Clock 15 MINUTES

All Data Breaches in 2019 – An Alarming Timeline

Your data is valuable and should belong to you. Nevertheless our online records are exposed on an almost daily basis, with potentially devastating consequences. This blog post aims to provide an up-to-date list of data breaches and hacks.

12 Jun
2019
SelfKey
Identity Wallet
data breaches in 2019
key-icon

Your personal information is not safe online. Data breaches happen on an almost daily basis, exposing our email addresses, passwords, credit card numbers, social security numbers and other highly sensitive data.

Unfortunately, most people do not understand the gravity of the problem until it personally affects them through identity theft or other malicious activity. Unsurprisingly however, the rate of identity related crime is exploding, and a recent study claims that there is a new victim of identity theft every 2 seconds in the United States alone.

On top of that, Experian has published statistics showing that 31% of data breach victims later have their identity stolen. Keeping in mind that the number of records exposed through data breaches is so high, this is alarming news.

One important reason for the malaise is that data breaches have seemingly become an inevitable part of modern life. We have to register for online accounts in order to participate in a modern society, and have to swallow the fact that the centralized databases containing our information will sooner or later suffer a breach.

That is why SelfKey is working on an end-to-end self-sovereign identity management system which will do a much better job of protecting you from data breaches.

You can learn more about our solution here, but for now, let’s take a closer look at the damage.

State of the breach September 2019: AT LEAST 4 billion records, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed through data breaches in 2019.

Check out Have I Been Pwned to see if your accounts have been compromised by a data breach.

XX Million – Malindo Air, September 18, 2019

Malindo Air, the low-cost Indonesian Airline, has confirmed a significant data breach affecting millions of passengers. The information, including names, home addresses, phone numbers and even passport numbers, has already been leaked on public forums meaning that those affected, likely already face a much higher risk of identity theft and fraud.

20 Million – Novaestrat, September 16, 2019

A massive data breach has reportedly affected almost the entire population of Ecuador. Security company vpnMentor was the first to identify the breach, when their research team found a Miami-based Elasticsearch server run by the Ecuadorian company Noaestrat.

The breach is particularly damaging, due to the extensive quantity of information stored about each individual. This includes birth dates, names, contact information, national identification numbers, tax payer identification numbers, driving records and bank account balances. The information was seemingly compiled by several Ecuadorian government registries, automotive associations and the Ecuadorian national bank. Among the affected are reportedly six million children.

50,000 – Get, September 9, 2019

According to the Guardian, the personal details of around 50,000 university students have been exposed. An app designed to facilitate payments for university clubs and societies, called Get, apparently allowed unauthorized users to get access to other users’ data, including names, email addresses, date of birth and phone numbers.

14 Million – Hostinger, August 25, 2019

Techcrunch reported that the popular web hosting service Hostinger suffered a major data breach affecting millions of users. According to the report, a hacker gained access to the company’s systems  including an API database. That database contained customer usernames, email addresses and passwords.

Hostinger has said that the API database stored roughly 14 million customers’ records.

1 Million – Suprema, August 14, 2019

One of the leading biometrics companies, Suprema, left the fingerprints, facial recognition information, unencrypted usernames and passwords of over 1 million people on an unencrypted database. The Guardian broke the story, reporting that Suprema’s data is used by the UK Metropolitan police and 5,700 other organizations.

23 Million – CafePress, August 5, 2019

The personal information of over 23 million CafePress customers has been exposed according to multiple reports. The custom T-shirt and merchandise company has yet to issue a statement but the exposed data has been circulating in hacker forums for weeks. The data breach involved the names, usernames, email addresses, passwords, and physical addresses.

50 Million – Poshmark, August 1, 2019

The US-based fashion platform Poshmark suffered a significant data breach according to a blog post on their site.  An unauthorized third party managed to access the email addresses, names, user names, and even clothing size preferences of Poshmark users.

It is still unclear how many people are affected but Poshmark is said to have around 50 million users.

100 Million – Capital One, July 29, 2019

The New York Times is reporting that a former Software Engineer hacked the database of Capital One and obtained the personal information of more than 100 million people. Federal prosecutors have named it one of the largest data breaches in history with potentially devastating consequences.

In addition to millions of stolen credit card applications – Capital One is the third largest issuer of credit cards in the US – the breach also compromised one million Canadian social insurance numbers.

