Skip to content

The Biggest Hacks and Data Breaches

Business Continuity and IT Disaster Recovery Blog

Articles - BCP and IT DR

Data breach: Timehop

When?: July
How many people: 21 million
What happened?:
Timehop connects to social networks and surfaces nostalgic posts from the past. On Facebook, it shows users their previously popular posts in a bid to help people rekindle previous memories. However, the company detected an ongoing cyber attack in July and found names, email addresses and “keys” allowing access to previous posts had been taken. It delayed the tokens for accessing historic posts, it said.

Data breach: Polar Flow

When?: July
What happened?: The fitness app Polar Flow revealed the locations of military personal inside secret bases around the world. In similarity with the Strava data privacy issue in January, researchers found it has been possible to monitor the movements of soldiers. Changing a URL let anyone see a person’s workouts.

Data breach: MyHeritage

When?: February – June
How many people: 92 million
What happened?: DNA testing firm MyHeritage suffered a huge data breach affecting 92 million people. While DNA data wasn’t made public, emails and some password information were. The data was stored on a private server and whoever obtained it sent it to third-party security researchers.

Data breach: Ticketmaster

When?: February – June
How many people: 40,000
What happened?: Ticketmaster revealed that the login information, payment data, addresses, name and telephone numbers of 40,000 people was at risk. The data breach was first spotted by digital bank Monzo, which told Ticketmaster about the insecurities.

Data breach: Typeform

When?: May – June
How many people: millions
What happened?: Data collected through Typeform surveys was left unsecured and was taken by hackers. As a result, adidas, Monzo, Revolut, England’s Shavington-cum-Gresty Parish Council, Fortnum and Mason’s and more were forced to admit that data had been compromised.

Data breach: Dixons Carphone

When?: July 2017
How many people: 5.9 million payment cards
What happened?: Dixons Carphone revealed 5.9 million payment cards and 1.2 million personal data records were stolen in 2017. The cards haven’t been used maliciously as most of them were protected by chip and PIN. Names, addresses and email addresses of more than one million people were also taken in the breach.

Fined: University of Greenwich

When?: 2004
How much: £120,000
What happened?: The UK’s University of Greenwich exposed 19,500 student details – including names, addresses, phone numbers, signatures, health conditions, and dates of birth – through an insecure training website. The details were first published in 2004 but the Information Commissioner’s Office hit the university with a £120,000 fine.

Fined: Yahoo!

When?: April – June
How much: $35m
What happened?: Following Yahoo!’s colossal data breach in 2014 where billions of usernames, email addresses, phone numbers, birthdates, passwords, security questions were taken, regulators have hit the firm with fines. The US Securities and Exchange Commission slapped the firm, now called Altaba, with a $35 million fine in April. The UK’s data protection watchdog also fined it £250,000.

Data breach: MyFitnessPal

When?: February 2018
How many people: 150 million
What happened?: In March, sports retailer Under Armour revealed its fitness app MyFitnessPal had lost the usernames, email addresses, and passwords of 150 million people were stolen from its systems. Although, the passwords were encrypted.

Data breach: Equifax

When?: 2017
What’s new?: More victims
What happened?: In one of the worst data breaches of all time, Equifax lost the data of 145 million US citizens. It’s since emerged that another 2.4 million Americans also lost their data. Equifax said the data breach cost it $114m and separate investigations are still ongoing.

Data breach: Facebook

When?: 2014
Who’s responsible: Cambridge Analytica
What happened?: The birth of Facebook’s biggest scandal. The Guardian reported more than 50 million people (this later rose to more than 100 million) had data harvested for data profiling company Cambridge Analytica. Facebook found out in 2015 but the details didn’t fully come to light until this year. The data was harvested through a quiz app that collected people’s personal information, it was then shared beyond the original researchers who had created the app.

Data breach: OnePlus

When?: Between mid-November 2017 and January 11, 2018
How many?: 40,000 people
What happened?:  Chinese smartphone manufacturer admitted in January that 40,000 of its customers had data lost after a “malicious script was injected into the payment page code” of its website. The script collected people’s payment data and returned it to unknown attackers. Credit card numbers, expiry dates, and security codes entered at may have been compromised, the company said.

Data breach: Strava

When?: January
What happened?:  The huge public map of workouts from fitness company Strava revealed the locations of military personal and their movements. In rural locations heatmap data could show how people operated around military bases, plus it was possible to discover the names and heart-rates of individuals inside highly secretive bases.

Fined: Carphone Warehouse

When: August 2015
How Much?: £400,000
What happened?:  The UK’s data protection regulator, the Information Commissioner’s Office (ICO), hit Carphone Warehouse with a £400,000 fine after the details of three million customers were access in 2015. The ICO said there were “rudimentary” security flaws that allowed information to be accessed.

Data breach: US Homeland Security

When?: Between 2002-2014
Who’s responsible?: Unknown, but not a “cyber attack by external actors”
What happened?:  On January 3, 2018, the US department of Homeland Security told 247,167 of its employees there had been a “privacy incident” with one of its databases for those that worked there in 2014. During the period of 2002-2014, an undisclosed number of people who were being investigated were also affected by the data loss. The lost information includes names, social security numbers and staff job roles. Officials first discovered the breach in May 2017 but took time to confirm it.

Data breach: Aadhaar

When?: January 3, 2018
Who’s responsible?: Former employees
What happened?:  India’s giant one billion person public database has been compromised. The Tribune newspaper reported former staff members provided access to names, email addresses and phone numbers.

BRCCI – Business Resilience Certification Consortium International (

We are thankful to the author for allowing us to post this insightful article on our website. BRCCI provides a comprehensive training and certification program in business resiliency, continuity and IT disaster recovery planning:

1. 3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one, 3-day Business Continuity Planning and Management Training and Certification course which is designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.

2. 3-day CBRITP (Certified Business Resilience IT Professional) is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry’s standards and best practices.

3. 2-day CBRA (Certified Business Resilience Auditor) It provides 2 days of intensive, Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with the current industry’s best practices and standards including:

  • ISO 22301: Business Continuity Management Systems – Requirements
  • NFPA: Standard on Disaster/Emergency Management and Business Continuity Programs
  • ITIL: Information Technology Infrastructure Library

For information on the above program, please contact BRCCI (www.brcci.org1-888-962-7224).

On Key

Related Posts

ICR Standard

ICR Standard Author: Dr. Akhtar Syed Download PDF Section 1.0 – Introduction The Integrated Continuous Resiliency (ICR) standard, developed by BRCCI (, is a comprehensive

What is ISO 22301 standard?

What is ISO 22301 standard? Author: Andrea Patricia Sanchez Dominguez Download PDF 1. Introduction The Standard ISO 22301 was proposed in 2012 as a new