Cybersecurity Ventures Cybercrime Diary. PHOTO: Cybercrime Magazine.

Cybercrime Diary, Vol. 3, No. 1: Who’s Hacked? Latest Data Breaches And Cyberattacks

Facebook, Walmart, FedEx, Walmart kick off the new year with data breach headlines

John P. Mello, Jr.

Sausalito, Calif. – Apr. 6, 2018

Although Facebook has dominated the cybersecurity media headlines over the past few weeks, and the hacks on major brands before that, a careful read through our latest cybercrime diary reveals that organizations of all types and sizes globally are under continual cyber attack.

“Cybercrime is rampant and continually evolving, so always look to minimize or ‘shrink your attack surface’ by understanding both present and past vulnerabilities,” says Gordon MacKay, EVP and CTO at Digital Defense, a trusted provider of security risk assessment solutions, protecting billions of dollars in assets for clients around the globe.

CYBERCRIME DIARY

March

Mar. 30. Czech Republic extradites to the United States Yevgeniy A. Nikulin, a Russian man accused of breaching systems of three American technology companies in 2012, possibly compromising the personal information of more than 100 million users.

Mar. 30. CareFirst BlueCross BluesShield, Maryland’s largest health insurer, announces personal information of 6,800 members is at risk after an employee’s email account was compromised in a phishing attack.

Mar. 30. Cambridge Health Alliance in Massachusetts announces personal information of some 2,500 patients is at risk after electronic files containing the data was discovered by police in the possession of an unauthorized third party.

Mar. 29. Under Armour announces personal information of 150 million users of its MyFitnessPal is at risk after it discovered an intruder had accessed the data.

Mar. 28. City of Baltimore says its emergency dispatch system was shut down by a ransomware attack from Sunday morning to Monday morning. It explains attackers breached the system through a misconfigured firewall, but were contained before any damage could be done.

Mar. 27. An Post, the state-owned provider of postal services in the Republic of Ireland, reveals names and addresses of up 8,000 people is at risk after the data was inadvertently sent to a subsidiary.

Mar. 27. ATI Physical Therapy, which has 100 clinics in Illinois and hundreds of others in 24 states, reports the personal information of as many as 35,000 patients is at risk after a number of employee email accounts were compromised by hackers.

Mar. 26. US Federal Trade Commission confirms it is investigating the privacy practices of Facebook in connection to the leak of personal information of 50 million users to Cambridge Analytica, which used the data to develop techniques used by the Trump presidential campaign organization.

Mar. 26. Upguard, a cybersecurity company, reports the discovery of an unprotected GitHub repository belonging to AggregateIQ, a Canadian political data firm with ties to Cambridge Analytica, which improperly obtained the personal information of 50 million Facebook users and used it to develop techniques for the Trump presidential campaign. The exposed repository contained a set of sophisticated applications, data management programs, advertising trackers, and information databases, as well as numerous credentials, keys, hashes, usernames, and passwords to access other AIQ assets.

Mar. 26. Mississippi State Department of Health sends letters to an undisclosed number of clients notifying them their personal information is at risk after an employee “unknowingly” emailed a spreadsheet containing the data to a contractor working for a government agency.

Mar. 25. Kent and Medway NHS and the Social Care Partnership Trust in the UK notifies their patients that their personal information is at risk after a staff member accessed their medical records without authorization.

Mar. 23. Karan Saini, a New Delhi-based security researcher, reveals a data leak on a system run by Indane, a state-owned utility company, is exposing the personal information of all Aadhaar holders. Aadhaar is a national database of personal information, including biometric data, of more than a  billion citizens of India.

Mar. 23. Pennsylvania’s Department of Education warns 360,000 teachers and staffers their personal information is at risk after an error by an employee allowed users of the state’s Teacher Information Management System to view each other’s information. The breach occurred on Feb. 22 and lasted about 30 minutes.

Mar. 23. Security researcher Giovanni Collazo discovers 2,284 etcd servers exposed on the open Internet. Those servers are used for storing critical information, such as credentials and configuration information for distributed systems.

