Data Breaches: Here’s Your Ready Reckoner

The WhatsApp privacy rules controversy has brought the vital issue of data privacy back in the news, forcing the general public to sit back and take note of what’s happening in the way data is collected and used by various agencies and whether precious user information is safe in the hands of the companies. Here’s a list of instances where hackers had a ball with private data.

“Ultimately, saying that you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say” — Edward Snowden, in his autobiography Permanent Record

There are more than 730 crore people in the world. More than half of them are on social media. At the last count, nearly 400 crore people have social media accounts. About 480 crore people have access to the Internet now and most of them are interacting with the web almost regularly. With more users come more data, more engagements and platforms where people share (more) personal information online.

Obviously, data privacy concerns are a hot by-product of the digital revolution. With some of the major data breaches in recent history featuring behemoths such as Facebook (using which the data analytics firm Cambridge Analytica obtained personal information of over 8.7 crore users, without consent, for purposes such as political campaigning), the question of data privacy is getting more attention than ever. 

The latest controversial privacy rules from WhatsApp (parts of which the Facebook-owned firm rolled back following a global outcry) put the spotlight back on the data scandals involving Big Tech. For the uninitiated, here’s a list of the major data breaches and their costs.

Facebook-Cambridge Analytica scam

British company Cambridge Analytica accessed 8.7 crore Facebook profiles using an app, ‘thisisyourdigitallife’. This was illegal. The issue came to light after a former Cambridge Analytica employee, Christopher Wylie, broke the news to the media in March 2018. Cambridge Analytica worked with the 2016 Trump election campaign. It used data to create ads that target people’s psychological characteristics. 

About 300,000 users had downloaded ‘thisisyourdigitallife’. This enabled the firm to get access to the users’ Facebook friend lists too. Facebook CEO Mark Zuckerberg apologised for the abuse. He had to testify before the US Congress on the matter. The US Federal Trade Commission slapped a fine of $5 billion on Facebook. In 2019, FB had to pay half a million pounds to the UK’s Information Commissioner’s Office. This was a fine for the exposure of users’ data. The authorities said Facebook used the data in favour of a Russian oil company and for a pro-Brexit campaign. The multi-national scam forced Cambridge Analytica to close operations in 2018.

The Yahoo breach

One of the biggest data breaches in history. Yahoo was hacked twice: in August 2013 and late 2014. The 2014 breach came to light only in 2016. It affected 500 million Yahoo user accounts. This was exposed after hackers posted stolen data in underground forums and online marketplaces. The one in 2013 was reported in October 2017. It affected some 300 crore users. Yahoo said the acts were state-sponsored. But it did not name any country. Some reports linked Russian intelligence to the breach. Yahoo is now facing several lawsuits and government actions over the breach. In fact, the data leak hit the company’s future where it hurt. Verizon Communications, which bought Yahoo, reportedly paid $350 million less than it had agreed.

The First American data expose

In May 2019, a security researcher revealed that insurance biggie First American Financial had exposed crucial documents of 88.5 crore people. The company said the leak was accidental. The documents were related to mortgage deals from 2003. Brian Krebs, the security researcher, said the leaked data included bank account details and statements, social security numbers, tax and mortgage details and identity proofs. Anyone could get hold of the data through firstam.com. Shockingly, the information was not password-protected. Security experts blamed a website design error for the mishap. The company fixed the error soon, and luckily for them, the data was not misused by anyone. The US Securities and Exchange Commission (SEC) is looking into the issue to see if First American had violated any security laws.

Aadhaar breaches

Several reports have emerged revealing how Aadhaar, India’s 12-digit unique identity number for residents, has been compromised. In 2018, digital security firm Gemalto said almost one billion records were compromised. The firm, which had a tie-up with Aadhaar’s manager UIDAI, later rolled back the claims. It apologised for the report after India said it would stop using Gemalto’s products. Aadhaar critics maintain the claim has some truth. In 2019, a raid on an IT firm in Hyderabad found 7.82 crore exposed Aadhaar details. An anonymous French researcher also claimed many government websites are leaking Aadhaar details. Media reports said websites of the Jharkhand government exposed Aadhaar details of 166,000 workers in 2019. The UIDAI, though, says Aadhaar data is fully secured.

