DATA BREACH REPORT

FROM THE EDITORS AT CYBERSECURITY VENTURES

Q2 2017

The Data Breach Report provides a quarterly diary of noteworthy data breaches and cyber-attacks to CIOs, CSOs, CISOs, IT security teams, and the media.

WHO’S HACKED

Ransomware attacks dominate the data breach scene during second quarter of 2017

John P. Mello, Jr.

Menlo Park, Calif. – Jun. 30, 2017

Global ransomware damage costs are predicted to exceed $5 billion in 2017, up from $325 million in 2015. That’s a staggering 15X increase in just 2 years, and the damages are expected to worsen. Ransomware attacks on healthcare organizations will quadruple by 2020.

Two staggering attacks affected organizations around the world. In May, the WannaCry program infected thousands of computers in more than 100 countries. It was followed in June by the GoldenEye/NotPetya malware that disrupted computing activity in at least 65 nations.

The scope of the ransomware problem was detailed by Verizon in its annual data breach report released in April, which found ransomware involved in 71 percent of the 40,000 data breaches they analyzed.

Also during the period one of the largest ransomware payoffs was made by Nayana, a web-hosting company in South Korea. It coughed up $1.1 million to digital extortionists after ransomware knocked out more than half of the company’s 300 servers and affected an estimated 3,400 websites it hosted.

Large data breaches also continued during the quarter. One of the largest was in India where 130 million holders of the country’s national identification card were told in May their ID numbers had been exposed on the public Internet since Nov. 2016. Another 77 million users of the education website Edmodo had their account information stolen when hackers broke into that site.

Meanwhile, 8tracks, an Internet radio service, told its users to change their passwords after reports appeared that a cache of credentials for 18 million users of the service was up for sale on the Dark Web. And Zomato, a restaurant search service, reset the stolen passwords of some 17 million users.

Lawyers were also busy during the period. Health insurer Anthem put a $115 million deal on the table to settle a data breach class action lawsuit against it. Retailer Target paid $18.5 million to settle a data breach lawsuit filed against it by 47 states. In addition, data breach litigation was settled against Neiman Marcus for $1.6 million and Kmart for $5.2 million.

Regulators were also busy. In June, it was reported that the UK’s Information Commissioner’s Office collected 65 percent more in fines in 2016 compared to 2015, to £3,245,500 from £2 million. In the United States, the federal Department of Health and Human Services collected $2.5 million for data breach infractions from CardioNet, a mobile heart monitoring technology company based in Malvern, Pa., and $400,000 from The Metro Community Provider Network in Denver.

Reports on the costs of data breaches were also released during the quarter. IBM Security found that the average cost of a data breach globally is $3.62 million, a 10 percent decrease from 2016. Meanwhile, CGI released an eye-opening analysis of 65 “severe” and “catastrophic” data breaches. It found that those kinds of breaches can cost a company 1.8 percent of its market value. For a typical FTSE 100 company, that would be a permanent loss of market capitalization of £120 million.

BREACH DIARY

June

Jun. 29. The UK’s Government Digital Service recommends users of its Data.Gov.UK website change their passwords after a database of usernames and email addresses was discovered on a system accessible to the public during a routine security review.

Jun. 28. Goldeneye ransomware spreads from Ukraine disrupting business and government computing activity in at least 65 nations. Businesses affected by the virus include Russian oil company Rosneft, shipping firm A.P. Moller-Maersk and pharmaceutical giant Merck.

Jun. 28. Nayana, a web-hosting company in South Korea, agrees to pay $1.1 million to unlock computers infected by hackers with ransomware. More than half of the company’s 300 servers were disabled by the attack that affected an estimated 3,400 websites.

Jun. 27. 8tracks, an Internet radio service, recommends its users change their passwords after reports appear that a cache of credentials for 18 million users of the service is up for sale on the Dark Web.

Jun. 27. Experian releases study that finds only nine percent of companies are prepared for the EU General Data Protection Regulation and that 59 percent of the 550 IT security and compliance professionals surveyed said their companies did not know how to comply with the GDPR.

Jun. 27. Anthony Murgio, 33, sentenced to five and a half years in prison for operating an illegal bitcoin exchange suspected of laundering money for hackers and linked to a data breach at JPMorgan Chase & Co.

Jun. 23. FBI’s Internet Complaint Center reports U.S. losses due to Internet crime in 2016 totaled $1.3 billion.

Jun. 23. Plaintiff’s legal team announces $115 million proposed settlement in class action lawsuit against health insurer Anthem stemming from data breach resulting in the theft of personal information of 7.8 million people.

Jun. 23. The Register reports 32 terabytes of data stolen from Microsoft was posted to the Internet, including internal builds of Windows and chunks of its source code.

Jun. 23. The Times of London reports that stolen email addresses and passwords of tens of thousands of government officials in the UK are being sold or bartered on Russian-speaking hacking sites.

Jun. 23. Airway Oxygen in Michigan notifies 500,000 people their personal health information is at risk due to unauthorized access to its infrastructure in April.

Jun. 23. Southern Illinois Healthcare reports that personal information of more than 600 patients is at risk after Experian Health, a third-party vendor, accidentally sent their data to the wrong medical facilities between Feb. 13 and March 13.

Jun. 23. CEO John Hutson of UK pub chain Wetherspoons announces it is deleting its database of customer email addresses to avoid the risk of it being hacked.

Jun. 22. U.S. District Judge Samuel Der-Yeghiayan preliminarily approves $1.6 million settlement of class action lawsuit against Neiman Marcus for data breach that occurred between July 16, 2013 and Jan. 10, 2014.

Jun. 22. Ward Solutions releases survey which includes finding that one in five Irish businesses has been hit with ransomware in the last 12 months.

Jun. 21. Scott Ables files class action lawsuit against Brooks Brothers Group over data breach that compromised payment data from customers who shopped at its stores between April 4, 2016 and March 1, 2017.

Jun. 21. Honda Motor Co. halts production at its vehicle making plant in Sayama for a day after discovering WannaCry ransomware on its computer network.

Jun. 21. Distil Networks releases study of 1,000 websites in retail, banking and consumer services which includes finding that 95 percent of sites can’t protect themselves against advanced persistent bot attacks.

Jun. 21. Atlantic Digestive Specialists notifies 94,195 customers their personal information is at risk after a ransomware attack on the systems of the group, which is composed of gastroenterologists with offices in Somersworth, Hampton and Portsmouth, N.H.

Jun. 21. Trustwave releases its 2017 Global Security report which includes finding that “dwell time” for hackers inside networks has declined year-over-year to 49 days in 2016 from 80.5 days in 2015.

Jun. 21. Dr. Emma Philpott, chief executive at the IASME Consortium, notifies vendors that their email addresses are at risk after a data breach at the UK’s Cyber Essentials scheme, which accredits companies bidding on government contracts that deal with the handling of “certain sensitive and personal information.”

Jun. 20. Juniper Research forecasts retailers will lose $71 billion globally over the next five years due to fraudulent Card-Not-Present transactions.

Jun. 20. IBM Security reports that the average cost of a data breach globally is $3.62 million, a 10 percent decrease from 2016.

Jun. 20. Minnesota State University Moorhead notifies about 800 faculty and staff and 8,000 students that personal information they’ve provided the institution is at risk after it was accessed by an unauthorized third-party.

Jun. 19. Torrance Memorial Medical Center in California notifies an undisclosed number of patients their personal information was compromised in a phishing attack on some of the hospital’s email accounts.

Jun. 16. The Buckle, a clothier with 450 stores in 44 states, alerts customers that their credit card information is at risk due to a compromise of its point-of-sale system between Oct. 28, 2016 and April 14, 2017. Company notes it believes the exposure of data that could be used to clone cards is limited due to the use of EMV technology at the stores.

Jun. 15. Sean Caffrey, 25, pleads guilty to hacking into the U.S. Department of Defense and stealing data from around 30,000 satellite phones.

Jun. 15. AllClear ID estimates that European banks could face fines totalling €4.7 billion during the first three years that the EU’s General Data Protection Regulation is in effect.

Jun. 15. New York Atty. Gen. Eric T. Schneiderman announces CoPilot Provider Support Services, a provider of support services to the health care industry, agrees to pay $130,000 in penalties for waiting over a year to notify affected persons of a data breach exposing 221,178 patient records.

Jun. 15. Washington State University alerts some one million people their personal information is at risk after the heist from university property of an 85-pound safe containing a hard drive with the information on it.

Jun. 14. Kaspersky Lab reports security incidents involving online banking services cost the affected institution an average of $1.75 million per incident.

Jun. 13. UK Information Commissioner’s Office fines Gloucester City Council £100,000 after sensitive personal data was compromised in an attack on its systems that exploited the Heartbleed vulnerability in OpenSSL.

Jun. 13. TD Bank finds that 91 percent of financial pros at 2017 NACHA Payments conference believe payment fraud will continue to grow over the next two to three years, a slight increase over the 89 percent that felt that way last year.

