Security Incidents around Us

General Info      

The internet has become an incredible source for not only information, but for banking, shopping, paying bills, and performing many other tasks that once required us to stray from home, and venture into the city to resolve. This has no doubt provided many of us with great conveniences and time saving, allowing us more time to spend on other matters that are more important to our daily lives. However, with this great convenience comes great risks. As we are able to perform many more tasks over the internet, it also increases the risk for our data or even our identities to be stolen online.

In February 2020, Security Magazine cited a report from Risk Based Security that stated that for the year ending in 2019, there were 7,098 breaches reported. In these breaches, 15.1 billion records were exposed. This was almost triple the records exposed in 2018. Some of these records were even from many higher education resources. Considering that, we would like to take the opportunity to provide some recent information on data and security breaches on this page to promote better awareness of these incidents.

How to Reduce Your Exposure to the Risks

One easy method to keep your information safe is frequently changing your password. This prevents stale credentials from being used to gain access to your information in the event of a credential leak. Never use the same password on different websites. While this is convenient, it makes it easy for your accounts on multiple sites to be compromised when one site experiences a breach of user credentials. Use a password manager to store your passwords for different websites. Password managers not only make it easier to keep up with your passwords, but also let you generate a different secure password for each site. Some password managers include LastPass, BitWarden, and 1Password. There are also sites where you can enter the email address linked to your online accounts to check whether those accounts were victims of a breach. One such site is https://haveibeenpwned.com. If you find you have been a victim of a data breach, change your password immediately.

Also pay attention to emails you receive and never click on any questionable links you aren't sure about. If unsure, it is always better to ask. Please don't hesitate to report such emails using the Phish Alert button in your Outlook client. If you have any questions about the breaches listed on this page, please contact the ITS Helpdesk.

 

Data Breaches Affecting UNA

 

Blackbaud

July 16, 2020: The actual data breach occurred on February 7, 2020 as a result of a ransomware attack; however, Blackbaud customers weren't alerted by the company until July 16, 2020. Credit card information, bank account information, and Social Security numbers were not stolen, according to the spokesperson. A ransom was paid to the cyber criminals to destroy the subset of data taken during the attack, but the amount of the ransom wasn't disclosed by Blackbaud.


The data accessed by the cybercriminal may have contained some of the following information:

  • Basic details, eg name, title, gender, date of birth and student number (if applicable);
  • Addresses and contact details eg phone, email and LinkedIn profile URL;
  • Course and educational attainment details, eg what qualification you received and some of the extracurricular opportunities you participated in while studying at York (if applicable);
  • A record of your engagement with alumni and fundraising activities eg enquiries, event participation, volunteering, donations, and any other interactions you have with us;
  • Professional details, eg the profession you work in and your employer;
  • Information about your interests you have provided to us eg in response to one of our surveys

 

Recent Data Breaches

 
(Taken from IdentityForce.com)

Facebook

April 3, 2021: The personal data of 533 million Facebook users from 106 countries has been posted online for free in a low-level hacking forum. The data was scraped through a vulnerability that the company patched in 2019, and includes users’ phone numbers, full names, location, email address, and biographical information.

Cancer Treatment Centers of America

March 26, 2021: The Cancer Treatment Centers of America sent out notifications to 104,808 patients, alerting them a compromised email account led to medical information being accessed by an unknown third-party.  The compromised account contained patient names, health insurance information, medical record numbers, CTCA account numbers, and limited medical information.

Hobby Lobby

March 23, 2021: A database containing records of over 300,000 customers of the arts and crafts chain store, Hobby Lobby, was exposed after the company suffered a cloud-bucket misconfiguration. The disclosed information included customer names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as the source code for the company’s app.