Finland’s Vastaamo leak

This happened in Finland in October 2020. Tens of thousands of clients of a private psychotherapy centre called Vastaamo saw their data go public via hacking. The hackers used the sensitive information to demand a ransom from the clinic (40 bitcoins, then worth €450,000). Each patient had to cough up €200-€500 to buy the silence of the hacker. The intruders leaked details of around 300 patients on a Tor site. The incident, which shocked all of Scandinavia, is still being probed. Finland’s Cyber Security Centre and the National Bureau of Investigation are at it as we speak.

Adobe breach

In 2013, a data breach at software MNC Adobe exposed the data of 38 million users. Adobe said hackers had stolen nearly three million credit card records and login data. The source code for Adobe Acrobat and Reader and the ColdFusion web application platform was also compromised during the hack.

Adult Friend Finder

In October 2016, more than 40 crore accounts were impacted when sensitive data was stolen from the casual hookup and adult content websites of the Friend Finder Network. The stolen data includes six databases covering 20 years, names, email addresses and passwords.

Zynga scandal

In 2019, social game giant Zynga suffered a data breach at the hands of a hacker. The Pakistani intruder said he exposed about 22 crore user accounts from Zynga’s Words With Friends mobile app. The Farmville creator confirmed that the hacker had stolen email addresses, usernames, login IDs, Facebook IDs, phone numbers, and (even) hashed and salted passwords.

Sina Weibo

In March 2020, Sina Weibo, China’s Twitter (well, sort of), experienced a data breach. The Chinese microblogging site saw some 54 crore accounts being impacted in the hack. The hackers posted data including names, usernames, gender, location and phone numbers of the users on the dark web for sale. A probe into the hack is under way. The company says the breach didn’t compromise anything the users should be worried about.

Myspace

Before the emergence of Facebook, MySpace was the leader in social networking services with more than 10 crore users a month. In 2013, as its popularity was on the decline, 36 crore user accounts were breached. The data went on sale on the dark web market for six bitcoins. The compromised data included email addresses, passwords and usernames of users from the old Myspace platform before February 2013.

Marriott International

In 2018, hospitality giant Marriott International announced a data breach in which sensitive information, including customer records and credit card and passport numbers of 50 crore customers, was compromised. The cyber-attack had started in 2014 in the Starwood hotel chain and continued during the period Marriott acquired Starwood in 2016. The breach was discovered two years later. A report in The New York Times suggested the hackers were sponsored by a Chinese intelligence group targeting US citizens’ details. In October 2020, the UK’s Information Commissioner’s Office fined the hotel group £18.4 m for compromising user data.

MyFitnessPal

In February 2018, American sports major Under Armour’s MyFitnessPal app saw a major data breach. Over 150 million user accounts were hacked. Usernames, email addresses, IP addresses, SHA-1 and bcrypt-hashed passwords were stolen by the hackers. The data was put up for sale the next year. MyFitnessPal gathers data such as users’ calorie intake, exercise regimes, and such. It also has a database of more than two million food items. 

LinkedIn

LinkedIn faced multiple data breaches over the last eight years. In 2012, passwords of nearly 6.5 million users were stolen, allegedly by Russian cybercriminals. In 2016, LinkedIn announced that data of an additional 100 million users from the 2012 attack was up for sale on the dark web. Yevgeniy Nikulin, a Russian hacker, was arrested in Prague in 2016 in connection with the hack. He was sentenced to 88 months in prison in September 2020. In January 2021, it was reported that a social media management company, ‘Socialarks’, suffered a data leak of more than 408 GB of personal data for around 214 million Facebook, Instagram and LinkedIn accounts worldwide.

(The list is not exhaustive. Have we left out anything you think worth mentioning here? Tell us below.) 
