data breach was first reported in February 2017.
The hack was particularly problematic because the malware securely deleted various tracing/tracking information making it impossible to know exactly what data was exfiltrated by the malware.
The breach led to a massive downturn in credit card use and significant damage to revenues and profits.
March 2017 – 64 Cyber-attacks
Winner: Dun & Bradstreet.
According to report, a 52GB database was stolen containing information on 33.7 million people. The data was arranged in searchable fields and contained specific details about each of the people involved from job title to email address, etc.
According to the report, the employees in the database were from thousands of companies and government agencies, representing a large swath of the US corporate and government population.
For example, the Department of Defense had over 100,000 employee records on the database, followed by the US Postal Service with over 88,000. AT&T, Boeing, Dell, FedEx, IBM, and Xerox were among the most named companies in the database, with tens of thousands of employee records each.
The database was used by marketers for targeted email promotions. So the data was not necessarily particularly personal in nature. But it was a sizable and large financial loss to Dun & Bradstreet to have the database stolen.
April 2017 – 85 Cyber-attacks
More than a million accounts were hacked and compromised from the servers of the online gaming company. Leaked data included usernames, passwords, email addresses, IP addresses, and other optional record fields, such as instant messenger IDs, birthdays, and Facebook related details. See report here.
May 2017 – 67 Cyber-attacks
Winner: WannaCry Ransomware
While not a data breach, no 2017 cyber-attack list would be complete without listing WannaCry. The ransomware infected computers and servers in 74 countries, millions of users across the world, and, affected hospitals, businesses like Fedex, rail stations, universities, at least one national telco, etc. See report here.
June 2017 – 64 Cyber-attacks
According to reports, 8Track, the most popular internet radio service provider, suffered a data breach which compromised 18 million user accounts.
The data hacked included usernames, email addresses, and partially encrypted passwords. According to the owner of 8Tracks, the only accounts compromised were accounts authenticated through Github without two-factor authentication activated.
Reports indicate that 8Track accounts authenticated via Google or Facebook authentication were not affected by the hack.
July 2017 – 69 Cyber-attacks
Winner: Reliance Jio
The largest breach of personal data ever in India happened when 120 million customers of Reliance Jio, one of India’s largest mobile phone carriers, had their personal data hacked.
Among the data stolen were customer names, mobile numbers, email addresses, and the unique ID number of the phone. This information was then listed for sale. See report here.
Honorable Mention: HBO
Hackers obtained 1.5 terabytes of data from the computers of HBO.
The hackers claimed to have released then-upcoming episodes of Ballers and Room 104. The hackers also claimed to have released a script from a then-upcoming episode of Game of Thrones.
No ransom was demanded. See report here.
August 2017 – 90 Cyber-attacks Tabulated
Winner: Misconfigured Spambot
User data was leaked with respect to 700 million web users worldwide on many and various worldwide internet platforms. See report here.
Essentially, a misconfigured spambot left an open door to anyone who knew or noticed that the door was there.
It is unknown how many times the data was accessed. Data leaked was email addresses, passwords and lesser amounts of personal contact information associated with the email addresses.
September 2017 – 76 Cyber-attacks
143 million customers of the credit reporting service had their personal and financial information stolen. The hack occurred over several weeks in May and June 2017 and was disclosed in late July.
October 2017: 90 Cyber-attacks
Winner: Malaysian telcos and mobile virtual network operators — 46.2 million cellphone users
According to reports, computer systems for the largest Malaysian telephone companies and mobile network operators were hacked, revealing information for 46.2 million phone users.
The information included phone numbers, names, addresses and included both paid and prepaid numbers, as well as sim card information and the IMEI and IMSI numbers. See report here.
Honorable Mention: Disqus — 17.5 million users
In October 2017, Disqus, the internet’s largest provider of hosted posting comments for blogs and websites, announced they were the victim of a data breach in the summer of 2012. See report here.
During the hack, an unknown attacker stole user account details including email addresses, usernames, sign-up dates, and last login dates in plain text and SHA-1 hashed passwords for about one-third of the service’s 17.5 million users.
According to reports, Disqus took less than 24 hours to assess, confirm, and respond to the security breach – one of the best response times ever recorded. So “kudos” to Disqus and their cyber-attack response team.
November 2017: 84 Cyber-attacks
Winner: Uber Technologies — 57 million accounts
In October, 2016, 57 million Uber drivers and customers had their personal details accessed by a hacker group.
The hackers first gained access to a private software repository then used those credentials to gain escalated access privileges to more sensitive information. As the stolen information included drivers license numbers Uber was legally required to report the data breach. See here for a discussion of the Montana notification law.
However, Uber’s security team took the unusual step to offer the hackers $100,000 to keep the story quiet.
In November, 2017 the story of the cyber-attack and payoff became known and was another public relations quagmire for the company. Bloomberg has the story here.
Honorable Mention: Google Play Store and Android App Users
Four separate reports surfaced in November of 2017 related to cyber-security for users of Android mobile apps that are normally downloaded from Google Play Store.
First, infecting just 1,300 devices, Google revealed the details of spyware dubbed “Tizi.” This infected at least one app available on Google’s Play Store. It was a spyware for Android with extensive data-stealing capabilities. Google removed the relevant app from its Play Store immediately.
