Compromises in 2015 affecting 10,000 or more

Compromises in 2015 affecting less than 10,000
Compromises in 2015 affecting an unknown, or undisclosed number


01/05/2015 Morgan Stanley

A bank in New York, New York
350,000 non-financial accounts compromised

An employee took customer information on 350,000 clients including account numbers. Additional information on what other information was captured has not yet been released. Data on several hundred clients were published on a website. (sources: ZDNet   Bloomberg)

01/06/2015 Aspire Indiana, Inc.

a healthcare provider or servicer in Indiana
43,890 non-financial accounts compromised

11/7/2014 several password-protected laptops were stolen exposing name and email address, but no other information. See also source.


01/14/2015 TRH Health Plan / BCBS of Tennessee

a healthcare provider or servicer in Tennessee
80,000 non-financial accounts compromised

TRH is a not-for-profit service company of Farm Bureau. TRH members were informed that BCBS of Tennessee (a health plan administrator) had inappropriately accessed names and addresses for marketing purposes in violation of HIPAA.


01/20/2015 Office

a retail business on the Internet & Worldwide
1,000,000 non-financial accounts compromised

Office is based in the United Kingdom with 150 stores worldwide and on the internet. In May 2014 an unauthorized individual hacked an unencrypted database of historic information that was in the process of being decommissioned. Scope: Exposed information included name, birthday and unencrypted passwords. Scale Information on more than one million customers was exposed. (source)


01/31/2015 Umass Memorial Medical

a healthcare provider or servicer in Massachusetts
14,000 non-financial accounts compromised

Allegedly a former employee accessed billing information that contained payment card information, name, Social Security number and birthday for 14,000.


02/03/2015 Boston Baskin Cancer Foundation

a healthcare provider or servicer in Massachusetts
56,694 non-financial accounts compromised

12/2/2015 a non-encrypted external hard drive with information from patients between 2008 to mid-2014 was stolen from an employee’s home along with other equipment. The employee was authorized to take data home. Scope Compromised information included patient name, address, telephone numbers, Social Security number and birthday. Employee information was also compromised including name, birthday, pay rate, hire data, termination date (if terminated) and Social Security number. Questions? Call 1-888-593-6181



02/04/2015 Anthem, Inc.

80 million exposed (estimated) non-financial accounts

Anthem is the largest for-profit managed health care company in the Blue Cross and Blue Shield Association and headquartered in Indianapolis, Indiana.

Scope: Compromised information included name, Social Security number birth date, address, phone number(s), email address(es) and some employment information. At the date of announcement the company indicated that neither financial information or medical history had been compromised.

Scale: A non-confirmed (but large) number of non-financial accounts were compromised. The potential is large. According to their web site Anthem serves 1 in 9 Americans, 37 million enrolled in its health plans, to a total of 69 million by including those served by its affiliated companies. 80 million exposures are being reported in multiple news outlets including CNN Money.

Anthem was formerly Wellpoint Inc. until last year. The breach also affected these other organizations

Anthem Blue Cross
Anthem Blue Cross and Blue Shield
Blue Cross and Blue Shield of Georgia
Empire Blue Cross Blue Shield

As of 2/5/2015 the breach was not mentioned on their home page. There is a separate web site with a FAQ.

Update 2/5/2015 Legal

First class action lawsuit being prepared in Anthem’s home state less than 12 hours after announcement

Update 2/5/2015 What Victims Need to Know

A good article from CNBC with brief video presentations on what to do.

Update 2/6/2015

Although medical information transmitted outside the organization was encrypted, data inside Anthem was not encrypted. Exposed persons include the chief executive. How did Anthem become aware of the breach? No alarm had been activated. A single administrator noticed his identity was being used to make requests from the database. (source)

Update 2/6/2015 Why you really should care

Article on how you can be harmed, the road to protection and more, (strong language)

Update 2/7/2015 Scammers act faster than Anthem

Just hours after Anthem announced the breach the phishing scams started. Anthem announced it was emailing notices to the affected. Faster than Anthem, scammers sent their own messages and a veritable flood of direct calls seducing prey into detrimental actions. (more at KOS)

Update 7/28/2015 Hackers identified

In a 28 page PDF Symantec identifies a well funded hacking group named Black Vine as the instigator of the Anthem attack. A summary can be read at NetworkWorld.

4/08/2016 Update  Unusual move by Anthem

Anthem wanted access to consumers personal computers to inspect them for malware capable of creating the harm alleged by the plaintiffs. (CourtHouseNews) U.S. District Judge Nathaniel Cousins said no. Adding it was “ironic that the defense was seeking discovery of the plaintiff’s personal information when the core allegations of the plaintiffs is the defense failed to protect them from damage to their personal information”. There are several reason Anthem may have tried. See…

02/18/2015 The Office of Jeb Bush

a business other than retail in Tallahassee, Florida
12,500 non-financial accounts compromised

Jeb Bush’s office inadvertently exposed individual personal information as part of a larger cached file of about 330.000 emails sent to him during his term as Governor of Florida. The email was sent as part of a measure for transparency, however his team neglected to remove personal information some of those individuals exposing their names, Social Security numbers, and birth dates. (source)


02/24/2015 South Sunflower County

a healthcare provider or servicer in Mississippi
19,000 non-financial accounts compromised
Improper disposal of records exposed many.

