2016 Compromises affecting 10,000 or more
1/04/2016 Ohio area tax authority loses records
The Regional Income Tax Agency has lost a DVD with information on about 50,000 people who filed with that agency. “No indication” it was stolen. It was stored at a third party vendor’s facility and its loss was discovered when the DVD was recalled to be destroyed. More …
1/05/2016 Ukraine Power Grid Hacked
Reported by TSN news in late December 2015, a power outage lasting several hours left about half the homes in the western Ivano-Frankivsk region without power. Slovakian information security firm ESET now reports that the attacks were much more widespread than originally believed. “This is the first time we have proof and can tie [ specific ] malware to a particular outage,” Kyle Wilhoit, a senior researcher at security firm Trend Micro, tells Reuters. “It is pretty scary.” Much more at 12/31/2015 Reuters 1/05/2016 DataBreachToday
1/06/2016 Update A spreadsheet started it?
Did a malware laden Excel spreadsheet start the cascade lead to a massive power outage? Paul Ducklin of Sophos:
Company X receives an Excel file via mail. The file contains macros, which don’t run by default, but if the recipient clicks to allow them, the macros install malware from a family called BlackEnergy.
BlackEnergy is what is known as a bot or zombie, which calls home to receive instructions from the remote attackers. (The malware name predates any connection with the energy industry.)
The attackers can then install various additional malware items, such a data-trashing Trojan called KillDisk, and a hacked copy of the DropBear SSH server that has backdoor “master passwords” programmed into it. Source
[ Don’t open Microsoft Office documents from people you don’t know. Make sure your system is set up to ASK for permission to execute macros. Do NOT give approval for macro execution for documents you might suspect. Security is in YOUR hands. -ed ]
1/07/2016 Update Sandworm
“U.S. cyber intelligence firm iSight Partners said on Thursday it has determined that a Russian hacking group known as Sandworm caused last month’s unprecedented power outage in Ukraine.” More at Reuters
[ iSight should know SandWorm code. They “discovered” it in October 2014 during an analysis of Russian attacks against NATO. Review this post as it gave definition to the meaning of a weaponized PowerPoint presentation. -ed ]
1/14/2016 Update Coordinated Attack
While malware was part of it there were other parts that coordinated in taking out the Ukraine power. See NakedSecurity/Sophos.
1/22/2016 Update Follow on Phishing
Spear-phishing targeted at energy related businesses and facilities in the Ukraine continue. There may be a single source or multiple sources and they may, or may not, be related to the recent blackout. The malicious payloads are more common than the earlier tailored BlackEnergy. The main airport in Ukraine’s capital, Kyiv International Airport (IEV), was infected by malware that communicated with a server based in Russia. One thing is certain, someone is making winter more miserable. More at DataBreachToday.
1/06/2016 Southern New Hampshire University
A database containing student information including names, email addresses, course name, course section, assignments and scores was exposed to the public. More …
1/06/2016 TimeWarnerCable Hacked
320,000+/- customers exposed.
TWC was notified by the Federal Bureau of Investigation that some customer information including email addresses and account passwords “may have been compromised.” TWC has no idea how the information was obtained saying both “were likely gathered either through malware downloaded during phishing attacks” and obtained “indirectly through data breaches of other companies that stored Time Warner Cable’s customer information”. Reuters
1/08/2016 Indiana University Health
An unencrypted portable storage device went “missing” from the Emergency Department. Informatioin on that device included patient names, birthday, age, telephone number, dates of service, diagnoses and physician. More…
1/12/2016 St. Luke’s
A late report to HHS.GOV: 10/31/2015 an unknown person entered a restricted area of the hospital and removed a USB drive that may have contained protected health information on patients. More …
1/12/2016 Faithless Fans
A database containing 18,000 user names and passwords was discovered on the web. The hack was later determined and the company fixed the database but neither disclosed the breach nor the repair. Although the fan database isn’t a very valuable target the prize comes from two other uses: use of the information for phishing and a tendency for people to use the same username/password combination on other sites. In 2018 the European Union with introduce new data protection rules that may include “mandatory data breach reporting” so the affected are at least informed. Source
1/19/2016 Blue Shield of California
20,764 exposed when an unauthorized user gained access to the data systems. More …
1/19/2016 New West Health Services of Montana
28,209 exposed when a laptop computer was stolen from an off site location. Information may have included customer name, birthday, address, medical history, diagnosis, prescription(s), driver’s license number, Social Security numbers, bank account, and charge card information. More …
1/26/2016 Bailey’s Inc.
15,000 compromised when charge card information was taken from the company web site BaileysOnline.com Keystrokes were captured starting on 9/25/2015 and ending 1/13/2016. Compromised were cardholder names, address, telephone number, email address, charge card number, CVV numbers, expiration date, user name and password. More …
950,000 compromised because a St. Louis based health care provider cannot locate six hard drives containing name, address, birthday, Social Security number, and other health information for persons who received laboratory services from 2009 to 2015. The absence-of-presence was discovered during an inventory of information technology assets. Centene provides such services over 23 states.
1/28/2016 FOP hacked
The Fraternal Order of Police (FOP) reported information taken from their web servers and re-posted on line. The fop.net server was taken off line and was still off line 1/30/2016. The FOP president, Chuck Canterbury, reports the FBI is investigating. The web site is primarily members only and serves as a discussion forum. The facts are in dispute. One who re-posted part says there are terabytes more. Canterbury says there was never that much material. What was re-posted includes hundreds of contracts between authorities and FOP. Some of these have been criticized as shielding police officers from prosecution or disciplinary action following validated excessive uses of force. More…
2/04/2016 Taobao users
20 million exposed
Alibaba, the largest collection online buyers and sellers, owns Taobao which is like Amazon’s storefronts with consumer-to-consumer (C2C) sales. The Taobao website connects the buyers and sellers. Like such systems everywhere it is sort of self policing. Sellers who don’t deliver as promised or buyers who don’t pay get bad marks. Those with poor marks are shunned by other buyers and sellers.
