In the most recent episode of the Digital Identity Podcast, Carlos, Terry and Ben from the SelfKey R&D team discuss the merits of identity hubs, claims and verified credentials.
Data Breaches in 2019 – An Alarming Timeline
Your data is valuable and should belong to you. Nevertheless our online records are exposed on an almost daily basis, with potentially devastating consequences. This blog post aims to provide an up-to-date list of data breaches and hacks.
Your personal information is not safe online. Data breaches happen on an almost daily basis, exposing our email addresses, passwords, credit card numbers, social security numbers and other highly sensitive data.
Unfortunately, most people do not understand the gravity of the problem until it personally affects them through identity theft or other malicious activity. Unsurprisingly however, the rate of identity related crime is exploding, and a recent study claims that there is a new victim of identity theft every 2 seconds in the United States alone.
On top of that, Experian has published statistics showing that 31% of data breach victims later have their identity stolen. Keeping in mind that the number of records exposed through data breaches is so high, this is alarming news.
One important reason for the malaise is that data breaches have seemingly become an inevitable part of modern life. We have to register for online accounts in order to participate in a modern society, and have to swallow the fact that the centralized databases containing our information will sooner or later suffer a breach.
That is why SelfKey is working on an end-to-end self-sovereign identity management system which will do a much better job of protecting you from data breaches.
You can learn more about our solution here, but for now, let’s take a closer look at the damage.
State of the breach June 2019: AT LEAST 4 billion records, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed through data breaches in 2019.
Check out Have I Been Pwned to see if your accounts have been compromised by a data breach.
11 Million – Emuparadise, June 10, 2019
ZDNet has reported that 11 million user accounts of the popular gaming emulator Emuparadise were exposed after a recent data breach. The user passwords were stored as salted MD5 hashes, a form of encryption deemed unsafe since 2012, and were easily cracked. The full extent of the breach is still unknown, although ZDNet claims that passwords, email addresses, IP addresses and usernames are involved.
7.7 Million – Labcorp, June 4, 2019
Just a day after Quest Diagnostics announced its breach, another company dealing with highly sensitive medical records announced a major security incident. According to USA Today, Labcorp was also using the collections firm American Medical Collection Agency (AMCA), which experienced a supposed breach earlier this month. Specifics are hard to come by, but names, addresses, dates of birth, and balance information are likely among the compromised data.
11.9 Million – Quest Diagnostics, June 3, 2019
Quest Diagnostics, a clinical laboratory company, announced that an “unauthorized user” gained access to the medical records and social security numbers of up to 12 million customers. Information is still sparse, but it appears that AMCA, a billing vendor used by Quest, was exploited for the attack. All parties are working closely together to understand the full scope of the data breach.
Unknown – Checkers Restaurants, May 30, 2019
ZDNet reported that hackers breached the security systems of Checkers Restaurants and installed malware which infiltrated the restaurant chain’s point of sale software. As a result, the hackers managed to steal customers’ payment card number, cardholder name, expiration date and card verification code.
Hundreds of locations have been affected although the total number of impacted customers is still unknown.
Unknown – Flipboard, May 29, 2019
The popular news aggregation app Flipboard announced that it had detected unauthorized access to some of its databases between June 2, 2018 and March 23, 2019. It’s still unclear how many of the 145 million monthly users are affected, but names, email addresses and cryptographically protected passwords are among the exposed data.
139 Million – Canva, May 28, 2019
Marketingland reported that the leading graphic design tool Canva had experienced a cyber attack which affected up to 139 million users. According to the report, the attack targeted usernames, email addresses and passwords, although luckily credit card details were not compromised. Canva is particularly popular among entrepreneurs and online marketers from all over the world.
885 million – First American, May 25, 2019
Renowned cyber security experts Krebs on Security reported that Fortune 500 giant First American Financial Corp exposed customers’ bank account numbers, statements, mortgage as well as tax records through its faulty website. 885 million highly sensitive records were leaked to anyone who knew where to look, with the records going back to 2003.
49 Million – Chtrbox, May 20, 2019
An unsecured database seemingly belonging to Chtrbox, a Mumbai-based social media marketing firm, was discovered online. TechCrunch reports that the database contained more than 49 million records comprising bio info, email address, phone number, and profile picture of millions of Instagram users.