Mar. 23. Oregon Gov. Kate Brown signs into law bill requiring state residents be notified within 45 days of discovery of a data breach affecting them, unless doing so would impede a law enforcement investigation.

Mar. 22. Fundera and Wakefield Research release study that finds consumers spent $1.4 billion to freeze their credit files in the wake of the Equifax data breach that compromised sensitive information of about 147 million Americans.

Mar. 21. National Mentor Healthcare in Georgia states it’s notifying an unspecified number of people their personal information is at risk after a disk containing the data was lost in the mail.

Mar. 21. Active Network, a company used by endurance events organizers around the world, reveals credit card details of an undisclosed number of marathon runners and endurance athletes were stolen in a data breach that occurred between December 2016 and September 2017.

Mar. 21. South Dakota Gov. Dennis Daugaard signs into law bill requiring state residents be notified of a data breach affecting them within 60 days of the breach’s discovery.

Mar. 20. Orbitz, a travel site owned by Expedia, reveals a data breach at one of its older websites and the platform of an unnamed partner has placed at risk information on 880,000 payment cards used between Jan. 1, 2016 and Dec. 22, 2017.

Mar. 20. Camelot advises 10.5 million players of the UK’s National Lottery to change their passwords after it discovers unauthorized access to more than 100 accounts. This is the second breach in 18 months. In November 2016, 26,500 accounts were compromised through the re-use of stolen credentials.

Mar. 18. Sky News reports confidential information of as many as 450 people is at risk due to a vulnerability in an online tool used by police in Gwent, Wales. It adds police are under investigation because they did not inform the affected citizens about their risk.

Mar. 16. New York Times and London Observer report Cambridge Analytica, a big data analytics company, improperly harvested personal information of more than 50 million Facebook users to develop techniques used by the Trump presidential campaign organization.

Mar. 16. Frost Bank in San Antonio, Texas, states a data breach has exposed the archived images of checks of some 470 business customers.

Mar. 16. Cybersecurity firm NFIR discovers Dutch Data Protection Authority exposed the names of some of its employees in 800 public documents posted to the Internet. The DPA is charged with receiving data breach reports from companies registered in the Netherlands.

Mar. 15. Mossack Fonseca, victim of a data breach that exposed information in 11.5 million client files, announces it will be closing up shop at the end of the month. Documents leaked from the firm were the basis of an expose known as the Panama Papers.

Mar. 15. Svitzer, a shipping company that’s part of the Maersk Group, reports sensitive personal information of some 500 employees in their Australian office is at risk after the email accounts of three employees were compromised for almost 11 months. All mail to the accounts were secretly forwarded outside the company.

Mar. 14. Kromtech, a cybersecurity firm, discovers error in Amazon storage bucket of MBM Company, a jewelry provider to Walmart, has exposed personal information of 1.3 million people to the public Internet.

Mar. 14. US Security and Exchange Commission charges Jun Ying, a former CIO at Equifax, with insider trading for dumping shares in the company after he learned of a massive data breach but before news of the incident was made public.

Mar. 13. North American Electric Reliability Corporation files with Federal Regulatory Commission notice that it has fined a utility $2.7 million for violating Critical Infrastructure Protection Reliability Standards. Although NAERC did not identify the utility by name, it’s believed to be Pacific Gas & Electric, which exposed its asset management system to the public Internet for a period of time in 2016.

Mar. 13. The Mirror reports personal information of 17,000 Tesco Bank customers is at risk due to an error at one of its partners, Travelex, a foreign currency provider, that exposed the data to the public Internet from Dec. 14, 2016 to Jan. 23, 2017.

Mar. 12. BJC HealthCare in St. Louis announces personal information of more than 33,000 patients is at risk due to a configuration error that exposed one of its servers to the public Internet.

Mar. 11. TheMarker, an Israeli newspaper, reports Remini, a popular app used by preschool teachers to communicate with parents, contained a vulnerability that could be exploited to leak information in the software to the Internet. It says app has access to 8.5 million photos and videos of children and personal details of more than 111,000 adults. It adds flaw was corrected by the makers of the app after they were informed about it by a white hat hacker.

