Cybersecurity Ventures Cybercrime Diary. PHOTO: Cybercrime Magazine.

Cybercrime Diary, Vol. 3, No. 4: Who’s Hacked? Latest Data Breaches And Cyberattacks

Marriott, Apollo, and Quora end year making data breach headlines

John P. Mello, Jr.

Northport, N.Y. – Jan. 2, 2019

Marriott, Apollo and Quora discovered hackers don’t take holidays, as those companies suffered massive data breaches during the holiday season. Lodging chain Marriott suffered a breach of its reservation system that compromised the personal information of 500 million customers. Apollo, a sales engagement company, also revealed that 200 million records had been stolen from a database it maintained of prospective clients. Quora, a popular question-and-answer website, too, was victimized during the final frame of 2018. A breach there placed at risk personal information of 100 million users. Those were just a few of many data breaches listed in our diary below.


Dec. 28. Nova Entertainment warns more than 260,000 Australian listeners that personal data collected from them between 2009 and 2011 has been publicly disclosed due to a data breach.

Dec. 28. The South Korean Unification Ministry reveals personal information of nearly 1,000 North Korean defectors has been stolen by hackers from a database maintained by the resettlement agency.

Dec. 28. Blue Cross Blue Shield of Michigan warns nearly 15,000 members of its Medicare Advantage health care plans that their personal data is at risk due to the theft of a laptop containing their data.

Dec. 27. Alcohol-seller BevMo in California is warning more than 14,000 customers who performed transactions on its website between August 2 and September 26 that their payment card information is at risk after malicious code was found on the site’s checkout page.

Dec. 27. Avery Center of Obstetrics and Gynecology in Connecticut is ordered to pay Emily Byrne $853,000 for releasing her medical records to a former boyfriend without her consent.

Dec. 26. Flowers Hospital in Alabama pays $150,000 to settle lawsuit arising from data breach in 2014 affecting some 1,200 patients.

Dec. 21. San Diego Unified School District reveals that the compromise of one of its databases has exposed to unauthorized parties the personal information of more 500,000 students, parents, and staff members.

Dec. 20. German magazine c’t reports a bug in Amazon Alexa resulted in 1,700 voice recordings of one user being shared without authorization with another user. Amazon says it has fixed the problem.

Dec. 20. French Data Protection Authority fines Uber €400,000 over a 2016 data breach that exposed the personal data of 57 million people worldwide.

Dec. 20. Bruegger’s Bagels, a national restaurant chain, warns customers who made purchases at its locations between Aug. 28 and Dec. 3 that their payment card information is at risk due to a compromise of the company’s point of sale system.

Dec. 20. Minneapolis-based Caribou Coffee announces that a data breach affecting at least 265 of its stores has exposed personal information, including credit card data. The number of customers affected by the attack is not disclosed.

Dec. 20. Eyewear retailer Warby Parker announces data of 198,000 customers is at risk after a “credential stuffing” attack by hackers. Credential stuffing results from threat actors using credentials obtained from one data breach to create breaches elsewhere.

Dec. 19. McLean Hospital in Belmont, Mass. agrees to pay $175,000 in fines to the Bay State for losing eight unencrypted back-up tapes containing personal and health information for 1,500 patients, employees, and brain donors.

Dec. 19. Yapstone Holdings, a processor of payments for rental and vacation properties, agrees to pay $155,000 penalty to Massachusetts for exposing online personal information of 6,800 of the state’s residents when password protection was removed from its public-facing websites after they were upgraded.

Dec. 18. Gemini Advisory reports vulnerabilities in Click2Gov, a software program used by communities to collect bills and fees, has resulted in 294,929 payment records being compromised in 46 U.S. cities. It estimates cybercriminals have raked in $1.7 million selling those records, typically for $10 per record.

Dec. 18. NASA informs current and former employees their personal identifying information, including Social Security numbers, is at risk after discovery in October that a server containing the data was compromised.

Dec. 14. Facebook reveals bug in a photo API exposes photos of 6.8 million users to third-party developers.

Dec. 11. Google announces it will shut down its social network Google+ after discovering a bug exposed information of 52.5 million users to developers following a software update. The company originally announced it was shuttering its social network in October after news reports a security flaw in the system exposed the personal profile data of some 500 million users.

Dec. 10. U.S. House Oversight Committee releases report finding 2017 Equifax data breach that affected 148 million Americans was “entirely preventable.”

Dec. 10. Baylor Scott & White Medical Center in Frisco, Texas alerts some 47,000 patients and guarantors their personal data is at risk due to an unlawful intrusion into its computer systems. It adds that there is no indication that any of the information accessed by the intruder was disclosed or misused.