02/27/2015 Uber Hacked … 9 months ago

50,000 exposed non-financial accounts

What & When: On Friday 2/27/2015 Uber disclosed that one of its databases had been improperly accessed by an unknown third party. It appears the breach took place in May 2014 (9 months prior to disclosure) and was discovered in September 2014 (5 months before today’s disclosure). Scope: Exposed information were Uber driver’s names and license numbers. Scale: An upper limit of 50,000 exposed was provided, but no one knows precisely. Uber said it was a “small percentage” of current and former Uber drivers across the United States. 21,000 of those exposed are in California. (Sources: Los Angeles Times   Uber’s Blog Post)

Update 8/28/2015  Uber gets talent

Because Uber is in the ride-for-hire business a hack of its vehicles could be disastrous, even if Uber has no control over the telematics of the vehicle. 14 companies control 80% of the global automobile market (source) and Uber is preparing for the autonomous, self-driving future.

Uber hired the two security researchers who hacked Fiat-Chrysler’s Uconnect system back in July 2015. That hack generated a recall of 1.4 million vehicles. Charlie Miller and Chris Valasek made presentations at DefCon and BlackHat in 2015 and Uber induced them to leave their existing employers. (source: ArsTechnica see also NYTimes)

03/02/2015 Piedmont Advantage Credit Union

A credit union firm in North Carolina
46,000 accounts compromised

PACU cannot locate a laptop computer containing personal information and Social Security numbers. 46,000 is their entire membership.

03/03/2015 BCBS – Minnesota

a healthcare provider or servicer in Minnesota
1,000,000 non-financial accounts compromised

About one million prescription drug records were on a state database that was compromised by a nurse with a history of narcotics theft.

03/13/2015 Google / eNom / WhoIs

282,867 private WHOIS records were exposed over almost two years. Scope: Exposed information included name, real address, email address, telephone number and more.

“Google leaked the complete hidden whois data attached to more than 282,000 domains registered through the company’s Google Apps for Work service, a breach that could bite good and bad guys alike. The 282,867 domains counted by Cisco Systems’ researchers account for 94 percent of the addresses Google Apps has registered through a partnership with registrar eNom. Among the services is one that charges an additional $6 per year to shield from public view all personal information included in domain name whois records. Rather than being published publicly, the information is promised to remain in the hands of eNom except when it receives a court order to turn it over. Starting in mid 2013, a software defect in Google Apps started leaking the data … to become public once a domain registration was renewed. Cisco’s Talos Security Intelligence and Research Group discovered it on February 19 [2015], and five days later the leak was plugged, slightly shy of two years after it first sprung.” (source) [ Emphasis ours -ed ]

03/17/2015  Premera Blue Cross

11,000,000 exposed

What: Premera Blue Cross disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Announcement and FAQ are at PremeraUpdate.com When: Based on the investigation the attack started May 5, 2014, almost a year ago. Premera said it learned about the attack on January 29, 2015. Who: was affected? The breach exposed members from Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands, Vivacity and Connexion Insurance Solutions, Inc. Scope: Exposed were name, address, email address, telephone number, date of birth, Social Security number, member identification number, medical claims information. In some cases bank account information was also exposed. Source: KrebsOnSecurity

05/27/2015 Update  5 suits

Five class-action lawsuits were filed in U.S. District Court in Seattle on behalf of Premera customers from Washington, Nevada and Massachusetts. They have similar complaints: that Premera was negligent, breached its contract with customers, violated the Washington Consumer Protection Act and failed to disclose the breach in a timely manner. More at an article in The Seattle Times.

March 2015

In addition to others shown here, in March 2015, ITRC reported 11 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 13,102,420. These included 11,000,000 for the Primera breach and three state medical/health breaches: Virginia Department of Medical Assistance (697,583), and two incidents at Georgia Department of Health (355,127 and 557,779).

04/07/2015 OpIsrael

The Internet
47,453+ accounts compromised

In a coordinated attack multiple sites were hacked. Scale: over 700 sites were hit exposing information for tens of thousands. Scope: exposed information included names, emails, clear text passwords, home address and city, gender, telephone numbers, social media credentials and some Paypal credentials. One precise number is 47,453 exposed email accounts that were unique in a group of over 75,000 accounts posted by the hackers as substantiation of their exploits. For access to the leaked data see the URL below. The total numbers may have been higher. Affected sites included government, businesses, social and religious oranizations.


April 2015

In addition to others shown here in April 2015, ITRC reported 6 incidents where the number affected was over 10,000 per incident. These incidents were all considered non-financial and affected 686,047. These included Children & Family Services (200,000) and Auburn (364,012).

05/14/2015 mSpy

Financial and Non-Financial accounts compromised

What: A merchant, mSpy a provider of monitoring services, was hacked in a way that the company appears not to have known. Security researcher Brian Krebs found a dark-web site hosting several hundred gigabytes of data taken from mobile devices running mSpy’s products.

