10 Apr Cybercrime Diary, Vol. 2, No. 4: Who’s Hacked? Latest Data Breaches And Cyberattacks
Yahoo, Equifax data breaches grow during fourth quarter
Sausalito, Calif. – Jan. 5, 2018
Both Yahoo and Equifax revised their tallies of users affected by mammoth data breaches at those companies during the last quarter of 2017, as other top-shelf brands also found their data threatened during the period.
Yahoo’s new owner Verizon announced during the quarter that all three billion Yahoo accounts were affected in the now infamous 2013 data breaches. Equifax, too, added 2.5 million accounts to the toll of its breach in 2017, bringing the grand total of affected users to 145.5 million.
Another major brand that found itself in the stolen data limelight was Uber, which confessed that information on 57 million driver and rider accounts was stolen by a hacker more than a year ago. The company paid the hacker $100,000 to destroy his copy of the data and wrote the payment off as a “bug bounty.”
Malaysian telecommunication companies were also victimized by data thieves during the quarter when a cache of information was leaked online, including 46.2 million phone numbers, customer details and addresses, and SIM card information, such as IMEI and IMSI numbers.
Another large trove of data was discovered by Troy Hunt, who runs the data breach search information site Have I Been Pwned. He found a database on the Net containing personal information on 30 million South Africans.
A database was also compromised at Disqus, the Internet’s largest provider of hosted commenting systems. It estimates 17.5 million users could be affected by the data breach.
It took We Heart It four years, but the teen-oriented website announced during the quarter it had discovered a 2013 data breach that may affect as many as eight million accounts. It recommended that any users who hadn’t changed their passwords since 2013 do so now.
A huge breach of 13.5 million documents from Appleby, a Bermuda-based law firm that offers financial and tax services to blue chip corporations and very wealthy people, became the source of numerous news stories during the period under the collective rubric “The Paradise Papers.”
Meanwhile data breaches placed at risk 2.7 million accounts at Verticalscope, a Canadian network of websites focused on vertical markets such as cars, pets, sports and technology; 1.7 million accounts at Imgur, an image sharing and host site; 1.6 million accounts at TIO Networks, a payment processing company owned by PayPal; and 1.13 million accounts at Nissan Canada Finance.
Organizations that failed to adequately protect their data paid the price for their shortcomings during the quarter in settlements and penalties. Canada paid C$17.5 million to settle a lawsuit brought by half a million student loan recipients whose personal information was stolen on a hard drive.
Two health care providers were also penalized during the period. 21st Century Oncology of Fort Myers, Fla., agrees to pay a $2.3 million fine to the US Department of Health and Human Services to settle a case stemming from a data breach in 2015 that affected more than 2.2 million patient records. Meanwhile, Cottage Health Systems and its affiliated hospitals paid California $2 million over incidents where the medical information of more than 50,000 patients was exposed online.
Data during the quarter was also jeopardized by website bugs and misconfigured cloud services. Security researcher Karan Saini, for example, found a bug at T-Mobile’s website that put at risk sensitive information about 76 million of the company’s customers.
Meanwhile, security research firm UpGuard discovered misconfigured AWS data repositories exposing to risk information on 123 million American household kept by Alteryx, a California-based data analytics firm, and a trove of sensitive data belonging to Accenture, one of the world’s largest corporate consulting and management firms.
Another research company, Kromtech Security, also found a number of dangerous misconfigurations during the quarter. One, at Tarte Cosmetics, exposed information of two million customers on the Net. Others exposed blood test results of 150,000 people and private information about more than 1.100 NFL players and agents.
CYBERCRIME DIARY
December
Dec. 29. SSM Health in St. Louis, Mo. reports medical records of 29,000 patients are at risk after they were inappropriately accessed by an employee in its customer service call center. It says that although the former employee accessed patient information from multiple states, the focus of his illegal activities was on the medical records of a small number of patients with a controlled substance prescription and a primary care physician within the St. Louis area.
Dec. 28. Jason’s Deli, a fast food chain with 266 locations in 28 states, informs Krebs on Security it is investigating a possible data breach that’s compromised customer payment card information.
Dec. 28. Global clothing retailer Forever 21 announces results of probe of data breach incident it reported in November. It confirms data from customer payment cards was compromised at some of its stores from April 3, 2017 to November 18, 2017.
Dec. 23. Operators of Ancestry.com take offline RootsWeb, a free community-driven collection of tools that are used by some people to host and share genealogical information. Move made after Ancestry notified that a file with email addresses, usernames and passwords of 300,000 of RootsWeb site users had appeared online. Ancestry says only 55,000 of the accounts in the file contain data shared by RootsWeb and one of Ancestry’s sites and many of those were either free trial or unused accounts.
Dec. 22. Canada agrees to settle class action lawsuit for at least C$17.5 million arising from data breach resulting in the loss of personal information of 583,000 student loan recipients. Data was stored on a portable hard drive that went missing five years ago.
Dec. 21. Nissan Canada Finance notifies 1.13 million customers of a data breach affecting an unspecified number of past and present customers. Although the intruder had access to customer name, address, vehicle make and model, vehicle identification number, credit score, loan amount and monthly payment information, the company says there is no evidence the attacker accessed payment and contact information such as email addresses or phone numbers.
Dec. 20. Security research firm UpGuard reports an online repository belonging to Alteryx, a California-based data analytics firm, was left publicly exposed, revealing sensitive personal information for 123 million American households. The respository, an AWS S3 bucket, also contained a database belonging to Alteryx’s partner, Experian, which recently suffered a data breach exposing sensitive information about 145.5 million Americans.
Dec. 13. 21st Century Oncology of Fort Myers, Fla., agrees to pay $2.3 million fine to the US Department of Health and Human Services to settle case stemming from data breach in 2015 that affected more than 2.2 million patient records.
Dec. 13. Personal information of hundreds of prisoners, corrections officers and visitors, along with sensitive operational information about the Alexander Maconochie Centre in Canberra, Australia, are accidently released to a news outlet. The information, which should have been redacted but was not, was sent to the Australian Broadcasting Corporation in compliance with a Freedom of Information Request.
Dec. 8. UNC Dermatology, a practice of physicians at the University of North Carolina, begins notifying 24,000 patients their personal information is at risk after a computer was stolen from the UNC Dermatology & Skin Cancer Center in Burlington, N.C.
Dec. 7. NiceHash CEO Marko Kobal announces his marketplace for mining digital currencies was infiltrated through a compromised computer and 4,700 bitcoins worth $75 million were stolen.
Dec. 7. Sinai Health System in Chicago announces personal information of 11,350 people is at risk after the email accounts of at least two employees were compromised in a phishing attack.
Dec. 6. Reuters reports a 20-year-old Florida man was paid $100,000 through a bug bounty program to destroy data he’d stolen from Uber. The news service says it was unable to identify the man, who was paid through HackerOne, which hosts Uber’s bug bounty program, and another person believed to have helped him.
Dec. 6. Henry Ford Health in Michigan announces it’s notifying 18,478 patients their personal health information was accessed or stolen when the email accounts of a number of employees were compromised. It explains that the patients’ data was in emails in the compromised accounts.
Dec. 6. Ranga Jayaraman, chief digital officer of Stanford University’s School of Business, resigns after discovery of misconfigured server that exposed personal information of 10,000 employees on the public Internet.
Dec. 5. CCRM Minneapolis, a fertility clinic located in Edina, Minn., warns some 3,300 patients their health care information is at risk after an unauthorized third-party launched a ransomware attack on the clinic’s systems.
Dec. 5. US Consumer Financial Protection Bureau head Mick Mulvaney announces agency has frozen the collection of consumer information over cybersecurity concerns. Earlier in the year two reports were released about data security at the agency.