Mar. 9. U.S. District Court Judge Lucy Koh in San Jose, Calif. rejects bid by Verizon to dismiss user class action lawsuit against Yahoo for data breaches that compromised three billion accounts in 2013 and 2016.

Mar. 9. Florida Virtual School announces personal information of more than 350,000 students, parents and teachers was stolen two years ago by hackers who discovered one of the school’s servers was unprotected. School learned of breach in February after one of the thieves bragged about the heist on a common hacking site.

Mar. 8. Yahoo agrees to settle investor lawsuit stemming from data breach that compromised three billion accounts for $80 million. Stockholders claimed in their action that the company misled them about its cybersecurity practices.

Mar. 7. EmblemHealth and its wholly owned subsidiary Group Health Incorporated agrees to pay $575,000 penalty to state of New York for error that resulted in the Social Security numbers of 81,122 policyholders being printed on the labels of a mailing sent to them.

Mar. 7. Page Six reports personal data of a number of celebrities is at risk after three computers were stolen from Innovative Artists, a talent agency in Los Angeles. IA clients include Sterling K. Brown, Britt Robertson, Rachel Brosnahan, Channing Tatum, Lacey Chabert, and Jane Seymour.

Mar. 6. Fresno State University reveals personal information of 15,000 student athletes, sports camp attendees, and athletic corporation employees is at risk after an external hard drive was stolen from a campus building. Most of the data covered a period from 2003 to 2014.

Mar. 2. Equifax says massive data breach in 2017 that compromised sensitive information of some 147 million consumers will cost the company $275 million in technology and data security upgrades, legal fees, and the offering of free identity theft protection and credit monitoring services.

Mar. 2. Rockdale Independent School District in Texas says tax information of more than 350 employees is at risk after it was sent to an online scammer pretending to be the superintendent of the district.

Mar. 2. St. Peter’s Surgery & Endoscopy Center in New York state announces medical records of some 135,000 patients are at risk after malware was discovered on the center’s computer systems.

Mar. 2. Applebees, a national restaurant chain, announces it has found malware on its point-of-sale system. It says more than 160 eateries are affected by the attack, most from Dec. 6, 2017 to Jan. 2, 2018, but a few were infected as long ago as November 23. It adds the malicious code is designed  to collect names, credit or debit card numbers, expiration dates, and card verification codes.

Mar. 1. Equifax finds an additional 2.4 million Americans affected by a data breach at the credit reporting company in 2017. It adds the new pool of victims had less information compromised than by the 145.5 million people originally connected to the breach.

Mar. 1. Kansas Department for Aging and Disability says personal information of 11,000 people is at risk after a staff member improperly emailed the data to local contractors with the state’s 11 area agencies on aging. Information included Social Security numbers, birth dates, and other personal details of Medicaid recipients and potential recipients of the health care program.

Mar. 1. ZDNet reports a database belonging to L’Express, a French news magazine, was exposed to the public Internet without a password for weeks before the issue was addressed. The MongoDB database is 60GB in size and contains data on 693,000 readers and other information about the publication’s operations.

Mar. 1. Tufts Health Plan announces accounts of some 70,000 members are at risk after membership cards were mailed to them with their account numbers visible in the transparent window of the envelopes containing the cards.

February

Feb. 28. NIS America warns its customers their payment and address information is at risk after it discovered malware on its online stores designed to skim customer information at checkout. It says malicious app was active between January 23 and February 26. Customers who made purchases in that time frame are most likely to be affected by the attack.

Feb. 28. Nuance Communications, a speech and image technology company, reports to US Security and Exchange Commission that the NotPetya global malware attack in June 2017 cost the company $92 million in lost revenue, a number that’s expected to increase in 2018.

Feb. 28. Marine Corps Times reports private information of 21,426 marines, sailors and civilians is at risk after an attachment containing the information was sent to the wrong email distribution list.

Feb. 22. Thales, a cybersecurity and data security company, releases report that finds 57 percent of federal IT pros say they experienced a data breach in the last 12 months. That compares to 34 percent in 2017 and 18 percent in 2016.