Hackers obtained 99 million usernames and passwords from a number of sources. They used Alibaba’s cloud computing platform to apply the details to Taobao. They found about 20%, over 20 million, of those user names and passwords were used for Taobao. Criminal conduct ensued, there was a detection and, according to Chinese officials, the crooks have been caught. Original report from Reuters. Analysis from Motherboard and NakedSecurity/Sophos
[ One user account for one web site. Don’t reuse! It may inconvenience some electrons, but in this case being green means keeping your money. -ed ]
2/04/2016 UCF SSN & PII swiped
63,000 exposed at the University of Central Florida
Students (current and former), staff and faculty were compromised in January. Also exposed were employees who worked at UCF back to the 1980s. How the breach was discovered was not disclosed. See more from the Orlando Sentinel
2/08/2016 29k Feds Exposed
29,000 DHS and FBI exposed
[ Whether or not the information was obtained via scraping already public records or improper access of one or more sources of information to which they were not privileged, someone has exposed information on about 20,000 agents of the Federal Bureau of Investigation (FBI) and 9,000 employees of the Department of Homeland Security (DHS). -ed ]
On Sunday 2/7/2016, Motherboard obtained an advance copy of a sub-set of the database. They called a “large” selection of telephone numbers and connected with voicemail boxes matching the name listed in the database. Other connections were made with department operation centers and a few to people. A few of the numbers reached persons or offices other than those listed. On reaching the DHS National Operations Center, Motherboard was told they were the first to report a “data breach”. According to the anonymous hacker access was obtained via a single compromised email account then “social engineered” a code from a “helpful” person to get past the security portal. More at Motherboard
2/08/2016 Update DHS Reply
DHS: “We take these reports very seriously, however there is no indication at this time that there is any breach of sensitive or personally identifiable information.” The posted information was notable for what it did not contain. Although the poster referred to charge card numbers none were provided. DHS describes the information obtainable via Freedom of Information Act request. More at FoxNews
2/13/2016 1M charge cards for sale
Since at least June 2015 Bestvalid.cc has been selling the stolen charge card details of over a million people for as little as £1.67 (about $2.50/each) in an operation labeled “the largest and most brazen of its kind”. The site is on the open web, not the deep web, not the dark web, just out in the open. With a victim’s permission a reporter made a purchase with bitcoin. In the bundle received were charge card details and other identity theft items including mother’s name, mobile phone number and postal address. Merchants are not being forthcoming about charge card compromise either. In last year’s TalkTalk breach it was reported that only partial charge card information was exposed when over 150,000 complete sets of information were. Absent warning consumers had no chance to act proactively to prevent misuse. More at Telegraph/UK
[ This is why NC3 was designed, to make the merchant storehouse of charge card information valueless to criminals. Tweet
Ajaypal Singh Banga CEO @mastercard
and Charles W. Scharf CEO @visa
Tell them a better way exists that adds functionality beyond anything available and does not require new hardware for providers, merchants or consumers. See www.NC3.mobi -ed ]
Ajaypal Singh Banga CEO @mastercard
and Charles W. Scharf CEO @visa
2/27/2016 University of California/Berkely Hacked
Financial information on 80,000 exposed
December 28 2015, during the fix of a problem with the financial management system, a hacker broke in gaining access financial data for students, alumni, current and former employees. Exfiltration of the data was not confirmed. Affected were those who received non-salary payments though electronic fund transfers, such as financial aid awards and work-related reimbursements. Vendors who received EFT payments were also exposed. (Source)
[ It took two full months for public disclosure, but the affected were notified within a week. -ed ]
In addition to others shown here in February 2016, ITRC reported 7 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 203,439. These included 91,000 from the Washington State Health Authority.
3/01/2016 Twitter Bug
Mid February: about 10,000 Twitter uses that a bug in the password recovery system may have exposed their personal information. Details were limited to 140 characters. Read more at Naked Security / Sophos. [ ok, one part of the above was sarcasm, but we don’t have a sarcasm font. -ed ]
3/03/2016 Main Line Health
A spear phishing attack resulted in data on 11,000 employees to a scammer per HIPAA Journal.
3/03/2016 Public Health Trust
There was an unauthorized access to 24,188 electronic medical records.
3/03/2016 Premier Healthcare
A locked laptop computer was stolen from the Billing Department which was locked and protected by an alarm system. The laptop was password-protected, but was not encrypted. Information exposed included material to address billing issues for 205,748 patients.
3/10/2016 22,000 exposed
A cyber security breach by a disillusioned ISIS member brings an intelligence prize with information with 22,000 names, addresses, telephone numbers and family contacts. More at Fortune
3/11/2016 2.2 million exposed
Cancer center hacked in October 2015.
21st Century Oncology is based in Fort Myers, Florida operates 145 cancer treatment centers in the United States and 36 more in seven Latin American countries. In November 13, 2015 they were notified by the FBI “that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database.” Subsequent investigation found that the breach occurred October 3, 2015 and may have exposed patient names, Social Security number, physician names, diagnosis, treatment and insurance information. 21st CO revealed the number affected on March 4, 2016 as part of an 8-K filing with the Securities and Exchange Commission. That is five months after the breach and four months after being told about the breach by the FBI. The delay as at the request of the FBI so as not to compromise the investigation. More at Data Breach Today.
3/15/2016 LAZ Parking
About 14,000 employees of the LAZ parking company in southern California had their 2015 W2 information sent in response to an email.
3/24/2016 Kantar Group
A W2 phishing scam obtained information on about 28,000 employees of the market research firm Kantar Group. See KrebsOnSecurity
3/24/2016 1.5 million Verizon exposed
Earlier this week the sale contact information on some 1.5 million customers of Verizon Enterprise was offered for $100,000. Alternately $10,000 would buy 100,000 records. Detail are sparse but it appears Verizon found the weakness before the offering and is contacting affected customers. More at Krebs On Security.
3/28/2016 Mercy Clinics
15,625 patients have been informed that their name, address, date of birth, medical diagnoses, treatment information, and health insurance details. Some Social Security numbers may have been exposed by a data-capturing virus. Per HIPAA Journal
3/29/2016 UC students/staff/faculty monitored by … UC
When: Late in 2015 high-powered spyware was installed at the University of California, a large school system with undergraduate, graduate, medical programs and more in many locations.
Who: Who had it installed? No foreign hacker, no rogue federal government program. It was the University of California’s president, Janet Napolitano, former head of the Department of Homeland Security. (source)
Why: UC has been the target of some large-scale problems and protection was warranted. The question and outrage have to do with the secrecy with which the “protection” was installed. Without public announcement or disclosure, hardware and software were installed to monitor traffic patterns including what web sites are viewed by students, staff, and faculty.
Earlier this century, an attempt to track what books you read was met with withering criticism for its potential to muzzle free speech.
What: The office of the president has not explained what is being collected, what analysis is being performed, and how that collected data is itself being protected. Earlier practice was to delete the log files rapidly. Now these files continue to exist and are subject to exposure through legal or illegal means.
The official policy seems to have evaporated. The official word from UC-Davis on spyware says:
The use of programs to identify and remove spyware programs is strongly advised to help to maintain the privacy of personal information and Internet use. The use of an anti-spyware program must be accompanied by installing program updates on regular basis to ensure the ability to detect and remove new spyware or adware programs. This standard applies to computers connected to the campus network using Windows operating systems. [ source highlighting ours -ed ]
That quote is from the “UC Davis Cyber-Safety Program Policy”. There is a link to a document at https://security.ucdavis.edu/archive/pdf/310-22.pdf which appears to be non-existent.
In general California students are not reluctant to make their unhappiness known. In early February several students sued Google for violating their contract regarding scanning email to target advertisements.
[ We are surprised this is below the national radar. The participants in this conflict are not lightweights. On one side is a major university that educates national-level computer science talent and has a long history of supporting free speech. The other served for four years as head of Homeland Security. While the motives may have been good, and may still be good, the secrecy with which the surveillance was begun is antithetical to our freedoms. Monitoring what people read is unsettling, as was the library issue earlier this century. In general, Secrecy begets Tyranny:
“Secrecy is the keystone to all tyranny. Not force, but secrecy and censorship. When any government or church for that matter, undertakes to say to its subjects, “This you may not read, this you must not know,” the end result is tyranny and oppression, no matter how holy the motives. Mighty little force is needed to control a man who has been hoodwinked in this fashion; contrariwise, no amount of force can control a free man, whose mind is free. No, not the rack nor the atomic bomb, not anything. You can’t conquer a free man; the most you can do is kill him.”