Scope: Emails, text messages, payment information and location data. The unknown hackers indicate the whole data set includes information on more than 400,000 users and includes Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions.

Scale: an undetermined number of consumers use mSpy, but taking the hacker’s word, this affects 400,000+ non-financial accounts and 140,000+ financial accounts. Some unfortunate consumers may be in both counts.

Much more on the article.

Update: 05/20/2015 mSpy denial countered

“mSpy told BBC News it had been the victim of a “predatory attack” by blackmailers, but said it had not given in to demands for money. Claims the hackers had breached its systems and stolen data were false, it said. A leading security expert had earlier reported a breach of its systems. “There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told BBC News.” (BBC News).

The security expert was Brian Krebs who reported the same day that he had harvested information from the dark web, contacted the people described in that information, all of whom confirmed they were customers of mSpy. “I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy. I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy.” (source:KOS article).

Update: 05/21/2015 mSpy confesses

The next day after security researcher Brian Krebs disclosed data, mSpy admitted it had been hacked and data taken. Krebs had broken the story a week earlier. “ After insisting that the data was fake and no breach had taken place, mSpy has now admitted that data had been stolen.” (source:BBC News) [ ed: mSpy also reported the number affected was closer to 80,000 from 400,000. Given their recent bout of not quite telling the truth, we’re keeping the number at 400,000 exposed. ]

Why is this important? mSpy not only monitors children for their parents it monitors adult activity for other adults. It may be the mSpy has information that people do not want disclosed, you know, secrets? Disclosure, or threatened exposure, of those secrets make those people susceptible to blackmail.

Update: 05/27/2015 exposed mSpy data still on line

“Incredibly, nearly two weeks after this breach became public, all of the leaked screen shots remain viewable over the Internet with nothing more than a Web browser if one knows the base URL that precedes the file name. And that base URL is trivial to work out if you have an active mSpy account.” Read how at Krebs on Security. mSpy was “reached today [ 5/27/2015 -ed ] about the exposed screenshots, mSpy reiterated its claim the data cannot be traced back to the data owner, and then acknowledged that it was reworking its system to render the exposed screenshot links unusable.”

05/20/2015 CareFirst

1,100,000+/- accounts compromised

Scope: “CareFirst said that although the hackers gained access to customer names, email addresses and birthdates, they did not obtain sensitive financial or medical information like Social Security numbers, credit card information and medical claims.” (source).

CareFirst is offering credit monitoring and identity theft protection for two years. The theft of insurance information, but not medical information, Social Security numbers and charge card information sounds questionable. (source).

05/21/2015 Adult FriendFinder

64,000,000+/- accounts compromised

What: A California based web site containing personally identifiable, and sensitive, information was hacked. Information was identified on the dark web in March 2015 before the company noticed the breach. Scope: Compromised information includes usernames, email addresses, birth dates, IP addresses, zipcodes, gender, sexual preference, purpose for using the site which can include extramarital affairs. Scale: The site reports having about 64 million users. Information on 3.9 million have been exposed. Speed: Within hours of the data being leaked, hackers hit victims with spam, and virus laden, emails. After the initial campaign, hackers are expected to sift the data looking for potential blackmail targets. Within the released data were dozens of government and armed services personnel, including members of the British Army. (sources: 5/21/2015 Britain’s Channel 4 news  5/22/2015 CBS)

05/26/2015 Internal Revenue Service

IRS / Federal Governments
100,000+/- accounts compromised
344,000+/- Updated total compromised (see 8/17/2015 update below)

“Using Social Security numbers, birth dates, street addresses and other personal information obtained elsewhere, the criminals completed a multistep authentication process and requested the tax returns and other filings, the I.R.S. said. Information from those forms was used to file fraudulent returns, the I.R.S. said, and the agency sent nearly $50 million in refunds before it detected the scheme.” “More than 200,000 attempts to view the past returns using stolen information were made from February to mid-May, and about half were successful. … The agency paid $5.8 billion in falsely claimed refunds in 2013.” To put that in context: “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts” (NYTimes article) (NYTimes follow up article)

Update: 06/02/2015

In testimony before the Senate Finance Committee IRS Commissioner John Koskinen said “… the IRS paid identity thieves $5.2 billion in 2011 alone.” (source)

Also – legal companies make a profit from even fraudulent tax returns. (source) States are looking for a better way to stop tax refund fraud. Sounds more complicates with another consumer identification number. (source)

Update: 06/09/2015

Could legal companies be forced to disgorge those profits? (source)

Update: 08/17/2015   Total raised to 344,000

The IRS added 220,000 to more than than double the previous number of exposed persons. “In 2012, the IRS sent a total of 655 tax refunds to a single address in Lithuania, and 343 refunds went to a lone address in Shanghai … The IRS estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013.” Source: Associated Press via [ http://abcnews.go.com/Technology/wireStory/irs-thieves-stole-tax-info-additional-220000-33137882 ] ABCNews.

