Welcome to GearBrain's Weekly Data Breach Report, a collection of known breaches into company databases where someone you don't know got access to your personal information. The frequency at which these break-ins happen appears to be growing, so every week we'll update our report with fresh news on the latest hacks and links on where you can go if there's action to be taken — whether you're concerned about your privacy or not.This week we're looking at a phishing attack targeting college students, a mobile exploit that tunnels into a smartphone, strips it of personal details, and sends these off to a hacker, plus the latest hoop Equifax victims are being told they have jump through to get their $125 settlement.
- More than 15 percent of used drives sold on eBay still have personal data
- 5 ways to stay secure online
- Two-thirds of hotel websites found to leak personal guest data
Week of September 9, 2019: Cobalt Dickens
Universities are being targeted by a group trying to steal log-on credentials
Nope, not the name of Charles' brother — but instead it's a group of hackers who are luring users through 20 different domains to steal their information. Researchers think they're going to an online library, log in, and get their details taken. We're taking about phishing, and the group is hardly new to this behavior, having caught the eye of the US. Department of Justice in 2018 — and getting in trouble for it.
The phish starts with an email that looks like it's coming from their school, and telling them to re-up their library account. What to do? As usual — try very hard not to click on links in emails, even if you think you know where it's coming from.
A SIM card exploit can secretly track and steal details from smartphone
An exploit is taking advantage of a weakness in SIM cards, tracking phone owners, where they are, and also able to hijack calls. The way this works is people get an SMS message. How many have been affected? That doesn't appear to be clear — but the exploit has been around for two years.
One report believes this attack is actually coming from a private company, and could get into mobile phones in regions as wide ranging as Europe, the Middle East, West Africa and the Americas.
More Equifax steps
Equifax is not giving up that settlement money any time soon
Those who have already signed up to get their Equifax settlement — for $125 — are finding there are more steps they need to take. Reports show people who have registered are now receiving emails that they have to show they've had credit monitoring — and promise to have monitoring going for at least another six months in order to get the $125.
While, in some cases, people can get free credit monitoring if they've been the victim of a hack, or identity theft, these services can charge a monthly fee of anywhere from about $10 to $30. After six months, you'll have easily eaten through your $125.
This week, Facebook confirmed that the phone numbers of over 200 million users had been exposed on a database which was unencrypted and could have been accessed by anyone. The database, which is not believed to have been created by Facebook, paired phone numbers up with the User IDs of Facebook users, unique numbers assigned to each user.
It would have been relatively easy for someone viewing the database to discover someone's phone number. Some entries in the database also included the user's name, gender and the country they lived in, along with their user ID and phone number.
The exposed data comes more than a year after Facebook switched off a feature in April 2018, whereby users could be found by searching the social network with their phone number. Also this week, Facebook launched a dating website for US users, called Facebook Dating...
The exposed server included private and sensitive corporate emails
Also this week, it was discovered that industrial supplier DK-Lok had left private emails and communications exposed for all to see. Cybersecurity company vpnMentor revealed the existence of the database on Thursday, belonging to the South Korean company and containing emails between staff, clients, and some personal email too.
"Many of the emails were marked private & confidential, revealing highly sensitive information about DK-Lok operations, products, and client relations," vpnMentor said. The firm added it had made several attempts to contact DK-Lok about the leaking server, but received no reply - vpnMentor even pointed out how they could see their own emails on the server, proving their communications were getting through, but not being responded to.
vpnMentor said: "The most absurd part is that we not only know that they received an email from one journalist we work with, alerting them to the leak...but we know they trashed it."
Sensitive information exposed publicly included product prices and quotes, project bids, travel arrangements, private conversations, and discussions on suppliers, clients, projects and internal operations.
Yahoo breach claim forms available now - how to get yoursiStock
Yahoo announced this week that claim forma are now available for users looking to seek compensation from multiple data breaches which affected over three billion people between 2012 and 2016. There is a $117.5m pot of compensation cash, but the amount each claimant receives will depend on how many apply.
Readers believing they were affected by the data breaches must file a claim online or by mail by July 20, 2020, and they can find more information at www.YahooDataBreachSettlement.com.
Tesla Model STesla Model S all-electric luxury saloon car front view
The keyless system of a Tesla Model S has been hacked again, this time by researchers eager to show how vulnerable the key fob is — even with a patch that Tesla put in place.
Researchers from Belgium University found a bug, a work around, in the encryption again, wrote Wired, which reported the news. Tesla had built a new set of key fobs, from Pektron, after the same researchers showed they were able to hack the car in 2018.
This vulnerability, however, can be reportedly fixed with a software update — meaning Tesla owners just need to wait to get their key fobs secure again.
ImpervaDigital security concept
Imperva, a cybersecurity company that protects other firms' information, was itself the victim of a hack, they disclosed this week. The breach impacted customers who had accounts with Imperva through September 15, 2017, and included email addresses, hashed and salted passwords and for some, API keys and customer-provided SSL certificates.
Imperva only learned of this on August 20, 2019 — which means for nearly two years, that information was available. Of course any Imperva customer should contact the company, and also reset API keys among other steps, along with setting up two-factor authentication.
Capital One updateCapital One Bank ATM.
The Capital One hacker, still in custody, has been arraigned on two charges related to the breach of the credit card company
Paige A. Thompson, also known as "erratic," will be arraigned in Seattle on wire fraud, and computer fraud and abuse, as per a United States Department of Justice (DOJ) statement. The former software engineer is still in custody for hacking into Capital One's database, as well as "more than 30 other entities," said the DOJ.
Thompson is being charged with not only hacking in the data base, but also cryptojacking, which is using someone else's computer power to mine cryptocurrency, without their knowledge.
Week of August 19, 2019: MoviePass
MoviePass, the movie ticket subscription service, confirmed this week had become the victim of a data breach. The company said the breach may have left customer information - including user billing details - exposed online.
