Cybersecurity Ventures Cybercrime Diary. PHOTO: Cybercrime Magazine.

Cybercrime Diary, Vol. 2, No. 2: Who’s Hacked? Latest Data Breaches And Cyberattacks

Ransomware attacks dominate the data breach scene during second quarter of 2017

John P. Mello, Jr.

Menlo Park, Calif. – Jun. 30, 2017

Global ransomware damage costs are predicted to exceed $5 billion in 2017, up from $325 million in 2015. That’s a staggering 15X increase in just 2 years, and the damages are expected to worsen. Ransomware attacks on healthcare organizations will quadruple by 2020.

Two staggering attacks affected organizations around the world. In May, the WannaCry program infected thousands of computers in more than 100 countries. It was followed in June by the GoldenEye/NotPetya malware that disrupted computing activity in at least 65 nations.

The scope of the ransomware problem was detailed by Verizon in its annual data breach report released in April, which found ransomware involved in 71 percent of the 40,000 data breaches it analyzed.

Also during the period one of the largest ransomware payoffs was made by Nayana, a web-hosting company in South Korea. It coughed up $1.1 million to digital extortionists after ransomware knocked out more than half of the company’s 300 servers and affected an estimated 3,400 websites it hosted.

Large data breaches also continued during the quarter. One of the largest was in India where 130 million holders of the country’s national identification card were told in May their ID numbers had been exposed on the public Internet since Nov. 2016. Another 77 million users of the education website Edmodo had their account information stolen when hackers broke into that site.

Meanwhile, 8tracks, an Internet radio service, told its users to change their passwords after reports appeared that a cache of credentials for 18 million users of the service were up for sale on the Dark Web. And Zomato, a restaurant search service, reset the stolen passwords of some 17 million users.

Lawyers were also busy during the period. Health insurer Anthem put a $115 million deal on the table to settle a data breach class action lawsuit against it. Retailer Target paid $18.5 million to settle a data breach lawsuit filed against it by 47 states. In addition, data breach litigation was settled against Neiman Marcus for $1.6 million and Kmart for $5.2 million.

Regulators were also busy. In June, it was reported that the UK’s Information Commissioner’s Office collected 65 percent more in fines in 2016 compared to 2015, to £3,245,500 from £2 million. In the United States, the federal Department of Health and Human Services collected $2.5 million for data breach infractions from CardioNet, a mobile heart monitoring technology company based in Malvern, Pa., and $400,000 from The Metro Community Provider Network in Denver.

Reports on the costs of data breaches were also released during the quarter. IBM Security found that the average cost of a data breach globally is $3.62 million, a 10 percent decrease from 2016. Meanwhile, CGI released an eye-opening analysis of 65 “severe” and “catastrophic” data breaches. It found that those kinds of breaches can cost a company 1.8 percent of its market value. For a typical FTSE 100 company, that would be a permanent loss of market capitalization of £120 million.

CYBERCRIME DIARY

June

Jun. 29. The UK’s Government Digital Service recommends users of its Data.Gov.UK website change their passwords after a database of usernames and email addresses was discovered, during a routine security review, on a system accessible to the public.

Jun. 28. Goldeneye ransomware spreads from Ukraine disrupting business and government computing activity in at least 65 nations. Businesses affected by the virus include Russian oil company Rosneft, shipping firm A.P. Moller-Maersk and pharmaceutical giant Merck.

Jun. 28. Nayana, a web-hosting company in South Korea, agrees to pay $1.1 million to unlock computers infected by hackers with ransomware. More than half of the company’s 300 servers were disabled by the attack that affected an estimated 3,400 websites.

Jun. 27. 8tracks, an Internet radio service, recommends its users change their passwords after reports appear that a cache of credentials for 18 million users of the service are up for sale on the Dark Web.

Jun. 27. Experian releases study that finds only nine percent of companies are prepared for the EU General Data Protection Regulation and 59 percent of the 550 IT security and compliance professionals surveyed said their companies did not know how to comply with the GDPR.

Jun. 27. Anthony Murgio, 33, sentenced to five and a half years in prison for operating an illegal bitcoin exchange suspected of laundering money for hackers and linked to data breach at JPMorgan Chase & Co.

Jun. 23. FBI’s Internet Complaint Center reports U.S. losses due to Internet crime in 2016 totaled $1.3 billion.

Jun. 23. Plaintiff’s legal team announces $115 million proposed settlement in class action lawsuit against health insurer Anthem stemming from data breach resulting in the theft of personal information of 7.8 million people.

Jun. 23. The Register reports 32 terabytes of data stolen from Microsoft was posted to the Internet, including internal builds of Windows and chunks of its source code.

Jun. 23. The Times of London reports that stolen email addresses and passwords of tens of thousands of government officials in the UK are being sold or bartered on Russian-speaking hacking sites.

Jun. 23. Airway Oxygen in Michigan notifies 500,000 people their personal health information is at risk due to unauthorized access to its infrastructure in April.

Jun. 23. Southern Illinois Healthcare reports that personal information of more than 600 patients is at risk after Experian Health, a third-party vendor, accidentally sent their data to the wrong medical facilities between Feb. 13 and March 13.

Jun. 23. CEO John Hutson of UK pub chain Wetherspoons announces it is deleting its database of customer email addresses to avoid the risk of it being hacked.

Jun. 22. U.S. District Judge Samuel Der-Yeghiayan preliminarily approves $1.6 million settlement of class action lawsuit against Neiman Marcus for data breach that occurred between July 16, 2013 and Jan. 10, 2014.

Jun. 22. Ward Solutions releases survey which includes finding that one in five Irish businesses have been hit with ransomware in the last 12 months.

Jun. 21. Scott Ables files class action lawsuit against Brooks Brothers Group over data breach that compromised payment data from customers who shopped at its stores between April 4, 2016 and March 1, 2017.

Jun. 21. Honda Motor Co. halts production at its vehicle making plant in Sayama for a day after discovering WannaCry ransomware on its computer network.

Jun. 21. Distil Networks releases study of 1,000 websites in retail, banking and consumer services which includes finding that 95 percent of sites can’t protect themselves against advanced persistent bot attacks.

Jun. 21. Atlantic Digestive Specialists notifies 94,195 customers their personal information is at risk after a ransomware attack on the systems of the group comprised of gastroenterologists with offices in Somersworth, Hampton and Portsmouth, N.H.

Jun. 21. Trustwave releases its 2017 Global Security report which includes finding that “dwell time” for hackers inside networks has declined year-over-year to 49 days in 2016 from 80.5 days in 2015.

Jun. 21. Dr. Emma Philpott, chief executive at the IASME Consortium, notifies vendors that their email addresses are at risk after a data breach at the UK’s Cyber Essentials scheme, which accredits companies bidding on government contracts that deal with the handling of “certain sensitive and personal information.”

Jun. 20. Juniper Research forecast retailers will lose $71 billion globally over the next five years due to fraudulent Card-Not-Present transactions.

Jun. 20. IBM Security reports that the average cost of a data breach globally is $3.62 million, a 10 percent decrease from 2016.

Jun. 20. Minnesota State University Moorhead notifies about 800 faculty and staff and 8,000 students that personal information they’ve provided the institution is at risk after it was accessed by an unauthorized third-party.

Jun. 19. Torrance Memorial Medical Center in California notifies an undisclosed number of patients their personal information was compromised in a phishing attack on some of the hospital’s email accounts.

Jun. 16. The Buckle, a clothier with 450 stores in 44 states, alerts customers that their credit card information is at risk due to a compromise of its point-of-sale system between Oct. 28, 2016 and April 14, 2017. Company notes it believes the exposure of data that could be used to clone cards is limited due to the use of EMV technology at the stores.


Jun. 15. Sean Caffrey, 25, pleads guilty to hacking into U.S. Department of Defense and stealing data from around 30,000 satellite phones.

Jun. 15. AllClear ID estimates that European banks could face fines totalling €4.7 billion during the first three years that the EU’s General Data Protection Regulation is in effect.

Jun. 15. New York Atty. Gen. Eric T. Schneiderman announces CoPilot Provider Support Services, a provider of support services to the health care industry, agrees to pay $130,000 in penalties for waiting over a year to notify affected persons of a data breach exposing 221,178 patient records.

Jun. 15. Washington State University alerts some one million people their personal information is at risk after the heist from university property of an 85-pound safe containing a hard drive with the information on it.

Jun. 14. Kaspersky Lab reports security incidents involving online banking services cost the institution an average of $1.75 million per incident.

Jun. 13. UK Information Commissioner’s Office fines Gloucester City Council £100,000 after sensitive personal data was compromised in an attack on its systems that exploited the Heartbleed vulnerability in OpenSSL.

Jun. 13. TD Bank finds that 91 percent of financial pros at 2017 NACHA Payments conference believe payment fraud will continue to grow over the next two to three years, a slight increase over the 89 percent that felt that way last year.

Jun. 13. U.S. District Court Judge Andrea R. Wood in Chicago dismisses lawsuit against Barnes & Noble arising from compromise of its PIN pads used to process payment card transactions at 63 of its stores. Court finds plaintiffs did not offer sufficient injury to sustain a class action.

Jun. 12. Michelle Provost files putative class action lawsuit in Georgia federal court against Tempur Sealy International and Aptos for failing to appropriately safeguard customers’ personal information, which led to a February 2016 breach that compromised sensitive customer data.

Jun. 12. Fifteen Attorneys General clarify data breach notification laws in their states declaring notice is triggered whether CVV numbers are stolen in a breach or not.

Jun. 9. Mississippi’s Division of Medicaid notifies 5,220 people their personal health information is at risk due to the insecure transfer of the data from an online form to a designated staff member.

Jun. 9. Select Restaurants, a chain of eateries in the Cleveland area, announces security breach at third party vendor has placed at risk payment card information of customers who did business at some of the chain’s outlets between Oct. 26, 2016 and Feb. 3, 2017.

Jun. 8. CD Projekt Red, maker of the Witcher game series, rejects ransom demands of hackers who claim to have stolen files from the company, including those related to its much anticipated game Cyberpunk 2077.

Jun. 8. BitSight reports that two months before the WannaCry ransomware epidemic, nearly 20 percent of the Windows computers it studied were running versions of that operating system no longer supported by Microsoft.

Jun. 8. GameStop notifies customers their name, address and credit card information is at risk due to a data breach at the site affecting purchases made from Aug. 10, 2016 to Feb. 9, 2017.

Jun. 5. Old Mutual, a prominent South African financial services firm, warns a “relatively small group” of customers their personal information is at risk after a breach of one of its computer systems.

Jun. 5. Victory Medical Center in Austin, Texas, states that demographic data of some 2,000 patients was leaked online after a data breach of its systems.

Jun. 5. Security researcher Aaron Guzman finds eight software vulnerabilities in a 2017 Subaru WRX STi that could be exploited by an attacker to lock and unlock doors, sound the horn, access a vehicle’s location history and control other behaviors.

Jun. 5. Healthcare Industry Cybersecurity Task Force releases report that includes recommendation that the U.S. Health and Human Services Department appoint a single person to coordinate cybersecurity initiatives with the health care industry.

Jun. 1. Dr. Zain Kadri’s plastic surgery clinic announces personal information of as many as 15,000 patients, including some celebrities, was stolen by a disgruntled employee who has posted some of the information on Snapchat, Instagram and Facebook.

May

May 31. OneLogin, an identity management service provider, alerts users that their data is at risk after an intruder uses one of the company’s Amazon Web Services encryption keys to access its AWS platform.

May 31. Gizmodo confirms a cache of more than 60,000 government files was exposed on a publicly accessible Amazon server for an unknown amount of time. Information in the files included passwords to a U.S. government system containing sensitive information, security credentials of a lead senior engineer at Booz Allen Hamilton and at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.

May 31. A hacking group called Tsar Team leaks thousands of patient photos from the Grozio Chirurgija cosmetic surgery clinic in Lithuania after clinic and patients refused to meet the group’s ransom demands.

May 31. University of Alaska sends letters to some 25,000 students, staff and faculty alerting them their personal information is at risk after hackers compromised several secured accounts through an email scam.

May 31. Kmart Stores, for the second time in three years, discovers malware on the credit card processing systems of some of its outlets.

May 31. Rep. Tom Graves, R-Ga., files bill allowing victims of cyberattacks to hack their attackers, as well as hack into other victims’ computers for “reconnaissance” purposes.

May 30. Ovum, a consulting company, releases survey finding 76 percent of Canadian companies expect data breach attempts to increase in the next 12 months but only 46 percent expect to spend more on cybersecurity during the period.

May 30. A survey of 187 marketing and advertising companies by YouGov and commissioned by Irwin Mitchell finds that 17 percent of the firms would go out of business if they had to pay the maximum penalty for violating the EU’s General Data Protection Regulation that takes effect in 2018.

May 26. Alcoa Community Federal Credit Union files class action lawsuit against the Chipotle restaurant chain over hacking of its point-of-sale system that compromised the payment cards of hundreds of thousands of customers.

May 26. Molina Healthcare, a major insurer in Medicaid and state exchanges across the country, shuts down its online patient portal after a vulnerability was discovered that exposed health records of 4.8 million customers in 12 states to the public Internet.

May 26. Chipotle Mexican Grill announces previously disclosed malware infection of its point of sale system affected nearly all the outlets in the national restaurant chain.