Update: 08/20/2015    Law Enforcement Fight Back / New Lingo

Over the past week arrests were made in multiple states following multi year investigations. While certainly not directly related to the IRS breach of 5/26/2015 this does show a renewed commitment to combating the white-collar crime of identity theft and tax fraud which are as lucrative and less risky than dealing drugs. In Los Angeles CA 32 members of one gang was charged with 283 counts of criminal conspiracy, 299 counts of identity theft, 226 counts of grand theft and 58 counts of attempted theft. 866 counts in all or just over 27 each. In Elizabeth, NJ 14 members of another gang charged a 49-count indictment for a range of “white-collar crimes” and the charges were filed under New Jersey’s Racketeer Influenced and Corrupt Organizations (RICO) statute which carries significant penalties. “Money mules” are people used to move funds. Sometimes it is moving cash around the country, sometimes catching funds from a “jackpotted” ATM programmed to spout cash, or to exchange those funds for gift cards, prepaid debit cards or other financial equivalents easier to move. “Drop hoes” are people used to receive improperly obtained tax refunds, then convert either checks or direct deposit into forms for eventually delivery to the crooks that caused them. (source)

Update: 12/11/2015   IRS to court: Dismiss!

Is the IRS immune from liability for exposing hundreds of thousands of taxpayers?

Well, they think so: “After hackers stole the data of 330,000 taxpayers from an IRS database earlier this year, the federal agency now is requesting that the circuit court hearing the class action suit dismiss the case in its entirety. The IRS alleges the court does not have jurisdiction over the claims for three reasons: the claims are preempted by the IRS Code; the IRS is immune from liability under the doctrine of sovereign immunity; and the taxpayers have not proven any actual injury by the data breach.” per CyberSecurityDocket [ highlighting ours -ed ]

May 2015

In addition to others shown here in May 2015, ITRC reported 6 incidents where the number affected was over 10,000 per incident. One incident was considered financial and exposed 25,000. The other five incidents were non-financial and exposed 361,505.

2/26/2016 Update  IRS: Affected was 700,000

Reported in May 2015, the IRS exposed information on 100,000 taxpayers. That number was raised to 344,000 in August 2015. It was just raised again to 700,000. Is that the end of it? What took so long? This Update: AP via US News.  Start of the story

06/04/2015 4M Federal Employees

OPM / Federal Government
6/04/2015 – 4,000,000+/- accounts compromised
6/12/2015 – 2nd breach exposed 10,000,000+/- compromised accounts
7/09/2015 – 2nd breach exposed 21,500,000+/- accounts. Total 25.5M so far

Today the “U.S. Office of Personnel Management (OPM) has identified a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information (PII).” About two months ago, in “April 2015, OPM detected a cyber-intrusion affecting its information technology (IT) systems and data.” As of 6/4 OPM is notifying the affected employees. Because of the volume notifications may take several weeks starting June 8, 2015. OPM is not offering any no-charge credit protection and refers federal employees to other services

More at the OPM announcement and a Forbes article.

According to the Washington Post the June 2014 attack on OPM originated in China. A previous OPM breach on July 10, 2014 was also attributed to China. As for why this breach is so dangerous to our nation, see this 2m 44s CNN video from 6/9/2015.

Update: 06/11/2015

The American Federation of Government Employees (AFGE, representing 670,000+ employees) says this breach affected every single federal employee. (source)

Update: 06/12/2015

The White House confirmed OPM had second cyber attack and accessed federal security clearance forms containing sensitive information many people applying for national security positions. “Standard Form 86,” asks sensitive information, drug and alcohol use, mental illness, bankruptcy, and arrests and a list of contacts and relatives. Such information could be used for extortion or blackmail. The list itself reveals who received a security clearance exposing covert operatives and compromises intelligence officers.

Scale: including this second breach the number exposed is raised to 14 million. Scope: The hackers stole Social Security numbers, military records, veteran status information, address, birthdate, job history, pay history; information on health and life life insurance, pension information; age, gender and race data. Exposed accounts are reclassified to financial from non-financial. (Sources: AP  Forbes  NY Times)

Update: 06/15/2015 Time Line

Security researcher Brian Krebs does a time line from March 2014 (OPM breach), August 2014 (breach of USIS, security clearance providers), December 2014 Keypoint, February 2015 Anthem, Premera Blue Cross, and Carefirst Blue Cross leading up to e-QIP, which processes security clearance applications. (KOS article). If you think you were affected by this event read this KOS article.

Update: 06/18/2015 Where is the data?

When data is stolen for monetary profit usually samples of it show up on the dark web as a prelude to a sale. The absence of the OPM data for sale suggests the data was not stolen for monetary profit. Some crooks have offered data claiming it to be from the OPM breach, but security research Brian Krebs determined the data was from a 2013 breach at Unicor.gov, also known as Federal Prison Industries, which uses prisoner labor from the Federal Bureau of Prisons to produce goods and services. They were hacked as part of the Adobe ColdFusion exploit. So, where is the OPM data? Who really has it?

Update: 06/20/2015 Breach lasted nearly a year

According to a report from the NY Times the OPM breach went “undetected for nearly a year”.