It was reported that tens of thousands of customers had had their data exposed by the breach, and a day after the initial report MoviePass issued a statement. The company said: "We are working diligently to investigate the scope of this incident and its potential impact on our subscribers."
The data was exposed by a leaking database first discovered by cybersecurity firm SpiderSilk. The server contained over 160 million records and was growing at the time of the discovery, but only a small amount of the data was sensitive user information. This data included the numbers of MasterCard-based debit card issued by MoviePass to its users. Other data exposed included billing information, names and postal addresses.
Arizona State University
Arizona State University told 4,000 students this week that their email addresses were "accidentally revealed" in late July, reports AZ Central. The inadvertent exposure of the email addresses has been described as a breach of federal health privacy law.
The email addresses weren't exposed via an unencrypted server which could be tricky to find. Instead, and somewhat worse, the university sent bulk emails to students about health insurance renewals, but failed to mask the identity of recipients, and some of the email addresses revealed show student names.
The university said it was able to delete over 2,500 of the messages, and more than 1,130 of them went unread by recipients.
Described as an "unintended action", the university said the incident was a breach of the Health Insurance Portability and Accountability Act.
Massachusetts General Hospital
It was announced by Massachusetts General Hospital on Thursday this week it has notified 9,900 people of a privacy breach. During the breach, the hospital believes a third party may have accessed data, including demographic and genetic information for study participants.
The third party is said to have accessed databases "related to two computer applications used by researchers in the Department of Neurology for specific Neurology research studies," the hospital said. The third party had unauthorized access to the databases between June 10 and June 16, 2019.
According to the hospital, accessed data may have included participants first and last names, plus certain demographic information like marital status, sex, race and ethnicity, along with their date of birth, dates of study visits and tests, medical record number, type of study and research study identification number, diagnosis and medical history, biomarkers and genetic information, types of assessments and results, "and other research information.
The hospital says it has hired a third-party forensic investigator and is in the process of notifying affected individuals. More information can be found on the hospital's website.
Week of August 12, 2019: Choice Hotels
Hundreds of thousands of records from Choice Hotels were stolen by hackers from names and addresses to email details and phone numbers. The records had been stored in a database that belonged to an outside party — not the hotel chain. Nevertheless, guests' information was not only hacked, but is now up for ransom for about $4,000 or .4 bitcoin, according to Comparitech, which worked with a security expert to find the original breach.
Anyone who stayed at the hotel chain should certainly change any passwords they have, but they should also be aware that with their phone numbers and email addresses now floating about they could be getting a bump in spam as well.
Suprema Biostar 2
Fingerprint, facial recognition data and passwords of users was discovered unsecured by researchers on the site of Suprema's Biostar 2 security platform. The large cache of data — 27.8 million records — may or may not have been hacked. But the fact that the database was publicly accessible is alarming since the platform is used to grant access to buildings in the U.S., Japan, UAE, India and the U.K. — including the UK Metropolitan police, reports The Guardian.
Fingerprints of more than one million people are just some of the biometric data in the cache — data which cannot be changed like a password. Researchers report that actual images of people's fingerprints were stored.
Supermarket chain Hy-Vee said that some credit card customers that used its fuel stations, drive-thru coffee shops and restaurants have been victims of a data breach. These include some Market Grilles, Market Grille Express and Wahlburgers locations that were inside the stores.
The chain does not know how many people were involved, but says it will notify customers. Keenly, people who frequent the chain should make sure they're checking credit card statements if they see anything that looks amiss.
Week of August 5, 2019: Monzo
Almost half a million Monzo customers were told this week to change their PIN, after the British challenger bank admitted it had been storing the numbers in an insecure database accessible by its workers.
It was announced that the PINs of 480,000 customers were in a file which could have been accessed by its employees for months. Monzo said in a blog post on Monday: "As soon as we discovered the bug, we immediately made changes to make sure the information wasn't accessible to anyone in Monzo...We've checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn't been used to commit fraud."
The incident affected less than a fifth of Monzo's UK customers, and it appears that no harm was done. However, it comes at an unfortunate time for Monzo, as the rapidly-growing bank prepares to open shop in the US, just as Apple launches its Card, which offers similar smartphone app-based features.
Air New Zealand
National carrier Air New Zealand warned over 100,000 of its Airpoints members this week that some of their data may have been compromised as part of a cyber attack. The customers were contacted by email on August 9.
In all, approximately 112,000 members of the airline's Airpoints membership programme were affected.
Air New Zealand said in a statement addressed to the affected members: "We're sorry to advise that some of your personal information may have been affected by a recent phishing incident relating to two Air New Zealand staff accounts...While your Airpoints account was not accessed, some information relating to your membership profile may have been visible in our internal documents should these documents have been accessed."
The airline said the amount of personal data exposed will vary from one member to another, but said it could include their Airpoints number, name and email address. It said passwords and credit card details were not affected.
Twitter disclosed more bugs this week relating to how it uses the personal data of its users to target advertisements at them. The social network admitted it may have shared user data with ad partners, even when users had opted out of this from happening.
Twitter said in a blog post: "We recently found issues where your settings choices may not have worked as intended." The company admitted that, if a user clicked or viewed an advert for a mobile app then interacted with the app since May 2018, it "may have shared certain data" with advertising partners, "even if you didn't give us permission to do so."
The certain data shared could include "country code, if you engaged with the ad and when, information about the ad, etc", Twitter said. It also admitted it may have showed users adverts based on inferences it made about the device you use, even if you did not give it permission to do so. The issues were fixed on August 5 2019, Twitter says, but because the incident began in May 2018 the company could find itself having to pay a hefty GDPR fine.
Week of July 29, 2019: Capital One
This week saw Capital One admit to a "data security incident" which occurred in March 2019, and said it may have impacted about 100 million people in the US, and six million in Canada.
