A list of the biggest data leaks over the last six months
News of data breaches exposing the personal information of customers of big companies such as Facebook, Under Armour and Equifax seems like a monthly occurrence nowadays – because is it.
Over the last year, there has been a massive data breach involving big outlets every month. And this month alone, there have already been four massive breaches involving Saks, Lord & Taylor, Panera Bread, Sears Holdings, and Delta.
Here are some of the biggest data breaches over the last six months.
April 2018
Delta
April 4—The airline released a statement alerting customers that hackers may have accessed names, addresses and credit card numbers from “several hundred thousands” of its users through an online support service from Sept. 26 to Oct., 12, 2017.
“At this point, even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers’ information was actually accessed or subsequently compromised,” Delta said. The company, however, added that other information, such as passports, government IDs, security and SkyMiles data, was not accessed.
Sears Holdings
April 4—The Sears and Kmart owner released a similar statement to Delta, saying the same online support service may have exposed information of its customers as well.
“We believe this incident involved unauthorized access to less than 100,000 of our customers’ credit card information,” Sears said. “As soon as [24]7.ai informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud, and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms.”
Panera Bread
April 2—The website of bakery-cafe chain Panera Bread leaked customer records for at least eight months, according to cybersecurity blog KrebsonSecurity. A blog post said the data leak included names, email and postal addresses and the last four digits of credit card numbers of millions of customers who order food online. Panera, however, said the issue has been resolved and “there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
Saks, Lord & Taylor
April 1—Hudson’s Bay Company, which owns Saks and Lord & Taylor stores, confirmed that hackers stole the credit and debit card information of more than 5 million shoppers. The company said in a press release that it has "identified the issue and has taken steps to contain it.”
It added: “Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."
March 2018
Under Armour
March 29 — Under Armour announced its health and fitness app, MyFitness Pal, suffered a data security breach that exposed the personal data of roughly 150 million users. The company said the breach occurred in February, exposing usernames, hashed passion and email addresses related to user accounts.
March 17 and March 18 — Both The New York Times and Observer broke the news that 50 million profiles of Facebook users were “harvested” without their consent to a consulting firm, Cambridge Analytica, that was hired by Donald Trump’s 2016 campaign. Days later, Facebook CEO and co-founder Mark Zuckerberg admitted to the leak and said that the company failed its users.
December 2017
eBay
Dec. 10 — Ebay announced that due to a customer privacy leak, the personal information of many eBay customers, including usernames, first and last names, and purchase history, were made available via a Google’s Shopping platform. The company said the breach was due to “an improper feed signal” between the two companies and the purchased histories that were leaked “revealed very sensitive products, such as HIV home test kits, pregnancy test, and drug testing kits.” However, within a couple days, the users’ real names were masked with dashes.
Alteryx
Dec. 19 — Forbes first reported the news that California-based data analytics firm Alteryx was found culpable of not protecting the personal information of more than 120 million American households and openly harvested it on an Amazon Web Services cloud storage bucket. According to the report, the company had purchased the data from Experian, a giant credit reporting agency similar to Equifax. After the news broke, the company said it took action and secured the database from public view.
November 2017
Uber
Nov. 21 — Ride-sharing service Uber revealed that in late 2016 it became aware of a data breach that could potentially expose the personal information of more than 57 million Uber users and drivers but admitted that it chose to keep the leak a secret and pay the hackers off instead. The company said the hackers did not gain access to its internal systems, but rather got access to GitHub, a service that Uber’s engineers use to collaborate on software code.
Forever 21
Nov. 14 — LA-based retailer Forever 21 announced that some of its customers may have been affected by a data breach. After launching an investigation, it found certain point-of-sale devices were compromised — likely between March and October of 2017. The company said it encourages customers to keep an eye on their payment accounts and look for fraudulent charges.
September 2017
Whole Foods Market
Sept. 28 — Whole Foods Market — who at the time was just recently acquired by Amazon — announced that it discovered a breach in its payment systems but individuals who shopped in the company’s grocery stores were likely not affected. The company said it believes the unauthorized access occurred in Whole Foods Market locations with taprooms and full table-service restaurants.
Sonic
Sept. 26 — KrebsOnSecurity reported that it found a breach at fast-food chain Sonic after discovering a “fire sale” of millions of stolen credit and debit card numbers on the internet. Sonic said it later learned of the breach when its credit card processor notified them of unusual activity on customer payment cards.
Equifax
Sept. 7 — Credit reporting firm Equifax suffered one of the worst security breaches in history when it announced that sensitive data — including Social Security numbers and driver’s license numbers of more than 147 million consumers were exposed to hackers from mid-May to July. The company is still reeling from the after-effects of the breach after many high-ranking executives have since left. State and federal investigations into the matter have been launched, and numerous class-action lawsuits have been filed against the company.