
Cybercrime Diary, Vol. 4, No. 1: Who’s Hacked? Latest Data Breaches And Cyberattacks

Toyota and FEMA leak data, Wendy’s and Neiman Marcus pay for past breaches

John P. Mello, Jr.

Sausalito, Calif. – Apr. 2, 2019

High-profile data breaches during the first three months of the year included a compromise of servers at Toyota’s Japanese offices jeopardizing data of 3.1 million car owners and the U.S. Federal Emergency Management Agency’s exposure of data on 2.5 million disaster survivors. Meanwhile, Wendy’s paid $50 million to settle litigation arising from a data breach in 2015-16 and Neiman Marcus paid the states $1.5 million to put to bed a case stemming from a 2013 data breach. That’s just some of the data breach news in our diary below.

March

Mar. 30. Secur Solutions Group, a vendor of Singapore’s Health Science Authority, acknowledges the personal information of 800,000 blood donors was improperly posted online and possibly stolen.

Mar. 29. Toyota announces information of 3.1 million Toyota and Lexus car owners is at risk after intruders breached the computer systems at its main offices in Japan and gained unauthorized access to the data.

Mar. 29. Earl Enterprises, a national restaurant operator based in Orlando, Fla., announces the point-of-sale systems at some of its dining locations were compromised by malware between May 23, 2018 and March 18, 2019 and that payment cards used at the locations during that period are at risk.

Mar. 26. Kaspersky Lab estimates thousands of Asus computers have been infected with malware from a compromised version of a tool used to update the machines. Asus says it has patched the vulnerability.

Mar. 25. UCLA Health Systems settles lawsuit for $7.5 million stemming from 2015 data breach that exposed data of 4.5 million patients.

Mar. 25. The National Board of Examiners in Optometry settles lawsuit stemming from 2016 data theft that affected 61,000 optometrists and optometry students for $3.5 million.

Mar. 25. Australian security researcher Nikola Cubrilovic pleads guilty to charges related to unauthorized access to database of car-sharing company GoGet. Cubrilovic is accused of gaining unauthorized access to GoGet vehicles more than 30 times between May and July 2017.

Mar. 23. Zammis Clark, 24, pleads guilty in a London Crown Court to hacking into Microsoft and Nintendo servers and stealing confidential information. He’s sentenced to a total of 15 months imprisonment, suspended for 18 months. A Serious Crime Prevention Order for a period of five years was also imposed on Clark, which carries an unlimited fine and up to five years in prison if breached.

Mar. 22. US Federal Emergency Management Agency and Department of Homeland Security reveal sensitive information of 2.5 million disaster survivors is at risk after it was shared with a contractor.

Mar. 21. Facebook acknowledges it has been storing the passwords of hundreds of millions of users on the company’s servers without encryption. It adds that no passwords were leaked and the company has found no indication the sensitive data was improperly accessed.

Mar. 21. Oregon Department of Human Services reveals private health information of more than 350,000 people is at risk after its email system was compromised by a phishing scam.

Mar. 17. Gnosticplayer posts for sale online fourth cache of data breach data. Latest cache is from six companies and includes 26.42 million user records for which the hacker is asking a bitcoin payment worth $4,940.

Mar. 14. European Data Protection Board reports €56 million in penalties have been collected from more than 200,000 reported violations of the EU’s General Data Protection Regulation since it took effect in May 2018.

Mar. 14. Security researcher Noam Rotem discovers unprotected Elasticsearch server putting at risk millions of customer profiles and shopping orders of Gearbest, a large Chinese online shopping site.

Mar. 11. Michigan Attorney General Dana Nessel and the Department of Insurance and Financial Services Director Anita G. Fox urge some 600,000 members of several healthcare insurance providers in the state to take precautions to safeguard personal information that may have been compromised in a data breach at the Wolverine Solutions Group, a third-party vendor of the providers.

Mar. 11. Dutch security researcher Victor Gevers discovers unprotected database online in China containing personal information of more than 1.8 million women. Data includes phone numbers, addresses, and “BreedReady” status.

Mar. 8. Wall Street Journal reports students applying for entrance to Grinnell, Oberlin, and Hamilton colleges receive ransom notes offering them data from their application files for a bitcoin payment worth $3,890, later reduced to $60. Information offered to students included notes from admissions officers, their interview reports, and acceptance decisions.

Mar. 8. Security researcher Bob Diachenko discovers unprotected database containing more than 800 million new and unique email records, as well as some personal identifying information. Diachenko believes the owner of the data to be Verifications IO, an enterprise email validation company.