Dec. 7. Cape Cod Community College President John Cox notifies college employees that hackers stole $807,130 from the school in West Barnstable, Mass., through a phishing scam.

Dec. 7. Italy levels $11.4 million in fines on Facebook for using people’s data for commercial purposes in ways that break the nation’s laws.

Dec. 4. Cancer Treatment Centers of America in Arizona warns 41,948 people their protected health care information is at risk after an employee’s email account was compromised in a phishing scam.

Dec. 3. Security blogger Brian Krebs reports Jared and Kay Jewelers have fixed a bug at their websites that allowed any user to see other customers’ orders with a simple modification of a receipt’s URL.


Nov. 30. Marriott reveals data breach of its reservation system has compromised personal information of 500 million customers. Data accessed by intruders included names, addresses, credit card numbers, phone numbers, passport numbers, travel locations, and arrival and departure dates.

Nov. 30. Quora, a popular question-and-answer website, discovers data breach placing at risk personal information of some 100 million users. Data compromised included email addresses, cryptographically protected passwords to private direct messages, and data from other networks, such as Facebook and Twitter, that users can choose to link to their accounts.

Nov. 29. Security researcher Fabio Castro discovers unprotected ElasticSearch server of Sky Brasil, one of the largest subscription TV services in Brazil, exposing on the Internet data of 32 million subscribers.

Nov. 29. Twitter user with the handle @TheHackerGiraffe hacks 50,000 printers and prints message to subscribe to the YouTube channel of Felix Kjellberg, a YouTube personality better known as PewDiePie. PewDiePie is battling to keep his ranking as most subscribed YouTube channel against Indian record label T-Series.

Nov. 28. Atrium Health, a healthcare and wellness provider serving North and South Carolina, reveals an intruder had unauthorized access to its databases through a third-party vendor between September 22 to 29, exposing information including 700,000 Social Security numbers, on 2.65 million patients.

Nov. 28. Hacken security researcher Bob Diachenko discovers unprotected ElasticSearch server exposing online information on nearly 57 million Americans. Diachenko says he could not identify the owner of the data, but evidence points to Data & Leads Inc., a data management company.

Nov. 28. Dell resets passwords of its website users after it detects an attempt to extract customer data from the site. It says that while it’s possible data was extracted, it found no conclusive evidence data was removed from its network. It did not disclose how many customers were affected by the attack.

Nov. 27. Uber is fined $1.17 million by British and Dutch authorities for 2016 data breach and cover up that resulted in the theft of information on 57 million users and drivers of the ride-sharing service.

Nov. 27. U.S. Justice Department announces dismantling of two international online ad-fraud rings and indictment of eight men connected to the criminal enterprises. It estimates one ring falsified billions of ad views causing businesses to pay more than $7 million for ads never seen by consumers. The other ring bilked businesses of more than $29 million for unseen ads.

Nov. 26. The Data Protection Authority of Belgium announces increase in data breach reports it has received since EU’s General Data Protection Regulation took effect in May, to 317 from 13 a year ago.

Nov. 23. Germany issues first penalty under European Union’s General Data Protection Regulation. Knuddels, a flirty chat site, is fined €20,000 for data breach resulting in theft of 808,000 email addresses and more than 1.8 million user names and passwords.

Nov. 21. U.S. Post Office fixes security flaw that allowed anyone with an account at the agency’s website to view the account details of any of the other 60 million users of the system.

Nov. 21. Online retailer Amazon announces a technical error exposed a number of customers’ names and email addresses on its website. The company did not disclose how many customers were affected or their location.

Nov. 21. Troy Hunt of Have I Been Pwned, a data breach tracking website, reports theft of personal data of nearly half a million subscribers to High Tail Hall, an adult entertainment website that features sexualized animals. High Tail says no financial data was compromised by the data breach and security has been tightened up.

Nov. 20. Connor Allsopp, 21, is sentenced to 12 months in prison and Matthew Hanley, 23, to eight months by UK judge Anaju Dhir for their role in a data breach at telecommunications company TalkTalk in 2015, which affected 1.6 million accounts and cost the company £77 million.

Nov. 20. Recorded Future, a cybersecurity firm, reports Tessa88, a hacker connected to some massive data breaches in 2016 at MySpace, Badoo, Dropbox, LinkedIn, and Twitter, is Maksim Vladimirovich Donakov, 29, of Penza, Russia.