Unusually at this stage of such an incident, the alleged hacker is known and already in custody. The stolen data included names, addresses, birth dates, credit ratings and more. The hacker is said to have worked alone and broke into Capital One's systems through a "configuration vulnerability" which was discovered by the company on July 17.
Credit card numbers and customer login details were not accessed, Capital One says. However it did say that the Social Security numbers of 140,000 US customers and one million in Canada were stolen.
It was claimed this week that 3.7 million customer records stolen from cosmetics company Sephora were discovered for sale on the dark web.
Singapore-based cybersecurity company Group-IB says it discovered two databases containing the customer records, and said they are "likely to be related" to Sephora. The leak dates back to February this year and was announced by Group-IB on August 1.
One of the databases listed for sale is said to contain 500,000 records including user names and hashed passwords from Sephora's Indonesia and Thailand websites. The second database, called "Sephora 2019/03 - Shopping - [3.2 million]", contains 3.2 million customer records stolen in March this year.
Sephora said details had indeed been leaked, and they affected online customers in Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong, Australia and New Zealand, reported Channel News Asia.
FTC warns Equifax compensation fund could run dry
Following the opening of a website allowing victims of the 2017 Equifax data breach to claim $125 in compensation, the Federal Trade Commission has warned there isn't enough money to go around.
The 147 million victims can opt for Equifax's own free credit monitoring service, or chose to take the $125, which is intended to pay for a credit monitoring service from elsewhere. But the FTC claims "million of people" have visited the website to claim their $125, and as a result the commission says the $31 million settlement fund isn't enough.
The FTC has warned that victims will get "nowhere near $125", and added in a blog post: "If you haven't submitted your claim yet, think about opting for the free credit monitoring instead. Frankly, the free credit monitoring is worth a lot more - the market value would be hundreds of dollars a year."
Pearson, a British education company, said this week that it has notified customers about a data breach which saw unauthorized access to about 13,000 school and university accounts.
Most of these accounts are held in the US, and the exposed data included first and last names, plus birth dates and email addresses in some cases.
The company said: "While we have no evidence that this information has been misused, we have notified the affected customers as a precaution."
Week of July 22, 2019: Lancaster University
Lancaster University, based in the U.K., has been hit with a data breach that hacked the school through two methods. One involves undergraduate applications for both 2019 and 2020, where names, addresses, telephone numbers and email addresses were breached. As a result, some were sent fake invoices, which the school is warning people to note.
A second attack also hit existing student records, with some of them — "a very small number," said the school — accessed and ID details as well. The school is contacting those students specifically if they've been involved.
The social media giant is also getting handed other requirements — like creating an independent privacy committee — but the fine, announced earlier this year, is seen by some as not hefty enough considering the impact on consumers.
Equifax has finally reached a settlement for the 2017 data breach that affected more than 147 million people — and it will be close to $700 million. While dwarfing the Facebook fine which is in the billions of dollars, $300 million of this settlement is meant to go back to people who were impacted by the breach.
Who has been impacted? Well, that's something consumers can actually discover on their own, by going to a specific web site, where they can also file a claim.
While there is a possibility of a flat cash payout for some — around $125 — Equifax is also agreeing to give people upwards of 10 years of free credit monitoring — which will not be through them but through Experion.
Higher payouts will be based on how impacted someone was by the breach. For example, if they had to spend time trying to clear up identity fraud issues, they can get $25 an hour back for up to 20 hours, plus out-of-pocket losses and up to 25 percent of the products they paid for before the breach — adding up to $20,000. That's going to not be the norm for most. But its worth checking out to see if you're eligible at all.
Week of July 15: Sprint
Sprint has sent a letter to those involved, but basically phone numbers, device, the device ID, billing details like account numbers, upgrade eligibility, account holder's names and billing address were involved. Sprint said it has "re-secured" the accounts as of June 25, 2019. But you know what we're going to say: Change. Your. Password.
Slack's was hit with a data breach in 2015 — and is just now changing the passwords of those users who may have been affected. Basically, about 1 percent of Slack accounts are involved, said the company, with Slack resetting the passwords on its end. Who is getting this forced change? Anyone who created an account before March 2015, anyone who did not change their own password since that time, and accounts that do not log on with a single sign-on.
If your account is getting a forced reset, you'll get instructions from Slack with details. You can also go to its help center.
Clinical Pathology Laboratories
So the American Medical Collection Agency (AMCA) hack has hit another company, this time Clinical Pathology Laboratories (CPL). Its patients may have had their names, addresses, phone numbers, birthdates, credit card or banking details and other information hacked.
CPL believes that about 2.2 million patients are involved — but only about 34,500 have had their credit card and banking information breached.
Week of July 8: British Airways hit with record fines
British Airways got served what's being called a "record fine" for the hack in 2018 that made off with about 500,000 customers data. The fine, for about $229 million (£183 pounds), is coming from the Information Commissioner's Office in the United Kingdom for the data breach that happened around June 2018.
Names, email addresses and credit card data — from numbers to CVV codes — were involved. The new fines are part of the General Data Protection Regulation, also known as GDPR, that went into effect in 2018.
Los Angeles hospitals exposed from contractor breach
A contractor for Nemadji Research Corporation got hit with a phishing hack, and may have exposed data of thousands of patients at Los Angeles hospitals. Data included names, medical records numbers, birthdates and other medical ID details.
About 14,600 patients and their data are involved, as the contractor which determines patient eligibility for reimbursement, works with the Los Angeles County Department of Health Services. Hospitals that fall under their purview include County-USC Medical Center in Boyle Heights and the Olive View-UCLA Medical Center in Sylmar, according to the Los Angeles Times.
