The scariest security horror stories of 2018

A fishing hook rests on top of a stack of credit cards, while a padlock sits in the background out of focus

There's no such thing as a quiet year when it comes to security, but 2018 has been particularly eventful. From systemic CPU vulnerabilities to hacks affecting hundreds of millions of people, the last twelve months have been a seemingly non-stop parade of cyber gaffes and security blunders. Here's our pick of the year's biggest and most embarrassing security snafus.

Meltdown & Spectre

The hardware world was rocked at the start of the year by the discovery of a series of major vulnerabilities affecting virtually every Intel processor produced in the last twenty years, as well as AMD and ARM chips. The flaws allow for data exfiltration and snooping, making them a particular concern for businesses.

It's currently unknown whether or not Meltdown and Spectre are being exploited in the wild to target victims, but the widespread impact of the issues make it likely that it will play an ongoing role in future breaches as unpatched systems inevitably fall victim to Meltdown and Spectre-based exploits.

Google Plus unceremoniously axed

Google Plus, the company's oft-derided rival to the likes of Twitter and Facebook, met an early (although arguably not untimely) demise towards the end of the year, after Google discovered a massive data leak in the service's APIs that affected the personal data of up to 500,000 users.

To add insult to injury, a second security flaw was discovered earlier this month this time affecting more than 52 million users and forcing Google to shutter the platform four months earlier than it had originally intended to. An ignominious end for one of Google's least successful projects.

Marriott's unexpected Chinese visitors

Marriott hotel sign

The Marriott hotel chain found itself with some unexpected guests this year, after it discovered that hackers had been squatting on its network for at least four years. To be specific, it was the hotels in Marriott's Starwood Group which were affected, including prestigious chains like the Sheraton, Westin and W Hotels.

Hackers may have accessed the information of up to 500 million guests, including passport numbers, phone numbers and email addresses. According to investigators, the hack may haveeven been part of a Chinese espionage operation.

British Airways flies into trouble

British flag on airplane

Towards the end of this year, British Airways announced two separate hacks on their systems, resulting in a total of 565,000 customers having their data stolen, including payment data and personal information. Given the sensitive nature of the data handled by airlines, this breach was a particularly egregious one.

It was made all the more egregious by the possibility that BA itself may have inadvertently introduced the vulnerability that led to the hack. As Barry Collins revealed, BA's rush to address the complaints about its data gathering raised by security researcher Mustafa Al-Bassam may have accidentally led them to introduce a flawed script. Oops...

Equifax pays the piper

Equifax on phone

It's remarkable how quickly we all seem to have forgotten about Equifax, the company that let the personal data of 146 million users across the globe get stolen out from under its nose. Although US citizens were the worst affected, brits also fell victim to the breach, with some 15 million UK users affected.

Although the breach was disclosed last year, the company has only started to feel the full ramifications of its failing relatively recently. It was slapped with a top-level 500,000 fine by the ICO, and the US government pointed the finger of blame squarely at ex-CEO Richard Smith, claiming it was his aggressive expansion strategy that led to the breach in the first place.

Apple's blunder down under

Apple building

It's one thing to get hacked, but getting hacked by a bored Aussie teenager is something else entirely. That's the fate that befell Apple, after a Melbourne private schoolboy exfiltrated 90GB of secret data from the company's servers. A rather embarrassing gaffe for a company that prides itself on the security of its products.

This breach feels comfortably nostalgic, harking back to the teenage hackers of the 90s, rather than the Russian gangsters and state-funded cybercriminals that we're more familiar with today. The young hacker told courts that he hacked the company because he's such a big fan, and he stored all his custom-built intrusion tools in a folder labelled 'hacky hack hack'. That's faintly charming somehow.

Reddit? Hackedit.

Social media platform Reddit is no stranger to controversy, and it made headlines yet again this year after announcing that an attack on its SMS-based two-factor authentication system (which the company admitted was "not nearly as secure as we would hope") led to hackers making off with a huge cache of data from between 2005 and 2007.

The attackers gained access to among other things current email addresses, old salted and hashed passwords and internal Reddit data such as config files, logs, source code and more. A relatively minor breach as far as the impact on users goes, it was another setback for an embattled company that has weathered more than its share of storms.

Dixons Carphone phones in its security

Currys PC World Carphone Warehouse signage at building entrance

Dixons Carphone has had a rough year. The parent company behind Carphone Warehouse and Currys PC World has recently announced a 440 million loss, and back in June the company announced that it had been the victim of a breach which saw 10 million customers' records stolen.

Dixons Carphone should be bracing itself for another fine from the ICO at some point in the future; it was hit with a 400,000 fine in January this year for a breach that occured in 2015. That breach only affected three million people, though, and occured before the advent of GDPR. The fine for this year's incident could well be significantly higher.

Government's counter-terror Trello leak

It's commonly said that the only things that are certain in life are death and taxes, but there's a strong argument for adding 'government IT blunders' to that list. In one of the most embarrassing screw-ups of the year, the government accidentally leaked sensitive information via project management tool Trello.

In yet another case of a lack of authentication coming back to bite a forgetful admin, a Trello board including anti-terror tools, contact details for top civil servants and guides for accessing government buildings was left publicly accessible via Google search. An even more concerning detail is that this information may have been accessible for up to four years.

Zuckerberg gets egg on his Facebook

Between the Cambridge Analytica scandal, Russian information warfare and a series of painfully awkward congressional hearings, Facebook has finally started attracting the attention of lawmakers, and not in a good way. It seems the company has a slight problem with preventing exploitation of its platform, which was highlighted by the theft of 30 million users' access tokens a few months ago.

These tokens allowed attackers to access a range of personal information from victims' Facebook profiles, including contact details and, in some cases, location information and search history. Three million EU users were affected in the breach, so it's a virtual certainty that the company will have a rather hefty GDPR fine to deal with at some point.

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.