2018 Sees Record Number of Online Retail Data Breaches

January 8, 2019 | Tony DeGonia

During the holiday season, people logged on to make purchases through online retailers like at no other time of the year. While there was significant growth in many segments of society on a global scale in 2018, we also saw a significant increase in online retail breaches in which personally identifiable information was compromised at an alarming rate. With more and more people using online services for everything from ordering perishable food products to plane tickets and hotel reservations, 2018 proved to be a huge year for cybercriminals.

Here are some facts around some of the largest and most far-reaching retail breaches of 2018:

Dozens of security breaches have occurred in 2018. Many of them were caused by flaws in payment systems, either online or in stores. Data breaches are on the rise for both retailers and other businesses.

These data breaches are a real danger for both companies and customers and can affect the trust shoppers have in brands.

According to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period.

Example Breaches

Cheddar's Scratch Kitchen

Darden Restaurant announced it was notified by government officials on August 16 that it had been the victim of a cyber attack.

Customers who visited Darden-owned Cheddar's Scratch Kitchen between November 3, 2017, and January 2, 2018, may have had their credit-card information stolen. Darden estimates that 567,000 payment card numbers could have been compromised.

Customers affected would have visited a Cheddar's location in any one of these states: Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin.

Macy's

Macy's confirmed that some customers shopping online at Macys.com and Bloomingdales.com between April 26 and June 12 could have had their personal information and credit card details exposed to a third party.

Macy's did not confirm exactly how many people were impacted. However, a spokesperson for the company said the breach was limited to a small group of people.

Macy's said in a statement: "We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services."

Adidas

Adidas announced in June that an "unauthorized party" said it had gained access to customer data on Adidas' US website. Currently, the company believes only customers who shopped on and purchased items from the US version of Adidas.com may have been affected by the breach.

The data that is potentially at risk includes customer contact information, like email addresses and physical addresses, as well as login information, like usernames and passwords. The passwords were stored encrypted, however, and would need to be decrypted before they could be used.

Adidas did not say exactly how many customers could have been affected by the breach, but an Adidas spokeswoman confirmed it is likely "a few million."

Sears

Sears alerted customers on April 4 of a "security incident" with an online support partner [24]7.ai that may have resulted in up to 100,000 people having their credit-card information stolen.

The incident affected shoppers who bought items online from September 27, 2017, to October 12, 2017.

Delta

Delta used the same online support service as Sears and was also affected by the reported breach.

The airline said customer payment information may have been vulnerable but did not estimate how many of its customers were affected.

Best Buy

Best Buy was also affected by the breach of [24]7.ai, it told customers on April 5.

The retailer said only "a small fraction of our overall online customer population" was affected in the breach, which might have jeopardized payment information.

Saks Fifth Avenue

5 million records breached combined with Lord & Taylor.

Hudson's Bay, the parent company of Saks Fifth Ave, confirmed in April that a data breach compromised payment systems and therefore customers' credit and debit cards.

Estimates of the number of affected customers have not yet been released but could number in the millions. Online customers were not affected.

Lord & Taylor

5 million records breached combined with Saks.

Hudson's Bay also owns Lord & Taylor, and those stores were also affected by the breach.

Panera Bread

37 million records breached.

Panera Bread confirmed on April 2 that it was notified of a data leak on its website.

At the time, it said personal information, including names, addresses, and partial credit card numbers may have leaked, though the company says the investigation is ongoing.

Forever 21

Forever 21 alerted its customers in November that some of their information may have been stolen.

A flaw in the store's cashier terminals may have inadvertently exposed data like credit card numbers, expiration dates, and internal verification codes to hackers. Customers who shopped in stores from March through October 2017 are vulnerable.

PumpUp

6 million records breached.

On May 31, ZDNet reported that they had been contacted by security researcher Oliver Hough in regards to a backend server he had found exposed to the Internet with no password to protect it. The server belonged to the fitness app PumpUp, and it gave anyone who came across it access to a host of sensitive customer data including user-entered health information, photos, and private messages sent between users. The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiry dates, and card verification values.

When ZDNet reached out to PumpUp, the company did not issue a response, but it did quietly secure the server. It is unknown how long the asset had been sitting exposed.