Mar. 7. Jun Ying, former CIO of Equifax, pleads guilty in federal court in Atlanta to insider trading. Ying sold stock for nearly $1 million a week and a half before Equifax publicly revealed a data breach affecting some 145.5 million consumers.

Mar. 4. Marriott hotel chain reveals in financial report that 2018 data breach that resulted in the theft of sensitive data on five million people cost the company $3 million, with insurance picking up $25 million of the tab for the breach.

Mar. 4. GDI security researcher Victor Gevers finds unprotected server online exposing the private messages of 300 million Chinese users of some popular messaging apps. He adds that the data is shared automatically with police servers in 17 cities and provinces.

Mar. 1. Rutland Regional Medical Center in Vermont reports that an investigation of a data breach at the facility found information on 72,224 patients may have been stolen, as well as 4,000 Social Security numbers.

February

Feb. 27. Security researcher Bob Diachenko reports he found a copy of the Dow Jones Watchlist dataset on a public Elasticsearch cluster. He notes the more than 2.4 million records in the list contain the identities of government officials, politicians and people of political influence in every country of the world.

Feb. 27. Sports trading card and collectible company Topps notifies the public that transaction information of anyone doing business at the firm’s website from Nov. 19, 2018 to Jan. 9, 2019 is at risk due to malicious code inserted into the site’s checkout process.

Feb. 25. Rush University Medical Center in Illinois notifies some 45,000 patients their personal information is at risk after an employee of one of the hospital’s billing processing vendors exposed the information to an unauthorized third party.

Feb. 22. UConn Health in Connecticut announces personal information of some 326,000 people is at risk after several employee email accounts were compromised by an intruder.

Feb. 22. Intuit announces a number of TurboTax tax preparation accounts were compromised and tax return information accessed by an unauthorized third-party in a credential stuffing attack on the system.

Feb. 22. Group-IB, a cybersecurity company, reports it has discovered for sale on the dark web databases with 69,189 Pakistani bank cards with PINs that it estimates have a market value of $3.5 million.

Feb. 22. The Kentucky Counseling Center, a statewide mental health services organization, announces it has notified some 16,400 patients their sensitive information is at risk after it was removed from the center without authorization by a former employee.

Feb. 21. University of Washington Medicine reveals it’s in the process of notifying 974,000 patients that some of their medical information is at risk after it was discovered the files were stored on a web server that made them available and visible by search of the Internet.

Feb. 21. The UK’s Labour Party locks down access to membership databases and campaign tools after learning rogue members of the party were attempting to access the information to use it for their future campaigns. Under UK law, it’s illegal to obtain or retain personal data without the consent of the data’s controller.

Feb. 20. The Age reports Melbourne Heart Group in Australia is unable to access some 15,000 patient files scrambled in a ransomware attack. It notes that although a ransom was paid, some files remain unrecoverable.

Feb. 18. The UK Parliament’s Digital, Culture, Media and Sport Committee reports that Facebook knew of a data breach by Cambridge Analytica before it was reported in the media in 2015. Report concludes the social network “deliberately misled” a wide-ranging investigation into disinformation, “fake news” and election interference.

Feb. 18. Computer Sweden reports that audio recordings of 2.7 million phone calls made to the country’s healthcare hotline were stored on an unsecured web server that could be accessed by anyone with a browser.

Feb. 18. Malta’s Data Protection Commissioner imposes €5,000 fine on the island nation’s Lands Authority for violations of the EU’s General Data Protection Regulation.

Feb. 17. Hacker who has previously posted for sale on the dark web caches of stolen data of 620 million and 127 million records posts a third cache of more than 92 million records from eight websites, which he hopes to sell for $9,400.

Feb. 15. Risk Based Security releases annual report finding a year-over-year decline in publicly disclosed data breaches of 3.2 percent and a drop in records exposed of 35.9 percent, to 5 billion from 7.9 billion.

Feb. 15. AdventHealth Medical Group Pulmonary and Sleep Medicine in Florida alerts some 42,000 patients their personal information is at risk after the healthcare provider’s systems were breached by an intruder for over a year. Compromised data includes medical histories, insurance carriers, Social Security numbers, along with demographic information such as names, phone numbers, and email addresses.

Feb. 15. Memorial Hospital at Gulfport in Mississippi begins notifying some 30,000 patients that their personal information is at risk after its email system was compromised in a phishing attack.