K12.com left children's data unprotected for a week
A web site that serves up educational software left a database open and unprotected that includes nearly 7 million records with student data as specific as birthdate, names, age, school name and gender. All the information was left visible to public searches, according to Comparitech which discovered the breach.
The unsecured data had been visible since June 23, and closed only on July 1 and was specific to students using the A+nyWhere Learning System. Parents who believe their child was using these materials should look for phishing attempts any email address connected to this program, which is used by more than 1,100 school districts.
Week of July 1: Orvibo smart home data leak affects millions
Albeit a relatively quiet one for data breaches, this week saw Orvibo, a smart home systems and platform company, leave a database containing over two billion user records publicly exposed. The server, which did not have a password and could be accessed by anyone who knew its online location, contained the usernames, email addresses, passwords and precise locations of many of the company's two million users.
Worse still, the exposed data included account reset codes, so a hacker could easily have reset the account of a target, then log them out and take control. This would have given them access to sensitive smart home devices, like security cameras and alarm systems. vpnMentor made the leak public on July 1, having not heard from from Orvibo for two weeks after raising the alarm; the server was eventually secured on July 2.
Marriott hotel fined for data breach
The Marriott hotels group was this week fined almost $270,000 after a five-year security breach was discovered. The fine comes from Turkey's data protection authority, and is the punishment for an incident which saw cyber attackers seize data from nearly 500 million customers of Marriott's Starwood group hotels. The breach took place between 2014 and 2018, and the data stolen included customer birth dates, passport numbers, email addresses and credit card information.
The fine came as a result of discovering that, of the 383 million customer records exposed, 1.24 million were of Marriott customers living in Turkey.
Given the breach lasted four years, it was deemed that Marriott had not carried out any necessary inspections to detect such unauthorized access to private customer data.
Week of June 24: Dominion National finds old breach
A well-known dental and vision insurance firm, Dominion National, reported a data breach from nine years ago, accessing about data from about 95,000 people in Delaware — or about 10 percent of the state's population. Information that may have seen includes names, birth dates, Social Security numbers, Bank accounts, routing numbers as well as other Taxpayer identification information.
The Insurance Commissioner of the State of Delaware believes the hack may have happened around the date of August 25, 2010 — and is offering two free years of credit monitoring and fraud services.
Hackers hit Florida again
The Village of Key Biscayne in Florida announced they were victims of a data breach — the third city in several weeks in the state, reports the Associated Press. Last week, Riviera Beach, Fl. paid $600,000 to hackers, while Lake City, Fl. ponied up $460,000 on Tuesday to hackers too. The fees were paid as ransomware after hackers got into the city's systems and security networks.
Bitrue hacked for more than $4 million
Finally, hackers made off with more than $4 million from a cryptocurrency exchange called Bitrue on June 27, which informed people through its Twitter account. While not ideal, Bitrue is insured, and so anyone affected will not lose their funds. The theft was of two different crypto coins: XRP and ADA.
Week of June 17: AMCA files for bankruptcy protection after data breach
The American Medical Collection Agency (AMCA) filed for bankruptcy protection this week, in the wake of a large-scale data breach. As we reported earlier in June, blood testing companies Quest and LabCorp became victims of the AMCA breach, with millions of customers potentially having their personal data exposed. Other clients of AMCA include BioReference Laboratories Carecentrix, and Sunrise Laboratories. They all used AMCA's services to bill their customers.
The security failure has affected over 20 million Americans, according to ZDnet, after hackers stole customer names, Social Security numbers, addresses, birth dates, and payment card information. The data was later discovered being offered for sale on the dark web.
AMCA quickly became the target of multiple class-action lawsuits, blaming the data breach on a lack of adequate security measures being in place. The company then filed for bankruptcy protection in New York on June 17. AMCA had to pay out almost $4 million to inform seven million people by mail that their data may have been compromised. To cover this expense, plus $400,000 in cybersecurity forensic bills, AMCA took out a loan from its CEO and founder, Russell Fuchs.
Department for Human Services data breach impacts 645,000 people
Oregon's Department of Human Services this week admitted a data breach in January affected more than 645,000 Oregonians, almost double the original estimate. The compromised data included first and last names, postal addresses, Social Security numbers, case numbers and personal health information. Some of the protected health data is due special protection under federal health privacy laws, reports OregonLive.
The DHS said it will provide 12 months of identity theft monitoring and recovery services to anyone whose information was accessed during the breach; these services will be provided by specialist identity theft company MyIDCare.
Transgender children's charity apologizes after private email database appears online
Mermaids, a UK-based transgender support charity and lobby group, apologized this week after a report by The Sunday Times revealed that over 1,000 pages of confidential emails were freely accessible online. The data, which included the contents of emails from the parents of transgender children, also revealed email addresses, names and telephone numbers of those who had contacted the charity.
In a statement published to its website, Mermaids said it was grateful that thew newspaper had discovered the data leak, and it immediately took action to remove the sensitive material from public view.
The charity said: "The scope of the breach was that internal Mermaids emails from 2016 and 2017 in a private user group were available on the internet, if certain precise search-terms were used. Mermaids understands that the information could not be found unless the person searching for the information was already aware that the information could be found."
Those affected by the data breach has been contacted by Mermaids, and the charity has reported itself to the Charity Commission. An independent third party will be hired by Mermaids to report to the charity about its findings related to the breach.
Week of June 10 Evite: We’d like to invite you to a data breach
Evite, the online invitation site, is having to reach out to customers after a hacker tried to sell information from the site. The company says the data is from 2013 and earlier — not recent details. Still, Evite's been around since 1998: that's plenty for a hacker to syphon away.
What was taken? The usual: Names, emails, passwords, user names, phone numbers, snail mail addresses and also birthdates. Evite purportedly sent an email out to users warned them of the breach. As expected, the company is asking people to change their passwords if they use the same one on other sites and look at accounts and see if there's anything suspicious.