Dec. 4. US Senators Bill Nelson, D-Fla., Richard Blumenthal, D-Conn., and Tammy Baldwin, D-Wisc. file legislation to impose sentences of up to five years in jail for executives who fail to notify consumers within 30 days of a data breach.
Dec. 1. PayPal announces it has found evidence of a data breach in TIO Networks that may have compromised personal identifying information of some 1.6 million customers. TIO is a payment processing company PayPal bought in July.
Dec. 1. Stanford University reveals a misconfigured graduate school of business server exposed online for about six months personal information of 10,000 non-teaching staff throughout the university.
Dec. 1. Morrisons, the fourth largest supermarket chain in the UK, found liable in London’s High Court in collective action brought against the company by 5,518 former and current employees over exposure of their personal data by the chain’s former auditor.
Dec. 1. Nordfront and Gang Rape Sweden post to the Internet a leaked judicial database of sentences imposed on more than 83,000 people from May 4, 2004 to January 8, 2015. Data includes decision date, name, social security number, court, destination number, date of judgment, period of imprisonment, region and place of investigation for the prosecution of suspects.
November
Nov. 30. Bavarian news agency BR24 reports a leak in the user data maintained by international bicycle rental company Obike has exposed for at least two weeks personal and location data of its worldwide customers. It says flaw in Obike’s mobile app exposed a user’s personal data after they shared information about a ride on social media.
Nov. 29. Multi-State billing Services, a medical billing company, agrees to pay Massachusetts $100,000and to improve security practices over data breach in which 2,600 Bay State school children were put at risk of identity theft and fraud.
Nov. 29. Shipbroker Clarkson announces its computer systems have been breached and confidential information stolen. It says hackers gained unauthorized access to the systems through a compromised user account.
Nov. 29. A collective lawsuit is filed against Google in London’s High Court for bypassing data protections in Apple’s Safari browser to gather data from UK iPhone users and use it for targeted advertising.
Nov. 28. New York Times reports an investigation is under way by federal authorities into the theft of a computer system containing sensitive personal information of some 246,000 employees of the US Department of Homeland Security. It notes the theft was part of a scheme by three members of the DHS’ Inspector General’s Office who planned to modify that office’s case management software and sell it to inspector general’s offices throughout the federal government.
Nov. 28. UpGuard reports Accenture, one of the world’s largest corporate consulting and management firms, exposed for an unknown amount of time the data in four AWS cloud storage buckets. The data, which was unsecured and accessible to the public, included secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients.
Nov. 25. The UK’s Sunday Telegraph reports personal information of the 5,000 members of the prestigious Oxford and Cambridge Club is at risk after a backup hard drive containing the data was stolen from the club’s headquarters in London. Among the members affected by the theft are comedian Stephen Fry and the UK’s leading astrophysicist Lord Rees.
Nov. 25. Irish Central Statistics Office confirms personal information on some 3,000 former employees was exposed when it was accidentally sent to four individuals, three of whom are former employees.
Nov. 24. North Carolina Department of Health and Human Services notifies some 6,000 people their personal identifying information is at risk after the agency accidentally sent a spreadsheet containing the data to a vendor.
Nov. 23. Australian Department of Social Services notifies 8,500 current and former employees their personal information is at risk after a data breach at Business Information Services, a contractor of the agency. According to The Guardian, the employees’ data, which covered a period from 2004 to 2015, was exposed from June 2016 to October 2017.
Nov. 23. Dalhousie University in Canada notifies 20,000 people, mostly alumni, their personal information was exposed on the school’s computer network in a folder accessible to faculty, staff and students. The institution adds the information was exposed from Sept. 16, 2016 to March 3, 2017.
Nov. 24. Imgur, an image sharing and host site, announces it’s investigating a 2014 data breach that affected the email addresses and passwords of 1.7 million user accounts. The site was notified of the breach by Troy Hunt, who runs the data breach notification service Have I Been Pwned.