Robert A. Heinlein (source)
“Secrecy is the keystone to all tyranny. Not force, but secrecy and censorship. When any government or church for that matter, undertakes to say to its subjects, “This you may not read, this you must not know,” the end result is tyranny and oppression, no matter how holy the motives. Mighty little force is needed to control a man who has been hoodwinked in this fashion; contrariwise, no amount of force can control a free man, whose mind is free. No, not the rack nor the atomic bomb, not anything. You can’t conquer a free man; the most you can do is kill him.”
Robert A. Heinlein (source)
3/31/2016 State Department Visa Database
Half a billion records exposed.
In addition to common items such as name, address, birthday, Social Security number etc. this database contains a massive biometric treasure. Photographs and fingerprints make it highly valuable to a nation-level intelligence service. The exposure is being downplayed by public announcement of being “hard to exploit”, but being hard to do isn’t impossible to do. Who hacked the Office of Personnel Management in June 2015? That breach went undetected for almost a year. The number affected started at 4 million, then 10 million and, thanks to a second breach, totaled over 25 million records. Who did that? Perhaps more important is the potential for hackers to alter pending applications to obtain approval for a passport or a visa that would otherwise be turned down. More at ABCNews
4/04/2016 Massive Turk Exposure
49.6 million records exposed?
Using servers in Romania an Icelandic group specializing in divulging leaks has posted a database that appears to contain personal information. The content, partially verified by AP, contained names, national ID numbers, addresses, birthdates and parents’ names. Included in the disclosed information was Turkish President Recep Tayyip Erdogan, the prior President Abdullah Gul, and the current Prime Minister Ahmet Davutoglu. More at The Seattle Times
4/04/2016 Irked Hacker Strikes
237,000 records exposed or were they?
Poor security practices of an adult website (ok, a porn provider) irked a hacker so much he hacked them and they never knew it until the data appeared in the dark web. Worse, because that one site was part of an affiliated group of adult web sites more information was exposed. The company says the data is recycled from an older breach. The company never removes old user identification, but those accounts are not useful after they expire. More at Motherboard
4/10/2016 Philippine Election Database
The Philippine Commission on Elections website was defaced and a few days later, Lulzsec Pilipinas dumped the voter database. The Commission claimed no sensitive information was exposed in the breach. Do you believe them? Probably good that you didn’t because over a million Philippine voters who are out of the country had their PII, including fingerprints, exposed. More …
4/11/2016 44k at FDIC
44,000 exposed in “inadvertent” breach
A former employee left FDIC on Friday February 26, 2016 with a personal storage device. FDIC detected the breach on Monday February 29, 2016. The device was returned Tuesday March 1, 2016. What was on the device? The FDIC isn’t saying only that the former employee had legitimate access to it “for bank resolution and receivership purposes.” More at Washington Post
In addition to others shown here in March 2016, ITRC reported 2 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 47,588. These included a W2 phishing scam that snagged about 21,000 W2s for employees of Sprouts in Arizona and an unauthorized access to computer records of the Illinois Valley Podiatry Group which exposed patient data on 26,588 persons.
4/14/2016 93.4 million Mexican voters exposed
Earlier in April 2016 the Philippine Election Database was compromised. In December 2015 over 191 million American voters were exposed. Now the voter database from Mexico, all Mexicans registered to vote as of February 2015, has been found on line. There were 93.4 million entries in 100+ gigabytes. The compromise was confirmed. Mexican authorities explain that the database is not on line, let alone on Amazon Cloud storage. When the database is provided to political parties it is sent via hard drive. The non-password protected database was found by the Shodan-Slueth Chris Vickery. A list of the fields exposed and more is at Motherboard / Vice
4/22/2016 Update Mexican voter database off line
Vickery discovered the database 4/14 and reported it to the US State Department, the Department of Homeland Security, Mexico via the Mexican Embassy in Washington D.C., the Mexican Instituto Nacional Electoral (INE), and Amazon. The database was taken offline 4/22, eight days later. Vickery’s blog
4/27/2016 Minecraft Lifeboat springs leak
“Lifeboat” has been hacked to expose 7 million users. More
[ Were you exposed? See Have I Been Pwned website. Just enter email address to check against many (too many) breaches. -ed ]
4/27/2016 Beautiful People get hacked too
1.1 million users who were “beautiful” enough to be included on the dating site BeautifulPeople.com have had their height, weight, job, email address, telephone numbers, and other information contained in about 15 million “private” email messages exposed since December 2015. Some of the beautiful people found their exposed data but had not been notified by the company. 170 of these beautiful people used a .gov email address. More
[ BP validated the email addresses so whoever used it has access to those government email accounts. BP also requires an image of the applicant has to be posted for others to vote on acceptance. Is someone looking into the use of .GOV email addresses? Were you exposed? See Have I Been Pwned website. Just enter email address to check against many (too many) breaches. -ed ]
4/30/2016 Computer Distributor Infects Computers
12 million infected
On 12 million computers in Australia, France, Japan, New Zealand, Spain, the United Kingdom and the United States, there exists software with capabilities for adware and spyware. It was installed there by advertising company Tuto4PC. Discovered by Cisco’s Talos security intelligence and research group, the software has administrator rights and can download and install other software without user consent and gathers consumer personal information. The software is aware of sandboxes, antivirus and security tools including forensic software. As a result, Talos classified Tuto4PC as a “full backdoor capable of a multitude of undesirable functions on the victim machine.”
The French are investigating the installation of unwanted software and harvesting of users’ personal details. In response, Tuto4PC Group CEO stated the antivirus bypass technology is not used for malicious purposes, just to make it easier for users to install applications being blocked by antivirus software. More at Security Week.
[ If the bypass was for user benefit why isn’t it available with an on / off switch? Why was new software downloaded without user permission or notification? The Talos classification story is well worth the reading to learn how a seemingly benign piece of software was determined to have capabilities far in excess of expected and for purposes decidedly not benign. -ed ]
In addition to others shown here in April 2016, ITRC reported 3 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 5,109,247. These included:
4/6/2016 Office of Child Support Enforcement / Washington State. In February 2016 burglars stole a laptop and hard drives that may have contained up to 5 million names and Social Security numbers.
4/20/2016 Patient Treatment Centers of America was hacked exposing 19,397 patient names, addresses, identification numbers and Social Security numbers.
4/20/2016 The Archdiocese of Denver payroll system was accessed. W2 information was accessed for about 80 people, but 18,000 names, addresses and Social Security numbers are in the database.
5/03/2016 ADP weakness exposes W2s
ADP provides payroll, tax and benefits administration for more than 640,000 companies. U.S. Bancorp, the fifth-largest commercial bank in the United States, warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.
How? ADP has an online portal allowing employees to access their data directly, without having to go through their company human resources. If an employee never created (registered) their account at the external portal a crook, relying on static information, could perform the registration, and obtain anything the original employee could have accessed. More at Krebs On Security.