Feb. 22. Asia Times reports 10,000 credit and debit card numbers belonging to customers of the Punjab National Bank in India have been discovered on a Dark Web site by CloudSek Information Security, a data transaction monitoring company.

Feb. 22. CarePlus Health Plan, a provider of Medicare advantage health maintenance organization benefit plans in Florida, confirms explanation of benefit letters were incorrectly mailed to some 11,200 of its members.

Feb. 22. Harper’s magazine advises its subscribers to change their passwords for its site because it believes they have been compromised by hackers.

Feb. 22. Massachusetts Department of Revenue revises estimate of number of businesses affected by data breach earlier in the month to 39,000 from 16,500.

Feb. 21. Raytheon and the Ponemon Institute release survey of 1,100 senior IT specialists from the United States, Europe, the Middle East and Africa in which 80 percent of respondents predict unsecured Internet of Things devices will cause a potentially catastrophic data breach at their organizations in the next three years.

Feb. 21. University of Virginia Health Systems mails letters to 1,882 patients telling them their personal health information is at risk after malware was discovered on a laptop and other devices of one of the healthcare providers physicians. The malware allowed an unauthorized party to spy on the doctor’s activity between May 3, 2015 and Dec. 27, 2016.

Feb. 21. Singapore Press Holdings Magazines and the HardwareZone apologize to 685,000 users whose personal data is at risk after it was viewed by an intruder who accessed it with the compromised credentials of a senior moderator at the HWZ site.

Feb. 20. The Verge reports credentials for 55,851 Snapchat accounts were posted to a public website after a phishing attack on the message service’s users. It says not all the credentials were valid and Snapchat reset most of them after the attack, but for a period of time some valid credentials were exposed on the public site.

Feb. 20. RedLock, a cybersecurity firm, reports sensitive data belonging to electric car maker Tesla was at risk when a Kubernetes console without password protection was exposed to the public Internet. Kubernetes is software used to manage software containers. Hackers also used their Kubernetes access to perform cryptomining.

Feb. 20. Big Brother Watch, a UK advocacy group, reports local authorities suffered 98 million cyberattacks between 2013 and 2017, or 37 attempts per minute. Most of the attacks were unsuccessful, with only 29 percent leading to a system breach and only six percent resulting in a data loss.

Feb. 16. Sacramento Bee reports personal information is at risk of as many as 2,300 employees of California’s Fish and Wildlife Department after a former employee downloaded the data to an unsecured network. The data, which was for employees who worked for the agency in 2007, included workers’ names and Social Security numbers. The department says the former employee did not appear to have any malicious intent behind his actions.

Feb. 15. Kromtech, a cybersecurity company, reveals more than 119,000 sensitive customer documents stored by FedEx on an Amazon server were exposed to the public on the Internet due to a configuration error. It says FedEx has addressed the issue and found no evidence that any data was misappropriated.

Feb. 15. New Jersey US District Court Judge Jerome B. Simandle sentences Vladimir Drinkman, 37, and  Dmitriy Smilianets, 34, for their roles in a worldwide hacking and data breach scheme that targeted major corporate networks, compromised 160 million credit card numbers, and resulted in hundreds of millions of dollars in losses. Drinkman was sentenced to 144 months in federal prison and Smilianets will be incarcerated for 51 months and 21 days.

Feb. 15. Triple-S Advantage, a healthcare provider  in Puerto Rico, notifies 36,305 people their personal information is at risk after it was mailed  to the wrong address. It adds that it believes none of the information was misused.

Feb. 13. The Register reports Western Union is notifying its customers their personal information is at risk after vendor it used for data storage was compromised by hackers. Money transfer company says data at the storage facility included customers’ contact details, bank names, Western Union internal customer ID numbers, as well as transaction amounts, times, and identification numbers, but no credit card information.

Feb. 13. Boston Globe reports a data mix-up at the Massachusetts Revenue Department exposed private information of about 16,500 business taxpayers to be viewed by companies using the agency’s tax portal. Information exposed by the error included business names, federal employer identification numbers, and tax payments.

