Skip to main content
IT World Canada
Howard Solomon | January 2, 2019

The cyber security record book has closed on 2018, and what a ghastly year it was.

It began with the acknowledgment of the Spectre/Meltdown vulnerabilities and ended with the revelation of an API vulnerability at Facebook and a huge breach at Marriott Hotels’ Starwood chain.

In between — and this is only a partial list of publicly-disclosed international issues — a database with some 340 million records belonging to U.S. marketing and data aggregation firm data broker Exactis was discovered open to anyone; Twitter urged all of its more than 330 million users to immediately change their passwords after a bug exposed them in plain text; 150 million users of the food and nutrition application MyFitnessPal were told their usernames, email addresses, and hashed passwords had been stolen; LocalBlox, a personal and business data search service, left a database exposed with 48 million records of detailed personal information on tens of millions of individuals and Ticketfly admitted names, addresses, email addresses and phone numbers connected to approximately 27 million accounts were accessed.

In Canada, more evidence that even stalwarts can be hit: Bell Canada acknowledged hackers accessed personal information of around 100,000 customers, and the Bank of Montreal and CIBC’s Simplii Financial were hacked. Meanwhile, a security researcher found an unprotected messaging server belonging to a fitness company called PumpUp left personal data exposed, one of several problems with those using the MQTT messaging protocol; another researcher discovered huge amounts of unencrypted personal data on Canadian and U.S. customers in servers and PCs for sale on Craigslist that once belonged to the bankrupt computer electronics chain NCIX; the company that oversees Ontario’s 407 toll highway began investigating an alleged insider theft of data involving 60,000 customers and ransomware stung the Ontario towns of Wasaga Beach and Midland, as well as the Quebec regional municipality of Mekina.

There isn’t enough space in this story to list the companies with clumsy staffers who in 2018 left corporate data exposed on Amazon S3 buckets.

There isn’t enough space in this story to discuss how social media was exploited in 2018 by foreign governments. (But here’s a link to a report on how it was done in the U.S. 2016 election.)