The most disastrous web and mobile application security breaches and security incidents of 2018 (so far).
Application security is one of the most crucial areas of data security, especially as more businesses move to cloud-based computing and make web applications a core focus of their functionality. Web applications are increasingly being used to process and store customer data in the cloud, so weak application security is a very attractive target to attackers. Here are ten of 2018’s biggest, most damaging or highest-profile application security data breaches:
10. Sears, Delta Airlines, Kmart and Best Buy (via 7.ai)
When: September 2017-April 2018
The damage: over 100,000 payment card records
On April 4th, SaaS-provider 7.ai issued a press statement disclosing a prior cybersecurity attack “potentially affecting the online customer payment information of a small number of our client companies”. The complete list of affected companies is not known, but includes at least Sears, Delta Airlines, Best Buy and Kmart. Technically, the underlying incident occurred over September-October 2017, but 7.ai left the incident undisclosed for 5 months. Under article 33 of the GDPR, any company trading in Europe must disclose a personal data breach within 72 hours of becoming aware of it. Had the incident itself occurred after 25 May 2018 (when GDPR came into force), such a delay would likely be treated harshly by EU regulators.
9. British Airways’ breach caused by credit card skimming malware
The vector: malware injected onto British Airways’ site
In September, British Airways discovered an ongoing malicious attack on their website which had begun towards the end of August. The attack resulted in the personal and payment information of affected customers being compromised.
8. Google+ suffers from years-old API bug When: 2015-October 2018
The vector: a years-old API bug
In March, Google found a bug in an API used in its Google+ social media platform which would allow third-party developers to freely access the personal details of Google+ members. Google left this vulnerability undisclosed until October, saying that the damage from the bug did not pass public disclosure thresholds. However, the Wall Street Journal revealed that the lack of disclosure was at least partially motivated by a desire to avoid negative publicity in the wake of the Cambridge Analytica scandal.
While the potential damage from this bug extends to 500,000 users, Google claims to have found ‘no evidence’ the data was misused or accessed maliciously. In security, absence of evidence is definitely not evidence of absence, and however much or little data was accessed, it was exposed for years and then covered up for months. Google+ as a consumer platform is now due to shut down in August 2019.
7. T-Mobile breach hits 2 million When: August 2018
The vector: insecure API
In an attack carried out against T-Mobile, hackers were able to gain access to servers holding customer information including names, email and physical addresses and phone numbers. T-Mobile did not disclose the exact number of affected customers, but stated that it was ‘about’ or ‘slightly less than’ 3% of its userbase of 77 million. This attack was possible thanks to an unspecified backend API.
T-Mobile’s official statement said that ‘no passwords were compromised’, but it later emerged that password information was included in the breached data. T-Mobile didn’t count them as compromised because ‘they were encrypted’.
6. Organizations using TypeForm When: June 2018
The vector: malicious access to Typeform’s servers
Another example of how poorly-secured SaaS-providers can create the widest-reaching data risks, TypeForm’s fast response still left a long list of companies affected after an attacker gained access to a data backup from June. Despite being able to cut off the attacker’s access within 30 minutes of the breach’s discovery, a long line of organizations came forward to disclose that the breach may have affected their customers.
5. Cathay Pacific Airways is the largest airline hack ever When: March-October 2018
4. GovPayNet sees 14 million receipts exposed When: September 2018
The vector: Broken access control allowing anyone to access any user’s receipt
GovPayNet provides services across 35 US states allowing citizens to pay government-related fees or fines. It provides its users access to online receipts, which include names, addresses, phone numbers and the final four digits of payment card numbers. In September, security researcher Brian Krebs notified GovPayNet that their web application would allow anyone to bypass access control and view any receipt.
Although access control was implemented for customers wishing to view their receipt, manually changing the URL would allow for this control to be bypassed. The exposed records were stored in sequential order, numbering at least 14 million and dating back to 2012.
3. Timehop breach started back in December 2017 When: July 2018
The vector: Compromised admin credentials
An attacker was able to gain access to Timehop’s cloud computing environment using compromised admin credentials. While Timehop successfully stopped the attack while in progress, data was still lost. In the process, API keys that allowed Timehop’s app access to users’ social media content were also compromised, but these were reset by Timehop in the breach’s aftermath.
Timehop’s official statement has shown a great deal of transparency, offering a full breakdown of the breached records (including the number it considers to be subject to GDPR) and a timeline of the attack. It became apparent that malicious probing and reconnaissance for the attack had begun in December 2017, highlighting a need for stronger internal access control.
2. Panera Bread customer information to easy to access When: August 2017-April 2018
Panera claimed that under 10,000 customers had been affected by the data leak, but with customers’ personal data so freely accessible, it would be impossible to know exactly who has accessed it and how much has been stolen. Security blogger Brian Krebs demonstrated that the damage could potentially extend up to 37 million users.
1. Facebook suffers from web-app insecurity When: September 2018
Facebook’s initial statement was that 50 million accounts were compromised, but later reduced this estimate to 30 million. However, Facebook asked 40 million additional users to log out and reset their access tokens as a precaution, bringing the maximum potential reach of the security issue to 90 million users.
That was our version of the top 10 application security breaches of 2018. We purposefully omitted cryptocurrency incidents that will probably be compiled in a dedicated post. If you know about other significant breaches not mentioned in this article, leave your comment below.