U.S. warns public about attacks on energy, industrial firms

Doomsday Prepper Forums


Maverick

I wish I knew more about IT. It seems like our financial system is more and more vulnerable all the time now. I haven't had anything hacked yet, but feel it is only a matter of time. I did freeze my credit and check my bank account online often at least. I did have a problem recently though. It was a better business complaint sent in an email. I clicked it with my phone and immediately knew it was a scam. The problem is I have an iPhone. I tried to connect it to my computer to see what kind of file it was, but could only find my pictures. As soon as I can I will go by an Apple Store and see if they can search it for anything. In the meantime I don't do anything financial with my phone. I've read that a lot of these things don't harm Apple products, but I'll get it checked anyways.
 
I wish I knew more about IT. It seems like our financial system is more and more vulnerable all the time now. I haven't had anything hacked yet, but feel it is only a matter of time. I did freeze my credit and check my bank account online often at least. I did have a problem recently though. It was a better business complaint sent in an email. I clicked it with my phone and immediately knew it was a scam. The problem is I have an iPhone. I tried to connect it to my computer to see what kind of file it was, but could only find my pictures. As soon as I can I will go by an Apple Store and see if they can search it for anything. In the meantime I don't do anything financial with my phone. I've read that a lot of these things don't harm Apple products, but I'll get it checked anyways.

I wouldn't worry about it that much.

Clear the history for whatever you use to get to the internet. If Safari, go to the phone's settings, Safari, clear history and browsing data.

There are also free antivirus apps for iPhones.
 
I wish I knew more about IT. It seems like our financial system is more and more vulnerable all the time now.

I am so glad I am retired and not responsible for an IT system anymore. You don't know how many nightmares I had...and I literally mean nightmares...about things that could go wrong. The chief of which was getting hacked. We handled credit card numbers, and my worst nightmare was being one of THOSE companies that had data breaches.

I have been retired for two years, and I still have occasional nightmares about that. The nightmares are getting less frequent for me personally now, but apparently more frequent for others in IT:

You know the saying "Ignorance is bliss" so be warned, the following information may spoil your bliss...

In 2017 ALONE:

E-Sports Entertainment Association (ESEA)
January 8, 2017: On December 30, 2016, ESEA, one of the largest video gaming communities, issued a warning to players after discovering a breach. At the time, it wasn’t known what was stolen and how many people were affected. However, in January, LeakedSource revealed that 1,503,707 ESEA records had been added to its database and that leaked records included a great deal of private information.

Xbox 360 ISO and PSP ISO
February 1, 2017: Security expert Troy Hunt, of the website Have I Been Pwned?, revealed that Xbox 360 ISO and PSP ISO had been hacked in September 2015. The websites, both forums which host illegal video game download files, housed sensitive user information that was taken. 1.2 million Xbox 360 ISO users and 1.3 million PSP ISO users were affected and may have had their e-mail addresses, IP addresses, usernames, and passwords stolen in the breach.

InterContinental Hotels Group (IHG)
February 7, 2017: IHG, the company that owns popular hotel chains like Crowne Plaza, Holiday Inn, Candlewood Suites, and Kimpton Hotels, announced a data breach that affected 12 of its properties. Malware was found on servers which processed payments made at on-site restaurants and bars; travelers that used cards at the front desk did not have information taken. The malware was active from August 2016 to December 2016 and stolen data includes cardholder names, card numbers, expiration dates, and internal verification codes.

Arby’s
February 17, 2017: The national fast food chain acknowledged a data breach after being pressed by the website KrebsOnSecurity. The company admitted that they had been notified in mid-January about a possible breach in select restaurants, but the FBI asked them not to go public yet.

River City Media
March 6, 2017: A group of spammers, operating under the name River City Media, unknowingly released their private data into cyberspace after failing to properly configure their backups. The leak known as Spammergate included Hipchat logs, domain registration records, accounting details, infrastructure planning, production notes, scripts, business affiliations, and more. The biggest discovery, however, was a database of 1.4 billion email accounts, IP addresses, full names, and some physical addresses.