Nov. 19. Vision Direct, a large European online seller of contact lenses and eye care products, announces a data breach caused by a fake Google analytics script on its websites in the UK, Ireland, the Netherlands, France, Spain, Italy, and Belgium has placed at risk personal and financial data of 16,300 people.

Nov. 16. TechCrunch reports a security lapse by Voxox, a communications company based in San Diego, Calif., exposed tens of millions of text messages on the Internet. The messages were in a database unprotected by a password. Messages included password reset links, two-factor codes, and shipping notifications.

Nov. 16. Rockhurst University in Missouri settles lawsuit arising from tax form phishing scam in 2016 affecting some 1,200 staffers for $250,000.

Nov. 16. Moscow-based Group IB, a threat intelligence company, reports two major phishing campaigns have been launched against Russian financial institutions. The campaigns involve emails claiming to be from the country’s Central Bank and contain malware buried in attachments to the missives.

Nov. 15. The Ponemon Institute and Opus, a provider of compliance and risk management solutions, release survey of more than 1,000 risk and security professionals in the U.S. and UK finding that 59 percent of companies have experienced a data breach caused by one of their vendors or a third party.

Nov. 14. The U.S. Centers for Medicare & Medicaid Services revises estimate of people affected by data breach announced in October to 93,689 from 75,000. Information at risk from the breach includes names, dates of birth, addresses, portions of Social Security numbers, expected income, family relationships, and health insurance status.

Nov. 14. Flashpoint and Risk IQ report Russian hacking group Magecart is selling on the Dark Web credit card numbers robbed from 250,000 British Airways customers in a data breach in August. Prices range from €7 to €39 each.

Nov. 13. Bob Diachenko of Hacken discovers unprotected MongoDB database exposed to the Internet containing emails and personal data of 21,612 Kars4Kids donors and customers. He adds also exposed was a super administrator login and password, as well as usernames and passwords that could be used by attackers to access a dashboard that could be used to access more sensitive data on the system.

Nov. 13. First Health, a Florida healthcare provider, announces a phishing attack on its employees resulted in the compromise of protected health information for 42,000 of its customers.

Nov. 8. Chinese drone-maker DJI announces it has corrected security flaw in its cloud infrastructure that allowed unauthorized people to access the private accounts of its users and access data, such as photos, videos, and flight logs, as well as peek at camera footage while the device is in flight.

Nov. 7. Security researcher Bob Diachenko of Hacken reports unprotected MongoDB database belonging to American Express in India has exposed millions of records to the public Internet. He notes most of the records were encrypted, but 689,272 records containing customers’ personal information were in plaintext and could be viewed by anyone who visited the site.

Nov. 7. Bowker temporarily suspends sale of ISBN numbers at its MyIdentifiers website after intruders steal payment card numbers used for purchases from May 1 to October 23.

Nov. 7. Nordstrom notifies employees that their personal data is at risk after it was mishandled by a contract worker. Data at risk includes names, Social Security numbers, dates of birth, checking account and routing numbers, and salaries.

Nov. 7. Ontario Cannabis Store announces data breach through Canada Post has affected some information for 4,500 customers, about two percent of the store’s customers. The store says only names of people who ordered from the store and signed for delivery of the order were compromised.

Nov. 6. Protenus Breach Barometer reports 4.4 million patient records were compromised in 117 healthcare data breaches in the third quarter of 2018. That exceeds 3.15 million records compromised in the second quarter and 1.13 million in quarter one.

Nov. 6. HSBC bank confirms compromise of some accounts of U.S. customers. It says intruders accessed account numbers and balances, statement and transaction histories, and payee details, as well as users’ names, addresses and dates of birth. It adds fewer than one percent of American clients were affected by the attack.

Nov. 2. French and German media report 65 gigabytes of data has been stolen from Ingerop, a French engineering and consulting company. Data included sensitive documents related to nuclear power plants, prisons, and tram networks, as well as information on more than a thousand of the company’s employees.

Nov. 2. Former directors of Yahoo agree to $29 million settlement of investors lawsuit stemming from massive data breach at the company in 2014 affecting three billion users. Total settlements from cases arising from the breach have amounted to $100 million.

Nov. 2. BBC reports private messages of 81,000 Facebook accounts are being sold on the Dark Web. Facebook says its security hasn’t been compromised and maintains data theft was work of malicious browser extensions.

Nov. 2. ATA Consulting, which did business as the now defunct Best Medical Transcription, agrees to pay New Jersey $200,000 in connection to a data breach that exposed online the records of 1,650 patients of the state’s Virtua healthcare system.