May 25. PNI Digital Media, which provides photo services to retailers such as Costco and CVS, reaches deal with consumers affected by a data breach of the company’s point-of-sale system. The deal provides up to $250 per customer for bank fees, long-distance telephone charges and other expenses, and up to $10,000 for “extraordinary expenses,” as well as $650,000 for attorneys’ fees and court costs.

May 25. Home Depot acknowledges that a spreadsheet containing personal data of some 8,000 people was exposed to the public Internet due to human error.

May 25. Sens. Maggie Hassan, D-N.H., and Rob Portman, R-Ohio, file legislation to establish a bug bounty program in the U.S. Department of Homeland Security.

May 25. UW Health in Wisconsin notifies 2,046 patients that their personal information is at risk after an employee’s email account, which contained files with patient information in them, was compromised by an intruder.

May 23. Florida Department of Agriculture and Consumer Services states personal information of more than 16,000 of the state’s concealed weapons permit owners is at risk after a breach of the agency’s website.

May 23. Target Corporation announces it will pay $18.5 million to 47 states and the District of Columbia to settle case against it stemming from 2013 data breach that compromised tens of millions of customer payment cards.

May 23. St. Luke’s-Roosevelt Hospital Center in New York City agrees to pay U.S. Department of Health and Human Services $387,200 to settle potential violations of the federal Health Insurance Portability and Accountability Act.

May 22. DHR International reports that salaries for chief information security officers at top European companies have cracked €1 million and for small and medium companies they’re being paid a minimum of €200,000.

May 21. Global management consultancy Oliver Wyman predicts companies on the FTSE 100 could face up to £5 billion in fines if they don’t comply with the EU’s General Data Protection Regulation set to take effect next year.

May 19. In Chicago, U.S. District Court Judge John Lee approves $5.2 million settlement, including $1.7 million for plaintiff’s attorneys, of lawsuit by financial services companies against Kmart stemming from a data breach that affected about 8.1 million payment cards.

May 19. Twitter alerts users of Vine that their email addresses and in some cases phone numbers are at risk due to a software bug that was patched within 24 hours.

May 18. PureMatrimony.com, a Muslim dating website, advises some 100,000 members to reset their passwords due to an apparent data breach at a third-party website.

May 18. Restaurant search service Zomato resets some 17 million user passwords that it says were stolen when an employee’s development was compromised.

May 18. ZDNet reports font sharing site DaFont.com has been breached and its database of nearly 700,000 user accounts stolen by hackers.

May 17. Edmodo, an education website for parents, students and teachers, confirms data breach which resulted in theft of account information for 77 million users, including passwords that were salted and bcrypt hashed.

May 18. Federal district court in California rules in lawsuit against credit protection and reporting company Experian that forensic report requested by firm’s lawyers is protected by attorney-client privilege and exempt from legal discovery process.

May 17. Cybersecurity blogger Brian Krebs reports that a subsidiary of Equifax, one of the nation’s largest consumer data brokers and credit bureaus, was breached by hackers who stole W-2 tax data for an undisclosed number of customers.

May 16. France fines Facebook 150,000 euros for collecting information on users without their knowledge.

May 16. Crain’s New York Business reports protected health information of 3,500 patients at Coney Island NYC Health + Hospitals is at risk after it was accessed by a volunteer in the phlebotomy department without clearance to do so.


May 15. The UK’s Information Commissioner’s Office reports that data breach reports to the office increased 31.5 percent to 2,565 in 2017 from 1,950 in 2016.

May 15. Electronic signature technology provider DocuSign confirms a series of malware phishing attacks against its customers is connected to a data breach at one of its computer systems.

May 15. Bell Canada issues apology to its customers after nearly 1.9 million of their email addresses and 1,700 names and phone numbers were compromised in a data breach and extortion scheme.

May 15. University of New Mexico Foundation notifies some 23,000 donors, annuitants, foundation employees and vendors that their personal information is at risk due to a computer server breach discovered April 17.

May 15. United Airlines confirms that codes to gain access to the cockpits in its aircraft may have been posted to the Internet. A spokesperson for United says it is working on resolving the issue.

May 12. WannaCry, a ransomware program based on software stolen from the NSA, infects thousands of computers in more than 100 countries, forces the UK’s health care system to turn away patients and disables computers in Russia’s Interior Ministry.

May 12. Brooks Brothers announces a compromise of its point-of-sale system that could affect the payment card information of some customers who shopped at some of its stores between April 4, 2016 and March 1, 2017.

