It’s tempting to believe that important data breaches only happen in the US and the figures tend to bear that out – the US accounts for the overwhelming majority of the really big data breaches that have been made public, some of them absolutely vast.
But US laws and regulations force organisations to admit to data breaches involving the customer, something which is not true in all countries.
In the UK, the most important piece of legislation organisations must worry about was the Data Protection Act and the possibility of fines by the information commissioner (ICO).
Now, with the General Data Protection Regulation in full force across the EU, businesses found not to have adequately disclosed breaches or protected their users face enormous fines.
With credentials being bought and sold on the dark web for serious money, significant breaches – often in the millions, and sometimes including card data – seem to be more and more commonplace.
Below we offer what we believe are the most significant data breaches to hit the globe, not in all cases because they were particularly large but because of the type of attack or vulnerability involved or the sensitivity of the data compromised.
This list is in chronological order.
A technologically challenged summer for BA continued with a data breach affecting 380,000 transactions, involving stolen personal and financial information, but not passport or flight details.
The data was compromised over a two-week period between 21 August and 5 September, during which a ‘sophisticated’ attack was carried out on both the company’s website and app.
At present, the Information Commissioner’s Office is investigating the breach and has suggested the airline could face a fine.
As many as 2 million T-Mobile customers based in the US may have had their account details compromised by hackers who got away with names, email addresses, account numbers, billing information and encrypted passwords – but the company did not disclose what these passwords were hashed with.
T-Mobile said in an announcement that there was an “unauthorised capture of some information”. Motherboard later confirmed that encrypted passwords were compromised as well.
Apparently company servers were breached through an API, by a group described as “international”.
However, a spokesperson told Motherboard that the intrusion was detected on the same day and was “shut down very fast”.
The ICO has confirmed it will be looking into a data breach at content aggregator Reddit.
A spokesperson told Techworld: “We are aware of an issue concerning Reddit and will be looking to ascertain the scale and extent of any potential impact on UK citizens.”
Content aggregator site Reddit – which calls itself the ‘front page of the internet’ and has more active users than Twitter, with over 540 million monthly visits – has suffered a data breach and is refusing to disclose the scale.
A complete copy of an old database backup containing early Reddit data from 2005 to May 2007 was stolen, including usernames and hashed passwords, email addresses, and content such as private messages.
Reddit will be messaging affected users.
A subsidiary of delivery and logistics multinational FedEx has stored extremely sensitive customer data on an open Amazon S3 bucket, essentially making all the information public.
The tranche of data was discovered by Kromtech security researchers on 5 February.
The culprit appears to have been a company called Bongo International LLC, a package-forwarding business set up to make buying American goods easier for global customers, which was bought by FedEx in 2014.
It included thousands of scanned documents for citizens in America and globally – with passports, driving licences and security IDs all open for access in the bucket, as well as home addresses, postal codes and phone numbers.
Researchers pointed out that the data seems to have been from 2009 to 2012, before the company was bought out.