Cambridge Analytica was the scandal that started it all.
But the global data privacy crisis has taken on a life of its own, churning out an increasing number of victims every year, with each case more severe and far-reaching than the last.
We present to you this year’s seven worst data scandals, listed in order of the number of users affected:
Honourable mention: SingHealth – 1.5 million citizens + 1 Prime Minister
Compared to the rest of this list, 1.5 million users seems a trivial number – but hackers who broke into the systems of Singapore’s largest healthcare institution in July managed to make off with the patient records and medical prescriptions of the country’s Prime Minister, Lee Hsien Loong – whose data, authorities found, was “specifically and repeatedly targeted”.
Other information that was illegally accessed and copied included citizens’ names, identity numbers, addresses, gender, race and dates of birth.
#7: Facebook – 50 million users
Facebook admitted in April this year that “most” of its 2 billion users could have had their personal data scraped by “malicious actors”, thanks to a loophole in the site’s search function.
The search tool – which allows people to look up any user’s public profile information, like gender and birth date – was used to obtain details like names, hometowns and birth dates.
Then on September 25, Facebook confirmed that 50 million users had potentially been compromised by a bug in the site’s “View As” feature that let hackers steal access tokens which could be used to log in to people’s accounts.
In response, the social media giant reset a total of 90 million accounts and access tokens, and disabled the feature.
#6: Google+ – 52.5 million users
Google announced on Dec 10 that it was pulling down the shutters on Google+ by April 2019, after finding a second bug in the system that exposed user data including names, email addresses, occupations, and ages.
In October, a Wall Street Journal report found that Google had discovered an earlier software glitch exposing hundreds of thousands of users’ personal data – but did not inform the public.
Google said it has fixed the bug and will cut off API access to Google+ by January.
#5: Quora – 100 million users
The popular question and answer site said it discovered hackers had broken into the site on Nov 30 and stolen the data of up to 100 million users, including names, emails and encrypted passwords, the Verge reported.
IP addresses and users’ questions, answers, comments and direct messages could also have been accessed. Users who linked other social media sites to Quora could have had contacts or demographic information taken, Forbes added.
Quora sent affected users an email and made all users reset their passwords.
#4: MyFitnessPal (Under Armour) – 150 million users
In March this year, 150 million users of sports clothing brand Under Armour’s fitness app, MyFitnessPal, had their data hacked and stolen by an “unauthorised party”.
Usernames, email addresses and passwords were taken, but the hacker did not get payment details or driver’s license numbers, the company said.
It urged users to change their passwords after the breach occurred.
#3: Twitter – potentially 330 million users
No hacking happened in this case. Instead, an internal glitch discovered in May saw the passwords of an undisclosed number of Twitter users stored in readable text on an internal system, Reuters reported.
A person familiar with the situation told Reuters that the number of affected passwords was “substantial”, and that the passwords had been exposed for “several months”.
Most world leaders and major personalities have a Twitter account.
Twitter users’ private data has been hacked twice in the past, Reuters added. Twitter urged its over 330 million users to change their passwords after the glitch was discovered.
#2: Marriott Starwood Hotels – 500 million customers
About 367 million customers had personal information taken, possibly including their name, address, phone number, passport number and date of birth. Some even had credit card information stolen, which Marriott said it had encrypted – but warned that hackers might be able to decrypt.
The company said hackers managed to gain access to its guest reservation system in Sep 2014, and had been copying guest information since then. It is now investigating the breach.
#1: Aadhaar – 1.1 billion users
This year’s most serious data breach occurred in March, when news broke of a breach in India’s biometric ID program, Aadhaar.
The program, which is used by over 1.1 billion Indian citizens and run by a state-owned utility company, was hit with multiple security lapses, allowing outsiders easy access to citizens’ names, identity numbers and bank details, ZDNet reported.
Indian citizens’ ID numbers, which are unique 12-digit numbers, provide access to a range of personal data.
The Unique Identification Authority of India (UIDAI) denied claims that Aadhaar had been compromised, Reuters said. But in September, India’s Supreme Court struck down a government mandate for widespread Aadhaar use, with one judge saying it violated privacy rights, Reuters said in a separate report.
The court ruled that the program must provide an avenue of compensation for anyone whose data had been stolen due to UIDAI lapses.