Countdown of 2018’s biggest data breaches

2018 was a year of massive data breaches. From tech giants to small businesses, no organization was immune. With the EU's GDPR (General Data Protection Regulation) in force since May 2018, data privacy has become one of the most pressing issues worldwide. Here is a countdown of last year's biggest data breaches, ranked by the number of people affected.

  10. Facebook

In September 2018, attackers exploited a combination of bugs in Facebook's "View As" feature (introduced into the code in July 2017) to steal access tokens, which let them take over users' accounts. Facebook initially reported 50 million affected accounts and later revised the figure to 29 million. Compromised data included location check-ins, contact details, relationship statuses, recent searches, and the devices used to log in.

  9. Chegg

On or about April 29, 2018, an unauthorized party gained access to a Chegg database containing user data; Chegg discovered the intrusion on September 19, 2018. 40 million users were affected, with names, email addresses, shipping addresses, account usernames, and hashed passwords exposed.

  8. Google+

Google+ suffered two data exposures in 2018. From 2015 until March 2018, a bug in a Google+ People API let third-party apps read profile fields that users had marked as not public, potentially affecting up to 500,000 users; Google said it found no evidence that the bug had been misused. Between November 7 and 13, 2018, a second API bug affected 52.5 million users, exposing names, employer names, job titles, email addresses, ages, and relationship statuses. Google responded by bringing the shutdown of consumer Google+ forward to April 2019.

  7. Cambridge Analytica

In 2014 and 2015, a personality-quiz app on Facebook harvested user data and improperly transferred it to third parties, including Cambridge Analytica, which worked for Donald Trump's 2016 presidential campaign and used the data to target voters with ads. The incident came to light in March 2018. Although only about 270,000 people installed the app, Facebook's API at the time also let it collect data on those users' friends, so up to 87 million accounts were exposed.

  6. MyHeritage

On October 26, 2017, the email addresses and hashed passwords of 92 million MyHeritage users were stolen. The breach came to light on June 4, 2018, when a security researcher found the file on a private server outside the company and reported it to MyHeritage. The company said DNA and family-tree data were held on separate systems and showed no sign of compromise.

  5. Quora

In late November 2018, Quora discovered that a malicious third party had gained access to one of its systems and taken names, email addresses, salted and hashed passwords, data imported from linked accounts (where users had authorized it), and users' public questions and answers. 100 million accounts were affected.

  4. MyFitnessPal

In late February 2018, an unauthorized party gained access to data belonging to users of Under Armour's MyFitnessPal app and stole usernames, email addresses, and hashed passwords. Most of the passwords were hashed with bcrypt, but a portion were protected only with unsalted SHA-1, which offers far less resistance to offline cracking. 150 million user accounts were exposed.

  3. Exactis

In June 2018, a security researcher discovered that the marketing data firm Exactis had left a database of U.S. consumer and business records on a publicly accessible Elasticsearch server with no authentication. The records, about 340 million in total, included phone numbers, addresses, and hundreds of fields describing personal interests and characteristics.

  2. Marriott

Beginning in 2014, attackers had access to the guest reservation database of Marriott's Starwood hotels; the intrusion was not detected until September 2018, and Marriott disclosed it on November 30. The attackers copied and exfiltrated guest records, including names, phone numbers, email addresses, passport numbers, reservation dates, and, for some guests, payment card numbers and expiration dates. Marriott said the card numbers were encrypted with AES-128 but could not rule out that the decryption keys had also been taken. Up to 500 million guest records were affected.

  1. Aadhaar

Reported in March 2018, Aadhaar, India's national ID database, was exposed through a system run by the state-owned utility company Indane. An API endpoint on Indane's website lacked access controls, so anyone who knew its URL could query Aadhaar records by ID number. Names, Aadhaar numbers, and information on services linked to each ID, such as bank accounts, were exposed. With around 1.1 billion people enrolled in Aadhaar, potentially every record could be retrieved this way.

Data breaches

In recent years, the number of significant data breaches has risen sharply, and every organization is at risk. The GDPR applies to any organization processing EU residents' personal data, regardless of where the organization is based or where the data is processed. North American organizations with any connection to the EU – whether through subsidiaries, customers, or suppliers – may well be affected. Organizations should therefore establish whether the GDPR applies to them and, if so, review their information handling processes to ensure compliance.

In some cases, the GDPR compliance steps will supplement existing measures that many North American organizations adopt as a matter of good practice or to comply with sector or state privacy laws, e.g. HIPAA (Health Insurance Portability and Accountability Act).

GDPR training

To help organizations prepare, IT Governance USA runs GDPR training courses across the country.

Take advantage of our holiday sale and save up to $500

Take advantage of our special holiday offer:

Spend over $500 and receive $50 off
Spend over $1,000 and receive $100 off
Spend over $2,000 and receive $200 off
Spend over $5,000 and receive $500 off 

Offer applies automatically at checkout. No promo code is required.
Sale ends on January 31, 2019. Save here.