As regards cyber security overall at the Federal level, the Nuclear Regulatory Commission has crucial information on unsecured network drives and has lost track of laptops with critical data. The I.R.S. allows the use of weak passwords like “password.” The Department of Education stores information from millions of student loan applicants. Examiners were able to connect “rogue” computers and hardware to the network without detection. Part of the Securities and Exchange Commission network had no firewall or intrusion protection for months.

Update: 07/09/2015 2nd breach exposed 21.5M

What: OPM announced today details on the second breach. Scale: Included 19.7 million people who applied for background investigations and 1.8 million others who were mostly their spouses or cohabitants. Total including the 4M federal employees announced 6/4/2015 now total 25.5 million. Scope: individual information including Social Security numbers, some included interview material, and about 1.1 million included fingerprints. (source)

Update: 07/24/2015 Could current crop of covert operatives be desk bound?

While the OPM breach did not expose actual identities of covert operatives it creates a point of exposure with a search of granted visas for diplomats. If a John Doe was granted a diplomatic visa, but does not appear in the compromised data of security clearance than the person granted a visa is possibly not really John Doe. A real diplomat would have had a background clearance. Admiral Michael S. Rogers, director of the National Security Agency, alluded to that problem 7/23/2015 during an interview at the Aspen Security Forum in Colorado. (source and more)

Update: 09/01/2015  OPM+AM=CounterIntel Nightmare

China and Russia are into gathering personally identifiable information in a very large way. While a single compromise is painful, multiple large compromises allow for cross-referencing to generate a large picture of a more clearly identified subject who could then be subject to coercion. Unfortunately many treasure troves of information are not being well protected. (source)

Update: 09/02/2015  OPM spends … $133M on Credit Monitoring?

The Office of Personnel Management (OPM) and the Department of Defense (DOD) awarded a $133M contract to “protect” persons exposed in the recent breaches. The order came from the General Services Administration (GSA) contracts awarded yesterday.

Aside from being rather expensive these services provided don’t “protect”, they “monitor”. Consumers get informed after the fact of new accounts opened in their names, suspicious transactions, etc. More effective at protection is a credit freeze. Opening new accounts, new mortgages etc is a rare event for most people and freezing credit is a pro-active preventative measure. Read more and also How I Learned to Stop Worrying and Embrace the Security Freeze at KrebsOnSecurity.

Update: 09/23/2015  5.6M Sets of Fingerprints

Wednesday OPM upped the number of compromised fingerprint sets from 1.1 million to 5.6 million. Those are from employees, contractors, job applicants and those who applied for security clearances. OPM: “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,”. Given increasing using of biometric security that is questionable. It also puts a crimp in law enforcement. 5.6 million people can now be implicated in a crime because their fingerprints appear at the scene. Intelligence efforts are also hampered as fingerprinting foreign visitors as they arrive in a country is not uncommon. (Source: NY Times)

Update: 12/03/2015  China admits OPM breach, sorta

China has admitted that the OPM breach came from within their borders, but characterized the actors as criminals. Yesterday the government of China arrested hackers suspected of perpetuating the OPM breach. The veracity of their responsibility could not be confirmed. China has, in the past, arrested people for crimes they did not commit.

Update: 12/14/2015  OPM breach exposed journalists

Six months after the OPM breach was revealed we’re learning about new victims.

When OPM officials disclosed the intrusion months ago the stolen data was reported limited to federal employees and contractors and some people who were listed as references on millions of applications for security clearances. That group has just been expanded to include reporters, photographers and camera operators who regularly cover the White House and hundreds of agencies including the Defense Department, the White House and the CIA in the Washington DC area or worldwide. The number affected could easily reach into the thousands. More at the Washington Post article. As to the apparently ever-changing story of what happened see this Motherboard article.

Update: 2/22/2016  OPM InfoChief resigns. Congress cancels

Eight months after the breach we’re not going to learn what happened from the inside

In an email OPM chief information officer Donna Seymour wrote she felt her presence was distracting and that her resignation was in OPM’s “best interest.” The resignation was just a few days before her scheduled appearance before the House Oversight Committee chaired by Representative Jason Chaffetz (R Utah 3rd District). In response to the resignation the scheduled appearance was canceled. (Source)

[ Civilians and former employees appear before Congress. Why was her appearance no longer required? What information she had to provide is still needed. Or, was the threat of a public grilling in front of the committee used to get her to resign as Rep Chaffetz has sought repeatedly? -ed ]

June 2015

In addition to others shown here in June 2015, ITRC reported three incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 80,213. These included two medical breaches where details of what was exposed were not disclosed. Also included was an incident where a safe containing unencrypted information was lost. The whole safe went missing along with data on 50,000 people.