Nov. 22. Cottage Health Systems and its affiliated hospitals in California agree to $2 million settlement with the Golden State in case involving allegations that the provider failed to implement basic, reasonable safeguards to protect patient medical information in violation of state and federal privacy laws. The settlement follows two data breach incidents by Cottage Health where the medical information of more than 50,000 patients was exposed online.
Nov. 21. Uber reveals 57 million driver and rider accounts were stolen by hackers. It says theft was kept secret for more than a year after paying a $100,000 ransom to the thieves.
Nov. 20. Intel publishes security advisory listing new vulnerabilities in some of its management tools. Flaws in Management engine, remote server management tool Server Platform Services, and hardware authentication tool Trusted Execution Engine could be used by a threat actor to gain full control over a computer.
Nov. 20. The Unique Identification Authority of India, in response to a Right to Information request, reveals 210 central and state government websites have leaked personal details of users of Aadhaar, the country’s national identification system. The agency says the information has been removed from public view but would not say how or when the breach took place or how many citizens were affected by the leak.
Nov. 20. Student at McMaster University in Canada is charged with unauthorized use of a computer after breaking into a database containing admission offer letters of 25,000 applicants.
Nov. 17. Owner of website that allows Malaysians to see if their personal information was compromised in a massive data breach of telecommunications companies in the country announces he’s shutting down the site after Malaysian authorities blocked the site. Subscription information for 46.2 million Malaysians was stolen in the breach.
Nov. 16. Kromtech reports data belonging to the Australian Broadcasting Company was exposed to the public Internet due to misconfiguration of at least two AWS S3 buckets. Data included hashed passwords and credentials to access ABC content.
Nov. 14. Google releases study of stolen account credentials which finds 788,000 credentials stolen by keyloggers, 12.4 million by phishing and 1.9 billion by data breaches.
Nov. 14. Global clothing retailer Forever 21 announces it’s investigating a potential data breach exposing payment card information to threat actors. Chain has more than 800 stores in 57 countries.
Nov. 10. Google reports phishing victims are 400 times more likely to have their accounts hijacked compared to 10 times for data breach victims. It explains phishing is riskier to users because more and better information is acquired by hackers in a phishing attack than in a data breach.
Nov. 10. Equifax reports quarterly profits plunged 27 percent following massive data breach exposing confidential information of 145.5 million Americans.
Nov. 10. Kromtech Security Center reports a misconfigured Apache Hive database belonging to ride share service Fasten was exposed to the public Internet for 48 hours before being taken offline. Exposed information included customer data on some one million users of the company’s mobile app.
Nov. 8. Risked Based Security reports there were 3,833 data breaches globally during the first three quarters of 2017, exposing more than seven billion records. However, 78.5 percent of those records were exposed in just five breaches.
Nov. 8. Former CEO Marissa Mayer apologizes to Yahoo users for two massive data breaches at the company while appearing before a congressional committee holding hearings on cyber attacks on US companies. She also blames Russia for at least one of the breaches.
Nov. 8. The Guardian reports a flaw at the website of the Australian Securities and Investments Commission allows one person to view another’s search history by entering an email address and a date range. Defect also allows documents to be downloaded that another person paid for.
Nov. 8. US Federal Trade Commission finalizes settlement in data breach case involving TaxSlayer. During the breach, 9,000 user accounts were compromised and the information used to file false tax returns. Settlement calls for TaxSlayer not to violate federal laws governing securing customer information for 20 years and for submitting to biennial third-party assessments of compliance with those laws for 10 years.
Nov. 7. Spirit One, a Portland, Ore. Internet Service Provider, confirms it accidentally gave one of its customers access to other customers’ email accounts. The company explained that it thought the customer was the administrator of a domain managed by Spirit One.
Nov. 7. UK Information Commissioner’s Office releases survey that finds only 20 percent of Britain’s citizens trust companies to securely store their personal information.
Nov. 5. News outlets around the world begin publishing stories based on the “Paradise Papers,” a cache of more than 13.4 million documents leaked from Appleby, a Bermuda-based law firm that offers financial and tax services to blue chip corporations and very wealthy people.