Sacramento Bee

19.5 million records breached.

In February, an anonymous attacker seized two databases owned and operated by The Sacramento Bee, a daily newspaper published in Sacramento, California. One of those IT assets contained California voter registration data provided by California’s Secretary of State, while the other stored contact information for subscribers to the newspaper. Upon hijacking those resources, the attacker demanded a ransom fee in exchange for regaining access to the data. The newspaper refused and deleted the databases to prevent additional attacks from leveraging them in the future. According to The Sacramento Bee, the hack exposed 53,000 subscribers’ information along with the personal data of 19.4 million California voters.

Ticketfly

27 million records breached.

On May 31, Ticketfly suffered an attack that resulted in the concert and sporting-event ticketing website being vandalized, taken down, and disrupted for a week. The hacker behind the attack had reportedly warned Ticketfly of a vulnerability and demanded a ransom to fix it. When the company refused, the hacker hijacked the Ticketfly website, replaced its homepage, and made off with a large directory of customer and employee data, including names, addresses, email addresses, and phone numbers for 27 million Ticketfly accounts. 

Panera Bread

37 million records breached.

Panera Bread took its website temporarily offline following the publication of Krebs’ report.

Despite the company initially downplaying the severity of the breach and indicating fewer than 10,000 customers had been affected, the true number is believed to be as high as 37 million.

British Airways

380,000 records breached

On 6 September, British Airways informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates, and CVV codes. It took the firm just one day to announce it had been hit by a cyber-attack between 21 August and 5 September.

“The credit card skimming campaign launched against hundreds of thousands of British Airways customers stood out due to its large scope and the effectiveness of the tactic employed: the modification of JavaScript code on BA’s website to effectively steal payment data while avoiding detection,” says Yonathan Klijnsma, head threat researcher at RiskIQ. “By inserting just 22 lines of code, Magecart Group 6 was able to extract information entered into the airline’s online payment forms without disrupting the payment flow.”

Ticketmaster

40,000 records breached

When the personal data of 40,000 Ticketmaster customers was stolen by hackers, it emerged that a third-party supplier was involved. The company, Inbenta Technologies, which operates a chatbot on the Ticketmaster site, customized its product by modifying a line of JavaScript code.

“Just one month after GDPR came into full effect, Ticketmaster announced 40,000 customers’ data was accessed due to a malicious hack on a third party solution,” says Guy Bunker, SVP of Products, Clearswift.

The Giants of the List

Facebook

At least 87 million records breached (though likely many more).

Who can forget the data scandal that rocked Facebook in March 2018? At that time, reports emerged of how a political data firm called Cambridge Analytica collected the personal information of 50 million Facebook users via an app that scraped details about people’s personalities, social networks, and engagement on the platform. Despite Cambridge Analytica's claim that it only had information on 30 million users, Facebook determined the original estimate was in fact low. In April, the company notified 87 million members of its platform that their data had been shared.

Unfortunately, with Facebook apps facing more scrutiny, it appears the Cambridge Analytica scandal may just be the tip of the iceberg. On June 27, security researcher Inti De Ceukelaire disclosed another app called Nametests.com had publicly exposed information of more than 120 million users.

MyHeritage

92 million records breached

A security researcher reached out to the Chief Information Security Officer of online genealogy platform MyHeritage on June 4 and revealed they had found a file labeled “MyHeritage” on a private server outside the company. Upon inspection of the file, officials at MyHeritage determined that the asset contained the email addresses of all users who had signed up with MyHeritage prior to October 26, 2017. According to a statement published by the company, it also contained their hashed passwords but not payment information, as MyHeritage relies on third-party service providers to process members’ payments. The service also stores family tree and DNA data on servers separate from those that store email addresses, but MyHeritage said there was no reason to believe that information had been exposed or compromised. 

Quora

100,000,000 records breached.

In December, Quora suffered a massive breach of user data. The intrusion, discovered on November 30, included up to 100 million users’ names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content such as questions, answers, comments, blog posts, and upvotes.

“The breadth and potential value of the data compromised, like encrypted passwords and social media data, was notable,” says Andrew Tsonchev, director of technology, Darktrace Industrial.