300,000 – QuickBit, July 22, 2019

On the 22nd of July, Coindesk reported that the Swedish cryptocurrency exchange QuickBit suffered an extensive data breach. According to the report, the digital asset platform unknowingly leaked the data of 300,000 customers via an unprotected MongoDB database.

The exposed data included full names, addresses, email addresses, user gender, and dates of birth.

5 Million – Bulgaria’s National Revenue Agency, July 17, 2019

Bulgaria suffered a devastating data breach and the largest in its history according to The Next Web. Hackers managed to breach the National Revenue Agency and access highly sensitive information of 5 Million citizens. Bulgaria’s population stands at 7 Million, meaning that almost everyone is affected.

The compromised data includes personal identifiable numbers, addresses, and even income data. The hackers sent a download link to local media and stated: “The state of your cyber-security is a parody.” An investigation into the extent and ramifications of the data breach are under way.

14,600 – Los Angeles County Department of Health Services, July 10, 2019

CBS Los Angeles reported that malicious actors managed to use a phishing attack to access highly sensitive personal information of 14,600 patients. 2019 has been a horrific year for customer privacy in the medical industry, with breaches occurring on an almost weekly basis.

According to reports, the Los Angeles County Department of Health is in the process of notifying patients. The phishing attack happened in March 2019, and the hackers seemingly had access to employee accounts for several hours. Among the exposed information is: names, addresses, phone numbers and patient information.

78,000 – Maryland Dept. of Labor, July 6, 2019

According to Yahoo News, 78,000 people may have had their personal information exposed, due to a data breach affecting Maryland’s Department of Labor. The data reportedly occurred earlier this year and no evidence of malicious activity was found. Nevertheless, the Department is offering all affected customers two years free credit monitoring.

Mars Mission Data – NASA, June 24, 2019

On the 24th of June it was reported that NASA had experienced a significant security incident. According to this report, an unauthorized individual managed to access NASA’s Jet Propulsion Laboratory, making off with highly sensitive information. The hacker supposedly went undetected for 10 months and had access to many critical projects – including details about NASA’s Curiosity Rover.

11 Million – Emuparadise, June 10, 2019

ZDNet has reported that 11 million user accounts of the popular gaming emulator Emuparadise were exposed after a recent data breach. The user passwords were stored as salted MD5 hashes, a form of encryption deemed unsafe since 2012, and were easily cracked. The full extent of the breach is still unknown, although ZDNet claims that passwords, email addresses, IP addresses and usernames are involved.

7.7 Million – Labcorp, June 4, 2019

Just a day after Quest Diagnostics announced its breach, another company dealing with highly sensitive medical records announced a major security incident. According to USA Today, Labcorp was also using the collections firm American Medical Collection Agency (AMCA), which experienced a supposed breach earlier this month. Specifics are hard to come by, but names, addresses, dates of birth, and balance information are likely among the compromised data.

11.9 Million – Quest Diagnostics, June 3, 2019

Quest Diagnostics, a clinical laboratory company, announced that an “unauthorized user” gained access to the medical records and social security numbers of up to 12 million customers.  Information is still sparse, but it appears that AMCA, a billing vendor used by Quest, was exploited for the attack. All parties are working closely together to understand the full scope of the data breach.

Unknown – Checkers Restaurants, May 30, 2019

ZDNet reported that hackers breached the security systems of Checkers Restaurants and installed malware which infiltrated the restaurant chain’s point of sale software. As a result, the hackers managed to steal customers’ payment card number, cardholder name, expiration date and card verification code.

Hundreds of locations have been affected although the total number of impacted customers is still unknown.

Unknown – Flipboard, May 29, 2019

The popular news aggregation app Flipboard announced that it had detected unauthorized  access to some of its databases between June 2, 2018 and March 23, 2019. It’s still unclear how many of the 145 million monthly users are affected, but names, email addresses and cryptographically protected passwords are among the exposed data.

139 Million – Canva, May 28, 2019

Marketingland reported that the leading graphic design tool Canva had experienced a cyber attack which affected up to 139 million users. According to the report, the attack targeted usernames, email addresses and passwords, although luckily credit card details were not compromised. Canva is particularly popular among entrepreneurs and online marketers from all over the world.

885 million – First American, May 25, 2019

Renowned cyber security experts Krebs on Security reported that Fortune 500 giant First American Financial Corp exposed customers’ bank account numbers, statements, mortgage as well as tax records through its faulty website. 885 million highly sensitive records were leaked to anyone who knew where to look, with the records going back to 2003.

