DATA BREACH REPORT

FROM THE EDITORS AT CYBERSECURITY VENTURES

Q4 2016

The Data Breach Report provides a quarterly diary of noteworthy data breaches and cyber-attacks to CIOs, CSOs, CISOs, IT security teams, and the media.

WHO’S HACKED

Yahoo, Friend Finder, Dropbox suffer biggest attacks

johnmelloembossedJohn P. Mello, Jr.

Menlo Park, Calif. – Dec. 30, 2016

Information on millions of people was exposed during the final calendar quarter of 2016.

Among the big hacks during the period were the theft of information on more than one billion Yahoo accounts, the compromise of the Friend Finder network, which put at risk 412 million accounts and the posting to the Internet by a hacker of 68 million Dropbox accounts from a 2012 data breach.

Cyber bank robbers were also busy during the frame. They compromised 3.2 million payment cards in India and stole $31 million from the central bank of Russia.

BREACH DIARY

December

Dec. 29. FBI and U.S. Department of Homeland Security issue joint report detailing the tools and infrastructure used by Russian intelligence services to compromise and exploit networks and infrastructure associated with the recent U.S. election, as well as a range of U.S. government, political and private sector entities.

Dec. 29. Nevada takes its marijuana portal offline after a data breach exposed confidential information on some 12,000 applications for cards used to obtain medical marijuana.

Dec. 28. InterContinental Hotel Group, which operates more than 5,000 hotels worldwide, says it’s investigating reports of a possible data breach at a small number of its hotels located in the United States.

Dec. 27. Three Chinese citizens charged by United States of engaging in conspiracies to commit insider trading, wire fraud and computer intrusion in an indictment filed in federal court in Manhattan.

Dec. 24. The Daily Caller reports a Russian hacker breached The Russian Visa Center and exposed information on some 3,000 people seeking assistance in obtaining Russian visas.

Dec. 14. Yahoo discloses data breach dating back to 2013 resulting in theft of information on more than one billion accounts.

Dec. 2. Reuters reports hackers using a client’s credentials stole more than $31 million from the central bank of Russia.

Dec. 1. MacKeeper Security Researcher Chris Vickery reports sensitive information of explosives handling company Allied-Horizontal is at risk after a Network-Attached Storage device was exposed to the public Internet.

Dec. 1. International law enforcement authorities announce dismantling of Avalanche, a malware delivery and money mule recruiting platform that produced hundreds of millions of euros in revenues for its operators.

November

Nov. 30. Camelot, the operator of the UK’s national lottery, announces some 26,500 player accounts are at risk after a data breach of its systems.

Nov. 30. Europol reports sensitive data on terrorism investigations conducted from 2006 to 2008 is at risk after an employee brought the data home in violation of agency policy and stored it on a hard drive connected to the Internet without password protection.

Nov. 29. Barrett Brown, a self-proclaimed spokesman for the hacktivist collaborative known as Anonymous, is released from federal prison five months before scheduled.

Nov. 29 Idaho Fish & Game announces it is again selling licenses and posting hunter reports online. The service was knocked offline in August by a data breach.

Nov. 29. Deutsche Telecom and German Office for Information Security announce system disruption over the weekend  affecting some 900,000 customers was part of a failed global attempt by hackers to hijack routers and use them to disrupt Internet traffic.

Nov. 28. The Japan Times reports a cyberattack by a state actor in September may have compromised Japan’s internal military network.

Nov. 28. U.S. Navy warns more than 130,000 sailors their personal information is at risk after a laptop by a contractor is compromised.

Nov. 19. Russian telecom watchdog Roskomnadzor discovers data breaches at 55 websites which contain personal information of children who have written to “Father Frost,” the Russian Santa Claus.

Nov. 18. Michigan State University announces it will notify some 400,000 current and former students and staff of data breach that has compromised their personal information.

Nov. 16. GulfNews reports personal records of more than 34 million residents of the Indian state of Kerala was posted to Facebook by a hacker disenchanted with the security of the state’s computer systems.

Nov. 16. Protenus reports month-to-month decline in health care data breaches to 35 in October from 37 in September, although the number of patient records increased to 776,533 from 246,876.

Nov. 16. Workers at Indian security firm AI solutions discovered selling phone records of Australians from call centers of Optus, Telstra and Vodaphone.

Nov. 15. Seventeen-year-old boy pleads guilty in UK to data breach last year at telecommunications provider TalkTalk which resulted in unauthorized access to personal data of nearly 160,000 people.

Nov. 14. Adobe agrees to pay $1 million to 15 states to settle case stemming from 2013 data breach at the company which resulted in unauthorized access to some 552,000 people.

