The biggest data breaches of the last 12 months – what can we learn from them?

Credit: weerapatkiatdumrong/iStock

There's still a month to go in 2018, but as the year draws to a close, it seems like a good time to take a look back over the past 12 months and ask what we've learned this year.

In particular, cyber security has inevitably been a big topic of conversation in 2018. Indeed, at times, it can now seem like barely a week goes by without news breaking of another company that has fallen victim to a data breach, as hackers become increasingly sophisticated and the potential rewards for them grow.

Indeed, just today (November 30th), hotel chain Marriott revealed up to 500 million customers may have had details compromised in a database hack. It may take a while to fully learn what was behind this latest attack, but this year has shown that some of the world's biggest brands are at risk, and even some of the giant tech firms who you might think would know a thing or two about cyber security aren't immune.

If there is a silver lining to these incidents, it should be that we can learn from them and take steps to ensure they do not happen again. We may not ever be able to completely stop the hackers, but we can at least make life more difficult for them. 

While we await more details on the Marriott hack, here are a few of the other higher-profile data breaches to come to light over the last 12 months, and some key takeaways for other companies to take note of.

Facebook – Small glitches can cause big problems

One of the biggest breaches of the year in terms of sheer amount of data compromised was at Facebook, which had to admit that around 50 million users – including founder Mark Zuckerberg and chief operating officer Sheryl Sandberg – had data potentially exposed as the result of a security flaw.

This was traced back to a tool known as View As, which is intended to be a privacy feature that allows people to see what their own profile looks to other users. However, hackers spotted multiple bugs in this that let them steal Facebook access tokens, which they could then use to take over people's accounts, regardless of how secure their passwords were.

However, the breach could have had much wider ramifications, as the access tokens can also be used to log into any other site that uses Facebook's system, including AirBnB, Tinder and Spotify. This may show how the current trend towards convenience and single sign-on can be taken advantage of by skilled hackers. By themselves, each of the bugs in Facebook's code may have seemed small – just a couple of lines of improperly-written code – but the impact the breach could have had was huge.

British Airways – pay attention to your website

By comparison, the breach that hit British Airways in September was relatively small, affecting around 380,000 people. However, what was taken – full personal and financial details including credit card numbers and CVV data – meant the impact on those affected could have been far greater.

CCV data is particularly hard to come by as it is not usually stored by companies, so experts suggested that the most likely way for this data to have been gathered was through a compromised website, where a script may have been added to the code that scraped data as users typed it in and sent it directly to the hackers. 

Cyber security expert Prof Alan Woodward at the University of Surrey told the BBC this is a particular problem for companies that rely on code from third-party suppliers within their website, as this creates an entry point for malicious hackers. He added that firms must continually vet such products to spot any potential vulnerabilities.

Uber – Don't try to cover things up

Uber's latest security breach actually happened long before this year, but we only found out about it about 12 months ago. And that in itself should be the big lesson that we can take from its incident, which saw hackers use compromised credentials to gain access to a database containing the data of 57 million customers and drivers.

But instead of doing the right thing, Uber tried to cover it up by paying the hackers $100,000 (£72,600) to destroy the stolen data, then kept quiet about what happened. Clearly, this didn't last, but it made the company look particularly bad after it was eventually revealed, indicating that it did not care about the security of its customers or drivers.

The company would eventually end up paying around $148 million in the US to settle federal charges brought as the result of the breach and the attempted coverup, while regulators in Europe were equally unimpressed, with the ICO describing its actions as highly inappropriate.

Under Armour – a good plan helps

In terms of the number of people affected, US sports brand Under Armour's data breach dwarfed even Facebook's, with around 150 million users of its MyFitnessPal app having usernames, email addresses and passwords potentially stolen. That's the scale of breach that could sink many companies' reputation, but Under Armour was at least able to mitigate some of the potential damage.

Unlike Uber, the brand informed its customers very quickly about the breach, along with recommendations for that users could do. The company also appeared to have used good encryption practices for its passwords and segmented its databases so more valuable details such as financial records were stored separately.

Security researcher Troy Hunt told the BBC: "To its credit, Under Armour appears to have made an announcement on this within four days, and its method of password storage is quite robust." He noted this is a "vast improvement" compared with previous high-profile breaches such as Equifax.