The breach was actually found in April thanks to ZDNet which reported that the hacker in question had told the site it been selling data from a number of companies including online fashion site Mode Operandi.
Besides changing your password, another option is to use an online tool like Password Checkup, launched through Google Chrome, which is designed to tell you of your password has appeared on a compromised list.
U.S. Customs and Border Protection: License plate and photo please
Images of faces and license plates taken at a specific point at the U.S. border have been breached through a cyberattack, the U.S. Customs and Border Protection (CBP) admitted this week. Currently, the department thinks just 100,000 people have been affected, which would include images taken of people in their cars as they crossed into the U.S.
CBP won't say where this border point was — or between which countries — although they did say that passports and other travel papers weren't affected. Faces, though, are a concern as facial recognition software is growing in use, a biometric marker used to identify people in a number of ways, including some security devices, smartphones and even at the upcoming Tokyo 2020 Olympic Summer Games.
A subcontractor for CBP is being blamed by the agency for moving the data to a its own company network. The data was collected during a month and half, and only in certain car lanes at the land border.
Radiohead: Someone Creep-ed on the band’s archived songs
This data breach didn't steal information from a lot of people — but it sure impacted millions. Hackers got 18 hours of old recordings from English band Radiohead, threatening to release them if the band didn't pony up $150,000.
The band turned the tables, posting the archived discs on its Bandcamp site, and letting people download and buy "the whole lot," as they said for just £18, with the money going to Extinction Rebellion, an international group known for its nonviolent protests and work in the conservation and environmental areas.
Fans are, as expected, supportive and thrilled. There are 18 discs, and it's 1.8 GB. So clear out some old photos, and enjoy or as the band said "until we all get bored and moved on."
Week of June 3rd: Quest blood testing warns of 12 million-customer data breach
One of the largest blood testing companies in the US, Quest Diagnostics, admitted this week that up to 12 million customers may have had their medical and financial data compromised.
Revealed in an 8-K filing with the Securities and Exchange Commission, Quest said that, at some point between August 1, 2018 and March 30, 2019, a billion collection vendor's data had been breached by an unauthorized person. Data included which could have been stolen include credit card numbers, bank account information, medical information, and other personal data such as Social Security numbers.
Quest reassured its patients that laboratory test results were not provided to AMCA, the compromised vendor.
The blood testing firm said in the SEC filing: "Quest Diagnostics takes this matter very seriously and is committed to the privacy and security of patients' personal, medical and financial information."
Just a day after Quest announced it may have been the victim of a data breach, rival LabCorp made a similar announcement. As with Quest, LabCorp lay the blame at its third-party billing collections vendor, American Medical Collection Agency, which notified the blood collection firm of hackers gaining access to its systems.
LabCorp said 7.7 million of its customers had their data stored on the hacked AMCA system. The data included full names, credit card and bank account numbers, birth dates, addresses, phone numbers, dates of service, health care provider information, and the amount owned by customers to LabCorp.
As with Quest, the company said it did not provide AMCA with information about tests and lab results, and AMCA said it did not store Social Security numbers. Of the millions of datasets on file, LabCorp believes the credit card or bank account information of about 200,000 customers may have been accessed, and it is notifying those people. The company will offer identify protection and credit-monitoring services for two years.
Australian National University
The Australian National University (ANU) announced this week it had been the victim of a data breach in which a "significant amount of student and staff information was stolen. The breach took place in late 2018 and the university estimates the data of some 200,000 people was unlawfully accessed.
In a statement, vice-chancellor Brian Schmidt said: "We believe there was unauthorized access to significant amounts of personal staff, student and visitor data extending back 19 years". The data included names, addresses, dates of birth, phone numbers, email addresses, emergency contact details, tax file numbers, payroll information, bank account details, passport details and even the academic records of students. Not affected, the university said, was academic research work.
A day later, it was reported by the Sydney Morning Herald that China may have been behind the attack, according to senior intelligence officials. It was reported how the intelligence community fears the data will be used to target promising young students in the hope they can be used as informants as they move through careers in government and even intelligence agency careers.
Pyramid Hotel Group
The week began with news that researchers from VPNMentor had discovered an unprotected database which contained security audit logs for hotels run by the Pyramid Hotel Group. This includes chains like Marriott's Aloft Hotels in Florida, and Tarrytown House Estate in New York. Pyramid also operates hotels owned by Sheraton and Westin, although it isn't known if these were affected.
The exposed data stretched back to April 19th and was mostly made up of server logins, internet addresses and firewalls, but also included the full names of hotel staff, along with details about hotel security policies.
It's unclear if the information on the exposed server was viewed by anyone, but it would have served as the perfect tutorial to break into hotel databases and access sensitive customer information.
Week of May 27th: Checkers Drive In
Checkers, one of the biggest chain of restaurants in the U.S., found out customers may have had their credit card details swiped when they ordered up a burger and fries at that or one of its Rally's locations. The breach affected people who used a magnetic stripe card at locations across 20 states, grabbing their card number, expiration date, name and the verification code.
Dates are random and span months, going back to December 2015 in some cases. (Rally's on MLK Blvd in Los Angeles — we're looking at you.) The company is asking people to review their credit card statements, and order a credit report. In the meantime, you can see if your card may have been involved — and if you're a Checker's regular, given how many locations got hit by the malware, the potential that you were is high.
Flipboard, the news app, has been hit by a data breach that involved user names, personal names, passwords and email addresses. The hack didn't affect every user, said the company which has been emailing some people. But those who were on the site between June 2, 2018 and March 23, 2019 as well as April 21 - 22, 2019 may have had their details scraped.
Those who connect Flipboard accounts to other third-party sites — social media, for example — may have had those security tokens accessed as well. Here's what Flipboard is doing: it's gone ahead and changed everyone's passwords for them. So if you log out, or log in from a new device, you're going to have to reset your password. You should also do that on any third-party service you use that's been linked to Flipboard. The company said it's also replaced — or even deleted — some of these tokens. You might want to consider not linking them together going forward.