Jun. 13. U.S. District Court Judge Andrea R. Wood in Chicago dismisses lawsuit against Barnes & Noble arising from compromise of its PIN pads used to process payment card transactions at 63 of its stores. Court finds plaintiffs did not show sufficient injury to sustain a class action.

Jun. 12. Michelle Provost files putative class action lawsuit in Georgia federal court against Tempur Sealy International and Aptos for failing to appropriately safeguard customers’ personal information, which led to a February 2016 breach that compromised sensitive customer data.

Jun. 12. Fifteen Attorneys General clarify data breach notification laws in their states, declaring that notice is triggered whether or not CVV numbers are stolen in a breach.

Jun. 9. Mississippi’s Division of Medicaid notifies 5,220 people their personal health information is at risk due to the insecure transfer of the data from an online form to a designated staff member.

Jun. 9. Select Restaurants, a chain of eateries in the Cleveland area, announces security breach at third party vendor has placed at risk payment card information of customers who did business at some of the chain’s outlets between Oct. 26, 2016 and Feb. 3, 2017.

Jun. 8. CD Projekt Red, maker of the Witcher game series, rejects ransom demands of hackers who claim to have stolen files from the company, including those related to its much-anticipated game Cyberpunk 2077.

Jun. 8. BitSight reports that two months before the WannaCry ransomware epidemic, nearly 20 percent of the Windows computers it studied were running versions of that operating system no longer supported by Microsoft.

Jun. 8. GameStop notifies customers their name, address and credit card information is at risk due to a data breach at the site affecting purchases made from Aug. 10, 2016 to Feb. 9, 2017.

Jun. 5. Old Mutual, a prominent South African financial services firm, warns a “relatively small group” of customers their personal information is at risk after a breach of one of its computer systems.

Jun. 5. Victory Medical Center in Austin, Texas, states that demographic data of some 2,000 patients was leaked online after a data breach of its systems.

Jun. 5. Security researcher Aaron Guzman finds eight software vulnerabilities in a 2017 Subaru WRX STi that could be exploited by an attacker to lock and unlock doors, sound the horn, access a vehicle’s location history and control other behaviors.

Jun. 5. Healthcare Industry Cybersecurity Task Force releases report that includes recommendation that the U.S. Health and Human Services Department designate a single person to coordinate its cybersecurity initiatives with the health care industry.

Jun. 1. Dr. Zain Kadri’s plastic surgery clinic announces personal information of as many as 15,000 patients, including some celebrities, was stolen by a disgruntled employee who has posted some of the information on Snapchat, Instagram and Facebook.

May

May 31. OneLogin, an identity management service provider, alerts users that their data is at risk after an intruder uses one of the company’s Amazon Web Services encryption keys to access its AWS platform.

May 31. Gizmodo confirms a cache of more than 60,000 government files was exposed on a publicly accessible Amazon server for an unknown amount of time. Information in the files included passwords to a U.S. government system containing sensitive information, security credentials of a lead senior engineer at Booz Allen Hamilton and at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.

May 31. A hacking group called Tsar Team leaks thousands of patient photos from the Grozio Chirurgija cosmetic surgery clinic in Lithuania after clinic and patients refused to meet the group’s ransom demands.

May 31. University of Alaska sends letters to some 25,000 students, staff and faculty alerting them their personal information is at risk after hackers compromised several secured accounts through an email scam.

May 31. Kmart Stores, for the second time in three years, discovers malware on the credit card processing systems of some of its outlets.

May 31. Rep. Tom Graves, R-Ga., files bill allowing victims of cyberattacks to hack their attackers, as well as hack into other victims’ computers for “reconnaissance” purposes.

May 30. Ovum, a consulting company, releases survey finding 76 percent of Canadian companies expect data breach attempts to increase in the next 12 months but only 46 percent expect to spend more on cybersecurity during the period.

May 30. A survey of 187 marketing and advertising companies by YouGov and commissioned by Irwin Mitchell finds that 17 percent of the firms would go out of business if they had to pay the maximum penalty for violating the EU’s General Data Protection Regulation that takes effect in 2018.

May 26. Alcoa Community Federal Credit Union files class action lawsuit against the Chipotle restaurant chain over hacking of its point-of-sale system that compromised the payment cards of hundreds of thousands of customers.

May 26. Molina Healthcare, a major insurer in Medicaid and state exchanges across the country, shuts down its online patient portal after a vulnerability was discovered that exposed health records of 4.8 million customers in 12 states to the public Internet.

May 26. Chipotle Mexican Grill announces previously disclosed malware infection of its point of sale system affected nearly all the outlets in the national restaurant chain.

May 25. PNI Digital Media, which provides photo services to retailers such as Costco and CVS, reaches deal with consumers affected by a data breach of the company’s point of sale system. The deal provides up to $250 per customer for bank fees, long-distance telephone charges and other expenses, and up to $10,000 for “extraordinary expenses,” as well as $650,000 for attorneys’ fees and court costs.

May 25. Home Depot acknowledges that a spreadsheet containing personal data of some 8,000 people was exposed to the public Internet due to human error.

May 25. Sens. Maggie Hassan, D-N.H., and Rob Portman, R-Ohio, file legislation to establish a bug bounty program in the U.S. Department of Homeland Security.

May 25. UW Health in Wisconsin notifies 2,046 patients that their personal information is at risk after an employee’s email account, which contained files with patient information in them, was compromised by an intruder.

May 23. Florida Department of Agriculture and Consumer Services states personal information of more than 16,000 of the state’s concealed weapons permit owners is at risk after a breach of the agency’s website.

May 23. Target Corporation announces it will pay $18.5 million to 47 states and the District of Columbia to settle case against it stemming from 2013 data breach that compromised tens of millions of customer payment cards.

May 23. St. Luke’s-Roosevelt Hospital Center in New York City agrees to pay U.S. Department of Health and Human services $387,200 to settle potential violations of the federal Health Insurance Portability and Accountability Act.

May 22. DHR International reports that salaries for chief information security officers at top European companies have cracked €1 million and for small and medium companies they’re being paid a minimum of €200,000.

May 21. Global management consultancy Oliver Wyman predicts companies on the FTSE 100 could face up to £5 billion in fines if they don’t comply with the EU’s General Data Protection Regulation set to take effect next year.

May 19. In Chicago, U.S. District Court Judge John Lee approves $5.2 million settlement, including $1.7 million for plaintiff’s attorneys, of lawsuit by financial services companies against Kmart stemming from a data breach that affected about 8.1 million payment cards.

May 19. Twitter alerts users of Vine that their email addresses and in some cases phone numbers are at risk due to a software bug that was patched within 24 hours.

May 18. PureMatrimony.com, a Muslim dating website, advises some 100,000 members to reset their passwords due to an apparent data breach at a third-party website.

May 18. Restaurant search service Zomato resets some 17 million user passwords that it says were stolen when an employee’s development was compromised.

May 18. ZDnet reports font sharing site DaFont.com has been breached and its database of nearly 700,000 user accounts stolen by hackers.

May 17. Edmodo, an education website for parents, students and teachers, confirms data breach which resulted in theft of account information for 77 million users, including passwords that were salted and bcrypt-hashed.

May 18. Federal district court in California rules in lawsuit against credit protection and reporting company Experian that a forensic report requested by the firm’s lawyers is protected by attorney-client privilege and exempt from the legal discovery process.

May 17. Cybersecurity blogger Brian Krebs reports that a subsidiary of Equifax, one of the nation’s largest consumer data brokers and credit bureaus, was breached by hackers who stole W-2 tax data for an undisclosed number of customers.

May 16. France fines Facebook 150,000 euros for collecting information on users without their knowledge.

May 16. Crain’s New York Business reports protected health information of 3,500 patients at Coney Island NYC Health + Hospitals is at risk after it was accessed by a volunteer in the phlebotomy department without clearance to do so.

May 15. The UK’s Information Commissioner’s Office reports that data breach reports to the office increased 31.5 percent to 2,565 in 2017 from 1,950 in 2016.

May 15. Electronic signature technology provider DocuSign confirms a series of malware phishing attacks against its customers is connected to a data breach at one of its computer systems.

May 15. Bell Canada issues apology to its customers after nearly 1.9 million of their email addresses and 1,700 names and phone numbers were compromised in a data breach and extortion scheme.

May 15. University of New Mexico Foundation notifies some 23,000 donors, annuitants, foundation employees and vendors that their personal information is at risk due to a computer server breach discovered April 17.

May 15. United Airlines confirms that codes to gain access to the cockpits in its aircraft may have been posted to the Internet. A spokesperson for United says it is working on resolving the issue.

May 12. WannaCry, a ransomware program based on software stolen from the NSA, infects thousands of computers in more than 100 countries, forces the UK’s health care system to turn away patients and disables computers in Russia’s Interior Ministry.

May 12. Brooks Brothers announces a compromise of its point of sale system that could affect the payment card information of some customers who shopped at some of its stores between April 4, 2016 and March 1, 2017.