5/05/2016 Millions of Credentials for $1
Hold Security researchers found for sale stolen credentials in 1.17 billion records. Eliminating duplicates there were over 150 million from Mail.ru accounts (57M, almost 90% of all Mail.Ru users), and tens of millions of credentials for Gmail (24M), Microsoft (Hotmail 33M) and Yahoo (40M), plus “hundreds of thousands of accounts” at German and Chinese email providers. More at Reuters
5/06/2016 Update Maybe not
[ In September 2014 there was a reported exposure similar to this. We reported it, but did not include the numbers in our count of exposed accounts. There are reasons to exclude this one as well. See Business Insider. -ed ]
5/07/2016 Kroger employees exposed
Equifax allows employees of many companies, including Kroger, to download their W2, that document so prized by crooks because it has so much information allowing them to file for false tax returns.
All the crook needed was the 8-digit “default PIN code”. The first four digits are the last four digits of the employees Social Security number and the last four digits are their birth year. Kroger alone employs over 430,000 people. They, and all the other employees of Equifax customers, were exposed. More at Krebs On Security.
5/10/2016 InvestBank Breach
Exposes 100,000 payment cards and more
About 10GB of data appears to contain bank internal files, other financial documents, customers’ data and 100,000 Visa and MasterCard payment card numbers. Also included were bank statements for more than 3,300 InvestBank customers, ATM transaction records, extensive details relating to InvestBank’s employees, property records, scans of identity documents and other sensitive material. The breach seems to have been accomplished by the same group that hacked Qatar National Bank in late April 2016. More at Data Breach Today
5/13/2016 PORN dot GOV?
Not exactly. A hardcore fetish web site was injected with an SQL code to reveal information about its customers. Information included IP, email, username and passwords of more than 100,000 users. We’ve seen exposures like this before. What is perhaps new is the number of email addresses ending in dot-GOV and dot-MIL indicating a position with the US government or military. More at Hack Read.
[ Were you exposed? See Have I Been Pwned website. Just enter email address to check against many (too many) breaches. Thanks to Troy Hunt for finding this breach and maintaining such a great tool. As for those who used GOV/MIL email addresses, why not use Gmail? It might have saved an interview with the inspector general, the FBI or other people with the power to end your career or worse. -ed ]
5/19/2016 Update No watchdogs, no verification
According to Troy Hunt no one from the US government or military has contacted him to get a list of the GOV or MIL addresses in the database. Also, if it wasn’t clear before, this web site didn’t verify the accuracy of the email address provided. So, anyone could have registered with any email email address. Unlike some other websites that don’t verify there were no publicly available glaring misrepresentations.
5/20/2016 Update Social Scientists Swipe PII
70,000 people exposed by … social scientists?
Between November 2014 and March 2015 Danish researchers accessed a website and harvested the data of 70,000 people. Information included, age, gender, location, personality traits, usernames and more. The researchers didn’t hack the site, they viewed the profiles in the normal manner and used an automated “screen scraper” to harvest the data. The data was included in a document submitted for review, not published, but reviewers took objection.
Was it public? No. At best it was semi-public and protected by copyright. The contents may not be published or used to create derivative works for any public or commercial purpose. Perhaps worse, these were social scientists who generally take personal information and make it anonymous. This data had considerable personally identifiable information (PII).
The Open Science Framework (OSF, who had received the data for review prior to publication) removed the data following a Digital Millennium Copyright Act (DMCA) complaint from the web site and an investigation. The researchers say they will submit to other journals. Because the data was available there is a possibility it has already been taken for other, less beneficial, purposes than the advancement of social science. More at Naked Security / Sophos
5/23/2016 Bank Secrecy Exposed
100,000+ exposed in The Great Swiss Bank Heist.
Back in the mid-2000s one person was able to extract data on over 100,000 Swiss bank accounts. The exposure itself was shrouded in secrecy. Were honorable clients exposed? Yes. About 13% of the list had secret accounts, but declared them to their respective governments and paid taxes. About 87% did not.
The prosecution claimed that the privacy of thousands of honorable clients had been violated … this was hard to reconcile with the damning particulars of the list. Of six hundred and twenty-eight Indian names on the list, only seventy-nine had declared their assets to the Indian government. The proportion was similar for Argentina and Greece. Gabriel Zucman, the economist, estimates that eighty per cent of assets in offshore havens are undeclared. Tax evasion wasn’t incidental to H.S.B.C.’s Swiss bank, Henzelin concluded; it was the bank’s raison d’être. [ (source) Highlighting ours. -ed ]
In the case of Greece the amount hidden was a double digit percentage of their national gross product. Neighboring countries began to realize that the hidden banking system was siphoning funds that represented tax revenue and the amount was staggering. Much more at the New Yorker.
We didn’t have such large problems in the last century. Why today do we have a global economy that damages so many? Perhaps because in the ‘old’ days more people played by the same set of rules. This from the Bank of England describes the breach of trust where some participants simply don’t follow the same rules, taking benefit now for themselves and leaving the system in disarray.
Evidence has emerged, both micro and macro, to suggest trust may play a crucial role in value creation. At the micro level, there is now ample evidence the degree of trust or social capital within a company contributes positively to its value creation capacity,” said Haldane. “At the macro level, there is now a strong body of evidence, looking across a large range of countries and over long periods of time, that high levels of trust and co-operation are associated with higher economic growth. Put differently, a lack of trust jeopardizes one of finance’s key societal functions — higher growth.”[ (source 26 page PDF) Highlighting ours – ed ]
Exposed: 360,213,024 records that might have an email address, a username, some with one password and some with two passwords. 111,341,258 of the accounts included a username. 68,493,651 had a secondary password. Passwords were weakly protected. What appears to be a default password “homelesspa” was in use for over 850,000 records and was #1 in frequency followed by “password1”, “abc123” and “123456”. The top four email domains were @yahoo.com (over 126 million), @hotmail.com (almost 80 million), @gmail.com (over 25 million) and @aol.com (over 24 million). There is an open question of when MySpace was hacked and MySpace has not responded to requests for comment. More at Leaked Source.
7/01/2016 Update MySpace
The compromised MySpace data was released and is now on the Have I Been Pwned website with over 1.1 billion compromised credentials. Just enter an email address to check against many (too many) breaches.
5/30/2016 65M Tumblr Accounts
Tumblr (now owned by Yahoo) posted note #69,375
We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password. For additional information on keeping your accounts secure, please visit our Account Security page. [ (source) Highlighting ours -ed ]
A cyber intelligence specialist for Hacked-DB got the breach data and reports the number of hacked accounts at 65,469,298. Tumblr refused to confirm, deny or comment on the accuracy of the number. More at Hack Read.
[ We have repeatedly indicated our opinion that breaches are not being reported. (see When Do You Get Told?) This and the bank heists via SWIFT are just two recent examples. This one appears to have Yahoo/Tumblr management speaking with two voices. One: it was years ago, before new management, no big deal, etc. Two: We won’t say how many there were and (even though it is no big deal, right?) we’ll be requiring a password reset for affected users. Hardly the way to give us the warm and fuzzy security feeling. -ed ]
In addition to others shown here in May 2016, ITRC reported 10 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 732,286. See below.
5/31/2016 Brunswick Corporation / Mercury Marine
13,000 people were exposed thanks to a successful phishing expedition that caught W2s for current and former employees about 5/3/2016 per ITRC 20160503-04.