California State Controller’s Office (SCO)

March 23, 2021: A phishing attack targeting the California State Controller’s Office (SCO) Unclaimed Property Division led to an employee clicking on a malicious link, logging into a fake website, and granting a hacker access to their email account. The criminal had access to the account for 24 hours, allowing permission to view Personally Identifying Information (PII) contained in Unclaimed Property Holder Reports and to send more phishing emails to the hacked SCO employee’s contacts. The number of employees affected and the types of personal information impacted have not been disclosed.

MultiCare

March 9, 2021: A third-party ransomware attack exposed the personal information of over 200,000 patients, providers and staff of MultiCare Health System, a non-profit health care organization. The attack allowed access to personal information including names, insurance policy numbers, Social Security numbers, dates of birth, bank account numbers, and more.

SITA

March 4, 2021: The global IT company, SITA, which supports 90% of the world’s airlines confirmed it fell victim to a cyberattack, exposing the PII belonging to an undisclosed number of airline passengers. The stolen information includes names, traveler’s service card numbers, and status level.

Microsoft Exchange

March 3, 2021: Cybercriminals have targeted four security flaws in Microsoft Exchange Server email software. The attackers used the bugs on the Exchange servers to access email accounts of at least 30,000 organizations across the United States, including small businesses, towns, cities and local governments. The cyberattack gives the hackers total remote control over affected systems, allowing for potential data theft and further compromise. Microsoft has released security patches for these bugs and urges customers to apply the updates as soon as possible.

T-Mobile

February 26, 2021: An undisclosed number of T-Mobile customers were affected by SIM swap attacks, or SIM hijacking, where scammers take control of and switch phone numbers over to a SIM card they own using social engineering. With access to customer phone numbers, scammers receive messages and calls, which allows them to log into the victims’ bank accounts to steal money, change account passwords, and even lock the victims out of their own accounts that use two-factor authentication. The attack also exposed customer information including names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers (PIN), account security questions and answers, date of birth, plan information, and the number of lines subscribed to their accounts.

Kroger

February 20, 2021: A third-party data breach at cloud solutions company, Accellion,  allowed hackers to steal human resources data and pharmacy records belonging to the supermarket giant, Kroger. The records disclosed could include names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers as well as information on health insurance, prescriptions and medical history.

California DMV

February 18, 2021: The California Department of Motor Vehicles (DMV) alerted drivers they suffered a data breach after billing contractor, Automatic Funds Transfer Services, was hit by a ransomware attack. The attack exposed drivers’ personal information from the last 20 months of California vehicle registration records, including names, addresses, license plate numbers and vehicle identification numbers (VINs).

Nebraska Medicine

February 10, 2021: A malware attack allowed a hacker to access and copy files containing the personal and medical information of 219,000 patients of Nebraska Medicine. The health network notified affected individuals that the accessed information includes names, addresses, dates of birth, medical record numbers, health insurance information, physician notes, laboratory results, imaging, diagnosis information, treatment information, and/or prescription information, and a limited number of Social Security numbers and driver’s license numbers.

“Compilation of Many Breaches” (COMB)

February 2, 2021: A database containing more than 3.2 billion unique pairs of cleartext emails and passwords belonging to past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin, Yahoo, and more was discovered online. This is the largest compilation of data from multiple breaches, which is where the name “Compilation of Many Breaches” or COMB comes from. The searchable and well-organized database was leaked to a popular hacking forum, giving hackers access to account credentials, including approximately 200 million Gmail addresses and 450 million Yahoo email addresses, and more.

U.S. Cellular

January 28, 2021: Through a targeted attack on retail employees of U.S. Cellular, the fourth-largest wireless carrier in the U.S., hackers were able to scam employees into downloading malicious software onto company computers. Once downloaded, the software granted remote access to the company devices and to the customer relationship management (CRM) software containing account records for 4.9 million customers. The company states that 276 customers were impacted and notified of the security incident. While viewing a customer’s account in the CRM, the hacker had access to names, addresses, PINs, cell phone numbers, service plans, and billing/usage statements.

