EasyJet
In May 2020 EasyJet suffered a cyber-attack that affected 9 million customers. The majority had their email address and travel itinerary stolen, while more than 2,000 had their credit card details accessed.
At the time of publishing this article, EasyJet and the ICO are still investigating; however, it is expected that a fine could be significant.
British Airways
In September 2018, hackers were able to access over half a million records from the British Airways systems, almost 200,000 of which included payment details. A large part of the hack resulted from website users being redirected to a fraudulent website where the data was harvested.
The Information Commissioner’s Office (ICO) has announced plans to fine BA almost £200m.
MySpace
In 2016, a hacker reported that they had access to email addresses, passwords, and usernames for over 360 million MySpace accounts. However, analysis of the data reveals that the hack may have originally taken place in 2008, meaning that MySpace was unaware of the breach for eight years.
The stolen information was put up for sale on the dark web for around $3,000.
LinkedIn
In 2012, LinkedIn reported that it had been subject to a cyber security breach. LinkedIn took steps to force affected users to change their passwords, but they did not reveal how many users had been affected.
It wasn’t until 2016 that a hacker claimed to have the stolen information and revealed that the details of 117 million LinkedIn users had been compromised. Just like the MySpace hack, the hacker who claimed to possess the stolen details put them up for sale, this time for around $2,200.
Adobe
In 2013, Adobe reported that hackers stole 3 million encrypted customer credit card records, as well as an uncertain number of logins. That number was quickly revised to 38 million active users. But some security specialists suggested that the number was closer to 150 million.
Adobe had recently transitioned to providing Software as a Service (SaaS) where customers made recurring payments to maintain access to Adobe software, rather than paying once for desktop software.
This move to cloud-based software resulted in a change of infrastructure at Adobe, but it also resulted in the hack, revealing the potential risks of cloud-based software.
Adult Friend Finder
In 2016, the Friend Finder network suffered a breach that saw 412 million accounts compromised. Hackers used a Local File Inclusion vulnerability, which enables someone to run malicious code on an affected server. The hackers used this code to tell the server to reveal login details including passwords, which were either in plain text or poorly encrypted. It seems that the majority of passwords could be cracked. The hack also revealed logins for 15 million “deleted” accounts that had not actually been removed from databases.
Adult Friend Finder had also suffered a separate breach the previous year that revealed the logins, birthdates, and sexual preferences of 3.5 million users.
Canva
In 2019, Canva caught a hacker in the act of trying to access login details for its users. They stopped the unauthorised access, but not before the hacker had made off with encrypted login details for 137 million customers. Although any passwords stolen were still encrypted, the hacker had a much more valuable prize: login tokens.
Canva, like many sites, allows users to register with their Google credentials rather than using an email address and password. While this makes the user’s life easier, it makes things easy for a hacker too; once they have a copy of this token, they can impersonate you online. They can log in to any Google-enabled accounts you might hold until you change your Google password. The problem is that these login tokens are poorly understood. A Canva user hearing of the hack might think they have nothing to worry about when, in fact, they have much more to worry about than the average user: the hacker has access to much more than just their Canva account now!