Nov. 5. Hackread reports hackers have stolen WhatsApp screenshots of explicit photos and chat conversations of World Wrestling Entertainment personality Paige, whose real name is Saraya Jade-Bevis, and posted them to celebrity gossip website. It adds that the material was also posted to Twitter.
Nov. 3. Krebs on Security reports data breach at Verticalscope, a Canadian network of websites focused on vertical markets such as cars, pets, sports and technology, has put at risk at least 2.7 million user accounts. Krebs adds that a previous breach in 2016 at the company resulted in the theft of information on 45 million accounts.
Nov. 3. AT&T reports the average cost to recover from a data breach in 2017 was $3.6 million.
Nov. 2. JD Power releases survey of 1,322 U.S consumers that finds only 51 percent are very aware or somewhat aware of the Equifax data breach that compromised sensitive personal and financial information of 145.5 million Americans.
Nov. 2. iTnews reports a misconfigured Amazon S3 bucket has exposed to the public Internet personal information of almost 50,000 Australian employees of several government agencies, banks and a utility. The flawed bucket, which belongs to a third-party contractor, was discovered by Polish security researcher who goes by the Twitter handle Wojciech.
Nov. 1. Hetzner, a South African data center operator and web hosting provider, advises clients that one of its databases was accessed by an unauthorized party and recommends they change their passwords immediately.
October
Oct. 31. Hilton hotels pays $700,000 to settle claims against it by New York and Vermont for two data breaches that occurred in 2015. In a statement, New York Attorney General Eric T. Schneiderman says Hilton failed to timely notify consumers of the breaches, did not maintain reasonable data security and did not comply with a number of payment card industry data security standards.
Oct. 31. Health insurer CareFirst petitions US Supreme Court to overturn lower cower ruling that allowed a class action lawsuit over a data breach to proceed although no actual harm to members of the class was shown. If Court agrees to decide the case, it could clear up conflicting decisions by lower courts over when a data breach lawsuit should be allowed to proceed in court.
Oct. 30. Denver Post reports personal and financial information of 800 donors, customers, and current and former employees of the Denver Art Museum were compromised in a “data security incident” that occurred during the summer.
Oct. 30. New Jersey Attorney General Christopher Porrino releases first annual data breach report. It found 116,000 of the state’s resident were affected by 676 data breaches in 2016.
Oct. 30. Eclectic website Lowyat.net reports it’s confirmed that some 46.2 million mobile phone numbers from Malaysian telecommunications companies and mobile virtual operators have been leaked online. It says leak includes postpaid and prepaid numbers, customer details and addresses, as well as SIM card information, such as IMEI and IMSI numbers.
Oct. 29. Heathrow airport officials launch investigation into origin of a USB stick found by an unemployed man who turned it over to a UK newspaper. The device contained confidential data, including the exact route Britain’s queen takes to the airport.
Oct. 26. Reserve Bank of India imposes $1 million penalty on Yes Bank for failing to promptly report a data breach in 2016 that affected 3.2 million debit cards issued by the institution. Under RBI rules, a bank must report a breach within two to six hours of its discovery.
Oct. 26. Motherboard reports a security researcher warned Equifax of the vulnerability that led to the compromise of sensitive personal information of 145.5 million Americans six months before the data breach occurred.
Oct. 26. Insurance giant AIG announces it will start to include cyber coverage in its commercial casualty insurance policies beginning in 2018. Typically businesses need to purchase such coverage as a separate policy.
Oct. 25. Appelby, a Bermuda-based law firm that caters to the super rich, announces it suffered a data breach in 2016 and that it’s being contacted about it by the International Consortium of Investigative Journalists.
Oct. 25. Rasmussen Reports survey of 1,000 American adults reveals 41 percent of them have been victims of payment card information theft.
Oct. 25. F-Secure releases analysis of email addresses of more than 200 CEOs from top businesses in 10 countries finding 30 percent of the executives had their passwords leaked when a service they subscribe to suffered a data breach.