VIPGames

January 26, 2021: VIPGames.com, a free gaming platform, exposed over 23 million records for more than 66,000 desktop and mobile users due to a cloud misconfiguration. The leaked user records include usernames, emails, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, bets and data on players who were banned from the platform.

Bonobos

January 22, 2021: Customer data stolen from the men’s clothing retailer, Bonobos, was found for free in a hacker forum after a cybercriminal downloaded the company’s backup cloud data. The exposed database contains order information for over 7 million customers, including addresses, phone numbers, and account information for 1.8 million registered customers, and 3.5 million partial credit card records.

MeetMindful

January 24, 2021: The dating platform, MeetMindful.com, was hacked by a well-known hacker and had its users’ account details and personal information posted for free in a hacker forum. The leaked details of more than 2.28 million registered users included names, email addresses, location details, dating preferences, marital status, birth dates, IP addresses, Bcrypt-hashed account passwords, Facebook user IDs and Facebook authentication tokens.

Pixlr

January 20, 2021:  A database containing 1.9 million user records belonging to Pixlr, a free online photo-editing application, was leaked by a hacker. The database was stolen at the same time as the attack on 123RF, which exposed over 83 million user records. The leaked records include email addresses, usernames, hashed passwords, user’s country, whether they signed up for the newsletter, and other sensitive information.

Mimecast

January 12, 2021: A cybercriminal compromised a certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to Microsoft 365. Mimecast is a cloud-based email management service that provides email security services for Microsoft 365 accounts. According to the company, approximately 10 percent of its customers used the compromised connection, but have since been asked to reinstall a newly issued certificate.

Facebook, Instagram and LinkedIn

January 11, 2021: A Chinese social media management company, Socialarks, suffered a data leak through an unsecured database that exposed account details and Personally Identifiable Information (PII) of at least 214 million social media users from Facebook, Instagram, and LinkedIn. The exposed information for each platform varies but includes users’ names, phone numbers, email addresses, profile links, usernames, profile pictures, profile description, follower and engagement logistics, location, Messenger ID, website link, job profile, LinkedIn profile link, connected social media account login names and company name.

Parler

January 11, 2021: News of the conservative social media app, Parler, having its data scraped by a hacker came to light after Amazon Web Services removed the platform from its servers. The 70TB of leaked information includes 99.9% of posts, messages, and video data containing EXIF data — metadata of date, time, and location. Parler’s Verified Citizens, or users who had verified their identity by uploading their driver’s license or other government-issued photo ID, were also exposed.

Ubiquiti Inc.

January 11, 2021: One of the biggest Internet of Things (IoT) technology vendors, Ubiquiti, Inc., alerted its customers of a data breach caused by unauthorized access to their database through a third-party cloud provider. The email communication advised customers to change passwords and enable multi-factor authentication. The data exposed may include an undisclosed number of customer names, email addresses, hashed and salted passwords, addresses, and phone numbers.


Tufts Health Plan, Aetna, Blue Cross Blue Shield & EyeMed

December 11, 2020: A phishing attack on the vision benefits management company, EyeMed, exposed the personal and medical information of hundreds of thousands of health plan members, including 484,157 Aetna members (announced on December 28, 2020), 60,545 members of Tufts Health Plan, and 1,300 members of Blue Cross Blue Shield of Tennessee. The information disclosed during the attack included names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, health insurance account/identification numbers, Medicaid or Medicare numbers, driver’s license, birth or marriage certificates. For a smaller number of members, partial or full social security numbers and/or financial information, medical diagnoses and conditions, treatment information, and passport numbers were also included.

Spotify

December 10, 2020: An undisclosed number of users of the audio streaming service, Spotify, have had their passwords reset after a software vulnerability exposed account information. A data breach notification filed by Spotify claims the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.”

