2018 Year in Review: Biggest Privacy Wins and Breaches

2018 was a big year for privacy – lots of big data breaches, Facebook scandals, and international security concerns, just to name a few.

Here are the biggest data breaches this year worth capturing and keeping in mind as we go into 2019.

5 Biggest Data Breaches of 2018

Aadhaar Data Breach: When the government can’t protect its 1 billion citizens (January 2018)

Aadhaar, a 12-digit unique identity number for residents of India based on their biometric and demographic data like fingerprints and iris scans, was breached sometime in 2017.

It was a matter of national security that left 1 billion citizens of India vulnerable to intrusions of privacy such as identity theft, possible phishing scams, and hacks on personal information.

In November 2017, the Unique Identification Authority of India (UIDAI) assured residents that their personal data on the Aadhaar was secure and that there had been no data breach.

However, an investigation by the Tribune revealed that it was extremely easy to enter any Aadhaar number and obtain information such as names, email addresses, phone numbers, and other confidential details upon payment of a mere 500 rupees (Rs 500) through a portal provided by an anonymous “agent.” These agents operated in WhatsApp groups to sell this access.

Consequently, the recent breach has heightened unease over the inability of the Indian government to protect the privacy of its citizens, as government websites in the past have also accidentally leaked information.

MyFitnessPal: Data breach of 150M users due to lack of verification (March 2018)

In February, MyFitnessPal, a health and fitness app acquired by Under Armour in 2015, was hit by a data breach which involved roughly 150 million of its users.

After the company discovered this breach, its CEO and founder Kevin Plank announced in late March that “the investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.”

Under Armour prompted its users to change their passwords immediately. It also encouraged users to monitor their accounts for any suspicious activity connected with the breach. UA’s shares dropped roughly 5% – which is the average figure following a breach of this kind, according to a study by Ponemon.

This follows similar breaches at companies like Equifax and Yahoo, where the barrier to entry for attackers seeking access to the user database was low.

Cambridge Analytica: How much power is too much? (March 2018)

Earlier this year, Facebook revealed that data analytics firm Cambridge Analytica used personal information obtained from its users in early 2014 to build a system that targeted certain US voters with personalized political propaganda.

An app called “This Is Your Digital Life,” built by Cambridge University academic researcher Aleksandr Kogan, was responsible for the data breach.

In a Facebook post, founder and CEO Mark Zuckerberg told its users that “in 2015, we learned from journalists at The Guardian that Kogan had shared data from his app with Cambridge Analytica. It is against our policies for developers to share data without people’s consent, so we immediately banned Kogan’s app from our platform, and demanded that Kogan and Cambridge Analytica formally certify that they had deleted all improperly acquired data.”

It wouldn’t be an exaggeration to say that this was the biggest scandal of 2018, as it raised questions over Facebook’s role and influence as a tech giant that’s much more than just a social media platform.

Marriott Starwood Hotels: Cyberwar with China continues, 500M guests affected (November 2018)

In a massive breach that affected up to 500 million guests, Starwood Hotels and Resorts, a hotel chain owned by Marriott International, announced in November that hackers had had access to their guests’ reservation database for the past four years.

The data exposed included names, mailing addresses, phone numbers, email addresses, passport numbers, guest accounts, and other sensitive information such as travel locations and dates.

Since then, the United States has connected the breach to possible hacking by Chinese intelligence agencies. The speculation is fueled by strained relations between the two countries, as China’s involvement in data breaches is nothing new, from the hacking of Google in 2009 to the breach of the U.S. government in 2015.

As a result, US lawmakers are currently considering a bill that would ban government employees from using phones manufactured by the telecommunications companies Huawei and ZTE, both based in China.

Quora: Finishing the year with a bang – 100M users (December 2018)

Big data breaches continued toward the end of the year when Quora, a question-and-answer website founded in 2009, was hit by a data breach through unauthorized access to its systems by a “malicious third party.”

In a blog post entitled “Quora Security Update,” the company disclosed that the account information of 100 million users, including name, email address, encrypted password, data imported from linked networks when authorized by users, public content, and actions may have been compromised.

It advised its users to change their passwords immediately and has kept them updated on the investigation by email.

Coming close on the heels of MyFitnessPal, the Quora incident suggests that this type of data breach will become more and more common as long as companies with massive user bases lack adequate security measures to guard against potential attacks.