Feb. 15. North Country Business Products in Minnesota announces malware infected a number of the company’s business partners’ restaurants between January 3 and 24 and collected payment card information of some consumers at the sites.

Feb. 14. Security researchers at Checkmarx discover vulnerability in OkCupid, a popular romance app, that can be exploited by a malicious actor to steal credentials, launch man-in-the-middle attacks, or completely compromise the application.

Feb. 14. An information seller who previously offered for sale on the dark web a cache of stolen information on 620 million user records from 16 websites offers for sale a second cache of 127 million records from eight websites for about $14,500.

Feb. 13. Wendy’s agrees to pay a group of financial institutions $50 million to settle lawsuit stemming from a 2015 to 2016 data breach.

Feb. 12. Protenus 2019 Annual Breach Barometer Report reveals more than 15 million US patient health records were breached in 2018.

Feb. 12. Don Best, a sports betting provider, warns customers their personal information is at risk after an intruder used malware to gain unauthorized access to the company’s network. It advises users to change their passwords and freeze their credit cards.

Feb. 11. Cyberattack on VFEmail, a business and consumer email provider in Milwaukee, wipes all data from its US servers. The company says all disks on all its servers were reformatted, including backups.

Feb. 11. Carbon Black, an endpoint security company, reports nine out of 10 organizations in the UK have suffered a data breach in the last 12 months.

Feb. 11. The Register reports data for 620 million accounts stolen from 16 hacked websites is being sold on the dark web for less than $20,000 in bitcoin.

Feb. 8. Landmark White, one of the biggest valuation firms in Australia, reveals data breach has placed at risk sensitive information for some 100,000 customers, including property valuations and personal contact information of homeowners, residents, and property agents.

Feb. 8. HuffPost India reports ERP software used by some companies inside Mumbai’s Bharat Diamond Bourse, one of the largest of its kind in the world, is uploading real-time sale and purchase information to a cloud server that’s not password protected.

Feb. 7. US Health and Human Services’ Office for Civil Rights reports it collected a record $28.7 million from healthcare providers and insurers in 2018 for inadequately responding to data breaches.

Feb. 5. Law firm DLA Piper reports that more than 59,000 data breaches have been reported in Europe since the General Data Protection Regulation took effect in May 2018.

Feb. 4. Identity Theft Resource Center reports the number of stolen consumer records containing personal information increased year-over-year by 126 percent, to 447 million in 2018 from 198 million in 2017.

Feb. 4. Community Health Systems, a national healthcare provider based in Tennessee, settles lawsuit stemming from data breach resulting in the theft of sensitive data of 4.5 million patients. Under the proposed settlement, $250 will be awarded patients who can document out-of-pocket expenses due to the breach. $5,000 will be awarded patients who experienced identity theft. Lawyers will get $900,000. Lead plaintiffs will be awarded $3,500 each.

Feb. 4. Roper St. Francis Healthcare, of South Carolina, and Valley Professionals Community Health Center, of Indiana, notify some 12,000 patients their personal information is at risk after their email systems were compromised in a phishing attack.

Feb. 3. Google removes 29 malicious Android applications from Google Play store. The apps’ malicious activity included displaying full-screen ads for pornographic content every time a phone was unlocked and directing users to phishing sites designed to pry personal data from them.

Feb. 1. Huddle House, a US restaurant chain, announces a point-of-sale malware infection has placed at risk payment card information for purchases at its 341 locations between Aug. 1, 2017 and Feb. 1, 2019.

Feb. 1. UK Information Commissioner’s Office fines Leave.EU and Eldon Insurance, formerly GoSkippy Insurance, $157,000 for using the personal data of the insurance company’s clients to send them ads supporting Brexit.

Feb. 1. TechCrunch reports one of the web systems used to record worker attendance in the Indian state of Jharkhand was exposed to the Internet without a password as far back as 2014. Data of 166,000 workers at risk includes names, job titles, partial phone numbers, and Aadhaar numbers, confidential 12-digit numbers assigned to each Indian citizen as part of the country’s national identity and biometric database.

January

Jan. 31. Healthcare insurer Aetna agrees to pay $935,000 to California to settle case involving its inadvertent exposure of the HIV status of about 12,000 customers, 1,991 of them in the Golden State.

Jan. 31. Houzz, a home improvement company valued at $4 billion, alerts its users of a data breach that exposed some data of an undisclosed number of users to an unauthorized intruder.

Jan. 30. Airbus, the second largest aviation and aeronautics company in the world, announces a compromise of its computer systems allowed intruders to gain unauthorized access to the plane maker’s data. It adds the data breach had no impact on the company’s commercial operations.

