By Logan Strain
If it seems like the words “leak,” “compromised data,” and “breach” are constantly in the news, it’s not just you. The frequency of major data breaches is increasing. According to the Identity Theft Resource Center, the number of breaches is expected to top 1,500 in 2017. That’s a 37 percent annual increase over 2016, which itself was a record year for exposed personal data.
But while most data breaches are small and contained, this year saw a handful of spectacularly bad security fails. Here are the most massive sets of compromised data and data breaches of 2017.
Let’s start with the Mother of All Breaches.
Equifax, one of the four major credit reporting agencies, revealed in September that cybercriminals had penetrated their network. The breach exposed the data of 143 million Americans—basically, every single adult in the country. Exposed information included names, social security numbers, birthdates, addresses and, in some instances, driver’s license numbers.
It gets worse. Credit card numbers for about 209,000 consumers and documents related to credit reporting disputes for 182,000 people were also exposed.
In response, Equifax offered a suite of identity theft protection services to all Americans, regardless of whether they were impacted or not. The services, which include up to $1 million in ID theft insurance and social security number monitoring, are free for anyone who signs up by January 31, 2018. (Though we doubt the efficacy of these identity theft protection services and don’t recommend people purchase them.)
This data breach actually occurred in 2016. But due to general shadiness on Uber’s part, we didn’t learn about it until November of this year. Compromised data included the names, email addresses, and phone numbers of 50 million Uber customers. The personal data of about 7 million drivers were also exposed, including around 600,000 driver’s license numbers.
Hackers pulled off the data heist by first getting access to a private GitHub site used by Uber engineers. From there, they learned Uber’s Amazon Web Services login credentials and accessed the personal data. The hackers then used the data to blackmail Uber. In an attempt to keep the incident under wraps, Uber executives paid the hackers $100,000 to delete the data and keep quiet.
The incident only came to light after new Uber CEO Dara Khosrowshahi discovered it and reported the incident to regulatory authorities.
In a blog post, Khosrowshahi said that “None of this should have happened, and I will not make excuses for it.”
Adults aren’t the only ones getting their info compromised. In May, Motherboard reported that social learning platform Edmodo was hacked. The service, which is used by educators and students, has around 78 million users—and a hacker named “nclay” claimed that he acquired the account data of 77 million of them.
The data was put up for sale on the Dark Web, but apparently, accounts for a site that is primarily used to assign homework and create lesson plans aren’t particularly valuable. The hacker priced the entire database of data at just over $1,000.
Did you call Verizon customer service in the first six months of 2017? Then it’s possible your data was inadvertently exposed.
ZDnet reported that Nice Systems, an Israel-based company, failed to secure an Amazon S3 storage server that contained records for 14 million Verizon customers. The compromised records include customer names, cell phone numbers, and account PINs.
Fortunately, Verizon was able to protect the data before anyone else could access it. In a statement to CNBC, a Verizon spokesperson said, “We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”
5. Deep Root Analytics
The data analytics firm Deep Root Analytics, which was contracted by the Republican National Committee, revealed that they the exposed data of 198 million citizens. That means almost two out every three Americans were impacted. Exposed information includes names, birthdates, phone numbers, and, most troubling, voter registration details.
The breach was discovered by security researcher Chris Vickery on June 12. His analysis revealed that the firm’s database was stored on an Amazon cloud server without password protection for about two weeks. Anyone had the ability to download the 1.1 terabytes worth of data.
6. Sonic Drive-In
Millions of customers who only wanted to order a cheeseburger and a shake may have inadvertently gave their credit card info to identity thieves.
The fast-food chain Sonic Drive-In acknowledged that an unknown number of restaurant payment systems were compromised and customer credit card information was breached. Security researcher Brian Krebs revealed that stolen credit card numbers made their way to underground markets where cybercriminals buy and sell sensitive financial data.
7. All WiFi devices
In 2017 we also discovered that essentially all data transmitted over WiFi networks is vulnerable. Computer scientist Mathy Vanhoef announced that a vulnerability in WPA2 encryption protocol made WiFi networks accessible without login credentials. Hackers are able to access WiFi data through a key reinstallation attack, or KRACK. It’s unknown if any data was actually stolen using this method, but the vulnerability has existed since the beginning of WiFi.
Fortunately, tech companies started releasing patches shortly after the problem was discovered. Earlier this month Apple fixed the security hole for all iPhones. And several routers manufacturers have released updated firmware that protects against KRACK attacks.
The growing number (and size) of data breaches indicates that threats are outpacing security measures taken by organizations. Until companies can improve their security posture, the responsibility for keeping data breaches from doing serious damage will fall on individuals.
Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain