DATA BREACH REPORT

FROM THE EDITORS AT CYBERSECURITY VENTURES

Q1 2017

The Data Breach Report provides a quarterly diary of noteworthy data breaches and cyber-attacks to CIOs, CSOs, CISOs, IT security teams, and the media.

WHO’S HACKED

McDonald’s, Arby’s headline data breaches during first quarter of year

johnmelloembossedJohn P. Mello, Jr.

Menlo Park, Calif. – Mar. 31, 2017

Data breaches at fast food chains Arby’s and McDonald’s Canada were among the prominent brands hit by data breaches during the first three months of 2017. Another eatery chain, Wendy’s, was the target of a lawsuit stemming from a data breach at that chain, as was clothing retailer Eddie Bauer.

Some other companies paid the price of having their data compromised. Neiman Marcus settled a data breach lawsuit for $1.6 million and Home Depot settled one for $25 million.

Among the largest breaches during the period was the compromise of the voting records of 55 million Filipinos, the leak of 33.7 million email addresses from Dun & Bradstreet and news that six million accounts were hacked at South African cinema company Ster-Kinekor. One of the most controversial leaks during the period was WikiLeaks publishing of a large cache of documents stolen from the CIA.

Meanwhile, IBM reported that four billion records were exposed worldwide in 2016, more than the previous two years combined.

BREACH DIARY

March

Mar. 31. McDonald’s Canada discloses that a data breach at its website for job applicants resulted in the theft of personal information for some 95,000 people.

Mar. 31. The UK’s Independent Parliamentary Standards Authority accidently exposed for four hours on the Internet confidential personal information, including salaries, for about 3,000 staff members of parliament.

Mar. 30. Government Accountability Office finds that U.S. Office of Personnel Management overpaid for identity theft insurance for the more than 20 million current and former federal employees who had sensitive information about them stolen in a data breach at the agency.

Mar. 30. IBM releases its X-Force Threat Intelligence Index for 2017 finding that in 2016, four billion records were leaked worldwide — more than the two previous years combined.

Mar. 28. Hong Kong’s Registration and Electoral Office reports the personal information of 3.7 million voters is at risk after two laptops containing the data were stolen from a room at the AsiaWorld-Expo on Lantau.

Mar. 28. Maxim Senkh of Novgorod, Russia, pleads guilty in U.S. federal court to participating in a botnet scheme based on stolen OpenSSH credentials that raked in millions of dollars worldwide from click-fraud and spam campaigns.

Mar. 28. Associated Press reports lawsuits have been filed by eight credit unions in seven states against Arby’s for losses attributed to a data breach that occurred when the fast food chain’s point-of-sale system was compromised.

Mar. 27. St. Paul Fire & Marine files lawsuit to avoid paying more than $2.4 million in damages resulting from data breach at Rosen Hotels & Resorts last year.

Mar. 27. The U.S. Treasury Inspector General for Tax Administration reports the IRS failed to deactivate its Identity Protection Personal Identification Number program after a data breach in May 2015 despite repeated recommendations by the TIGTA to do so.

Mar. 22. Urology Austin in Texas announces a ransomware attack on its computer network has potentially exposed patient information for 279,663 people.

Mar. 22. America’s Joblink, which connects job seekers with employers in 10 states, reports a data breach has placed at risk the personal information of millions of people stored on service’s servers.

Mar. 21. New York Attorney General Eric T. Schneiderman reports his office received notice of 1,300 data breaches in the state in 2016, a 60 percent increase over the previous year.

Mar. 20. Protenus Breach Barometer reports 31 healthcare data breaches occurred in February affecting 206,151 patient records.

Mar. 20. BuzzFeed News reports that personal information of tens of thousands of Saks Fifth Avenue’s customers is at risk because it was exposed at the company’s online shopping site.

Mar. 17. Neiman Marcus agrees to pay $1.6 million to settle lawsuit over 2013 data breach in which the credit card data of 350,000 shoppers was compromised.

Mar. 16. The Association of British Travel Agents announces account information for as many as 43,000 people is at risk due to a data breach at a third-party provider hosting its data.

Mar. 15. U.S. Justice Department indicts for hacking half a billion Yahoo accounts Russian Federal Security Service agents Dmitry Dokuchaev and Igor Sushchin and two co-conspirators, Alexsey Belan and Karim Baratov.

Mar. 15. Wishbone, a polling app popular among teens, says its API has been hacked and more than two million email addresses compromised.

Mar. 15. Troy Hunt posts to his data breach notification site Have I Been Pwned a database leaked from Dun & Bradstreet containing 33.7 million unique email addresses and other information on employees in thousands of companies.

Mar. 14. Three, a UK telecom provider, announces 76,373 more customers than originally reported were affected by a data breach last year which allowed intruders to gain access to a database in the company’s computer system.

Mar. 13. Virginia amends its data breach notification law to include tax phishing scams.

Mar. 13. Security website Haveibeenpwned.com alerts six million users of South African cinema company Ster-Kinekor that their accounts were compromised in a 2016 data breach.

Mar. 12. MacKeeper security researchers report they’ve discovered a misconfigured device connected to the Internet belonging to a U.S. Air Force officer that has exposed sensitive information to the public, including a spreadsheet with details about ongoing investigations by the service.

Mar. 10. The U.S. departments of Internal Revenue and Education shut off a tool used by by students to apply for college financial assistance due to concerns about a potential security breach.

Mar. 9. Home Depot agrees to $25 million to settle lawsuit brought by financial institutions over the 2014 data breach at the “big box” hardware store.

Mar. 9. St. Louis furniture retailer Weekends Only says Aptos, the company that hosts its online store, has suffered a data breach potentially affecting the credit card information of 8,000 customers.

Mar. 9. Veridian Credit Union sues clothing retailer Eddie Bauer over data breach that compromised its point-of-sale system.

Mar. 9. Brad Maiorino, who was hired by Target in 2014 after it experienced a massive data breach in which information on more than 40 million payment cards was stolen, leaves retailer for job at Booz Allen Hamilton.

Mar. 8. Verifone, the largest payment terminal company in the United States, says data breach of its systems affected some two dozen American gas station convenience stores over a short period of time.

Mar. 8. BitSight, a security ratings company, reports that Fortune 1000 businesses are more prone to cyberattacks than firms that do not make the list.

Mar. 7. WikiLeaks posts online thousands of documents it says were leaked from the U.S. Central Intelligence Agency, including information on tools used by the spies to hack computers and mobile phones.

Mar. 7. Brand New Day, a Medicare-approved health plan in California, notifies 14,005 patients their electronic personal health information is at risk from a data breach at a third-party provider.

Mar. 7. CyberEdge Group releases survey of 1,100 IT decision makes in 15 countries that finds 79 percent of organizations were affected by a successful cyberattack and 61 percent were infected with ransomware, although only 33 percent paid the ransom.

Mar. 6. Security researcher Chris Vickery reports that a failure by River City Media to safeguard its database of 1.34 million email accounts left the data exposed for public view on the Internet.

Mar. 3. Shareholders Foundation announces investor lawsuit has been filed in California against Yahoo for alleged false and misleading statements about data security at the company and a data breach in which personal user data was stolen from at least 500 million accounts.

Mar. 3. Emory Healthcare in Atlanta reports a database containing appointment information for about 80,000 patients was deleted by an intruder who demanded a ransom to restore it.

Mar. 3. Purdys Chocolatier of Vancouver, British Columbia, Canada, says the private information of some 12,000 Canadian and 1.500 U.S. buyers has been compromised by a data breach at Aptos, an Internet service provider to the company.

Mar. 1. Yahoo board of directors report senior executives failed to “properly comprehend or investigate” 2014 data breach affecting 500 million accounts and decide not to award CEO Marissa Mayer her cash bonus for 2016.

Mar. 1. Autoneum North America, headquartered in Farmington Hills, Mich., announces tax information for 2,400 workers was stolen in a phishing scam.

February

Feb. 28. UK Information Commissioner’s Office fines health company HCA International £200,000 for violating the country’s Data Protection Act by storing medical data on an unsecure server.

Feb. 28. Redmond, Wash., School District says tax information for 1,000 current and former employees was stolen when it was emailed to a thief posing as the superintendent of the district.

Feb. 28. Trend Micro reports that the number of new ransomware families in 2016 jumped 752 percent, to more than 20 from less than five in 2015.

Feb. 28. Goldenvoice warns users of Coachella.com to be on alert for spam emails from people impersonating Coachella personnel after a data breach at the website for music fans.

Feb. 24. Cellebrite, a mobile forensics company based in Israel, announces it has found a means to unlock and extract the full file system from any iPhone 6 or 6 Plus.

Feb. 24. Financial institutions file proposed class action lawsuit against fast food sandwich chain Arby’s for failing to adequately protect its point-of-sale system from hackers, which resulted in the institutions reissuing potentially millions of new payment cards.

Feb. 24. MacKeeper security researchers discovers a leaky data set on the computer systems at Stewart International Airport in New York that’s exposed to the public Internet 760 gigabyts of sensitive information including employee Social Security numbers and network passwords.

Feb. 23. Food store chain Ellwood Thompson’s Local Market based in Richmond, Va., alerts 360 former and current employees their W-2 tax information is at risk after it was emailed to someone posing as the founder of the company.

Feb. 23. Cloudflare says system error exposed some sensitive data on its servers to the Internet, which was subsequently cached by search engines crawling the Net; however, system problem has been fixed and cache material scrubbed.

Feb. 22. Meridian Health Services of Indiana announces W-2 tax information of some 1,200 current and former employees has been compromised by a phishing scam.

Feb. 21. New sale terms of Yahoo to Verizon announced by companies of $4.48 billion, $350 million less than originally offered, a reduction attributed to two massive data breaches at Yahoo last year.

Feb. 21. Shareholders Foundation in San Diego announces an investor lawsuit has been filed against Wendy’s board of directors in connection with a point-of-sale data breach that affected some of the fast food firm’s franchises in 2015 and 2016.

Feb. 21. Business Continuity Institute and British Standards Institute release survey of more than 700 organizations in 79 countries finding that nearly nine out of 10 businesses (88 percent) worldwide are worried about the threat of cyberattacks.

Feb. 21. Louisiana Department of Insurance says personal information is at risk of an estimated 8,000 former members of the failed Louisiana Health Cooperative after a data breach at the co-op’s reinsurance broker.

Feb. 20. Accenture releases survey finding more than one in four (26 percent) Americans have had their personal medical information stolen from a technology system and that half those victims suffered medical identity theft, which cost them, on average, $2,500 in out-of-pocket expenses.

Feb. 20. Nursing home chain American Senior Communities in Indiana states W-2 tax information of more than 17,000 employees has been compromised in a phishing scam.

Feb. 18. Family Services of Rochester (Minn.) says an investigation is underway of a data breach that has compromised the personal information of an unspecified number of clients.

Feb. 17. Memorial Health Care systems, an operator of six hospitals in South Florida, agrees to pay U.S. Department of Health and Human Services $5.5 million to settle case involving the theft of patient information by two employees.

Feb. 17. A survey of 250 IT pros by iSense Solutions for Bitdefender finds 34 percent of companies have suffered a data breach in the last year and of those companies breached, 74 percent don’t know how it happened.

Feb.16. New York Department of Financial Services releases “first in nation” cybersecurity regulations for the financial services industry.

Feb. 16. The Philippines’ Commission on Elections confirms a laptop containing personal information, including biometrics, of 55 million voters was stolen from the election office of Wao, Lanao del Sur.

Feb. 16. British Columbia Premier Christy Clark announces an investigation is underway into a data breach of the province’s PharmaNet system that compromised medical information of some 7,500 people.

Feb. 16. Memorial Health Care System in Florida pays $5.5 million to settle potential violations of federal privacy and security rules after reporting the personal health information of 115,143 people was impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff.

Feb. 15. Yahoo warns its users that forged cookies were used to log into some of their accounts in 2015 or 2016 without the use of passwords.

Feb. 15. U.S. Bureau of Indian Affairs says personal data of more than 20,000 members of two Montana American Indian tribes is at risk after an external hard drive was stolen from a law enforcement vehicle in Big Horn County.

Feb. 15. Texas Department of Transportation confirms breach of an automated administration system which may have left some employee data altered and compromised.

Feb. 15. Redspin releases annual data breach report revealing hacking attacks on healthcare providers increased 320 percent in 2016.

Feb. 15. World Trademark Review reports that more than 100,000 websites have been hacked and defaced following the release WordPress 4.7.2 which contained a fix for a critical vulnerability.

Feb. 15. Charter Oak Fire Insurance Company and Travelers Property Casualty Co. of America asks federal court in Florida to reject claim by 21st Century Oncology that data breach losses are covered by publication of confidential information clause in existing insurance policy.

Feb.15. Horizon Healthcare Services of New Jersey agrees to pay state $1.1 million to settle case involving the theft of two laptops that allegedly compromised the personal information of 690,000 policyholders.

Feb. 14. Verizon releases its 2017 data breach digest finding that the effects of breaches are spreading to even more parts of an enterprise and causing more problems outside of IT.

Feb. 11. NBC News reports data breach at PIP, a printing chain with more than 400 outlets in 13 countries, has exposed thousands of sensitive documents from labor filings for NFL players to lawsuits against Hollywood studios.

Feb. 10. Ercan Findikoglu is sentenced in a New York federal court to eight years in prison for conducting cyberattacks that netted him $55 million.

Feb. 10. Bloomington Public Schools in Minnesota alerts several thousand employees their personal and financial information is at risk from a tax form phishing scam.

Feb. 9. Arby’s alerts nearly 355,000 customers that their payment card information may have been compromised due to a malware infection of the point-of-sale system at some of its stores between October 25 and January 19.

Feb. 9. Hacked-DB reports a hacker has leaked 1.3 million accounts stolen from staffing website eLance in 2009, as well as hundreds of thousands of Yahoo and Gmail accounts.

Feb. 9. Mercer County School District in West Virginia is victimized by tax phishing scam that results in theft of personal and financial information of some 1,800 school employees.

Feb. 8. Boeing reveals the personal information of some 36,000 employees is at risk after an employee sent a spreadsheet with the information to his spouse to resolve a formatting issue.

Feb. 8. Brian Neff, who owns an online insurance company based in Texas, files putative class action lawsuit in a federal district court in California claiming fraudulent charges were made to his credit cards due to data breaches at Yahoo.

Feb. 8. Russia’s Ministry of Internal Affairs announces it arrested in January nine suspected members of a cybercrime group known as Lurk alleged to have played a role in the theft of more than $17 million from the country’s banks.

Feb. 7. GoCardless, a UK payment processing company, warns its customers that their personal data is at risk due to the theft of 19 laptops from its offices.

Feb. 6. Federal Trade Commission announces Vizio, one of the world’s largest makers of “smart” televisions, agrees to pay $2.2 million to settle charges it installed software on its TVs to collect viewing data on 11 million consumer TVs without the knowledge or consent of their owners.

Feb. 6. Marsh announces launch of Marsh CyberShield, a cyber risk and data breach insurance policy for mid- to large-sized organizations to cover up to $624 million in risk associated with cyber incidents and data breaches.

Feb. 6. U.S. Appeals Court in West Virginia dismisses lawsuit arising from data breaches at the Bryan Dorn Veterans Affairs Medical Center in Columbia, S.C., saying plaintiffs “failed to show they were in any real and immediate danger of sustaining a direct injury as a result of some official conduct.”

Feb. 6. Gdadebo Adebiyi pleads guilty to conspiracy to commit mail fraud for his role in a breach of the Bradley University data warehouse which resulted in the theft of $770,000.

Feb. 3. Hacker dumps on the Internet a database of users of Freeedom Hosting II, as well as the administrative credentials for accessing the thousands of “Dark Web” websites it services.

Feb. 3. Michigan Unemployment Insurance Agency says personal information of up to 1.87 million workers in the state is at risk after a software error in its computer system exposed their data to third-party payroll vendors and employers unauthorized to access it.

Feb. 3. Toys R Us advises all loyalty customers to change their passwords because of data breaches at the vendor that runs its Rewards R Us program.

Feb. 2. InterContinental Hotels Group confirms credit card data breach between August and December 2016 at restaurants and bars at 12 of its hotels.

Feb. 1. U.S. Department of Health and Human Services announces Children’s Medical Center of Dallas has agreed to pay $3.2 million civil money penalty for impermissible disclosure of unsecured electronic protected health information and non-compliance over many years with federal security standards.

Feb. 1. Licking County, Ohio, announces more than 1,000 computers have been shut down by a ransomwaree attack.

January

Jan. 31. Officials at Scotty’s Brewhouse in Indianapolis reveal W-2 forms of 4,000 employees were emailed to an unknown party posing as the CEO of the company.

Jan. 31. Data breach notification site Have I Been Pwned reports that 1.8 million user credentials have been stolen from online forum of Polish game development studio CD Projekt RED.

Jan. 31. Cisco releases security report that finds for more than a third of organizations that suffered a data breach in 2016, the cost of the breach exceeded 20 percent of revenues.

Jan. 31. The Irish Sun reports that data breaches at two popular forums for PlayStation and Xbox have resulted in the exposure of 2.5 million accounts.

Jan. 30. Baseball Commissioner Rob Manfred strips the St. Louis Cardinals of its top two draft picks and orders the team to pay the Houston Astros $2 million for hacking into the Astros email system and scouting database.

Jan.30. Belton (Texas) Independent School District officials discover W-2 forms of 1,700 current and former employees were emailed to an online scammer posing as the ISD’s superintendent.

Jan. 29.Massachusetts releases online records showing sensitive information from nearly 3.4 million Bay State customer accounts have been inappropriately viewed, lost or stolen from businesses and state agencies since 2012.

Jan. 29. The Romantik Seehotel Jägerwirt in Austria pays cyber extortionist $1,600 after ransomware attack disabled the hotel’s key lock, reservation and cash desk systems.

Jan. 27. MacKeeper researchers say recordings of some 400,000 phone calls from at least one U.S.-based telemarketing firm has been exposed on the Internet due to a database misconfiguration error.

Jan. 27. Singapore’s Personal Data Protection Commission fines PropNex Realty $10,000 after it accidentally exposed online the personal data of 1,765 people.

Jan. 27. A data thief posing as the CEO of solar company Sunrun obtains W-2 forms of an unspecified number of employees in a phishing scam.

Jan. 27. Lexington County School District 2 in Wisconsin reveals W-2 forms of employees who worked there between Jan. 1 and Dec. 31, 2016 were stolen in a phishing scam.

Jan. 27. Superintendant Daniel Trevino announces personal information in the W-2 tax forms of some 950 employees of the Mercedes, Texas,school district is at risk after it was emailed to an unauthorized third-party in a phishing scam.

Jan. 26. New York Attorney General Eric T. Schneiderman announces Acer Service Corporation has agreed to pay $115,000 in penalties and to shore up its data security after a data breach at its website exposed more than 35,000 credit card numbers.

Jan. 26. UGI Utilities in Pennsylvania announces personal information of about 1,900 employees was acquired by perpetrators of an email phishing scam.

Jan. 26. Website of LeakedSource, a for-profit breach notification service, disappears from Net amid reports it was raided by law enforcement.

Jan. 26. Pew Research Center releases survey finding that 51 percent of American adults are “not at all confident” or “not too confident” in social media sites keeping their information safe and 49 percent feel the same way about the federal government.

Jan. 26. Beazley, a provider of data breach response insurance, reports ransomware attacks in 2016 quadrupled over the previous year will double again in 2017.

Jan. 25. Risk Based Security reports that in 2016 there were 4,149 data breaches that exposed 4.2 billion records.

Jan. 25. Rosen Law Firm announces filing of investors class action lawsuit against Yahoo stemming from data breaches that resulted in theft of information for one billion user accounts.

Jan. 23. Wall Street Journal reports SEC is investigating whether two massive data breaches at Yahoo should have been reported sooner.

Jan. 23. Reuters reports that bandits who stole data from 29,000 clients of XP Investments SA of Brazil demanded a $7.1 million ransom to keep the security breach secret.

Jan. 20. Federal appellate court in Philadelphia finds class action lawsuit against Horizon Healthcare stemming from data breach may proceed even though only intangible injuries are claimed by the plaintiffs.

Jan. 20. Ohio State Veterinary Medical Center in Dublin, Ohio, alerts 4,611 clients that their personal data is at risk due to data breach caused by malware infection.

Jan. 20. Bowlmor AMF, the world’s largest bowling center operator, says it has had a possible data breach at 21 of its more than 300 domestic locations in 12 states.

Jan. 20. CSO Online reports a misconfigured synchronization program at Canadian ISP KWIC Internet has exposed its customers’ personal information and more on the public Internet.

Jan. 19. Identity Theft Resource Center and CyberScout report U.S. data breaches reached all time high in 2016 of 1,093, a 40 percent increase over the 780 in 2015.

Jan. 19. Army announces its first bug bounty program received 400 bug reports, 118 of which were unique and actionable and earned their programmers $100,000 in rewards.

Jan. 19. Ransomware attack on St. Louis Public Library disables 700 computers and prevents books and other materials from being checked out of the library.

Jan. 18. Supercell, the developer of the mobile game Clash of Clans, warns users a vulnerability in its forum software has exposed their emails and encrypted passwords to hackers. According to the breach notification website LeakBase, some 1.1 million accounts are affected by the breach.

Jan. 18. CoPilot Provider Support Services, a health care provider in Hyde Park, New York, announces personal information of some 220,000 people is at risk after one of its databases was accessed by an unauthorized third-party.

Jan. 17. Australian Prime Minister Malcom Turnbull orders his top cyber security adviser to prepare a report on claims that more than 3,000 government officials had private data stolen in the 2013 Yahoo data breach.

Jan. 17. An analysis of 16,000 Android applications by cybersecurity firm Fallible reveals 2,500 of them had some type of secret credential hard-coded into them by developers, including access tokens and API keys for services like Twitter, Dropbox, Flickr, Instagram, Slack and Amazon Web Services.

Jan.17. Motherboard reports data traders are swapping details o more than one million user accounts belonging to Supercell. a maker of popular mobile games, such as Clash of Clans.

Jan. 17. Sentara, a healthcare provider servicing Virginia and North Carolina says personal information of 5,454 patients is at risk due to data breach at third party vendor.

Jan. 17. Children’s Hospital of Los Angeles warns 3,600 patients their personal data is at risk due to theft of an unencrypted laptop in October.

Jan. 13. Protenus reports fewer patient records were stolen in health care data breaches in 2016 (27.3 million) than 2015 (113 million) but there were more data breaches in 2016 (450) compared to 2015 (253).

Jan. 13. The Delaware Department 0f Insurance announces the personal information of 19,000 members of Highmark Blue Cross Blue Shield of Delaware is at risk following a data breach at two of the health care provider’s subcontractors.

Jan. 13. Three Pennsylvania Superior Court judges uphold lower court ruling that health care provider UPMC, which suffered a data breach in which personal information of 62,000 employees was stolen, is not under any obligation to keep its employees data safe.

Jan. 13. Federal appeals court in St. Louis affirms lower court ruling capping liability at $500,000 for data breach at Schmuck Markets in 2013.

Jan. 13. Margarita Serrano files class action lawsuit in a federal district court in California alleging Automotive Recovery Services exposed her personal information to hackers after she donated a car to charity.

Jan. 12. Motherboard reports it has received from a hacker 900 gigabytes of data stolen from Cellebrite — an Israeli mobile hacking company that’s done work for U.S. federal and state law enforcement agencies as well as Russia, the United Arab Emirates and Turkey — including customer information, databases, and a vast amount of technical data regarding its products.

Jan. 12. Federal court in Tennessee approves $1.9 million settlement of class action lawsuit against Mapco Express for data breach in 2013.

Jan.11. CSO Online reports that 68.5 percent of public-facing MongoDB databases or 32,820 installations have been infected by ransomware from multiple actors.

Jan. 11. UK Information Commissioner’s Office fines Royal & Sun Alliance Insurance £150,000 for data breach resulting from theft of storage device containing information on nearly 60,000 customers.

Jan. 11. Giulio Occhionero, 45, and Francesca Maria Occhionero, 49, are charged in a Roman court with hacking into the phones and computers of high-ranking government officials, business leaders and Freemasons in Italy.

Jan. 10. Federal judge in Tennessee approves $1.9 million settlement in lawsuit against convenience store chain Mapco Express stemming from point of sale data breach in 2013.

Jan. 9. Presence Health in Illinois agrees to pay $475,000 to settle case with U.S. Department of Health and Human Services over the untimely reporting of a breach of protected health information.

Jan. 9. Owners of the Two Plus Two poker discussion forum confirms personal information about its members has been stolen and posted to the Internet for public access.

Jan. 9. Sydney Morning Herald reports National Australia Bank mistakenly sent the bank account details of 60,000 customers to an email address controlled by Real Assets Limited, a domain name broker.

Jan. 9. An investor files a lawsuit against the board of directors of Wendy’s claiming breach of fiduciary duties by mismanaging a data breach that resulted in the theft of customer data.

Jan. 8. Online gambling site TwoPlusTwo tells some of its 400,000 customers to reset their passwords and take extra precautions trading or staking players because of data breach at the site.

Jan. 7. Breach notification service LeakedSource announces it has obtained 1,503,707 customer records stolen in data breach in December from ESEA, one of the largest competitive video gaming communities on earth.

Jan. 6. California Department of Insurance finds data breach that compromised 78.8 million consumer records at health insurer Anthem was performed on behalf of a foreign government.

Jan. 6. Los Angeles Valley College pays $28,000 in bitcoin to hacker who locked out 1,800 staff and teachers from their computers with ransomware.

Jan. 5. The Philipine National Privacy Commission recommends criminal charges be filed against Commission on Elections Chairman J. Andres D. Bautista for a data breach exposing online the personal data of 1.3 million overseas Filipino voters and the fingerprints of 15.8 million people.

Jan. 5. Federal Trade Commission files complaint against D-Link for failing to take adequate measures to secure its routers and webcams which left them vulnerable to hackers and put consumer privacy at risk.

Jan. 5. The University of Alberta in Canada warns more than 3,000 faculty, students and staff that their passwords are at risk due to malware infections on 300 computers at the institution.

Jan. 4. Frederick County (Maryland) Board of Education refuses to send student information to state Education Department after suspected data breach at department exposed on the Inernet personal information of 1,000 students from the county.

Jan. 4. Andrew Minty, Jamie Leong, and Michelle Craddock, plead guilty and are sentenced for conspiring to steal customer information from Enterprise Rent-A-Car in the UK and selling it for hundreds of thousands of pounds to accident claims companies who used it to make nuisance calls about personal injury claims.

Jan. 3. U.S. Office of Management and Budget publishes new policies on how federal agencies should prepare for and address a breach of personally identifiable information.

Jan. 3 The Massachusetts Office of Consumer Affairs and Business Regulation announces it is making reports of potential identity theft available to the public on its website and eliminating need to file a public records request to see them.

Stay tuned for the Q2 2017 edition of the Data Breach Report.

John P. Mello, Jr. a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.

grayfooterline

Q4 2016

The Data Breach Report provides a quarterly diary of noteworthy data breaches and cyber-attacks to CIOs, CSOs, CISOs, IT security teams, and the media.

WHO’S HACKED

Yahoo, Friend Finder, Dropbox suffer biggest attacks

johnmelloembossedJohn P. Mello, Jr.

Menlo Park, Calif. – Dec. 30, 2016

Information on millions of people was exposed during the final calendar quarter of 2016.

Among the big hacks during the period were the theft of information on more than one billion Yahoo accounts, the compromise of the Friend Finder network, which put at risk 412 million accounts and the posting to the Internet by a hacker of 68 million Dropbox accounts from a 2012 data breach.

Cyber bank robbers were also busy during the frame. They compromised 3.2 million payment cards in India and stole $31 million from the central bank of Russia.

BREACH DIARY

December

Dec. 29. FBI and U.S. Department of Homeland Security issue joint report detailing the tools and infrastructure used by Russian intelligence services to compromise and exploit networks and infrastructure associated with the recent U.S. election, as well as a range of U.S. government, political and private sector entities.

Dec. 29. Nevada takes its marijuana portal offline after a data breach exposed confidential information on some 12,000 applications for cards used to obtain medical marijuana.

Dec. 28. InterContinental Hotel Group, which operates more than 5,000 hotels worldwide, says it’s investigating reports of a possible data breach at a small number of its hotels located in the United States.

Dec. 27. Three Chinese citizens charged by United States of engaging in conspiracies to commit insider trading, wire fraud and computer intrusion in an indictment filed in federal court in Manhattan.

Dec. 24. The Daily Caller reports a Russian hacker breached The Russian Visa Center and exposed information on some 3,000 people seeking assistance in obtaining Russian visas.

Dec. 14. Yahoo discloses data breach dating back to 2013 resulting in theft of information on more than one billion accounts.

Dec. 2. Reuters reports hackers using a client’s credentials stole more than $31 million from the central bank of Russia.

Dec. 1. MacKeeper Security Researcher Chris Vickery reports sensitive information of explosives handling company Allied-Horizontal is at risk after a Network-Attached Storage device was exposed to the public Internet.

Dec. 1. International law enforcement authorities announce dismantling of Avalanche, a malware delivery and money mule recruiting platform that produced hundreds of millions of euros in revenues for its operators.

November

Nov. 30. Camelot, the operator of the UK’s national lottery, announces some 26,500 player accounts are at risk after a data breach of its systems.

Nov. 30. Europol reports sensitive data on terrorism investigations conducted from 2006 to 2008 is at risk after an employee brought the data home in violation of agency policy and stored it on a hard drive connected to the Internet without password protection.

Nov. 29. Barrett Brown, a self-proclaimed spokesman for the hacktivist collaborative known as Anonymous, is released from federal prison five months before scheduled.

Nov. 29 Idaho Fish & Game announces it is again selling licenses and posting hunter reports online. The service was knocked offline in August by a data breach.

Nov. 29. Deutsche Telecom and German Office for Information Security announce system disruption over the weekend  affecting some 900,000 customers was part of a failed global attempt by hackers to hijack routers and use them to disrupt Internet traffic.

Nov. 28. The Japan Times reports a cyberattack by a state actor in September may have compromised Japan’s internal military network.

Nov. 28. U.S. Navy warns more than 130,000 sailors their personal information is at risk after a laptop by a contractor is compromised.

Nov. 19. Russian telecom watchdog Roskomnadzor discovers data breaches at 55 websites which contain personal information of children who have written to “Father Frost,” the Russian Santa Claus.

Nov. 18. Michigan State University announces it will notify some 400,000 current and former students and staff of data breach that has compromised their personal information.

Nov. 16. GulfNews reports personal records of more than 34 million residents of the Indian state of Kerala was posted to Facebook by a hacker disenchanted with the security of the state’s computer systems.

Nov. 16. Protenus reports month-to-month decline in health care data breaches to 35 in October from 37 in September, although the number of patient records increased to 776,533 from 246,876.

Nov. 16. Workers at Indian security firm AI solutions discovered selling phone records of Australians from call centers of Optus, Telstra and Vodaphone.

Nov. 15. Seventeen-year-old boy pleads guilty in UK to data breach last year at telecommunications provider TalkTalk which resulted in unauthorized access to personal data of nearly 160,000 people.

Nov. 14. Adobe agrees to pay $1 million to 15 states to settle case stemming from 2013 data breach at the company which resulted in unauthorized access to some 552,000 people.

Nov. 14. Data breach at Friend Finder Network places at risk personal information in more than 412 million accounts.

Nov. 3. New Zealand Nurses Organization announces “tens of thousands” member’s contact details were emailed to someone posing as the chief executive of the organization.

Nov. 2. Business Insider announces its website was compromised by OurMine, a group that hacks websites to expose security flaws.

Nov. 2. U.S. District Judge Rosemary Collyer dismisses class action lawsuit stemming from 2015 data breach at the IRS in which  the personal and financial information of 330,000 taxpayers and their family members was compromised by hackers who infiltrated the now defunct “Get Transcript” service, which allowed taxpayers to access their tax filings online.

October

Oct. 31. Hacker group calling itself Shadow Brokers releases data dump of alleged computer servers around the world compromised by The Equation Group, which is believed to be linked to the NSA.

Oct. 31. U.S. Office of Personnel Management announces it is changing credit monitoring and identity protection service providers and that some of the 25 million people affected by a data breach at the agency will have to re-enroll to continue coverage.

Oct. 31. Attorney General of Washington reports that from July 2015 to July 2016 39 data breaches in the state affected some 450,000 people.

Oct. 20. Weebly, a San Francisco-based website creation company, starts notifying more than 43 million customers their personal information is at risk due to data breach that ocurred in February.

Oct. 20. National Payments Corporation of India reports some 3.2 million payment cards have been compromised in massive ATM security breach.

Oct. 19.  Federal Reserve, FDIC and OCC issue notice of proposed rulemaking seeking comments on a set of enforceable cybersecurity standards for banks with more than $50 billion in assets.

Oct. 18. Redbus, an Indian online travel ticketing platform, confirms data breach that may have compromised more than four million accounts. Company advises all its users to reset their passwords.

Oct. 19. Czech police announce they have arrested Russian citizen in Prague wanted by the FBI in connection to 2012 data theft of 117 million passwords at LinkedIn.

Oct. 17. Katy Independent School District in Texas warns 78,000 students and staff members their personal data is at risk due to a data breach.

Oct. 7. U.S. government formally accuses Russia of a campaign of cyber attacks against Democratic Party organizations ahead of the Nov. 8 presidential election.

Oct. 6. Central Ohio Urology Group reports to U.S. Department of Health and Human Services that 300,000 patients were affected by data breach in August, the eighth largest breach in the nation this year.

Oct. 6. Montana Department of Justice reports 110,000 citizens of the state were victims of data breaches in the last 12 months.

Oct. 6. American 1 Credit Union in Jackson, Mich., announced it will decline all purchases made at Wendy’s by its payment card holders because it doesn’t believe the fast food chain has removed all the malware that infected its point-of-sale systems in more than 1,000 locations in 2-15.

Oct. 5. The BBC reports Fancy Bears, the hackers who published online medical records stolen from the World Anti-Doping Agency, may have doctored some of the data in those records.

Oct. 5. UK Information Commissioner’s Office orders TalkTalk to pay fine of£400,000 in connection to 2015 data breach that affected 150,000 customers.

Oct. 5. The New York Times reports the FBI has arrested Harold T. Martin,  a former employee of NSA contractor Booz Allen Hamilton, and is investigating whether he stole and disclosed classified security code developed by the agency to compromise the networks of foreign governments.

Oct. 4. Personal data of more than 1.5 million users of websites run by C&Z Tech Limited, which include HaveAFling.mobi, HaveAnAffair.mobi and HookUpDating.mobi, is at risk after a database for the sites was found exposed to the Internet without a password.

Oct. 4. Thomas White, aka The Cthulhu, posts to his website as a free download information from more than 68 million Dropbox accounts stolen in a 2012 data breach of the service.

Oct. 4. The Sunday Express reports that Amazon has alerted some its customers that their passwords have been reset after it discovered their Amazon email address and password corresponded to a login list posted online.

Oct. 4. Reuters reports that last year Yahoo built a custom program to search all its customers’ incoming emails for information provided to it by U.S. intelligence officials. Yahoo later denied the claims in the report.

Oct. 3. U.S. District Court Judge Andrea R. Wood dismisses class action lawsuit against Barnes & Noble related to a compromise of its point-of-sale systems in 2012. She found that plaintiffs failed to show they had suffered any actual damages because of the data breach.

Oct. 3. U.S. Surgeon General warns 6,600 medical professionals in his “commissioned corps” that their personal information is at risk by a breach of the agency’s personnel system.

Stay tuned for the Q1 2017 edition of the Data Breach Report.

John P. Mello, Jr. a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.

grayfooterline

© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.