May 9. FICO Asia-Pacific releases survey finding three out of four senior fraud managers said they would stop working with a partner that failed a cybersecurity audit.

May 8. Risk modelling firm RMS forecasts that if all U.S. businesses had cyber insurance, more than $5 billion in data breach losses would be covered every year.

May 5. Retailer Debenhams says the personal data of 26,000 customers of its Flowers website may have been stolen by hackers who breached a third-party e-commerce company, Ecomnova.

May 5. Tufts University Executive Vice President Patricia Campbell and Senior Vice President for University Relations Mary Jeka announce sensitive financial information about the Massachusetts school’s department budgets and staff and faculty salaries was posted to a public website by a group calling itself TuftsLeaks.

May 5. Ontario government confirms personal information of thousands of citizens is at risk due to a printing mistake on health care renewal forms mailed to residents of the province.

May 5. Angela Lynn Martin files class action lawsuit in a federal district court in Florida against Scottrade over data breach that compromised the personal information of 4.6 million people from September 2014 to February 2014.

May 3. Google says it stopped in an hour an email spam campaign impersonating Google Docs which affected less than a tenth of a percent of Gmail users.

May 3. Bitglass releases annual health care data breach report which shows a year-over-year increase in breaches to 328 in 2016 from 268 in 2015, but a decline, for the second year in a row, in records exposed to 16.6 million.

May 3. O2-Telefonica in Germany confirms that some of its customers have had their bank accounts cleaned out by thieves who intercepted the customers’ two-factor authentication codes by hacking the SS7 protocol used by mobile phone networks.

May 3. Bernard Ogie Oretekor, 46, sentenced to seven years and one month in prison and ordered to pay $1.97 million in restitution to the Internal Revenue Service and another $910,000 to four people and two companies for wire fraud, money laundering and identity theft. The Nigerian man used phishing emails to obtain information about his victims that he used to drain money from their bank accounts and collect refunds from bogus tax returns.

May 2. Travel giant Sabre Corp. reports to SEC that company is investigating an incident of unauthorized access to payment information contained in a reservation system that serves more than 32,000 hotels and lodging establishments.

May 2. Fitchburg, Mass., City Solicitor Vincent Pusateri says 1,800 people have been notified their Social Security numbers are at risk after they were posted to the Internet three and a half years ago. The posting was the result of a hack or the data was accidentally removed from an employee’s hard drive. The data was encrypted, but the encryption key was also posted to the Net.

May 2. Newspaper publisher Gannett warns some 18,000 current and former employees their personal information is at risk after email accounts in its human resource department were compromised by hackers.

May 2. U.S. Appeals Court in New York City affirms lower court ruling that dismissed class action lawsuit against Michaels Stores because plaintiff failed to show any injury from data breach at the retailer.

May 1. Federal district court judge in St. Louis dismisses for second time litigation against Schnuck Markets filed by financial institutions which allege negligence and breach of implied contract by the supermarket chain during data breaches it suffered in 2012 and 2013.

May 1. The Centre for Internet & Society in India reports that sensitive data for almost 130 million Aadhaar cardholders has been exposed to the public Internet since Nov. 2016. Aadhaar is a 12-digit number issued to all residents of India based on biometric and demographic data.

April

Apr. 30. The Gleaner in Jamaica reports information on more than 14,000 of the island’s high school students hosted on a database in the United States has been encrypted with ransomware by hackers who are demanding $5,000 to descramble the data.

Apr. 29. Hindustan Times reports a programming error at a website operated by the Directorate of Social Security for the Indian state of Jharkhand has exposed personal information of 1.6 million pensioners to the public Internet.

Apr. 28. The hacker group known as The Dark Overlord Solutions posts to Pastebin links to stolen copies of an upcoming episode of Orange Is the New Black after Netflix refused to meet the gang’s ransom demands.

Apr. 28. Home Depot agrees to change its cybersecurity governance policies and pay $1 million in attorneys’ fees to settle shareholders’ lawsuit related to a massive payment card data breach in 2014.

Apr. 28. Diamond Institute for Infertility and Menopause in New Jersey advises some 14,000 patients that their personal health information is at risk due to someone gaining unauthorized access to a third-party server hosting the data.

Apr. 28. Greenwood County School District 50 in South Carolina sends letters to some 3,300 current and former employees alerting them their personal information is at risk after an unauthorized user breached four employee email accounts that contained tax and benefit plan information.

Apr. 28. Kromtech security researchers discover personal information on at least 500,000 customers of Alliance Direct Lending Corporation was exposed to the public Internet for an unknown amount of time.

