13 min read

2018 – A Year of Data Breaches in Review

Graham Cluley

December 14, 2018

2018 – A Year of Data Breaches in Review

As 2018 draws to a close, we inevitably take the opportunity to take a look back at the year it has been, and make predictions about what 2019 might bring for cybersecurity.

Week after week, month after month, 2018 saw organisations and companies struck by massive and damaging data breaches, putting the personal details of innocent members of the public at risk.

In fact, the headlines about data breaches are so regular nowadays that it’s easy to forget what’s happened.  Let’s take a look, month by month, at some of the most memorable incidents of 2018.


The year was only a few days old when India’s Tribune newspaper reported that criminals were selling unlimited access to the country’s vast biometric database over WhatsApp.

For the equivalent of about eight dollars, Tribune reporters were able to gain access to names, email addresses, phone numbers and post codes of over one billion individuals.  And as if that weren’t bad enough, the newspaper claimed that for an extra five dollars they were offered a unique Indian ID card – known as an Aadhaar card – used to pay for government services including free school meals and fuel subsidies.

Ironically, the Aadhaar cards were part of the Indian government’s biometric ID program designed to help stamp out corruption and fight fraud. 

The groups behind the breach appeared to have gained access to the database through crooked former employees.


In February, global delivery company FedEx was revealed to be one of the many companies that had left customer information exposed to the world on an unsecured Amazon AWS server.

Security researchers stumbled across a publicly accessible server containing more than 119,000 scanned documents – including names, addresses, phone numbers, and scans of passports, driving licenses, and utility bills.

Like far too many other breaches involving unsecured cloud buckets, the hackers were not even asked for a password to gain access to the sensitive data.


March brought online privacy and the sometimes sloppy way that tech companies treat their users’ data into the spotlight, as the name Cambridge Analytica came to the attention of the general public.

A Facebook personality quiz was revealed to have scooped up personal information from the 270,000 people who ran it *and* details of some 50 milion of their online friends.

Facebook app developers aren’t supposed to share users’ personal data with third parties, but the data harvested by the online quiz was shared with Cambridge Analytica.  When Facebook discovered the data had been accessed, it demanded that it be destroyed – but not everyone kept their word.

Technically, this wasn’t a Facebook data breach.  It would be more accurate to call it a Facebook data policy breach.

But I would argue that the fact that this is how Facebook is supposed to work actually makes it worse than any data breach.

Meanwhile, another famous tech firm realised it had suffered its own security breach that put its users at reach.  But, with Facebook dominating the headlines, Google decided to not go public with details of a serious bug until October 2018.


150 million users of the MyFitnessPal app discovered that their personal details had been compromised after hackers stole usernames, email addresses, and hashed passwords.

The fact that hashed passwords had been accessed was particularly troubling for users who might have had a commonly-used password such as a dictionary word, as hackers would most likely be able to use rainbow tables to unlock credentials.

Once again, users were reminded of the importance of choosing strong, hard-to-crack passwords and – crucially – to ensure that they were using different passwords on different websites.


May should have been a good month for data security, with the introduction on 25 May 2018 of Europe’s GDPR legislation sending a shiver down the spine of any company that was being careless with private data.

For the first time, authorities had within their power to hit firms with significant financial penalties if they were lax at security.

But you would be wrong to think that with GDPR just days away we would see the end of data breaches.

The myPersonality Facebook, for instance, was found to have put six million users’ sensitive private data at risk by posting their data publicly for anyone to see on GitHub… for four years.

Facebook responded by suspending the app, and approximately 200 others for using “large amounts” of profile information.


Six months into the year, and the data breaches keep on happening.

In June it was the turn of Ticketmaster, who warned that customer details may have been exposed after malicious code was found running on its website.  The compromised information included names, addresses, email addresses, telephone numbers, payment details and login details.

The source of the problem was third-party code that Ticketmaster had placed on its payment page.  Worryingly, digital bank Monzo contacted Ticketmaster in early April believing that security on the ticket website had been breached, but Ticketmaster failed to confirm the problem until June.


Customers of popular UK high street stores Currys PC World, Carphone Warehouse, and Dixons Travel were put on high alert in the summer of 2018 as it was revealed that approximately 10 million of them were impacted by a breach that saw hackers steal payment data details and personal records.


All 1.7 million users of Air Canada’s mobile app had their passwords reset by the company following a security breach which saw hackers compromise up to 20,000 accounts in August 2018.

How serious could a breach of a mobile app be?

Well, in Air Canada’s case it meant that hackers now had their hands on customers’ names, email addresses, phone numbers, Air Canada account numbers, passport numbers, passport country of issuance, passport expiration data, nationalities, NEXUS numbers, gender, countries of residence, and dates of birth.

Losing such sensitive personal data is serious, as fraudsters could use the information to set up accounts with insurance firms, mobile phone operators, banks and the like if they do not require sight of a physical passport.

In the worst cases, victims might find themselves with a ruined credit score, and bills for goods and services that they have not purchased.


No summing-up of a year can be complete without a few mentions of Facebook, and September saw the social media giant admit to a serious vulnerability that could allow hackers to gain access to accounts and even third-party apps that use Facebook for login.

According to Facebook, approximately 50 million accounts were left exposed.

High profile victims of the so-called “View As” security breach were said to include Mark Zuckerberg and Facebook chief operating officer Sheryl Sandberg.


30,000 military workers and civilian staff had their credit card data and personal information exposed following a security breach impacting the Pentagon.

The security breach occurred at an unnamed third-party vendor which provides travel management services to the Department of Defense.

Fortunately, classified information was not impacted as a result of the breach.  But that will be little consolation to those individuals who had their personal data fall into the hands of hackers.


One of the biggest data breaches ever became public in November, with the announcement from the Marriott hotel group that 500 million guests listed in its Starwood guest reservation database were at risk.

Exposed information included name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, and reservation date.

For some customers, the leaked data was also said to include encrypted payment card numbers and payment card expiration dates.

With 500 million customer records compromised, the data breach is perhaps the second-biggest data breach in history.


It took until October 2018 (despite discovering the problem in March) for Google to finally admit that there had been a serious privacy hole in its Google + social network.  In response, the company said it would shut down Google + by the end of August 2019.

But if Google thought was the end of its data privacy problems for 2018 it was mistaken.

In December 2018 it revealed it had been hit by another privacy flaw, this time affecting approximately 52 million Google + profiles.

The API bug, introduced by Google just weeks before, allowed the personal information of users to be accessed without permission by third-party apps and developers.

And so, we reach the end of the year filled with hacks and leaked records.  And although there were scores of serious data breaches that we didn’t have room to include here, I think there is actually some room for optimism.

Although the breaches keep happening, and show little sign of stopping, GDPR has encouraged firms to own up to their security incidents more readily, more promptly, and – in some cases – with an impressive degree of transparency.

Whether we will have to wait for a business to be hit by a substantial fine by a regulator in order to see even more maturity from the firms that store our data remains to be seen.

I wish you good luck as we leave 2018 and enter 2019.  Remember that the less data you give an organisation, the less they have to lose.  And that the impact of a breach on your life or business can be reduced if you have taken the sensible step of enabling two-factor authentication and never reusing passwords.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

View all posts

You might also like