Dental Care Alliance

December 10, 2020: A cyberattack on healthcare provider, Dental Care Alliance, exposed sensitive personal and medical information of over 1 million patients. The attack exposed patient names, addresses, dental diagnosis and treatment information, patient account numbers, billing information, bank account numbers, the name of the patient’s dentist, and health insurance information.

FireEye 

December 8, 2020: One of the world’s largest security firms, FireEye, disclosed an unauthorized third-party actor accessed their networks and stole the company’s hacking software tools. The highly sophisticated hacker also attempted to search and gather information related to the company’s government customers.

Canon

November 25, 2020: Canon, a popular camera manufacturer, publicly disclosed that a ransomware attack and resulting data breach targeting the firm had occurred for several weeks in July and August of 2020. Over 10TB of breached data belonging to potentially thousands of current and former employees working for Canon between 2005 and 2020 was compromised, including Social Security numbers, driver’s license numbers or government-issued identification, bank account information for direct deposits, dates of birth, and beneficiary and dependent information.

Pray.com

November 19, 2020: An unsecured database belonging to the app Pray.com exposed the personal information of over 10 million individuals – including users of the app and their contacts. The impacted information includes photos uploaded by the app’s users, names, home and email addresses, phone numbers, marital status, and login information. The data breach expanded beyond just the direct users of Pray.com app, and also exposed the contact information belonging to any contact stored on their mobile device, such as contacts names, phone numbers, email, home and business addresses, company names and family ties.

Vertafore

November 14, 2020: Vertafore, an insurance software firm, fell victim to a data breach and exposed the personal and driver’s license data of over 27 million Texas citizens. The files accessed by an unauthorized party contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration histories.

123RF

November 12, 2020: Popular stock photo and vector site, 123RF, experienced a data breach, and exposed 8.3 million user records. The database was later put up for sale on the Dark Web, impacting members’ full name, email address, MD5 hashed passwords, company name, phone number, address, PayPal email, and IP address.

Animal Jam

November 11, 2020: Animal Jam, a popular online game for kids, was hacked and 46 million account records were compromised in a data breach. The databases belonging to WildWorks, the company behind Animal Jam, were posted to an online hacking forum on the dark web. The data included information related to children and parent accounts, including user names, emails, passwords, birth dates, and billing addresses connected to PayPal accounts.

Expedia, Hotels.com & Booking.com

November 6, 2020: An unsecured database belonging to the hotel reservation platform, Prestige Software, leaked sensitive data from over 10 million hotel guests worldwide, dating as far back as 2013. The third-party data leak affected guests that have booked reservations through travel companies such as Expedia, Hotels.com, Booking.com, Agoda, Amadeus, Hotelbeds, Omnibees, Sabre and more. The information exposed in the data leak includes names, email addresses, national ID numbers, phone numbers of hotel guests, and reservation details such as reservation number, dates of a stay, and the price paid per night. The unsecured database also disclosed sensitive credit card details from over 100,000 guests, including card number, cardholder’s name, CVV, and expiration date, and total cost of hotel reservations.

Mashable.com

November 5, 2020:  A database containing staff, users, and subscribers data of the online media company, Mashable.com, was leaked by hackers and reported publicly on November 8th. The breached data was later detected on the Dark Web on December 16th. The database contains 1,852,595 records, including names, email addresses, country, gender, job description, online behavior related details, date of registration, IP addresses, social media profile links, and authentication tokens.

JM Bullion

November 3, 2020: Malware embedded in the online shopping platform of precious metals dealer, JM Bullion, captured the personal and banking card information of customers who made purchases between February and July 2020. Using the malicious code, hackers were able to collect an undisclosed number of customer names, addresses, and payment card details including account numbers, card expiration dates, and the security codes.

Fragomen, Del Rey, Bernsen & Loewy

October 27, 2020:  The immigration law firm responsible for representing Google, Fragomen, Del Rey, Bernsen & Loewy, announced a security incident has exposed the personal information of current and former Google employees.  An unauthorized third party gained access to an undisclosed number of employee Form I9’s, containing full name, date of birth, phone number, social security number, passport numbers, mailing address, and email address.