May 9. FICO Asia-Pacific releases survey finding three out of four senior fraud managers said they would stop working with a partner that failed a cybersecurity audit.

May 8. Risk modelling firm RMS forecasts that if all U.S. businesses had cyber insurance, more than $5 billion in data breach losses would be covered every year.

May 5. Retailer Debenhams says the personal data of 26,000 customers of its Flowers website may have been stolen by hackers who breached a third-party e-commerce company, Ecomnova.

May 5. Tufts University Executive Vice President Patricia Campbell and Senior Vice President for University Relations Mary Jeka announce sensitive financial information about the Massachusetts school’s department budgets and staff and faculty salaries was posted to a public website by a group calling itself TuftsLeaks.

May 5. Ontario government confirms personal information of thousands of citizens is at risk due to a printing mistake on health care renewal forms mailed to residents of the province.

May 5. Angela Lynn Martin files class action lawsuit in a federal district court in Florida against Scottrade over data breach that compromised the personal information of 4.6 million people from September 2014 to February 2014.

May 3. Google says it stopped within an hour an email spam campaign impersonating Google Docs which affected less than a tenth of a percent of Gmail users.

May 3. Bitglass releases annual health care data breach report which shows a year-over-year increase in breaches to 328 in 2016 from 268 in 2015, but a decline, for the second year in a row, in records exposed to 16.6 million.

May 3. O2-Telefonica in Germany confirms that some of its customers have had their bank accounts cleaned out by thieves who intercepted the customers’ two-factor authentication codes by hacking the SS7 protocol used by mobile phone networks.

May 3. Bernard Ogie Oretekor, 46, sentenced to seven years and one month in prison and ordered to pay $1.97 million in restitution to the Internal Revenue Service and another $910,000 to four people and two companies for wire fraud, money laundering and identity theft. The Nigerian man used phishing emails to obtain information about his victims that he used to drain money from their bank accounts and collect refunds from bogus tax returns.

May 2. Travel giant Sabre Corp. reports to SEC that company is investigating an incident of unauthorized access to payment information contained in a reservation system that serves more than 32,000 hotels and lodging establishments.

May 2. Fitchburg, Mass., City Solicitor Vincent Pusateri says 1,800 people have been notified their Social Security numbers are at risk after they were posted to the Internet three and a half years ago. The posting was either the result of a hack or the data was accidentally removed from an employee’s hard drive. The data was encrypted, but the encryption key was also posted to the Net.

May 2. Newspaper publisher Gannett warns some 18,000 current and former employees their personal information is at risk after email accounts in its human resource department were compromised by hackers.

May 2. U.S. Appeals Court in New York City affirms lower court ruling that dismissed class action lawsuit against Michaels Stores because plaintiff failed to show any injury from data breach at the retailer.

May 1. Federal district court judge in St. Louis dismisses for second time litigation against Schnuck Markets filed by financial institutions which allege negligence and breach of implied contract by the supermarket chain during data breaches it suffered in 2012 and 2013.

May 1. The Centre for Internet & Society in India reports that sensitive data for almost 130 million Aadhaar cardholders has been exposed to the public Internet since Nov. 2016. Aadhaar is a 12-digit number issued to all residents of India based on biometric and demographic data.

April

Apr. 30. The Gleaner in Jamaica reports information on more than 14,000 of the island’s high school students hosted on a database in the United States has been encrypted with ransomware by hackers who are demanding $5,000 to descramble the data.

Apr. 29. Hindustan Times reports a programming error at a website operated by the Directorate of Social Security for the Indian state of Jharkhand has exposed personal information of 1.6 million pensioners to the public Internet.

Apr. 28. The hacker group known as The Dark Overlord Solutions posts to Pastebin links to stolen copies of an upcoming episode of Orange Is the New Black after Netflix refused to meet the gang’s ransom demands.

Apr. 28. Home Depot agrees to change its cybersecurity governance policies and pay $1 million in attorneys’ fees to settle shareholders’ lawsuit related to a massive payment card data breach in 2014.

Apr. 28. Diamond Institute for Infertility and Menopause in New Jersey advises some 14,000 patients that their personal health information is at risk due to someone gaining unauthorized access to a third-party server hosting the data.

Apr. 28. Greenwood County School District 50 in South Carolina sends letters to some 3,300 current and former employees alerting them their personal information is at risk after an unauthorized user breached four employee email accounts that contained tax and benefit plan information.

Apr. 28. Kromtech Security Researchers discover personal information on at least 500,000 customers of Alliance Direct Lending Corporation was exposed to the public Internet for an unknown amount of time.

Apr. 28. Eddie Bauer argues in a federal court in Washington for dismissal of a proposed class action lawsuit by a credit union due to insufficient facts to support the financial institution’s claim that 2016 data breach at the retailer was due to negligence.

Apr. 28. Australian Federal Police confirms it unlawfully accessed a journalist’s phone records without a warrant.

Apr. 28. IBM X-Force releases report finding financial services sector attacked by cyber criminals 65 percent more than any other industry, resulting in the breach of more than 200 million records in 2016, a 937 percent increase over the previous year.

Apr. 28. Trinity College sends letter to people who have contributed to the Trinity Foundation over the past decade that their personal information may have been compromised in a phishing attack.

Apr. 28. Stuart Colianni uploads to the research site Kaggle 40,000 profile photos scraped from Tinder without authorization to create a data set for facial recognition research.

Apr. 28. Paratransit Services, a provider of non-emergency medical and public transportation services in Washington, Oregon and California notifies everyone who worked for the company in 2016 that their personal tax information is at risk after their W-2 tax forms for the year were emailed to a phishing scammer.

Apr. 27. Verizon releases its annual data breach report which finds that ransomware was involved in 71 percent of the more than 40,000 incidents analyzed in the report.

Apr. 27. Matthew Hanley, 22, and Connor Douglas Allsopp, 20, plead guilty to crimes connected to the theft of 150,000 customer records from broadband service provider Talk Talk in 2015.

Apr. 27. Security researcher Chris Vickery reports AMP, a provider of online platforms for futures trading, exposed on the Internet details of its financial operations and private information of more than 10,000 account applicants due to a misconfigured backup device managed by a third-party IT vendor.

Apr. 27. Thales Data Threat Report finds 34 percent of U.S. government respondents have experienced a data breach in the last year and 96 percent of them consider themselves “vulnerable.”

Apr. 26. Employees of Tipton County school system in Tennessee file $19 million federal class action lawsuit against board of education for falling for a phishing scam that resulted in the theft of the workers’ tax information.

Apr. 26. Symantec releases Internet Security Threat Report which reveals that the average ransom demanded by ransomware extortionists increased 266 percent, to $1,077 in 2016 from $294 in 2015.

Apr. 26. Accenture releases survey which included finding that one in eight UK consumers have had their personal medical information stolen from technology systems.

Apr. 26. Kromtech security researchers report 88 megabytes of spreadsheet documents apparently belonging to Alliance Direct Lending Corp. and containing information on hundreds of auto dealerships in the United States and as many as one million customer details was exposed to the public Internet for an unknown length of time due to a misconfigured AWS S3 bucket.

Apr. 26. Motherboard reports customer data from Ciphr, a provider of secure mobile phones, has been dumped on the public Internet. “All Ciphr emails/servers have been compromised,” the website hosting the purloined data claims.

Apr. 25. LeakBase, a for-profit breach notification service, says it has obtained from a hacker more than five million records belonging to customers of R2 Games, which also had 22 million accounts compromised in December 2015.

Apr. 25. Chipotle tells investors during an earnings conference call that it’s investigating some unauthorized activity on a network that supports payment processing for purchases made at its chain of burrito restaurants.

Apr. 25. Blowout Cards, a website devoted to buying, selling and trading sports and other kinds of cards, warns its customers their payment card information is at risk due to a data breach at the site.

Apr. 25. Thales and 451 Research release report finding 78 percent of Mexican organizations and 75 percent of Brazilian organizations have experienced a data breach.

Apr. 25. Behavioral Health Center in Bangor, Maine says more than 4,000 clients had their personal information stolen in a data breach in March.

Apr. 24. Experian asks California federal court judge to deny motion by T-Mobile customers in class action lawsuit to release a report prepared by information security firm Mandiant related to a data breach that exposed the personal information of 15 million consumers.

Apr. 24. HipChat notifies all account holders that it has reset their passwords after its security team discovered an incident affecting one of its servers and attributed to a vulnerability in a third-party library.

Apr. 24. CardioNet, a mobile heart monitoring technology company based in Malvern, Pa., agrees to pay $2.5 million to U.S. Department of Health and Human Services to settle case arising from the theft of a laptop containing unencrypted patient data.

Apr. 24. Western Health Screening, an onsite blood screening provider in Billings, Mont. alerts an undisclosed number of participants in a health fair from 2008 and 2012 that their demographic data is at risk due to the theft of an unencrypted flash drive.

Apr. 24. Booz Allen reports customer information has been compromised at dozens of car washes in the United States that use the payment infrastructure of DRB Systems.