In October 2015 a former FDIC employee walked out with thousands of sensitive records including 10,000 Social Security numbers. The data was recovered in December 2015 but not reported until May 2016 during which various FDIC officers debated over whether or not the exposure constituted a “major” incident. Per ITRC 20160509-08.
5/31/2016 Ohio Department of Mental Health and Addiction Services
A survey was sent via postcard instead of envelopes exposing health care information for 59,000 patients about 5/9/2016 per ITRC 20160509-01.
5/31/2016 Mayfield Clinic of Cincinnati
In February 2016 23,341 patients were sent email with an attachment of malware. How many were actually infected is unknown. The data to send the email was obtained by an individual who gained access to a database held by a vendor to Mayfield per ITRC 20160510-03.
5/31/2016 National Counseling Group
On 3/21/2016 email was hacked exposing information on 23,000 per ITRC 20160510-05.
5/31/2016 Medical Colleagues of Texas
The computer system was hacked exposing names, addresses, health insurance information and Social Security numbers for 68,631 people per ITRC 20160512-06.
5/31/2016 California Correctional Health Care Services
On 2/25/2016 a password protected, but unencrypted, laptop was stolen from a personal vehicle exposing medical information on 400,000 people per ITRC 20160516-02.
5/31/2016 Poway Unified School District of California
A parent asked for information on her own name using a public records request. The district released information on 36,000 students including their name, nicknames, addresses, phone number, hearing exam results, vision exam results, language fluency, academic test results, and parent occupation.
5/31/2016 San Juan County of New Mexico
A system was hacked exposing healthcare information for 12,000 patients exposing personal helth care information per ITRC 20160524-04.
5/31/2016 Southwest Eye Institute
Information on 87,314 patients were exposed by a network hack per ITRC 20160524-17.
6/01/2016 Major Utility Open to the Internet?
Chris Vickery has had excellent success at trolling the internet and finding poorly secured or totally unsecured data. At the end of May he posted that a major utility had exposed 47,000 computers, servers, and other devices left wide open. “We’re talking about IP addresses, operating systems, hostnames, locations, MAC addresses, and more” “This would be a treasure trove for any hostile nation-state hacking group.” Dangerous? Yes. Back in March 2016 the Ukraine power grid was hacked affecting over a million people. In response the company said this data was all “fake”. There are fake networks specifically designed to lure intruders. This might have been the most detailed such “honeypot” ever. If so, why did the company take it down rapidly after being notified? This company delivers delivers natural gas and electricity to about 16 million people in California. Do they have no security?
6/02/2016 NFL players
This past April a football trainer’s laptop was stolen along with paper records in a backpack. Combined, the two have electronic and paper medical records for thousands of players, including NFL Combine attendees since 2004. HIPAA rules may not apply because the NFL is not a “covered health care provider”, but the exposure is the same. More at DeadSpin and Data Breach Today.
6/03/2016 Multi MongoDB
36 million records were compromised from over 110 IP addresses. Specific information varied by server but included were full name, username, password, telephone, physical address, over half a million email addresses and more. The primary vulnerability was poor security configuration. More at Hack Read.
6/07/2016 Driver’s Licenses from Louisiana
For sale on the dark net: 290,000 records with first name, middle name, last name, birthday, license number, addresses, city, state, zip code and phone numbers. Some records have emails. Where did the information come from? Consider two more fields: state that issued driver’s license and offense. That has the appearance of a police database for driving infractions. Records are primarily from Louisiana, but include Delaware and Texas. The hacker asking $12,153,960,000 USD, over 12 billion dollars, or some agreeable price. Bitcoin only. More at Hack Read.
VK.com is Russia’s largest social networking site with more than 350 million users over all Europe. 100 million records containing, full names, email addresses (sometimes two), location, and telephone number were offered for sale. Also included were [gulp] plain text passwords. LeakedSource has part of the database added to its service. You can check it. You might not believe the most common passwords. See The Hacker News for more.
6/08/2016 State Farm
DAC Group had a security breach to a development system populated with production data. 93,000 customer accounts were exposed. 77,000 of those accounts were for State Farm, a group of insurance and financial services companies. More at Hack Read
6/09/2016 Karma Bites Crooks
ShOping.su is known for selling hacked accounts. They got hacked and 16,000 ShOping.su’s registered accounts plus 15,000 stolen accounts and 9,000 sets of charge card data were taken. Hacked-DB confirmed data is indeed from platforms across the web and contains ID card numbers, social security numbers, charge card numbers, zip code, phone numbers, usernames, email addresses and more. See Hack Read.
6/10/2016 uTorrent Hacked
385,000 sets of user credentials compromised by the vendor hosting the forum. More at Hack Read.
iMesh of New York was one of the first peer-to-peer (P2P) file sharing services. It started in the late 1990s, grew to be among the most popular about 2009 and, according to their web site, is no longer available as of May 2016. Their database was compromised about 9/22/2013. Why does it matter now? Just recently all 51 million records surfaced for sale at 0.5 BitCoins, about $330 USD. Many people use the same userid and password on other sites. If you do, change your passwords.
Compromised information included username, password, email addresses, IP addresses, location and more. The users were from US (13.7M), Turkey (±4M), UK (3.5+M) and other countries. The most common email domains used were HotMail (14.3M) and Yahoo (10.5M). The password “123456” was used by almost a million users. All passwords were protected by MD5 which was found to have a significant vulnerability. More at The Hacker News.
6/14/2016 Greenwich University / UK
Greenwich University, based in London with multiple facilities, was hacked. According to a defacement page, the hack was accomplished by a former student who had been dismissed by the university. The entire 2.7GB database included sensitive information on over 21,000 students, staff, exams, grades, personal conversations, full name, email address, password, location and more. More at Hack Read.
6/15/2016 VerticalScope / MultiCompany
VerticalScope “specializes in the acquisition and development of websites and online communities for the Automotive, Powersports, Power Equipment, Pets, Sports and Technology vertical markets.” The automotive list has over 500 domains. Outdoor (80+), Sports (20+) and there are many, many more. An estimated 42 million user accounts have been compromised. Exposed were the user’s user name, password(s), email address and IP address (giving general location.) Over 40 million passwords were protected with the now-deprecated MD5 protocol. How weak is that? 11 million were cracked in 10 days by researchers in 2015. Users didn’t help by choosing “123456” as the most frequent password with “password” coming in third.
Time to say again change your password if you use any of VerticalScope’s domains, use one password for one site (not many) and use a strong passphrase (ex: I_HatePasswords2!). More at Naked Security / Sophos.
In early July 2016 we reported on the dangers of using a cloud-based provider. Later we found information on three of that provider’s customers. See below.
6/20/2016 Bizmatics / Stamford Podiatry Group
Medical and personal information for 40,491 people was compromised in a security incident where an unauthorized person, or persons, had access between 2/22/2016 and 4/14/2016. Information included full name, medical history, referring doctors, treating doctors, treatment, Social Security number, gender, birthday, marital status, telephone number, email address, and insurance. More at SC Magazine.
6/20/2016 Bizmatics / Integrated Health Solutions, P.C.
IHS was informed by Bizmatics, Inc. that Bizmatics experienced unauthorized access to its records which may have included access to 19,776 patient records.