07/11/2015 US Army National Guard

455,000+ members had personally identifiable information exposed
850,000+ updated exposed

What: In an incident unrelated to the June 2015 OPM exposure a contract employee transferred files containing personal information on the Army National Guard and the Air National Guard to a non-Department of Defense-accredited data center. Scope: Included were names, Social Security numbers and home addresses. Scale: Federal budget for FY 2015 included 350,000+/- members of the Army National Guard and 105,000+/- members of the Air National Guard for a minimum exposure of 455,000 current numbers. The breach included people who served from 2004 so the total number exposed could be considerably larger. (source)

Update: 7/18/2015

Raised to 850,000 per InfoSecurity Magazine

07/13/2015 Walmart Photocentre Canada

60,000 web-site customers had charge cards compromised
7/17/2015 Update, CVS and Costco affected

Operated by PNI Digital Media the WalmartCanadaPhotoCentre.ca web site was temporarily taken offline. The breach affected Walmart Canada Online Photocentres in Canada, not Walmart.ca, Walmart.com or in-store purchases. PNI was acquired by Staples in 2014. According to its website they support “19,000 retail locations and 8,000 in-store kiosks”. It is not known if the breach affected PNI (thus exposing many more) or just the Canadian Photocenters. Questions or concerns? Call (888) 763-4077 Source: Huffingtonpost Canada

Update 7/17/2015 Scope Define & Others Compromised

Scope: Exposed data may include name, address, phone number, email address, photo account password and charge card information

A few days ago we noted that we didn’t know if PNI (the servicer) had been compromised or not. Appears so. Both CVS and Costco have temporarily disabled their on line photo services. RiteAid may also be affected. This means that the number of affected consumers may rise considerably.

The reference to retail locations and kiosks has been removed from the PNI web site, but KrebsOnSecurity posed a screen capture and their WikiPedia page no longer lists all their clients. Source

07/19/2015 Ashley Madison

37,000,000+/- web-site customers compromised

What: Owned by Avid Life Media (ALM) AshleyMadison.com is a web site for people to meet. Their slogan is “Life is short. Have an affair.” Samples of data taken from their web site have been posted on line to support a claim of hacking the entire user database, financial information and more. ALM also owns similar sites Cougar Life and Established Men. Scope: For $19 ALM offered customers a service to completely erase their profile information. Apparently that didn’t happen. Customers paid with charge cards and their real name, address, charge card number, other credentials as well as customer provided statements of sexual preferences and fantasies was retained. Given the site has a goal of arranging illicit meetings the exposure could provide considerable ammunition for divorces or blackmail. Scale: AshleyMadison has a reported 37 million customers. The number of potential exposures from the other sites is unknown. Source: KrebsOnSecurity

Foretold: Wall Street Journal Money Beat reported 5/22/2015 that a breach for AshleyMadison was a risk factor in considering an initial public offering especially considering the breach at AdultFriendFinder less than three months ago.

Something else to consider: the web site’s Forgot Password procedure could be manipulated to confirm the existence of an account and reset the password. (source: Troy Hunt)

Update 07/31/2015

Spam & Malware Wave Hackers posted some information they claimed to have stolen and said all the data would be dumped unless the site closed down. Since then there have been no more reports of data supposedly stolen from the site being posted on the web by the attackers. Yet there have been a wave of emails and published links that indicate they are posting also posting hacked data. “The BBC has visited many of the pages the links point to and found that all of them were fake. The majority of the files contained a short list of email addresses and passwords that have been widely shared online since 2011 strongly suggesting they are not part of a cache of recently stolen data.” Worse, some of those sites are pushing malware to the web visitors. Source: BBC

Update 08/18/2015  Data dumped or not?

Ashley Madison used email addresses, theoretically unique on this planet, to identify people who opened an account. For the most part these email address were not verified. To verify a company would send email to the supplied address and receive a response. This proved the person who supplied the email address at least had access to that account. It does not guarantee that person was the rightful owner of that account. This means that just because your email address was found in the database does not mean you were a member. It is possible that someone else used your email address accidentally or deliberately. Thanks to someone, you can check the database for an email address at https://ashleymadisonleakeddata.com/check/

AM reports that they used a service to process actual charge card transactions so the charge card number should not be in a data dump, just the transaction number that can’t be linked back to a real person.

Dumped or Not?
Many of the earlier data dumps did not contain Ashley Madison data. They were remixes of old data. On 8/18/2015 the original hackers reported that the time for Avid Life Media to take down the Ashley Madison web site had expired and claimed to have posted the actual database. They provided a signature key to differentiate their data from the fake data. This data set was examined by several people and found to contain the last four digits of their credit card number. This contradicts the company reports that no charge card information was stored. (Source: KrebsOnSecurity  see also NY Times)

Data dumps released earlier than 8/18 were likely faked.
This data dump from the original perpetrators appears genuine.

Update 08/19/2015  Who?

According to the Army Times some 15,000 records contain emails for military or federal government domains including 6,788 us.army.mil, 1,665 navy.mil, 809 usmc.mil, 206 mail.mil, and more than 875 ending in .gov. Specialized domains for reserve and National Guard branches, unit-specific email domains, etc. are also on the list.

According to the UK Telegraph included in the database were 92 addresses from the Ministry of Defence, 1,716 email addresses from universities using the .ac.uk suffix; 124 ending in .gov.uk; 65 local education authorities and schools using .sch.uk; 56 National Heath Service emails and a few emails ending in .police.uk.