Apr. 28. Eddie Bauer argues in a federal court in Washington for dismissal of a proposed class action lawsuit by a credit union due to insufficient facts to support the financial institution’s claim that 2016 data breach at the retailer was due to negligence.

Apr. 28. Australian Federal Police confirms it unlawfully accessed a journalist’s phone records without a warrant.

Apr. 28. IBM X-Force releases report finding financial services sector attacked by cyber criminals 65 percent more than any other industry, resulting in the breach of more than 200 million records in 2016, a 937 percent increase over the previous year.

Apr. 28. Trinity College sends letter to people who have contributed to the Trinity Foundation over the past decade that their personal information may have been compromised in a phishing attack.

Apr. 28. Stuart Colianni uploads to the research site Kaggle 40,000 profile photos scraped from Tinder without authorization to create a data set for facial recognition research.

Apr. 28. Paratransit Services, a provider of non-emergency medical and public transportation services in Washington, Oregon and California, notifies everyone who worked for the company in 2016 that their personal tax information is at risk after their W-2 tax forms for the year were emailed to a phishing scammer.

Apr. 27. Verizon releases its annual data breach report which finds that ransomware was involved in 71 percent of the more than 40,000 incidents analyzed in the report.

Apr. 27. Matthew Hanley, 22, and Connor Douglas Allsopp, 20, plead guilty to crimes connected to the theft of 150,000 customer records from broadband service provider Talk Talk in 2015.

Apr. 27. Security researcher Chris Vickery reports AMP, a provider of online platforms for futures trading, exposed on the Internet details of its financial operations and private information of more than 10,000 account applicants due to a misconfigured backup device managed by a third-party IT vendor.

Apr. 27. Thales Data Threat Report finds 34 percent of U.S. government respondents have experienced a data breach in the last year and 96 percent of them consider themselves “vulnerable.”

Apr. 26. Employees of Tipton County school system in Tennessee file $19 million federal class action lawsuit against board of education for falling for a phishing scam that resulted in the theft of the workers’ tax information.

Apr. 26. Symantec releases Internet Security Threat Report which reveals that the average ransom demanded by ransomware extortionists increased 266 percent, to $1,077 in 2016 from $294 in 2015.

Apr. 26. Accenture releases survey which included finding that one in eight UK consumers have had their personal medical information stolen from technology systems.

Apr. 26. Kromtech security researchers report 88 megabytes of spreadsheet documents apparently belonging to Alliance Direct Lending Corp. and containing information on hundreds of auto dealerships in the United States and as many as one million customer details was exposed to the public Internet for an unknown length of time due to a misconfigured AWS S3 bucket.

Apr. 26. Motherboard reports customer data from Ciphr, a provider of secure mobile phones, has been dumped on the public Internet. “All Ciphr emails/servers have been compromised,” the website hosting the purloined data claims.

Apr. 25. LeakBase, a for-profit breach notification service, says it has obtained from a hacker more than five million records belonging to customers of R2 Games, which also had 22 million accounts compromised in December 2015.

Apr. 25. Chipotle tells investors during an earnings conference call that it’s investigating some unauthorized activity on a network that supports payment processing for purchases made at its chain of burrito restaurants.

Apr. 25. Blowout Cards, a website devoted to buying, selling and trading sports and other kinds of cards, warns its customers their payment card information is at risk due to a data breach at the site.

Apr. 25. Thales and 451 Research release report finding 78 percent of Mexican organizations and 75 percent of Brazilian organizations have experienced a data breach.

Apr. 25. Behavioral Health Center in Bangor, Maine says more than 4,000 clients had their personal information stolen in a data breach in March.

Apr. 24. Experian asks California federal court judge to deny motion by T-Mobile customers in class action lawsuit to release a report prepared by information security firm Mandiant related to a data breach that exposed the personal information of 15 million consumers.

Apr. 24. HipChat notifies all account holders that it has reset their passwords after its security team discovered an incident affecting one of its servers and attributed to a vulnerability in a third-party library.

Apr. 24. CardioNet, a mobile heart monitoring technology company based in Malvern, Pa., agrees to pay $2.5 million to U.S. Department of Health and Human Services to settle case arising from the theft of a laptop containing unencrypted patient data.

Apr. 24. Western Health Screening, an onsite blood screening provider in Billings, Mont. alerts an undisclosed number of participants in a health fair from 2008 and 2012 that their demographic data is at risk due to the theft of an unencrypted flash drive.

Apr. 24. Booz Allen reports customer information has been compromised at dozens of car washes in the United States that use the payment infrastructure of DRB Systems.

Apr. 22. Lifespan, Rhode Island’s largest health care network, notifies some 20,000 patients their health information is at risk after a laptop containing it was stolen from an employee’s car.

Apr. 22. Bitcoin exchange Yapizon announces four of its hot wallets were compromised by hackers and bitcoins worth $5.3 million stolen.

Apr. 21. Security researchers Tao Sauvage and Antide Petit report they’ve found 10 noteworthy vulnerabilities in 20 models of Linksys routers that could allow an attacker to overload the routers and prevent Internet access for their users.

Apr. 21. Federal District Court judge in Seattle sentences Roman Valerevich, 32, to 27 years in prison for running a vast credit card fraud and identity theft operation from his homes in Indonesia and Russia.

Apr. 21. Survey by Dimensional Research and sponsored by Check Point Software finds 64 percent of security professionals doubt their organizations can prevent a breach to their employees’ mobile devices.

Apr. 21. Iowa Veterans Home in Marshalltown, Iowa warns nearly 3,000 current and former residents that their medical and financial information is at risk after three employees had their network credentials compromised in a phishing scam.

Apr. 21. UK’s National Crime Agency reports that the availability of free and easy-to-use hacking tools is attracting more and more young people into cybercrime.


Apr. 20. University of California reveals a group of fraudsters bilked the school of $12 million by writing prescriptions using information scammed from students lured to phony clinical trials through Facebook ads.

Apr. 20. Vigilante.pw, a data breach recorder, reports more than 2.4 million user accounts were stolen in 2016 from fashion gaming website and social network Fashion Fantasy Game.

Apr. 20. Dell End-User Security Survey finds that 46 percent of employees use public Wi-Fi networks to access confidential information and 49 percent use personal email accounts for work.

Apr. 20. Mastercard announces a new kind of payment card with a fingerprint sensor to authenticate transactions.

Apr. 20. Outdoor clothing retailer Eddie Bauer declares it will fight class action lawsuit filed in a federal district court in Seattle by Veridian Credit Union over a data breach that occurred between January and July 2016.

Apr. 20. ServiceNow releases results of survey of 300 CISOs that finds 81 percent of them believe data breaches in their company are going unaddressed and 78 percent said they were concerned they didn’t have the capability to detect a data breach.

Apr. 20. Center for Children’s Digestive Health in Illinois agrees to pay $31,000 to U.S. Department of Health and Human Services for storing protected health information with a third party service provider without a Business Associate Agreement.

Apr. 19. MacKeeper Security Research Center reports Schoolzilla, a student data warehousing platform, exposed private data for 1.3 million students on the Internet when it misconfigured its cloud storage, an Amazon S3 bucket.

Apr. 19. Oracle patches 299 vulnerabilities in most of the company’s product families including Oracle Database Server, Fusion Middleware, Enterprise Manager Base platform, PeopleSoft Enterprise and Java.

Apr. 19. Metropolitan Police says it will investigate how a mail marketing agency obtained the addresses of 30,000 gun owners in the UK that were in a database maintained by the agency.

Apr. 19. Ipsos Mori releases survey that finds 2.5 million UK businesses suffered a digital attack last year.

Apr. 17. InterContinental Hotels Group releases data that reveals point-of-sale malware attack announced in February affected more than 1,000 of its properties, not 12 as originally estimated.

Apr. 13. Protenus reports that in March there were 39 health care data breaches affecting more than 1.5 million patient records, more than the two previous months combined.

Apr. 13. KnowBe4 releases list of top-clicked topics in phishing emails for first quarter. At the top of the list was UPS Label Delivery, followed by email account updates, full inbox and delivery attempt was made.

Apr. 13. The Metro Community Provider Network in Denver agrees to pay $400,000 to settle case against it by the U.S. Department of Health and Human Services Office for Civil Rights stemming from a data breach at the organization in 2011.

Apr. 13. California Federal District Court Judge Vince Chhabria rejects motion to dismiss class action lawsuit against the Kimpton Hotel and Restaurant Group over data breach that resulted in the compromise of payment cards used at the chain from Feb. 16 to Jul. 7, 2016. Kimpton argued the case should be dismissed because no harm was suffered by plaintiffs.

Apr. 12. Canadian court denies bail for Karim Baratov, 22, an immigrant from Kazakhstan, who is awaiting extradition to the United States for allegedly participating in Yahoo data breaches that compromised 500 million user accounts.

Apr. 12. CGI releases an analysis of 65 “severe” and “catastrophic” data breaches and finds they can cost a company 1.8 percent of its value or, for a typical FTSE 100 company, a permanent loss of market capitalization of £120 million.

Apr. 12. AQA, an independent education charity and the largest provider of academic qualifications taught in UK schools and colleges, says personal information for 64,000 current and former examiners was stolen by hackers who breached some of the organization’s online systems.

Apr. 12. Irish Data Commissioner Helen Dixon says her office is preparing a report on the Yahoo data breach that resulted in the theft of data on 500 million accounts, and it will impose remedial action if necessary.

Apr. 11. Irish Office of the Data Protection Commissioner reports it received 2,224 data breach notifications in 2016, a four percent decrease from 2015 when 2,317 breaches were reported.

Apr. 11. Irish Data Protection Commissioner’s office announces it has finalized preparations for an investigation into the processing of patient data in the country’s hospitals.

Apr. 11. Mailguard, an antivirus software maker, warns Australian businesses to beware of false invoices that appear to be from the popular accounting software MYOB and contain a bogus invoice button leading to a booby-trapped website.

Apr. 10. The Wall Street Journal reports tens of thousands of dollars have been stolen from third-party sellers on Amazon by hackers who are using stolen credentials to compromise the sellers’ accounts.

Apr. 9. Payday loan firm Wonga says it is investigating a data breach that could affect as many as 245,000 customers in the UK.

Apr. 7. Twitter drops lawsuit against U.S. government after U.S. Customs and Border Protection withdraws summons demanding identity of people behind a Twitter account critical of President Donald J. Trump.

Apr. 7. Gamestop confirms it has been notified by a credit card processor that credit card data from its website is being sold on the Internet. It advises customers to monitor their credit cards for unauthorized charges while it investigates the potential data breach.

Apr. 7. Personal health information of 918,000 people is at risk after a backup database belonging to HealthNow Networks, a Florida telemarketer, was posted without access controls to the Internet.

Apr. 6. U.S. Government Accounting Office recommends Congress authorize agencies to determine the appropriate level of identity theft insurance for persons affected by data breaches. Currently coverage amounts are fixed by law.

Apr. 6. Internal Revenue Service tells U.S. Senate Finance Committee that as many as 100,000 taxpayers could have been compromised and $30 million stolen in a scam where hackers posed as students using a data retrieval tool used to prepare applications for financial aid.

Apr. 6. New Mexico Gov. Susana Martinez signs into law a bill requiring anyone owning or licensing the personal data of any resident of the state to notify them if their data is affected by a breach.

Apr. 5. Scottrade announces Genpact, a third-party vendor, uploaded to an insecure server a data set containing commercial loan information for 20,000 people and businesses and that the two were investigating to what extent the data may have been compromised.

Apr. 5. UK Information Commissioner’s Office fines 11 charities £138,000 for misusing information about millions of past donors to seek further funds for future projects.

Apr. 5. Quest Diagnostics argues in a New Jersey federal court that a putative class action lawsuit stemming from a data breach at the company affecting some 34,000 people should be dismissed because the incident did not increase the lead plaintiff’s risk of identity theft since the stolen material was already publicly available.

Apr. 4. MacKeeper researcher Chris Vickery reports that an online data repository used by the state of North Carolina was left exposed to the public Internet for an unknown amount of time.

Apr. 4. Bitglass reports that one in three organizations have been hacked more than five times in the last 12 months and that 87 percent of them were victims of at least one cyberattack.

Apr. 4. Tennessee Governor Bill Haslam signs into law amendments to state’s data breach law clarifying when the 45-day notice requirement is triggered and adding technical requirements for its encryption exemption.

Apr. 3. International Association of Athletics Federations announces data breach it believes was perpetrated by Fancy Bear, the group of Russian hackers who meddled with the 2016 U.S. presidential election, but can’t confirm if any data was stolen in the attack.

Apr. 3. Online edition of JAMA Internal Medicine publishes study finding that larger hospitals and those with a major teaching mission are more likely to suffer a data breach than smaller hospitals without a teaching mission.

Apr. 3. Reservation Center, an online travel agency, files lawsuit in federal district court in Ohio against Expedia for allegedly stealing data from RC and selling it to its competitors.

Apr. 3. Vancouver police arrest man believed to have broken into PharmaNet, a centralized system for pharmacies in the Canadian province of British Columbia, and used patient information for fraudulent purposes.


John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.

The Cybercrime Diary is sponsored by Digital Defense, Inc.
