Over the past few years, cybersecurity attacks such as data breaches have become more common and more dangerous. Data breaches can cause financial and reputational loss; IBM estimates that in 2018 the average cost of a data breach was $3.86 million.
Alarmingly, the 2019 Global Risks Report by the World Economic Forum lists cyber attacks and data breaches as the fourth and fifth most serious global risks today.
It is always useful to learn from past security incidents and breaches. Look at known data breaches and see how they occurred to learn how attackers operate and prevent your organization from becoming the next victim of a cyber attack or data breach.
To help you get started, we have compiled a list of the top 5 data breaches that took place in 2018 and the top data breaches of 2019 (so far).
The Top 5 Data Breaches in 2019
Smaller organizations often cannot afford to deploy comprehensive security solutions, and thus “are forced to accept a high level of risk,” as Eyal Gruner of Cynet puts it. However, while you might expect small- and medium-sized companies to cut corners when it comes to security, it is far from unheard of to find inadequate defenses among even the biggest companies, often with catastrophic results.
For example, Epic Fortnite, Facebook and WhatsApp were some of the organizations affected in 2019’s most devastating breaches.
1. Epic Fortnite
When it happened—January 16, 2019
How many users were affected—unknown number; Fortnite has 200 million users worldwide, with 80 million active users each month.
Compromised data—Fortnite contained a vulnerability that could have provided users with access to other users’ accounts. If ill-intentioned persons had found the vulnerability, they could have used it to view personal account information and purchase in-game currency.
How it happened—a flaw in the online game discovered by security firm Check Point.
2. Facebook exposed datasets
When it happened—April 2, 2019
How many users were affected—540 million users
Compromised data—Facebook ID, account names and user activity records were leaked by “Cultura Colectiva”. “At the Pool” disclosed passwords and information related to photos, groups, events, and check-ins.
How it happened—a flaw within two third-party applications: “Cultura Colectiva” and “At the Pool”
3. Facebook password scandal
When it happened—March 21, 2019
How many users were affected—about 600 million users
Compromised data—user passwords
How it happened—Facebook admitted that since 2012 it had not taken the necessary security measures to encrypt user passwords. The passwords were stored in plain text, so all Facebook employees had access to these passwords and could read them.
4. Collection One
When it happened—January 17, 2019
How many users were affected—about 773 million
Compromised data—773 million email addresses and 22 million passwords
How it happened—a database stored on cloud storage site MEGA which contained information from data breaches dating back to 2008 was shared in a popular forum for cyber attackers.
5. WhatsApp
When it happened—May 14, 2019
How many users were affected—unknown, potentially around 1.5 billion users worldwide
Compromised data—users were exposed to spyware that enabled attackers to spy on the camera and microphone of the devices of WhatsApp users.
How it happened—NSO Group, an Israeli surveillance agency, infiltrated Facebook’s WhatsApp application and inserted spyware.
Review of 2018 Top 5 Data Breaches
1. Quora
When it happened—October 26, 2017, discovered and disclosed to the public on June 4, 2018
How many users were affected—100 million
Compromised data—names, encrypted passwords, email addresses, and additional data from networks connected to Quora, such as Facebook.
How it happened—attackers breached Quora’s system and accessed compromised user data.
2. Under Armour – MyFitnessPal
When it happened—February 2018, discovered on March 25
How many users were affected—150 million
Compromised data—user names, email addresses, encrypted passwords.
How it happened—attackers breached Under Armour’s app and accessed data that remained unprotected.
3. Exactis
When it happened—unknown, discovered and disclosed to the public on June 27
How many users were affected—340 million
Compromised data—names, home and email addresses, phone numbers, and other personal information such as habits and hobbies.
How it happened—unknown; security researcher Vinny Troia informed Exactis about the leak and they secured it without informing the public. National law firm Morgan & Morgan filed a class action lawsuit against Exactis following the incident.
4. Marriott
When it happened—started in 2014 but discovered only on September 10, 2018.
How many users were affected—500 million
Compromised data—names, home and email addresses, phone numbers, passport numbers, dates of birth, and other personal information.
How it happened—a security tool alerted Marriott when there was an attempt to access the Starwood guest reservation database. Marriott conducted an investigation into the incident and discovered that an unauthorized party had gained access to the Starwood guest reservation network and copied encrypted information.
5. Aadhaar – India’s ID database
When it happened—unknown, disclosed to the public on March 23
How many users were affected—1.1 billion
Compromised data—name, ID, and private information like bank details.
How it happened—the Indian government ignored warnings from security researchers who claimed that “Aadhaar”, the Indian government portal for storing resident and biometric information, was not secure.
Cybersecurity threats like data breaches pose a financial and security threat to organizations and users alike. Even the strongest tech companies in the world, with substantial security budgets, like Facebook and Google, are not immune.