DATA BREACH REPORT
FROM THE EDITORS AT CYBERSECURITY VENTURES
Yahoo, Equifax data breaches grow during fourth quarter
Sausalito, Calif. – Jan. 5, 2018
Both Yahoo and Equifax revised their tallies of users affected by mammoth data breaches at those companies during the last quarter of 2017, as other top-shelf brands also found their data threatened during the period.
Yahoo’s new owner Verizon announced during the quarter that all three billion Yahoo accounts were affected in the now infamous 2013 data breaches. Equifax, too, added 2.5 million accounts to the toll of its breach in 2017, bringing the grand total of affected users to 145.5 million.
Another major brand that found itself in the stolen data limelight was Uber, which confessed that information on 57 million driver and rider accounts was stolen by a hacker more than a year ago. The company paid the hacker $100,000 to destroy his copy of the data and wrote the payment off as a “bug bounty.”
Malaysian telecommunication companies were also victimized by data thieves during the quarter when a cache of information was leaked online, including 46.2 million phone numbers, customer details and addresses, and SIM card information, such as IMEI and IMSI numbers.
Another large trove of data was discovered by Troy Hunt, who runs the data breach search information site Have I Been Pwned. He found a database on the Net containing personal information on 30 million South Africans.
A database was also compromised at Disqus, the Internet’s largest provider of hosted commenting systems. It estimates 17.5 million users could be affected by the data breach.
It took We Heart It four years, but the teen-oriented website announced during the quarter it had discovered a 2013 data breach that may affect as many as eight million accounts. It recommended that any users who hadn’t changed their passwords since 2013 do so now.
A huge breach of 13.5 million documents from Appleby, a Bermuda-based law firm that offers financial and tax services to blue chip corporations and very wealthy people, became the source of numerous news stories during the period under the collective rubric “The Paradise Papers.”
Meanwhile data breaches placed at risk 2.7 million accounts at Verticalscope, a Canadian network of websites focused on vertical markets such as cars, pets, sports and technology; 1.7 million accounts at Imgur, an image sharing and host site; 1.6 million accounts at TIO Networks, a payment processing company owned by PayPal; and 1.13 million accounts at Nissan Canada Finance.
Organizations that failed to adequately protect their data paid the price for their shortcomings during the quarter in settlements and penalties. Canada agreed to pay at least C$17.5 million to settle a lawsuit brought by some 583,000 student loan recipients whose personal information was on a portable hard drive that went missing.
Two health care providers were also penalized during the period. 21st Century Oncology of Fort Myers, Fla., agreed to pay a $2.3 million fine to the US Department of Health and Human Services to settle a case stemming from a 2015 data breach that affected more than 2.2 million patient records. Meanwhile, Cottage Health Systems and its affiliated hospitals paid California $2 million over incidents in which the medical information of more than 50,000 patients was exposed online.
Data during the quarter was also jeopardized by website bugs and misconfigured cloud services. Security researcher Karan Saini, for example, found a bug at T-Mobile’s website that put at risk sensitive information about 76 million of the company’s customers.
Meanwhile, security research firm UpGuard discovered misconfigured AWS S3 buckets exposing information on 123 million American households held by Alteryx, a California-based data analytics firm, and a trove of sensitive data belonging to Accenture, one of the world’s largest corporate consulting and management firms.
Another research company, Kromtech Security, also found a number of dangerous misconfigurations during the quarter. One, at Tarte Cosmetics, exposed information on nearly two million customers to the public Internet. Others exposed blood test results of 150,000 people and private information about more than 1,100 NFL players and agents.
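The exposures attributed to UpGuard and Kromtech above (and the Alteryx, Accenture, ABC and Australian-contractor S3 entries in the chronology below) share one root cause: a bucket ACL that grants a public group access, or a bucket policy that allows a wildcard principal. As an added example, not code from this report or from either research firm, the Python below audits those two documents offline. It assumes the JSON shapes returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` (the latter returns the policy as a string under `"Policy"`, which must be parsed first); the bucket name, account ID and role name in the samples are hypothetical, and the sample documents are constructed for illustration.

```python
import json

# S3 "canned" public groups that appear in bucket/object ACL grants.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return [(group, permission)] for every grant to AllUsers or AuthenticatedUsers.

    `acl` has the shape returned by `aws s3api get-bucket-acl`.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def _wildcard_principal(principal):
    """True if a statement's Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return Allow statements with a wildcard principal, noting whether a Condition narrows them.

    `policy` is the parsed document; `aws s3api get-bucket-policy` returns it as a
    JSON string under the "Policy" key, so json.loads() that string first.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        findings.append({
            "sid": st.get("Sid", "statement[%d]" % i),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            # A Condition such as aws:SourceVpce or aws:PrincipalOrgID can restrict a "*"
            # principal; those still deserve review, but the unconditional form is the
            # pattern behind the exposures described in the report.
            "conditional": "Condition" in st,
        })
    return findings


def bucket_is_public(acl, policy):
    """Anyone can reach the bucket if the ACL grants a public group anything, or the
    policy contains an unconditional Allow for a wildcard principal."""
    if acl_public_grants(acl):
        return True
    return any(not f["conditional"] for f in policy_public_statements(policy))


# --- constructed sample documents (hypothetical, not from any real bucket) -------------

OWNER_ID = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

EXPOSED_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        # The misconfiguration itself: "Everyone: Read" on the bucket.
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

PRIVATE_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [EXPOSED_ACL["Grants"][0]]}

# The same exposure expressed as a bucket policy.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-analytics-bucket/*"}]
}""")

# Hardened form: one named role may read, and plaintext transport is denied to everyone.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PartnerRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/analytics-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-analytics-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-analytics-bucket", "arn:aws:s3:::example-analytics-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

if __name__ == "__main__":
    for name, acl, policy in [("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                              ("hardened", PRIVATE_ACL, HARDENED_POLICY)]:
        print(name, "public" if bucket_is_public(acl, policy) else "private",
              acl_public_grants(acl), policy_public_statements(policy))
```

The check is deliberately conservative: a `Deny` with `Principal: "*"` is never flagged, and an `Allow` to `"*"` that carries a `Condition` is reported but not counted as public on its own, since conditions such as a VPC endpoint or organization ID restriction can make it legitimate. Object-level ACLs can also expose individual keys even when the bucket ACL and policy are clean, so a full audit runs `acl_public_grants` over each object's ACL as well.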
Dec. 29. SSM Health in St. Louis, Mo. reports medical records of 29,000 patients are at risk after they were inappropriately accessed by an employee in its customer service call center. It says that although the former employee accessed patient information from multiple states, the focus of his illegal activities was on the medical records of a small number of patients with a controlled substance prescription and a primary care physician within the St. Louis area.
Dec. 28. Jason’s Deli, a fast food chain with 266 locations in 28 states, informs Krebs on Security it is investigating a possible data breach that’s compromised customer payment card information.
Dec. 28. Global clothing retailer Forever 21 announces results of probe of data breach incident it reported in November. It confirms data from customer payment cards was compromised at some of its stores from April 3, 2017 to November 18, 2017.
Dec. 23. Operators of Ancestry.com take offline RootsWeb, a free community-driven collection of tools used by some people to host and share genealogical information. The move was made after Ancestry was notified that a file with email addresses, usernames and passwords of 300,000 RootsWeb users had appeared online. Ancestry says only 55,000 of the accounts in the file contain data shared between RootsWeb and one of Ancestry’s sites, and many of those were either free trial or unused accounts.
Dec. 22. Canada agrees to settle class action lawsuit for at least C$17.5 million arising from data breach resulting in the loss of personal information of 583,000 student loan recipients. Data was stored on a portable hard drive that went missing five years ago.
Dec. 21. Nissan Canada Finance notifies 1.13 million customers of a data breach affecting an unspecified number of past and present customers. Although the intruder had access to customer name, address, vehicle make and model, vehicle identification number, credit score, loan amount and monthly payment information, the company says there is no evidence the attacker accessed payment and contact information such as email addresses or phone numbers.
Dec. 20. Security research firm UpGuard reports an online repository belonging to Alteryx, a California-based data analytics firm, was left publicly exposed, revealing sensitive personal information for 123 million American households. The repository, an AWS S3 bucket, also contained a database belonging to Alteryx’s partner, the credit bureau Experian.
Dec. 13. 21st Century Oncology of Fort Myers, Fla., agrees to pay $2.3 million fine to the US Department of Health and Human Services to settle case stemming from data breach in 2015 that affected more than 2.2 million patient records.
Dec. 13. Personal information of hundreds of prisoners, corrections officers and visitors, along with sensitive operational information about the Alexander Maconochie Centre in Canberra, Australia, is accidentally released to a news outlet. The information, which should have been redacted but was not, was sent to the Australian Broadcasting Corporation in compliance with a Freedom of Information request.
Dec. 8. UNC Dermatology, a practice of physicians at the University of North Carolina, begins notifying 24,000 patients their personal information is at risk after a computer was stolen from the UNC Dermatology & Skin Cancer Center in Burlington, N.C.
Dec. 7. NiceHash CEO Marko Kobal announces his marketplace for mining digital currencies was infiltrated through a compromised computer and 4,700 bitcoins worth $75 million were stolen.
Dec. 7. Sinai Health System in Chicago announces personal information of 11,350 people is at risk after the email accounts of at least two employees were compromised in a phishing attack.
Dec. 6. Reuters reports a 20-year-old Florida man was paid $100,000 through a bug bounty program to destroy data he’d stolen from Uber. The news service says it was unable to identify the man, who was paid through HackerOne, which hosts Uber’s bug bounty program, and another person believed to have helped him.
Dec. 6. Henry Ford Health in Michigan announces it’s notifying 18,478 patients their personal health information was accessed or stolen when the email accounts of a number of employees were compromised. It explains that the patients’ data was in emails in the compromised accounts.
Dec. 6. Ranga Jayaraman, chief digital officer of Stanford University’s Graduate School of Business, resigns after discovery of a misconfigured server that exposed personal information of 10,000 employees on the public Internet.
Dec. 5. CCRM Minneapolis, a fertility clinic located in Edina, Minn., warns some 3,300 patients their health care information is at risk after an unauthorized third-party launched a ransomware attack on the clinic’s systems.
Dec. 5. US Consumer Financial Protection Bureau head Mick Mulvaney announces agency has frozen the collection of consumer information over cybersecurity concerns. Earlier in the year two reports were released about data security at the agency.
Dec. 4. US Senators Bill Nelson, D-Fla., Richard Blumenthal, D-Conn., and Tammy Baldwin, D-Wisc. file legislation to impose sentences of up to five years in jail for executives who fail to notify consumers within 30 days of a data breach.
Dec. 1. PayPal announces it has found evidence of a data breach in TIO Networks that may have compromised personal identifying information of some 1.6 million customers. TIO is a payment processing company PayPal bought in July.
Dec. 1. Stanford University reveals a misconfigured graduate school of business server exposed online for about six months personal information of 10,000 non-teaching staff throughout the university.
Dec. 1. Morrisons, the fourth largest supermarket chain in the UK, found liable in London’s High Court in collective action brought against the company by 5,518 former and current employees over exposure of their personal data by the chain’s former auditor.
Dec. 1. Nordfront and Gang Rape Sweden post to the Internet a leaked judicial database of sentences imposed on more than 83,000 people from May 4, 2004 to January 8, 2015. Data includes decision date, name, social security number, court, destination number, date of judgment, period of imprisonment, region and place of investigation for the prosecution of suspects.
Nov. 30. Bavarian news agency BR24 reports a leak in the user data maintained by international bicycle rental company Obike has exposed for at least two weeks personal and location data of its worldwide customers. It says flaw in Obike’s mobile app exposed a user’s personal data after they shared information about a ride on social media.
Nov. 29. Multi-State Billing Services, a medical billing company, agrees to pay Massachusetts $100,000 and to improve its security practices over a data breach in which 2,600 Bay State school children were put at risk of identity theft and fraud.
Nov. 29. Shipbroker Clarkson announces its computer systems have been breached and confidential information stolen. It says hackers gained unauthorized access to the systems through a compromised user account.
Nov. 29. A collective lawsuit is filed against Google in London’s High Court for bypassing data protections in Apple’s Safari browser to gather data from UK iPhone users and use it for targeted advertising.
Nov. 28. New York Times reports an investigation is under way by federal authorities into the theft of a computer system containing sensitive personal information of some 246,000 employees of the US Department of Homeland Security. It notes the theft was part of a scheme by three members of the DHS’ Inspector General’s Office who planned to modify that office’s case management software and sell it to inspector general’s offices throughout the federal government.
Nov. 28. UpGuard reports Accenture, one of the world’s largest corporate consulting and management firms, exposed for an unknown amount of time the data in four AWS cloud storage buckets. The data, which was unsecured and accessible to the public, included secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients.
Nov. 25. The UK’s Sunday Telegraph reports personal information of the 5,000 members of the prestigious Oxford and Cambridge Club is at risk after a backup hard drive containing the data was stolen from the club’s headquarters in London. Among the members affected by the theft are comedian Stephen Fry and the UK’s leading astrophysicist Lord Rees.
Nov. 25. Irish Central Statistics Office confirms personal information on some 3,000 former employees was exposed when it was accidentally sent to four individuals, three of whom are former employees.
Nov. 24. Imgur, an image sharing and host site, announces it’s investigating a 2014 data breach that affected the email addresses and passwords of 1.7 million user accounts. The site was notified of the breach by Troy Hunt, who runs the data breach notification service Have I Been Pwned.
Nov. 24. North Carolina Department of Health and Human Services notifies some 6,000 people their personal identifying information is at risk after the agency accidentally sent a spreadsheet containing the data to a vendor.
Nov. 23. Australian Department of Social Services notifies 8,500 current and former employees their personal information is at risk after a data breach at Business Information Services, a contractor of the agency. According to The Guardian, the employees’ data, which covered a period from 2004 to 2015, was exposed from June 2016 to October 2017.
Nov. 23. Dalhousie University in Canada notifies 20,000 people, mostly alumni, their personal information was exposed on the school’s computer network in a folder accessible to faculty, staff and students. The institution adds the information was exposed from Sept. 16, 2016 to March 3, 2017.
Nov. 22. Cottage Health Systems and its affiliated hospitals in California agree to $2 million settlement with the Golden State in case involving allegations that the provider failed to implement basic, reasonable safeguards to protect patient medical information in violation of state and federal privacy laws. The settlement follows two data breach incidents by Cottage Health where the medical information of more than 50,000 patients was exposed online.
Nov. 21. Uber reveals 57 million driver and rider accounts were stolen by hackers. It says theft was kept secret for more than a year after paying a $100,000 ransom to the thieves.
Nov. 20. Intel publishes a security advisory listing new vulnerabilities in some of its management tools. Flaws in the Management Engine, the remote server management tool Server Platform Services, and the hardware authentication tool Trusted Execution Engine could be used by a threat actor to gain full control over a computer.
Nov. 20. The Unique Identification Authority of India, in response to a Right to Information request, reveals 210 central and state government websites have leaked personal details of users of Aadhaar, the country’s national identification system. The agency says the information has been removed from public view but would not say how or when the breach took place or how many citizens were affected by the leak.
Nov. 20. Student at McMaster University in Canada is charged with unauthorized use of a computer after breaking into a database containing admission offer letters of 25,000 applicants.
Nov. 17. Owner of website that allows Malaysians to see if their personal information was compromised in a massive data breach of telecommunications companies in the country announces he’s shutting down the site after Malaysian authorities blocked the site. Subscription information for 46.2 million Malaysians was stolen in the breach.
Nov. 16. Kromtech reports data belonging to the Australian Broadcasting Corporation was exposed to the public Internet due to misconfiguration of at least two AWS S3 buckets. Data included hashed passwords and credentials to access ABC content.
Nov. 14. Google releases study of stolen account credentials which finds 788,000 credentials stolen by keyloggers, 12.4 million by phishing and 1.9 billion by data breaches.
Nov. 14. Global clothing retailer Forever 21 announces it’s investigating a potential data breach exposing payment card information to threat actors. Chain has more than 800 stores in 57 countries.
Nov. 10. Google reports phishing victims are 400 times more likely to have their accounts hijacked than a random Google user, versus 10 times for data breach victims. It explains phishing is riskier to users because more and better information is acquired by hackers in a phishing attack than in a data breach.
Nov. 10. Equifax reports quarterly profits plunged 27 percent following massive data breach exposing confidential information of 145.5 million Americans.
Nov. 10. Kromtech Security Center reports a misconfigured Apache Hive database belonging to ride share service Fasten was exposed to the public Internet for 48 hours before being taken offline. Exposed information included customer data on some one million users of the company’s mobile app.
Nov. 8. Risk Based Security reports there were 3,833 data breaches globally during the first three quarters of 2017, exposing more than seven billion records. However, 78.5 percent of those records were exposed in just five breaches.
Nov. 8. Former CEO Marissa Mayer apologizes to Yahoo users for two massive data breaches at the company while appearing before a congressional committee holding hearings on cyber attacks on US companies. She also blames Russia for at least one of the breaches.
Nov. 8. The Guardian reports a flaw at the website of the Australian Securities and Investments Commission allows one person to view another’s search history by entering an email address and a date range. Defect also allows documents to be downloaded that another person paid for.
Nov. 8. US Federal Trade Commission finalizes settlement in data breach case involving TaxSlayer. During the breach, 9,000 user accounts were compromised and the information used to file false tax returns. The settlement bars TaxSlayer from violating federal rules on securing customer information for 20 years and requires it to submit to biennial third-party assessments of its compliance with those rules for 10 years.
Nov. 7. Spirit One, a Portland, Ore. Internet Service Provider, confirms it accidentally gave one of its customers access to other customers’ email accounts. The company explained that it thought the customer was the administrator of a domain managed by Spirit One.
Nov. 7. UK Information Commissioner’s Office releases survey that finds only 20 percent of Britain’s citizens trust companies to securely store their personal information.
Nov. 5. News outlets around the world begin publishing stories based on the “Paradise Papers,” a cache of more than 13.4 million documents leaked from Appleby, a Bermuda-based law firm that offers financial and tax services to blue chip corporations and very wealthy people.
Nov. 5. Hackread reports hackers have stolen WhatsApp screenshots of explicit photos and chat conversations of World Wrestling Entertainment personality Paige, whose real name is Saraya-Jade Bevis, and posted them to a celebrity gossip website. It adds that the material was also posted to Twitter.
Nov. 3. Krebs on Security reports data breach at Verticalscope, a Canadian network of websites focused on vertical markets such as cars, pets, sports and technology, has put at risk at least 2.7 million user accounts. Krebs adds that a previous breach in 2016 at the company resulted in the theft of information on 45 million accounts.
Nov. 3. AT&T reports the average cost to recover from a data breach in 2017 was $3.6 million.
Nov. 2. JD Power releases survey of 1,322 U.S. consumers that finds only 51 percent are very aware or somewhat aware of the Equifax data breach that compromised sensitive personal and financial information of 145.5 million Americans.
Nov. 2. iTnews reports a misconfigured Amazon S3 bucket has exposed to the public Internet personal information of almost 50,000 Australian employees of several government agencies, banks and a utility. The flawed bucket, which belongs to a third-party contractor, was discovered by a Polish security researcher who goes by the Twitter handle Wojciech.
Nov. 1. Hetzner, a South African data center operator and web hosting provider, advises clients that one of its databases was accessed by an unauthorized party and recommends they change their passwords immediately.
Oct. 31. Hilton hotels pays $700,000 to settle claims against it by New York and Vermont for two data breaches that occurred in 2015. In a statement, New York Attorney General Eric T. Schneiderman says Hilton failed to timely notify consumers of the breaches, did not maintain reasonable data security and did not comply with a number of payment card industry data security standards.
Oct. 31. Health insurer CareFirst petitions US Supreme Court to overturn a lower court ruling that allowed a class action lawsuit over a data breach to proceed although no actual harm to members of the class was shown. If the Court agrees to decide the case, it could clear up conflicting decisions by lower courts over when a data breach lawsuit should be allowed to proceed.
Oct. 30. Denver Post reports personal and financial information of 800 donors, customers, and current and former employees of the Denver Art Museum were compromised in a “data security incident” that occurred during the summer.
Oct. 30. New Jersey Attorney General Christopher Porrino releases first annual data breach report. It found 116,000 of the state’s residents were affected by 676 data breaches in 2016.
Oct. 30. Eclectic website Lowyat.net reports it’s confirmed that some 46.2 million mobile phone numbers from Malaysian telecommunications companies and mobile virtual operators have been leaked online. It says leak includes postpaid and prepaid numbers, customer details and addresses, as well as SIM card information, such as IMEI and IMSI numbers.
Oct. 29. Heathrow airport officials launch investigation into origin of a USB stick found by an unemployed man who turned it over to a UK newspaper. The device contained confidential data, including the exact route Britain’s queen takes to the airport.
Oct. 26. Reserve Bank of India imposes $1 million penalty on Yes Bank for failing to promptly report a data breach in 2016 that affected 3.2 million debit cards issued by the institution. Under RBI rules, a bank must report a breach within two to six hours of its discovery.
Oct. 26. Motherboard reports a security researcher warned Equifax of the vulnerability that led to the compromise of sensitive personal information of 145.5 million Americans six months before the data breach occurred.
Oct. 26. Insurance giant AIG announces it will start to include cyber coverage in its commercial casualty insurance policies beginning in 2018. Typically businesses need to purchase such coverage as a separate policy.
Oct. 25. Appleby, a Bermuda-based law firm that caters to the super rich, announces it suffered a data breach in 2016 and that it’s being contacted about it by the International Consortium of Investigative Journalists.
Oct. 25. Rasmussen Reports survey of 1,000 American adults reveals 41 percent of them have been victims of payment card information theft.
Oct. 25. F-Secure releases analysis of email addresses of more than 200 CEOs from top businesses in 10 countries finding 30 percent of the executives had their passwords leaked when a service they subscribe to suffered a data breach.
Oct. 24. Specialty insurer Beazley reports rapid rise in data breaches of its clients caused by social engineering attacks. It says during first three months of 2017, social engineering data breaches increased nine percent, compared to one percent for the same period in 2016.
Oct. 23. Hacker group that calls itself The Dark Overlord breaches systems at London Bridge Plastic Surgery in the UK and steals an undisclosed amount of data. The clinic is known for its celebrity clients, including some members of the British royal family.
Oct. 23. Georgia Revenue commissioner Lynne Riley says state has blocked $108 million in fraudulent tax returns in 2017, compared to $19 million in 2015.
Oct. 23. Coinhive, a cryptocurrency mining software provider, acknowledges a compromised password led to the hijacking of its mining scripts, which allowed thieves to redirect funds intended for Coinhive into a virtual wallet controlled by the attackers.
Oct. 23. COL Financial, a major online Philippines brokerage firm, warns clients it has discovered a possible data breach of its systems. It says client account balances, stock positions and account transactions were not affected by the incident, but recommends passwords be changed.
Oct. 20. Federal court in Manhattan sentences Yuri Lebedev, a Florida software engineer, to 16 months in prison for role in data breach at JPMorgan Chase & Co. in 2014 that exposed information on more than 83 million accounts.
Oct. 20. Kromtech reports Tarte Cosmetics has secured two databases containing information on nearly two million online customers after a misconfiguration exposed the data, covering purchases made over nearly 10 years, to the public Internet.
Oct. 19. Verisk Analytics estimates losses to Merck & Co. from the “NotPetya” malware attack in June could cost insurers $275 million.
Oct. 19. Class action lawsuit filed against home respiratory care and medical equipment provider Lincare Holdings of Clearwater, Fla. by employees who allege they were harmed by data breach that exposed their tax information to online thieves.
Oct. 17. IRS Commissioner John Koskinen says his agency doesn’t expect the Equifax data breach to have a major impact on 2018 tax filings since 100 million Americans had already had their personal identifying information stolen by digital thieves prior to the breach.
Oct. 17. Reuters reports Microsoft’s database for tracking bugs in its software was breached by hackers in 2013 and the company never revealed the intrusion to its customers or the public. The defects were eventually corrected, but in the interim, the threat actors could have used the bug data to attack any computer using Microsoft software.
Oct. 17. Troy Hunt, founder of the data breach search site Have I Been Pwned, announces he’s found a database containing unique personal information of more than 30 million South Africans. He says the data breach that exposed the information took place around March 2017, although some data dates back to the 1990s.
Oct. 16. Pizza Hut informs some 60,000 customers who placed orders with the company’s mobile app or at its website that their payment card information has been stolen by a hacker.
Oct. 16. Beazley, a specialist insurer, reports that during the first nine months of 2017, unintended disclosure accounted for 41 percent of data breach incidents reported to the company by health care organizations. That’s more than twice the second most frequent cause for data loss, hacking or malware (19 percent).
Oct. 13. We Heart It, a teen-oriented website, reveals eight million accounts may have been affected by a data breach that took place in 2013. It advises users who have not changed their passwords since 2013 to do so now.
Oct. 12. Equifax takes down one of its web pages after discovering it contained malicious code from a third-party vendor. The code on the company’s credit report assistance page uses an Adobe Flash document to infect a computer with malware.
Oct. 12. IRS temporarily suspends $7.2 million contract it awarded Equifax to verify taxpayers’ identities and help combat fraud. Suspension comes about a month after a data breach at Equifax compromised confidential information of 145.5 million Americans.
Oct. 12. Hyatt Hotels acknowledges it’s discovered unauthorized access to customer payment card information at 41 properties worldwide, including 18 in China, between March 18, 2017 and July 2, 2017. In 2015, a similar incident affected 250 of the chain’s hotels in 50 countries.
Oct. 11. Washington Attorney General Bob Ferguson releases second annual data breach report for the state. It finds that three million state residents were affected by data breaches between July 2016 and July 2017. That’s six times more residents affected than in the previous 12-month period.
Oct. 11. ZDNet reports Victory Phones, an automated phone research and data compilation firm in Grand Rapids, Mich. was hacked and several databases stolen. It says theft exposes data on hundreds of thousands of Americans who submitted donations to political campaigns.
Oct. 10. Kromtech Security reports an Amazon S3 repository belonging to Patient Home Monitoring exposed to the public Internet blood test results of an estimated 150,000 people. PHM offers a variety of monitoring services to manage respiratory diseases and sleep apnea, as well as blood testing for patients on anticoagulants.
Oct. 10. Motherboard reports a bug on a T-Mobile website has put at risk sensitive information about 76 million of the company’s customers.
Oct. 9. First class action lawsuit arising from a data breach begins in London’s High Court. The litigation was brought by 5,500 employees of UK supermarket giant Morrisons whose former auditor exposed personal information of nearly 100,000 employees online over a “personal grievance” with the company.
Oct. 9. Domino’s Australia says it’s investigating a potential data leak at a former supplier after some of its customers began receiving spam that contained information about where they bought their pizza.
Oct. 6. US Office of the Inspector General reports Federal Deposit Insurance Corp., which is responsible for insuring the nation’s banks, suffered more than 50 data breaches in 2015 and 2016. The OIG also notes the average time the FDIC took to notify people affected by the hacks was 288 days.
Oct. 6. Disqus, the Internet’s largest provider of hosted commenting systems, announces one of its databases from 2012, which included information dating back to 2007, was exposed in a data breach. It says 17.5 million users may be affected by the attack.
Oct. 6. Forrester Research reveals intruders using stolen credentials accessed some confidential reports intended for clients but did not access any client data.
Oct. 6. Cabrillo College in Aptos, Calif. notifies 40,000 students their personal information may have been exposed in a breach of the school’s computer systems. College says Social Security numbers of 12,000 students and personal information of 28,000 others may have been compromised.
Oct. 4. Fast food chain Sonic reveals a malware attack on some of its outlets may have exposed their customers’ payment card information to hackers.
Oct. 4. Catholic United Financial, a financial services company servicing Catholic Church members in the upper US Midwest, informs 127,310 current and former members of a data breach. It says hacker accessed first and last names, mailing addresses, dates of birth, email addresses, insurance policy information and Social Security numbers of members.
Oct. 3. Equifax CEO Richard Smith, appearing before a congressional committee examining the data breach at his company, blames a single IT employee who failed to patch an Apache Struts flaw, which led to the exposure of sensitive personal information of 145.5 million Americans.
Oct. 3. Verizon Communications reveals all three billion Yahoo user accounts were affected by data breach in 2013. Verizon purchased Yahoo for $4.48 billion in June.
Oct. 3. Federal investigators warn Atlanta public school system that confidential data on the system’s 6,000 employees may have been compromised in data breach.
Oct. 2. Information security research firm Kromtech reports a misconfigured Elasticsearch database has exposed to the public Internet private information of more than 1,100 NFL players and agents.
Oct. 2. Equifax reveals an additional 2.5 million Americans were affected by a data breach at the company in July. New tally brings the total number of people affected by the breach to 145.5 million.
Oct. 1. Vermont Attorney General T.J. Donovan announces SAManage USA will pay a $264,000 fine for exposing online Social Security numbers of 660 Vermont Health Connect users.
Stay tuned for the Q2 2018 edition of the Data Breach Report.
John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
Massive data breaches dominate the news in third quarter of 2017
Menlo Park, Calif. – Oct. 3, 2017
Massive data breaches at credit reporting agency Equifax and subscription television service HBO dominated data breach news during this year’s third quarter.
Sensitive information for more than 140 million Americans was compromised by the Equifax data breach, which set off a cascade of resignations, lawsuits and investigations.
The company’s CEO, Richard Smith, resigned, as did Chief Information Officer David Webb and Chief Security Officer Susan Mauldin. Nearly a dozen lawsuits were filed in federal and state courts, as well as in a Canadian court where consumers are seeking $450 billion in damages.
Meanwhile, the Federal Trade Commission announced it is probing the breach. In addition, 40 states have banded together to investigate the incident. Equifax, too, is looking into the breach, as well as $1.8 million in stock sales made by senior executives just weeks before the event was made public.
At HBO, hackers calling themselves Mr. Smith pilfered 1.5 terabytes of data from HBO and dribbled it onto the Internet during August. They started with unaired episodes of Ballers and Room 104, as well as written material for an episode of Game of Thrones. They then moved on to dropping four unaired episodes of GoT and, prior to that show’s season finale, released a detailed outline of that installment. Some arrests were made in India in connection with the data theft. Police there collared three employees and one former employee of Prime Focus Technology, which stores and processes GoT for the Indian streaming website Hotstar.
Past massive data breaches also made headlines during the period. An arrest was made in connection with the June 2015 data breach at the U.S. Office of Personnel Management in which sensitive data for more than 21 million people was stolen. Yu Pingan, a Chinese national, was arrested in Los Angeles and later charged with having a hand in the malware that was used for the breach. Meanwhile, the OPM got off the hook for any legal ramifications from the incident when a federal district court judge in D.C. dismissed two lawsuits filed against the agency over the breach.
An arrest was also made in connection to the huge data breach at Yahoo which affected more than a billion user accounts. Karim Baratov, 22, pleaded not guilty in a San Francisco federal court to charges he participated in the Yahoo hack. Yahoo wasn’t as lucky as the OPM in avoiding litigation, though. A federal district court in California ruled that a class action lawsuit could proceed against the company.
According to the Identity Theft Resource Center, there were 791 data breaches during the first six months of the year, a 29 percent jump over the same period in 2016. Breaches continued to climb in the second half of the year. Many of those breaches involved household names.
For example, Dow Jones & Company, Time Warner, Viacom, Verizon and World Wrestling Entertainment all put customer data at risk by misconfiguring cloud servers. Wells Fargo placed information about its wealthiest customers at risk when it accidentally sent the data to opposing attorneys in a lawsuit involving the bank. Customer credit card information at Whole Foods and Sonic was compromised by point-of-sale attacks. Instagram’s security, too, was compromised due to a software bug. Meanwhile, Hard Rock Hotels & Casinos discovered payment card information over an eight-month period was compromised by a breach at a third-party reservation system.
Some significant penalties and settlements were also announced during the period. SAManage USA paid a $264,000 fine for exposing the data of Vermont Health Connect users, and TalkTalk, a U.K. IT services provider, paid a £100,000 fine for a breach affecting 21,000 customers. Meanwhile, Ruby Corp. settled a lawsuit against Ashley Madison for $11.2 million; Nationwide Insurance paid $5.5 million to put to rest a case arising from a 2012 data breach that exposed the personal information of 1.27 million customers; and healthcare insurer Anthem received preliminary approval of a $115 million settlement of litigation arising from a 2015 breach that allowed intruders to access personal identifying information of 80 million people.
Sep. 29. Equifax tells U.S. House of Representatives it is investigating sale of stock by senior executives weeks before a massive data breach at the company was made public. Executives made $1.8 million off the stock sale. Sensitive information on some 143 million Americans was compromised in the breach.
Sep. 29. Crystal Bray and Samuel Cook file putative class action lawsuit against GameStop over six-month data breach that compromised payment cards of its customers. Plaintiffs allege the company’s cavalier approach to data security led to the breach.
Sep. 29. Vermont Attorney General T. J. Donovan announces SAManage USA, which provides support services for Vermont Health Connect, will pay a $264,000 fine for a data breach affecting 660 VHC users.
Sep. 28. Whole Foods, a grocery chain recently acquired by Amazon, reveals a data breach compromised credit card information at taprooms and restaurants at some of its stores. It adds that payment cards used at its grocery stores were not affected by the breach.
Sep. 28. Chicago files lawsuit in state court against Equifax in connection with data breach at company. City alleges Equifax violated the city’s consumer fraud ordinance and state laws regarding information privacy, consumer fraud and deceptive practices.
Sep. 27. San Francisco files lawsuit in California state court seeking tens of millions of dollars in civil penalties against Equifax in connection with data breach at company.
Sep. 26. Krebs on Security reports data breach at Sonic Drive-In may have compromised some five million payment card accounts. Sonic is a fast-food chain with 3,600 locations in 45 states.
Sep. 26. Richard Smith resigns as CEO of Equifax. During Smith’s tenure at the company, it experienced a data breach in which sensitive information on 143 million Americans was compromised.
Sep. 22. Law firms Robbins Geller and Hagens Berman announce they’ve filed a proposed class-action lawsuit on behalf of people in 43 states in federal district court in Atlanta against Equifax in connection with data breach at company.
Sep. 21. Webroot reports an average of 1.4 million phishing sites are created every month. Phishing is a prime method for creating data breaches.
Sep. 21. Kromtech discovers data repository of vehicle device and monitoring company SVR exposed on the Internet due to a configuration error in an Amazon Web Services S3 bucket. Data included information on SVR’s customers and reseller network, as well as on tracking devices on vehicles.
Sep. 19. U.S. District Court in Washington, D.C. dismisses two lawsuits filed against the Office of Personnel Management over June 2015 data breach in which sensitive data on more than 21 million people was stolen.
Sep. 19. Upguard, a cybersecurity firm, reports about a gigabyte of credentials and configuration files belonging to entertainment giant Viacom were exposed on the Internet via an unsecured server.
Sep. 15. Equifax announces resignations of Chief Information Officer David Webb and Chief Security Officer Susan Mauldin. Resignations follow a data breach that affected 143 million U.S. customers.
Sep. 15. U.S. Rep. Jim Himes, D-Conn., files bill to protect consumers affected by data breach at a credit reporting agency. Measure allows consumers to ask for a security freeze on their information free of charge following a breach.
Sep. 14. Scott Meyers, Judey Meyers and Karl Gordon Eikost file a proposed class-action lawsuit in a Chicago federal court against Equifax in connection with data breach at company.
Sep. 12. Jennifer Mertlich and others file proposed class-action lawsuit in a Seattle federal court against Equifax in connection with data breach at company.
Sep. 14. Federal Trade Commission announces investigation of data breach at Equifax.
Sep. 13. Reuters reports nearly 40 states have joined an investigation into data breach at Equifax.
Sep. 12. Canadian consumers seek $450 billion in class-action lawsuit filed in Toronto against Equifax in connection with data breach at company.
Sep. 11. Five citizens of Utah file proposed class-action lawsuit in Salt Lake City federal court against Equifax. Citizens are seeking $5 billion in damages.
Sep. 9. Brian F. Spector of Florida and James McGonnigal of Maryland file proposed class-action lawsuit in an Atlanta federal court against Equifax.
Sep. 8. ZDNet reports Alexander Filinov and Konstantin Teplyakov, two members of the Humpty Dumpty hacker gang, have been sentenced by a Moscow court to three years in a penal colony for compromising computers, smartphones and tablets of Russian citizens and stealing data from them. It adds that accounts of high-ranking Kremlin officials were also hacked by the group, including the Twitter account of Prime Minister Dmitry Medvedev.
Sep. 7. Credit reporting agency Equifax reveals data breach of its systems placing at risk sensitive information of 143 million American consumers.
Sep. 7. Roman Seleznev, 33, pleads guilty in federal courts in Nevada and Georgia to his role in a cyber theft ring that allegedly stole $50 million using credit card numbers stolen from online sources. Seleznev is the son of Valery Seleznev, a member of Russia’s lower house of parliament who has been critical of U.S. policies.
Sep. 5. Times of London reports data breaches at British universities have doubled in the last two years to 1,152. It notes cyber gangs behind the attacks seek information that they can sell to nation-states.
Sep. 4. Hacker News reports massive data breach at Taringa, known as the Reddit of Latin America. Breach compromised login details of 28 million users. HN says LeakBase, a breach notification service, has obtained a copy of the stolen data.
Sep. 4. Upguard, a security research firm, reports third-party contractor for private military contractor TigerSwan accidentally exposed on the Internet resume files of 9,402 people. Data includes job histories of U.S. military veterans, mercenaries and Iraqi and Afghan nationals who worked in their countries with U.S. forces and government institutions.
Sep. 1. Kromtech reports four million records containing personal information of Time Warner customers were stored without a password on an Amazon server. More than 600 GB of data was exposed, which included usernames, email addresses, MAC addresses, device serial numbers and financial transaction information.
Sep. 1. Crown Records Management releases survey finding that in the U.K. pharmaceutical industry 23 percent of IT decision makers chose not to report a data breach to management or appropriate authorities; 23 percent know someone who hasn’t reported a breach; and 15 percent don’t know to whom to report a breach.
Sep. 1. U.K. Information Commissioner’s Office fines Nottinghamshire County Council £70,000 for exposing to the public Internet personal data of elderly and disabled people in an online directory.
Sep. 1. AXA insurance notifies 5,400 customers some of their personal data is at risk after a data breach at its online health portal. It says email addresses, birth dates and mobile numbers were exposed in the breach.
Aug. 31. U.S. District Court Judge Lucy Koh rules a class action lawsuit may proceed against Yahoo over three data breaches from 2013 to 2015, which affected more than a billion user accounts.
Aug. 30. CeX, a technology and video game retailer, says personal details of up to two million customers may have been compromised in a “sophisticated breach.”
Aug. 30. Instagram, a Facebook company, announces hackers exploited a bug in its software that allowed them to access the accounts of an unspecified number of “high profile” users. The company says email addresses and phone numbers may have been obtained by the data thieves but not the passwords for the accounts.
Aug. 30. U.S. Food and Drug Administration issues recall of 465,000 St. Jude pacemakers so their firmware can be patched to prevent unauthorized tampering with the devices.
Aug. 30. Mid-Michigan Physicians Imaging Center notifies more than 106,000 patients that their personal health information is at risk due to a data breach at a third-party service provider, McLaren Medical Group.
Aug. 30. Silver Cross Hospital in Lenox, Ill. reveals data breach at third-party service provider has exposed health information for up to 9,000 patients.
Aug. 30. U.S. Appeals Court in St. Louis upholds most of lower court ruling dismissing lawsuit stemming from two 2014 data breaches at SuperValu, a supermarket wholesaler and retailer based in Minnesota. However, the court reinstated the case of one of the plaintiffs who demonstrated his credit card was misused because of the data breach.
Aug. 29. Security researcher with the handle Benkow discovers server in the Netherlands containing information on 711 million email accounts for the Onliner spambot. Onliner is used to deliver banking malware and is responsible for more than 100,000 infections around the world, according to Benkow.
Aug. 28. Legal Action Center files lawsuit against Aetna accusing the insurer of breaching the privacy rights of 12,000 customers in 23 states by allowing the words “filling prescriptions for HIV” to be seen in window envelopes sent to the clients. Lawsuit seeks unspecified damages, a change in Aetna’s mailing practices and legal fees and costs.
Aug. 28. Major League Lacrosse sends email to its players informing them a link on the player registration web page directed browsers to a spreadsheet containing Social Security numbers, email addresses, phone numbers and mailing addresses of everyone in the league’s player pool.
Aug. 26. Hackers known as Mr. Smith, who claim to have stolen 1.5 terabytes of data from HBO, post on Reddit a detailed outline of the much anticipated season finale of the HBO series Game of Thrones.
Aug. 25. U.S. District Court Judge Lucy Koh gives preliminary approval of $115 million settlement of litigation against healthcare insurer Anthem over massive data breach in 2015 when intruders accessed personal identifying information and other data on some 80 million people.
Aug. 25. Taiwan’s Financial Supervisory Commission says no data breach was involved in incidents of credit card fraud involving Apple Pay. Fraudulent purchases were made through the service after user bank accounts were compromised through social engineering attacks.
Aug. 25. ERPScan reports vulnerabilities in point of sale systems developed by SAP and Oracle that allow an adversary to not only compromise credit card data but gain control of the POS server and perform tasks such as changing prices or remotely starting or stopping terminals.
Aug. 24. Yu Pingan, a Chinese national, is accused by U.S. Justice Department of being linked to malware used in massive data theft at U.S. Office of Personnel Management. Pingan was arrested Aug. 21 at Los Angeles International Airport.
Aug. 24. Legal Action Center and AIDS Law Project of Pennsylvania say health insurer Aetna exposed the HIV status of patients in several states in the clear window of the envelopes of mail communications sent to the patients.
Aug. 24. Beaumont, Texas suspends online water bill payment system after it received complaints from taxpayers of unauthorized charges to their iTunes accounts. City says it is investigating potential data breach.
Aug. 23. Karim Baratov, 22, pleads not guilty in San Francisco federal court to charges he participated in the massive hack of Yahoo.
Aug. 21. OneLogin releases survey of 500 IT decision makers finding one in five enterprises say failure to deprovision employees from corporate applications contributed to a data breach in their organizations.
Aug. 21. OurMine hacks Sony PlayStation social media accounts. It also posts to Twitter screenshots of the PlayStation Network’s databases, suggesting they have been compromised.
Aug. 18. The Sun reports a person with alleged connections to the hacktivist group Anonymous has stolen data on 1.2 million patients of the U.K.’s national health system.
Aug. 18. U.S. Department of Labor shuts down portal for employers to report employee injuries and illnesses after it was informed by Department of Homeland Security that data at the site may be compromised.
Aug. 17. San Antonio Institute for Women’s Health warns patients their personal information is at risk after it discovered a keylogger residing on its systems from June 5 to July 6.
Aug. 17. Security researcher Chris Vickery reports misconfigured Amazon Web Services server exposed to the public Internet information on 1.8 million Chicago voters.
Aug. 17. Hacker group calling itself OurMine compromises HBO’s Twitter and Facebook accounts and advises company to tighten up its security.
Aug. 17. Delaware Gov. John Carney signs into law bill requiring free credit monitoring services to citizens of state whose personal information is compromised in a data breach.
Aug. 17. AP Moller Maersk reports $264 million loss due to disruptions in service caused by the NotPetya virus in June.
Aug. 15. Indian Police arrest three employees and one former employee of Prime Focus Technology in connection with leaking an unaired episode of the HBO series Game of Thrones. Prime Focus stores and processes the series for the Indian streaming website Hotstar.
Aug. 11. U.K.’s Information Commissioner’s Office fines IT services company TalkTalk £100,000 in connection with a third-party data breach that allowed unlawful access to the personal data of up to 21,000 customers.
Aug. 9. Nationwide Mutual Insurance agrees to pay states $5.5 million to settle case stemming from 2012 data breach which exposed the personal information of 1.27 million consumers.
Aug. 9. U.S. Department of Justice charges two Iranian nationals, Arash Amiri Abedian, 31, and Danial Jeloudar, 27, with hacking into online merchants and stealing credit card and personal information of customers.
Aug. 9. Kromtech reports misconfigured Amazon Web Services bucket leaves vulnerable personal identifying information of an estimated 48,000 customers of Indian credit services company Creditseva.
Aug. 8. Colorado Judicial Department reveals inadvertent exposure of files containing information on more than 600,000 jurors in the state for almost a year. Agency states it doesn’t believe data was downloaded in bulk, stolen or used illegally.
Aug. 7. Hackers drop second wave of sensitive HBO data on the Internet. Drop includes four episodes of the current Game of Thrones season, the script of an unaired fifth episode and countless internal documents.
Aug. 5. UCLA notifies more than 30,000 current and former students their personal data was on a server accessed by an unauthorized party. University adds it does not believe any sensitive information was obtained by the intruder.
Aug. 4. Protenus reports there were 233 healthcare data breaches during the first half of 2017 affecting 1.2 million patient records.
Aug. 2. FBI arrests Marcus Hutchins, 23, for his role in creating and distributing the Kronos banking Trojan. Hutchins has been credited with stalling the spread of WannaCry malware which crippled the U.K.’s national health care system in May.
Aug. 1. Kaspersky Lab reports DDoS attacks were launched against resources in 84 countries during 2Q 2017, an increase of 14 nations from previous quarter, although almost half the attacks (47.42 percent) were directed at China.
Aug. 1. Cyber insurance underwriter Beazley reports 32 percent of 1,330 client incidents during the first six months of 2017 were caused by hacking and malware attacks. Another 30 percent of the breaches were caused by employee or third-party provider error.
Aug. 1. Mandiant, which is owned by FireEye, confirms the social media accounts and personal laptop of one of its employees were compromised and business documents related to two Israeli customers stolen.
Aug. 1. Federal appeals court rules customers of CareFirst can sue the health insurer over a 2014 data breach of its systems. Appeals court reversed decision of lower court which dismissed the lawsuit.
Jul. 31. Entertainment Weekly reports hackers stole 1.5 terabytes of data from HBO. Some of the data posted to the Internet includes upcoming episodes of Ballers and Room 104, as well as written material from the fourth episode of Game of Thrones.
Jul. 30. France fines Hertz £40,000 after the car rental company exposed personal identifying information of 35,357 customers to the public Internet due to a misconfigured server.
Jul. 28. Anthem reports personal identifying information of more than 18,500 members is at risk after an employee emailed the data to a personal account. The healthcare provider notes the employee was engaged in activities related to identity theft.
Jul. 27. Virgin America notifies employees their personal information is at risk after an unauthorized party gained access to login information and passwords used to access the company’s computer network. It notes 3,120 employees and contractors had their login credentials compromised and 110 employees had personal identifying information stolen.
Jul. 26. U.S. grand jury indicts Alexander Vinnik for laundering more than $4 billion in bitcoin, including funds from Mt. Gox, a failed bitcoin exchange.
Jul. 26. UniCredit, Italy’s biggest bank, reports two data breaches at one of its third-party providers resulted in unauthorized access to personal loan accounts of 400,000 customers. Breaches occurred in September and October 2016 and June and July 2017.
Jul. 26. HackRead reports China has arrested 11 hackers suspected of developing Fireball, a malware program which infected 250 million computers worldwide, 20 percent of them in large corporations.
Jul. 26. Gait House hotel in Louisville, Ky. reveals its payment processing system was infected with malware putting at risk payment card transactions performed between Dec. 21, 2016 and April 11.
Jul. 24. Swedish Prime Minister Stefan Lofven calls data breach at country’s Transport Agency “incredibly serious.” Inadequate safeguards at a government contractor exposed all information in the agency’s database to the contractor’s Eastern European subsidiaries. Data included details about bridges, roads, ports, the subway system in Stockholm and other infrastructure. It also may have included the identities of undercover agents working for the Swedish police and armed forces.
Jul. 24. Thales releases 2017 data threat report which finds 43 percent of retailers have suffered an IT breach in the past year.
Jul. 24. RedLock reports hundreds of organizations have misconfigured their Google Groups service exposing personal identifying information of group members to the public Internet.
Jul. 24. Federal court in St. Louis approves Ruby Corp. agreement to pay $11.2 million to settle class action lawsuit stemming from data breach at Ashley Madison adultery website.
Jul. 22. Bloomberg reports Wells Fargo is under investigation by the federal Financial Industry Regulatory Authority for accidentally submitting to an attorney sensitive information for tens of thousands of accounts belonging to high-wealth individuals doing brokerage business with the bank.
Jul. 21. New York Times reports 1.4 gigabytes of data affecting at least 50,000 Wells Fargo customers, including some of the bank’s wealthiest clients, was inadvertently sent to lawyers of a former employee suing the institution for defamation. Newspaper notes the disclosure is a data breach that potentially violates numerous state and federal consumer privacy laws.
Jul. 21. Darkface, a security firm, reports hackers pilfered 10 GB of data from a North American casino by compromising a fish tank connected to the Internet.
Jul. 21. Federal district court in Colorado dismisses proposed class action lawsuit by credit unions stemming from data breach at Noodles & Co. A data breach at Noodles in September 2016 placed at risk the payment cards of hundreds of thousands of customers who ate at the restaurant chain’s 322 locations in the nation.
Jul. 21. Atlantis Paradise Island resort in the Bahamas reports point-of-sale system for its food, beverage and retail locations was compromised by malware putting at risk all payment card transactions made from Nov. 1, 2016 to April 3, 2017.
Jul. 21. Nuance, a speech recognition company, issues financial statement warning Wall Street analysts that its fiscal 2017 third quarter and possibly the fourth quarter would be negatively impacted by the NotPetya global ransomware attack.
Jul. 20. Ricoh Australia warns banks, government agencies, universities and large businesses that a number of documents about its multifunction devices, some containing sensitive data, have been posted to the Internet and indexed by Google’s search engine.
Jul. 19. Arlington Research releases survey of 500 IT workers commissioned by OneLogin finding that 32 percent of companies take more than a week to remove former workers from their systems. Survey also found that 20 percent of organizations have experienced a data breach caused by an ex-employee.
Jul. 18. Identity Theft Resource Center and CyberScout report 791 data breaches for the first six months of 2017, a 29 percent jump over 2016.
Jul. 18. Women’s Health Care Group PA in Philadelphia reveals that one of its servers and a workstation were subjected to a ransomware attack affecting 300,000 people. Group was able to continue normal operations by restoring affected data from backups.
Jul. 17. UpGuard reports sensitive and personal information of from two to four million Dow Jones & Company customers was exposed to more than a million users of Amazon Web Services through a cloud-based repository configured for semi-public access. Also exposed were the details of 1.6 million entries in a suite of databases used largely by financial institutions for compliance with money laundering regulations.
Jul. 17. B&B Theatres, the seventh largest theater chain in the United States, says it’s investigating a breach of its credit card system. The announcement came after blogger Brian Krebs reported the company has been leaking customer credit card data from its systems for two years.
Jul. 17. FBI issues warning to consumers to consider cybersecurity before introducing smart, interactive, Internet-connected toys into their homes or trusted environments. Such toys can collect personal information that puts the privacy of children at risk.
Jul. 17. U.S. Virgin Islands police department announces it will stop collecting Social Security information from people filing incident reports. Decision made after police officer stole personal identifying information of four people as part of an alleged identity theft scam.
Jul. 15. U.K. Information Commissioner’s Office fines Boomerang Video £60,000 for 2014 data breach that resulted in the theft of information on 26,331 customers.
Jul. 14. Ruby Corp. agrees to pay $11.2 million to settle class action lawsuit stemming from data breach at Ashley Madison adultery website.
Jul. 14. Kevin Kunlay Williams, 56, pleads guilty in federal court in St. Louis to mail fraud, aggravated identity theft, re-entry of a removed alien and making a false statement relating to citizenship. Williams admits in court that he filed more than 2,000 fraudulent tax returns seeking $12.2 million in refunds.
Jul. 13. The international healthcare group Bupa reveals personal identifying information for 547,000 customers was compromised when an employee copied and removed the data from the company’s systems. It notes no financial or medical data was stolen.
Jul. 12. UpGuard reports a third-party vendor has exposed on the Internet personal identifying information of as many as 14 million Verizon customers by misconfiguring a cloud server. It adds that data from a French telco, Orange S.A., was also exposed on the server owned and operated by Nice Systems, an Israeli company that’s known to work closely with phone cracking firms Hacking Team and Cellebrite.
Jul. 12. Wilshire Law Firm files proposed class action lawsuit against Sabre Corp. over eight-month data breach that compromised payment card information of customers who made reservations at a number of hotels. Among the affected hotels were Trump Hotels, the Four Seasons, Hard Rock International, Montage Beverly Hills and Loews Hotels.
Jul. 12. Indian law enforcement authorities arrest Imran Chippa, 35, a former engineering student from Rajasthan, for allegedly stealing and posting to the Internet personal data of more than 100 million customers of Reliance Jio, an Indian telecom company.
Jul. 12. University of Iowa Health Care warns 5,300 patients some of their health care information is at risk after it was posted for two years to an unsecured application developer’s website. It notes that the information did not include clinical information like diagnoses, Social Security numbers or financial information like credit card numbers.
Jul. 12. KnowBe4, a security training provider, releases quarterly analysis of top phishing subject lines. Top lines for the second quarter of 2017 included Security Alert, Revised Vacation & Sick Time Policy and UPS Label Delivery 1ZBE312TNY00015011.
Jul. 10. Kaspersky Lab and B2B International reports that employees in 40 percent of businesses worldwide hide IT security incidents to avoid punishment.
Jul. 7. Krebs on Security reports the seventh largest theater chain in the United States, B&B Theaters, is investigating a two-year breach of its credit card systems. The chain operates 414 screens in 50 locations in nine states.
Jul. 7. Avanti Markets, a self-service payment kiosk operator, notifies users of its machines that some 1,900 of them were infected with malware designed to steal payment card and other information. Infection occurred from July 4 to August 4. According to the company, the kiosks are used by 1.6 million customers in 46 states.
Jul. 6. Hard Rock Hotels & Casinos announces that due to a security incident at a third-party reservation system, payment card information is at risk of customers who performed transactions at 11 of the chain’s locations from Aug. 10, 2016 to March 9, 2017.
Jul. 6. The Register reports South Korean law enforcement authorities are investigating a data breach at digital money exchange Bithumb. It noted personal identifying information for 32,000 users — about three percent of the user base — was stolen. Bithumb handled $1.7 billion in bitcoin transactions in 2016.
Jul. 6. Logicforce releases survey of more than 200 law firms finding two-thirds of them (66 percent) reported a data breach in 2016. It also notes that an average of 10,000 intrusions occur daily at law firms.
Jul. 6. UC Davis Health in California notifies some 15,000 patients their personal information is at risk after an employee was duped by a phishing scam.
Jul. 5. MacKeeper reports Kromtech discovered two open and publicly accessible Amazon S3 buckets with personal identifying information of more than three million fans of World Wrestling Entertainment.
Jul. 5. Federal court judge in Illinois dismisses putative class action lawsuit against digital toymaker VTech. Litigation stems from data breach in which data on 11 million adults and children was compromised.
Jul. 5. Airway Oxygen, a health care provider in Wyoming, Mich. reports ransomware attack affecting 500,000 people. It says there is no indication that any protected health information was accessed or acquired during the attack.
Jul. 4. FBI alerts Wooster-Ashland Regional Council of Governments in Ohio of a data breach of its computer systems involving more than 200,000 records containing confidential information of the region’s residents.
Jul. 3. Motherboard reports AA, a U.K. auto insurance company, exposed on the Internet sensitive information of more than 100,000 customers due to a misconfigured server and did not tell them about it.
Jul. 3. The Guardian reports that Medicare patient details of any Australian are being sold on the Dark Net for $30 per individual. It noted the data seller says requests for information can be fulfilled by exploiting a vulnerability in the government’s systems.
Stay tuned for the Q4 2017 edition of the Data Breach Report.
John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
Ransomware attacks dominate the data breach scene during second quarter of 2017
Menlo Park, Calif. – Jun. 30, 2017
Global ransomware damage costs are predicted to exceed $5 billion in 2017, up from $325 million in 2015. That’s a staggering 15X increase in just 2 years, and the damages are expected to worsen. Ransomware attacks on healthcare organizations will quadruple by 2020.
Two staggering attacks affected organizations around the world. In May, the WannaCry program infected thousands of computers in more than 100 countries. It was followed in June by the GoldenEye/NotPetya malware that disrupted computing activity in at least 65 nations.
The scope of the ransomware problem was detailed by Verizon in its annual data breach report released in April — which found ransomware involved in 71 percent of the 40,000 data breaches it analyzed.
Also during the period one of the largest ransomware payoffs was made by Nayana, a web-hosting company in South Korea. It coughed up $1.1 million to digital extortionists after ransomware knocked out more than half of the company’s 300 servers and affected an estimated 3,400 websites it hosted.
Large data breaches also continued during the quarter. One of the largest was in India where 130 million holders of the country’s national identification card were told in May their ID numbers had been exposed on the public Internet since Nov. 2016. Another 77 million users of the education website Edmodo had their account information stolen when hackers broke into that site.
Meanwhile, 8tracks, an Internet radio service, told its users to change their passwords after reports appeared that a cache of credentials for 18 million users of the service were up for sale on the Dark Web. And Zomato, a restaurant search service, reset the stolen passwords of some 17 million users.
Lawyers were also busy during the period. Health insurer Anthem put a $115 million deal on the table to settle a data breach class action lawsuit against it. Retailer Target paid $18.5 million to settle a data breach lawsuit filed against it by 47 states. In addition, data breach litigation was settled against Neiman Marcus for $1.6 million and Kmart for $5.2 million.
Regulators were also busy. In June, it was reported that the UK’s Information Commissioner’s Office collected 65 percent more in fines in 2016 compared to 2015, to £3,245,500 from £2 million. In the United States, the federal Department of Health and Human Services collected $2.5 million for data breach infractions from CardioNet, a mobile heart monitoring technology company based in Malvern, Pa., and $400,000 from The Metro Community Provider Network in Denver.
Reports on the costs of data breaches were also released during the quarter. IBM Security found that the average cost of a data breach globally is $3.62 million, a 10 percent decrease from 2016. Meanwhile, CGI released an eye-opening analysis of 65 “severe” and “catastrophic” data breaches. It found that those kinds of breaches can cost a company 1.8 percent of its market value. For a typical FTSE 100 company, that would be a permanent loss of market capitalization of £120 million.
Jun. 29. The UK’s Government Digital Service recommends users of its Data.Gov.UK website change their passwords after a database of usernames and email addresses were discovered on a system accessible to the public during a routine security review.
Jun. 28. GoldenEye ransomware spreads from Ukraine disrupting business and government computing activity in at least 65 nations. Businesses affected by the malware include Russian oil company Rosneft, shipping firm A.P. Moller-Maersk and pharmaceutical giant Merck.
Jun. 28. Nayana, a web-hosting company in South Korea, agrees to pay $1.1 million to unlock computers infected by hackers with ransomware. More than half of the company’s 300 servers were disabled by the attack that affected an estimated 3,400 websites.
Jun. 27. 8tracks, an Internet radio service, recommends its users change their passwords after reports appear that a cache of credentials for 18 million users of the service are up for sale on the Dark Web.
Jun. 27. Experian releases study that finds only nine percent of companies are prepared for the EU General Data Protection Regulation and 59 percent of the 550 IT security and compliance professionals surveyed said their companies did not know how to comply with the GDPR.
Jun. 27. Anthony Murgio, 33, sentenced to five and a half years in prison for operating an illegal bitcoin exchange suspected of laundering money for hackers and linked to data breach at JPMorgan Chase & Co.
Jun. 23. FBI’s Internet Complaint Center reports U.S. losses due to Internet crime in 2016 totaled $1.3 billion.
Jun. 23. Plaintiff’s legal team announces $115 million proposed settlement in class action lawsuit against health insurer Anthem stemming from data breach resulting in the theft of personal information of 7.8 million people.
Jun. 23. The Register reports 32 terabytes of data stolen from Microsoft was posted to the Internet, including internal builds of Windows and chunks of its source code.
Jun. 23. The Times of London reports that stolen email addresses and passwords of tens of thousands of government officials in the UK are being sold or bartered on Russian-speaking hacking sites.
Jun. 23. Airway Oxygen in Michigan notifies 500,000 people their personal health information is at risk due to unauthorized access to its infrastructure in April.
Jun. 23. Southern Illinois Healthcare reports that personal information of more than 600 patients is at risk after Experian Health, a third-party vendor, accidentally sent their data to the wrong medical facilities between Feb. 13 and March 13.
Jun. 23. CEO John Hutson of UK pub chain Wetherspoons announces it is deleting its database of customer email addresses to avoid the risk of it being hacked.
Jun. 22. U.S. District Judge Samuel Der-Yeghiayan preliminarily approves $1.6 million settlement of class action lawsuit against Neiman Marcus for data breach that occurred between July 16, 2013 and Jan. 10, 2014.
Jun. 22. Ward Solutions releases survey which includes finding that one in five Irish businesses have been hit with ransomware in the last 12 months.
Jun. 21. Scott Ables files class action lawsuit against Brooks Brothers Group over data breach that compromised payment data from customers who shopped at its stores between April 4, 2016 and March 1, 2017.
Jun. 21. Honda Motor Co. halts production at its vehicle making plant in Sayama for a day after discovering WannaCry ransomware on its computer network.
Jun. 21. Distil Networks releases study of 1,000 websites in retail, banking and consumer services which includes finding that 95 percent of sites can’t protect themselves against advanced persistent bot attacks.
Jun. 21. Atlantic Digestive Specialists notifies 94,195 customers their personal information is at risk after a ransomware attack on the systems of the group comprised of gastroenterologists with offices in Somersworth, Hampton and Portsmouth, N.H.
Jun. 21. Trustwave releases its 2017 Global Security report which includes finding that “dwell time” for hackers inside networks has declined year-over-year to 49 days in 2016 from 80.5 days in 2015.
Jun. 21. Dr. Emma Philpott, chief executive at the IASME Consortium, notifies vendors that their email addresses are at risk after a data breach at the UK’s Cyber Essentials scheme, which accredits companies bidding on government contracts that deal with the handling of “certain sensitive and personal information.”
Jun. 20. Juniper Research forecasts retailers will lose $71 billion globally over the next five years due to fraudulent Card-Not-Present transactions.
Jun. 20. IBM Security reports that the average cost of a data breach globally is $3.62 million, a 10 percent decrease from 2016.
Jun. 20. Minnesota State University Moorhead notifies about 800 faculty and staff and 8,000 students that personal information they’ve provided the institution is at risk after it was accessed by an unauthorized third-party.
Jun. 19. Torrance Memorial Medical Center in California notifies an undisclosed number of patients their personal information was compromised in a phishing attack on some of the hospital’s email accounts.
Jun. 16. The Buckle, a clothier with 450 stores in 44 states, alerts customers that their credit card information is at risk due to a compromise of its point-of-sale system between Oct. 28, 2016 and April 14, 2017. Company notes it believes the exposure of data that could be used to clone cards is limited due to the use of EMV technology at the stores.
Jun. 15. Sean Caffrey, 25, pleads guilty to hacking into U.S. Department of Defense and stealing data from around 30,000 satellite phones.
Jun. 15. AllClear ID estimates that European banks could face fines totalling €4.7 billion during the first three years that the EU’s General Data Protection Regulation is in effect.
Jun. 15. New York Atty. Gen. Eric T. Schneiderman announces CoPilot Provider Support Services, a provider of support services to the health care industry, agrees to pay $130,000 in penalties for waiting over a year to notify affected persons of a data breach exposing 221,178 patient records.
Jun. 15. Washington State University alerts some one million people their personal information is at risk after the heist from university property of an 85-pound safe containing a hard drive with the information on it.
Jun. 14. Kaspersky Lab reports security incidents involving online banking services cost the institution an average of $1.75 million per incident.
Jun. 13. UK Information Commissioner’s Office fines Gloucester City Council £100,000 after sensitive personal data was compromised in an attack on its systems that exploited the Heartbleed vulnerability in OpenSSL.
Jun. 13. TD Bank finds that 91 percent of financial pros at 2017 NACHA Payments conference believe payment fraud will continue to grow over the next two to three years, a slight increase over the 89 percent that felt that way last year.
Jun. 13. U.S. District Court Judge Andrea R. Wood in Chicago dismisses lawsuit against Barnes & Noble arising from compromise of its PIN pads used to process payment card transactions at 63 of its stores. Court finds plaintiffs did not offer sufficient injury to sustain a class action.
Jun. 12. Michelle Provost files putative class action lawsuit in Georgia federal court against Tempur Sealy International and Aptos for failing to appropriately safeguard customers’ personal information, which led to a February 2016 breach that compromised sensitive customer data.
Jun. 12. Fifteen Attorneys General clarify data breach notification laws in their states declaring notice is triggered whether CVV numbers are stolen in a breach or not.
Jun. 9. Mississippi’s Division of Medicaid notifies 5,220 people their personal health information is at risk due to the insecure transfer of the data from an online form to a designated staff member.
Jun. 9. Select Restaurants, a chain of eateries in the Cleveland area, announces security breach at third party vendor has placed at risk payment card information of customers who did business at some of the chain’s outlets between Oct. 26, 2016 and Feb. 3, 2017.
Jun. 8. CD Projekt Red, maker of the Witcher game series, rejects ransom demands of hackers who claim to have stolen files from the company, including those related to its much anticipated game Cyberpunk 2077.
Jun. 8. BitSight reports that two months before the WannaCry ransomware epidemic, nearly 20 percent of the Windows computers it studied were running versions of that operating system no longer supported by Microsoft.
Jun. 8. GameStop notifies customers their name, address and credit card information is at risk due to a data breach at the site affecting purchases made from Aug. 10, 2016 to Feb. 9, 2017.
Jun. 5. Old Mutual, a prominent South African financial services firm, warns a “relatively small group” of customers their personal information is at risk after a breach of one of its computer systems.
Jun. 5. Victory Medical Center in Austin, Texas, states that demographic data of some 2,000 patients was leaked online after a data breach of its systems.
Jun. 5. Security researcher Aaron Guzman finds eight software vulnerabilities in a 2017 Subaru WRX STi that could be exploited by an attacker to lock and unlock doors, sound the horn, access a vehicle’s location history and control other behaviors.
Jun. 5. Healthcare Industry Cybersecurity Task Force releases report that includes recommendation that the U.S. Health and Human Services Department create a single person to coordinate the cybersecurity initiatives with the health care industry.
Jun. 1. Dr. Zain Kadri’s plastic surgery clinic announces personal information of as many as 15,000 patients, including some celebrities, was stolen by a disgruntled employee who has posted some of the information on Snapchat, Instagram and Facebook.
May 31. OneLogin, an identity management service provider, alerts users that their data is at risk after an intruder uses one of the company’s Amazon Web Services encryption keys to access its AWS platform.
May 31. Gizmodo confirms a cache of more than 60,000 government files was exposed on a publicly accessible Amazon server for an unknown amount of time. Information in the files included passwords to a U.S. government system containing sensitive information, security credentials of a lead senior engineer at Booz Allen Hamilton and at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.
May 31. A hacking group called Tsar Team leaks thousands of patient photos from the Grozio Chirurgija cosmetic surgery clinic in Lithuania after clinic and patients refused to meet the group’s ransom demands.
May 31. University of Alaska sends letters to some 25,000 students, staff and faculty alerting them their personal information is at risk after hackers compromised several secured accounts through an email scam.
May 31. Kmart Stores, for the second time in three years, discovers malware on the credit card processing systems of some of its outlets.
May 31. Rep. Tom Graves, R-Ga., files bill allowing victims of cyberattacks to hack their attackers, as well as hack into other victims’ computers for “reconnaissance” purposes.
May 30. Ovum, a consulting company, releases survey finding 76 percent of Canadian companies expect data breach attempts to increase in the next 12 months but only 46 percent expect to spend more on cybersecurity during the period.
May 30. A survey of 187 marketing and advertising companies by YouGov and commissioned by Irwin Mitchel finds that 17 percent of the firms would go out of business if they had to pay the maximum penalty for violating the EU’s General Data Protection Regulation that takes effect in 2018.
May 26. Alcoa Community Federal Credit Union files class action lawsuit against the Chipotle restaurant chain over hacking of its point-of-sale system that compromised the payment cards of hundreds of thousands of customers.
May 26. Molina Healthcare, a major insurer in Medicaid and state exchanges across the country, shuts down its online patient portal after a vulnerability was discovered that exposed health records of 4.8 million customers in 12 states to the public Internet.
May 26. Chipotle Mexican Grill announces previously disclosed malware infection of its point of sale system affected nearly all the outlets in the national restaurant chain.
May 25. PNI Digital Media, which provides photo services to retailers such as Costco and CVS, reaches deal with consumers affected by a data breach of the company’s point of sale system. The deal provides up $250 per customer for bank fees, long-distance telephone charges and other expenses, and up to $10,000 for “extraordinary expenses,” as well as $650,000 for attorneys’ fees and court costs.
May 25. Home Depot acknowledges that a spreadsheet containing personal data of some 8,000 people was exposed to the public Internet due to human error.
May 25. Sens. Maggie Hassan, D-N.H., and Rob Portman, R-Ohio, file legislation to establish a bug bounty program in the U.S. Department of Homeland Security.
May 25. UW Health in Wisconsin notifies 2,046 patients that their personal information is at risk after an employee’s email account, which contained files with patient information in them, was compromised by an intruder.
May 23. Florida Department of Agriculture and Consumer Services states personal information of more than 16,000 of the state’s concealed weapons permit owners is at risk after a breach of the agency’s website.
May 23. Target Corporation announces it will pay $18.5 million to 47 states and the District of Columbia to settle case against it stemming from 2013 data breach that compromised tens of millions of customer payment cards.
May 23. St. Luke’s-Roosevelt Hospital Center in New York City agrees to pay U.S. Department of Health and Human services $387,200 to settle potential violations of the federal Health Insurance Portability and Accountability Act.
May 22. DHR International reports that salaries for chief information security officers at top European companies have cracked €1 million and for small and medium companies they’re being paid a minimum of €200,000.
May 21. Global management consultancy Oliver Wyman predicts companies on the FTSE 100 could face up to £5 billion in fines if they don’t comply with the EU’s General Data Protection Regulation set to take effect next year.
May 19. In Chicago, U.S. District Court Judge John Lee approves $5.2 million settlement, including $1.7 million for plaintiff’s attorneys, of lawsuit by financial services companies against Kmart stemming from a data breach that affected about 8.1 million payment cards.
May 19. Twitter alerts users of Vine that their email addresses and in some cases phone numbers are at risk due to a software bug that was patched within 24 hours.
May 18. PureMatrimony.com, a Muslim dating website, advises some 100,000 members to reset their passwords due to an apparent data breach at a third-party website.
May 18. Restaurant search service Zomato resets some 17 million user passwords that it says were stolen when an employee’s development was compromised.
May 18. ZDnet reports font sharing site DaFont.com has been breached and its database of nearly 700,000 user accounts stolen by hackers.
May 17. Edmodo, an education website for parents, students and teachers, confirms data breach which resulted in theft of account information for 77 million users, including passwords that were salted and bcrypt hashed.
May 18. Federal district court in California rules in lawsuit against credit protection and reporting company Experian that forensic report requested by firm’s lawyers is protected by attorney-client privilege and exempt from legal discovery process.
May 17. Cybersecurity blogger Brian Krebs reports that a subsidiary of Equifax, one of the nation’s largest consumer data brokers and credit bureaus, was breached by hackers who stole W-2 tax data for an undisclosed number of customers.
May 16. France fines Facebook 150,000 euros for collecting information on users without their knowledge.
May 16. Crain’s New York Business reports protected health information of 3,500 patients at Coney Island NYC Health + Hospitals is at risk after it was accessed by a volunteer in the phlebotomy department without clearance to do so.
May 15. The UK’s Information Commissioner’s Office reports that data breach reports to the office increased 31.5 percent to 2,565 in 2017 from 1,950 in 2016.
May 15. Electronic signature technology provider DocuSign confirms a series of malware phishing attacks against its customers is connected to a data breach at one of its computer systems.
May 15. Bell Canada issues apology to its customers after nearly 1.9 million of their email addresses and 1,700 names and phone numbers were compromised in a data breach and extortion scheme.
May 15. University of New Mexico Foundation notifies some 23,000 donors, annuitants, foundation employees and vendors that their personal information is at risk due to a computer server breach discovered April 17.
May 15. United Airlines confirms that codes to gain access to the cockpits in its aircraft may have been posted to the Internet. A spokesperson for United says it is working on resolving the issue.
May 12. WannaCry, a ransomware program based on software stolen from the NSA, infects thousands of computers in more than 100 countries, forces the UK’s health care system to turn away patients and disables computers in Russia’s Interior Ministry.
May 12. Brooks Brothers announces a compromise of its point of sales system that could affect the payment card information of some of customers who shopped at some of its stores between April 4, 2016 and March 1, 2017.
May 9. FICO Asia-Pacific releases survey finding three out of four senior fraud managers said they would stop working with a partner that failed a cybersecurity audit.
May 8. Risk modelling firm RMS forecasts that if all U.S. businesses had cyber insurance, more than $5 billion in data breach losses would be covered every year.
May 5. Retailer Debenhams says the personal data of 26,000 customers of its Flowers website may have been stolen by hackers who breached a third-party e-commerce company, Ecomnova.
May 5. Tufts University Executive Vice President Patricia Campbell and Senior Vice President for University Relations Mary Jeka announce sensitive financial information about the Massachusetts school’s department budgets and staff and faculty salaries was posted to a public website by a group calling itself TuftsLeaks.
May 5. Ontario government confirms personal information of thousands of citizens is at risk due to a printing mistake on health care renewal forms mailed to residents of the province.
May 5. Angela Lynn Martin files class action lawsuit in a federal district court in Florida against Scottrade over data breach that compromised the personal information of 4.6 million people from September 2014 to February 2014.
May 3. Google says it stopped within an hour an email spam campaign impersonating Google Docs, which affected less than a tenth of a percent of Gmail users.
May 3. Bitglass releases annual health care data breach report which shows a year-over-year increase in breaches to 328 in 2016 from 268 in 2015, but a decline, for the second year in a row, in records exposed to 16.6 million.
May 3. O2-Telefonica in Germany confirms that some of its customers have had their bank accounts cleaned out by thieves who intercepted the customers’ two-factor authentication codes by hacking the SS7 protocol used by mobile phone networks.
May 3. Bernard Ogie Oretekor, 46, sentenced to seven years and one month in prison and ordered to pay $1.97 million in restitution to the Internal Revenue Service and another $910,000 to four people and two companies for wire fraud, money laundering and identity theft. The Nigerian man used phishing emails to obtain information about his victims that he used to drain money from their bank accounts and collect refunds from bogus tax returns.
May 2. Travel giant Sabre Corp. reports to the SEC that the company is investigating an incident of unauthorized access to payment information contained in a reservation system that serves more than 32,000 hotels and lodging establishments.
May 2. Fitchburg, Mass., City Solicitor Vincent Pusateri says 1,800 people have been notified their Social Security numbers are at risk after they were posted to the Internet three and a half years ago. The posting was either the result of a hack or the data was accidentally removed from an employee’s hard drive. The data was encrypted, but the encryption key was also posted to the Net.
May 2. Newspaper publisher Gannett warns some 18,000 current and former employees their personal information is at risk after email accounts in its human resource department were compromised by hackers.
May 2. U.S. Appeals Court in New York City affirms lower court ruling that dismissed class action lawsuit against Michaels Stores because plaintiff failed to show any injury from data breach at the retailer.
May 1. Federal district court judge in St. Louis dismisses for second time litigation against Schnuck Markets filed by financial institutions which allege negligence and breach of implied contract by the supermarket chain during data breaches it suffered in 2012 and 2013.
May 1. The Centre for Internet & Society in India reports that sensitive data for almost 130 million Aadhaar cardholders has been exposed to the public Internet since Nov. 2016. Aadhaar is a 12-digit number issued to all residents of India based on biometric and demographic data.
Apr. 30. The Gleaner in Jamaica reports information on more than 14,000 of the island’s high school students hosted on a database in the United States has been encrypted with ransomware by hackers who are demanding $5,000 to descramble the data.
Apr. 29. Hindustan Times reports a programming error at a website operated by the Directorate of Social Security for the Indian state of Jharkhand has exposed personal information of 1.6 million pensioners to the public Internet.
Apr. 28. The hacker group known as The Dark Overlord Solutions posts to Pastebin links to stolen copies of an upcoming episode of Orange Is the New Black after Netflix refused to meet the gang’s ransom demands.
Apr. 28. Home Depot agrees to change its cybersecurity governance policies and pay $1 million in attorneys’ fees to settle shareholders’ lawsuit related to a massive payment card data breach in 2014.
Apr. 28. Diamond Institute for Infertility and Menopause in New Jersey advises some 14,000 patients that their personal health information is at risk due to someone gaining unauthorized access to a third-party server hosting the data.
Apr. 28. Greenwood County School District 50 in South Carolina sends letters to some 3,300 current and former employees alerting them their personal information is at risk after an unauthorized user breached four employee email accounts that contained tax and benefit plan information.
Apr. 28. Kromtech Security Researchers discover personal information on at least 500,000 customers of Alliance Direct Lending Corporation was exposed to the public Internet for an unknown amount of time.
Apr. 28. Eddie Bauer argues in a federal court in Washington for dismissal of a proposed class action lawsuit by a credit union due to insufficient facts to support the financial institution’s claim that 2016 data breach at the retailer was due to negligence.
Apr. 28. Australian Federal Police confirms it unlawfully accessed a journalist’s phone records without a warrant.
Apr. 28. IBM X-Force releases report finding financial services sector attacked by cyber criminals 65 percent more than any other industry, resulting in the breach of more than 200 million records in 2016, a 937 percent increase over the previous year.
Apr. 28. Trinity College sends letter to people who have contributed to the Trinity Foundation over the past decade that their personal information may have been compromised in a phishing attack.
Apr. 28. Stuart Colianni uploads to the research site Kaggle 40,000 profile photos scraped from Tinder without authorization to create a data set for facial recognition research.
Apr. 28. Paratransit Services, a provider of non-emergency medical and public transportation services in Washington, Oregon and California notifies everyone who worked for the company in 2016 that their personal tax information is at risk after their W-2 tax forms for the year were emailed to a phishing scammer.
Apr. 27. Verizon releases its annual data breach report which finds that ransomware was involved in 71 percent of the more than 40,000 incidents analyzed in the report.
Apr. 27. Matthew Hanley, 22, and Connor Douglas Allsopp, 20, plead guilty to crimes connected to the theft of 150,000 customer records from broadband service provider Talk Talk in 2015.
Apr. 27. Security researcher Chris Vickery reports AMP, a provider of online platforms for futures trading, exposed on the Internet details of its financial operations and private information of more than 10,000 account applicants due to a misconfigured backup device managed by a third-party IT vendor.
Apr. 27. Thales Data Threat Report finds 34 percent of U.S. government respondents have experienced a data breach in the last year and 96 percent of them consider themselves “vulnerable.”
Apr. 26. Employees of Tipton County school system in Tennessee file $19 million federal class action lawsuit against board of education for falling for a phishing scam that resulted in the theft of the workers’ tax information.
Apr. 26. Symantec releases Internet Security Threat Report which reveals that the average ransom demanded by ransomware extortionists increased 266 percent, to $1,077 in 2016 from $294 in 2015.
Apr. 26. Accenture releases survey which included finding that one in eight UK consumers have had their personal medical information stolen from technology systems.
Apr. 26. Kromtech security researchers report 88 megabytes of spreadsheet documents apparently belonging to Alliance Direct Lending Corp. and containing information on hundreds of auto dealerships in the United States and as many as one million customer details was exposed to the public Internet for an unknown length of time due to a misconfigured AWS S3 bucket.
Apr. 26. Motherboard reports customer data from Ciphr, a provider of secure mobile phones, has been dumped on the public Internet. “All Ciphr emails/servers have been compromised,” the website hosting the purloined data claims.
Apr. 25. LeakBase, a for-profit breach notification service, says it has obtained from a hacker more than five million records belonging to customers of R2 Games, which also had 22 million accounts compromised in December 2015.
Apr. 25. Chipotle tells investors during an earnings conference call that it’s investigating some unauthorized activity on a network that supports payment processing for purchases made at its chain of burrito restaurants.
Apr. 25. Blowout Cards, a website devoted to buying, selling and trading sports and other kinds of cards, warns its customers their payment card information is at risk due to a data breach at the site.
Apr. 25. Behavioral Health Center in Bangor, Maine says more than 4,000 clients had their personal information stolen in a data breach in March.
Apr. 24. Experian asks California federal court judge to deny motion by T-Mobile customers in class action lawsuit to release a report prepared by information security firm Mandiant related to a data breach that exposed the personal information of 15 million consumers.
Apr. 24. HipChat notifies all account holders that it has reset their passwords after its security team discovered an incident affecting one of its servers and attributed to a vulnerability in a third-party library.
Apr. 24. CardioNet, a mobile heart monitoring technology company based in Malvern, Pa., agrees to pay $2.5 million to the U.S. Department of Health and Human Services to settle a case arising from the theft of a laptop containing unencrypted patient data.
Apr. 24. Western Health Screening, an onsite blood screening provider in Billings, Mont. alerts an undisclosed number of participants in a health fair from 2008 and 2012 that their demographic data is at risk due to the theft of an unencrypted flash drive.
Apr. 24. Booz Allen reports customer information has been compromised at dozens of car washes in the United States that use the payment infrastructure of DRB systems.
Apr. 22. Lifespan, Rhode Island’s largest health care network, notifies some 20,000 patients their health information is at risk after a laptop containing it was stolen from an employee’s car.
Apr. 22. Bitcoin exchange Yapizon announces four of its hot wallets were compromised by hackers and bitcoins worth $5.3 million stolen.
Apr. 21. Security researchers Tao Sauvage and Antide Petit report they’ve found 10 noteworthy vulnerabilities in 20 models of Linksys routers that could allow an attacker to overload the routers and prevent Internet access for their users.
Apr. 21. Federal District Court judge in Seattle sentences Roman Valerevich, 32, to 27 years in prison for running a vast credit card fraud and identity theft operation from his homes in Indonesia and Russia.
Apr. 21. Survey by Dimensional Research and sponsored by Check Point Software finds 64 percent of security professionals doubt their organizations can prevent a breach of their employees’ mobile devices.
Apr. 21. Iowa Veterans Home in Marshalltown, Iowa warns nearly 3,000 current and former residents that their medical and financial information is at risk after three employees had their network credentials compromised in a phishing scam.
Apr. 21. UK’s National Crimes Agency reports that the availability of free and easy-to-use hacking tools is attracting more and more young people into cybercrime.
Apr. 20. University of California reveals a group of fraudsters bilked the school of $12 million by writing prescriptions using information scammed from students lured to phony clinical trials through Facebook ads.
Apr. 20. Vigilante.pw, a data breach recorder, reports more than 2.4 million user accounts were stolen in 2016 from fashion gaming website and social network Fashion Fantasy Game.
Apr. 20. Dell End-User Security Survey finds that 46 percent of employees use public Wi-Fi networks to access confidential information and 49 percent use personal email accounts for work.
Apr. 20. Mastercard announces a new kind of payment card with a fingerprint sensor to authenticate transactions.
Apr. 20. Outdoor clothing retailer Eddie Bauer declares it will fight class action lawsuit filed in a federal district in Seattle by Veridian Credit Union over a data breach that occurred between January and July 2016.
Apr. 20. ServiceNow releases results of survey of 300 CISOs that finds 81 percent of them believe data breaches in their company are going unaddressed and 78 percent said they were concerned they didn’t have the capability to detect a data breach.
Apr. 20. Center for Children’s Digestive Health in Illinois agrees to pay $31,000 to U.S. Department of Health and Human Services for storing protected health information with a third party service provider without a Business Associate Agreement.
Apr. 19. MacKeeper Security Research Center reports Schoolzilla, a student data warehousing platform, exposed private data for 1.3 million students on the Internet when it misconfigured its cloud storage, an Amazon S3 bucket.
Apr. 19. Oracle patches 299 vulnerabilities in most of the company’s product families including Oracle Database Server, Fusion Middleware, Enterprise Manager Base platform, PeopleSoft Enterprise and Java.
Apr. 19. Metropolitan Police says it will investigate how a mail marketing agency obtained the addresses of 30,000 gun owners in the UK that were in a database maintained by the agency.
Apr. 19. Ipsos Mori releases survey that finds 2.5 million UK businesses suffered a digital attack last year.
Apr. 17. InterContinental Hotels Group releases data that reveals point-of-sale malware attack announced in February affected more than 1,000 of its properties, not 12 as originally estimated.
Apr. 13. Protenus reports that in March there were 39 health care data breaches affecting more than 1.5 million patient records, more than the two previous months combined.
Apr. 13. KnowBe4 releases list of top-clicked topics in phishing emails for the first quarter. At the top of the list was “UPS Label Delivery,” followed by email account updates, “full inbox” and “delivery attempt was made.”
Apr. 13. The Metro Community Provider Network in Denver agrees to pay $400,000 to settle case against it by the U.S. Department of Health and Human Services Office for Civil Rights stemming from a data breach at the organization in 2011.
Apr. 13. California Federal District Court Judge Vince Chhabria rejects motion to dismiss class action lawsuit against the Kimpton Hotel and Restaurant Group over a data breach that resulted in the compromise of payment cards used at the chain from Feb. 16 to Jul. 7, 2016. Kimpton argued the case should be dismissed because no harm was suffered by plaintiffs.
Apr. 12. Canadian court denies bail for Karim Baratov, 22, an immigrant from Kazakhstan, who is awaiting extradition to the United States for allegedly participating in Yahoo data breaches that compromised 500 million user accounts.
Apr. 12. CGI releases an analysis of 65 “severe” and “catastrophic” data breaches and finds they can cost a company 1.8 percent of its value or for a typical FTSE 100 company, a permanent loss of market capitalization of £120 million.
Apr. 12. AQA, an independent education charity and the largest provider of academic qualifications taught in UK schools and colleges, says personal information for 64,000 current and former examiners was stolen by hackers who breached some of the organization’s online systems.
Apr. 12. Irish Data Commissioner Helen Dixon says her office is preparing a report on the Yahoo data breach that resulted in the theft of data on 500 million accounts, and it will impose remedial action if necessary.
Apr. 11. Irish Office of the Data Protection Commissioner reports it received 2,224 data breach notifications in 2016, a four percent decrease from 2015 when 2,317 breaches were reported.
Apr. 11. Irish Data Protection Commissioner’s office announces it has finalized preparations for an investigation into the processing of patient data in the country’s hospitals.
Apr. 11. Mailguard, an antivirus software maker, warns Australian businesses to beware of false invoices that appear to be from the popular accounting software MYOB and contain a bogus invoice button leading to a booby-trapped website.
Apr. 10. The Wall Street Journal reports tens of thousands of dollars have been stolen from third-party sellers on Amazon by hackers who are using stolen credentials to compromise the sellers’ accounts.
Apr. 9. Payday loan firm Wonga says it is investigating a data breach that could affect as many as 245,000 customers in the UK.
Apr. 7. Twitter drops lawsuit against U.S. government after U.S. Customs and Border Protection withdraws summons demanding identity of people behind a Twitter account critical of President Donald J. Trump.
Apr. 7. Gamestop confirms it has been notified by a credit card processor that credit card data from its website is being sold on the Internet. It advises customers to monitor their credit cards for unauthorized charges while it investigates the potential data breach.
Apr. 7. Personal health information of 918,000 people is at risk after a backup database belonging to HealthNow Networks, a Florida telemarketer, was posted without access controls to the Internet.
Apr. 6. U.S. Government Accounting Office recommends Congress authorize agencies to determine the appropriate level of identity theft insurance for persons affected by data breaches. Currently coverage amounts are fixed by law.
Apr. 6. Internal Revenue Service tells U.S. Senate Finance Committee that as many as 100,000 taxpayers could have been compromised and $30 million stolen in a scam where hackers posed as students using a data retrieval tool used to prepare applications for financial aid.
Apr. 6. New Mexico Gov. Susana Martinez signs into law a bill requiring anyone owning or licensing the personal data of any resident of the state to notify them if their data is affected by a breach.
Apr. 5. Scottrade announces Genpact, a third-party vendor, uploaded to an insecure server a data set containing commercial loan information for 20,000 people and businesses and that the two were investigating to what extent the data may have been compromised.
Apr. 5. UK Information Commissioner’s Office fines 11 charities £138,000 for misusing information about millions of past donors to seek further funds for future projects.
Apr. 5. Quest Diagnostics argues in a New Jersey federal court that a putative class action lawsuit stemming from a data breach at the company affecting some 34,000 people should be dismissed because the incident did not increase the lead plaintiff’s risk of identity theft since the stolen material was already publicly available.
Apr. 4. MacKeeper researcher Chris Vickery reports that an online data repository used by the state of North Carolina was left exposed to public Internet for an unknown amount of time.
Apr. 4. Bitglass reports that one in three organizations have been hacked more than five times in the last 12 months and that 87 percent of them were victims of at least one cyberattack.
Apr. 4. Tennessee Governor Bill Haslam signs into law amendments to the state’s data breach law clarifying when the 45-day notice requirement is triggered and adding technical requirements for its encryption exemption.
Apr. 3. International Association of Athletics Federations announces a data breach it believes was perpetrated by Fancy Bear, the group of Russian hackers who meddled with the 2016 U.S. presidential election, but can’t confirm if any data was stolen in the attack.
Apr. 3. Online edition of JAMA Internal Medicine publishes study finding that larger hospitals and those with a major teaching mission are more likely to suffer a data breach than smaller hospitals without a teaching mission.
Apr. 3. Reservation Center, an online travel agency, files lawsuit in federal district court in Ohio against Expedia for allegedly stealing data from RC and selling it to its competitors.
Apr. 3. Vancouver police arrest man believed to have broken into PharmaNet, a centralized system for pharmacies in the Canadian province of British Columbia, and used patient information for fraudulent purposes.
Stay tuned for the Q3 2017 edition of the Data Breach Report.
John P. Mello, Jr. a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
The Data Breach Report provides a quarterly diary of noteworthy data breaches and cyber-attacks to CIOs, CSOs, CISOs, IT security teams, and the media.
McDonald’s, Arby’s headline data breaches during first quarter of year
Menlo Park, Calif. – Mar. 31, 2017
Data breaches at fast food chains Arby’s and McDonald’s Canada were among the prominent brands hit by data breaches during the first three months of 2017. Another eatery chain, Wendy’s, was the target of a lawsuit stemming from a data breach at that chain, as was clothing retailer Eddie Bauer.
Some other companies paid the price of having their data compromised. Neiman Marcus settled a data breach lawsuit for $1.6 million and Home Depot settled one for $25 million.
Among the largest breaches during the period was the compromise of the voting records of 55 million Filipinos, the leak of 33.7 million email addresses from Dun & Bradstreet and news that six million accounts were hacked at South African cinema company Ster-Kinekor. One of the most controversial leaks during the period was WikiLeaks’ publication of a large cache of documents stolen from the CIA.
Meanwhile, IBM reported that four billion records were exposed worldwide in 2016, more than the previous two years combined.
Mar. 31. McDonald’s Canada discloses that a data breach at its website for job applicants resulted in the theft of personal information for some 95,000 people.
Mar. 31. The UK’s Independent Parliamentary Standards Authority accidentally exposed for four hours on the Internet confidential personal information, including salaries, for about 3,000 staff members of parliament.
Mar. 30. Government Accountability Office finds that U.S. Office of Personnel Management overpaid for identity theft insurance for the more than 20 million current and former federal employees who had sensitive information about them stolen in a data breach at the agency.
Mar. 30. IBM releases its X-Force Threat Intelligence Index for 2017 finding that in 2016, four billion records were leaked worldwide — more than the two previous years combined.
Mar. 28. Hong Kong’s Registration and Electoral Office reports the personal information of 3.7 million voters is at risk after two laptops containing the data were stolen from a room at the AsiaWorld-Expo on Lantau.
Mar. 28. Maxim Senkh of Novgorod, Russia, pleads guilty in U.S. federal court to participating in a botnet scheme based on stolen OpenSSH credentials that raked in millions of dollars worldwide from click-fraud and spam campaigns.
Mar. 28. Associated Press reports lawsuits have been filed by eight credit unions in seven states against Arby’s for losses attributed to a data breach that occurred when the fast food chain’s point-of-sale system was compromised.
Mar. 27. St. Paul Fire & Marine files lawsuit to avoid paying more than $2.4 million in damages resulting from data breach at Rosen Hotels & Resorts last year.
Mar. 27. The U.S. Treasury Inspector General for Tax Administration reports the IRS failed to deactivate its Identity Protection Personal Identification Number program after a data breach in May 2015 despite repeated recommendations by the TIGTA to do so.
Mar. 22. Urology Austin in Texas announces a ransomware attack on its computer network has potentially exposed patient information for 279,663 people.
Mar. 22. America’s Joblink, which connects job seekers with employers in 10 states, reports a data breach has placed at risk the personal information of millions of people stored on the service’s servers.
Mar. 21. New York Attorney General Eric T. Schneiderman reports his office received notice of 1,300 data breaches in the state in 2016, a 60 percent increase over the previous year.
Mar. 20. Protenus Breach Barometer reports 31 healthcare data breaches occurred in February affecting 206,151 patient records.
Mar. 20. BuzzFeed News reports that personal information of tens of thousands of Saks Fifth Avenue’s customers is at risk because it was exposed at the company’s online shopping site.
Mar. 17. Neiman Marcus agrees to pay $1.6 million to settle lawsuit over 2013 data breach in which the credit card data of 350,000 shoppers was compromised.
Mar. 16. The Association of British Travel Agents announces account information for as many as 43,000 people is at risk due to a data breach at a third-party provider hosting its data.
Mar. 15. U.S. Justice Department indicts for hacking half a billion Yahoo accounts Russian Federal Security Service agents Dmitry Dokuchaev and Igor Sushchin and two co-conspirators, Alexsey Belan and Karim Baratov.
Mar. 15. Wishbone, a polling app popular among teens, says its API has been hacked and more than two million email addresses compromised.
Mar. 15. Troy Hunt posts to his data breach notification site Have I Been Pwned a database leaked from Dun & Bradstreet containing 33.7 million unique email addresses and other information on employees in thousands of companies.
Mar. 14. Three, a UK telecom provider, announces 76,373 more customers than originally reported were affected by a data breach last year which allowed intruders to gain access to a database in the company’s computer system.
Mar. 13. Virginia amends its data breach notification law to include tax phishing scams.
Mar. 13. Security website Haveibeenpwned.com alerts six million users of South African cinema company Ster-Kinekor that their accounts were compromised in a 2016 data breach.
Mar. 12. MacKeeper security researchers report they’ve discovered a misconfigured device connected to the Internet belonging to a U.S. Air Force officer that has exposed sensitive information to the public, including a spreadsheet with details about ongoing investigations by the service.
Mar. 10. The U.S. departments of Internal Revenue and Education shut off a tool used by students to apply for college financial assistance due to concerns about a potential security breach.
Mar. 9. Home Depot agrees to $25 million to settle lawsuit brought by financial institutions over the 2014 data breach at the “big box” hardware store.
Mar. 9. St. Louis furniture retailer Weekends Only says Aptos, the company that hosts its online store, has suffered a data breach potentially affecting the credit card information of 8,000 customers.
Mar. 9. Veridian Credit Union sues clothing retailer Eddie Bauer over data breach that compromised its point-of-sale system.
Mar. 9. Brad Maiorino, who was hired by Target in 2014 after it experienced a massive data breach in which information on more than 40 million payment cards was stolen, leaves retailer for job at Booz Allen Hamilton.
Mar. 8. Verifone, the largest payment terminal company in the United States, says data breach of its systems affected some two dozen American gas station convenience stores over a short period of time.
Mar. 8. BitSight, a security ratings company, reports that Fortune 1000 businesses are more prone to cyberattacks than firms that do not make the list.
Mar. 7. WikiLeaks posts online thousands of documents it says were leaked from the U.S. Central Intelligence Agency, including information on tools used by the spies to hack computers and mobile phones.
Mar. 7. Brand New Day, a Medicare-approved health plan in California, notifies 14,005 patients their electronic personal health information is at risk from a data breach at a third-party provider.
Mar. 7. CyberEdge Group releases survey of 1,100 IT decision makers in 15 countries that finds 79 percent of organizations were affected by a successful cyberattack and 61 percent were infected with ransomware, although only 33 percent paid the ransom.
Mar. 6. Security researcher Chris Vickery reports that a failure by River City Media to safeguard its database of 1.34 million email accounts left the data exposed for public view on the Internet.
Mar. 3. Shareholders Foundation announces investor lawsuit has been filed in California against Yahoo for alleged false and misleading statements about data security at the company and a data breach in which personal user data was stolen from at least 500 million accounts.
Mar. 3. Emory Healthcare in Atlanta reports a database containing appointment information for about 80,000 patients was deleted by an intruder who demanded a ransom to restore it.
Mar. 3. Purdys Chocolatier of Vancouver, British Columbia, Canada, says the private information of some 12,000 Canadian and 1,500 U.S. buyers has been compromised by a data breach at Aptos, an Internet service provider to the company.
Mar. 1. Yahoo board of directors report senior executives failed to “properly comprehend or investigate” 2014 data breach affecting 500 million accounts and decide not to award CEO Marissa Mayer her cash bonus for 2016.
Mar. 1. Autoneum North America, headquartered in Farmington Hills, Mich., announces tax information for 2,400 workers was stolen in a phishing scam.
Feb. 28. UK Information Commissioner’s Office fines health company HCA International £200,000 for violating the country’s Data Protection Act by storing medical data on an unsecure server.
Feb. 28. Redmond, Wash., School District says tax information for 1,000 current and former employees was stolen when it was emailed to a thief posing as the superintendent of the district.
Feb. 28. Trend Micro reports that the number of new ransomware families in 2016 jumped 752 percent, to more than 20 from less than five in 2015.
Feb. 28. Goldenvoice warns users of Coachella.com to be on alert for spam emails from people impersonating Coachella personnel after a data breach at the website for music fans.
Feb. 24. Cellebrite, a mobile forensics company based in Israel, announces it has found a means to unlock and extract the full file system from any iPhone 6 or 6 Plus.
Feb. 24. Financial institutions file proposed class action lawsuit against fast food sandwich chain Arby’s for failing to adequately protect its point-of-sale system from hackers, which resulted in the institutions reissuing potentially millions of new payment cards.
Feb. 24. MacKeeper security researchers discover a leaky data set on the computer systems at Stewart International Airport in New York that exposed to the public Internet 760 gigabytes of sensitive information, including employee Social Security numbers and network passwords.
Feb. 23. Food store chain Ellwood Thompson’s Local Market based in Richmond, Va., alerts 360 former and current employees their W-2 tax information is at risk after it was emailed to someone posing as the founder of the company.
Feb. 23. Cloudflare says system error exposed some sensitive data on its servers to the Internet, which was subsequently cached by search engines crawling the Net; however, system problem has been fixed and cache material scrubbed.
Feb. 22. Meridian Health Services of Indiana announces W-2 tax information of some 1,200 current and former employees has been compromised by a phishing scam.
Feb. 21. Yahoo and Verizon announce new terms for the sale of Yahoo to Verizon of $4.48 billion, $350 million less than originally offered, a reduction attributed to two massive data breaches at Yahoo last year.
Feb. 21. Shareholders Foundation in San Diego announces an investor lawsuit has been filed against Wendy’s board of directors in connection with a point-of-sale data breach that affected some of the fast food firm’s franchises in 2015 and 2016.
Feb. 21. Business Continuity Institute and British Standards Institute release survey of more than 700 organizations in 79 countries finding that nearly nine out of 10 businesses (88 percent) worldwide are worried about the threat of cyberattacks.
Feb. 21. Louisiana Department of Insurance says the personal information of an estimated 8,000 former members of the failed Louisiana Health Cooperative is at risk after a data breach at the co-op’s reinsurance broker.
Feb. 20. Accenture releases survey finding more than one in four (26 percent) Americans have had their personal medical information stolen from a technology system and that half those victims suffered medical identity theft, which cost them, on average, $2,500 in out-of-pocket expenses.
Feb. 20. Nursing home chain American Senior Communities in Indiana states W-2 tax information of more than 17,000 employees has been compromised in a phishing scam.
Feb. 18. Family Services of Rochester (Minn.) says an investigation is underway of a data breach that has compromised the personal information of an unspecified number of clients.
Feb. 17. Memorial Health Care systems, an operator of six hospitals in South Florida, agrees to pay U.S. Department of Health and Human Services $5.5 million to settle case involving the theft of patient information by two employees.
Feb. 17. A survey of 250 IT pros by iSense Solutions for Bitdefender finds 34 percent of companies have suffered a data breach in the last year and of those companies breached, 74 percent don’t know how it happened.
Feb. 16. New York Department of Financial Services releases “first in nation” cybersecurity regulations for the financial services industry.
Feb. 16. The Philippines’ Commission on Elections confirms a laptop containing personal information, including biometrics, of 55 million voters was stolen from the election office of Wao, Lanao del Sur.
Feb. 16. British Columbia Premier Christy Clark announces an investigation is underway into a data breach of the province’s PharmaNet system that compromised medical information of some 7,500 people.
Feb. 16. Memorial Health Care System in Florida pays $5.5 million to settle potential violations of federal privacy and security rules after reporting the personal health information of 115,143 people was impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff.
Feb. 15. Yahoo warns its users that forged cookies were used to log into some of their accounts in 2015 or 2016 without the use of passwords.
Feb. 15. U.S. Bureau of Indian Affairs says personal data of more than 20,000 members of two Montana American Indian tribes is at risk after an external hard drive was stolen from a law enforcement vehicle in Big Horn County.
Feb. 15. Texas Department of Transportation confirms breach of an automated administration system which may have left some employee data altered and compromised.
Feb. 15. Redspin releases annual data breach report revealing hacking attacks on healthcare providers increased 320 percent in 2016.
Feb. 15. World Trademark Review reports that more than 100,000 websites have been hacked and defaced following the release WordPress 4.7.2 which contained a fix for a critical vulnerability.
Feb. 15. Charter Oak Fire Insurance Company and Travelers Property Casualty Co. of America ask federal court in Florida to reject claim by 21st Century Oncology that data breach losses are covered by the publication of confidential information clause in an existing insurance policy.
Feb. 15. Horizon Healthcare Services of New Jersey agrees to pay state $1.1 million to settle case involving the theft of two laptops that allegedly compromised the personal information of 690,000 policyholders.
Feb. 14. Verizon releases its 2017 data breach digest finding that the effects of breaches are spreading to even more parts of an enterprise and causing more problems outside of IT.
Feb. 11. NBC News reports data breach at PIP, a printing chain with more than 400 outlets in 13 countries, has exposed thousands of sensitive documents from labor filings for NFL players to lawsuits against Hollywood studios.
Feb. 10. Ercan Findikoglu is sentenced in a New York federal court to eight years in prison for conducting cyberattacks that netted him $55 million.
Feb. 10. Bloomington Public Schools in Minnesota alerts several thousand employees their personal and financial information is at risk from a tax form phishing scam.
Feb. 9. Arby’s alerts nearly 355,000 customers that their payment card information may have been compromised due to a malware infection of the point-of-sale system at some of its stores between October 25 and January 19.
Feb. 9. Hacked-DB reports a hacker has leaked 1.3 million accounts stolen from staffing website eLance in 2009, as well as hundreds of thousands of Yahoo and Gmail accounts.
Feb. 9. Mercer County School District in West Virginia is victimized by tax phishing scam that results in theft of personal and financial information of some 1,800 school employees.
Feb. 8. Boeing reveals the personal information of some 36,000 employees is at risk after an employee sent a spreadsheet with the information to his spouse to resolve a formatting issue.
Feb. 8. Brian Neff, who owns an online insurance company based in Texas, files putative class action lawsuit in a federal district court in California claiming fraudulent charges were made to his credit cards due to data breaches at Yahoo.
Feb. 8. Russia’s Ministry of Internal Affairs announces it arrested in January nine suspected members of a cybercrime group known as Lurk alleged to have played a role in the theft of more than $17 million from the country’s banks.
Feb. 7. GoCardless, a UK payment processing company, warns its customers that their personal data is at risk due to the theft of 19 laptops from its offices.
Feb. 6. Federal Trade Commission announces Vizio, one of the world’s largest makers of “smart” televisions, agrees to pay $2.2 million to settle charges it installed software on its TVs to collect viewing data on 11 million consumer TVs without the knowledge or consent of their owners.
Feb. 6. Marsh announces launch of Marsh CyberShield, a cyber risk and data breach insurance policy for mid- to large-sized organizations to cover up to $624 million in risk associated with cyber incidents and data breaches.
Feb. 6. U.S. Appeals Court in West Virginia dismisses lawsuit arising from data breaches at the Bryan Dorn Veterans Affairs Medical Center in Columbia, S.C., saying plaintiffs “failed to show they were in any real and immediate danger of sustaining a direct injury as a result of some official conduct.”
Feb. 6. Gdadebo Adebiyi pleads guilty to conspiracy to commit mail fraud for his role in a breach of the Bradley University data warehouse which resulted in the theft of $770,000.
Feb. 3. Hacker dumps on the Internet a database of users of Freedom Hosting II, as well as the administrative credentials for accessing the thousands of “Dark Web” websites it services.
Feb. 3. Michigan Unemployment Insurance Agency says personal information of up to 1.87 million workers in the state is at risk after a software error in its computer system exposed their data to third-party payroll vendors and employers not authorized to access it.
Feb. 3. Toys R Us advises all loyalty customers to change their passwords because of data breaches at the vendor that runs its Rewards R Us program.
Feb. 2. InterContinental Hotels Group confirms credit card data breach between August and December 2016 at restaurants and bars at 12 of its hotels.
Feb. 1. U.S. Department of Health and Human Services announces Children’s Medical Center of Dallas has agreed to pay $3.2 million civil money penalty for impermissible disclosure of unsecured electronic protected health information and non-compliance over many years with federal security standards.
Feb. 1. Licking County, Ohio, announces more than 1,000 computers have been shut down by a ransomware attack.
Jan. 31. Officials at Scotty’s Brewhouse in Indianapolis reveal W-2 forms of 4,000 employees were emailed to an unknown party posing as the CEO of the company.
Jan. 31. Data breach notification site Have I Been Pwned reports that 1.8 million user credentials have been stolen from online forum of Polish game development studio CD Projekt RED.
Jan. 31. Cisco releases security report that finds for more than a third of organizations that suffered a data breach in 2016, the cost of the breach exceeded 20 percent of revenues.
Jan. 31. The Irish Sun reports that data breaches at two popular forums for PlayStation and Xbox have resulted in the exposure of 2.5 million accounts.
Jan. 30. Baseball Commissioner Rob Manfred strips the St. Louis Cardinals of its top two draft picks and orders the team to pay the Houston Astros $2 million for hacking into the Astros email system and scouting database.
Jan. 30. Belton (Texas) Independent School District officials discover W-2 forms of 1,700 current and former employees were emailed to an online scammer posing as the ISD’s superintendent.
Jan. 29. Massachusetts releases online records showing sensitive information from nearly 3.4 million Bay State customer accounts has been inappropriately viewed, lost or stolen from businesses and state agencies since 2012.
Jan. 29. The Romantik Seehotel Jägerwirt in Austria pays cyber extortionist $1,600 after ransomware attack disabled the hotel’s key lock, reservation and cash desk systems.
Jan. 27. MacKeeper researchers say recordings of some 400,000 phone calls from at least one U.S.-based telemarketing firm have been exposed on the Internet due to a database misconfiguration.
Jan. 27. Singapore’s Personal Data Protection Commission fines PropNex Realty $10,000 after it accidentally exposed online the personal data of 1,765 people.
Jan. 27. A data thief posing as the CEO of solar company Sunrun obtains W-2 forms of an unspecified number of employees in a phishing scam.
Jan. 27. Lexington County School District Two in South Carolina reveals W-2 forms of employees who worked there between Jan. 1 and Dec. 31, 2016, were stolen in a phishing scam.
Jan. 27. Superintendent Daniel Trevino announces personal information in the W-2 tax forms of some 950 employees of the Mercedes, Texas, school district is at risk after it was emailed to an unauthorized third party in a phishing scam.
Jan. 26. New York Attorney General Eric T. Schneiderman announces Acer Service Corporation has agreed to pay $115,000 in penalties and to shore up its data security after a data breach at its website exposed more than 35,000 credit card numbers.
Jan. 26. UGI Utilities in Pennsylvania announces personal information of about 1,900 employees was acquired by perpetrators of an email phishing scam.
Jan. 26. Website of LeakedSource, a for-profit breach notification service, disappears from the Net amid reports it was raided by law enforcement.
Jan. 26. Pew Research Center releases survey finding that 51 percent of American adults are “not at all confident” or “not too confident” in social media sites keeping their information safe and 49 percent feel the same way about the federal government.
Jan. 26. Beazley, a provider of data breach response insurance, reports that ransomware attacks in 2016 quadrupled over the previous year and predicts they will double again in 2017.
Jan. 25. Risk Based Security reports that in 2016 there were 4,149 data breaches that exposed 4.2 billion records.
Jan. 25. Rosen Law Firm announces filing of investors class action lawsuit against Yahoo stemming from data breaches that resulted in theft of information for one billion user accounts.
Jan. 23. Wall Street Journal reports SEC is investigating whether two massive data breaches at Yahoo should have been reported sooner.
Jan. 23. Reuters reports that bandits who stole data from 29,000 clients of XP Investments SA of Brazil demanded a $7.1 million ransom to keep the security breach secret.
Jan. 20. Federal appellate court in Philadelphia finds class action lawsuit against Horizon Healthcare stemming from data breach may proceed even though only intangible injuries are claimed by the plaintiffs.
Jan. 20. Ohio State Veterinary Medical Center in Dublin, Ohio, alerts 4,611 clients that their personal data is at risk due to data breach caused by malware infection.
Jan. 20. Bowlmor AMF, the world’s largest bowling center operator, says it has had a possible data breach at 21 of its more than 300 domestic locations in 12 states.
Jan. 20. CSO Online reports a misconfigured synchronization program at Canadian ISP KWIC Internet has exposed its customers’ personal information and more on the public Internet.
Jan. 19. Identity Theft Resource Center and CyberScout report U.S. data breaches reached all time high in 2016 of 1,093, a 40 percent increase over the 780 in 2015.
Jan. 19. Army announces its first bug bounty program received 400 bug reports, 118 of which were unique and actionable, earning the researchers who submitted them $100,000 in rewards.
Jan. 19. Ransomware attack on St. Louis Public Library disables 700 computers and prevents books and other materials from being checked out of the library.
Jan. 18. Supercell, the developer of the mobile game Clash of Clans, warns users a vulnerability in its forum software has exposed their emails and encrypted passwords to hackers. According to the breach notification website LeakBase, some 1.1 million accounts are affected by the breach.
Jan. 18. CoPilot Provider Support Services, a health care provider in Hyde Park, New York, announces personal information of some 220,000 people is at risk after one of its databases was accessed by an unauthorized third-party.
Jan. 17. Australian Prime Minister Malcolm Turnbull orders his top cyber security adviser to prepare a report on claims that more than 3,000 government officials had private data stolen in the 2013 Yahoo data breach.
Jan. 17. An analysis of 16,000 Android applications by cybersecurity firm Fallible reveals 2,500 of them had some type of secret credential hard-coded into them by developers, including access tokens and API keys for services like Twitter, Dropbox, Flickr, Instagram, Slack and Amazon Web Services.
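As an added illustration of the kind of hard-coded credential Fallible’s analysis describes (example code written for this report, not Fallible’s tool or any vendor’s code): a small scanner that runs over strings pulled out of a decompiled app, matches the vendor-documented prefixes of AWS access key IDs and Slack tokens exactly, and falls back to a Shannon entropy check on any quoted literal assigned to a secret-looking identifier, which is how tokens with no fixed format (Twitter, Dropbox, Flickr) get caught. The sample strings are constructed: the AWS values are Amazon’s published placeholder credentials, and the Slack and Dropbox values are fictional.

```python
import math
import re
from typing import Dict, List, Tuple

# Vendor-documented credential formats that can be matched exactly.
SIGNATURES: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}

# Fallback for tokens with no fixed format (Twitter, Dropbox, Flickr, ...):
# a secret-looking identifier assigned a quoted literal of 16+ characters.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|api[_-]?key|password)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, placeholders score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, entropy_threshold: float = 3.5) -> List[Tuple[str, str]]:
    """Return (finding_type, value) pairs for one extracted string."""
    hits: List[Tuple[str, str]] = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(line):
            hits.append((name, m.group(0)))
    for m in ASSIGNMENT.finditer(line):
        ident, value = m.group(1), m.group(2)
        already = any(value == v for _, v in hits)   # don't double-report a signature hit
        if not already and shannon_entropy(value) >= entropy_threshold:
            hits.append(("high_entropy_" + ident.lower(), value))
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan strings such as the output of `strings classes.dex` or decompiled source."""
    return [(i, name, value)
            for i, line in enumerate(lines, 1)
            for name, value in scan_line(line)]


# Constructed sample in the shape of strings pulled from a decompiled app.
# AWS values are Amazon's documented placeholders; Slack/Dropbox values are fictional.
SAMPLE_STRINGS = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'SLACK_BOT_TOKEN = "xoxb-123456789012-abcdefghij"',
    'DROPBOX_ACCESS_TOKEN = "sl.AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"',
    'API_KEY = "changeme_changeme"',                  # placeholder: low entropy, skipped
    'String endpoint = "https://api.example.com/v1/upload";',
]

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_STRINGS):
        print(f"line {lineno}: {kind}: {value[:6]}...")
```

The entropy threshold of 3.5 bits per character is a tuning knob: lower it and placeholders like the one on line 5 start to show up, raise it and short real secrets slip through, so in practice the exact-format signatures carry most of the weight and the entropy check is the safety net for everything else.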
Jan. 17. Motherboard reports data traders are swapping details on more than one million user accounts belonging to Supercell, a maker of popular mobile games such as Clash of Clans.
Jan. 17. Sentara, a healthcare provider serving Virginia and North Carolina, says personal information of 5,454 patients is at risk due to a data breach at a third-party vendor.
Jan. 17. Children’s Hospital of Los Angeles warns 3,600 patients their personal data is at risk due to theft of an unencrypted laptop in October.
Jan. 13. Protenus reports fewer patient records were stolen in health care data breaches in 2016 (27.3 million) than 2015 (113 million) but there were more data breaches in 2016 (450) compared to 2015 (253).
Jan. 13. The Delaware Department of Insurance announces the personal information of 19,000 members of Highmark Blue Cross Blue Shield of Delaware is at risk following a data breach at two of the health care provider’s subcontractors.
Jan. 13. Three Pennsylvania Superior Court judges uphold a lower court ruling that health care provider UPMC, which suffered a data breach in which the personal information of 62,000 employees was stolen, had no legal duty to safeguard its employees’ data.
Jan. 13. Federal appeals court in St. Louis affirms a lower court ruling capping liability at $500,000 for a 2013 data breach at Schnuck Markets.
Jan. 13. Margarita Serrano files class action lawsuit in a federal district court in California alleging Automotive Recovery Services exposed her personal information to hackers after she donated a car to charity.
Jan. 12. Motherboard reports it has received from a hacker 900 gigabytes of data stolen from Cellebrite — an Israeli mobile hacking company that’s done work for U.S. federal and state law enforcement agencies as well as Russia, the United Arab Emirates and Turkey — including customer information, databases, and a vast amount of technical data regarding its products.
Jan. 12. Federal court in Tennessee approves $1.9 million settlement of class action lawsuit against Mapco Express for data breach in 2013.
Jan. 11. CSO Online reports that 68.5 percent of public-facing MongoDB databases, or 32,820 installations, have been hit by ransomware attacks from multiple actors.
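To show the misconfiguration behind that MongoDB ransom wave (an added example, not from CSO Online or the MongoDB project): an audit function that reads the two settings that matter in mongod.conf, net.bindIp and security.authorization, and flags an instance that listens on every interface with no access control, the weak configuration shown beside the corrected one. Both config fragments are constructed; the parser handles only the two-level section/key: value subset that mongod.conf uses, and the assumption that a missing bindIp means listening on all interfaces reflects the pre-3.6 default (3.6 and later default to localhost).

```python
from typing import Dict, List

# Constructed mongod.conf fragments. WEAK_CONF is the shape of the exposed
# instances: reachable from the Internet, no access control at all.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listen on every interface
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:' / '  key: value' subset of YAML that
    mongod.conf uses. Comments are stripped; deeper nesting is not handled."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            section = line[:-1].strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def audit_exposure(conf: Dict[str, Dict[str, str]],
                   default_bind_all: bool = True) -> List[str]:
    """Return findings for an instance reachable without authentication.
    default_bind_all=True models mongod before 3.6, which listened on all
    interfaces when net.bindIp was unset (3.6+ defaults to localhost)."""
    net = conf.get("net", {})
    security = conf.get("security", {})

    bind = net.get("bindIp")
    if bind is None:
        bound_all = default_bind_all
    else:
        addrs = [a.strip() for a in bind.split(",")]
        bound_all = any(a in ("0.0.0.0", "::") for a in addrs)
    if net.get("bindIpAll", "false").lower() == "true":   # 3.6+ shorthand
        bound_all = True

    auth_enabled = security.get("authorization", "disabled").lower() == "enabled"

    findings: List[str] = []
    if bound_all and not auth_enabled:
        findings.append("CRITICAL: listens on all interfaces with authorization disabled; "
                        "anyone who can reach TCP/27017 can read, drop and ransom every database")
    elif bound_all:
        findings.append("WARNING: listens on all interfaces; confirm a firewall restricts TCP/27017")
    elif not auth_enabled:
        findings.append("WARNING: authorization disabled; any local process has full access")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_exposure(parse_mongod_conf(text)) or ["OK"])
```

Note that enabling authorization is only half of the fix: an instance that still binds to 0.0.0.0 remains a brute-force and CVE target for the whole Internet, which is why the hardened fragment changes both settings rather than one.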
Jan. 11. UK Information Commissioner’s Office fines Royal & Sun Alliance Insurance £150,000 for data breach resulting from theft of storage device containing information on nearly 60,000 customers.
Jan. 11. Giulio Occhionero, 45, and Francesca Maria Occhionero, 49, are charged in a Roman court with hacking into the phones and computers of high-ranking government officials, business leaders and Freemasons in Italy.
Jan. 10. Federal judge in Tennessee approves $1.9 million settlement in lawsuit against convenience store chain Mapco Express stemming from point of sale data breach in 2013.
Jan. 9. Presence Health in Illinois agrees to pay $475,000 to settle case with U.S. Department of Health and Human Services over the untimely reporting of a breach of protected health information.
Jan. 9. Owners of the Two Plus Two poker discussion forum confirm personal information about its members has been stolen and posted to the Internet for public access.
Jan. 9. Sydney Morning Herald reports National Australia Bank mistakenly sent the bank account details of 60,000 customers to an email address controlled by Real Assets Limited, a domain name broker.
Jan. 9. An investor files a lawsuit against the board of directors of Wendy’s claiming breach of fiduciary duties by mismanaging a data breach that resulted in the theft of customer data.
Jan. 8. Poker discussion forum Two Plus Two tells some of its 400,000 members to reset their passwords and take extra precautions when trading with or staking players because of a data breach at the site.
Jan. 7. Breach notification service LeakedSource announces it has obtained 1,503,707 customer records stolen in data breach in December from ESEA, one of the largest competitive video gaming communities on earth.
Jan. 6. California Department of Insurance finds data breach that compromised 78.8 million consumer records at health insurer Anthem was performed on behalf of a foreign government.
Jan. 6. Los Angeles Valley College pays $28,000 in bitcoin to hacker who locked out 1,800 staff and teachers from their computers with ransomware.
Jan. 5. The Philippine National Privacy Commission recommends criminal charges be filed against Commission on Elections Chairman J. Andres D. Bautista for a data breach exposing online the personal data of 1.3 million overseas Filipino voters and the fingerprints of 15.8 million people.
Jan. 5. Federal Trade Commission files complaint against D-Link for failing to take adequate measures to secure its routers and webcams which left them vulnerable to hackers and put consumer privacy at risk.
Jan. 5. The University of Alberta in Canada warns more than 3,000 faculty, students and staff that their passwords are at risk due to malware infections on 300 computers at the institution.
Jan. 4. Frederick County (Maryland) Board of Education refuses to send student information to the state Education Department after a suspected data breach at the department exposed on the Internet personal information of 1,000 students from the county.
Jan. 4. Andrew Minty, Jamie Leong, and Michelle Craddock, plead guilty and are sentenced for conspiring to steal customer information from Enterprise Rent-A-Car in the UK and selling it for hundreds of thousands of pounds to accident claims companies who used it to make nuisance calls about personal injury claims.
Jan. 3. U.S. Office of Management and Budget publishes new policies on how federal agencies should prepare for and address a breach of personally identifiable information.
Jan. 3. The Massachusetts Office of Consumer Affairs and Business Regulation announces it is making reports of potential identity theft available to the public on its website, eliminating the need to file a public records request to see them.
Stay tuned for the Q2 2017 edition of the Data Breach Report.
The Data Breach Report provides a quarterly diary of noteworthy data breaches and cyber-attacks to CIOs, CSOs, CISOs, IT security teams, and the media.
Yahoo, Friend Finder, Dropbox suffer biggest attacks
Menlo Park, Calif. – Dec. 30, 2016
Information on millions of people was exposed during the final calendar quarter of 2016.
Among the big hacks during the period were the theft of information on more than one billion Yahoo accounts, the compromise of the Friend Finder network, which put at risk 412 million accounts and the posting to the Internet by a hacker of 68 million Dropbox accounts from a 2012 data breach.
Cyber bank robbers were also busy during the quarter. They compromised 3.2 million payment cards in India and stole $31 million from the central bank of Russia.
Dec. 29. FBI and U.S. Department of Homeland Security issue joint report detailing the tools and infrastructure used by Russian intelligence services to compromise and exploit networks and infrastructure associated with the recent U.S. election, as well as a range of U.S. government, political and private sector entities.
Dec. 29. Nevada takes its marijuana portal offline after a data breach exposed confidential information on some 12,000 applications for cards used to obtain medical marijuana.
Dec. 28. InterContinental Hotels Group, which operates more than 5,000 hotels worldwide, says it’s investigating reports of a possible data breach at a small number of its hotels located in the United States.
Dec. 23. Three Chinese citizens are charged by the United States with conspiring to commit insider trading, wire fraud and computer intrusion in an indictment filed in federal court in Manhattan.
Dec. 24. The Daily Caller reports a Russian hacker breached The Russian Visa Center and exposed information on some 3,000 people seeking assistance in obtaining Russian visas.
Dec. 14. Yahoo discloses data breach dating back to 2013 resulting in theft of information on more than one billion accounts.
Dec. 2. Reuters reports hackers using a client’s credentials stole more than $31 million from the central bank of Russia.
Dec. 1. MacKeeper Security Researcher Chris Vickery reports sensitive information of explosives handling company Allied-Horizontal is at risk after a Network-Attached Storage device was exposed to the public Internet.
Dec. 1. International law enforcement authorities announce dismantling of Avalanche, a malware delivery and money mule recruiting platform that produced hundreds of millions of euros in revenues for its operators.
Nov. 30. Camelot, the operator of the UK’s national lottery, announces some 26,500 player accounts are at risk after a data breach of its systems.
Nov. 30. Europol reports sensitive data on terrorism investigations conducted from 2006 to 2008 is at risk after an employee brought the data home in violation of agency policy and stored it on a hard drive connected to the Internet without password protection.
Nov. 29. Barrett Brown, a self-proclaimed spokesman for the hacktivist collective known as Anonymous, is released from federal prison five months ahead of schedule.
Nov. 29. Idaho Fish & Game announces it is again selling licenses and posting hunter reports online. The service was knocked offline in August by a data breach.
Nov. 29. Deutsche Telekom and Germany’s Federal Office for Information Security announce that a system disruption over the weekend affecting some 900,000 customers was part of a failed global attempt by hackers to hijack routers and use them to disrupt Internet traffic.
Nov. 28. The Japan Times reports a cyberattack by a state actor in September may have compromised Japan’s internal military network.
Nov. 28. U.S. Navy warns more than 130,000 sailors their personal information is at risk after a contractor’s laptop is compromised.
Nov. 19. Russian telecom watchdog Roskomnadzor discovers data breaches at 55 websites which contain personal information of children who have written to “Father Frost,” the Russian Santa Claus.
Nov. 18. Michigan State University announces it will notify some 400,000 current and former students and staff of data breach that has compromised their personal information.
Nov. 16. GulfNews reports personal records of more than 34 million residents of the Indian state of Kerala were posted to Facebook by a hacker disenchanted with the security of the state’s computer systems.
Nov. 16. Protenus reports month-to-month decline in health care data breaches to 35 in October from 37 in September, although the number of patient records increased to 776,533 from 246,876.
Nov. 16. Workers at Indian security firm AI Solutions are discovered selling phone records of Australians obtained from call centers of Optus, Telstra and Vodafone.
Nov. 15. Seventeen-year-old boy pleads guilty in UK to data breach last year at telecommunications provider TalkTalk which resulted in unauthorized access to personal data of nearly 160,000 people.
Nov. 14. Adobe agrees to pay $1 million to 15 states to settle a case stemming from a 2013 data breach at the company that resulted in unauthorized access to the personal information of some 552,000 people.
Nov. 14. Data breach at Friend Finder Network places at risk personal information in more than 412 million accounts.
Nov. 3. New Zealand Nurses Organization announces the contact details of “tens of thousands” of members were emailed to someone posing as the chief executive of the organization.
Nov. 2. Business Insider announces its website was compromised by OurMine, a group that hacks websites to expose security flaws.
Nov. 2. U.S. District Judge Rosemary Collyer dismisses class action lawsuit stemming from 2015 data breach at the IRS in which the personal and financial information of 330,000 taxpayers and their family members was compromised by hackers who infiltrated the now defunct “Get Transcript” service, which allowed taxpayers to access their tax filings online.
Oct. 31. Hacker group calling itself Shadow Brokers releases a data dump listing computer servers around the world allegedly compromised by the Equation Group, which is believed to be linked to the NSA.
Oct. 31. U.S. Office of Personnel Management announces it is changing credit monitoring and identity protection service providers and that some of the 25 million people affected by a data breach at the agency will have to re-enroll to continue coverage.
Oct. 31. Attorney General of Washington reports that from July 2015 to July 2016, 39 data breaches in the state affected some 450,000 people.
Oct. 20. Weebly, a San Francisco-based website creation company, starts notifying more than 43 million customers their personal information is at risk due to a data breach that occurred in February.
Oct. 20. National Payments Corporation of India reports some 3.2 million payment cards have been compromised in massive ATM security breach.
Oct. 19. Federal Reserve, FDIC and OCC issue notice of proposed rulemaking seeking comments on a set of enforceable cybersecurity standards for banks with more than $50 billion in assets.
Oct. 18. Redbus, an Indian online travel ticketing platform, confirms data breach that may have compromised more than four million accounts. Company advises all its users to reset their passwords.
Oct. 19. Czech police announce they have arrested Russian citizen in Prague wanted by the FBI in connection to 2012 data theft of 117 million passwords at LinkedIn.
Oct. 17. Katy Independent School District in Texas warns 78,000 students and staff members their personal data is at risk due to a data breach.
Oct. 7. U.S. government formally accuses Russia of a campaign of cyber attacks against Democratic Party organizations ahead of the Nov. 8 presidential election.
Oct. 6. Central Ohio Urology Group reports to U.S. Department of Health and Human Services that 300,000 patients were affected by data breach in August, the eighth largest breach in the nation this year.
Oct. 6. Montana Department of Justice reports 110,000 citizens of the state were victims of data breaches in the last 12 months.
Oct. 6. American 1 Credit Union in Jackson, Mich., announces it will decline all purchases made at Wendy’s by its payment card holders because it doesn’t believe the fast food chain has removed all the malware that infected its point-of-sale systems in more than 1,000 locations in 2015.
Oct. 5. The BBC reports Fancy Bears, the hackers who published online medical records stolen from the World Anti-Doping Agency, may have doctored some of the data in those records.
Oct. 5. UK Information Commissioner’s Office orders TalkTalk to pay a fine of £400,000 in connection to a 2015 data breach that affected 150,000 customers.
Oct. 5. The New York Times reports the FBI has arrested Harold T. Martin, a former employee of NSA contractor Booz Allen Hamilton, and is investigating whether he stole and disclosed classified security code developed by the agency to compromise the networks of foreign governments.
Oct. 4. Personal data of more than 1.5 million users of websites run by C&Z Tech Limited, which include HaveAFling.mobi, HaveAnAffair.mobi and HookUpDating.mobi, is at risk after a database for the sites was found exposed to the Internet without a password.
Oct. 4. Thomas White, aka The Cthulhu, posts to his website as a free download information from more than 68 million Dropbox accounts stolen in a 2012 data breach of the service.
Oct. 4. The Sunday Express reports that Amazon has alerted some of its customers that their passwords have been reset after it discovered their Amazon email address and password corresponded to a login list posted online.
Oct. 4. Reuters reports that last year Yahoo built a custom program to search all its customers’ incoming emails for information provided to it by U.S. intelligence officials. Yahoo later denied the claims in the report.
Oct. 3. U.S. District Court Judge Andrea R. Wood dismisses class action lawsuit against Barnes & Noble related to a compromise of its point-of-sale systems in 2012. She found that plaintiffs failed to show they had suffered any actual damages because of the data breach.
Oct. 3. U.S. Surgeon General warns 6,600 medical professionals in his “commissioned corps” that their personal information is at risk by a breach of the agency’s personnel system.
Stay tuned for the Q1 2017 edition of the Data Breach Report.
© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.