Dixons Carphone, Facebook, Ticketmaster and Adidas were just some of the high-profile victims of data breaches in 2018 as hackers ran riot


Hackers barely left a stone unturned as they ran riot with a wave of data breaches in 2018.

From Adidas and Costa to Facebook and Ticketmaster, companies from a range of industries fell victim to cyber-attacks that left their customers’ identities vulnerable to online criminals.

Here, we look at some of the biggest data breaches of the year, including some historic attacks that were only discovered in 2018.


Data breaches 2018: Adidas

On June 26, the German sportswear giant became aware that the data of potentially millions of its customers was hacked.

Usernames, encrypted passwords and contact information were all leaked in the breach, but Adidas assured its customers that no payment details or fitness data were stolen.


The company alerted the public to the hack two days after it realised what had happened, but it remains unclear just how many were affected.

Its statement:

“On June 26, Adidas became aware that an unauthorised party claims to have acquired limited data associated with certain Adidas consumers.

“Adidas is committed to the privacy and security of its consumers’ personal data. Adidas immediately began taking steps to determine the scope of the issue and to alert relevant consumers.

“Adidas is working with leading data security firms and law enforcement authorities to investigate the issue.”


Data breaches 2018: Costa

An online recruitment system belonging to Costa’s parent company Whitbread was hacked in May, leaking the details of up to two million existing employees, as well as prospective job applicants.

Australian software firm PageUp, which runs the hacked system, announced the breach last month. It left names, phone numbers, employment information, addresses and email addresses exposed.

PageUp is currently investigating the issue to determine the identity of the hackers and find more information about what was leaked and who was affected.


Its statement:

“At Whitbread, we take protecting your data very seriously and we are very sorry that this has happened.

“We choose our partner organisations very carefully and take every possible step to ensure your data is always kept secure.

“We value all our job applicants and we want to repeat that we are very sorry that this has happened.”


Data breaches 2018: Ticketmaster

Last month, it became public knowledge that about 5% of the customers of US ticket sales and distribution company Ticketmaster had been affected by a breach.

Roughly 40,000 users of its UK site were affected, with some people claiming they’d been scammed out of money as a direct result.

The customers’ login information, payment data, addresses and phone numbers were put at risk, with the company advising users to change their details on the website at their earliest convenience.

Its statement:

“Based on our investigation, we understand that only certain UK customers who purchased or attempted to purchase tickets between February and 23 June 2018 may have been affected by the incident.

“Information which may have been compromised includes: name, address, email address, telephone number, payment details and Ticketmaster login details.

“We recommend that you monitor your account statements for evidence of fraud or identity theft.

“If you are concerned or notice any suspicious activity on your account, you should contact your bank(s) and any credit card companies.”


Data breaches 2018: Dixons Carphone

In July, Dixons Carphone announced ten million customers were affected by its data breach the previous year, rather than the original estimate of 1.2 million.

It admitted that personal information, addresses and email addresses may have been accessed last year but said no bank details were hacked and that it found no signs of fraud.

The breach did result in the hackers accessing 5.9 million payment cards, but almost all were protected by their chip and PIN feature.

The parent company of Carphone Warehouse and Currys PC World said it had been looking into the hack since it was uncovered in June.

Its statement:

Dixons Carphone chief executive Alex Baldock said: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.

“That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.

“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves.”


Data breaches 2018: Fortnum & Mason

Thousands of Fortnum & Mason customers had their personal data stolen between May and June this year, according to the retailer.

It announced in early July that the names, social media details, addresses and email addresses of about 23,000 people had been exposed by the breach.

Typeform is the survey company Fortnum & Mason uses for the various awards sections on its website, and those affected included anyone who voted in the TV Personality of the Year category.

Its statement:

“At 5.26pm on Friday 29 June, Typeform, a company that provides services that we have used in the past to collect survey responses and voting preferences, notified us that they had suffered a data breach and unfortunately some of our data had been compromised.

“The data of approximately 23,000 competition and survey participants who inputted into a Typeform form has been involved in this breach.

“For the majority of people, only the email address has been exposed. For a smaller proportion of customers, other data such as address, contact number and social handle has been included.

“These forms did not request bank or payment details, or require passwords.”


Data breaches 2018: Facebook

In 2014, information harvested by data profiling firm Cambridge Analytica saw the details of more than 50 million people – and eventually about 100 million – accessed without authorisation.

A quiz app collected people’s personal information surreptitiously to then be shared with third parties separate from the original researchers.

Facebook learned about the breach in 2015 but the incident did not become public knowledge until this year.

The company has since been fined £500,000, the maximum penalty allowed, by the Information Commissioner’s Office in the UK.

Read Facebook founder and CEO Mark Zuckerberg’s full statement here.



Data breaches 2018: SingHealth

It was announced on 20 July that SingHealth, Singapore’s largest healthcare group, was the victim of a cyber attack which resulted in the exposure of about 1.5 million patient records.

The breach occurred between late June and early July this year and affected those who visited the company’s clinics between 1 May 2015 and 4 July 2018.

Hacked information included patient names, addresses, genders, races, dates of birth and National Registration Identity Card (NRIC) numbers.

Meanwhile, the medical prescription records of 160,000 were also stolen.


Data breaches 2018: US Homeland Security

Between 2002 and 2014, about 240,000 employees at the US’ Department of Homeland Security were affected by a “privacy incident” involving one of its databases.

A further undisclosed number of people could have been affected, though this has not yet been confirmed.

Lost information includes names, social security numbers and staff job roles. DHS officials first discovered the breach in May last year but did not reveal it until 2018.

Read the full DHS statement here.


Data breaches 2018: Quora

In late November, 100 million users of public question and answer service Quora were affected by a data breach engineered by a “malicious third party.”

Account information such as names, email addresses and encrypted passwords may have been put at risk, the company said, but no financial details were leaked.

Andy Wright, regional director for Northern Europe at cyber security firm Check Point, said: “Hackers are deliberately targeting companies and websites which hold massive amounts of customer data – as we’ve seen with the recent major attacks against airlines and hotel chains.

“While it’s not known how Quora’s systems were breached, the attackers could have exploited any one of several vectors to get access.

“Organisations need to protect themselves against sophisticated fifth-generation threats which spread across networks, endpoints, mobiles and cloud services, and prevent them from being able to impact on their business.

“Luckily, there was no financial information associated with the exposed user data, and the stolen passwords were encrypted, but users should consider changing their passwords on other accounts if they have used the same password as for their Quora account.

“They should also be suspicious of emails claiming to be related to the Quora breach, as these could be phishing attempts to try and extract more sensitive information.”


Data breaches 2018: Under Armour

In March this year, fitness and clothing brand Under Armour discovered an unauthorized user had gained access to MyFitnessPal, the platform used by the company to track its users’ activity.

The breach exposed the usernames, email addresses and passwords of 150 million users, but did not affect any financial data, which Under Armour processes separately.

Condemning the attack, US Representative Bobby L. Rush said: “This industry’s lack of regulation has made everyone vulnerable to their data being placed in the wrong hands.

“We cannot let this industry continue to police themselves. They are not prepared to handle this ongoing threat and protect our most personal information.”