Nov. 14. Data breach at Friend Finder Network places at risk personal information in more than 412 million accounts.

Nov. 3. New Zealand Nurses Organization announces “tens of thousands” member’s contact details were emailed to someone posing as the chief executive of the organization.

Nov. 2. Business Insider announces its website was compromised by OurMine, a group that hacks websites to expose security flaws.

Nov. 2. U.S. District Judge Rosemary Collyer dismisses class action lawsuit stemming from 2015 data breach at the IRS in which  the personal and financial information of 330,000 taxpayers and their family members was compromised by hackers who infiltrated the now defunct “Get Transcript” service, which allowed taxpayers to access their tax filings online.

October

Oct. 31. Hacker group calling itself Shadow Brokers releases data dump of alleged computer servers around the world compromised by The Equation Group, which is believed to be linked to the NSA.

Oct. 31. U.S. Office of Personnel Management announces it is changing credit monitoring and identity protection service providers and that some of the 25 million people affected by a data breach at the agency will have to re-enroll to continue coverage.

Oct. 31. Attorney General of Washington reports that from July 2015 to July 2016 39 data breaches in the state affected some 450,000 people.

Oct. 20. Weebly, a San Francisco-based website creation company, starts notifying more than 43 million customers their personal information is at risk due to data breach that ocurred in February.

Oct. 20. National Payments Corporation of India reports some 3.2 million payment cards have been compromised in massive ATM security breach.

Oct. 19.  Federal Reserve, FDIC and OCC issue notice of proposed rulemaking seeking comments on a set of enforceable cybersecurity standards for banks with more than $50 billion in assets.

Oct. 18. Redbus, an Indian online travel ticketing platform, confirms data breach that may have compromised more than four million accounts. Company advises all its users to reset their passwords.

Oct. 19. Czech police announce they have arrested Russian citizen in Prague wanted by the FBI in connection to 2012 data theft of 117 million passwords at LinkedIn.

Oct. 17. Katy Independent School District in Texas warns 78,000 students and staff members their personal data is at risk due to a data breach.

Oct. 7. U.S. government formally accuses Russia of a campaign of cyber attacks against Democratic Party organizations ahead of the Nov. 8 presidential election.

Oct. 6. Central Ohio Urology Group reports to U.S. Department of Health and Human Services that 300,000 patients were affected by data breach in August, the eighth largest breach in the nation this year.

Oct. 6. Montana Department of Justice reports 110,000 citizens of the state were victims of data breaches in the last 12 months.

Oct. 6. American 1 Credit Union in Jackson, Mich., announced it will decline all purchases made at Wendy’s by its payment card holders because it doesn’t believe the fast food chain has removed all the malware that infected its point-of-sale systems in more than 1,000 locations in 2-15.

Oct. 5. The BBC reports Fancy Bears, the hackers who published online medical records stolen from the World Anti-Doping Agency, may have doctored some of the data in those records.

Oct. 5. UK Information Commissioner’s Office orders TalkTalk to pay fine of£400,000 in connection to 2015 data breach that affected 150,000 customers.

Oct. 5. The New York Times reports the FBI has arrested Harold T. Martin,  a former employee of NSA contractor Booz Allen Hamilton, and is investigating whether he stole and disclosed classified security code developed by the agency to compromise the networks of foreign governments.

Oct. 4. Personal data of more than 1.5 million users of websites run by C&Z Tech Limited, which include HaveAFling.mobi, HaveAnAffair.mobi and HookUpDating.mobi, is at risk after a database for the sites was found exposed to the Internet without a password.

Oct. 4. Thomas White, aka The Cthulhu, posts to his website as a free download information from more than 68 million Dropbox accounts stolen in a 2012 data breach of the service.

Oct. 4. The Sunday Express reports that Amazon has alerted some its customers that their passwords have been reset after it discovered their Amazon email address and password corresponded to a login list posted online.

Oct. 4. Reuters reports that last year Yahoo built a custom program to search all its customers’ incoming emails for information provided to it by U.S. intelligence officials. Yahoo later denied the claims in the report.

Oct. 3. U.S. District Court Judge Andrea R. Wood dismisses class action lawsuit against Barnes & Noble related to a compromise of its point-of-sale systems in 2012. She found that plaintiffs failed to show they had suffered any actual damages because of the data breach.

Oct. 3. U.S. Surgeon General warns 6,600 medical professionals in his “commissioned corps” that their personal information is at risk by a breach of the agency’s personnel system.

Stay tuned for the Q1 2017 edition of the Data Breach Report.

John P. Mello, Jr. a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.

grayfooterline

© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.