Feb. 11. The Register reports more than 4,200 websites around the world, including the UK’s Commissioner of Information’s office and the portal for US court information, were infected with cryptomining malware delivered in browser plugin called Browsealoud, which is designed to read web pages for people with sight problems.

Feb. 10. CNN reports tax IDs and driver’s license details may have been exposed in Equifax data breach, in addition to other sensitive information about consumers originally revealed by the company.

Feb. 7. Swisscom, a telecom company, reveals in statement one of its sales partners suffered a data breach in the autumn of 2017 that compromised personal information of 800,000 Swisscom clients. It adds data, under Swiss law, was “non-sensitive” because it is in the public domain or on existing marketing lists.

Feb. 7. Officials of Waldo County in Maine begin notifying some 100 employees their tax information is at risk after it was sent to phishing scammer.

Feb. 7. Thomasville, N.C. notifies some 270 employees their Social Security numbers are at risk after they were posted to Facebook in documents requested under the state’s public records laws. City Manager Kelly Craver explains information should have been redacted from documents but wasn’t.

Feb. 6. Risk Based Security releases report that finds data breaches in 2017 reached an all time high (5,207). It also found that the number of records compromised in those breaches increased 24.2 percent over 2016, to 7.8 billion, also a new all time high.

Feb. 6. Javelin Strategy & Research releases study that finds identity fraud victims increased year-over-year by 1.3 million, to 16.7 million in 2017 from 15.4 million in 2016. Study also finds that, for the first time ever, more Social Security numbers were stolen than credit card numbers.

Feb. 5. Partners HealthCare, the largest private employer in Massachusetts, announces an intrusion into its information systems has placed at risk personal healthcare data of 2,600 patients.

Feb. 5. Upguard, a cyber risk solutions company, reports Octoly, a brand marketing firm, exposed on the public Internet sensitive information of more than 12,000 prominent social media influencers due to misconfiguration of a cloud repository.

Feb. 4. Keokuk, Iowa, announces the tax information of employees who worked for the city in 2017 is at risk after W-2 tax form data was sent to an unauthorized party who launched a phishing attack against the municipality.

Feb. 1. Fresenius Medical Care North America agrees to pay $3.5 million to the US Department of Health and Human Services Office for Civil Rights to settle potential violations of the privacy and security rules of the Health Insurance Portability and Accountability Act. In 2013, the provider of products and services for people with chronic kidney failure reported five data breaches that occurred from February to July 2012.

Feb. 1. Eastern Maine Medical Center alerts 660 patients their healthcare information is at risk after a portable hard drive containing the data disappeared from the provider’s State Street facility in Bangor.

Feb. 1. Massachusetts Attorney General Maura Healey announces new portal for filing data breach notices online. Notices can be filed through the portal in lieu of paper filings.

January

Jan. 31. Cybercrime Squad of the state of New South Wales in Australia arrests 37-year-old man suspected of compromising computer systems of GoGet, a car sharing company, in order to use vehicles without authorization. GoGet says payment card information was not affected by the breach.

Jan. 29. Credential monitoring firm VeriClouds finds an average of 10 percent of Fortune 500 employees’ email credentials have been leaked via a data breach. Some industries have higher averages, such as telecommunications (23 percent), energy (18 percent) and financial services (17 percent). Study is based on analysis of eight billion stolen credentials gathered over a three-year period.

Jan. 29. University of Richmond in Virginia reports its information security staff discovered a cache of 1.4 billion pieces of private account information on a concealed website on the Internet. The university says the cache is made up of information from a number of data breaches over several years, including those at LinkedIn, Adobe, and Yahoo.

Jan. 27. Coincheck, one of Japan’s largest digital currency exchanges, reports data breach resulting in theft of $534 million in virtual money.

Jan. 27. Charlotte Housing Authority in North Carolina announces federal tax information for its current and some former employees was compromised when it was sent to a fraudulent email account by an employee who believed they were responding to a request from the agency’s CEO.

Jan. 26. API developer The SMS Works reports the UK Information Commissioner’s Office collected £4.9 million in fines in 2017, a 69 percent increase over 2016 when the office garnered £2.9 million from financial penalties.