1.5 Million – Freedom Mobile, May 9, 2019
The VPN Mentor research team discovered a data breach which exposed the personal information of 1.5 million Freedom Mobile users. Worryingly, the data included credit card numbers and CVV numbers, meaning that significant financial damage will likely be incurred as a result.
1.6 Million – AMC Networks, May 1, 2019
Renowned security expert Bob Diachenko discovered a publicly available MongoDB instance exposing the data of 1.6 million AMC network subscribers. The subscriber information contained names, emails, subscription plan details and more personally identifiable information. This is another alarming example of failure to meet the very lowest security standards.
Unknown – Atlanta Hawks, April 23, 2019
Struggling Basketball teams are just as vulnerable to data breaches as governments, businesses and Universities. On April 23, CNet reported that the Atlanta Hawks eCommerce store had been infected with malware designed to steal the payment information of customers. Expert Willem De Groot identified the notorious hacking group Magecart as the culprit and the Atlanta Hawks are still investigating the full extent of the hack.
The SelfKey Identity Wallet is a free identity solution for Windows, Linux and Mac. Get yours today!
9 Million – Bodybuilding.com, April 22, 2019
One of the biggest service providers in the fitness industry, bodybuilding.com, suffered a serious hacking attack potentially impacting its 9 million users. According to Forbes, a sophisticated phishing attack had allowed hackers to gain access to the highly sensitive data including billing addresses, names, email addresses and birth dates.
Unknown – Microsoft Email Services, April 15, 2019
Popular email services msn.com, hotmail.com and outlook.com were affected by a significant data breach according to TechCrunch. The vulnerability seemingly existed between January 1st and March 28 2019, and allowed hackers to access email accounts.
540 Million – Facebook, April 2, 2019
Mark Zuckerberg was in the news for all the wrong reasons in April 2019. The (so far) newest addition to the litany of blunders involved exposing the personal records of over 540 million Facebook users. According to TechCrunch, cybersecurity experts found the data on an unsecured, publicly accessible database.
1.3 Million – Georgia Tech, April 2, 2019
Universities are just as likely to get hacked as a business or government organization. On April 2nd, a host of highly sensitive personal information managed by Georgia Tech was accessed by a hacker. The information of 1.3 million faculty members, students and employees was affected according to patch.com. Social Security Numbers, birth days, names and addresses were breached.
980 Million – Verifications.io, March 29, 2019
Towards the end of March 2019, cybersecurity expert Bob Diachenko found an unsecured database containing 982 million email addresses along with names, genders, employers and home addresses. The server was unsecured and available to anyone who knew were to look. Upon notification verifications.io, the company seemingly behind the database, shut down its website and ostensibly ceased to operate.
2 Million – Earl Enterprises, March 29, 2019
The credit card information of more than 2 million customers of Earl Enterprises was stolen and later sold according to krebsonsecurity.com. Criminals managed to install sophisticated malware on the company’s point of sale software, allowing them to syphon off the highly sensitive payment information.
1.8 Million – Federal Emergency Management Agency, March 22, 2019
Data breaches are particularly harmful when they affect vulnerable people. In March 2019, the Washington Post reported that 1.8 million disaster survivors had their banking information plus their home addresses accidentally shared with contractors. These people had primarily sought shelter after wildfires and hurricanes.
2 Million – Oregon Department of Human Services, March 21, 2019
Government organizations are just as likely to suffer data breaches as hospitals, businesses and two person startups. On March 21st, the Oregon Department of Human Services announced that poorly trained employees had fallen for a phishing attack, comprising highly sensitive personal information of roughly 1.6 million people. This includes emails, addresses, names and much more.
600 Million – Facebook, March 21, 2019
Facebook has a long history of privacy abuses and data scandals. At the end of March 2019, the social media giant admitted that it had failed to secure the passwords of 600 million users since around 2012. Thousands of Facebook employees had access to the millions of unsecured records, which were stored in a plain text file.
1.5 Million – Gearbest, March 14, 2019
In March, the VPN Monitor research team reported that Gearbest, a highly successful Chinese eCommerce company, had a completely unsecured database. The VPN Monitor team managed to access a database containing 1.5 million records. Alarmingly, the information contained payment information, billing address, order history and much more highly sensitive information.
2.4 Million – Dow Jones, March 1, 2019
One of the most significant data breaches ever occurred on March 1st, when more than 2 million identity records including government officials and politicians was leaked online. According to reports from Zdnet, the information was stored, alarmingly, on a publicly accessible database.
1 Million – UW Medicine, February 20, 2019
February 20th was a particularly bad day for the personal data of medical patients as both Advent and UW Medicine reported significant data breaches. In the case of the UW Medicine data breach, nearly 1 million people were affected by a simple bug: A problem with the platforms server indexed highly sensitive data on search engine’s, meaning that patient’s financial history, passwords, social security and more were available with a simple Google search.
42,000 – Advent Health, February 20, 2019
Data breaches affecting medical records are particularly hazardous. In February, the Advent Health Medical Group notified its members of a 16-month long data breach exposing medical histories, social security numbers and a host of highly sensitive information. According to reports, 42,000 individuals were affected.
14.8 Million – 500px, February 15, 2019
The popular photo sharing site 500px was hacked, exposing the data of 14.8 million users. Information such as names, usernames, emails, locations, gender, and birth dates were revealed. The website notified its users and forced a password reset, although the hack happened in July 2018 and they weren’t aware of it until February 2019.
6 Million – Coffee Meets Bagel, February 14, 2019
In a case of ironically poor timing, the dating app Coffee Meets Bagel announced a data breach just in time for Valentine’s Day. While only names and emails of users were exposed, the breach impacted approximated 6 million people.
Unknown – Dunkin’ Donuts, February 12, 2019
Dunkin’ Donuts announced a data breach for the second time in three months, affecting DD Perks rewards members. Hackers used credential stuffing attacks to gain access to customer accounts, then sold them on the Dark Web for profit. The first of these attacks happened at the end of November, and although the company didn’t say how many customers had been affected, there are currently 10 million DD Perks members.
24,000 – EyeSouth Partners, February 6, 2019
An unauthorized third party gained access to an employee email account of Georgia-based EyeSouth Partners. Over 24,000 patients had their data compromised, such as names, health insurance information, and account balance information.
Unknown – Huddle House, February 4, 2019
The US-based casual dining and fast food restaurant chain, Huddle House had their point of sale system compromised, giving hackers the ability to install malware to steal the payment information of customers between August 2017 and February 2019. How much damage was done is still unclear as Huddle House is continuing their investigation.
20,000 – Catawba Valley Medical Center, February 4, 2019
Phishing scams seems to be a popular and effective cyberattack in the medical industry, as three employee email accounts at Catawba Valley Medical Center were hacked by one in the summer months of 2018. An estimated 20,000 patients of the North Carolina-based medical facility had their names, birth dates, social security numbers, and personal health information exposed in the attack.
Unknown – Houzz, January 31, 2019
To finish off January, the popular home improvement website Houzz announced a data breach affecting users of their platform. While Houzz did not disclose how many people were affected by the breach, the site has approximately 40 million users. The company stated that public profile information such as names, locations, usernames, and hashed passwords were taken by an unauthorized third party.
23,000 – Critical Care, Pulmonary & Sleep Associates, January 31, 2019
Employees of the Critical Care, Pulmonary & Sleep Associates (CCPSA) fell for a phishing attack that led to approximately 23,000 patients having their data breached. The Colorado-based healthcare facility realized that the hacker had access to names, dates of birth, addresses, medical information, social security numbers, and driver’s licenses for three months
100,000 – Alaska Department of Health & Social Services, January 23, 2019
Alaska’s Division of Public Assistance was the target of a cyberattack that exposed data of at least 100,000 people. It is still unknown who the attacker was, but they were able to access the names, birth dates, addresses, social security numbers, health information, and income of people who had applied for government programs.
24 Million – Ascension, January 23, 2019
The data analytics company Ascension, based in Fort-Worth, Texas, left more than 24 million mortgage and banking documents unprotected in an online database for at least two weeks. According to a report from TechCrunch, the documents included people’s names, addresses, dates of birth, social security numbers, and financial information.
108 Million – Various Online Betting Sites, January 23, 2019
Four different online betting sites stored data on Elasticsearch cloud storage without securing it. Approximately 108 million records were breached including names, addresses, emails, phone numbers, usernames, birth dates, IP addresses, account balances, games played, and win and loss information. If you’ve placed bets via kahunacasino.com, azur-casino.com, easybet.com, or viproomcasino.net, your information was likely exposed.
12,000 – Graeters Ice Cream, January 22, 2019
The Cincinnati-based purveyor of sweets, Graeter’s Ice Cream notified approximately 12,000 online customers that their data had been compromised. Malicious code was discovered on the company’s checkout page which captured customer data such as customer credit card details, names, addresses, phone numbers, and fax numbers.
20,000 – BlackRock Inc., January 22, 2019
The world’s largest asset manager, BlackRock, accidentally leaked the information of as many as 20,000 financial advisors. The company had posted confidential spreadsheets which contained information related to the advisors who work with BlackRock’s iShares unit. The names, emails, and assets managed by advisors were amongst the information that was exposed.
773 Million – Collection #1, January 17, 2019
On the same day, security researcher Troy Hunt discovered a massive database of leaked data on a cloud storage site called MEGA. The database contained over 773 million emails and 22 million passwords, amalgamated from thousands of different data breaches dating back to 2008. The information was also shared on a popular hacking forum, so it is unknown who exactly accessed the data. Needless to say, it doesn’t look good. If you are worried that your credentials have been compromised, you can check on Have I Been Pwned?
Unknown – Oklahoma Department of Securities, January 17, 2019
The Oklahoma Department of Securities (ODS) left millions of government files exposed and unprotected on an open server belonging to the agency. Amongst the exposed files were records pertinent to FBI investigations. The oldest records that were exposed dated back to 1986, and range from personal data to login credentials and internal communications records. The ODS is currently investigating how many records were exposed, who may have accessed them and the potential damage this data breach may have caused.
Unknown – Fortnite, January 16, 2019
The popular online video game Fortnite was found to have exposed players to being hacked. A security firm called Check Point discovered the vulnerabilities in the game and alerted Fortnite to the threat. The vulnerabilities could have allowed malicious actors to take over the account of any player, view their personal information, purchase V-bucks (the in-game currency), and listen in to game chatter. While it is unknown just how many users were affected, Fortnite has 200 million users worldwide of which 80 million are active each month.
31,000 – Managed Health Services of Indiana, January 11, 2019
A phishing attack on the Managed Health Services of Indiana (MHS) exposed the health information of more than 31,000 patients in 2018 and was not discovered until January. The compromised data included names, insurance ID numbers, dates of birth, addresses, and medical conditions. While the MHS says there has been no evidence that the data has been misused, patients were obviously upset.
Unknown – OXO, January 10, 2019
The New York-based manufacturer, OXO discovered that they had been hacked in two separate incidents over the past two years. Both hacks exposed customer information entered on their website. OXO found unauthorized code on their website which collected customer names, addresses, and credit card information. The company has declined to announce the number of customers who were affected by the breach.
Unknown – BenefitMall, January 7, 2019
BenefitMall, a US provider of HR, payroll, and employer services, announced a data breach that occurred after an email phishing attack compromised employee login credentials. The exact extent of this breach is unknown as the company has not released the exact number of records that were affected by the attack. That being said, the stolen information could include customer information such as names, social security numbers, addresses, bank account numbers, dates of birth, and information about their insurance premiums.
Unknown – DiscountMugs.com, January 4, 2019
A major online retailer of custom mugs and apparel, DiscountMugs.com was hacked over a four-month period during the latter half of 2018. Although the company did not disclose how many customers were affected by the breach, it is believed to be upwards of several thousand. A malicious card skimming code had been placed in the company’s payment section of their website and hackers were able to steal full card payment details, names, emails, phone numbers, and addresses.
7.6 Million – BlankMediaGames, January 3, 2019
In almost no time at all, the next great data breach occurred the day after Blur announced their breach. This time, the information of 7.6 million gamers had been stolen during a hack of the game Town of Salem by BlankMediaGames (BMG). According to BMGs announcement, the server had been compromised and emails, usernames, IP addresses, in-game purchases, and in-game activity had been exposed.
2.4 Million – Blur, January 2, 2019
It didn’t take long for the first major breach announcement of 2019. Blur announced a breach after an unsecured server exposed a file containing 2.4 million user names, email addresses, password hints, IP addresses, and encrypted passwords. The password management company urged their users to change their Blur login credentials and enable two-factor authentication.