According to Quartz and another source, there are four major data sets. Three contain member/profile data and one contains a comprehensive list of all charge card transactions from March 2008 through June 2015. The charge card data is in CSV files, one for each day. Each of the several million individual credit card transactions indicates the name of the person involved, their address, the last four digits of their credit card number, and the amount paid, among other information. The data elements include amount, authorization code, card ending in, first name, last name, date of transaction, city, country, email, state, consumer’s IP address, username, and password. The passwords are encrypted and decrypting them all would be time consuming, but given all the information available, a single person could be located and the single password decrypted to allow access to information they had on line.

Gawker reports what can be revealed for an individual already in the news.

Update 08/20/2015  Protecting yourself or not?

It appears that people, even when dealing with personally identifiable information they really, really don’t want exposed, are not being careful about what they are doing.

The title of the UK Register (whose motto is “Biting the hand that feeds IT”) article is … provocative. They report that many of the email users are obviously fakes like foxmulder@fbi.gov and i-trust-you-not@nsa.gov and they doubt former Prime Minister Tony Blair really used his official email address.

The Register reports five “British police officers using their .police.uk email accounts have details that check out, as does one address for a senior member of the British civil service in a position that would make him a ripe target for blackmail. In all we’ve found nearly 100 .gov.uk email addresses, many of whom do seem to be the real deal.”

The Register also questions how IT departments are letting sites like Ashley Madison through web filters. Not using a home computer for adultery is understandable, but using a work computer seems fraught with peril. Regarding peril: some people used dummy accounts, but used applications that automatically transmitted their GPS location, whether the user knew it or not. Coupled with the exposed IP address (see yesterday’s update above) a simple denial isn’t going to be persuasive.

The answer would be “some are”. The question is the title of the article:

The Ashley Madison files – are people really this stupid?

Accounts in India
The Ashley Madison database appears to include personally identifiable (and sensitive) information for between 100,000 to 150,000 registered customers in India.


Update 08/24/2015  Extortion, Death, Mil concerns, and a counter


Spear Phishing & S/O Targeting
In addition to the spam and malware wave described above, extortion emails are being sent to targeted email addresses (spear phishing) found in the data. There is another angle: targeting the spouse of someone listed. “Your significant other was found on Ashley Madison. Want to know more?” Attachments to any such emails need to be considered as MALWARE. (more at the source)

One to many extortionists
The data was made public. Paying one extortionist will not deter others. All have the same capability to expose someone as a user of Ashley Madison. Remember: Email addresses were not verified.

Rather die than
Perhaps the first reported suicide related to this exposure.

Military Specific Concerns
The users of some 15,000 military email addressees may have additional concerns. Even using the site may be a violation of Article 134, the General Article, of the Uniform Code of Military Justice according to The Manual For Courts Martial 2012 Edition (884 page PDF) specifically MCM page IV-100 on page 384 of the PDF.

The General Article has multiple specific instances listed under numbered paragraphs. Actual (vs. intended) adultery is specifically listed under Paragraph 62 on MCM IV-103, page 387 of the cited PDF) Sub paragraph 62(c)(2)(e) specifically addresses the misuse, if any, of government time and resources to facilitate the commission of the misconduct

For officers, and officers-in-training, there is also Article 133 Conduct unbecoming an officer and a gentleman (MCM page IV-99 on page 383 of the PDF)

A-M counters with $500k bounty
While not insignificant, it may be too little to interest the people who know the hackers and too late to do any good other than prosecute after the fact. Had a few million dollars been offered early the data might have been precluded from entering the public domain. (source)

More troubles for A-M
What goes around comes around? You reap what you sow?

Late last week, the Impact Team — the hacking group that has claimed responsibility for leaking personal data on more than 30 million AshleyMadison users — released a 30-gigabyte archive that it said were emails lifted from AshleyMadison CEO Noel Biderman.

A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture. [ highlighting ours -ed. More at the source ]

Update 08/25/2015  and the bad news keeps coming

In the last month multiple lawsuits have been filed claiming negligence, breach of contract and privacy violations by Ashley Madison for failing to take reasonable steps to protect user information security including those who paid for information deletion. All the lawsuits, so far anyway, seek unspecified damages and class-action status to represent the ±37 million registered users. (Source: Associated Press via CBS News)

One suit by “John Doe”, a resident of Los Angeles, California. Another suit representing Canadians was filed Thursday 8/20/2015 in the Ontario Superior Court of Justice. Its class-action status “still needs to be certified by the court”

Update 08/26/2015  A fraud? Who dunnit?

Almost None of the Women in the Ashley Madison Database Ever Used the Site is an analysis by Annalee Newitz published in Gizmodo which has strong evidence that the actual subscribers (primarily men) were chasing non-actual people, creations, fabrications, you know, fantasies.

Nominally the database contained 36,894,116 members total of which 31,343,429 (84.955%) million men and 5,550,687 (15.0449%) million women. Round that to 85:15 and remember that in a statistically large database the attributes should be distributed about the same way.

99.78% of the women (all but about 12,000) never interacted with the site past creating the accounts. 20,269,675 men out of the 31,343,429 (about 65%) checked their AM messages at least once. 1,491 women out of 5,550,671 (about 2/100s of 1%) checked their AM messages at least once. The AM chat system was used by 11,030,920 men out of 31,343,419 (about 35.2%) and by 2,409 women out of 5,550,687 (about 4/100 of 1%). Does your nose twitch yet?

