Security Incidents around Us

General Info      

The internet has become an incredible source for not only information, but for banking, shopping, paying bills, and performing many other tasks that once required us to stray from home, and venture into the city to resolve. This has no doubt provided many of us with great conveniences and time saving, allowing us more time to spend on other matters that are more important to our daily lives. However, with this great convenience comes great risks. As we are able to perform many more tasks over the internet, it also increases the risk for our data or even our identities to be stolen online.

In February 2020, Security Magazine sited a report from Risk Based Security that stated for the year ending in 2019, there were 7,098 breaches reported. In these breaches, 15.1 billion records were exposed. This was almost triple the records exposed in 2018. Some of these records were even from many higher education resources. Considering that, we would like to take the opportunity to provide some recent information on data and security breaches on this page to promote better awareness of these incidents.

How to Reduce Your Exposure to the Risks

One easy method to keep your information safe is frequently changing your password. This prevents stale credentials from being used to gain access to your information in the event of a credential leak. Never use the same password on different websites. While this is convenient, it makes it easy for your accounts to be compromised on multiple sites when one site experiences a breach of user credentials. Use a password manager to store your passwords for different websites. These not only make it easier to keep up with your passwords, but also will let you generate different secure passwords for each site. Some password managers include LastPass, BitWarden, and 1Password. There are also sites you can put in your email address you have linked to your online accounts to check and see if those accounts were victims of a breach. One such site is https://haveibeenpwned.com . If you find you have been a victim of a data breach, change your password immediately. Also pay attention to emails you receive and never click on any questionable links you aren't sure about. If unsure, it is always better to ask. Please don't hesitate to report them using the Phish Alert button in your Outlook client. If you have any questions about the breaches listed on this page, please conact the ITS Helpdesk to answer any of your questions.

 

Recent Data Breaches

 
(Taken from IdentityForce.com)

Guess

July 12, 2021: The fashion retailer, Guess, notified an undisclosed number of customers of a data breach following a ransomware attack that resulted in a data breach. Sensitive information including Social Security numbers, driver’s license numbers, passport numbers and/or financial account numbers may have been accessed or acquired.

Forefront Dermatology

July 9, 2021: U.S. healthcare provider, Forefront Dermatology, announced unauthorized access to its IT systems exposed the personal data and medical records of up to 2.4 million patients. The data exposed included patient names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, healthcare provider names, and/or medical and clinical treatment information among other sensitive data.

Wegmans

June 21, 2021: The U.S. supermarket chain, Wegmans Food Markets, notified an undisclosed number of customers that their data was exposed after two of its cloud-based databases were misconfigured and made publicly accessible online. The personal information in the databases included customer names, addresses, phone numbers, birth dates, Shoppers Club numbers, email addresses, and hashed passwords to Wegmans.com accounts.

Carter’s

June 20, 2021: The personal and shipping information of over 410,000 customers of the baby clothing retailer, Carter’s, were exposed due to a third-party data breach with the company’s online purchases software. The information disclosed in the data leak includes names, email addresses, billing addresses, phone numbers, purchasing details, and shipping tracking IDs and links.

Volkswagen & Audi

June 15, 2021: A third-party marketing services supplier disclosed the personal information of 3.3 million customers of Volkswagen and its Audi subsidiary. The exposed data includes their name, mailing address, email address and phone numbers. The data may also include information about a vehicle that has been purchased, leased or inquired about, including vehicle identification numbers, makes, models, years, colors and trim packages.

Bose

May 25, 2021: Audio maker, Bose Corporation, disclosed a data breach following a ransomware attack. During the investigation of the ransomware’s attack impact on its network, they discovered some of its current and former employees’ personal information was accessed by the attackers. The personal information exposed in the attack includes names, Social Security Numbers, compensation information, and other HR-related information.