Oct. 24. Specialty insurer Beazley reports rapid rise in data breaches of its clients caused by social engineering attacks. It says during first three months of 2017, social engineering data breaches increased nine percent, compared to one percent for the same period in 2016.
Oct. 23. Hacker group that calls itself The Dark Overlord breaches systems at London Bridge Plastic Surgery in the UK and steals an undisclosed amount of data. Clinic is known for its celebrity clients, including some members of the Britain’s royal family.
Oct. 23. Georgia Revenue commissioner Lynne Riley says state has blocked $108 million in fraudulent tax returns in 2017, compared to $19 million in 2015.
Oct. 23. Coinhive, a cryptocurrency mining software provider, acknowledges a compromised password led to the hijacking of its mining scripts , which allowed thieves to redirect funds intended for Coinhive into a virtual wallet controlled by the attackers.
Oct. 23. COL financial, a major online Philippines brokerage firm, warns clients it has discovered a possible data breach of its systems. It says client account balances, stock positions and account transactions were not affected by the incident, but recommends passwords be changed.
Oct. 20. Federal court in Manhattan sentences Yuri Lebedev, a Florida software engineer, to 16 months in prison for role in data breach at JPMorgan Chase & Co. in 2014 that exposed information on more than 83 million accounts.
Oct. 20. Kromtech reports Tarte Cosmetics has secured two databases containing information on nearly two million online customers after a misconfiguration error exposed the data to the public Internet for more than 10 years.
Oct. 19. Verisk Analytics estimates losses to Merk & Co. due to “NotPetya” data breach in June could cost insurers $275 million.
Oct. 19. Class action lawsuit filed against home respiratory care and medical equipment provider Lincare Holdings of Clearwater, Fla. by employees who allege they were harmed by data breach that exposed their tax information to online thieves.
Oct. 17. IRS Commissioner John Koskinen says his agency doesn’t expect the Equifax data breach to have a major impact on 2018 tax filings since 100 million Americans had already had their personal identifying information stolen by digital thieves prior to the breach.
Oct. 17. Reuters reports Microsoft’s database for tracking bugs in its software was breached by hackers in 2013 and the company never revealed the intrusion to its customers or the public. The defects were eventually corrected, but in the interim, the threat actors could have used the bug data to attack any computer using Microsoft software.
Oct. 17. Troy Hunt, founder of the data breach information search site HaveI BeenPwned, announces he’s found a database containing unique personal information of more than 30 million South Africans. He says the data breach that exposed the information took place around March 2017, although some data dates back to the 1990s.
Oct. 16. Pizza Hut informs some 60,000 customers who placed orders with the company’s mobile app or at its website that their payment card information has been stolen by a hacker.
Oct. 16. Beazley, a specialist insurer, reports that during the first nine months of 2017, unintended disclosure accounted for 41 percent of data breach incidents reported to the company by health care organizations. That’s more than twice the second most frequent cause for data loss, hacking or malware (19 percent).
Oct. 13. We Heart It, a teen-oriented website, reveals eight million accounts may have been affected by a data breach that took place in 2013. It advises users who have not changed their passwords since 2013 to do so now.
Oct. 12. Equifax takes down one of its web pages after discovering it contained malicious code from a third-party vendor. The code on the company’s credit report assistance page uses an Adobe Flash document to infect a computer with malware.
Oct. 12. IRS temporarily suspends $7.2 million contract it awarded Equifax to verify taxpayers’ identities and help combat fraud. Suspension comes about a month after a data breach at Equifax compromised confidential information of 145.5 million Americans.
Oct. 12. Hyatt Hotels acknowledges it’s discovered unauthorized access to customer payment card information at 41 properties worldwide, including 18 in China, between March 18, 2017 and July 2, 2017. In 2015, a similar incident affected 250 of the chain’s hotels in 50 countries.
Oct. 11. Washington Attorney General Bob Ferguson releases second annual data breach report for the state. It finds that three million state residents were affected by data breaches between July 2016 and July 2017. That’s six times more residents affected than in the previous 12-month period.