Apr. 22. Lifespan, Rhode Island’s largest health care network, notifies some 20,000 patients their health information is at risk after a laptop containing it was stolen from an employee’s car.

Apr. 22. Bitcoin exchange Yapizon announces four of its hot wallets were compromised by hackers and bitcoins worth $5.3 million stolen.

Apr. 21. Security researchers Tao Sauvage and Antide Petit report they’ve found 10 noteworthy vulnerabilities in 20 models of Linksys routers that could allow an attacker to overload the routers and prevent Internet access for their users.

Apr. 21. Federal District Court judge in Seattle sentences Roman Valerevich, 32, to 27 years in prison for running a vast credit card fraud and identity theft operation from his homes in Indonesia and Russia.

Apr. 21. Survey by Dimensional Research, sponsored by Check Point Software, finds 64 percent of security professionals doubt their organizations can prevent a breach of their employees’ mobile devices.

Apr. 21. Iowa Veterans Home in Marshalltown, Iowa, warns nearly 3,000 current and former residents that their medical and financial information is at risk after three employees had their network credentials compromised in a phishing scam.

Apr. 21. UK’s National Crimes Agency reports that the availability of free and easy-to-use hacking tools is attracting more and more young people into cybercrime.

Apr. 20. University of California reveals a group of fraudsters bilked the school of $12 million by writing prescriptions using information scammed from students lured to phony clinical trials through Facebook ads.

Apr. 20. Vigilante.pw, a data breach recorder, reports more than 2.4 million user accounts were stolen in 2016 from fashion gaming website and social network Fashion Fantasy Game.

Apr. 20. Dell End-User Security Survey finds that 46 percent of employees use public Wi-Fi networks to access confidential information and 49 percent use personal email accounts for work.

Apr. 20. Mastercard announces a new kind of payment card with a fingerprint sensor to authenticate transactions.

Apr. 20. Outdoor clothing retailer Eddie Bauer declares it will fight class action lawsuit filed in a federal district in Seattle by Veridian Credit Union over a data breach that occurred between January and July 2016.

Apr. 20. ServiceNow releases results of survey of 300 CISOs that finds 81 percent of them believe data breaches in their company are going unaddressed and 78 percent said they were concerned they didn’t have the capability to detect a data breach.

Apr. 20. Center for Children’s Digestive Health in Illinois agrees to pay $31,000 to U.S. Department of Health and Human Services for storing protected health information with a third party service provider without a Business Associate Agreement.

Apr. 19. MacKeeper Security Research Center reports Schoolzilla, a student data warehousing platform, exposed private data for 1.3 million students on the Internet when it misconfigured its cloud storage, an Amazon S3 bucket.

Apr. 19. Oracle patches 299 vulnerabilities in most of the company’s product families including Oracle Database Server, Fusion Middleware, Enterprise Manager Base platform, PeopleSoft Enterprise and Java.

Apr. 19. Metropolitan Police says it will investigate how a mail marketing agency obtained the addresses of 30,000 gun owners in the UK that were in a database maintained by the agency.

Apr. 19. Ipsos Mori releases survey that finds 2.5 million UK businesses suffered a digital attack last year.

Apr. 17. InterContinental Hotels Group releases data that reveals point-of-sale malware attack announced in February affected more than 1,000 of its properties, not 12 as originally estimated.

Apr. 13. Protenus reports that in March there were 39 health care data breaches affecting more than 1.5 million patient records, more than the two previous months combined.

Apr. 13. KnowBe4 releases list of top-clicked topics in phishing emails for the first quarter. At the top of the list was “UPS Label Delivery,” followed by email account updates, “full inbox” and “delivery attempt was made.”

Apr. 13. The Metro Community Provider Network in Denver agrees to pay $400,000 to settle case against it by the U.S. Department of Health and Human Services Office for Civil Rights stemming from a data breach at the organization in 2011.

Apr. 13. California Federal District Court Judge Vince Chhabria rejects motion to dismiss class action lawsuit against the Kimpton Hotel and Restaurant Group over a data breach that resulted in the compromise of payment cards used at the chain from Feb. 16 to Jul. 7, 2016. Kimpton argued the case should be dismissed because no harm was suffered by the plaintiffs.

Apr. 12. Canadian court denies bail for Karim Baratov, 22, an immigrant from Kazakhstan, who is awaiting extradition to the United States for allegedly participating in Yahoo data breaches that compromised 500 million user accounts.

Apr. 12. CGI releases an analysis of 65 “severe” and “catastrophic” data breaches and finds they can cost a company 1.8 percent of its value or for a typical FTSE 100 company, a permanent loss of market capitalization of £120 million.

Apr. 12. AQA, an independent education charity and the largest provider of academic qualifications taught in UK schools and colleges, says personal information for 64,000 current and former examiners was stolen by hackers who breached some of the organization’s online systems.

Apr. 12. Irish Data Commissioner Helen Dixon says her office is preparing a report on the Yahoo data breach that resulted in the theft of data on 500 million accounts, and it will impose remedial action if necessary.

Apr. 11. Irish Office of the Data Protection Commissioner reports it received 2,224 data breach notifications in 2016, a four percent decrease from 2015 when 2,317 breaches were reported.

Apr. 11. Irish Data Protection Commissioner’s office announces it has finalized preparations for an investigation into the processing of patient data in the country’s hospitals.

Apr. 11. Mailguard, an antivirus software maker, warns Australian businesses to beware of false invoices that appear to be from the popular accounting software MYOB and contain a bogus invoice button leading to a booby-trapped website.

Apr. 10. The Wall Street Journal reports tens of thousands of dollars have been stolen from third-party sellers on Amazon by hackers who are using stolen credentials to compromise the sellers’ accounts.

Apr. 9. Payday loan firm Wonga says it is investigating a data breach that could affect as many as 245,000 customers in the UK.

Apr. 7. Twitter drops lawsuit against U.S. government after U.S. Customs and Border Protection withdraws summons demanding identity of people behind a Twitter account critical of President Donald J. Trump.

Apr. 7. Gamestop confirms it has been notified by a credit card processor that credit card data from its website is being sold on the Internet. It advises customers to monitor their credit cards for unauthorized charges while it investigates the potential data breach.

Apr. 7. Personal health information of 918,000 people is at risk after a backup database belonging to HealthNow Networks, a Florida telemarketer, was posted without access controls to the Internet.

Apr. 6. U.S. Government Accounting Office recommends Congress authorize agencies to determine the appropriate level of identity theft insurance for persons affected by data breaches. Currently coverage amounts are fixed by law.

Apr. 6. Internal Revenue Service tells U.S. Senate Finance Committee that as many as 100,000 taxpayers could have been compromised and $30 million stolen in a scam where hackers posed as students using a data retrieval tool used to prepare applications for financial aid.

Apr. 6. New Mexico Gov. Susana Martinez signs into law a bill requiring anyone owning or licensing the personal data of any resident of the state to notify them if their data is affected by a breach.

Apr. 5. Scottrade announces Genpact, a third-party vendor, uploaded to an insecure server a data set containing commercial loan information for 20,000 people and businesses, and that the two were investigating to what extent the data may have been compromised.

Apr. 5. UK Information Commissioner’s Office fines 11 charities £138,000 for misusing information about millions of past donors to seek further funds for future projects.

Apr. 5. Quest Diagnostics argues in a New Jersey federal court that a putative class action lawsuit stemming from a data breach at the company affecting some 34,000 people should be dismissed because the incident did not increase the lead plaintiff’s risk of identity theft since the stolen material was already publicly available.

Apr. 4. MacKeeper researcher Chris Vickery reports that an online data repository used by the state of North Carolina was left exposed to public Internet for an unknown amount of time.

Apr. 4. Bitglass reports that one in three organizations have been hacked more than five times in the last 12 months and that 87 percent of them were victims of at least one cyberattack.

Apr. 4. Tennessee Governor Bill Haslam signs into law amendments to state’s data breach law clarifying when the 45 day notice requirement is triggered and adding technical requirements for its encryption exemption.

Apr. 3. International Association of Athletics Federations announces a data breach it believes was perpetrated by Fancy Bear, the group of Russian hackers who meddled with the 2016 U.S. presidential election, but can’t confirm if any data was stolen in the attack.

Apr. 3. Online edition of JAMA Internal Medicine publishes study finding that larger hospitals and those with a major teaching mission are more likely to suffer a data breach than smaller hospitals without a teaching mission.

Apr. 3. Reservation Center, an online travel agency, files lawsuit in federal district court in Ohio against Expedia for allegedly stealing data from RC and selling it to its competitors.

Apr. 3. Vancouver police arrest man believed to have broken into PharmaNet, a centralized system for pharmacies in the Canadian province of British Columbia, and used patient information for fraudulent purposes.

Stay tuned for the Q3 2017 edition of the Data Breach Report.

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.


Q1 2017


WHO’S HACKED

McDonald’s, Arby’s headline data breaches during first quarter of year

John P. Mello, Jr.