Health Plan of San Joaquin

May 17, 2021: Unauthorized access to the business email accounts at Health Plan of San Joaquin allowed the perpetrator to gain access to patients’ sensitive personal and medical information contained in messages and attachments that passed through the affected email accounts. Exposed data types include Social Security numbers, driver’s license numbers, login information, medical records such as lab results and treatment information, and more

Bailey & Galyen

May 14, 2021: A cyberattack targeting the law offices of Bailey & Galyen exposed the personal information of an undisclosed number of clients and employees. The PII included clients’ names, dates of birth, driver’s license or personal identification card numbers, Social Security Numbers, payment account numbers, payment card information, biometric data including but not limited to medical information and history, medical diagnosis and treatment information, health insurance information, and other personal information.

CaptureRX

May 7, 2021: CaptureRx, a healthcare system IT company, exposed almost 2 million patient records belonging to over 100 hospitals and healthcare organizations after it was targeted by a ransomware attack.  The sensitive medical information involved in the cyberattack includes names, birthdates, and prescription details.

Experian

April 26, 2021: An independent security researcher uncovered a data leak caused by an unsecured Experian application programming interface (API) while researching student loan vendors online. The tool, used by Experian and many other lending sites, allowed anyone to easily access the private credit scores of tens of millions of Americans by supplying their name, date of birth, and mailing address.

Reverb

April 24, 2021: A database containing the personal details of over 5.6 million users of the popular music instruments online marketplace, Reverb, was discovered after it was leaked into the Dark Web. The database contained full names, email addresses, postal addresses, phone numbers, listing/order count, PayPal account email, IP address, and more.

GEICO

April 19, 2021: The auto insurance company Government Employees Insurance Company, known as GEICO, filed a data breach notice announcing information gathered from other sources was used to “obtain unauthorized access to your driver’s license number through the online sales system on our website.” The total normal of insured drivers affected has not been disclosed but the hackers had accessed between January 21 and March 1. Driver’s licenses contain Personally Identifiable Information (PII) such as name, address, and date of birth.

ParkMobile

April 12, 2021: A third-party software vulnerability is responsible for exposing 21 million customer records belonging to ParkMobile, a contactless payment parking app. The stolen data includes email addresses, phone numbers, license plate numbers, hashed passwords, and mailing addresses.

ClubHouse

April 10, 2021: A database containing 1.3 million scraped Clubhouse user records were leaked for free on a popular hacker forum. The leaked database from the audio chat social network includes user ID, name, photo URL, username, Twitter handle, Instagram handle, number of followers, number of people followed by the user, and account creation date – all of which the company claims is public information. 

LinkedIn

April 6, 2021: Over 500 million LinkedIn user profiles were discovered on the Dark Web. The hackers shared two million of these LinkedIn records for only $2 total to prove the legitimacy of the information in the stolen data. The LinkedIn account users’ data was scrapped or imported from the website into a database, and includes names, LinkedIn account IDs, email addresses, phone numbers, gender, LinkedIn profile links, connected social media profile links, professional titles, and other work-related personal data.

Facebook

April 3, 2021: The personal data of 533 million Facebook users from 106 countries has been posted online for free in a low-level hacking forum. The data was scraped in a vulnerability that the company patched in 2019, and includes users’ phone numbers, full names, location, email address, and biographical information.

Cancer Treatment Centers of America

March 26, 2021: The Cancer Treatment Centers of America sent out notifications to 104,808 patients, alerting them a compromised email account led to medical information being accessed by an unknown third-party.  The compromised account contained patient names, health insurance information, medical record numbers, CTCA account numbers, and limited medical information.

Hobby Lobby

March 23, 2021: A database containing records of over 300,000 customers of the arts and crafts chain store, Hobby Lobby, was exposed after the company suffered a cloud-bucket misconfiguration. The disclosed information included customer names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as the source code for the company’s app.

California State Controller’s Office (SCO)

March 23, 2021: A phishing attack targeting the California State Controller’s Office (SCO) Unclaimed Property Division led to an employee clicking on a malicious link, logging into a fake website, and granting a hacker access to their email account. The criminal had access to the account for 24 hours, allowing permission to view Personally Identifying Information (PII) contained in Unclaimed Property Holder Reports and to send more phishing emails to the hacked SCO employee’s contacts. The number of employees affected and the types of personal information impacted have not been disclosed.

