UK government website cryptojacking
February: Over 4,000 websites, including UK government, US, and Australian services, all experienced the same security issue at once due to a vulnerable third-party plugin used for website accessibility. Countless website visitors became victims of cryptojacking, in which their CPU power was used without consent to mine for cryptocurrency.
Ticketmaster
February -- June: Third-party code on Ticketmaster's web domain was compromised, leading to the implant of credit card skimming malware on the domain. Up to 40,000 UK and international customers are believed to have been affected, with information including names, addresses, email addresses, telephone numbers, payment details, and Ticketmaster login details involved in the breach.
Researchers later connected the cyberattack to the Magecart campaign.
Under Armour
March: Under Armour, a seller of fitness apparel, revealed that the firm's MyFitnessPal mobile app had been hacked, leading to the compromise of 150 million accounts. Usernames, email addresses, and hashed passwords were stolen, and while financial data was not affected, users were required to immediately change their passwords.
Aadhaar
March: Aadhaar, India's national ID database, contains the information of at least 1.1 billion Indian citizens. A data leak which originated from a state-owned utility company allowed anyone to download information belonging to all Aadhaar holders, including their private data and financial details.
Facebook, Cambridge Analytica
March: The Facebook -- Cambridge Analytica scandal was one of the largest this year with severe consequences that are still being felt by the companies and regulators alike.
In total, information belonging to up to 87 million users was improperly shared by a developer with Cambridge Analytica for the purpose of voter profiling. It has been suggested that this may have been used to spread propaganda and help elect US President Trump.
British Airways
April -- July: British Airways leaked data belonging to hundreds of thousands of customers who used a credit card to make reward bookings between April and July. The compromised information included names, billing addresses, email addresses, and payment information including card numbers, expiry dates, and CVV security codes.
The leak was uncovered following the Ticketmaster breach. It is believed the hack was the work of Magecart, which has also claimed victims including Newegg, Feedify, and broadcaster ABS-CBN.
Rail Europe
May: Rail Europe, a company which sells tickets for trips around the bloc, suffered a three-month-long data breach caused by credit-card skimming malware. Credit card numbers, expiration dates, and CVV card verification codes were all stolen during the covert campaign, and while the company did not reveal exactly how many customers were involved, Rail Europe accounted for five million customers last year.
TeenSafe
May: TeenSafe. a mobile app which touts itself as a "secure" monitoring app for iOS and Android aimed at parents, was responsible for two servers which were publicly exposed, leaking parental email addresses, child Apple IDs, device names, and device identifiers.
Dixons Carphone
June: Dixons Carphone uncovered a data breach which at first appeared small, despite going undetected for roughly a month. The company thought that 1.2 million customers had been affected but this number was later revised to 10 million. Personal and payment card information was stolen.
Ticketfly
June: Ticketfly pulled its website offline on the basis that the event seller believed there had been a cyberattack -- a premise which turned out to be correct. The company said that information had been leaked which belonged to roughly 27 million customer accounts and included names, email addresses, physical addresses, and phone numbers.
A hacker believed to be responsible attempted to blackmail Ticketfly a single Bitcoin to keep the data from spreading.
MyHeritage
June: In June, MyHeritage revealed the discovery of a file containing 92.2 million account records, including email addresses and scrambled passwords which was made public and published online. The data related to all user accounts up to and including to October 26, 2017, but the hack was not uncovered until much later.
Exactis
June: You would be forgiven for not knowing of Exactis, a marketing and data aggregation company, but the firm's name became somewhat well-known following a data breach which exposed 340 million records on a publicly accessible server.
Close to two terabytes of information were available in the public domain, including a range of data on US citizens and businesses.
SingHealth
July: Singapore suffered the "most serious" data breach in the country's history this year when healthcare institutions group SingHealth's networks were compromised.
In total, over 1.5 million healthcare patient records, including one belonging to Prime Minister Lee Hsien Loong, were stolen. Data including patient names, national identification numbers, addresses, genders, and dates of birth were compromised.
Hackers go old school
July, give or take a decade: Yale University disclosed a security breach which impacted 119,000 members of Yale, alumni, faculty members, and staff -- but the incident took place between 2008 and 2009. Names, Social Security numbers, physical addresses, and dates of birth were all exposed.
Timehop
July: Timehop, a past social media content display platform, revealed a security breach which exposed information in a database belonging to 21 million users. In total, 4.7 million phone numbers were breached, alongside usernames and email addresses.
Polar Flow
July: Polar Flow, a popular fitness application, contained a security flaw which permitted anyone to improperly query a developer API. It was later discovered that this security hole could be used to track military personnel who made use of the mobile app.
Student medical records
August: A data breach deemed "appalling" affected students at a Melbourne high school, in which their confidential medical and behavioral records were published online. Over 300 records were leaked, and in some cases, contained descriptions of medical conditions, medication, and learning difficulties.
Air Canada
August: Air Canada experienced a security problem with its mobile app, in which an unauthorized threat actor was able to compromise the system. As a result, information belonging to roughly 20,000 customers was exposed -- and this included passport numbers.
T-Mobile
August: T-Mobile detected unauthorized entry into the carrier's network, and although the intruder was quickly booted out, this was not before the attacker was able to access customer data. Roughly three percent of its 77 million customers -- or approximately 2 - 2.5 million customers -- were impacted, with information including customer names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types exposed.
Facebook's network breach
September: If dealing with the aftermath of Cambridge Analytica was not enough, a vulnerability in Facebook's code permitted attackers to steal authentication tokens. Information including names, contact details, cities, device types, places of work, and more was also stolen from some users.
Original estimates pegged the theft as impacting 50 million users, which were later revised to 30 million.
ISP, web traffic hijacks
October -- November: During these months, a spate of ISP and Internet infrastructure attacks emerged. Researchers claim that China has been hacking the backbone of the Western Internet for years, Cambodian ISPs were struck with some of the largest Distributed Denial-of-Service (DDoS) attacks in the country's history, Google traffic was hijacked by a small ISP in Nigeria, and Telegram traffic was attacked in Iran.
Canada Post
November: Information relating to roughly 4,500 customers of the Ontario Cannabis Store (OCS) was improperly shared and leaked, including the names or initials of nominated signatories, postcodes, dates of delivery, reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses.
While the breach was small, the sensitive subject matter -- and the recent decision to make recreational cannabis legal in Ontario, Canada -- made the incident stand out. It may now be legal, but that does not mean smokers would be happy with others knowing about their recreational use.
Amazon
November: As is often the case with the most well-known companies, if a security incident occurs, they will often give out information which is necessary -- but no more. Amazon followed this pattern, admitting that a "technical error" had exposed the names and email addresses of some customers, but did not go any further into detail.
Despite a lack of concrete information, when a company such as Amazon has a security lapse, it is certainly of note.
Google+
In late December, Google revealed a fresh bug in the Google+ API which had the potential to permit attackers to steal private data belonging to close to 52.5 million users. This discovery pushed the Google+ closure data forward from August to April 2019.
Read on: ZDNet