Jan. 26. Decatur County General Hospital in Parsons, Tenn. notifies 24,000 patients their personal and healthcare information is at risk after cyrptomining malware was discovered on the provider’s Electronic Medical Record server.

Jan. 26. Irish court sentences Rory Lenihan to effectively one year in prison for receiving £22,000 in corrupt payments between 2008 and 2010 from private investigators for providing them with information from his then employer, the Department of Employment Affairs and Social Protection.

Jan. 23. Protenus Breach Barometer for 2017 reveals 5.6 million patient records were breached during the year. It also shows that while the number of data breaches at health systems increased slightly year-over-year, to 477 in 2017 from 450 in 2016, the number of records compromised dropped dramatically from 27.3 million in 2016.

Jan. 23. The Malaysian Communication and Multimedia Commission tells Reuters it’s investigating report by tech portal Lowyat.net that files containing personal information of 220,000 Malaysian organ donors has been posted online where anyone can access them.

Jan. 23. British charity Age UK estimates that personal information of as many as 5,000 current and former employees was compromised in two data breaches that occurred at the end of 2017.

Jan. 23. Mississippi Education Superintendent Carey Wright announces 2016 standardized test information for 663 students is at risk after an unauthorized user accessed them at Questar Assessment, which administers English language arts and math tests for the state.

Jan. 23. Royal Canadian Mounted Police and Canada’s Privacy Commissioner’s office confirm they’re investigating a data breach at Bell Canada that placed at risk personal information of some 100,000 customers.

Jan. 23. National Stores announces customer payment card information at some of its 340 locations in the United States and Puerto Rico was compromised by malware on the retailer’s sales systems between July 16 and Dec. 11, 2017. The retail chain does business under several brands, including Fallas, Fallas Paredes, and Fallas Discount Stores.

Jan. 20. Florida Division of Elections announces private information of 945 people is at risk after it was released to a member of the public by mistake. The incident is the second time in four months a state agency has exposed sensitive information about state residents.

Jan. 19. Smartphone maker OnePlus announces up to 40,000 customers were affected by a security breach that forced the company to shut off credit card payments at its online store. It says a malicious script running on one of its payment processing servers has been scraping payment card information from the site since November 2017.

Jan. 19. Westminster Ingleside King Farm Presbyterian Retirement Communities in Maryland warns 5,228 residents their personal healthcare information is at risk after it was targeted in a malware attack.

Jan. 18. Singapore’s Personal Data Protection Commission fines Social Metric, a digital marketing agency, S$18,000 for the public display of private information on its website of 558 people, including 155 children.

Jan. 18. New York State Education Department reveals that personal data of about 52 students is at risk after it was accessed by a former employee of Questar Assessment, the company that develops reading and math tests for scholars in grades three through eight in the state.

Jan. 18. Chicago-based Allscripts reveals 1,500 clients affected by ransomware attack that disabled the healthcare vendor’s electronic health record and controlled substances prescription systems, and other services.

Jan. 17. Aetna agrees to $17 million settlement of class action lawsuit stemming from botched mailing that exposed the HIV status of some 12,000 customers in July 2017.

Jan. 17. UK Home Office pays asylum seeker £15,500 after it mishandled information about him that endangered the lives of him and his family.

Jan. 16. Royal Canadian Mounted Police charges Evan Bloom, operator of the for-profit data breach website LeakedSource, with selling stolen personal identities.

Jan. 15. Norway’s Health South-East RHF reveals the information for nearly three million patients is at risk after the healthcare provider’s computer systems were breached by hackers.

Jan. 14. Independent News & Media, the largest publisher of newspapers in Ireland, warns National Union of Journalists their members’ confidential information may have been compromised when the publisher allowed Trusted Data Solutions, an IT services provider, access to the company’s servers.

Jan. 12. Onco360 and CareMed Specialty Pharmacy warns their patients that their personal information is at risk after the email accounts of three employees were compromised by system intruders. It has been estimated that as many as 53,173 people may be affected by the incursion.

Jan. 11. Jason’s Deli, a national restaurant chain, warns customers that malware planted on its point-of-sale system has placed at risk some two million payment card numbers.

