Image: Shutterstock.

What were 2018’s worst breaches? By year’s end, more than 1,200 breaches affected over 560 million reported records. But some sources brought the total even higher by including estimated unreported records.

CU Times looked at the statistics compiled by the San Diego, Calif.-based Identity Theft Resource Center (which was still tallying the damage at press time) to compile this list of 2018’s 12 most damaging breaches. But we also enlisted feedback from other sources, such as the Panama-based virtual private network provider NordVPN.

The ITRC’s compilation of data breaches uses reports confirmed by various media sources and/or notification lists from state governmental agencies. Some breaches did not yet have reported statistics or remained unconfirmed.

The ITRC defines a data breach as an incident exposing an individual name − plus a Social Security or driver’s license number, medical or financial record (credit/debit cards included) – that potentially puts personally identifiable information at risk.

In March 2018, reports revealed data analysis firm Cambridge Analytica acquired and misused Facebook data. In a December blog, the ITRC stated, “While Facebook and the Cambridge Analytica events were not classified as traditional data breaches, they were nonetheless an eye opener for social media users who value their privacy. Most recently, the Marriott International announcement of a 500 million-guest breach of its Starwood Hotels brand has opened consumers’ eyes about the types of information that hackers can steal.”

“If your data wasn’t leaked this year, you’re lucky. The information of over a billion people was compromised in 2018 as many of the companies we trust failed to protect our data,” Daniel Markuson, digital privacy expert at NordVPN, said.

Gene Fredriksen, chief information security strategist for the St. Petersburg, Fla.-based CUSO PSCU, pointed out last year that fallout is not limited to the breached company. “The truth is that the aggregate information from a series of breaches can build an extensive personal profile.”

Here is our dirty dozen of 2018’s data breaches or events:

1. Starwood Hotels & Resorts Worldwide, LLC (Marriott International): 383 to 500 Million Records

Marriott International announced a breach compromised the personal data of guests staying at Starwood properties dating back to 2014. The information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, birthdates, gender, arrival and departure information, reservation dates and communication preferences. Originally, the Bethesda, Md.-based chain said the incident potentially involved up to 500 million guests. However, in December 2018, Marriott revised that to 383 million records, which included 5.25 million unencrypted and 20.3 million encrypted passport numbers.

2. Facebook-Connected Incidents: 184 Million Records

“Of course, no ‘naughty’ list this year would be complete without Facebook,” Markuson said. Even though the Cambridge Analytica episode, which involved up to 87 million users’ data, does not fit the ITRC breach definition, there were too many Facebook-connected data incidents in 2018 to overlook. In September, Facebook made headlines again for the compromised security of almost 90 million users when a bug in its “View As” feature let hackers steal usernames, genders and hometown information. Another bug, announced in December, revealed hundreds of third-party apps had unauthorized access to seven million users’ photos.

3. My Fitness Pal: 150 million Records

Hackers stole data from more than 150 million users of the popular tracking app MyFitnessPal as announced by its parent company Under Armour on March 29. The company began alerting users about the breach via email and in-app messaging four days after it noticed an unauthorized party accessed the data in February (record notification time compared to other incidents). The company confirmed hackers obtained usernames, email addresses and hashed passwords. MyFitnessPal stated other information that was stored separately, such as credit card numbers, was not compromised.

4. Quora: 100 Million Records

Quora, one of the largest Q&A internet portals, said hackers breached its servers and obtained information belonging to about 100 million users, almost half of its customer base. The Mountain View, Calif.-based company said the potentially compromised information included encrypted passwords, names, email addresses, data imported from linked networks, and an assortment of public and non-public content and actions. The company acknowledged the overwhelming majority of the content accessed was already public, but the compromise of account and other private information was serious.

5. Firebase: 100 Million Records

Firebase, a Google-owned development platform, leaked the sensitive information of more than 100 million records (113 gigabytes) from unsecured databases. “The platform might not be well known to everyone, but it’s widely used by mobile developers,” Markuson said. Analysis of the exposed data revealed 2.6 million plain text passwords and user IDs; more than four million protected health information records (including chat messages and prescription details); 25 million GPS location records; 50,000 financial records including banking, payment and bitcoin transactions; and more than 4.5 million Facebook, LinkedIn, Firebase and corporate data store-user tokens.

6. Ticketfly: 27 Million Records

Ticket-selling service Ticketfly confirmed on June 7 its customer database was hacked, with details from 27 million accounts stolen. The stolen information included names, addresses, telephone numbers and email addresses of registered Ticketfly users, including both ticket buyers and ticket sellers. Ticketfly said hackers did not steal credit card details or passwords of registered ticket buyers, but they might have obtained encrypted passwords of Ticketfly clients.

7. Government Payment Service Inc. ( 14 million Records

In September, KrebsOnSecurity alerted the Indianapolis, Ind.-based GovPayNet, which serves about 2,300 government agencies in 35 states, its site was exposing at least 14 million customer receipts dating back to 2012. displays an online receipt when citizens use it to settle state and local government fees and fines via the site. Two days after the notification, the company said it addressed a potential issue by not adequately restricting access to unauthorized recipients.

8. Cathay Pacific: 9.4 Million Records

In October, the Hong Kong, China-based airline Cathay Pacific acknowledged a compromise of its computer system that lasted at least seven months, and exposed the personal data and travel histories of as many as 9.4 million people. The breach involved PII including phone numbers; birthdates; frequent flier membership, passport and government ID numbers; and information on passengers’ past travels. Later the Philippines’ National Privacy Commission said the incident affected some 102,000 Filipino passports and credit cards.

9. Hudson Bay Company: 5 Million Records

The Toronto, Canada-based owner of several luxury retail chains on April 1 confirmed a breach at some of its Saks Fifth Avenue, Saks OFF 5th and Lord & Taylor stores that began as early as July 1, 2017 and was contained on March 31, 2018. A ring of cybercriminals planted malware into HBC’s cash register systems to collect customer transaction information, including cardholder names, payment card numbers and expiration dates.

10. Jason’s Deli: 3.4 Million Records

A family food chain with 275 delis in 28 states discovered criminals deployed RAM-scraping malware on several of its point-of-sale terminals at various corporate-owned restaurants starting on June 8, 2017. In December 2017, payment processors notified the deli that a large quantity of its payment card information had appeared for sale on the dark web. The data possibly included cardholder names, credit or debit card numbers, expiration dates, cardholder verification values and service codes.

11. AccuDoc Solutions, Inc. (Atrium Health): 2.7 Million Records

In November, the North Carolina-based Atrium, which operates more than 40 hospitals and 900 healthcare facilities in the U.S., said attackers gained unauthorized access to a patient database hosted by third-party payment processor AccuDoc Solutions between Sept. 22 and 29, 2018. Information potentially accessed included certain PII about patients and guarantors, including first and last names, home addresses, birthdates, insurance policy information, medical record numbers, invoice numbers, account balances and service dates. For some, the data may have also included Social Security numbers.

12. T-Mobile: 2 Million Records

T-Mobile announced that on Aug. 20, 2018, the company was hacked for access of PII from roughly two million customers, including names, billing zip codes, phone numbers, email addresses, account numbers and account types. According to the company, more sensitive information − financial data, Social Security numbers and passwords − weren’t compromised. T-Mobile noted the hack affected “about” or “slightly less than” 3% of the carrier’s 77 million customers.