49 Million – Chtrbox, May 20, 2019

An unsecured database seemingly belonging to Chtrbox, a Mumbai-based social media marketing firm, was discovered online. TechCrunch reports that the database contained more than 49 million records comprising bio info, email address, phone number, and profile picture of millions of Instagram users.

1.5 Million – Freedom Mobile, May 9, 2019

The VPN Mentor research team discovered a data breach which exposed the personal information of 1.5 million Freedom Mobile users. Worryingly, the data included credit card numbers and CVV numbers, meaning that significant financial damage will likely be incurred as a result.

1.6 Million – AMC Networks, May 1, 2019

Renowned security expert Bob Diachenko discovered a publicly available MongoDB instance exposing the data of 1.6 million AMC network subscribers. The subscriber information contained names, emails, subscription plan details and more personally identifiable information. This is another alarming example of failure to meet the very lowest security standards.

Unknown – Atlanta Hawks, April 23, 2019

Struggling Basketball teams are just as vulnerable to data breaches as governments, businesses and Universities. On April 23, CNet reported that the Atlanta Hawks eCommerce store had been infected with malware designed to steal the payment information of customers. Expert Willem De Groot identified the notorious hacking group Magecart as the culprit and the Atlanta Hawks are still investigating the full extent of the hack.

The SelfKey Identity Wallet is a free identity solution for Windows, Linux and Mac. Get yours today!

9 Million – Bodybuilding.com, April 22, 2019

One of the biggest service providers in the fitness industry, bodybuilding.com, suffered a serious hacking attack potentially impacting its 9 million users. According to Forbes, a sophisticated phishing attack had allowed hackers to gain access to the highly sensitive data including billing addresses, names, email addresses and birth dates.

Unknown – Microsoft Email Services, April 15, 2019

Popular email services msn.com, hotmail.com and outlook.com were affected by a significant data breach according to TechCrunch. The vulnerability seemingly existed between January 1st and March 28 2019, and allowed hackers to access email accounts.

540 Million – Facebook, April 2, 2019

Mark Zuckerberg was in the news for all the wrong reasons in April 2019. The (so far) newest addition to the litany of blunders involved exposing the personal records of over 540 million Facebook users. According to TechCrunch, cybersecurity experts found the data on an unsecured, publicly accessible database.

1.3 Million – Georgia Tech, April 2, 2019

Universities are just as likely to get hacked as a business or government organization. On April 2nd, a host of highly sensitive personal information managed by Georgia Tech was accessed by a hacker. The information of 1.3 million faculty members, students and employees was affected according to patch.com. Social Security Numbers, birth days, names and addresses were breached.

980 Million – Verifications.io, March 29, 2019

Towards the end of March 2019, cybersecurity expert Bob Diachenko found an unsecured database containing 982 million email addresses along with names, genders, employers and home addresses. The server was unsecured and available to anyone who knew were to look. Upon notification verifications.io, the company seemingly behind the database, shut down its website and ostensibly ceased to operate.

2 Million – Earl Enterprises, March 29, 2019

The credit card information of more than 2 million customers of Earl Enterprises was stolen and later sold according to krebsonsecurity.com. Criminals managed to install sophisticated malware on the company’s point of sale software, allowing them to syphon off the highly sensitive payment information.

1.8 Million – Federal Emergency Management Agency, March 22, 2019

Data breaches are particularly harmful when they affect vulnerable people. In March 2019, the Washington Post reported that 1.8 million disaster survivors had their banking information plus their home addresses accidentally shared with contractors. These people had primarily sought shelter after wildfires and hurricanes.

2 Million – Oregon Department of Human Services, March 21, 2019

Government organizations are just as likely to suffer data breaches as hospitals, businesses and two person startups. On March 21st, the Oregon Department of Human Services announced that poorly trained employees had fallen for a phishing attack, comprising highly sensitive personal information of roughly 1.6 million people. This includes emails, addresses, names and much more.

600 Million – Facebook, March 21, 2019

Facebook has a long history of privacy abuses and data scandals. At the end of March 2019, the social media giant admitted that it had failed to secure the passwords of 600 million users since around 2012. Thousands of Facebook employees had access to the millions of unsecured records, which were stored in a plain text file.