MultiCare

March 9, 2021: A third-party ransomware attack exposed the personal information of over 200,000 patients, providers and staff of MultiCare Health System, a non-profit health care organization. The attack allowed access to personal information including names, insurance policy numbers, Social Security numbers, dates of birth, bank account numbers, and more.

SITA

March 4, 2021: The global IT company, SITA, which supports 90% of the world’s airlines confirmed it fell victim to a cyberattack, exposing the PII belonging to an undisclosed number of airline passengers. The stolen information includes names, traveler’s service card numbers, and status level.

Microsoft Exchange

March 3, 2021: Cybercriminals have targeted four security flaws in Microsoft Exchange Server email software. The attackers used the bugs on the Exchange servers to access email accounts of at least 30,000 organizations across the United States, including small businesses, towns, cities and local governments. The cyberattack gives the hackers total remote control over affected systems, allowing for potential data theft and further compromise. Microsoft has released security patches for these bugs and urges customers to apply the updates as soon as possible.

T-Mobile

February 26, 2021: An undisclosed number of T-Mobile customers were affected by SIM swap attacks, or SIM hijacking, where scammers take control of and switch phone numbers over to a SIM card they own using social engineering. With access to customer phone numbers, scammers receive messages and calls which allows them to log into the victims’ bank accounts to steal money, change account passwords, and even locking the victims out of their own accounts that use two-factor authentication. The attack also exposed customer information including names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers (PIN), account security questions and answers, date of birth, plan information, and the number of lines subscribed to their accounts.

Kroger

February 20, 2021: A third-party data breach at cloud solutions company, Accellion,  allowed hackers to steal human resources data and pharmacy records belonging to the supermarket giant, Kroger. The records disclosed could include names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers as well as information on health insurance, prescriptions and medical history.

California DMV

February 18, 2021: The California Department of Motor Vehicles (DMV) alerted drivers they suffered a data breach after billing contractor, Automatic Funds Transfer Services, was hit by a ransomware attack. The attack exposed drivers’ personal information from the last 20 months of California vehicle registration records, including names, addresses, license plate numbers and vehicle identification numbers (VINs).

Nebraska Medicine

February 10, 2021: A malware attack allowed a hacker to access and copy files containing the personal and medical information of 219,000 patients of Nebraska Medicine. The health network notified affected individuals that the accessed information includes names, addresses, dates of birth, medical record numbers, health insurance information, physician notes, laboratory results, imaging, diagnosis information, treatment information, and/or prescription information, and a limited number of Social Security numbers and driver’s license numbers.

“Compilation of Many Breaches” (COMB)

February 2,  2021: A database containing more than 3.2 billion unique pairs of cleartext emails and passwords belonging to past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin, Yahoo, and more were discovered online. This is the largest compilation of data from multiple breaches, which is where the name “Compilation of Many Breaches” or COMB comes from. The searchable and well-organized database was leaked to a popular hacking forum, giving hackers access to account credentials, including approximately 200 million Gmail addresses and 450 million Yahoo email addresses, and more.

U.S. Cellular

January 28, 2021: Through a targeted attack on retail employees of U.S. Cellular, the fourth-largest wireless carrier in the U.S., hackers were able to scam employees into downloading malicious software onto company computers. Once downloaded, the software granted remote access to the company devices and to the customer relationship management (CRM) software containing account records for 4.9 million customers. The company states that 276 customers were impacted and notified of the security incident. While viewing a customers’ account in the CRM, the hacker had access to names, addresses, PINs, cell phone numbers, service plans, and billing/usage statements.

VIPGames

January 26, 2021: VIPGames.com, a free gaming platform, exposed over 23 million records for more than 66,000 desktop and mobile users due to a cloud misconfiguration. The leaked user records include usernames, emails, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, bets and data on players who were banned from the platform.