Nov. 1. Chicago Police arrest Kristi Sims, 28, for stealing personal information on some 80,000 employees, volunteers, and vendors from a Chicago Public Schools database. Data stolen by the former CPS worker included names, employee ID numbers, phone numbers, addresses, dates of birth, criminal arrest histories, and Department of Child and Family Services findings.


Oct. 31. Facebook reports loss of a million European users during three-month period in which it revealed data breach affecting 29 million users.

Oct. 30. Washington Attorney General’s office releases report finding that data breaches affected 3.4 million citizens of the state from July 2017 to July 2018, an increase of 26 percent over the previous year-long period.

Oct. 30. Radisson Hotel Group alerts some members of its rewards program that their personal information is at risk due to a security incident. It says it is monitoring the affected accounts for unauthorized behavior and warns members to be watchful of phishing scams pretending to come from Radisson.

Oct. 29. Reynolds Porter Chamberlain, a corporate and insurance law firm headquartered in London, reports that the average fine issued by the UK’s Information Commissioner has doubled during the first nine months of 2018 to £146,000. It adds revenues from penalties collected during the period rose 24 percent, to £4.98 million from £4 million in 2017.

Oct. 25. CNO Financial Groups reports to U.S. Office for Civil Rights a data breach at its Bankers Life subsidiary that places at risk personal identifiable information for 566,217 people.

Oct. 25. UK Information Commissioner’s Office fines Facebook £500,000 for failing to sufficiently protect the privacy of 87 million users by allowing personal data to be accessed by developers without informed consent.

Oct. 25. TechCrunch reports two hackers who stole the data of millions of Uber users have been indicted for a data breach at Lynda, an online learning portal. It notes Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon Glover, a Florida resident, have been indicted for stealing data on 55,000 Lynda accounts and trying to leverage that data to obtain money from LinkedIn’s bug bounty program.

Oct. 25. DirectTV and CenturyLink agree to pay some 1,000 subscribers $700 each to settle lawsuit arising from the companies posting customers’ personal information from billing statements to the public Internet.

Oct. 25. British Airways revises impact of data breach in September. It says 185,000 more customers were affected than originally estimated. However, the number of payment cards affected by the breach was reduced, to 244,000 from 380,000.

Oct. 24. Hong Kong-based international airline Cathay Pacific confirms its computer system was compromised for seven months, exposing personal information and travel histories of as many as 9.4 million people.

Oct. 23. Girl Scouts of Orange County sends letter to some 3,000 members alerting them their personal information is at risk after it was accessed by an attacker who compromised the organization’s email system.

Oct. 22. Yahoo agrees to pay $85 million and provide free credit monitoring for 200 million people to settle lawsuit arising from data breaches in 2013 and 2014 that compromised some one billion user accounts. Under the settlement, $50 million will go to users and $35 million to pay legal fees.

Oct. 18. Troy Hunt of Have I Been Pwned, a data breach information site, alerts users of Facepunch that the game studio suffered a data breach in 2016 that affected 343,000 accounts. Information compromised included usernames, email and IP addresses, dates of birth, and salted MD5 password hashes.

Oct. 18. National Privacy Commission of the Philippines orders Facebook to file a comprehensive data breach report and notify 750,00 of its users in that country of breach in September that compromised 30 million accounts.

Oct. 16. Sudhakar Reddy Bonthu, 44, a former manager at Equifax, is sentenced to eight months of home confinement, fined $50,000, and forfeits $75,979 for insider trading. He bought and sold Equifax stock while aware of a massive data breach before it was made public.

Oct. 15. Anthem Inc., the second-largest health insurer in the United States, agrees to pay $16 million to U.S. Department of Health and Human Services to settle potential privacy violations stemming from 2015 data breach that compromised personal information of nearly 79 million people.

Oct. 12. Pentagon reveals a data breach of the U.S. Department of Defense email system could affect as many as 30,000 workers. It adds that no classified information was compromised.

Oct. 12. Sonic restaurant chain agrees to pay $4.3 million to settle claims arising from 2017 data breach of its point of sale systems at 325 locations.

Oct. 12. Facebook revises estimate of accounts compromised in September data breach to 29 million from 50 million.

Oct. 12. Estonian news publication Postimees reports flaw in the country’s school information system EKIS has for years allowed anyone to read and download descriptions of children’s medical conditions, behavioral problems, and family relationships. The system holds four to five million entries, which means information on thousands of people has been improperly made public for a long time, Postimees noted.

Oct. 11. Minnesota Department of Human Services states a phishing scam has resulted in unauthorized access to information for about 21,000 people who have interacted with the agency. It added that it has found no evidence of misuse of the compromised information.

Oct. 10. China’s top digital payment providers, Alipay and Tencent Holdings, warn customers that hackers are using stolen Apple IDs to break into accounts and steal cash. The companies advise users to lower their transaction limits to prevent losses, and to change their Apple ID password.

Oct. 9. Gemalto, a Dutch digital security company, reports there were 945 data breaches in the first half of 2018, which resulted in the compromise of 4.5 billion data records, a 113 percent increase over the same period in 2017.

Oct. 9. Hetzner, a German data center provider, announces “security incident” has exposed sensitive customer data to an intruder. Information accessed by the threat actor includes client names and e-mail addresses, telephone numbers, addresses, debit-order bank account details, such as bank account numbers, identity numbers, and VAT numbers.

Oct. 8. Wall Street Journal reports Google failed to disclose a bug that exposed to developers the private data of hundreds of thousands of users of its social network, Google+, because it feared it would draw the attention of regulators and hurt its reputation.

Oct. 8. UK Information Commissioner’s Office fines Heathrow Airport £120,000 for losing a USB stick containing sensitive personal data. Stick was eventually found and returned by a member of the public.

Oct. 8. UK high court denies permission to hear as a “representative action” a lawsuit seeking £1 billion in damages from Google for bypassing the privacy settings of 4.4 million iPhone users from August 2011 to February 2012. A representative action is a form of class action lawsuit in the UK.

Oct. 8. Amazon confirms it has fired an employee for feeding customer email addresses to a third-party seller on the e-retailer’s website. The company did not disclose the name of the employee, the seller receiving the purloined information, or the number of customers affected by the data breach.

Oct. 8. “Z.R..” 25, pleads guilty in Italy to defacing websites for NASA and 60 Italian government agencies in 2013. Italian police say the man was a leader of the “Master Italian Hackers Team,” which claimed responsibility for the attack at the time.

Oct. 5. California State University, East Bay states personal information of nearly 10,000 students is at risk after it was accessed intermittently by unauthorized parties on March 27, 2017 and September 2, 2018. Accessed information included students names, addresses, dates of birth, and Social Security numbers.

Oct. 5. Rebound Orthopedics & Neurosurgery in Vancouver, Wash. announces data breach has put at risk personal information of some 2,800 patients and employees. The breach occurred when an employee’s email account was compromised by an online intruder.

Oct. 5. Experian states it has fixed a flaw in its computer systems that allowed unauthorized people to obtain PIN numbers for frozen accounts and open new accounts under someone else’s name. Discovery of the vulnerability comes just over a year after a data theft at the company compromised the personal information of 148 million Americans.

Oct. 5. EarlySalary, an Indian online lender, announces personal data of some 20,000 prospective customers is at risk after a ransomware attack on its website. Names, personal details, and mobile numbers were accessed during the attack, the company noted.

Oct. 5. Gold Coast Health Plan in Camarillo, Calif. reports healthcare information of some 37,000 clients is at risk after it was accessed by hackers during a data breach.

Oct. 4. Cleveland, UK, police reveal they accidentally posted to their public website a spreadsheet containing personal information of 1,661 people who had to be restrained by police between April and June.

Oct. 3. Women’s fashion seller Shein reports data breach from June to August affected email addresses and encrypted passwords of some 6.42 million customers who visited the company’s website during that period.

Oct. 3. Burgerville, a restaurant chain, alerts customers who used a payment card between September 2017 to September 30, 2018 at any of the company’s 42 locations throughout Oregon and Southwest Washington that their cards may have been compromised by a malware infection on the company’s computer network.

Oct. 2. Apollo, a sales engagement company, alerts customers a data breach in July resulted in theft of material from its prospective contact database containing 200 million records. Records contain name, email address, company names, and other business contact information

Oct. 2. Officials of St. Petersburg, Fla., announce payment card information of more than 28,000 people has been compromised due to data breach at Click2Gov, which is used by the city for online collection of utility bills, parking tickets, business license fees, building permit fees, and civil citations.

Oct. 2. Cofense Intelligence, a cybersecurity firm, reports 40 percent of phishing emails containing keyloggers use a or address. Zoho, an Indian-based company offering an online office suite, had its domain taken down briefly in September by its registrar following complaints of phishing originating from Zoho.

Oct. 1. UK Financial Conduct Authority fines Tesco Bank £16.4 million for 2016 data breach that resulted in the theft of £2.26 million.

Cybercrime Diary Archives

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.