Verifone
March 7, 2017: KrebsOnSecurity revealed that Verifone, the largest maker of point-of-sale credit card terminals used in the U.S., discovered a breach of its internal network in January 2017. When asked, Verifone said the breach didn’t affect its payment services network and was only within the corporate network. The company claims they responded to the breach immediately and “the potential for misuse of information is limited.” Sources say there’s evidence that a Russian hacking group is responsible for the breach, and that the intruders may have been inside Verifone’s network since mid-2016, but nothing has been confirmed.

Dun & Bradstreet
March 15, 2017: Dun & Bradstreet, a huge business services company, found its marketing database with over 33 million corporate contacts shared across the web in March 2017. The firm claims its systems were not breached, but that it has sold the 52GB database to thousands of companies across the country; it’s unclear which of those businesses suffered the breach that exposed the records.

Saks Fifth Avenue
March 19, 2017: BuzzFeed broke the news that customer information was available in plain text via a specific link on the Saks Fifth Avenue website. The information for tens of thousands of customers was visible on a page where customers could join a wait list for products they were interested in.

UNC Health Care
March 20, 2017: 1,300 letters were sent to prenatal patients who had received care in the University of North Carolina Health Care System about a potential data breach they may have been affected by. UNC Health Care revealed that women who had completed pregnancy home risk screening forms at prenatal appointments between 2014 and 2017 at the Women’s Clinic at N.C. Women’s Hospital and UNC Maternal-Fetal Medicine at Rex may have mistakenly had their personal information transmitted to local county health departments.

America’s JobLink
March 21, 2017: America’s JobLink, a web-based system that connects job seekers and employers, revealed its systems were breached by a hacker who exploited a misconfiguration in the application code. The criminal was able to gain access to the personal information of 4.8 million job seekers, including full names, birth dates, and Social Security numbers.

FAFSA: IRS Data Retrieval Tool
April 6, 2017: The IRS revealed that up to 100,000 taxpayers may have had their personal information stolen in a scheme involving the IRS Data Retrieval Tool, which is used to complete the Free Application for Federal Student Aid (FAFSA).

InterContinental Hotels Group (IHG) – UPDATE
April 19, 2017: When IHG first announced a data breach in February 2017, it was believed that only 12 of its properties had been affected. It’s been revealed, however, that the initial 12 has jumped to 1,200.

Chipotle
April 25, 2017: Chipotle posted a “Notice of Data Security Incident” on its website to let customers know about unauthorized activity it detected on the network that supports in-restaurant payment processes. It believes payment card transactions that occurred from March 24, 2017 through April 18, 2017 may have been affected.

Sabre Hospitality Solutions
May 2, 2017: Sabre Hospitality Solutions, a tech company that provides reservation system services for more than 36,000 properties, revealed a breach that allowed hotel customer payment information to be compromised.

Gmail
May 3, 2017: Gmail users were targeted in a sophisticated phishing scam that was seeking to gain access to accounts through a third-party app. The emails were made to look like they were from a user’s trusted contact and notified the individual that they wanted to share a Google Doc with them. Once clicked, the link led to Google’s real security page where the person was prompted to allow a fake Google Docs app to manage his or her email account.

Bronx Lebanon Hospital Center
May 10, 2017: Thousands of HIPAA-protected medical records were exposed in a data breach due to a misconfigured Rsync backup server hosted by a third party, iHealth. At least 7,000 patients who visited the Bronx Lebanon Hospital Center in New York between 2014 and 2017 may have had extremely personal information compromised. Leaked information has been reported to include names, home addresses, religious affiliations, addiction histories, mental health and medical diagnoses, HIV statuses, and sexual assault and domestic violence reports.

Brooks Brothers
May 12, 2017: If you shopped at a Brooks Brothers retail store or outlet in the last year and used a credit or debit card, you may have had your card data stolen. Brooks Brothers revealed a breach that affected some of their stores between April 4, 2016, and March 1, 2017; the retailer has not revealed which exact locations were targeted yet.

