Data Breaches: As Certain as Death and Taxes

Data breach - as certain as death and taxes.jpg

Most of us are familiar with the famous quotation by Benjamin Franklin...

“In this world nothing can be said to be certain, except death and taxes.”

That might have been true in the Founding Father's time, but in today's digital age there is a new certainty…

… Data breaches!

So far this year, we have witnessed a growing list of data breaches that have caused havoc around the world. But while the newspapers have reported mostly on breaches involving financial data, many cyber-crime groups are now targeting the low-hanging fruit, like healthcare and social services. Alarmingly, 2019 has seen multiple data breaches claim victims within the healthcare sector.

Recent history has shown us that the biggest consequence of most data breaches is identity theft.

Hackers only need a few pieces of personal information, such as date of birth, social security number and residential address, to exploit your information for the purpose of obtaining loans and credit cards, or to use your data for more sophisticated phishing attacks.

Moreover, data thieves can also access the online accounts they have hacked, and collect private messages and images. The only limitations to what these criminals can do with your personal data is their technical and creative skills, plus a big dose of audacity.

As a consequence, the more prudent among us do whatever we can to keep ourselves safe, while keeping in mind that if our data is out there in cyberspace, it's also highly likely that somewhere out there a hacker is attempting to get his filthy hands or our data.

2019 is on track to being the worst year on record for data breaches.

2019 is on track to being the worst year on record for data breaches.

Let's rewind to the start of 2019. It certainly didn't take long for the first data breach of the year to hit the headlines.

On January 2, 2019, Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, announced a major data breach that compromised the personal data of almost 2.4 million Blur users. The hackers gained access to an unsecured server and exposed a file containing 2.4 million user names, email addresses, password hints, IP addresses, and encrypted passwords.

2019 is clearly shaping up to be a landmark year for data breaches. At the time of writing this article, it has seen more than 3,800 breaches - a 50 percent + increase over the last four years, according to a report published by Risk Based Security in August.

We’ve selected 3 examples of the worst data breach incidents for each month so far this year.

January 16, 2019: Fortnight

A flaw within the online video game Fortnite exposed players to being hacked. According to the security firm Check Point, who discovered the vulnerabilities, a threat actor could take over the account of any game player, view their personal account information, purchase V-bucks (in-game currency), and eavesdrop on game chatter. Fortnite has 200 million users worldwide, 80 million of whom are active each month.

January 23, 2019: Online Betting Sites

Three online betting sites copied data containing 108 million records to Elasticsearch cloud storage without securing it. If you’ve placed bets via kahunacasino.com, azur-casino.com, easybet.com, or viproomcasino.net your information was likely exposed, including: names, addresses, phone numbers, email addresses, birth dates, usernames, account balances, IP addresses, browser and OS details, games played, and win and loss information.

January 23, 2019: Alaska Department of Health & Social Services

A cyberattack targeting Alaska’s Division of Public Assistance has exposed data on at least 100,000 people. The attacker was able to access the names, Social Security numbers, dates of birth, addresses, health information, and income of people who applied for government programs.

February 15, 2019: T500px

The accounts of 14.8 million users of 500px have been hacked, revealing full names, usernames, email addresses, birth dates, locations, and gender. The photo sharing website has notified its users and is forcing a password reset.

February 20, 2019: Coinmama

The usernames and hashed passwords of 450,000 users of Coinmama were recently posted on a dark web registry. The cryptocurrency broker has notified its customers and has encouraged all users to change their passwords.

Data breach - exploit attack.jpg

March 1, 2019: Dow Jones

A database containing 2,418,862 identity records on government officials and politicians from every country in the world was leaked online from a Dow Jones watchlist. The watchlist is compiled from publicly available information on prominent individuals who have the ability to embezzle money, accept bribes, or launder funds.

March 20, 2019: Zoll Medical

The personal information of 277,319 patients has been exposed by a Zoll Medical data breach. The medical device manufacturer headquartered in Chelmsford, MA announced that data from emails was leaked during a server migration, including names, addresses, dates of birth, and medical information. Some patients also has their SSN exposed.

March 22, 2019: Federal Emergency Management Agency (FEMA)

Survivors who sought shelter assistance after hurricanes Maria and Irma, as well as California wildfires, have had their PII exposed in a FEMA privacy incident. About 2.5 million disaster victims had information like names and addresses, bank account information and birth dates shared with a contractor, leaving them unprotected.

April 2, 2019: Facebook

Two third-party applications which hold Facebook datasets were left exposed to the public online. Over 540 million records, including account names, Facebook ID, and user activity were exposed through Cultura Colectiva. The second application, At the Pool, disclosed passwords along with information regarding photos, events, groups, check-ins and more.

April 15, 2019: City of Tallahassee

Nearly $500,000 of the city of Tallahassee employees’ payroll was stolen by hackers who redirected direct deposits into an unauthorized account. City officials responsible for investigating the incident suspect the cyberattack came from a foreign nation.

April 19, 2019: Steps to Recovery

Patients seeking treatment for drug and alcohol abuse have had their sensitive personal information exposed in a data breach of several addiction rehabilitation centers. The data was discovered unprotected by security researcher, Justin Paine. Approximately 145,000 patients have been impacted.