Graphic designers take note: Canva, the tool which makes designing as simple as dragging and and dropping, is a victim of a data breach affecting more than 130 million customers. Usernames, passwords and email addresses are involved — although Canva said the passwords were encrypted and unreadable.
Of course by now you know the drill: If you're a regular user of Canva, you need change your password. User designs, as well as credit card details don't appear to be part of the hack. But checking your credit card statements is never a bad idea and backing up your work on another source wouldn't hurt either.
Week of May 20th - 49 million Instagram users have contact details exposed
This week, it emerged that the location and contact details — including phone numbers and email addresses — of 49 million Instagram users were exposed online. The data belonged to so-called influencers, who have a large following on Instagram and earn a living from the Facebook-owned image sharing site.
The database was traced to Chtrbox, a Mumbai-based marketing company which had stored the information on an Amazon server but failed to protect it with a password.
Chtrbox says the database was only exposed publicly for 72 hours, and has since been taken offline. It appears the contact details were gathered by 'scraping' them from the affected users' Instagram accounts, a practice which violates the social media site's policies.
Instagram says it is speaking with Chtrbox to understand how the data was obtained. The marketing company says it had not purchased any data that had been obtained by "unethical means."
Georgia Tech offers ID theft protection and credit monitoring to data breach victims
In the wake of a data breach which saw a database containing the personal details of 1.3 million people unlawfully accessed, Georgia Tech has offered credit monitoring and identification theft protection to everyone affected.
Georgia Tech disclosed in April that someone illegally accessed a database that may have included the names, addresses, birth dates and Social Security numbers of almost 1.3 million people, including past and present students, staff, and other people associated with the university.
Jim Fortner, Georgia Tech's interim executive vice president for administration and finance, said: "We regret that this incident occurred and apologized for any inconvenience."
Offering such services is standard procedure for when a database like this has been accessed, even if the target company or institution is unsure if any data was actually stolen.
Seattle blood bank announces loss of patient data
Bloodworks, a Seattle-based blood bank, announced this week that the private details of patients may have fallen into the wrong hands. But instead of being the victim of a cyberattack, or carelessly leaving sensitive data on an unencrypted server, Bloodworks says a document has gone missing from an employee's desk.
A statement admitted: "The document contained certain patient information, including name, date of birth, and medical diagnosis." Bloodworks describes the incident as a "data privacy event" on its website.
Thankfully, it said that no Social Security numbers or financial account information was held in the lost document. Bloodworks said it is now in the process of informing patients whose details appeared in the document, providing them with information on how to place a credit freeze against their name, or add a fraud alert to their credit file.
A phone line has been setup for anyone who thinks they may have been affected by this incident. The toll-free number is 1-800-363-3903 and is open Monday through Friday, between 8:00am and 5:00pm PST.
Shubert Organization admits February data breach, credit card details stolen
The Shubert Organization, owner of 17 Broadway theaters, admitted this week that it was the victim of a data breach which began on February 8 and lasted for three days.
Contacting affected customers by letter this week, Shubert said data potentially taken during the breach included customer names, email addresses, credit card numbers and card expiry dates. Affected customers are being offered 24 months of free credit monitoring through TransUnion Interactive to help protect them from further personal damage.
Shubert told its customers it become aware of "unusual activity related to an employee's email account" on February 11 this year, and a subsequent investigation revealed "unauthorized access to some employees' email accounts" during the previous three days.
The company told customers: "While the investigation was unable to confirm the scope of the information that was accessed within the affected email accounts, Shubert is notifying you in an abundance of caution because we have confirmed that your information was present in the affected email accounts."
Week of May 13th — Uniqlo's online site has been breached
Uniqlo, the Japanese clothing store known for their T-shirts and well-priced basics is involved in a data breach that hit its parent company, Fast Retailing. The breach involves more than 461,000 customers that shopped on the Uniqlo online site between April 23 and May 10. Hackers gained access to personal data, with Fast Retailing stating that names, addressees, gender, date of birth and other contact information — including credit card expiration dates — "may have been browsed," on its web site.
Customers should change their passwords if they've shopped with the firm — and Fast Retailing itself suggests that people should not use the same password from other sites, nor one that people can easily guess.
West Hartford Schools has a test registration problem
A company that registers students for tests such as those for advanced placement courses, may have been breached according to a story in the Hartford Courant. Parents received a note from the West Hartford school district telling them that names, grade level, emails, date of birth and other personal details about their children may have been breached by the company. Social Security numbers and credit card details were not involved.
If you use WhatsApp, you need to read this now
While data may not have been exposed from the security breach impacting messaging platform WhatsApp, that doesn't mean the danger isn't present. Hence the call from the company — to everyone of its 1.5 billion users — to update the app to ensure they have a patch for spyware called Pegasus.
The malware, while not thought to have affected the general user base of WhatsApp, attacks mobile devices like smartphones. How easy it is for the spyware to get on to the app? An attacker makes a WhatsApp call to someone — and even if the person doesn't pick up, the malware can harvest emails, messages, get into their camera and microphone and much more.
The attacker can also erase traces of the call, wiping logs clean so that the victim never knew the malware had infected their device, or been used against them. Use WhatsApp? Update the app people.
Week of May 6th - Data breeches are a ticking time bomb
Before we delve into this week's data breaches, we would like to draw your attention to a report published by Verizon. The report, built with data from over 41,000 security incidents and 2,013 data breaches provided by 74 public and private data sources spanning 86 countries, found that 69 percent of breaches are perpetrated by outsiders.
