Data Breach Weekly Security Report: Which company lost control of your information this week

The companies that gave up your personal details, even though you trusted them to keep everything secure


Welcome to GearBrain's Weekly Data Breach Report, a collection of known breaches into company databases where someone you don't know got access to your personal information. The frequency at which these break-ins happen appears to be growing, so every week we'll update our report with fresh news on the latest hacks and links on where you can go if there's action to be taken — whether you're concerned about your privacy or not.


Week of April 15 — The FBI gets hacked

A group that supports graduates of the FBI Academy got hacked, with names, email addresses and jobs breached

Hackers hit the servers of a group connected to the FBI, walked away with names, jobs, email addresses and, in some cases, physical addresses, and then published them online. More than 23,000 people were affected in total, hundreds of them law enforcement personnel, after the hackers broke into the online databases of three local chapters of the FBI National Academy Associates.

Microsoft

Microsoft Outlook was breached, with hackers getting access to 6 percent of customer accounts, including email

If you use Microsoft Outlook, this may not sit well. Hackers gained access to Outlook, allowing them to read users' emails for months. In this case, the data breach came after hackers stole the login details of a Microsoft customer service agent. Microsoft has cut off the hackers — but between January 1 and March 28, about 6 percent of customer accounts were basically open to them. Next steps? You know what we're going to tell you: Change your password.

Wipro

Wipro, an outsourcing firm based in India with U.S. clients, has reportedly been breached

IT firm Wipro is not a name most of us would know, since its customers are companies that outsource their IT needs to it rather than consumers. But KrebsOnSecurity reported this week that Wipro's own systems were used to attack its clients, after phishing attacks on Wipro's own staff. (Hint: Do not click on links in emails from people you don't know.)

Week of Monday, April 8: Don't panic, but a hotel has probably mishandled your passport

Hotel websites were found to be leaking customer data

This week, cybersecurity research firm Symantec revealed how the websites of over 1,500 hotels in more than 50 countries accidentally leak private customer information. The problem lies in how the websites send customers an email containing a link that takes them directly to their booking details: no username, password, or even an account with the site is needed.

That would normally be fine, but the webpage contains adverts, which means advertisers and other companies could have direct access to customer details, including their name, postal address, email address, and passport number.

The report comes soon after Marriott International disclosed in November how it had exposed 500 million guest records, in one of the largest-ever data breaches. However, Symantec said Marriott was not included in its study of hotel websites.

Candid Wueest, principal threat researcher at Symantec, said: "I found that two in three, or 67 percent, of these [1,500+ hotel websites] are inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies. All of them did have a privacy policy, but none of them mentioned this behavior explicitly."
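One way a hotel (or a curious guest) can check a booking page for this class of leak, as an added example that is not from the article or from Symantec's research. It assumes the leak happens through the Referer header a browser sends when the page loads third-party scripts and images, that an explicit Referrer-Policy is the control, and it uses a constructed page with placeholder hostnames.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample of a booking-details page reached straight from an emailed
# link (no login). Hostnames are placeholders, not any real hotel or ad network.
PAGE_URL = "https://hotel.example/booking?ref=ABC123&email=guest%40example.com"
PAGE_HTML = """<html><head>
<script src="https://ads.example-adnetwork.test/tag.js"></script>
<script src="https://analytics.example-metrics.test/a.js"></script>
</head><body>
<img src="https://hotel.example/img/logo.png">
<img src="https://cdn.example-thirdparty.test/pixel.gif">
</body></html>"""

# Policies that strip path and query from the Referer on cross-origin requests,
# so the booking reference in the URL never reaches the third party.
SAFE_POLICIES = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}

class _ResourceCollector(HTMLParser):
    # Collect URLs the browser fetches while rendering, plus any <meta name="referrer">.
    def __init__(self):
        super().__init__()
        self.resources, self.meta_referrer = [], ""

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])
        elif tag == "meta" and a.get("name", "").lower() == "referrer":
            self.meta_referrer = a.get("content", "")

def sensitive_query_keys(page_url):
    # Query parameters that identify the guest or booking and would ride in a Referer.
    keys = parse_qs(urlparse(page_url).query)
    return sorted(k for k in keys if re.search(r"ref|book|email|token", k, re.I))

def third_party_leak_report(page_url, html, response_headers=None):
    """Return (third-party hosts sent a Referer, sensitive keys in the URL, mitigated?)."""
    collector = _ResourceCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    hosts = sorted({urlparse(r).hostname for r in collector.resources
                    if urlparse(r).hostname and urlparse(r).hostname != page_host})
    headers = {k.lower(): v for k, v in (response_headers or {}).items()}
    # The HTTP header wins over the <meta> tag; then test against the safe set.
    policy = headers.get("referrer-policy", collector.meta_referrer).strip().lower()
    return hosts, sensitive_query_keys(page_url), policy in SAFE_POLICIES
```

Current browsers default to strict-origin-when-cross-origin, but an explicit policy (or keeping the booking reference out of the URL altogether) is the part the hotel controls.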

AeroGarden

The company found malware on the payment page of its website

The makers of the AeroGarden indoor gardening system sought to nip bad news in the bud this week, contacting customers about a data breach discovered in early March. Customers were told that their credit card information had been lifted from AeroGrow's website by a piece of malware which was active between October 29, 2018 and March 4.

Planted in AeroGarden's payment processing page, the malware potentially scooped up payment card numbers, expiry dates, security codes and other customer data. The company was at pains to say customers' security PINs and social security numbers were not stolen.

In a bid to turn over a new leaf, AeroGarden says it has informed law enforcement and will give victims a year of free identity protection services from Experian.

Yahoo

Yahoo's initial offer of $50 million was rejected by a judge


Yahoo — now owned by Verizon — is this week trying to settle the breach of three billion of its user accounts with a $117.5 million payout. This comes after a judge rejected the company's first offer of just $50 million.

The breach, which took place between 2013 and 2016, affected all three billion Yahoo user accounts worldwide, making it the largest data breach in history. The compensation package is made up of $55 million for compensating victims who took Yahoo to court via a class action lawsuit, plus $24 million for credit monitoring.

Information which may have been stolen during the breach, which wasn't disclosed by Yahoo until 2017, may have included users' names, email addresses, phone numbers, and dates of birth, as well as a trove of encrypted and unencrypted passwords.

British Home Office

Someone forgot to click the BCC button when sending the email


Meanwhile, the UK Home Office apologized to hundreds of European Union nationals this week, seeking settled status in the UK, after it accidentally shared their email addresses — by forgetting to use the 'blind CC' option.

Blamed on an "administrative error," the data gaffe revealed 240 personal email addresses to all 240 people the email was sent to; it is likely that this was a breach of the UK's Data Protection Act, and the Home Office may be forced to apologize in Parliament.

Week of April 1, 2019: Planet Hollywood hit, and Facebook (yeah, again)

Facebook got breached again, with 540 million user profiles apparently affected

It hardly seems news anymore when we hear about Facebook getting breached. But here we are — a year after the Cambridge Analytica scandal — finding that profile information on more than 540 million of its users apparently landed publicly — yes, publicly — on Amazon cloud servers, according to cybersecurity company UpGuard. Two different developers, Cultura Colectiva and the makers of the "At the Pool" app, apparently hadn't followed the rules on how to store the data they had from Facebook on users who played with their apps. This one wasn't great (of course no breach is great), as it included passwords, names, comments and even what people liked. Again, it's likely time to change your Facebook password.

Georgia Tech

Georgia Tech lost possession of the data on 1.3 million students and faculty members

Georgia Institute of Technology, commonly known as Georgia Tech, also managed to lose possession of data on around 1.3 million students and faculty at the leafy university. The breach wasn't anywhere near as big as Facebook's, but the details exposed were problematic: not just names, but addresses, birth dates and social security numbers. Basically, this is everything you need to open a credit line or create a new identity. The school, actually known for its cybersecurity program, found out in late March and says it has locked everything down.

UPDATE: On April 10, the university said it has hired two firms to review the lapse in cyber security. Virginia-based Mandiant will investigate how the breach took place and the method hackers used to gain access. Meanwhile, Atlanta-based Ankura will analyze the data which was taken.

Toyota

Toyota discovered that up to 3.1 million pieces of information may have been nabbed by hackers who broke into its network. These details were tied to eight different subsidiaries – including the Corolla line and also its luxury line, Lexus. Credit card details weren't part of this hack, but that's often the least concern, as card companies can't force consumers to be responsible for charges made in situations like these. Toyota isn't completely sure that the information was leaked, and the company says it's monitoring the situation. As you should too.

Planet Hollywood, Buca di Beppo and.....

Finally, if you ate at a Planet Hollywood, Buca di Beppo, Chicken Guy, Mixology, Tequila Taqueria or the Earl of Sandwich, part of Earl Enterprises, between May 23, 2018 and March 18, 2019, you may want to take a gander at your credit and debit card statements. Software installed on the point of sale machines may have grabbed your credit card number, expiration date and even your name. Brian Krebs, always on it, reported that two million credit and debit card numbers from customers who ate at Earl Enterprises restaurants were floating around for sale. The breach apparently may have hit three locations in Disney Springs — Planet Hollywood, Earl of Sandwich and Chicken Guy — and all of the Buca di Beppo spots. Get online, check your bank and credit card statements, and perhaps think of cooking in tonight at home.