Jan. 10. UK Information Commissioner’s Office fines mobile phone retailer Carphone £400,000 for failing to adequately protect its customers’ data, which resulted in 2015 data breach.

Jan. 10. Leicester City Council orders 27 cab companies to destroy spreadsheet file containing information on thousands of vulnerable people, including children, sent to them in error. It warns opening the file violates the UK’s Data Protection Act.

Jan. 10. US Sens. Elizabeth Warren, D-Mass, and Mark Warner, D-Va., file legislation imposing stricter regulation of credit reporting agencies. Bill establishes an Office of Cybersecurity in the Federal Trade Commission for inspecting and supervising information security at CRAs and imposes stiff financial penalties for any compromise of consumers’ personal identifying information.

Jan. 9. Digital Interruption, a UK cybersecurity firm, reveals flaws at SinVR, a virtual reality pornography website, placing at risk personal identifying information of some 20,000 users.

Jan. 9. Wall Street Journal reports Wag Labs, maker of a popular dog walking app, accidently exposed information about its users online due to a technical problem at its website. Information exposed to the public included addresses and codes to lockboxes that could allow thieves to enter a home.

Jan. 8. VTech, a maker of online-enabled toys, agrees to pay $650,000 to settle enforcement action by US Federal Trade Commission stemming from data breach in November 2015 resulting in the theft of data on 4.8 million parents and 200,000 children.

Jan. 8. North Carolina Attorney General Josh Stein releases 2017 data breach report for the state, which shows a 15 percent increase from 2016, or 1,022 breaches affecting 5.3 million residents of the Tar Heel State.

Jan. 8. Bipartisan coalition introduces into North Carolina legislature bill to expand definition of data breach to include ransomware and require data breaches be reported to the public and state attorney general within 15 days.

Jan. 7. Unique Identification Authority of India files criminal complaint against Rachna Khaira, a reporter who exposed a data breach affecting the personal information of 1.2 billion Indians in the nation’s Aadhaar d Aadhaar database. The complaint alleges a wide range of charges including forgery and cheating.

Jan. 5. Florida’s Agency for Health Care Administration announces personal information of up to 30,000 Medicaid enrollees is at risk after an unauthorized third party accessed it through a phishing scam.

Jan 5. Oklahoma State University Center for Health Sciences discloses personal information for nearly 280,000 Medicaid patients is at risk after a server containing the data was accessed by an unauthorized third party.

Jan. 5. Cosmetic products retailer beautyblender notifies an undisclosed number of customers their credit card information is at risk after malware was planted on its website. Company says it can’t determine how many customers are affected by the attack because backups of the site, which could be used to pinpoint when the site became infected, aren’t available from its web hosting provider.

Jan. 3. US Department of Homeland Security notifies some 247,167 current and former employees, as well as individuals associated with DHS investigations from 2002 to 2014 that their personal information is at risk after it was removed from the agency by a former employee currently under criminal investigation.

Jan. 3. Tribune of India reports a blackmarket service is available online that allows anyone willing to pay a fee of around $8 to access the personal information of any Indian citizen in the country’s national Aadhaar database. For another $5, the service sells software to print an Aadhaar card from any Aadhaar number provided the service.

Jan. 2. Atlanta-based Emory Healthcare notifies 24,000 patients their diagnostic and medical information is at risk after a physician who formerly worked at the provider stored  the data in a Microsoft OneDrive account accessible by some individuals at the University of Arizona, where the doctor now works.

Cybercrime Diary Archives

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.

The Cybercrime Diary is sponsored by Digital Defense, Inc.

Founded in 1999, Digital Defense is a trusted provider of security risk assessment solutions, protecting billions of dollars in assets for clients around the globe.

Serving clients across numerous industries from small businesses to very large enterprises, Digital Defense’s innovative and leading edge information security technology helps organizations safeguard sensitive data and eases the burdens associated with information security. Frontline Vulnerability Manager™, the original Vulnerability Management as a Service (VMaaS) platform, delivers consistently accurate vulnerability scanning and penetration testing, while SecurED®, the company’s security awareness training promotes employees’ security-minded behavior.