The Worst Data Breaches of 2018

Wednesday, October 24, 2018

In 2017, the world witnessed more data breaches than any year prior. There were total of 1,293 data breaches, compromising more than 174 million records. As we end the near of October, this disturbing trend has nothing but continued this year as well.


As employees and business consumers, we shall be concerned about these threats and our most precious assets. Protecting user data has become increasingly important amid stricter regulation implementation.


Companies are no longer just required to announce that their systems have been breached but also pay fines that can reach up to 4 percent of their annual turnover. The increasing sophistication of cyber-attacks coupled with the overall lack of cybersecurity has led to the greatest data breaches and the loss of data records on a global scale.



This year, big names such as Google, Facebook, Nadra, Uber, Careem, and British Airways have joined the ever-growing list of breach victims. Data breaches can result in loss of millions, even billions, of private records and sensitive data, affecting not just the breached organization but also the concerned victims whose critical assets may have been stolen.



As we end the near of 2018, it’s time to tally up this year’s breaches. Below we offer what we believe are the most significant data breaches to hit the globe, not in all cases because they were particularly large but because of the type of attack or vulnerability involved or the sensitivity of the data compromised. This list is not in order of rank.






Earlier this year Google discovered a vulnerability in an API for the company’s social networking effort Google+, which made it possible for third-party app developers to access data from the friends of the app users.





According to the Wall Street Journal, more than 500,000 Google Plus users had their data exposed this past spring through a third-party application. Google not only exposed this data but then it chose not to disclose it, fearing reputational damage.


Exposed data included names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.
In response, parent company Alphabet decided to shut down Google+ completely and for good.






Facebook security breach which was discovered in September 2018, was the largest in the company’s 14-year history. The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them, exposing accounts of nearly 50 million users.




The vulnerability was introduced on the site in July 2017, but Facebook didn’t know about it until September 16, 2018, when it spotted an unusual activity. This could potentially mean the hackers could have had access to user data for a long time, as Facebook is not sure right now when the attack began.


Zuckerberg said that the attackers were using Facebook developer APIs to obtain some information, like “name, gender, and hometowns” that’s linked to a user’s profile page.






Earlier this year, we witnessed the biggest data breach in the history of Pakistan as reports claimed that Punjab Information Technology Board (PITB) is responsible for creating vulnerable mobile applications directly connected with the API of NADRA, which can request details of any Pakistani citizen using different means.




According to WikiLeaks and Julian Assange, American and British intelligence agencies acquired access to NADRA’s database and got hold of the identification records of Pakistanis.

According to an Information Security expert Faiz Ahmed Shuja, the CEO of Rewterz, the data was leaked due to unregulated e-governance apps, such as those that sold online tickets of cricket matches in Pakistan.


NADRA provides access to different government organizations, for example, when you go to buy a mobile phone SIM, you provide your fingerprints, that are used to match with your NADRA data to verify your identity.


He further said:

NADRA had given this kind of access to different government departments as well as the Punjab Information Technology Board (PITB) who launched an application to sell cricket match tickets. People would give their ID credentials and get their tickets; these applications have been misused. The authority should provide only what is required to government apps instead of giving them complete access to all its data.”





In September 2018, reports confirmed that ride-hailing firm Uber will pay £133m to settle all legal action over the cyber-attack that exposed data from 57 million customers and drivers in 2016.
Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States.



After numerous reports of the firm following this incident, Uber only revealed some information about the data breach in November 2017. It has now been confirmed that the company paid the hackers $100,000 (£761,71) to hide the data breach.



British Airways



British Airways revealed on 6 September that the passengers who made a booking or updated the booking from or the BA app became victim of a data breach affecting 380,000 transactions, involving stolen personal and financial information, but not passport or flight details.



The data was compromised over a two-week period between 21 August and 5 September, during which a ‘sophisticated’ attack was carried out on both the company’s website and app.


We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over and app,” Alex Cruz, CEO of BA told the BBC’s program today.

The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.



He said that customers at risk are now being contacted and advised to ask their bank or credit card provider on how to manage the data breach.


“Yet, every company is a target when it comes to cyber-attacks, and there only needs to be a single vulnerability to enable a breach. While cybercriminals will always find new ways of gaining access, there are ways to reduce risk and minimize the loss of data.”






Careem, in a public statement issued on April 23, said that it “has identified a cyber incident involving unauthorized access to the system we use to store data”. The breach involved access to Careem’s data storage system for 14 million riders and 558,800 captains.




The breach affects all customers and captains who signed up with the service before January 14, 2018. Close to three out of every four users have been a victim of this breach.



On January 14 of this year, we became aware that online criminals gained access to our computer systems which hold customer and captain account data. Customers and captains who have signed up with us since that date are not affected,” stated the company on its ‘blog’ section.

IT experts and customers are now accusing the company for its neglectfulness and not reporting this incident until more than three months.


The company has also warned users to take safety measures on their own, and be vigilant over their bank account usage and credit card transactions, hinting that there could be a possibility of misuse. It has also asked users to “update” passwords and implement “good password management.”

Data Sheets

Corporate Brochure

Our Story



Managed Security

Upcoming Rewterz Trainings/Events

Rewterz News

  • 11, October 2019 Rewterz Threat Alert – Kimsuky Group – IOC’s
  • 11, October 2019 Rewterz Threat Advisory – CVE-2019-10936 – Siemens PROFINET Devices Denial of Service Vulnerability
  • 11, October 2019 Rewterz Threat Advisory – CVE-2019-10923 – Siemens Industrial Real-Time (IRT) Devices DoS Vulnerability
  • 10, October 2019 Rewterz Threat Alert – Another Agenttesla campaign using a compromised Iraq Government site

Copyright © Rewterz. All rights reserved.