1) UIDAI (Unique Identification Authority of India)
Date Disclosed: January 3, 2018
Records Breached: 1.1 billion
Details: Using a service promoted on WhatsApp, hackers were able to access personal data belonging to Indian citizens by entering a 12-digit unique identity number – assigned to all residents based on their biometric and demographic data.
2) Exactis (Florida-Based Marketing Firm)
Date Disclosed: June 26, 2018
Records Breached: 340 million
Details: A database of personal data was exposed on a publicly accessible server.
3) MyFitnessPal (Diet and Exercise App)
Date Disclosed: May 25, 2018
Records Breached: 150 million
Details: Someone gained unauthorized access to the database and stole usernames, email addresses, and hashed passwords.
4) MyHeritage (Online Genealogy Platform)
Date Disclosed: June 4, 2018
Records Breached: 92 million
Details: A file containing the account details of 92 million users was found on a private server.
5) Facebook
Date Disclosed: March 17, 2018
Records Breached: 87 million
Details: An application developed by Cambridge Analytica was used to scrape details about Facebook users, including their interests and behavioral characteristics.
6) Panera (a chain of bakeries)
Date Disclosed: April 2, 2018
Records Breached: 37 million
Details: Customer records from Panerabread.com were leaked in plain text.
7) Ticketfly (Ticketing Website)
Date Disclosed: June 7, 2018
Records Breached: 27 million
Details: A hacker warned the company of a vulnerability in their website and demanded a ransom to fix it. Ticketfly refused to pay and so the hacker stole the data.
8) Sacramento Bee (a Sacramento Newspaper)
Date Disclosed: June 7, 2018
Records Breached: 19.5 million
Details: In February, a hacker seized two databases containing personal data and demanded that the newspaper pay a ransom to get its data back. The newspaper refused to pay the ransom and deleted the databases.
9) PumpUp (Health and Fitness Community)
Date Disclosed: May 31, 2018
Records Breached: 6 million
Details: A database was exposed to the Internet without any password protection.
10) Hudson’s Bay (Luxury Department Store Chain)
Date Disclosed: April 3, 2018
Records Breached: 5 million
Details: A hacking group called JokerStash was able to obtain payment card information via phishing emails sent to company employees. Evidence suggests that the breach was initiated one year before it was disclosed.
Whether it be failing to restrict access privileges to sensitive data, or failing to identify a phishing attack, most of these breaches are in one way or another the result of human error. According to a post by Itgovernance.co.uk, “4 of the 5 top causes of data breaches are because of human or process error.”
With the right tools, errors such as exposing sensitive data in plaintext, or failing to password-protect a database, can be easily avoided. Organizations need to ensure that they know exactly where their sensitive data is located and have assigned the necessary access controls to that data.
Data-Centric Audit and Protection solutions, such as Lepide Data Security Platform, provide organizations with a detailed overview of user permissions to sensitive data, as well as providing real-time alerts when changes are made to the data and the surrounding permissions. They can also detect, alert, report and respond to suspicious file and folder activity, anomalous logon failure, unauthorized mailbox access, and a lot more.