Menlo Park, Calif. – Mar. 31, 2017

Fast food chains Arby’s and McDonald’s Canada were among the prominent brands hit by data breaches during the first three months of 2017. Another eatery chain, Wendy’s, was the target of a lawsuit stemming from a data breach at that chain, as was clothing retailer Eddie Bauer.

Some other companies paid the price of having their data compromised. Neiman Marcus settled a data breach lawsuit for $1.6 million and Home Depot settled one for $25 million.

Among the largest breaches during the period was the compromise of the voting records of 55 million Filipinos, the leak of 33.7 million email addresses from Dun & Bradstreet and news that six million accounts were hacked at South African cinema company Ster-Kinekor. One of the most controversial leaks during the period was WikiLeaks publishing of a large cache of documents stolen from the CIA.

Meanwhile, IBM reported that four billion records were exposed worldwide in 2016, more than the previous two years combined.

BREACH DIARY

March

Mar. 31. McDonald’s Canada discloses that a data breach at its website for job applicants resulted in the theft of personal information for some 95,000 people.

Mar. 31. The UK’s Independent Parliamentary Standards Authority accidentally exposed for four hours on the Internet confidential personal information, including salaries, for about 3,000 staff members of parliament.

Mar. 30. Government Accountability Office finds that U.S. Office of Personnel Management overpaid for identity theft insurance for the more than 20 million current and former federal employees who had sensitive information about them stolen in a data breach at the agency.

Mar. 30. IBM releases its X-Force Threat Intelligence Index for 2017 finding that in 2016, four billion records were leaked worldwide — more than the two previous years combined.

Mar. 28. Hong Kong’s Registration and Electoral Office reports the personal information of 3.7 million voters is at risk after two laptops containing the data were stolen from a room at the AsiaWorld-Expo on Lantau.

Mar. 28. Maxim Senakh of Novgorod, Russia, pleads guilty in U.S. federal court to participating in a botnet scheme based on stolen OpenSSH credentials that raked in millions of dollars worldwide from click-fraud and spam campaigns.

Mar. 28. Associated Press reports lawsuits have been filed by eight credit unions in seven states against Arby’s for losses attributed to a data breach that occurred when the fast food chain’s point-of-sale system was compromised.

Mar. 27. St. Paul Fire & Marine files lawsuit to avoid paying more than $2.4 million in damages resulting from data breach at Rosen Hotels & Resorts last year.

Mar. 27. The U.S. Treasury Inspector General for Tax Administration reports the IRS failed to deactivate its Identity Protection Personal Identification Number program after a data breach in May 2015 despite repeated recommendations by the TIGTA to do so.

Mar. 22. Urology Austin in Texas announces a ransomware attack on its computer network has potentially exposed patient information for 279,663 people.

Mar. 22. America’s Joblink, which connects job seekers with employers in 10 states, reports a data breach has placed at risk the personal information of millions of people stored on the service’s servers.

Mar. 21. New York Attorney General Eric T. Schneiderman reports his office received notice of 1,300 data breaches in the state in 2016, a 60 percent increase over the previous year.

Mar. 20. Protenus Breach Barometer reports 31 healthcare data breaches occurred in February affecting 206,151 patient records.

Mar. 20. BuzzFeed News reports that personal information of tens of thousands of Saks Fifth Avenue’s customers is at risk because it was exposed at the company’s online shopping site.

Mar. 17. Neiman Marcus agrees to pay $1.6 million to settle lawsuit over 2013 data breach in which the credit card data of 350,000 shoppers was compromised.

Mar. 16. The Association of British Travel Agents announces account information for as many as 43,000 people is at risk due to a data breach at a third-party provider hosting its data.

Mar. 15. U.S. Justice Department indicts for hacking half a billion Yahoo accounts Russian Federal Security Service agents Dmitry Dokuchaev and Igor Sushchin and two co-conspirators, Alexsey Belan and Karim Baratov.

Mar. 15. Wishbone, a polling app popular among teens, says its API has been hacked and more than two million email addresses compromised.

Mar. 15. Troy Hunt posts to his data breach notification site Have I Been Pwned a database leaked from Dun & Bradstreet containing 33.7 million unique email addresses and other information on employees in thousands of companies.

Mar. 14. Three, a UK telecom provider, announces 76,373 more customers than originally reported were affected by a data breach last year which allowed intruders to gain access to a database in the company’s computer system.

Mar. 13. Virginia amends its data breach notification law to include tax phishing scams.

Mar. 13. Security website Haveibeenpwned.com alerts six million users of South African cinema company Ster-Kinekor that their accounts were compromised in a 2016 data breach.

Mar. 12. MacKeeper security researchers report they’ve discovered a misconfigured device connected to the Internet belonging to a U.S. Air Force officer that has exposed sensitive information to the public, including a spreadsheet with details about ongoing investigations by the service.

Mar. 10. The U.S. departments of Internal Revenue and Education shut off a tool used by students to apply for college financial assistance due to concerns about a potential security breach.

Mar. 9. Home Depot agrees to pay $25 million to settle a lawsuit brought by financial institutions over the 2014 data breach at the “big box” hardware store.

Mar. 9. St. Louis furniture retailer Weekends Only says Aptos, the company that hosts its online store, has suffered a data breach potentially affecting the credit card information of 8,000 customers.

Mar. 9. Veridian Credit Union sues clothing retailer Eddie Bauer over data breach that compromised its point-of-sale system.

Mar. 9. Brad Maiorino, who was hired by Target in 2014 after it experienced a massive data breach in which information on more than 40 million payment cards was stolen, leaves retailer for job at Booz Allen Hamilton.

Mar. 8. Verifone, the largest payment terminal company in the United States, says data breach of its systems affected some two dozen American gas station convenience stores over a short period of time.

Mar. 8. BitSight, a security ratings company, reports that Fortune 1000 businesses are more prone to cyberattacks than firms that do not make the list.

Mar. 7. WikiLeaks posts online thousands of documents it says were leaked from the U.S. Central Intelligence Agency, including information on tools used by the spies to hack computers and mobile phones.

Mar. 7. Brand New Day, a Medicare-approved health plan in California, notifies 14,005 patients their electronic personal health information is at risk from a data breach at a third-party provider.

Mar. 7. CyberEdge Group releases survey of 1,100 IT decision makers in 15 countries that finds 79 percent of organizations were affected by a successful cyberattack and 61 percent were infected with ransomware, although only 33 percent paid the ransom.

Mar. 6. Security researcher Chris Vickery reports that a failure by River City Media to safeguard its database of 1.34 million email accounts left the data exposed for public view on the Internet.

Mar. 3. Shareholders Foundation announces investor lawsuit has been filed in California against Yahoo for alleged false and misleading statements about data security at the company and a data breach in which personal user data was stolen from at least 500 million accounts.

Mar. 3. Emory Healthcare in Atlanta reports a database containing appointment information for about 80,000 patients was deleted by an intruder who demanded a ransom to restore it.

Mar. 3. Purdys Chocolatier of Vancouver, British Columbia, Canada, says the private information of some 12,000 Canadian and 1,500 U.S. buyers has been compromised by a data breach at Aptos, an Internet service provider to the company.

Mar. 1. Yahoo board of directors report senior executives failed to “properly comprehend or investigate” 2014 data breach affecting 500 million accounts and decide not to award CEO Marissa Mayer her cash bonus for 2016.

Mar. 1. Autoneum North America, headquartered in Farmington Hills, Mich., announces tax information for 2,400 workers was stolen in a phishing scam.

February

Feb. 28. UK Information Commissioner’s Office fines health company HCA International £200,000 for violating the country’s Data Protection Act by storing medical data on an unsecure server.

Feb. 28. Redmond, Wash., School District says tax information for 1,000 current and former employees was stolen when it was emailed to a thief posing as the superintendent of the district.

Feb. 28. Trend Micro reports that the number of new ransomware families in 2016 jumped 752 percent, to more than 20 from less than five in 2015.

Feb. 28. Goldenvoice warns users of Coachella.com to be on alert for spam emails from people impersonating Coachella personnel after a data breach at the website for music fans.

Feb. 24. Cellebrite, a mobile forensics company based in Israel, announces it has found a means to unlock and extract the full file system from any iPhone 6 or 6 Plus.

Feb. 24. Financial institutions file proposed class action lawsuit against fast food sandwich chain Arby’s for failing to adequately protect its point-of-sale system from hackers, which resulted in the institutions reissuing potentially millions of new payment cards.

Feb. 24. MacKeeper security researchers discover a leaky data set on the computer systems at Stewart International Airport in New York that’s exposed to the public Internet 760 gigabytes of sensitive information including employee Social Security numbers and network passwords.

Feb. 23. Food store chain Ellwood Thompson’s Local Market based in Richmond, Va., alerts 360 former and current employees their W-2 tax information is at risk after it was emailed to someone posing as the founder of the company.

Feb. 23. Cloudflare says system error exposed some sensitive data on its servers to the Internet, which was subsequently cached by search engines crawling the Net; however, system problem has been fixed and cache material scrubbed.

Feb. 22. Meridian Health Services of Indiana announces W-2 tax information of some 1,200 current and former employees has been compromised by a phishing scam.

Feb. 21. Yahoo and Verizon announce new terms for the sale of Yahoo to Verizon at $4.48 billion, $350 million less than originally offered, a reduction attributed to two massive data breaches at Yahoo last year.

Feb. 21. Shareholders Foundation in San Diego announces an investor lawsuit has been filed against Wendy’s board of directors in connection with a point-of-sale data breach that affected some of the fast food firm’s franchises in 2015 and 2016.

Feb. 21. Business Continuity Institute and British Standards Institute release survey of more than 700 organizations in 79 countries finding that nearly nine out of 10 businesses (88 percent) worldwide are worried about the threat of cyberattacks.

Feb. 21. Louisiana Department of Insurance says personal information of an estimated 8,000 former members of the failed Louisiana Health Cooperative is at risk after a data breach at the co-op’s reinsurance broker.

Feb. 20. Accenture releases survey finding more than one in four (26 percent) Americans have had their personal medical information stolen from a technology system and that half those victims suffered medical identity theft, which cost them, on average, $2,500 in out-of-pocket expenses.

Feb. 20. Nursing home chain American Senior Communities in Indiana states W-2 tax information of more than 17,000 employees has been compromised in a phishing scam.

Feb. 18. Family Services of Rochester (Minn.) says an investigation is underway of a data breach that has compromised the personal information of an unspecified number of clients.

Feb. 17. Memorial Health Care System, an operator of six hospitals in South Florida, agrees to pay the U.S. Department of Health and Human Services $5.5 million to settle a case involving the theft of patient information by two employees.

Feb. 17. A survey of 250 IT pros by iSense Solutions for Bitdefender finds 34 percent of companies have suffered a data breach in the last year and of those companies breached, 74 percent don’t know how it happened.

Feb. 16. New York Department of Financial Services releases “first in nation” cybersecurity regulations for the financial services industry.

Feb. 16. The Philippines’ Commission on Elections confirms a laptop containing personal information, including biometrics, of 55 million voters was stolen from the election office of Wao, Lanao del Sur.

Feb. 16. British Columbia Premier Christy Clark announces an investigation is underway into a data breach of the province’s PharmaNet system that compromised medical information of some 7,500 people.

Feb. 16. Memorial Health Care System in Florida pays $5.5 million to settle potential violations of federal privacy and security rules after reporting the personal health information of 115,143 people was impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff.

Feb. 15. Yahoo warns its users that forged cookies were used to log into some of their accounts in 2015 or 2016 without the use of passwords.

Feb. 15. U.S. Bureau of Indian Affairs says personal data of more than 20,000 members of two Montana American Indian tribes is at risk after an external hard drive was stolen from a law enforcement vehicle in Big Horn County.

Feb. 15. Texas Department of Transportation confirms breach of an automated administration system which may have left some employee data altered and compromised.

Feb. 15. Redspin releases annual data breach report revealing hacking attacks on healthcare providers increased 320 percent in 2016.

Feb. 15. World Trademark Review reports that more than 100,000 websites have been hacked and defaced following the release of WordPress 4.7.2, which contained a fix for a critical vulnerability.

Feb. 15. Charter Oak Fire Insurance Company and Travelers Property Casualty Co. of America ask federal court in Florida to reject a claim by 21st Century Oncology that data breach losses are covered by the publication-of-confidential-information clause in its existing insurance policy.

Feb. 15. Horizon Healthcare Services of New Jersey agrees to pay the state $1.1 million to settle a case involving the theft of two laptops that allegedly compromised the personal information of 690,000 policyholders.

Feb. 14. Verizon releases its 2017 data breach digest finding that the effects of breaches are spreading to even more parts of an enterprise and causing more problems outside of IT.

Feb. 11. NBC News reports data breach at PIP, a printing chain with more than 400 outlets in 13 countries, has exposed thousands of sensitive documents from labor filings for NFL players to lawsuits against Hollywood studios.

Feb. 10. Ercan Findikoglu is sentenced in a New York federal court to eight years in prison for conducting cyberattacks that netted him $55 million.

Feb. 10. Bloomington Public Schools in Minnesota alerts several thousand employees their personal and financial information is at risk from a tax form phishing scam.

Feb. 9. Arby’s alerts nearly 355,000 customers that their payment card information may have been compromised due to a malware infection of the point-of-sale system at some of its stores between October 25 and January 19.

Feb. 9. Hacked-DB reports a hacker has leaked 1.3 million accounts stolen from staffing website eLance in 2009, as well as hundreds of thousands of Yahoo and Gmail accounts.

Feb. 9. Mercer County School District in West Virginia is victimized by tax phishing scam that results in theft of personal and financial information of some 1,800 school employees.

Feb. 8. Boeing reveals the personal information of some 36,000 employees is at risk after an employee sent a spreadsheet with the information to his spouse to resolve a formatting issue.

Feb. 8. Brian Neff, who owns an online insurance company based in Texas, files putative class action lawsuit in a federal district court in California claiming fraudulent charges were made to his credit cards due to data breaches at Yahoo.

Feb. 8. Russia’s Ministry of Internal Affairs announces it arrested in January nine suspected members of a cybercrime group known as Lurk alleged to have played a role in the theft of more than $17 million from the country’s banks.

Feb. 7. GoCardless, a UK payment processing company, warns its customers that their personal data is at risk due to the theft of 19 laptops from its offices.

Feb. 6. Federal Trade Commission announces Vizio, one of the world’s largest makers of “smart” televisions, agrees to pay $2.2 million to settle charges it installed software on its TVs to collect viewing data on 11 million consumer TVs without the knowledge or consent of their owners.

Feb. 6. Marsh announces launch of Marsh CyberShield, a cyber risk and data breach insurance policy for mid- to large-sized organizations to cover up to $624 million in risk associated with cyber incidents and data breaches.

Feb. 6. U.S. Appeals Court in West Virginia dismisses lawsuit arising from data breaches at the Bryan Dorn Veterans Affairs Medical Center in Columbia, S.C., saying plaintiffs “failed to show they were in any real and immediate danger of sustaining a direct injury as a result of some official conduct.”

Feb. 6. Gdadebo Adebiyi pleads guilty to conspiracy to commit mail fraud for his role in a breach of the Bradley University data warehouse which resulted in the theft of $770,000.

Feb. 3. Hacker dumps on the Internet a database of users of Freedom Hosting II, as well as the administrative credentials for accessing the thousands of “Dark Web” websites it services.

Feb. 3. Michigan Unemployment Insurance Agency says personal information of up to 1.87 million workers in the state is at risk after a software error in its computer system exposed their data to third-party payroll vendors and employers unauthorized to access it.

Feb. 3. Toys R Us advises all loyalty customers to change their passwords because of data breaches at the vendor that runs its Rewards R Us program.

Feb. 2. InterContinental Hotels Group confirms credit card data breach between August and December 2016 at restaurants and bars at 12 of its hotels.

Feb. 1. U.S. Department of Health and Human Services announces Children’s Medical Center of Dallas has agreed to pay $3.2 million civil money penalty for impermissible disclosure of unsecured electronic protected health information and non-compliance over many years with federal security standards.

Feb. 1. Licking County, Ohio, announces more than 1,000 computers have been shut down by a ransomware attack.

January

Jan. 31. Officials at Scotty’s Brewhouse in Indianapolis reveal W-2 forms of 4,000 employees were emailed to an unknown party posing as the CEO of the company.

Jan. 31. Data breach notification site Have I Been Pwned reports that 1.8 million user credentials have been stolen from online forum of Polish game development studio CD Projekt RED.

Jan. 31. Cisco releases security report that finds for more than a third of organizations that suffered a data breach in 2016, the cost of the breach exceeded 20 percent of revenues.

Jan. 31. The Irish Sun reports that data breaches at two popular forums for PlayStation and Xbox have resulted in the exposure of 2.5 million accounts.

Jan. 30. Baseball Commissioner Rob Manfred strips the St. Louis Cardinals of its top two draft picks and orders the team to pay the Houston Astros $2 million for hacking into the Astros email system and scouting database.

Jan. 30. Belton (Texas) Independent School District officials discover W-2 forms of 1,700 current and former employees were emailed to an online scammer posing as the ISD’s superintendent.

Jan. 29. Massachusetts releases online records showing sensitive information from nearly 3.4 million Bay State customer accounts has been inappropriately viewed, lost or stolen from businesses and state agencies since 2012.

Jan. 29. The Romantik Seehotel Jägerwirt in Austria pays cyber extortionist $1,600 after ransomware attack disabled the hotel’s key lock, reservation and cash desk systems.

Jan. 27. MacKeeper researchers say recordings of some 400,000 phone calls from at least one U.S.-based telemarketing firm have been exposed on the Internet due to a database misconfiguration error.

Jan. 27. Singapore’s Personal Data Protection Commission fines PropNex Realty $10,000 after it accidentally exposed online the personal data of 1,765 people.