Email addresses for about 10,000 were of the form xxx@ashleymadison.com. Certainly the emails could be faked, but were they 10,000 employees of ashleymadison looking for adventure? About 90% of those email addresses were for females. (Did AM have 9,000 female employees?) The source IP address for over 80,000 profiles was meaning they were created within the AM domain. Over 68,000 (85%) of those profiles were females. That is the reverse of what would be expected.

“Either way, we’re left with data that suggests Ashley Madison is a site where tens of millions of men write mail, chat, and spend money for women who aren’t there.”

Was it Fraud?
Maybe not – the small print on the site said the use was for “entertainment” only. Maybe – the site offered a “guarantee affair” for a fee. For the guaranteed deletion of data that AM kept anyway? Oh yes.

Who Dunnit?
That is, who hacked AM? Althought not definitive, Brian Krebs reports on a plausible suspect at KrebsOnSecurity.

Update 08/27/2015  AM Fembots

Another Annalle Newitz article for Gizmodo describes how the company created synthetic profiles for “Ashley’s Angels”. Read the article for more. The closing paragraph: “Instead of looking at Ashley Madison as a dating site, I think it’s more accurate to call it an anti-community—a hugely popular social site where it’s impossible to be social, because the men can’t talk to each other, most of the women are fake, and the only interaction available is with credit card payments. It is one of the purest representations of dystopia I’ve ever seen. Or, as one of its more famous users have put it, Ashley Madison is like something straight out of Hell.”

Update 08/28/2015  Biderman Bails

Avid Life Media (who operates Ashley Madison and other sites) announced earlier today that their chief executive, Noel Biderman is “stepping down”. More details at the source.

Update 08/31/2015  100k New Users?

In a statement today, Avid Life Media, parent company of Ashley Madison, issued a statement from Toronto, Ontario, Canada. The statement starts:

Recent media reports predicting the imminent demise of Ashley Madison are greatly exaggerated. The company continues its day-to-day operations even as it deals with the theft of its private data by criminal hackers. Despite having our business and customers attacked, we are growing. This past week alone, hundreds of thousands of new users signed up for the Ashley Madison platform – including 87,596 women. [ emphasis ours -ed. More at the source ]

The claims to additional members has not been verified by any independent source and given the company’s previous claims to delete data for a fee (which they didn’t) and their systematic creation of fake profiles for Ashley Angels (which they did) their verisimilitude is properly questioned.

Update 08/31/2015  Ligonier Ministries

The ministry has suspended until July 2016 one of the their teaching fellows who is also a rector and chair of philosophy and theology at the ministry’s Reformation Bible College. He had confessed that he had visited the site “…. in a moment of weakness, pain, and from an unhealthy curiosity. … My goal was not to gather research for critical commentary, but to fan the flames of my imagination.” [ His wife died in 2011 and we are not naming this suspended teaching fellow. -ed ]

Update: 09/01/2015  AM+OPM=CounterIntel Nightmare

China and Russia are into gathering personally identifiable information in a very large way. While a single compromise is painful, multiple large compromises allow for cross-referencing to generate a large picture of a more clearly identified subject who could then be subject to coercion. Unfortunately many treasure troves of information are not being well protected. (source)

Update 09/08/2015  Perils of Publishers & Reporters

Persons or organizations reported as having done, or may-have-done, bad things may try to coerce the reporter into a retraction by threatening or filing a “libel” lawsuit. There are differences between the generally written libel and the generally spoken “slander”, but both are considered “defamation”.

Both can share an expensive price tag and a common defense: the truth. Reporting the truth, while however distasteful to the reported subject, is neither slander nor libel. (see 6 successful celebrity cases)

In this case an officer of Ashley Madison was reported to have done an act and reported that act via email to their superior. The email exists (a fact) and the email reports as fact the underlying act. Making matters even more complex is this is foreign jurisdiction (the journalist is in the United States, the accuser in a neighboring country). Yet the reporter followed the Reporters Committee for Freedom of the Press advice on avoiding libel suits. We need such intestinal fortitude supporting our First Amendment and the freedom of the press.

Update 09/10/2015  almost 75% of passwords cracked

Some sensitive documents hacked from Ashley Madison we protected by passwords encrypted with a widely used cryptographic algorithm called bcrypt based on an earlier cipher and presented in 1999. Bcrypt is supposed to require such intense computing power that it should take centuries to crack the 36 million AM passwords. Well, not so much. Hobbyist crackers (white-hat hackers) found programming errors that allow orders of magnitude faster processing and, in 10 days, already cracked 11M of 15M passwords. For more see article in Ars Technica.

04/20/2016 Update   Class Action caveat

The judge has indicated that the class action does not merit protection of the plaintiff. That means those who want to sue have to use their real names. This creates a conundrum for those who want to keep that information a secret. Only named plaintiffs, and their attorneys, will receive awards, if any. More at Ars Technica / UK

07/20/2015 UCLA Hospital System

4,500,000+/- