News

All the major data breaches of 2018

Retailers, airlines and hotels were among this year’s victims of cyber attacks.
Retailers, airlines and hotels were among this year’s victims of cyber attacks.

Data breaches continued to be a major issue for the public in 2018 with a series of serious cases ranging from retailers to social networks, resulting in millions of personal records being compromised.

2018 will be remembered as one of the most prolific in data security history, with everything from names and ages, to payment cards and passport details leaked.

Here are some of the notable cases to affect the UK and beyond:

MyFitnessPal

Popular diet and fitness app MyFitnessPal was hacked in late February, resulting in email addresses and passwords of around 150 million users globally being accessed.

The app, owned by US sportswear brand Under Armour, said that payment details were not jeopardised in the breach but urged all users to change their passwords immediately.

It became aware of the incident on March 25 and began informing users four days later.

Google+

Two breaches affecting Google’s failing social network were reported in 2018, although one had occurred years before.

The first issue was discovered in March but was only reported six months later, resulting in the personal information of up to 500,000 users being exposed – though it said at the time that it had no evidence that any of the affected personal information was misused.

As a result, the tech giant announced plans to close Google+.

In December, a second breach affecting 52.5 million users was revealed, leading Google to bring forward its planned closure of the social network from August 2019, to April.

Cathay Pacific

Cathay Pacific
(Steve Parsons/PA)

Hong Kong’s national airline Cathay Pacific was the subject of a data breach to its IT systems, jeopardising personal information of up to 9.4 million passengers.

The company said that it had no evidence that the information seized had been misused, nor that any travel or loyalty profiles were accessed in full.

Ticketmaster

Ticket sales giant Ticketmaster identified a breach in June, which may have affected up to 40,000 UK customers.

The source of the attack was understood to have come from malware in a third-party customer support product from Inbenta Technologies.

Dixons Carphone

Currys PC World
(Yui Mok/PA)

In June, Dixons Carphone, which owns Currys PC World and Carphone Warehouse stores, found that some of its systems had been accessed in 2017.

The firm initially thought that 1.2 million personal data records – including customer names, emails and addresses – were impacted by the incident but further investigations found that 5.9 million customer bank card details and 10 million personal data records may have been hacked.

British Airways

Airline BA was the victim of a data hack in August, which forced customers to cancel credit cards as a precaution.

Of the 380,000 payment card details first announced, the company later found that only 244,000 were affected and that it had no verified cases of fraud.

Superdrug

Superdrug was targeted by hackers in August, who contacted the retailer claiming to have the details of about 20,000 customers.

The perpetrators provided information of 386 accounts to try to prove they had sensitive information, but Superdrug heard nothing more from them after it refused to pay the ransom.

Butlin’s

Butlins hacked
(Anthony Devlin/PA)

British seaside resort Butlin’s announced that up to 34,000 guest records may have been obtained in August.

Data including names, home addresses, email addresses and telephone numbers were at risk but no financial details were accessed, the company said at the time.

Marriott

Hotel chain Marriott suffered the year’s biggest breach, after uncovering one of its systems containing up to 500 million guests’ details had been jeopardised.

The breach hit the system managing its Starwood portfolio, which includes Trump Turnberry in Ayrshire as well as London’s Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly.

Information including passport numbers, dates of birth, names, addresses and phone numbers were contained in the database, which was attacked in 2014 but only came to light in November 2018.