It was also revealed that 39 percent were the work of organized criminal groups, and in 23 percent of cases, data breaches involved actors identified as nation-state or state-affiliated. 53 percent of breaches featured hacking, 33 percent exploited social media, 28 percent involved malware, 21 percent were blamed on errors, and four percent were the result of physical actions.
The vast majority of victims — 43 percent - were small businesses, followed by public sector entities (16 percent), healthcare organizations (15 percent), and financial entities (10 percent).
Commenting on the report, Bryan Sartin, Verizon's head of global security services, told the BBC described data breaches as a "time bomb", adding: Compromises happen in minutes and then extend out to hours, days, weeks and sometimes months. Yet we are still looking at months for them to be discovered...When it comes to account takeover, senior executives are getting hit hard right now. Humans are the weakest link in the chain especially when they are on their mobile devices."
Freedom Mobile user data gets a little too much freedom
Freedom Mobile, Canada's fourth-largest cell network, has become victim to a data breach which saw a server leaking five million logs containing customer data. According to security researchers Noam Rotem and Ran Locar, the server wasn't protected with a password, so anyone could access it.
Speaking to TechCrunch, the pair said it took Freedom Mobile a week to secure the leaking database after first being informed about it. Unencrypted data presented by the security researchers showed customer names, email addresses, phone numbers, postal addresses, dates of birth, customer types and their Freedom mobile account numbers. Answers to credit check questions asked by Equifax were also included, along with whether an applicant was accepted or rejected, and the reason why.
A spokesperson for the cell network said around 15,000 of its 1.5 million customers were affected by the leaky server. Specifically, customers who opened or made changes to their accounts between March 25 and April 15 at 17 Freedom Mobile retail locations had their data set free, along with any customer who made changes or opened an account on April 16, regardless of retail location.
Indiana is suing Equifax over massive 2017 cyberattack
Indiana is suing Equifax over the 2017 data breach which affected over 140 million people, of which almost four million were from the US state. The lawsuit accuses Equifax, a major credit bureau, of failing to protect the personal information of the Indiana residents who were exposed by the breach.
Attorney general Curtis Hill said: "Hoosiers trust us to work hard every day to ensure their safety and security. This action against Equifax results from an extensive investigation, and we will continue our diligent efforts to protect consumers from illegal or irresponsible business."
Data stolen during the breach, which spanned from May 13 to July 30, 2017, included names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers.
Week of April 29th — Unknown data base is unprotected with 80 million accounts
Here, we have a security breach that is no one's fault — well, no one anyone can pin it on. The breach is online, and in the form of a database, and was discovered by VPNMentor — with 80 million households affected, the security firm said. There are names, addresses, birth dates and even if these people own home or not — oh, and the address of those homes as well. Everyone on there is over 40 (yes, that means if you're a Millennial you're safe.) VPNMentor can't even find out who owns the database, which means it can't be locked down. Fun.
Inmediata Health Group
If this is your health provider, your name, address, gender, date of birth and your medical claim information may have been compromised in a recent data security breach of Inmediata Health Corp. The health care provider is reaching out to patients — quite exhaustively as it turns out, reports Health IT Security, with people reporting they're getting letters, but for other people as well as themselves. Confusing.
After a hack in March 2017 of the clothing company Eddie Bauer, Veridian Credit Union filed a class-action lawsuit for its own customers. That suit ended in a settlement of a whopping $9.8 million. Don't start shopping for cars yet — or even a new Eddie Bauer jacket. Each customer, represented by the suit, is walking away with (wait for it) — $2. That's a large cup of java from your local deli, or a banana (and not the cappuccino) from Starbucks.
Week of April 22 - Bodybuilding.com urges password reset
Bodybuilding.com, the internet's largest online store and forum for fitness and bodybuilding admitted this week it was the victim of a security breach sometime in February 2019. The website, which has over seven million registered users on its forums, and receives over 30 million visitors per month, said it isn't sure if customer data has been stolen.
The site reassured users that full credit card numbers are not stored - only the last four digits, if a user has requested this be saved - but cannot be certain that other personal information wasn't stolen. But information that might have been accessed unlawfully includes user names, email addresses, billing and shipping addresses, phone numbers, order history, any communications with the website, birthdates, and any information added by users to their BodySpace profile.
Bodybuilding.com says it has found a remedy for the incident, and has coordinated with law enforcement authorities. Users are urged to change their password immediately, otherwise Bodybuilding.com will reset them on June 12. The cause of the breach appears to have been a phishing email sent to the site in July 2018.
EmCare, a provider of physician practice management services, this week announced it was addressing a "data security incident" that involved the personal information of some patients, employees and contractors. The hackers gained access to employee email accounts that contained the personal information of as many as 60,000 individuals, half of whom are patients.
The breach was discovered back on February 19, and EmCare has now admitted the unlawfully accessed data may include names and dates of birth, plus clinical information for some patients. In some instances, the company said, social security and driver's license numbers were affected. EmCare says it has arranged for identity protection and credit monitoring service for patients and employees affected by the breach.
Facebook (yet again)
Canadian regulators said tis week that Facebook has broken the country's privacy laws, and they will be taking the social network to court. Canadian officials say Facebook "committed serious contraventions of Canadian privacy laws" when the personal data belonging to over 87 million Facebook users worldwide was leaked as part of the Cambridge Analytica scandal on 2018. The data included that belonging to 622,000 Canadians.
A report by the Privacy Commissioner of Canada and the Information and Privacy Commissioner from British Columbia concluded Facebook has not done enough to prevent the mishandling of user data collected through a Facebook app called This is Your Digital Life. Commissioners said Facebook used "superficial and ineffective safeguards and consent mechanisms."
Later in the week, the New York attorney general's office announced it has opened an investigation into Facebook. This comes after a discovery earlier in April that Facebook had the email contacts belonging to over 1.5 million people without their consent.