DocuSign
May 17, 2017: Customers and users of the electronic signature provider DocuSign were targeted recently by malware phishing attacks. DocuSign says that hackers breached one of its systems, but they only obtained email addresses and no other personal information. The hackers used the email addresses to conduct a malicious email campaign in which DocuSign-branded messages were sent that prompted recipients to click and download a Microsoft Word document that contained malware.

OneLogin
May 31, 2017: OneLogin, a San Francisco-based company that allows users to manage logins to multiple sites and apps through a cloud-based platform, has reported a troubling data breach. OneLogin provides single sign-on and identity management for about 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers. A threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US.

Kmart
May 31, 2017: Sears Holdings, the parent company of Kmart, revealed that Kmart’s store payment systems were infected with malware; Kmart.com and Sears shoppers were not impacted by this breach. The malicious code has been removed, but the company has not shared how long the payment system was under attack and how many stores were affected.

University of Oklahoma
June 14, 2017: The University of Oklahoma’s (OU) student-run newspaper, The Oklahoma Daily, was the first to discover an on-campus data breach connected to the university’s document sharing system, Delve. Educational records, dating back to at least 2002, were unintentionally exposed through incorrect privacy settings.

Washington State University
June 15, 2017: A hard drive containing the personal information of approximately one million people was stolen from a Washington State University storage unit in Olympia, WA.

Deep Root Analytics
June 20, 2017: Last year, the Republican National Committee hired Deep Root Analytics, a data analytics firm, to gather political information about U.S. voters. Chris Vickery, a cyber risk analyst, discovered that the sensitive information Deep Root Analytics obtained–personal data for roughly 198 million American citizens–was stored on an Amazon cloud server without password protection for almost two weeks this month.

Blue Cross Blue Shield / Anthem
June 27, 2017: Health insurance company Anthem has agreed to a $115 million settlement in connection with a 2015 data breach that impacted 80 million of their customers across their Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare brands.

California Association of Realtors
July 10, 2017: A subsidiary of the California Association of Realtors—Real Estate Business Services (REBS)—was the victim of a data breach; it was recently reported to the California Attorney General’s Office. The organization’s store.car.org online payment system was infected with malware that was active between March 13, 2017, and May 15, 2017.

Verizon
July 13, 2017: A reported 14 million Verizon subscribers may have been affected by a data breach, and you might be one of them if you have contacted Verizon customer service in the past six months.

Online Spambot
August 30, 2017: Remember the River City Media breach from March 2017 in which the “bad guys” had information stolen? It’s happened again to an online spambot, and the set of stolen data is even larger. Though River City Media’s breach was originally believed to impact 1.4 billion people, it “only” ended up being 393 million records; this online spambot breach reportedly involves 711 million records.

TalentPen and TigerSwan
September 2, 2017: Over 9,000 documents containing the personal information of job seekers with Top Secret clearance were publicly available on an unsecured Amazon server for just over six months.

Equifax
September 7, 2017: Equifax, one of the three largest credit agencies in the U.S., suffered a breach that may affect 143 million consumers. Due to the sensitivity of data stolen—including Social Security numbers and driver’s license numbers—this is being called one of the worst breaches ever.

U.S. Securities and Exchange Commission (SEC)
September 21, 2017: Jay Clayton, Chairman of the SEC, issued a statement about cybersecurity and included details of a 2016 data breach. Clayton wrote that in 2016, a software vulnerability in the test filing component of the SEC’s EDGAR system was discovered and patched “promptly.” However, in August 2017, the SEC learned that incident “may have provided the basis for illicit gain through trading.”