Second, the malware dubbed ToastAmigo was reportedly downloaded by more than 500,000 Android users. Once loaded, ToastAmigo is able to download other malware and engage in self-protection and self-hiding actions. See report here.
Third, it was announced the Google Play Store had eight apps that contained malicious multi-stage malware called Android/TrojanDropper.Agent.BKY. In the final stage of the malware, fake screens are loaded in place of legitimate website screens wherein users input personal and payment information which is then sent to the hackers. See here.
Finally, it was reported that at least 17.4 million Android users have downloaded a Trojan dubbed Grabos found in 144 separate mobile applications.
Grabos increases the rate of “recommended apps” that are offered to the user. Many users enjoy that feature and end up downloading the recommended apps. The apps are real, so Grabos is not particularly malicious.
The Grabos creator apparently makes money when the recommended apps are downloaded.
December 2017: 90 Cyberattacks
Winner: PayPal and its newly acquired subsidiary TIO Networks — 1.6 million users
In July of 2017, PayPal acquired a company called TIO Networks, a publicly traded payment processor. In early December, PayPal suspended the operations of TIO after a review of TIO’s network identified a potential security breach of personally identifiable information for approximately 1.6 million customers.
The TIO computer network had been kept segregated from the PayPal’s, so no PayPal systems were compromised. This is a public relations downside for PayPal since the company never wants to see the word “PayPal” in the same headline as “data breach” and it appears there may have been a lapse in diligence before the acquisition.
Finally, this is a good lesson on how to prevent a data breach from spreading throughout a system: quarantine new systems until the fully vetted.
Honorable Mention: Nissan Canada Financing — 1.1 million customers
At the end of 2017, on December 22nd Nissan Canada announced that its computer systems were compromised on the 11th, with “unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance or Infiniti Financial Services Canada.” See report here.
Revealed in the public admission was that 1.13 million customers were affected. The exposed data includes at least customer names, addresses, vehicle makes and models, vehicle identification numbers (VINs), credit scores, loan amounts and monthly payment figures but, reportedly, did NOT include personal banking information, such as card numbers.
In response, Nissan Canada offered offering 12 months of free credit monitoring to its customers.
Reflecting on Hacking Statistics From 2015 and 2016
Data from the two previous years clearly indicates a pattern in which cyber security breaches are occurring ever more frequently. In 2015, for instance, there were more than 177,866,236 personal records exposed via 780 data security breaches, according to the ITRC Data Breach Reports.
In 2015, hacks occurred in every single state in the US, and the breakdown of the breached targets by type of entity is as follows:
- Businesses were the target of 40% of the security breaches (312 breaches).
- Medical and Healthcare entities made up 35.4% of data breach targets (276 breaches).
- Government or military targets made up 8.1% of cybersecurity breaches (63 breaches).
- Educational institutions accounted for 7.4% of data breaches (58 breaches).
In 2016, hackers not only logged an uptick of 38% in their use of phishing type security attacks according to “Key findings from the Global State of Information Security® Survey 2017” by PricewaterhouseCoopers, but it also became well-known that hackers were finding devices to target beyond computer systems and networks.
Unsecure wireless medical devices, mobile devices, and even cloud architecture all came under attack in 2016.
With security breaches arising on multiple fronts, companies, healthcare systems, governmental and educational entities, and individuals started to realize how real the threat of cyber security attacks was. In order to combat attacks, people began to increase their use of data security protection measures in 2016:
- 52% of individuals, businesses and entities use intrusion detection tools.
- 51% actively monitor and analyze security information for their vulnerable systems.
- 48% conduct vulnerability assessments.
- 47% utilize security information and event management tools.
- 47% regularly conduct cyber security threat assessments of their systems.
- 45% subscribe to a threat intelligence service.
- 44% engage in data system penetration testing.
Take Steps to Protect Your Business From Cyber Security Breaches
We shouldn’t be surprised at the number of security breaches that occurred in 2018. Nor should we be surprised at how rapidly cybersecurity attack techniques evolve to affect more computers and devices than ever before.
Hackers’ reaches will only keep expanding as time goes on.
Most data security breaches are the result of an oversight somewhere in the system.
Companies large and small are being hacked due to vulnerabilities in their computer systems that are identified and exploited by hackers. Companies need to follow cyber security best practices to protect themselves and their customers’ personal information.
They need to give cyber security the time and resources necessary to rebuff cyber attacks and to neutralized cyber threats or face growing liability and higher fines.
Since the area of cyber-security is constantly changing and evolving, cyber-security needs to be regularly evaluated to determine whether particular defensive measures are effectively addressing threats and risks. Only through diligent and consistent efforts can business rise to the challenge posed by hackers invading their computer systems.
Contact Revision Legal
Cyber security breaches are a real threat, whether it is to your business, the institution that you work for, or to your own personal computer system and devices. When you are hacked, or information that was entrusted to you was potentially accessed in a data security breach, you must act quickly to understand your rights and obligations concerning notification of potential victims. You should retain the assistance of an experienced cyber security attorney like the professionals at Revision Legal. Contact us today using the form on this page or by calling us at 855-473-8474.
Editors note: this was originally published in December, 2016, and updated in October, 2017. It has been updated in March, 2018, and August 2018 for clarity and comprehensiveness.