Under Armour's MyFitnessPal app

150 million records breached

While neither Under Armour's store systems nor its online store was affected, the retailer confirmed in March that data from its MyFitnessPal app was accessed by an "unauthorized party."

Payment information was not released, but Under Armour says usernames, emails, and encrypted passwords were affected. More than 150 million people's information was likely compromised.

Exactis

340 million records breached.

Security researcher Vinny Troia discovered in June 2018 that Exactis, a marketing and data aggregation firm based in Florida, left a database exposed on a publicly accessible server. The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses. As of this writing, Exactis has not confirmed the exact number of people affected by the breach, but Troia said he was able to find close to 340 million individual records. He also confirmed to Wired that the incident exposed affected consumers’ email addresses, physical addresses, phone numbers, and a host of other personal information, in some cases including extremely sensitive details like the names and genders of their children.

Marriott

500,000,000 records breached

At the end of November, hotel group Marriott admitted it had suffered a massive data breach affecting the records of up to 500 million customers. The firm revealed its Starwood division’s guest reservation database had been compromised by an unauthorized party. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses, and passport numbers.

“Regardless of who the finger is being pointed at, it’s clear this stealthy attack meant the perpetrator had unrestricted access, across multiple IT systems for a very long time,” says Glasswall’s Henderson. “Presumably with many elevated privileged accounts compromised, the attackers were clear to traverse customer data held in different locations and likely cleared their tracks as they went.”

Aadhaar

1.1 billion records breached.

In January, reporters with the Tribune News Service paid 500 rupees for login credentials to a service being offered by anonymous sellers over WhatsApp. Using the service, the reporters could enter any Aadhaar number, a 12-digit unique identifier assigned to every Indian citizen. Doing so would retrieve numerous types of information on the queried citizen stored by UIDAI (Unique Identification Authority of India). Those bits of data included name, address, photo, phone number, and email address. An additional payment of 300 rupees to the sellers yielded access to software through which anyone could print an ID card for any Aadhaar number. 

The data breach is believed to have compromised the personal information of all 1.1 billion citizens registered in India. 

A Troubling First Half of the Year

The number of records compromised in Q1 and Q2 2018 has already surpassed the total number of breached records for all of 2017, as identified in Identity Theft Resource Center's (ITRC) 2017 Data Breach Industry Summary report. For context, the list of breaches provided in this article is far from comprehensive. There were plenty of additional data breaches that took place in the first half of 2018, which means the number of compromised records could actually be much higher. Only time will tell whether this is actually the case.

In Conclusion

The cyber threat landscape is ever changing, and while technological innovation is growing at the speed of light, the ability of cybercriminals to take advantage of those new innovations is just as broad. Cybercriminals have the advantage of not having to “play by the rules,” which makes things more difficult for those who try to protect business and society from those who wish to do criminal things.

Another thing to account for is the passion with which cybercriminals operate, having not only a knack for what they do but almost a savant-like nature in their activities. Whether the attack comes from a single criminal or a group of hackers, it is evident that business and society as a whole will have to endure these issues for the indefinite future. Most corporate security teams work diligently to prevent attacks such as those mentioned in this article; however, many lack funding and support from executives. Security is often put on the back burner as an expense that can be avoided until it is needed. In fact, this could not be further from the truth. Creating a cyber-threat and action plan is essential to keeping corporations and society, as a whole, safe. Until executives at the heights of power can be convinced of the importance of creating a secure environment, the scourge of cybercriminals will continue to run rampant and grow organized crime across every aspect of the global economy.

About the Author: Tony DeGonia, AlienVault

Tony DeGonia is an AT&T Cybersecurity Technical Sales Consultant. He has over 20 years of experience working as a Voice, Network and Security engineer. During that time he gained experience by maintaining, managing, designing and providing advanced voice, network and security solutions to customers in the SMB, Mid-Market, and Enterprise Sectors throughout the U.S. Tony is also well versed in the security requirements around HIPAA, PCI-DSS and Law Enforcement at the Municipal, State and Federal level. Tony regularly blogs and hosts podcasts through various channels.