Bonobos

January 22, 2021: Customer data was stolen from the men’s clothing retailer, Bonobos, was found for free in a hacker forum after a cybercriminal downloaded the company’s backup cloud data. The exposed database contains order information for over 7 million customers, including addresses, phone numbers, and account information for 1.8 million registered customers, and 3.5 million partial credit card records.

MeetMindful

January 24, 2021: The dating platform, MeetMindful.com, was hacked by a well known-hacker and had its user’s account details and personal information posted for free in a hacker forum. The leaked details of more than 2.28 million users registered included names, email addresses, location details, dating preferences, marital status, birth dates, IP addresses, Bcrypt-hashed account passwords, Facebook user IDs and Facebook authentication tokens.

Pixlr

January 20, 2021:  A database containing 1.9 million user records belonging to Pixlr, a free online photo-editing application, was leaked by a hacker. The database was stolen at the same time as the attack on 123RF, which exposed over 83 million user records. The leaked records include email addresses, usernames, hashed passwords, user’s country, whether they signed up for the newsletter, and other sensitive information.

Mimecast

January 12, 2021: A cybercriminal compromised a certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to Microsoft 365. Mimecast is a cloud-based email management service that provides email security services for Microsoft 365 accounts. According to the company, approximately 10 percent of its customers used the compromised connection, but have since been asked to reinstall a newly issued certificate.

Facebook, Instagram and LinkedIn

January 11, 2021: A Chinese social media management company, Socialarks, suffered a data leak through an unsecured database that exposed account details and Personally Identifiable Information (PII) of at least 214 million social media users from Facebook and Instagram, and LinkedIn. The exposed information for each platform varies but includes user’s names, phone numbers, email addresses, profile links, usernames, profile pictures, profile description, follower and engagement logistics, location, Messenger ID, website link, job profile, LinkedIn profile link, connected social media account login names and company name.

Parler

January 11, 2021: News of the conservative social media app, Parler, having its data scraped by a hacker came to light after Amazon Web Services removed the platform from its servers. The 70TB of leaked information includes 99.9% of posts, messages, and video data containing EXIF data — metadata of date, time, and location. Parler’s Verified Citizens, or users who had verified their identity by uploading their driver’s license or other government-issued photo ID, were also exposed.

Ubiquiti Inc.

January 11, 2021: One of the biggest Internet of Things (IoT) technology vendors, Ubiquiti, Inc., alerted its customers of a data breach caused by unauthorized access to their database through a third-party cloud provider. The email communication advised customers to change passwords and enable multi-factor authentication. The data exposed may include an undisclosed number of customer names, email addresses, hashed and salted passwords, addresses, and phone numbers.


Tufts Health Plan, Aetna, Blue Cross Blue Shield & EyeMed

December 11, 2020:A phishing attack on the vision benefits management company, EyeMed, exposed the personal and medical information of hundreds of thousands of health plan members, including 484,157 Aetna members (announced on December 28, 2020,) 60,545 members of Tufts Health Plan, and 1,300 members of Blue Cross Blue Shield of Tennessee. The information disclosed during the attack included names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, health insurance account/identification numbers, Medicaid or Medicare numbers, driver’s license, birth or marriage certificates. For a smaller number of members, partial or full social security numbers and/or financial information, medical diagnoses and conditions, treatment information, and passport numbers were also included.

Spotify

December 10, 2020: An undisclosed number of users of the audio streaming service, Spotify, have had their passwords reset after a software vulnerability exposed account information. A data breach notification filed by Spotify claims the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.”

Dental Care Alliance

December 10, 2020: A cyberattack on healthcare provider, Dental Care Alliance, exposed sensitive personal and medical information of over 1 million patients. The attack exposed patient names, addresses, dental diagnosis and treatment information, patient account numbers, billing information, bank account numbers, the name of the patient’s dentist, and health insurance information.