Oct. 11. ZDNet reports Victory Phones, an automated phone research and data compilation firm in Grand Rapids, Mich. was hacked and several databases stolen. It says theft exposes data on hundreds of thousands of Americans who submitted donations to political campaigns.
Oct. 10. Kromtech Security reports an Amazon S3 repository belonging to Patient Home Monitoring exposed to the public Internet blood test results of an estimated 150,000 people. PHM offers a variety of monitoring services to manage respiratory diseases and sleep apnea, as well as blood testing for patients on anticoagulants.
Oct. 10. Motherboard reports a bug on a T-Mobile website has put at risk sensitive information about 76 million of the company’s customers.
Oct. 9. First class action lawsuit arising from a data breach begins in London’s High Court. The litigation was brought by 5,500 employees of UK supermarket giant Morrisons whose former auditor exposed personal information of nearly 100,000 employees online over a “personal grievance” with the company.
Oct. 9. Domino’s Australia says it’s investigating a potential data leak at a former supplier after some of its customers began receiving spam that contained information about where they bought their pizza.
Oct. 6. US Office of the Inspector General reports Federal Deposit Insurance Corp., which is responsible for insuring the nation’s banks, suffered more than 50 data breaches in 2015 and 2016. The OIG also notes the average time the FDIC took to notify people affected by the hacks was 288 days.
Oct. 6. Disqus, the Internet’s largest provider of hosted commenting systems, announces one of its databases from 2012, which included information dating back to 2007, was exposed in a data breach. It says 17.5 million users may be affected by the attack.
Oct. 6. Forrester Research reveals intruders using stolen credentials accessed some confidential reports intended for clients but did not access any client data.
Oct. 6. Cabrillo College in Aptos, Calif. notifies 40,000 students their personal information may have been exposed in a breach of the school’s computer systems. College says Social Security numbers of 12,000 students and personal information of 28,000 others may have been compromised.
Oct. 4. Fast food chain Sonic reveals malware attack on some of its outlets may have exposed their customers payment card information to hackers.
Oct. 4. Catholic United Financial, a financial services company servicing Catholic Church members in the upper US Midwest, informs 127,310 current and former members of a data breach. It says hacker accessed first and last names, mailing addresses, dates of birth, email addresses, insurance policy information and Social Security numbers of members.
Oct. 3. Equifax CEO Richard Smith, appearing before a congressional committee examining a data breach at his company, blames a single IT person failing to patch an Apache flaw that led to the exposure of sensitive personal information of 145.5.million Americans.
Oct. 3. Verizon Communications reveals all three billion Yahoo user accounts were affected by data breach in 2013. Verizon purchased Yahoo for $4.48 billion in June.
Oct. 3. Federal investigators warn Atlanta public school system that confidential data on the system’s 6,000 employees may have been compromised in data breach.
Oct. 2. Information security research firm Kromtech reports a misconfigured Elasticsearch database has exposed to the public Internet private information of more than 1,100 NFL players and agents.
Oct. 2. Equifax reveals an additional 2.5 million Americans were affected by a data breach at the company in July. New tally brings the total number of people affected by the breach to 145.5 million.
Oct. 1. Vermont Attorney General T.J. Donovan announces SAManage USA will pay $264,000 fine for exposing online Social Security numbers of 660 Vermont Health Connect users.
John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
The Cybercrime Diary is sponsored by Digital Defense, Inc.
Founded in 1999, Digital Defense is a trusted provider of security risk assessment solutions, protecting billions of dollars in assets for clients around the globe.
Serving clients across numerous industries from small businesses to very large enterprises, Digital Defense’s innovative and leading edge information security technology helps organizations safeguard sensitive data and eases the burdens associated with information security. Frontline Vulnerability Manager™, the original Vulnerability Management as a Service (VMaaS) platform, delivers consistently accurate vulnerability scanning and penetration testing, while SecurED®, the company’s security awareness training promotes employees’ security-minded behavior.