Jan. 27. A data thief posing as the CEO of solar company Sunrun obtains W-2 forms of an unspecified number of employees in a phishing scam.

Jan. 27. Lexington County School District 2 in Wisconsin reveals W-2 forms of employees who worked there between Jan. 1 and Dec. 31, 2016 were stolen in a phishing scam.

Jan. 27. Superintendent Daniel Trevino announces personal information in the W-2 tax forms of some 950 employees of the Mercedes, Texas, school district is at risk after it was emailed to an unauthorized third party in a phishing scam.

Jan. 26. New York Attorney General Eric T. Schneiderman announces Acer Service Corporation has agreed to pay $115,000 in penalties and to shore up its data security after a data breach at its website exposed more than 35,000 credit card numbers.

Jan. 26. UGI Utilities in Pennsylvania announces personal information of about 1,900 employees was acquired by perpetrators of an email phishing scam.

Jan. 26. Website of LeakedSource, a for-profit breach notification service, disappears from the Net amid reports it was raided by law enforcement.

Jan. 26. Pew Research Center releases survey finding that 51 percent of American adults are “not at all confident” or “not too confident” in social media sites keeping their information safe and 49 percent feel the same way about the federal government.

Jan. 26. Beazley, a provider of data breach response insurance, reports ransomware attacks in 2016 quadrupled over the previous year and will double again in 2017.

Jan. 25. Risk Based Security reports that in 2016 there were 4,149 data breaches that exposed 4.2 billion records.

Jan. 25. Rosen Law Firm announces filing of investors’ class action lawsuit against Yahoo stemming from data breaches that resulted in theft of information for one billion user accounts.

Jan. 23. Wall Street Journal reports SEC is investigating whether two massive data breaches at Yahoo should have been reported sooner.

Jan. 23. Reuters reports that bandits who stole data from 29,000 clients of XP Investments SA of Brazil demanded a $7.1 million ransom to keep the security breach secret.

Jan. 20. Federal appellate court in Philadelphia finds class action lawsuit against Horizon Healthcare stemming from data breach may proceed even though only intangible injuries are claimed by the plaintiffs.

Jan. 20. Ohio State Veterinary Medical Center in Dublin, Ohio, alerts 4,611 clients that their personal data is at risk due to data breach caused by malware infection.

Jan. 20. Bowlmor AMF, the world’s largest bowling center operator, says it has had a possible data breach at 21 of its more than 300 domestic locations in 12 states.

Jan. 20. CSO Online reports a misconfigured synchronization program at Canadian ISP KWIC Internet has exposed its customers’ personal information and more on the public Internet.

Jan. 19. Identity Theft Resource Center and CyberScout report U.S. data breaches reached an all-time high in 2016 of 1,093, a 40 percent increase over the 780 in 2015.

Jan. 19. Army announces its first bug bounty program received 400 bug reports, 118 of which were unique and actionable and earned their programmers $100,000 in rewards.

Jan. 19. Ransomware attack on St. Louis Public Library disables 700 computers and prevents books and other materials from being checked out of the library.

Jan. 18. Supercell, the developer of the mobile game Clash of Clans, warns users a vulnerability in its forum software has exposed their emails and encrypted passwords to hackers. According to the breach notification website LeakBase, some 1.1 million accounts are affected by the breach.

Jan. 18. CoPilot Provider Support Services, a health care provider in Hyde Park, New York, announces personal information of some 220,000 people is at risk after one of its databases was accessed by an unauthorized third-party.

Jan. 17. Australian Prime Minister Malcolm Turnbull orders his top cyber security adviser to prepare a report on claims that more than 3,000 government officials had private data stolen in the 2013 Yahoo data breach.

Jan. 17. An analysis of 16,000 Android applications by cybersecurity firm Fallible reveals 2,500 of them had some type of secret credential hard-coded into them by developers, including access tokens and API keys for services like Twitter, Dropbox, Flickr, Instagram, Slack and Amazon Web Services.

Jan. 17. Motherboard reports data traders are swapping details of more than one million user accounts belonging to Supercell, a maker of popular mobile games such as Clash of Clans.

Jan. 17. Sentara, a healthcare provider serving Virginia and North Carolina, says personal information of 5,454 patients is at risk due to a data breach at a third-party vendor.

Jan. 17. Children’s Hospital of Los Angeles warns 3,600 patients their personal data is at risk due to theft of an unencrypted laptop in October.

Jan. 13. Protenus reports fewer patient records were stolen in health care data breaches in 2016 (27.3 million) than 2015 (113 million) but there were more data breaches in 2016 (450) compared to 2015 (253).

Jan. 13. The Delaware Department of Insurance announces the personal information of 19,000 members of Highmark Blue Cross Blue Shield of Delaware is at risk following a data breach at two of the health care provider’s subcontractors.

Jan. 13. Three Pennsylvania Superior Court judges uphold lower court ruling that health care provider UPMC, which suffered a data breach in which personal information of 62,000 employees was stolen, is not under any obligation to keep its employees’ data safe.

Jan. 13. Federal appeals court in St. Louis affirms lower court ruling capping liability at $500,000 for data breach at Schnuck Markets in 2013.

Jan. 13. Margarita Serrano files class action lawsuit in a federal district court in California alleging Automotive Recovery Services exposed her personal information to hackers after she donated a car to charity.

Jan. 12. Motherboard reports it has received from a hacker 900 gigabytes of data stolen from Cellebrite — an Israeli mobile hacking company that’s done work for U.S. federal and state law enforcement agencies as well as Russia, the United Arab Emirates and Turkey — including customer information, databases, and a vast amount of technical data regarding its products.

Jan. 12. Federal court in Tennessee approves $1.9 million settlement of class action lawsuit against Mapco Express for data breach in 2013.

Jan. 11. CSO Online reports that 68.5 percent of public-facing MongoDB databases, or 32,820 installations, have been infected by ransomware from multiple actors.

Jan. 11. UK Information Commissioner’s Office fines Royal & Sun Alliance Insurance £150,000 for data breach resulting from theft of storage device containing information on nearly 60,000 customers.

Jan. 11. Giulio Occhionero, 45, and Francesca Maria Occhionero, 49, are charged in a Roman court with hacking into the phones and computers of high-ranking government officials, business leaders and Freemasons in Italy.

Jan. 10. Federal judge in Tennessee approves $1.9 million settlement in lawsuit against convenience store chain Mapco Express stemming from point of sale data breach in 2013.

Jan. 9. Presence Health in Illinois agrees to pay $475,000 to settle case with U.S. Department of Health and Human Services over the untimely reporting of a breach of protected health information.

Jan. 9. Owners of the Two Plus Two poker discussion forum confirm personal information about its members has been stolen and posted to the Internet for public access.

Jan. 9. Sydney Morning Herald reports National Australia Bank mistakenly sent the bank account details of 60,000 customers to an email address controlled by Real Assets Limited, a domain name broker.

Jan. 9. An investor files a lawsuit against the board of directors of Wendy’s claiming breach of fiduciary duties by mismanaging a data breach that resulted in the theft of customer data.

Jan. 8. Online gambling site TwoPlusTwo tells some of its 400,000 customers to reset their passwords and take extra precautions trading or staking players because of data breach at the site.

Jan. 7. Breach notification service LeakedSource announces it has obtained 1,503,707 customer records stolen in data breach in December from ESEA, one of the largest competitive video gaming communities on earth.

Jan. 6. California Department of Insurance finds data breach that compromised 78.8 million consumer records at health insurer Anthem was performed on behalf of a foreign government.

Jan. 6. Los Angeles Valley College pays $28,000 in bitcoin to hacker who locked out 1,800 staff and teachers from their computers with ransomware.

Jan. 5. The Philippine National Privacy Commission recommends criminal charges be filed against Commission on Elections Chairman J. Andres D. Bautista for a data breach exposing online the personal data of 1.3 million overseas Filipino voters and the fingerprints of 15.8 million people.

Jan. 5. Federal Trade Commission files complaint against D-Link for failing to take adequate measures to secure its routers and webcams which left them vulnerable to hackers and put consumer privacy at risk.

Jan. 5. The University of Alberta in Canada warns more than 3,000 faculty, students and staff that their passwords are at risk due to malware infections on 300 computers at the institution.

Jan. 4. Frederick County (Maryland) Board of Education refuses to send student information to state Education Department after suspected data breach at department exposed on the Internet personal information of 1,000 students from the county.

Jan. 4. Andrew Minty, Jamie Leong and Michelle Craddock plead guilty and are sentenced for conspiring to steal customer information from Enterprise Rent-A-Car in the UK and selling it for hundreds of thousands of pounds to accident claims companies, which used it to make nuisance calls about personal injury claims.

Jan. 3. U.S. Office of Management and Budget publishes new policies on how federal agencies should prepare for and address a breach of personally identifiable information.

Jan. 3. The Massachusetts Office of Consumer Affairs and Business Regulation announces it is making reports of potential identity theft available to the public on its website and eliminating the need to file a public records request to see them.

Stay tuned for the Q2 2017 edition of the Data Breach Report.

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.


Q4 2016

The Data Breach Report provides a quarterly diary of noteworthy data breaches and cyber-attacks to CIOs, CSOs, CISOs, IT security teams, and the media.

WHO’S HACKED

Yahoo, Friend Finder, Dropbox suffer biggest attacks

John P. Mello, Jr.

Menlo Park, Calif. – Dec. 30, 2016

Information on millions of people was exposed during the final calendar quarter of 2016.

Among the big hacks during the period were the theft of information on more than one billion Yahoo accounts, the compromise of the Friend Finder network, which put at risk 412 million accounts, and the posting to the Internet by a hacker of 68 million Dropbox accounts from a 2012 data breach.

Cyber bank robbers were also busy during the period. They compromised 3.2 million payment cards in India and stole $31 million from the central bank of Russia.

BREACH DIARY

December

Dec. 29. FBI and U.S. Department of Homeland Security issue joint report detailing the tools and infrastructure used by Russian intelligence services to compromise and exploit networks and infrastructure associated with the recent U.S. election, as well as a range of U.S. government, political and private sector entities.

Dec. 29. Nevada takes its marijuana portal offline after a data breach exposed confidential information on some 12,000 applications for cards used to obtain medical marijuana.

Dec. 28. InterContinental Hotel Group, which operates more than 5,000 hotels worldwide, says it’s investigating reports of a possible data breach at a small number of its hotels located in the United States.

Dec. 27. Three Chinese citizens are charged by the United States with engaging in conspiracies to commit insider trading, wire fraud and computer intrusion in an indictment filed in federal court in Manhattan.

Dec. 24. The Daily Caller reports a Russian hacker breached The Russian Visa Center and exposed information on some 3,000 people seeking assistance in obtaining Russian visas.

Dec. 14. Yahoo discloses data breach dating back to 2013 resulting in theft of information on more than one billion accounts.

Dec. 2. Reuters reports hackers using a client’s credentials stole more than $31 million from the central bank of Russia.

Dec. 1. MacKeeper Security Researcher Chris Vickery reports sensitive information of explosives handling company Allied-Horizontal is at risk after a Network-Attached Storage device was exposed to the public Internet.

Dec. 1. International law enforcement authorities announce dismantling of Avalanche, a malware delivery and money mule recruiting platform that produced hundreds of millions of euros in revenues for its operators.

November

Nov. 30. Camelot, the operator of the UK’s national lottery, announces some 26,500 player accounts are at risk after a data breach of its systems.

Nov. 30. Europol reports sensitive data on terrorism investigations conducted from 2006 to 2008 is at risk after an employee brought the data home in violation of agency policy and stored it on a hard drive connected to the Internet without password protection.

Nov. 29. Barrett Brown, a self-proclaimed spokesman for the hacktivist collective known as Anonymous, is released from federal prison five months ahead of schedule.

Nov. 29. Idaho Fish & Game announces it is again selling licenses and posting hunter reports online. The service was knocked offline in August by a data breach.

Nov. 29. Deutsche Telekom and the German Office for Information Security announce a system disruption over the weekend affecting some 900,000 customers was part of a failed global attempt by hackers to hijack routers and use them to disrupt Internet traffic.

Nov. 28. The Japan Times reports a cyberattack by a state actor in September may have compromised Japan’s internal military network.

Nov. 28. U.S. Navy warns more than 130,000 sailors their personal information is at risk after a laptop used by a contractor is compromised.

Nov. 19. Russian telecom watchdog Roskomnadzor discovers data breaches at 55 websites which contain personal information of children who have written to “Father Frost,” the Russian Santa Claus.

Nov. 18. Michigan State University announces it will notify some 400,000 current and former students and staff of data breach that has compromised their personal information.

Nov. 16. GulfNews reports personal records of more than 34 million residents of the Indian state of Kerala were posted to Facebook by a hacker disenchanted with the security of the state’s computer systems.

Nov. 16. Protenus reports month-to-month decline in health care data breaches to 35 in October from 37 in September, although the number of patient records increased to 776,533 from 246,876.

Nov. 16. Workers at Indian security firm AI Solutions are discovered selling phone records of Australians from call centers of Optus, Telstra and Vodafone.

Nov. 15. Seventeen-year-old boy pleads guilty in UK to data breach last year at telecommunications provider TalkTalk which resulted in unauthorized access to personal data of nearly 160,000 people.

Nov. 14. Adobe agrees to pay $1 million to 15 states to settle case stemming from 2013 data breach at the company which resulted in unauthorized access to the records of some 552,000 people.

Nov. 14. Data breach at Friend Finder Network places at risk personal information in more than 412 million accounts.

Nov. 3. New Zealand Nurses Organization announces “tens of thousands” of members’ contact details were emailed to someone posing as the chief executive of the organization.

Nov. 2. Business Insider announces its website was compromised by OurMine, a group that hacks websites to expose security flaws.

Nov. 2. U.S. District Judge Rosemary Collyer dismisses class action lawsuit stemming from 2015 data breach at the IRS in which the personal and financial information of 330,000 taxpayers and their family members was compromised by hackers who infiltrated the now defunct “Get Transcript” service, which allowed taxpayers to access their tax filings online.

October

Oct. 31. Hacker group calling itself Shadow Brokers releases data dump of alleged computer servers around the world compromised by The Equation Group, which is believed to be linked to the NSA.

Oct. 31. U.S. Office of Personnel Management announces it is changing credit monitoring and identity protection service providers and that some of the 25 million people affected by a data breach at the agency will have to re-enroll to continue coverage.

Oct. 31. Attorney General of Washington reports that from July 2015 to July 2016, 39 data breaches in the state affected some 450,000 people.

Oct. 20. Weebly, a San Francisco-based website creation company, starts notifying more than 43 million customers their personal information is at risk due to a data breach that occurred in February.

Oct. 20. National Payments Corporation of India reports some 3.2 million payment cards have been compromised in massive ATM security breach.

Oct. 19. Federal Reserve, FDIC and OCC issue notice of proposed rulemaking seeking comments on a set of enforceable cybersecurity standards for banks with more than $50 billion in assets.

Oct. 18. Redbus, an Indian online travel ticketing platform, confirms data breach that may have compromised more than four million accounts. Company advises all its users to reset their passwords.

Oct. 19. Czech police announce they have arrested Russian citizen in Prague wanted by the FBI in connection to 2012 data theft of 117 million passwords at LinkedIn.

Oct. 17. Katy Independent School District in Texas warns 78,000 students and staff members their personal data is at risk due to a data breach.

Oct. 7. U.S. government formally accuses Russia of a campaign of cyber attacks against Democratic Party organizations ahead of the Nov. 8 presidential election.

Oct. 6. Central Ohio Urology Group reports to U.S. Department of Health and Human Services that 300,000 patients were affected by data breach in August, the eighth largest breach in the nation this year.

Oct. 6. Montana Department of Justice reports 110,000 citizens of the state were victims of data breaches in the last 12 months.

Oct. 6. American 1 Credit Union in Jackson, Mich., announces it will decline all purchases made at Wendy’s by its payment card holders because it doesn’t believe the fast food chain has removed all the malware that infected its point-of-sale systems in more than 1,000 locations in 2015.

Oct. 5. The BBC reports Fancy Bears, the hackers who published online medical records stolen from the World Anti-Doping Agency, may have doctored some of the data in those records.

Oct. 5. UK Information Commissioner’s Office orders TalkTalk to pay fine of £400,000 in connection to 2015 data breach that affected 150,000 customers.

Oct. 5. The New York Times reports the FBI has arrested Harold T. Martin, a former employee of NSA contractor Booz Allen Hamilton, and is investigating whether he stole and disclosed classified security code developed by the agency to compromise the networks of foreign governments.

Oct. 4. Personal data of more than 1.5 million users of websites run by C&Z Tech Limited, which include HaveAFling.mobi, HaveAnAffair.mobi and HookUpDating.mobi, is at risk after a database for the sites was found exposed to the Internet without a password.

Oct. 4. Thomas White, aka The Cthulhu, posts to his website as a free download information from more than 68 million Dropbox accounts stolen in a 2012 data breach of the service.

Oct. 4. The Sunday Express reports that Amazon has alerted some of its customers that their passwords have been reset after it discovered their Amazon email address and password corresponded to a login list posted online.

Oct. 4. Reuters reports that last year Yahoo built a custom program to search all its customers’ incoming emails for information provided to it by U.S. intelligence officials. Yahoo later denied the claims in the report.

Oct. 3. U.S. District Court Judge Andrea R. Wood dismisses class action lawsuit against Barnes & Noble related to a compromise of its point-of-sale systems in 2012. She found that plaintiffs failed to show they had suffered any actual damages because of the data breach.

Oct. 3. U.S. Surgeon General warns 6,600 medical professionals in his “commissioned corps” that their personal information is at risk due to a breach of the agency’s personnel system.

Stay tuned for the Q1 2017 edition of the Data Breach Report.



© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.