6/20/2016 Bizmatics / ENT and Allergy Center of Arkansas
In early April Bizmatics notified EACA “that at least some of our electronic patient medical records were potentially accessed and obtained by unauthorized persons. The information contained in the records that may have been accessed included patient names, addresses, health visit information, and at least the last four digits of the patient’s Social Security number.” EACA reported to HHS that 16,200 patient records may have been exposed. More at Data Breaches.
6/23/2016 154 million US voters very exposed
L2 is a data brokerage firm. They sold a large database with 154 million US voter records to a client. The database contained much more than voter registration information. Personal information included name, address, age, ethnicity, email, Facebook profiles, gun ownership, position on gay marriage, and “pro-life” position. All of this was legally sold to an L2 customer.
Chris Vickery, who has found many an inappropriate data set unsecured on the web, found this on rented server space from Google’s Cloud services. It was a CouchDB database, configured for public access without requiring username, password, or any other authentication. He traced it to L2. L2 indicated the data set was about a year old and was their data, but the location wasn’t theirs. In a stunning burst of speed, within three hours the database was taken down. L2 located the original customer who indicated they had been breached and the data taken from them. No information on how many people may have already downloaded it or how long it had been available. Vickery’s blog post at MacKeeper and more at Naked Security / Sophos.
[ The “we were hacked” explanation has to be taken with a little skepticism until supported by cyber-forensic evidence. This is not the first large scale exposure of voter records. In December 2015 over 191 million US voters were exposed. In April 2016 over 93 million Mexican voters were exposed. The speed with which the data was taken down is worthy of applause. That the data was not detected by the hacked company (if they were hacked) is lamentable. Are we yet outraged at the leaky kettle called “big data”? My HACKED stamp is getting cracked from excessive use. -ed ]
6/23/2016 T-Mobile Hacked by Employee
A T-Mobile employees in the Czech Republic took 1.5 million customer records with name, email address, account numbers and more with intent to sell it. The Czech Republic has refused to provide any “additional specific information” about what data was leaked citing an ongoing police investigation. More at The Hacker News
6/29/2016 2.2M “suspect” persons
Security researcher Chris Vickery has found another unsecured database on line. Access does not require a username or password. This is the same researcher who found the database with 154 million US voters.
This new discovery is called “World-Check” and lists individuals around the world. It is used by over 300 government and intelligence agencies, 49 of the 50 biggest banks, and 9 of the top 10 global law firms. The current version lists 93,000 individuals “suspected” of having terrorist ties and millions of others. This data is openly for sale. The exposed version is from mid-2014 and has 2.2 million people on it. It is not hosted by Thomson Reuters (who acquired the company that created World-Check). It is still on line.
[ Compare this response to L2 response which got the exposed data off line in hours after being notified. While this data is created and sold legally it has since become exposed. -ed ]
6/30/2016 10M health records
Four databases totaling about 10 million are available for sale on the Dark Web. The records are reportedly from:
a large, nationwide health insurer
a healthcare organization based in Georgia (stored in plain text)
a healthcare provider in the central and midwest
a healthcare organization in Farmington, MO (also in plain text)
More at Data Breach Today
In addition to others shown here in June 2016, ITRC reported two incidents where the number affected was over 10,000 per incident. These included Acer Service Corporation (34,500 financial / exposed charge card information) and Wal-Mart AR (27,393 non-financial / refund checks were sent to wrong person improperly exposing some medical information)
7/10/2016 80K exposed at Amazon
A hacker found a major stash of Kindle subscriber information and submitted it to Amazon for bug bounty on critical security flaws in Amazon’s server. When he didn’t hear back he released the information which was confirmed to be “new” in the sense it had not been seen before. Information may have contained user’s email, password, address including zipcode, phone number, and more. See Hack Read.
[ The first of four stories on 7/10/2016 describing over 100 million compromises. Are you sick of it yet? Are you practicing safe hex? Are you telling companies that have your information to be [deleted] protective of it? Just wait until your unchangeable biometric identifier is compromised! -ed ]
7/10/2016 615K exposed at Netia
Friday Reuters reported what may have been a breach at Netia, a major telecommunications provider in Poland. Saturday Hack Read reported that the data for 615,000 subscribers had been posted on line. Information included full name, home address and IP address. The only glimmer of good news is that the data was last updated in 2014.
7/10/2016 20M exposed at MTN
Earlier in July, the second largest cell provider in Iran (MTN) was hacked exposing personal information on 20 million MTN subscribers. Worse, anyone could send a Telegram bot (popular messaging app) with a cell number to access information which included full name, address, landline number, city and postal code. More at Hack Read
7/10/2016 Malware increases click-costs to advertisers
An advertising firm in China distributed malware so cell phones “clicked” on their advertisements allowing them to bill their customers an estimated additional $300,000 per month. The malware was HummingBad for Android and Yispecter for iOS. The latter can infect jailbroken and NOT-jailbroken i-phones. The malware was hidden in over 200 applications. HummingBad is known to be in 85 million phones world-wide. The Yispecter spread isn’t reliably known. More at The Hacker News.
7/11/2016 Penton Media / 5 sites / 1.8M users
The databases underlying five web sites are for sale with about 1.8 million users among them. See Salted Hash
Mac-Forums about 300,000 accounts
Hot Scripts 1+ million users
Web Hosting Talk about 500,000 users
A little later Leaked Source reported that Penton, the host media company, was breached on July 4, 2016 and, in addition to the above, the databases of dBforums, and A Best Web were compromised. The databases are hashed and salted using the now-deprecated MD5 protocol. [ NonTechTranslation: they were protected, but that protection system was seriously eroded years ago. -ed ] The most common password in all of the Penton exposures was “123456”. Penton has not confirmed the breach.
7/13/2016 Omni Hotels / 50k charge cards
7/8/2016 Omni Hotels posted a notice on point of sale (POS) malware that collected charge card information including name, charge card number, security code and expiration date. It was discovered 5/30/2016, about five weeks before disclosure. The malware may have operated as early as 12/23/2015, almost six months before the notice, and operated through 6/14/2016.
What Omni didn’t say is how many of its 40+ properties were affected, how the malware was introduced, or how they learned of it. The latter is understandable because the first Omni heard of it was when someone reported 50,000 charge cards for sale in February 2016. More at Data Breach Today.
7/13/2016 34+k patients exposed
The data for 34,621 patients, almost all from Big Apple Ortho-Med Supply Inc. (Bronx, NY), is available for sale. Data includes full name, complete address, email, date of birth, and multiple telephone numbers. More at Hack Read.
7/16/2016 Ubuntu Forum / 2M exposed
Forums for Ubuntu, a popular flavor of Linux, have been hacked. Exposed data includes username, email address and IP address for two million users. Preliminary cause was a known, but unpatched, SQL injection vulnerability in the ForumRunner add-on. Announcement from SlashDot.
[ Earlier this year Linux Mint was hacked. In addition to forum information a web page was redirected to a clone whose downloads were infected with malware. -ed ]
7/18/2016 4 Dating Sites Hacked / 2.2M exposed
Four dating websites have been hacked in the last two weeks. Passwords from one were in plain text format, one other in now-deprecated MD5 hash. The most common password was “12345”. One site had 2,035,020 users and collectively 2.2 million were exposed. SoftPedia and Hack Read.
7/23/2016 Clash of Kings Forum Hacked / 1.6M exposed
The forum for the popular Android and iOS game with over 100 million installations was vulnerable because it was using a 2013 versions of vBulletin and did not use HTTPS for transactions. Exposed were 1,597,717 sets of usernames, email, IP addresses, device identifiers and passwords. Users used their social media accounts to access the site also exposed that information. More at Hack Read
7/31/2016 Internet Mall Hacked / 10+M exposed
With annual transactions reaching nearly a billion dollars an internet mall was an attractive target. In May 2016 they were hacked and personally identifiable information including name, email addresses, telephone number and more were exfiltrated. The company did not detect the breach. In July they were surprised to receive a ransom message: Pay $2.6 billion dollars or we’ll leak the information.
The ransom actually was for an astonishing 2.891 trillion (2,891,460,000,000) won, the currency of South Korea. The hackers were tracked to North Korea’s General Bureau of Reconnaissance, North Korea’s main foreign intelligence agency. The intrusion had used some of the same code and came from the same IP addresses as in previous breaches. More at NY Times.
In addition to others shown here in July 2016, ITRC reported 6 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 139,674. These included:
7/05/2016 22,000 Massachusetts General Hospital Dental Group
7/11/2016 38,000 exposed via phishing email at North Carolina State University.
7/12/2016 13,000 Ransomware attack on Ambulatory Surgery Center of St. Mary Medical Center, Middletown PA.
7/12/2016 13,671 Uncommon Care of PA, exposed via Bizmatics
7/12/2016 31,000 Unauthorized accss to Laser & Dermatologic Surgery Center MO.
7/12/2016 22,000 North Ottawa Medical Group of MI, exposed via Bizmatics.
8/01/2016 House of the Mouse, hacked. 391K exposed
Disney Consumer Products and Interactive Media “became aware” on July 12, 2016 that an unauthorized party had accessed servers at least twice on 7/9/2016 and 7/12/2016 and acquired user information from the PlaydomForums.com domain. More from their 7/29 FAQ and from GameInformer.
[ Good news: They noticed it on their own and didn’t have to wait until a ransom demand arrived. Why didn’t they become aware on 7/9? Great news: they are not knee-jerking the “your security is important to us”. -ed ]
8/05/2016 Banner Health 3.7M exposed
On June 17, 2016 hackers commenced to infiltrate Banner Health. They were discovered July 7, 2016, two weeks later. Cyber attackers may have gained unauthorized access to computer systems that process payment card data at food and beverage outlets at some Banner Health locations. Six weeks after the attack started Banner Health issued a statement (2 page PDF). Exposed were payment card data (cardholder name, card number, expiration date and internal verification code). Unauthorized access to patient information, health plan member and beneficiary information, about information and healthcare provider information may also have been exposed. More at Data Breach Today
8/11/2016 Dota2 Forum 1.9M exposed
The developer forum for Defense of the Ancients 2 (Dota2), a multiplayer online battle arena video game, was breached 7/10/2016 exposing emails, IP addresses, usernames, user identifier and hashed passwords. On 8/9/2016 an unknown sender sent the information to LeakedSource (a data mining company) who reported the passwords were salted and hashed with deprecated MD5. Over 80% of the passwords have been converted to plain text. As the breach was determined to be considerably in advance of any action it appears reasonable to state the administrators of the forum were unaware of the breach until after the data had been delivered. More at Hack Read
[ Search LeakedSource to see if your data is in the thousands of recorded breaches. I checked using my email and it was found in two known breaches among 1.9 billion emails – ed ]
8/12/2016 VW does it again, bigger
VM has admitted to vulnerabilities affecting almost every VW made since 1995, an estimated 100,000,000 vehicles. Researchers at University of Birmingham in the UK extracted a cryptographic key common to many vehicles. Add the unique value encoded on the matching remote key fob (electronic eavesdropping can read it) and a functional fob clone can access that car. The paper (17 page PDF) was presented at Usenix and included in the Proceedings of the 25th USENIX Security Symposium August 10–12, 2016 in Austin, Texas.
This affects many of Volkswagen’s vehicles including the Audi A1, Q3, Ibiza, Leon, Alhambra, Skoda’s Fabia 1, 2, Octavia, SuperB, Yeti, Amarok, Caddy, e-Up Golf 4, 6, and Polo. Some later versions of Audi use a different system. A second vulnerability affects more makes including Alfa Romeo, Citroën, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot that use an older crypto design in HiTag2 fobs. Electronic eavesdropping gathers codes sent by the key fob and the encryption scheme can be cracked in under a minute. What fantastically complex technologies can do this? How about a $40 Arduino processor and software defined radio (SDR)? More at Ars Technica and Reuters.
[ Volkswagen took a public relations bath for knowingly and falsely representing diesel emissions on many cars. That this security vulnerability existed for so long isn’t going to make consumers any happier. Some day insurance companies will realize the lack of stout security makes these cars easier to steal and, because they are undamaged, easier to sell. Read an opinion on how to better create car software -ed ]
8/28/2016 Opera sync hacked
About 1.7 million users of Opera browser’s synchronization service have had their login details exposed. Opera is resetting all affected account passwords. More at Engadget.
8/29/2016 68+ million credentials exposed
Credentials from 2012 known breach of DropBox have appeared on line. DropBox has confirmed the data is valid and is again forcing a password change. About 47% of the exposed passwords were secured with the strong function bcrypt. The remaining 53% were secured with SHA-1, a deprecated function. Motherboard / Vice
[ Why were not the accounts secured with the deprecated SHA-1 provided a forced reset and stored with the stronger function? -ed ]
9/02/2016 42+ million credentials exposed
Account details from a breach of Last.fm website were taken in March 2012. The company admitted the breach months later. They didn’t force a password reset. They “encouraged” users to change their passwords. That 2012 data appeared on line just recently. It was “protected” with the MD5 hash which was shown to be weak in 2004. Because of the weaknesses 96% of all the passwords in the exposed data were hacked in two hours. More at The Hacker News
[ With this revelation NC3 has recorded over TWO BILLION compromises in 2016 to date. Why didn’t the company phase-force (say 20% of accounts per month) a password change and store the new passwords with the available better protection? -ed ]
9/07/2016 98+ million credentials exposed
Another very delayed notification: 2012 saw some large data breaches including almost 100 million credentials from Rambler.ru, a Russian web portal and email provider. This one included passwords in plain text. The breach was not reported. LeakedSource reported it had a copy of the data. Rambler has responded that a password reset was forced, passwords are now encrypted, and users are prohibited from using a prior password. More at Naked Security / Sophos.
9/07/2016 1+ million compromised ‘things’
Malware was written in the C language for easy compilation across multiple platforms. The many variants are infecting devices we don’t always consider “computers” such as security camera digital video recorders that use the internet for communication. Once compromised these devices become part of a network of robots (botnet) that can be used to find other devices to compromise and used to mount distributed denial-of-service attacks either by hire or for ransom. How powerful is this ‘bot army? Very. Over one million devices were observed in these attacks. The majority were generically named “H.264 DVRs” and located in Taiwan, Brazil, Columbia, US, Mexico, China, India and more. Poor security design is one part, but the human installers often left the default security settings. More at Level3
9/07/2016 790+ thousand exposed
The forum for Brazzer’s porn site was hacked exposing over 790,000 users and their plaintext passwords. Some users who did not join the forum may have also had their credentials exposed. Incredibly this data was from another unreported 2012 breach. The breach was due to outdated vBulletin software. More at Motherboard / Vice.