1.5 Million – Gearbest, March 14, 2019

In March, the VPN Monitor research team reported that Gearbest, a highly successful Chinese eCommerce company, had a completely unsecured database. The VPN Monitor team managed to access a database containing 1.5 million records. Alarmingly, the information contained payment information, billing address, order history and much more highly sensitive information.

2.4 Million – Dow Jones, March 1, 2019

One of the most significant data breaches ever occurred on March 1st, when more than 2 million identity records including government officials and politicians was leaked online. According to reports from Zdnet, the information was stored, alarmingly, on a publicly accessible database.

1 Million – UW Medicine, February 20, 2019

February 20th was a particularly bad day for the personal data of medical patients as both Advent and UW Medicine reported significant data breaches. In the case of the UW Medicine data breach, nearly 1 million people were affected by a simple bug: A problem with the platforms server indexed highly sensitive data on search engine’s, meaning that patient’s financial history, passwords, social security and more were available with a simple Google search.

42,000 – Advent Health, February 20, 2019

Data breaches affecting medical records are particularly hazardous. In February, the Advent Health Medical Group notified its members of a 16-month long data breach exposing medical histories, social security numbers and a host of highly sensitive information. According to reports, 42,000 individuals were affected.

14.8 Million – 500px, February 15, 2019

The popular photo sharing site 500px was hacked, exposing the data of 14.8 million users. Information such as names, usernames, emails, locations, gender, and birth dates were revealed. The website notified its users and forced a password reset, although the hack happened in July 2018 and they weren’t aware of it until February 2019.

6 Million – Coffee Meets Bagel, February 14, 2019

In a case of ironically poor timing, the dating app Coffee Meets Bagel announced a data breach just in time for Valentine’s Day. While only names and emails of users were exposed, the breach impacted approximated 6 million people.

Unknown – Dunkin’ Donuts, February 12, 2019

Dunkin’ Donuts announced a data breach for the second time in three months, affecting DD Perks rewards members. Hackers used credential stuffing attacks to gain access to customer accounts, then sold them on the Dark Web for profit. The first of these attacks happened at the end of November, and although the company didn’t say how many customers had been affected, there are currently 10 million DD Perks members.

24,000 – EyeSouth Partners, February 6, 2019

An unauthorized third party gained access to an employee email account of Georgia-based EyeSouth Partners. Over 24,000 patients had their data compromised, such as names, health insurance information, and account balance information.

Unknown – Huddle House, February 4, 2019

The US-based casual dining and fast food restaurant chain, Huddle House had their point of sale system compromised, giving hackers the ability to install malware to steal the payment information of customers between August 2017 and February 2019. How much damage was done is still unclear as Huddle House is continuing their investigation.

20,000 – Catawba Valley Medical Center, February 4, 2019

Phishing scams seems to be a popular and effective cyberattack in the medical industry, as three employee email accounts at Catawba Valley Medical Center were hacked by one in the summer months of 2018. An estimated 20,000 patients of the North Carolina-based medical facility had their names, birth dates, social security numbers, and personal health information exposed in the attack.

Unknown – Houzz, January 31, 2019

To finish off January, the popular home improvement website Houzz announced a data breach affecting users of their platform. While Houzz did not disclose how many people were affected by the breach, the site has approximately 40 million users. The company stated that public profile information such as names, locations, usernames, and hashed passwords were taken by an unauthorized third party.

23,000 – Critical Care, Pulmonary & Sleep Associates, January 31, 2019

Employees of the Critical Care, Pulmonary & Sleep Associates (CCPSA) fell for a phishing attack that led to approximately 23,000 patients having their data breached. The Colorado-based healthcare facility realized that the hacker had access to names, dates of birth, addresses, medical information, social security numbers, and driver’s licenses for three months

100,000 – Alaska Department of Health & Social Services, January 23, 2019

Alaska’s Division of Public Assistance was the target of a cyberattack that exposed data of at least 100,000 people. It is still unknown who the attacker was, but they were able to access the names, birth dates, addresses, social security numbers, health information, and income of people who had applied for government programs.

24 Million – Ascension, January 23, 2019

The data analytics company Ascension, based in Fort-Worth, Texas, left more than 24 million mortgage and banking documents unprotected in an online database for at least two weeks. According to a report from TechCrunch, the documents included people’s names, addresses, dates of birth, social security numbers, and financial information.

108 Million – Various Online Betting Sites, January 23, 2019

Four different online betting sites stored data on Elasticsearch cloud storage without securing it. Approximately 108 million records were breached including names, addresses, emails, phone numbers, usernames, birth dates, IP addresses, account balances, games played, and win and loss information. If you’ve placed bets via kahunacasino.com, azur-casino.com, easybet.com, or viproomcasino.net, your information was likely exposed.

12,000 – Graeters Ice Cream, January 22, 2019

The Cincinnati-based purveyor of sweets, Graeter’s Ice Cream notified approximately 12,000 online customers that their data had been compromised. Malicious code was discovered on the company’s checkout page which captured customer data such as customer credit card details, names, addresses, phone numbers, and fax numbers.

20,000 – BlackRock Inc., January 22, 2019

The world’s largest asset manager, BlackRock, accidentally leaked the information of as many as 20,000 financial advisors. The company had posted confidential spreadsheets which contained information related to the advisors who work with BlackRock’s iShares unit. The names, emails, and assets managed by advisors were amongst the information that was exposed.

773 Million – Collection #1, January 17, 2019

On the same day, security researcher Troy Hunt discovered a massive database of leaked data on a cloud storage site called MEGA. The database contained over 773 million emails and 22 million passwords, amalgamated from thousands of different data breaches dating back to 2008. The information was also shared on a popular hacking forum, so it is unknown who exactly accessed the data. Needless to say, it doesn’t look good. If you are worried that your credentials have been compromised, you can check on Have I Been Pwned?

Unknown – Oklahoma Department of Securities, January 17, 2019

The Oklahoma Department of Securities (ODS) left millions of government files exposed and unprotected on an open server belonging to the agency. Amongst the exposed files were records pertinent to FBI investigations. The oldest records that were exposed dated back to 1986, and range from personal data to login credentials and internal communications records. The ODS is currently investigating how many records were exposed, who may have accessed them and the potential damage this data breach may have caused.

Unknown – Fortnite, January 16, 2019

The popular online video game Fortnite was found to have exposed players to being hacked. A security firm called Check Point discovered the vulnerabilities in the game and alerted Fortnite to the threat. The vulnerabilities could have allowed malicious actors to take over the account of any player, view their personal information, purchase V-bucks (the in-game currency), and listen in to game chatter. While it is unknown just how many users were affected, Fortnite has 200 million users worldwide of which 80 million are active each month.

31,000 – Managed Health Services of Indiana, January 11, 2019

A phishing attack on the Managed Health Services of Indiana (MHS) exposed the health information of more than 31,000 patients in 2018 and was not discovered until January. The compromised data included names, insurance ID numbers, dates of birth, addresses, and medical conditions. While the MHS says there has been no evidence that the data has been misused, patients were obviously upset.

Unknown – OXO, January 10, 2019

The New York-based manufacturer, OXO discovered that they had been hacked in two separate incidents over the past two years. Both hacks exposed customer information entered on their website. OXO found unauthorized code on their website which collected customer names, addresses, and credit card information. The company has declined to announce the number of customers who were affected by the breach.

Unknown – BenefitMall, January 7, 2019

BenefitMall, a US provider of HR, payroll, and employer services, announced a data breach that occurred after an email phishing attack compromised employee login credentials. The exact extent of this breach is unknown as the company has not released the exact number of records that were affected by the attack. That being said, the stolen information could include customer information such as names, social security numbers, addresses, bank account numbers, dates of birth, and information about their insurance premiums.

Unknown – DiscountMugs.com, January 4, 2019

A major online retailer of custom mugs and apparel, DiscountMugs.com was hacked over a four-month period during the latter half of 2018. Although the company did not disclose how many customers were affected by the breach, it is believed to be upwards of several thousand. A malicious card skimming code had been placed in the company’s payment section of their website and hackers were able to steal full card payment details, names, emails, phone numbers, and addresses.

7.6 Million – BlankMediaGames, January 3, 2019

In almost no time at all, the next great data breach occurred the day after Blur announced their breach. This time, the information of 7.6 million gamers had been stolen during a hack of the game Town of Salem by BlankMediaGames (BMG). According to BMGs announcement, the server had been compromised and emails, usernames, IP addresses, in-game purchases, and in-game activity had been exposed.

2.4 Million – Blur, January 2, 2019

It didn’t take long for the first major breach announcement of 2019. Blur announced a breach after an unsecured server exposed a file containing 2.4 million user names, email addresses, password hints, IP addresses, and encrypted passwords. The password management company urged their users to change their Blur login credentials and enable two-factor authentication.