Data breach - broken access controls.jpg

May 3, 2019: AMC Networks

The personal information of 1.6 million subscribers of AMC Network’s premium streaming video platforms, Sundance Now and Shudder, were disclosed after the company’s database was left accessible to the public. The breach included names, email addresses, details about subscription plans and last four digits of credit cards. The exposed database also encompassed video analytics data gathered by Youbora, adding 441,943 exposed records including user IP addresses, country, city, state, ZIP code, and location coordinates.

May 14, 2019: WhatsApp

Facebook is facing another data privacy scandal after a WhatsApp data breach. The messaging app, which has over 1.5 billion users worldwide, experienced a security flaw that left people vulnerable to spyware designed by the NSO Group, an Israeli government surveillance agency. Those affected would have been able to be spied on through their phone’s microphone and camera, WhatsApp messages and connected apps.

May 20, 2019: Instagram

More than 49 million Instagram influencers, celebrities, and brands have had their private contact information exposed after an India-based social media marketing company left the data unprotected on an Amazon Web Services database. TechCrunch reported that the bio, profile photo, location, verification status, email address and phone number of high-profile accounts were exposed.

June 6, 2019: Opko Health

Another healthcare-related company has been impacted by the hack of American Medical Collection Agency (AMCA), which compromised Quest Diagnostics and LabCorp. Opko Health announced a data breach affecting 422,600 customers. Credit card and bank account information, email addresses, addresses, phone numbers, and balance information were exposed.

June 11, 2019: Evite

More than 100 million users of online event planning service company, Evite, have had their information put up for sale on the dark web. A hacker who goes by the name Gnosticplayers released user names, email addresses, IP addresses, and cleartext passwords. In some cases, dates of birth, phone numbers, and postal addresses were also included.

June 12, 2019: Evernote

A security vulnerability within Evernote’s Web Clipper Chrome extension gave hackers access to the online data of its 4.6 million users. Authentication, financials, private communications, and more could have been accessed by malicious actors by exploiting a flaw in the Evernote code. The company has since corrected the issue, but it’s unclear how long user data may have been compromised.

Data breach - Malware attack.jpg

July 10, 2019: Los Angeles County Department of Health Services

A contractor for the Los Angeles County Department of Health Services fell victim to a phishing attack, exposing the personal information of 14,600 patients, including names, addresses, patient information, and social security numbers.

July 17, 2019: Clinical Pathology Laboratories (CPL)

Another clinical lab reported personal information of their patients were compromised following the previously-reported AMCA data breach, shortly after the Quest Diagnostics, LapCorp, and Opko Health data breaches. Clinical Pathology Laboratories (CPL) disclosed 2.2 million patients had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information exposed and an additional 34,500 patients had credit card or banking information affected.

July 29, 2019: Los Angeles Personnel Department

A hacker has stolen personal information of about 20,000 Los Angeles Police Department officers, recruits, and applicants from the Los Angeles Personnel Department Candidate Application Program. The compromised data included names, birth dates, partial social security numbers, email addresses, and applicant account passwords.

August 5, 2019: Poshmark

The online marketplace, Poshmark, announced in a blog post that a hacker gained access the names, usernames, genders, city data, email addresses, size preferences and scrambled passwords of its users. Poshmark has over 50 million users but has not confirmed how many where affected by the breach.

August 14, 2019: Hy-Vee

Hy-Vee reported a security breach of its point-of-sale (PoS) system, impacting consumers who made purchases at Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Express, and Wahlburgers.) The company says the hackers did not access the separate PoS systems that run their grocery stores, drugstores, or convenience stores. Nine days later, KrebsonSecurity discovered 5.3 million stolen credit and debit card accounts linked to the Hy-Vee breach were up for sale on the Dark Web under the name “Solar Energy” Breach.

August 21, 2019: MoviePass

Personal and credit card information of 58,000 subscribers to movie ticket subscription service, MoviePass, were left unsecured on a server that was not password protected. MoviePass customers are issued cards that function like debit cards. Names, addresses, MoviePass debit card number, card expiration date, card balance and activation date were impacted in this breach.

Data breach - phishing attack.jpg

September 5, 2019: Facebook

An unprotected server containing over 419 million records of Facebook users was discovered, giving hackers access Facebook user’s unique ID and phone numbers. In some cases, user’s names, genders, and locations were also included.

September 16, 2019: Dealer Leader, LLC.

The personal information of 198 million prospective car buyers was left exposed in an unsecured database belonging to Dealer Leader, a digital marketing company for car dealerships. The information exposed included names, email addresses, phone numbers, home addresses and IP addresses.

September 30, 2019: Zynga

Over 218 million players of the popular mobile games Draw Something and Words With Friends, created by mobile game maker Zynga, have their account information accessed by hacker, Gnosticplayers. The hacker accessed a database that included data from Android and iOS players, including names, email addresses, login IDs, hashed passwords, phone numbers, Facebook IDs and Zynga account IDs.

Sources: Risk Based Security (Report), Identity Force