Attorney General Letitia James said: "It is time Facebook is held accountable for how it handles consumers' personal information. Facebook has repeatedly demonstrated a lack of respect for consumers' information while at the same time profiting from mining that data."
Week of April 15 — The FBI gets hacked
Hackers hit the servers belonging to a group connected to the FBI — and not only walked away with names, jobs, email addresses and in some situations, the physical addresses, publishing them online. More than 23,000 people were affected in total, hundreds of them law enforcement people, after the hackers broke into the online database of three local chapters of the FBI National Academy Associates.
If you use Microsoft Outlook, this may not sit well. Hackers gained access to Outlook, allowing them to read user's emails for months. In this case, the data breach came after hackers stole the login details from a Microsoft customer service agent. Microsoft has cut off the hackers — but between January 1 and March 28, about 6 percent of customer accounts were basically open to them. Next steps? You know what we're going to tell you: Change your password.
IT firm Wipro is not a name that most of us would know as companies outsource their IT needs to this firm. But KrebsonSecurity reported this week that its own systems were used to attack clients, based on phishing attacks on Wipro's own people. (Hint: Do not click on emails from people you don't know.)
Week of Monday, April 8: Don't panic, but a hotel has probably mishandled your passport
This week, cybersecurity research firm Symantec revealed how the websites of over 1,500 hotels in more than 50 countries accidentally leak private customer information. The problem is to do with how the websites send customers an email, with a link which takes them directly to their booking details - no need for a username, password, or even an account with the site.
That would normally be fine, but the webpage contains adverts, which means advertisers and other companies could have direct access to customer details, including their name, postal address, email address, and passport number.
The report comes soon after Marriott International disclosed in November how it had exposed 500 million guest records, in one of the largest-ever data breaches. However, Symantec said Marriott was not included in its study of hotel websites.
Makers of an indoor gardening system AeroGarden, sought to nip bad news in the bud this week, contacting customers about a data breach which it discovered in early March. Customers were told how their credit card information had been lifted from AreoGrow's website by a piece of malware which was active between October 29, 2018 and March 4.
Planted in AeroGarden's payment processing page, the malware potentially scooped up payment card numbers, expiry dates, security codes and other customer data. The company was at pains to say customer's security PINs and social security numbers were not stolen.
In a bid to turn over a new leaf, AeroGarden says it has informed law enforcement and will give victims a year of free identity protection services from Experian.
Yahoo — now owned by Verizon — is this week trying to settle the breach of three billion of its user accounts with a $117.5 million payout. This comes after a judge rejected the company's first offer of just $50 million.
The breach, which took place between 2013 and 2016, affected all three billion Yahoo user accounts worldwide, making it the largest data breach in history. The compensation package is made up of $55 million for compensating victims who took yahoo to court via a class action lawsuit, plus $24 million for credit monitoring.
Information which may have been stolen during the breach, which wasn't disclosed by Yahoo until 2017, may have included users' names, email addresses, phone numbers, and dates of birth, as well as a trove of encrypted and unencrypted passwords.
British Home Office
Meanwhile, the UK Home Office apologized to hundreds of European Union nationals this week, seeking settled status in the UK, after it accidentally shared their email addresses — by forgetting to use the 'blind CC' option.
Blamed on a "administrative error," the data gaffe revealed 240 personal email addresses to all 240 people the email was sent to; it is likely that this was a breach of the UK's Data Protection Act, and the Home Office may be forced to apologize in Parliament.
Week of April 1, 2019: Planet Hollywood, hit Facebook (yeah, again)
It hardly seems news anymore when we hear about Facebook getting breached. But here we are — a year after the Cambridge Analytica scandal — finding that more than 540 million of its users profile information apparently landed on publicly — yes, publicly — on Amazon cloud servers, according to cybersecurity company UpGuard. Two different developers, Cultura Colectiva and the "At the Pool" app makers apparently hadn't followed the rules on how to store the data they had from Facebook on users who played with its apps. This one wasn't great (of course no breach is great) as it included passwords, names, comments and even what people liked. Again, it's likely time to change your Facebook password.
Georgia Institute of Technology, commonly known as Georgia Tech, also managed to lose possession of the data around 1.3 million students and faculty at the leafy university. The breach wasn't anywhere as big as Facebook's, but the details exposed were problematic: not just names, but addresses, birth dates and social security numbers. Basically, this is everything you need to open a credit line or create a new identity. The school, actually known for its cybersecurity program, found out in late March and says it has locked everything down.
UPDATE: On April 10, the university said it has hired two firms to review the lapse in cyber security. Virginia-based Mandiant will investigate how the breach took place and the method hackers used to gain access. Meanwhile, Atlanta-based Ankura will analyze the data which was taken.
Toyota discovered that up to 3.1 million pieces of information may have been nabbed by hackers who broke into its network. These details were tied to eight different subsidiaries – including the Corolla line and also its luxury line, Lexus. Credit card details weren't part of this hack, but that's often the least concern as those companies can't force consumers to be responsible for chargers made in situations like these. Toyota isn't completely sure that the information was leaked and the company says it's monitoring the situation. As you should too.
Planet Hollywood, Buca di Beppo and.....
Finally, if you ate at a Planet Hollywood, Buca di Beppo, Chicken Guy, Mixology, Tequila Taqueria or the Earl of Sandwich, part of Earl Enterprises, between May 23, 2018 and March 18, 2019, you may want to take a gander at your credit and debit card statements. Software installed on the point of sale machines may have grabbed your credit card number, expiration date and even our name. Brian Krebs, always on it, reported that two million credit and debit card numbers from customers who ate at Earl Enterprises were floating around for sale. The breach apparently may have hit three locations in Disney Springs — Planet Hollywood, Earl of Sandwich and Chicken Guy — and all of the Buca de Beppo spots. Get online, check your bank and credit card statements, and perhaps think of cooking in tonight at home.