9/12/2016 11.6+ million more exposed in August
We gather our information from multiple publications. We get them from readers and friends. Lastly we check ITRC to find the smaller breaches that didn’t make the news. August 2016 is the first month where there were 11 exposures over 10,000 each for a total of 11,665,927. They were:
Athens Orthopedic Clinic in Georgia exposed 201,000 patient records during a cyber attack in Late July. Information on current and former patients included names, addresses, Social Security numbers, birth date, telephone number and more.
Midwest Orthopedics Group in Missouri was breached in late May 2016 exposing 29,153 patient names, address, Social Security number, birth date, diagnosis, laboratory results and more.
Newkirk Products is a manufacturer of identification cards for health insurance companies. They were beached exposing 3,300,000 insured names, mailing address, plan types, group ID number, and the names of covered dependents.
FDIC in Washington D.C. had an employee return all electronic devices when she left her job in late September 2015. A USB device was not returned exposing sensitive personal information including Social Security numbers on 28,000 to 30,000 individuals.
[ Reporting was almost a year after the loss and they don’t know how many? -ed ]
A business associate of Bon Secours Health Systems in Maryland left information on 655,000 patients exposed on the internet for four days in April 2016.
Valley Anesthesiology and Pain Consultants of Arizona reported in August that a third party may have gained unauthorized access to 882,590 patient records on June 13, 2016.
In June the Washington Department of Fishing & Wildlife was the target of a cyber-vandalism attack which may, or may not, have exposed information on 2,435,452 people who applied for licenses. Information potentially exposed name, birth date, address, driver’s license number, last four digits of the Social Security number, height, weight, and eye color. In some cases email address and telephone number were also potentially exposed.
The Kentucky Department of Fish & Wildlife was hacked by a social hacker who reported the weaknesses but did not publicize them until they were patched. 2,126,449 records containing name, birth date, address, and more were exposed.
The Oregon Department of Fish and Wildlife was hacked by a social hacker who reported the weaknesses but did not publicize them until they were patched. 1,195,204 records containing name, birth date, address, and more were exposed.
The Idaho Department of Fish and Game was hacked by a social hacker who reported the weaknesses but did not publicize them until they were patched. 788,064 records containing name, birth date, address, and more were exposed.
9/14/2016 6.6+ million more exposed
ClixSense pays people to view adds, take surveys, etc. It was hacked and 6.6 million sets of credentials taken. 2.2 million of them were placed on PasteBin. Have I Been Pwned has verified the authenticity of that data. The remaining 4.4 million sets are up for sale. Contents include full names, home address, email and IP address, birth date, gender, payment history and other banking details. The big kicker? plain text passwords. Also offered are Social Security numbers, complete source code of the ClixSense website, and internal emails. ClixSense posted a note describing that a production server no longer in use had been compromised. From there the hackers reached current data. New security measures have been implemented. ClixSense didn’t really address the unauthorized disclosures or poor security practices that allowed the breach to occur. Hackers also ran SQL code to change account names to “hacked account” and set user account balances zero. Hackers also changed all the internal email passwords and set up a DNS redirection for ClixSense to a “gay porn site”. The hackers communicated that the 2.2 million record dump was done only after ClixSense refused to admit the breach had occurred. PasteBin has removed the post including the 2.2 million records. As of 9/14/2016 ClixSense was displaying 6,626,048 members. More at Ars Technica and The Hacker News.
9/22/2016 Recode: Yahoo to confirm massive 2014 breach
Back in 2014 Yahoo reported a breach of unknown size. Earlier in 2016 Yahoo said it was investigating a breach where hackers claimed 200 million user accounts had been compromised. At 2am Recode reported that the expected announcement was “massive”.
9/22/2016 Yahoo confirms: Massive!
The New York Times has reported Yahoo confirmed the 2014 breach had compromised “at least” 500 million users including name, email, telephone number, birth date, passwords and more .
[ A breach in 2014 took two years to confirm? Why? Was the highly paid executive trying to keep the potential liability under wraps to boost the purchase price and her personal fortune at the risk for literally hundreds of millions of users? -ed ]
9/23/2016 324k cards exposed with CVV
Over 300,000 cards with card verification value (CVV, that three or four digit code generally on the back) were posted on a web site. The data was not encrypted and included the CVV which is not supposed to be retained long term. The name of the file was Bluesnap, which is a payment processor and they report they have not been hacked, even going to the extent of hiring an outside security consultant to examine their site. Regpack is a customer of Bluesnap. They first denied having been hacked and their data was encrypted. then revised the statement to say that occasionally Regpack stored unencrypted versions for analysis. Human error placed this file on a publicly accessible server. More at Naked Security / Sophos including some guidance for non-IT managers of businesses that receive CVV codes.
9/23/2016 update Regpack & The Streisand Effect
Regpacks denial, update, confusion and more is not the clear response a company wants to project when their security is demonstrably weak. Trying to hide an issue from technologically knowledgeable journalists can initiate the Streisand Effect (Wikipedia) where what someone is trying to hide actually gains attention. Regpack is trying not to lose trust and customers. Might be too late. More at Data Breach Today.
In addition to others shown here in September 2016, ITRC reported 6 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 102,685. These included:
18,399 Franciscan Healthcare Highline
21,880 New York State Psychiatric Institute
10,700 Planned Parenthood of Greater Washington
15,478 University Gastroenterology, Inc. RI
20,000 M Holdings Securities of Oregon
16,228 King of Prussia Dental Associates PA
9/29/2016 New Jersey Spine Center was attacked by CryptoWall which encrypted their patient files making them inaccessible The files included payment information, but there is no evidence the files were exfiltrated. While this was an “unauthorized access” we didn’t include the 28,000 records because they were not exposed to an outside party.
11/14/2016 412+ million users compromised
Login credentials for adult websites run by California-based FriendFinder Networks Inc. were compromised in the largest hack of 2016. The sites include Adultfriendfinder.com (340M), cams.com (63M) and Penthouse.com (7M). Based on review of the email addresses it appears that over 15 million accounts were deleted by users, but retained by the sites.
What was FriendFinder’s response? “FriendFinder takes the security of its customer information seriously…” Passwords were in plain text or SHA1, a deprecated hashing algorithm. Over 99% of the SHA1 hashed passwords have been cracked. Considering FriendFinder was breached in May 2015 and exposed about 65 million credentials why any passwords were in still plain text is not security in any sense of the word. User passwords continue to be weak. The top six passwords by frequency were the numeric sequence starting with 12345. 12345 (2nd place), 123456 (1st place), 1234567 (6th place), 12345678 (4th place), 123456789 (3rd place) and 1234567890 (5th place). Why was there no password strength meter to disallow these? A general description at Reuters. Details at LeakedSource.
In one breach we just surpassed THREE BILLION compromised accounts.
In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended. We also recommend The Identity Theft Resource Center (ITRC).
2016 Compromises affecting less than 10,000
2016 Compromises affecting an unknown, or undisclosed number
2016 Summary of Compromises
2016 General Information
Return to References page
Return to Year links page
Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.