Pfizer

October 20, 2020:  The pharmaceutical corporation, Pfizer, exposed the personal and medical information of hundreds of medical patients taking cancer drugs through a data leak. A misconfigured Google Cloud database exposed names, phone numbers, home addresses, email addresses, customer support messages, health data, medical status, phone call transcripts, and prescription information.

Broadvoice

October 20, 2020: Security researchers at Comparitech discovered an unsecured database containing the records of more than 350 million customers along with call transcripts belonging to the cloud-based communication company, Broadvoice. The exposed Elasticsearch database enclosed personal details such as caller names, caller identification number, phone number, and location along with voicemail transcripts.

Dickey’s BBQ

October 16, 2020: A year-long Point-of-Sale (POS) system breach has impacted 3 million customers of the popular national BBQ chain, Dickey’s Barbecue Pit. Hackers posted over 3 million customers’ payment card details for sale on the Dark Web, where each record is being sold for $17 per card.

Barnes & Noble

October 15, 2020: Popular bookseller, Barnes & Noble, notified customers that a cybersecurity attack led to exposed customer information and caused service disruption of Nook e-reader books. The company has not disclosed how many customers have been impacted, but noted billing and shipping addresses, telephone numbers, and email addresses were accessed in the data leak.

Chowbus

October 6, 2020: Customers of the food delivery startup, Chowbus, received an email notification from the company that included a link to access the personal and account information of about 800,000 customers. The customer data in the data dump includes names, phone numbers, and mailing and email addresses.

Blackbaud

October 6, 2020: Blackbaud, a cloud-based fundraising database management vendor for non-profits and educational institutions, became victim to a ransomware attack beginning in February 2020, which remained undetected until May 2020. Blackbaud paid the ransom and received confirmation the data had been destroyed. Before deleting the data, the cybercriminals copied sensitive data from over 6 million donors, potential donors, patients, and community members including names, emails, phone numbers, dates of birth, genders, provider names, dates of service, department visited, and philanthropic giving history. A recent SEC filing in September 2020, reveals hackers gained access to more unencrypted data than originally reported, including Social Security numbers, financial accounts, and payment information. Hundreds of Blackbaud’s impacted clients continue to disclose the data incident, including Inova Health (1.5 million), Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000), Spectrum Health (52,711), Northwestern Memorial HealthCare (55,983), and Main Line Health (60,595). Several organizations in Vermont were also included in the breach, such as the Vermont Foodbank, Middlebury College, and Vermont Public Radio.

Warner Music Group

September 29, 2020: A recent legal filing revealed entertainment and record label conglomerate, Warner Music Group (WMG), suffered a three-month-long Magecart attack that exposed an undisclosed number of customers’ personal and financial information. Hackers accessed customers’ details from Warner Music’s e-commerce websites hosted and supported by a third-party, capturing customer’s names, email addresses, telephone numbers, billing addresses, shipping addresses, and payment card details such as card numbers, CVC/CVV, and expiration dates.

Town Sports

September 24, 2020:  A researcher at Comparitech discovered an unsecured online database containing records of 600,000 gym members of the fitness chain, Town Sports International. Town Sports has 185 clubs under various brands, including New York Sports Clubs, Philadelphia Sports Clubs, Boston Sports Clubs, Washington Sports Clubs. The database exposed customer names, postal addresses, email addresses, phone numbers, check-in data, gym location, notes on customer accounts, last four digits of credit card, credit card expiration date, and billing history.

Activision

September 21, 2020: Over 500,000 gamer accounts of Activision, the video game publisher, were targeted in a credential stuffing attack. It has been reported that login data, such as email and password, was published publicly online, granting hackers access to the Call of Duty accounts, often locking the rightful owner out of their account.

Children’s Hospitals and Clinics of Minnesota

September 16, 2020: Children’s Hospitals and Clinics of Minnesota sent notification that a third-party data breach exposed over 160,000 patient records. The patient information impacted in the breach includes names, addresses, phone numbers, ages, dates of birth, genders, medical record numbers, dates of treatment, locations of treatment, names of doctors and health insurance status.

Staples

September 14, 2020:  An undisclosed number of customers of the office retail giant, Staples, received email notification disclosing their information has been exposed in a data breach. The breached information includes customer names, addresses, email addresses, phone numbers, last four credit card digits, and order details.

Razer

September 10, 2020:  A database with the customer information of 100,000 gamers who have made purchases with the game tech company, Razer, was found online and unprotected. The exposed information included name, email, phone number, customer internal ID, order number, order details, billing and shipping address.

NorthShore University HealthSystem

September 9, 2020:  The Chicago based healthcare system, NorthShore University HealthSystem, disclosed the protected health information of 348,000 medical patients was exposed through a third-party data breach. The data breach exposed patient names, dates of birth, addresses, phone numbers, e-mails, admission and discharge dates, locations of services, and physician names and specialties.

Imperium Health

September 7, 2020: A phishing attack led to the protected health information of 140,000 medical patients of Imperium Health Management being exposed. The information accessed through the attack includes patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information.

Telmate

September 5, 2020:  Over 1 million inmates that have used the prison phone service, Telmate, have had their personal information exposed in an unsecured database. The information of both inmates and their contacts that was disclosed included names, gender, offense, religion, facility location, relationship status, medication history, emails, physical and IP addresses, phone numbers and driver’s license details.

Utah Pathology Services

August 31, 2020: In an attempt to redirect funds from Utah Pathology Services, an unauthorized hacker gained access to an employee email account and the sensitive information of 112,000 medical patients. The accessed information includes patient names, gender, date of birth, mailing address, phone number, email address, health insurance information, internal record numbers, diagnostic information, and a small number of Social Security numbers.

Dynasplint Systems

August 26, 2020: A motion rehabilitation device manufacturer, Dynasplint Systems, experienced an encryption attack on its business devices that exposed the personal and medical information of 103,000 patients. The accessed information includes names, addresses, dates of birth, Social Security numbers, and medical information.

Freepik

August 21, 2020: Freepik, a free image database, sent out a breach notification to 8.3 million users that their account login information was exposed through injected malware on their website. The malware collected emails of all users and hashed passwords of 3.77 million users.

Instagram, TikTok & YouTube

August 20, 2020: Researchers at Comparitech uncovered an unsecured database with 235 million Instagram, TikTok, and YouTube user profiles exposed online belonging to the defunct social media data broker, Deep Social. The scraped profile information in the data leak includes names, ages, genders, profile photos, account descriptions, statistics about follower engagement and demographic such as number of likes, followers, follower growth rate, engagement rate, audience demographic (gender, age and location), and whether the profile belongs to a business or has advertisements.

Avon

July 28, 2020: An unsecured database exposed the Personally Identifiable Information (PII) of 19 million customers and potential employees of the cosmetic company, Avon. The leaked information included names, phone numbers, dates of birth, email and home addresses, and GPS coordinates, as well as other technical information.

Promo.com

July 28, 2020: The video creation platform, Promo.com, confirmed their 22 million customers have had their personal and account information exposed in a third-party data breach. The compromised data includes names, email addresses, IP addresses, user location, gender, and encrypted passwords.

Drizly

July 28, 2020: The online alcohol delivery startup Drizly disclosed to its customers that a hacker accessed the account details of 2.5 million Drizly accounts. The customer information exposed included email addresses, date-of-birth, and hashed passwords.

Dave Mobile Banking App

July 26, 2020: A third-party breach leaked the account details of over 7.5 million users of the digital banking app, Dave. Although no financial information was disclosed, the breach exposed names, phone numbers, emails, birth dates, home addresses, and encrypted Social Security numbers.


Ancestry.com

July 20, 2020: An unsecured server exposed the sensitive data belonging to 60,000 customers of the family history search software company, Ancestry.com. The details leaked include email addresses, geolocation data, IP addresses, system user IDs, support messages and technical details.

Blackbaud

July 16, 2020: The actual data breach occurred on February 7, 2020 as a result of a ransomware attack; however, Blackbaud customers weren't alerted by the company until July 16, 2020. Credit card information, bank account information, and Social Security numbers were not stolen, according to the spokesperson. A ransom was paid to the cyber criminals to destroy the subset of data taken during the attack, but the amount of the ransom wasn't disclosed by Blackbaud.

Polk County

July 16, 2020: Over 450,000 residents of Polk County, Florida had their driver’s license numbers and Social Security numbers exposed after an employee at Polk County Tax Collector fell victim to a phishing attack.

Clubillion

July 7, 2020: Popular casino gambling app Clubillion has suffered a data leak, exposing the PII of millions of users around the world according to researchers at vpnMentor. While it was open to searchers, the Clubillion database was recording up to 200 million records a day, including users’ IP addresses, email addresses, amounts won, and private messages within the app. The majority of Clubillion’s daily users are from the United States.

Twitter

June 23, 2020: A security lapse at Twitter caused the account information of the social media company’s business users to be left exposed. The number of impacted business accounts has not been disclosed but its business users’ email addresses, phone numbers, and the last four digits of their credit card number were impacted.

BlueLeaks

June 22, 2020: More than 296 GB of data was leaked from US law enforcement agencies and fusion centers, and the files were posted online on a searchable portal titled BlueLeaks. The leaked data contains over one million files, such as scanned documents, videos, emails, and audio files, some of which included sensitive and personal information, such as names, bank account numbers, and phone numbers.

Cognizant

June 17, 2020: Cognizant, one of the largest IT managed services companies, announced its users’ information was accessed and stolen in a ransomware attack back in April 2020. The personal information involved in this incident included names, Social Security numbers, tax identification numbers, financial account information, driver’s licenses, and passport information.

Claire’s

June 15, 2020: The jewelry and accessories retailer Claire’s announced it was a victim of a Magecart attack, exposing the payment card information of an unknown number of customers. The retailer has 3,500 locations worldwide and e-commerce operations and claims the breach only affected online sales.

Amtrak

June 2, 2020: In a notification to its users, the passenger railroad service Amtrak announced an unknown third party accessed an undisclosed number of Amtrak Guest Rewards accounts. The company claims only usernames, passwords, and some personal information were exposed and no Social Security numbers or financial data were accessed.

Mathway

May 24, 2020: At least 25 million users of Mathway, a top-rated mobile app calculator, had their email addresses and passwords exposed to data thieves, and the leaked database was quickly found for sale on the dark web. The breached data also included “back-end system data,” which wasn't identified specifically, but is typically the type of data that runs behind the scenes on a server, powering the application for the end-user but not visible to the user.

Wishbone

May 20, 2020: Over 40 million users of the mobile app, Wishbone, had their personal information up for sale on the dark web. Usernames, emails, phone numbers, location information and hashed passwords were exposed in a data breach before being advertised in a hacking forum.

Home Chef

May 20, 2020: The information belonging to 8 million users of the home meal delivery service, Home Chef, was found for sale on the dark web after a data breach. The data found for sale includes names, email addresses, phone numbers, addresses, scrambled passwords, and last four digits of credit card numbers.

Magellan Health

May 13, 2020: Magellan Health, a Fortune 500 healthcare company, has sent a notice to its patients that it had fallen victim to a phishing scam and ransomware attack. The information held for ransom includes names, contact information, employee ID numbers, W-2 or 1099 information, including Social Security numbers or taxpayer identification numbers, as well as login credentials and passwords for employees.

U.S. Marshals

May 13, 2020: The personal information of 387,000 former and current inmates was accessed by a hacker who exploited a server vulnerability in a U.S. Marshals Service database. The information exposed includes names, dates of birth, Social Security numbers, and home addresses.

Fresenius Group

May 5, 2020: A reported ransomware attack on the Fresenius Group, a global healthcare company and one of the largest dialysis equipment providers in the U.S., impacted the company’s operations around the world. The organization claims its systems were affected by a computer virus, but a source confirmed the hacker held the healthcare company’s IT systems and data hostage in exchange for payment in bitcoin.


GoDaddy

May 4, 2020: The web hosting site, GoDaddy, announced to its users that an unauthorized third party was granted access to login credentials. The site is said to have 19 million users and possibly 24,000 users had their usernames and passwords exposed. The company has reset passwords to prevent further access.


Ambry Genetics

April 28, 2020: Ambry Genetics, a genetic testing laboratory based in the U.S., announced 233,000 medical patients had their personal and medical information accessed by a third party through an employee email. The unauthorized party accessed names, information related to customers’ use of the genetic laboratory’s services and medical information as well as the Social Security numbers of some of the victims.


Nintendo

April 27, 2020: A credential stuffing attack using previously exposed user IDs and passwords of the popular video game company Nintendo granted hackers access to over 160,000 player accounts. With unauthorized access to the accounts, the fraudsters may have purchased digital items using stored cards as well as viewed personal information including name, date of birth, gender, country/region and email address.


Paay

April 22, 2020: A card payments processor startup, Paay, left a database containing 2.5 million card transaction records accessible online without a password. The exposed payment transactions, belonging to 15 to 20 merchants, include full plaintext credit card numbers, expiry dates, and the amounts spent.


Facebook

April 21, 2020: More than 267 million Facebook profiles have been listed for sale on the Dark Web – all for $600. Reports link these profiles back to the data leak discovered in December, with additional PII attached, including email addresses. Researchers are still uncertain how this data was exposed originally, but have noted that 16.8 million of the Facebook profiles now include more data than originally exposed.


Beaumont Health

April 20, 2020: The personal and medical information of over 112,000 employees and patients of Beaumont Health was accessed by a malicious actor after compromising employee email accounts through a phishing attack. The information impacted includes names, birth dates, Social Security numbers, driver’s license numbers, medical condition data, and bank account data.


Quidd

April 14, 2020: A collection of 4 million login records belonging to the online marketplace Quidd was breached through a hack, then posted on a dark web forum for free. Once accessible, the usernames, email addresses, and hashed account passwords were shared among members of the forum. Although the passwords were hashed, cybercriminals are cracking the hashes and selling the data again.


Zoom

April 14, 2020: The credentials of over 500,000 Zoom teleconferencing accounts were found for sale on the dark web and hacker forums for as little as $0.02. Email addresses, passwords, personal meeting URLs, and host keys are said to have been collected through a credential stuffing attack.


San Francisco International Airport (SFO)

April 13, 2020: Two websites hosted by the San Francisco International Airport (SFO), SFOConnect.com and SFOConstruction.com, suffered a security incident in which hackers injected malicious code to collect users’ login credentials. The malware gained access to usernames and passwords used to log on to the impacted websites.


Key Ring

April 6, 2020: A digital wallet app, Key Ring, left stored customer data of 14 million users accessible in an unsecured database. The app allows its users to easily upload and store scans and photos of membership and loyalty cards to a digital folder on their mobile device. The exposed data includes names, full credit card details (including CVV numbers), email addresses, birth dates, addresses, membership ID numbers, retail club and loyalty card memberships, government IDs, gift cards, medical insurance cards, medical marijuana IDs, IP addresses and encrypted passwords.

 

For older data breaches please visit the IdentityForceBlog to see more.