Jan. 30. Minnesota Department of Human Services reveals personal information of up to 3,000 people is at risk after its email system was compromised by a phishing attack.

Jan. 30. The State Bank of India, the country’s largest bank, secures unprotected server hosting data on millions of its customers. It’s unknown how long the server was connected to the Internet without password protection.

Jan. 29. Rubrik, an IT security and cloud management company, pulls one of its servers offline after being notified by TechCrunch it was accessible by anyone on the Internet. The server contained tens of gigabytes of data including customer names, contact information, and case work for each corporate customer.

Jan. 28. AA, a hacker who claims to have stolen personal information of 1.16 million students and alumni of the Universiti Teknologi MARA in Malaysia, demands university improve its data security or he will expose the data on the Internet.

Jan. 28. Singapore’s health ministry announces sensitive information about the HIV status of 14,200 people has been posted online by an American who is in illegal possession of the data and had been deported from the city-state.

Jan. 28. Discover Financial Services reports to California Attorney General that an undisclosed number of its accounts have been affected by a data breach that does not involve the Discover card systems. It adds that new cards have been issued to everyone affected by the breach.

Jan. 25. Washington State University’s board of regents authorizes a payment of up to $5.26 million to settle lawsuit stemming from 2017 hard-drive theft that placed at risk sensitive information of nearly 1.2 million people.

Jan. 25. European Commission announces EU data protection regulators have received more than 95,000 complaints about possible data breaches since the adoption of the General Data Protection Regulation in May 2018.

Jan. 25. The city of Sammamish, Wash. cancels all city credit cards after a ransomware attack on its computer systems.

Jan. 24. Ctrlbox Information Security reports a database containing some 70,000 offender and incident logs maintained by UK home and hardware store B&Q is at risk because no authentication is needed to access the database from the Internet. Information in the database includes first and last name of individuals who had been caught or suspected of theft from the stores, along with product codes, total price of losses, and GEOIP information for store locations. 

Jan. 24. Valley Hope Association Addiction Centers in Kansas notifies some 70,000 patients their personal information was compromised in a phishing attack on the healthcare provider’s email system. Compromised information included patient names, addresses, medication/prescription information, Social Security numbers, financial account information, driver’s license or state identification card numbers, patient claim/billing information, dates of birth, health insurance information and medical record numbers, and doctors’ names.

Jan. 23. Security researcher Bob Diachenko finds exposed online an Amazon S3 server containing documents from banks and financial institutions across the U.S., including loans and mortgage agreements, documents from the U.S. Department of Housing and Urban Development, W-2 tax forms, loan repayment schedules and other sensitive financial information. He notes server belongs to OpticsML, a document management company that works with Ascension, which has also been identified by Diachenko as exposing financial documents online.

Jan. 23. Security researcher Bob Diachenko discovers database containing more than 24 million financial and banking documents has been exposed to the public Internet for two weeks. It’s believed the data belongs to Ascension, a data and analytics company for the financial industry, based in Fort Worth, Texas.

Jan. 23. Alaska’s Department of Health and Social Services sends letters to more than 700,000 households advising them their personal information may have been compromised by a malware infection on the agency’s computer systems.

Jan. 21. BlackRock, the world’s largest asset manager, reveals it inadvertently posted to the public Internet confidential information of 20,000 advisers who are the company’s clients. Information exposed included names and addresses of advisers who buy Exchange Traded Funds for clients and the assets under management each adviser had in BlackRock’s iShares ETFs. It is unclear how long the data was exposed online.

Jan. 21. Ontario Social Services Minister Lisa MacLeod reveals private information of 45,000 people was placed at risk when it was accidentally emailed to 100 recipients by the Mississauga disability support program office. The ministry says it has contacted the recipients of the private information and asked them to delete it.

Jan. 20. France fines Alphabet’s Google $57 million for violating the European Union’s privacy rules. CNIL, France’s privacy watchdog, found that Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalized ads.

Jan. 20. Chinese e-commerce platform Pinduoduo loses more than $1.5 million after hackers exploited vulnerability in company’s systems to issue coupons that allowed users to obtain products for free for several hours until the flaw was discovered by the online retailer.

Jan. 19. Philippine pawnshop Cebuana Lhuillier announces a data breach has put at risk personal information of more than 900,000 clients. Information that may have been compromised includes birth dates, addresses, and sources of income. It adds no transaction information was compromised and that its main servers remain safe and protected.