5 Biggest Privacy Wins of 2018

Now, to end on a more positive note: while there were numerous data breaches in 2018, there were also notable victories for privacy.

The Electronic Frontier Foundation (EFF), a leading non-profit organization that champions user privacy, free expression, and innovation, led some of the biggest privacy wins of 2018.

Want Location Tracking Data? Get a Search Warrant

Earlier in June, the Supreme Court of the United States ruled that the Fourth Amendment, which prohibits unreasonable searches and seizures, also applies to cell phone tracking.

The 119-page opinion by Chief Justice Roberts states that the location information collected by telecommunication service providers offers “an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’”

Such an intrusive search now requires a validly obtained search warrant, and rightly so.

Sharing Your Password With Your Family is Definitely Not a Crime

We’ve all skipped reading a website’s terms of use. Who really has the time to pore through a long, dry legal document that lawyers get paid to read? Even privacy maniacs need a break!

Unfortunately, this act of negligence has turned innocent, albeit slightly lazy, users into criminals under an overly broad definition of cybercrime. Even simple actions like sharing a password with a family member, or using a fake or incomplete name, would violate certain websites’ terms of use. But by no means should users face criminal charges because of them.

To combat this travesty, the EFF submitted a brief in 2017 stating that allowing criminal liability under the law for terms of use violations turns a vast number of ordinary individuals into criminals. In January of this year, the Ninth Circuit decided that these innocuous acts certainly don’t violate California or Nevada’s cybercrime laws.

We’re All Equal Under the Law, Even the Government

The EFF has long been wary of Facebook’s policies requiring the use of real or authentic names. It believes that the ability to speak anonymously is one of the great advantages of free speech and that forcing people to disclose their identity through this policy defeats that purpose.

Sometime in July, the American Civil Liberties Union (ACLU) of Tennessee filed a civil rights lawsuit against the Memphis Police Department. The lawsuit uncovered evidence that the police used a fake account on Facebook to gather intelligence on activists.

Fortunately, Facebook recognized the threat that this practice poses to protected speech. In a letter to the Memphis Police Department, it stated that law enforcement authorities are also subject to the company’s policies. Since fake accounts violate those policies, Facebook disabled the fake accounts it identified in its investigation.

Stopping Illegal Device Searches at the Border

In September 2017, the EFF, with the ACLU as co-counsel, filed a lawsuit challenging border device searches as violations of the right to free speech and the protection against unreasonable searches and seizures.

Not surprisingly, the federal court ruled that government searches of cell phones, laptops, and other electronic devices without a warrant when someone crosses the border may violate the First and Fourth Amendments.

“A cell phone search would typically expose to the government far more than the most exhaustive search of a house,” the federal court stated in an opinion.

Right to Free Speech in Domain Names

Yes, you heard that right. The protection of free speech extends even to the use of domain names.

When Jeremy Rubin registered the Internet domain name “fucknazis.us” to speak out against white supremacist groups in the US, the government took away his domain name, which meant the shutdown of his website.

A government agency shutting down an Internet domain based on the contents of its name runs counter to the right protected by the First Amendment. The EFF, together with the Cyberlaw Clinic, helped Rubin get back his domain, and prevented the government from banning “dirty words.” His domain has since returned to full operation.

Details of the case can be found directly at https://fucknazis.us/.

With all these things in mind, what can we expect in 2019?

Each year, companies aim to protect the privacy of their users, only to fail miserably. At the end of the day, it’s about business. Money speaks, and while privacy is of paramount concern, exploitation for financial gain will inevitably continue unless it’s prevented by regulation.

Government involvement will only increase as more and more people become aware of how unprotected their data is on the web. We can expect to see more of this participation in 2019, along with more tangible consumer action.

However, the coming year will also see more data breaches, possibly on an even greater scale. Lawmakers haven’t caught up yet, and too many companies have weak or non-existent security measures. It’s all too easy to fool unsuspecting users into selling their data.

In the 21st century, the measure of a government’s power will include its ability to protect its citizens’ data from both cybercriminals and foreign agents. As we move more of our systems online, we become ever more vulnerable to major damage caused by hacking.

Overall, 2018 was a pretty good year for regulation. Privacy is finally recognized and accorded the priority it deserves. Further legislation is in the works, and governments around the world are finally catching up to technology.

It can only get better from here. We may be in for a long ride, but at least we’re on the right path.

Published by

David Schultz

Internet and Privacy Law | David Schultz is a Cyber Security Attorney based in Europe.