SVR Tracking
September 21, 2017: SVR Tracking, a San Diego-based service that gives auto dealership and lot owners the ability to locate and recover vehicles, allowed more than half a million customer records to be leaked online. On September 18, Kromtech Security Center found 540,642 records in an unsecured Amazon S3 bucket and notified SVR Tracking of their findings on September 20; SVR secured the bucket within three hours. However, it is unknown how long the information was publicly available online and the data was quite sensitive in nature.

Deloitte
September 25, 2017: A breach that affected Deloitte, a multinational professional services firm, in March came to light—and the reason is pretty embarrassing for a company that was once named the “best cybersecurity consultant in the world” by Gartner. The firm did not employ two-factor authentication, so when hackers acquired a single password from an administrator of the firm’s email account, they were able to access all areas of the email system.

Sonic
September 26, 2017: KrebsOnSecurity reported a breach at fast food chain Sonic after discovering a “fire sale” of millions of stolen credit and debit card numbers on the Dark Web. Sonic learned about the breach when its credit card processor notified them of unusual activity on customer payment cards.

Whole Foods Market
September 28, 2017: Whole Foods Market—recently acquired by Amazon—made a statement regarding the discovery of a recent breach of its payment systems. Individuals who shopped in the company’s grocery stores were likely not affected, but it is believed the unauthorized access occurred in Whole Foods locations with taprooms and full table-service restaurants.

Disqus
October 6, 2017: Disqus, a blog comment hosting service, revealed that it was targeted by hackers five years ago. The company had no idea it had been the victim of a data breach in 2012 until the website Have I Been Pwned? reached out with exposed user information it had found.

Yahoo! (Update)
October 9, 2017: In December 2016, it was reported that “more than 1 billion user accounts” may have been impacted by the 2013 Yahoo breach. Recent news, however, shows it was indeed more than 1 billion—much more.

Hyatt Hotels
October 12, 2017: After suffering a data breach in December 2015, the Hyatt hotel chain has fallen victim to hackers again. The company discovered unauthorized access to its payment card information for debit and credit cards that were swiped at the front desks of some of its properties.

Forever 21
November 14, 2017: Los Angeles-based clothing retailer Forever 21 announced that some of its customers may have been affected by a potential data breach. Upon receiving a tip from a third-party, Forever 21 launched an investigation and found certain point-of-sale (PoS) devices were compromised—likely between March and October of this year.

Maine Foster Care
November 14, 2017: Residents of Maine receiving foster care benefits had their personal information exposed on a third-party website outside of the State of Maine system. During a system upgrade on September 21, 2017, a contractor hired by Maine Office of Information Technology accidentally posted the private information, which included names of foster children and legal guardians, addresses, and Social Security numbers.

Uber
November 21, 2017: The ride-sharing service giant Uber revealed that in late 2016, it became aware of a data breach that potentially exposed the personal information of 57 million Uber users and drivers. However, the company chose to pay the hackers $100,000 to keep the enormous data breach a secret, instead of immediately alerting those affected by the breach. How did this happen?

Imgur
November 24, 2017: Imgur, the online image-sharing community, had a lot to be thankful for on Thanksgiving—until it received a notification that day about a possible data breach from 2014. Troy Hunt, the owner of the website Have I Been Pwned, reached out to Imgur’s COO on November 23, 2017 to let him know that he had received data that seemed to include the emails and passwords of Imgur users.

TIO Networks
December 1, 2017: Due to a vulnerability in their network, TIO Networks, who was recently acquired by PayPal, may have compromised the identities of over 1.6 million customers. The compromised data includes bank account information, payment card information, passwords and usernames for accounts, and Social Security numbers.

eBay
December 10, 2017: Due to a customer privacy leak, the personal information of many eBay customers, including usernames, first and last names, and purchase history, was made available via Google’s Shopping platform.

Alteryx
December 19, 2017: Alteryx, a California-based data analytics firm, was found culpable of not protecting the personal information of more than 120 million American households. The company had purchased this data from Experian, a giant credit reporting agency similar to Equifax.
 
keep low credit card limits and low amounts of money in the bank......control what you can.....the rest will play out regardless....
 