FireEye 

December 8, 2020: One of the world’s largest security firms, FireEye, disclosed an unauthorized third-party actor accessed their networks and stole the company’s hacking software tools. The highly sophisticated hacker also attempted to search and gather information related to the company’s government customers.

Cannon

November 25, 2020: Cannon, a popular camera manufacturer, publicly disclosed a ransomware attack and resulting data breach targeting the firm had occurred for several weeks in July and August of 2020. Over 10TB of breached data belonging to potentially thousands of current and former employees working for Cannon between 2005 and 2020 was compromised, including Social Security numbers, driver’s license numbers or government-issued identification, bank account information for direct deposits, dates of birth, and beneficiary and dependent information.

Pray.com

November 19, 2020: An unsecured database belonging to the app Pray.com exposed the personal information of over 10 million individuals – including users of the app and their contacts. The impacted information includes photos uploaded by the app’s users, names, home and email addresses, phone numbers, marital status, and login information. The data breach expanded beyond just the direct users of Pray.com app, and also exposed the contact information belonging to any contact stored on their mobile device, such as contacts names, phone numbers, email, home and business addresses, company names and family ties.

Vertafore

November 14, 2020: Vertafore, an insurance software firm, fell victim to a data breach and exposed the personal and driver’s license data of over 27 million Texas citizens. The files accessed by an unauthorized party contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration histories.

123RF

November 12, 2020: popular stock photo and vector site, 123RF, experienced a data breach, and exposed 8.3 million user records. The database was later put for sale on the Dark Web, impacting members’ full name, email address, MD5 hashed passwords, company name, phone number, address, PayPal email, and IP address.

Animal Jam

November 11, 2020: Animal Jam, a popular online game for kids, was hacked and 46 million account records were compromised in a data breach. The databases belonging to WildWorks, the company behind Animal Jam, were posted to an online hacking forum on the dark web. The data included information related to children and parent accounts, including user names, emails, passwords, birth dates, and billing addresses connected to PayPal accounts.

Expedia, Hotels.com & Booking.com

November 6, 2020:  A unsecured database belonging to the hotel reservation platform, Prestige Software, leaked sensitive data from over 10 million hotel guests worldwide, dating as far back as 2013. The third-party data leak affected guests that have booked reservations through travel companies such as Expedia, Hotels.com, Booking.com, Agoda, Amadeus, Hotelbeds, Omnibees, Sabre and more. The information exposed in the data leak includes names, email addresses, national ID numbers, phone numbers of hotel guests, and reservation details such as reservation number, dates of a stay, the price paid per night. The unsecured database also disclosed sensitive credit card details from over 100,000 guests, including card number, cardholder’s name, CVV, and expiration date, and total cost of hotel reservations.

Mashable.com

November 5, 2020:  A database containing staff, users, and subscribers data of the online media company, Mashable.com, was leaked by hackers and reported publicly on November 8th. The breached data was later detected on the Dark Web on December 16th. The database contains 1,852,595 records, including names, email addresses, country, gender, job description, online behavior related details, date of registration, IP addresses, social media profile links, and authentication tokens.

JM Bullion

November 3, 2020:  Malware embedded in the online shopping platform of precious metals dealer, JM Bullion, captured the personal and banking card information of customers who made purchases between February and July 2020. Using the malicious code, hackers we able to collect an undisclosed number of customer names, addresses, and payment card details including account numbers, card expiration dates, and the security codes.

Fragomen, Del Rey, Bernsen & Loewy

October 27, 2020:  The immigration law firm responsible for representing Google, Fragomen, Del Rey, Bernsen & Loewy, announced a security incident has exposed the personal information of current and former Google employees.  An unauthorized third party gained access to an undisclosed number of employee Form I9’s, containing full name, date of birth, phone number, social security number, passport numbers, mailing address, and email address.

Pfizer

October 20, 2020:  The pharmaceutical corporation, Pfizer, exposed the personal and medical information of hundreds of medical patients taking cancer drugs through a data leak. A misconfigured Google Cloud database exposed names, phone numbers, home addresses, email addresses, customer support messages, health data, medical status, phone call transcripts, and prescription information.

Broadvoice

October 20, 2020: Security researchers at Comparitech discovered an unsecured database containing the records of more than 350 million customers along with call transcripts belonging to the cloud-based communication company, Broadvoice. The exposed Elasticsearch database enclosed personal details such as caller names, caller identification number, phone number, and location along with voicemail transcripts.

Dickey’s BBQ

October 16, 2020: A year-long Point-of-Sale (POS) system breach has impacted 3 million customers of the popular national BBQ chain, Dickey’s Barbecue Pit. Hackers posted over 3 million customers’ payment card details for sale on the Dark Web, where each record is being sold for $17 per card.

Barnes & Noble

October 15, 2020: Popular bookseller, Barnes & Noble, notified customers that a cybersecurity attack led to exposed customer information and caused service disruption of Nook e-reader books. The company has not disclosed how many customers have been impacted, but noted billing and shipping addresses, telephone numbers, and email addresses were accessed in the data leak.

Chowbus

October 6, 2020: Customers of the food delivery startup, Chowbus, received an email notification from the company that included a link to access the personal and account information of about 800,000 customers. The customer data in the data dump includes names, phone numbers, and mailing and email addresses.

Blackbaud

October 6, 2020: Blackbaud, a cloud-based fundraising database management vendor for non-profits and educational institutions, became victim to a ransomware attack beginning in February 2020, which remained undetected until May 2020. Blackbaud paid the ransom and received confirmation the data had been destroyed. Before deleting the data, the cybercriminals copied sensitive data from over 6 million donors, potential donors, patients, and community members including names, emails, phone numbers, dates of birth, genders, provider names, dates of service, department visited, and philanthropic giving history. A recent SEC filing in September 2020, reveals hackers gained access to more unencrypted data than originally reported, including Social Security numbers, financial accounts, and payment information. Hundreds of Blackbaud’s impacted clients continue to disclose the data incident, including Inova Health (1.5 million), Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000), Spectrum Health (52,711), Northwestern Memorial HealthCare (55,983), and Main Line Health (60,595). Several organizations in Vermont were also included in the breach, such as the Vermont Foodbank, Middlebury College, and Vermont Public Radio.

Warner Music Group

September 29, 2020: A recent legal filing revealed entertainment and record label conglomerate, Warner Music Group (WMG), suffered a three-month-long Magecart attack that exposed an undisclosed number of customers’ personal and financial information. Hackers accessed customers’ details from Warner Music’s e-commerce websites hosted and supported by a third-party, capturing customer’s names, email addresses, telephone numbers, billing addresses, shipping addresses, and payment card details such as card numbers, CVC/CVV, and expiration dates.

Town Sports

September 24, 2020:  A researcher at Comparitech discovered an unsecured online database containing records of 600,000 gym members of the fitness chain, Town Sports International. Town Sports has 185 clubs under various brands, including New York Sports Clubs, Philadelphia Sports Clubs, Boston Sports Clubs, Washington Sports Clubs. The database exposed customer names, postal addresses, email addresses, phone numbers, check-in data, gym location, notes on customer accounts, last four digits of credit card, credit card expiration date, and billing history.

Activision

September 21, 2020:  Over 500,000 gamer accounts of Activision, the video game publisher, were targeted in a credential stuffing attack. It has been reported that login data, such as email and password, was published publicly online, granting hackers access the Call of Duty accounts, often locking the rightful owner out of their account.

Children’s Hospitals and Clinics of Minnesota

September 16, 2020:  Children’s Hospitals and Clinics of Minnesota sent notification that a third-party data breach exposed over 160,000 patient records. The patient impacted in the breach includes names, addresses, phone numbers, ages, dates of birth, genders, medical record numbers, dates of treatment, locations of treatment, names of doctors and health insurance status.

Staples

September 14, 2020:  An undisclosed number of customers of the office retail giant, Staples, received email notification disclosing their information has been exposed in a data breach. The breached information includes customer names, addresses, email addresses, phone numbers, last four credit card digits, and order details.

Razer

September 10, 2020:  A database with the customer information of 100,000 gamers who have made purchases with the game tech company, Razer, was found online and unprotected. The exposed information included name, email, phone number, customer internal ID, order number, order details, billing and shipping address.

NorthShore University HealthSystem

September 9, 2020:  The Chicago based healthcare system, NorthShore University HealthSystem, disclosed the protected health information of 348,000 medical patients was exposed through a third-party data breach. The data breach exposed patient names, dates of birth, addresses, phone numbers, e-mails, admission and discharge dates, locations of services, and physician names and specialties.

Imperium Health

September 7, 2020:  A phishing attack led to the protected health information of 140,000 medical patients of Imperium Health Management to be exposed. The information accessed through the attack includes patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information.

Telmate

September 5, 2020:  Over 1 million inmates that have used the prison phone service, Telmate, have had their personal information exposed in an unsecured database. The information of both inmates and their contacts that was disclosed included names, gender, offense, religion, facility location, relationship status, medication history, emails, physical and IP addresses, phone numbers and driver’s license details.

Utah Pathology Services

August 31, 2020: In an attempt to redirect funds from Utah Pathology Services, an unauthorized hacker gained access to an employee email account and the sensitive information of 112,000 medical patients. The accessed information includes patient names, gender, date of birth, mailing address, phone number, email address, health insurance information, internal record numbers, diagnostic information, and a small number of Social Security numbers.

Dynasplint Systems

August 26, 2020: A motion rehabilitation device manufacturer, Dynasplint Systems, experienced an encryption attack on its business devices that exposed the personal and medical information of 103,000 patients. The accessed information includes names, addresses, dates of birth, Social Security numbers, and medical information.

Freepik

August 21, 2020: Freepik, a free image database, sent out a breach notification to 8.3 million users that their account login information was exposed through injected malware on their website. The malware collected emails of all users and hashed passwords of 3.77 million users.

Instagram, TikTok & Youtube

August 20, 2020: Researchers at Comparitech uncovered an unsecured database with 235 million Instagram, TikTok, and YouTube user profiles exposed online belonging to the defunct social media data broker, Deep Social. The scraped profile information in the data leak includes names, ages, genders, profile photos, account descriptions, statistics about follower engagement and demographic such as number of likes, followers, follower growth rate, engagement rate, audience demographic (gender, age and location), and whether the profile belongs to a business or has advertisements.

Avon

July 28, 2020: An unsecured database exposed the Personally Identifiable Information(PII) of 19 million customers and potential employees of the cosmetic company, Avon. The leaked information included names, phone numbers, dates of birth, email and home addresses, and GPS coordinates, as well as other technical information.

Promo.com

July 28, 2020: The video creation platform, Promo.com, confirmed their 22 million customers have had their personal and account information exposed in a third-party data breach. The compromised data includes names, email addresses, IP addresses, user location, gender, and encrypted passwords.

Drizly

July 28, 2020: The online alcohol delivery startup Drizly disclosed to its customers that a hacker accessed the account details of 2.5 million Drizly accounts. The customer information exposed included email addresses, date-of-birth, and hashed passwords.

Dave Mobile Banking App

July 26, 2020: A third-party breach leaked the account details of over 7.5 million users of the digital banking app, Dave. Although no financial information was disclosed, the breach exposed names, phone numbers, emails, birth dates, home addresses, and encrypted Social Security numbers.


Ancestry.com

July 20, 2020: An unsecured server exposed the sensitive data belonging to 60,000 customers of the family history search software company, Ancestry.com. The details leaked include email addresses, geolocation data, IP addresses, system user IDs, support messages and technical details.

 

 

For older data breaches please visit the IdentityForceBlog to see more.