Jan. 19. RBS and NatWest banks begin issuing new debit cards to thousands of Scots affected by Ticketmaster data breach in 2018.

Jan. 18. Las Colinas Orthopedic Surgery & Sports Medicine in Texas reports to U.S. Health and Human Services Department’s Office for Civil Rights that sensitive information of 76,000 people is at risk after an electronic device was stolen from its offices. 

Jan. 16. Troy Hunt, who runs a data breach information website called Have I Been Pwned, announces discovery of “Collection #1,” a cache of data containing 1.6 billion unique email addresses and passwords. Hunt obtained the data from MEGA, a popular cloud service, after being tipped off about the cache from several sources.

Jan. 16. Upguard reveals Oklahoma’s Department of Securities left exposed on the Internet for an undetermined amount of time three terabytes of data, including millions of files that contained personal information and system credentials. It reported the data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server.

Jan. 15. U.S. criminal indictment unsealed accusing Artem Radchenko, 27, and Oleksandr Ieremenko, 26, two Ukrainians, of hacking into database of Securities and Exchange Commission to obtain unreleased news releases and use them to make illegal stock trades.

Jan. 15. U.S. Securities and Exchange Commission files charges against nine defendants participating in a scheme to hack into the agency’s EDGAR system and extract nonpublic information for use in illegal trading activities. SEC estimates scheme produced more than $4.million for its participants.

Jan. 15. Singapore’s Personal Data Protection Commission imposes $740,000 fine on Integrated Health Information Systems, which runs the city-state’s healthcare sector, and healthcare provider SingHealth for their role in a 2018 data breach resulting in the theft of personal data on 1.5 million people.

Jan. 11. Security researcher Bob Diachenko reports discovery online of an unprotected MongoDB database containing private and detailed data on more than 200 million Chinese job seekers. Owner of the database is unknown.

Jan. 9. Humana, a national health insurance provider based in Kentucky, reports to California Attorney General that sensitive information for some of its policyholders is at risk after a data breach at its business partner Bankers Life allowed intruders to hijack control of websites used to apply for Humana insurance.

Jan. 9. Reddit locks out of their accounts for several hours an undisclosed number of users after discovering unusual activity on its system that could signal a data breach.

Jan. 8. Neiman Marcus agrees to pay states $1.5 million to settle case stemming from a 2013 data breach.

Jan. 8. BenefitMall, a national provider of services to businesses, reports sensitive data for an undisclosed number of customers may be affected by a phishing compromise of its email system. The company works with a network of more than 20,000 brokers and accountants servicing some 200,000 small and medium businesses.

Jan. 7. OXO International, a U.S. kitchen utensil maker, reports to California Attorney General that its online ordering system was compromised between June 9, 2017 and November 28, 2017; June 8, 2018 and June 9, 2018; and July 20, 2018 and October 16, 2018. During those periods, it said, payment information may have been stolen.

Jan. 4. Marriott International revises number of guests affected by data breach at its Starwood hotel unit to five million from 500 million.

Jan. 4. DiscountMugs.com reports to state attorneys general that a compromise of its online payment system allowed hackers to steal credit card numbers from customers making purchases at its website from August 5 to November 16, 2018.

Jan. 4. NordVPN digital privacy expert Daniel Markuson estimates the data of more than one billion people was compromised in data breaches in 2018.

Jan. 4. Dublin, Ireland, tram system operator Luas announces personal information of 3,226 subscribers to its electronic newsletter was compromised after the operator’s website was attacked by a hacker who threatens to publish the data unless paid one bitcoin.

Jan. 3. Unknown person publishes online via Twitter cache of sensitive data about German politicians, celebrities, and public figures. Information includes personal phone numbers and addresses, internal party documents, credit card details and private chats. All German political parties are affected by the breach, except for politicians in Alternative for Germany, a far-right party.  

Jan. 3. Choice Rehabilitation Center of Missouri notifies 4,309 patients their personal data was stolen after one of its email accounts was compromised for a month. The type of data snatched by the intruder is commonly used for medical fraud.

Jan. 2. Cybersecurity researchers at Dehashed discover data breach at the Town of Salem online role-playing game exposed personal information of more than seven million users. Information compromised included usernames, emails, passwords, IP addresses, game and forum activity, and some payment card information for premium services subscribers.

Jan. 2. Dental Center of Northwest Ohio announces personal information of patients and employees is at risk after an IT provider for the center was infected by ransomware. The healthcare provider stated it has not received any reports of the malicious act involving the data, but it’s possible an intruder accessed the information.


John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.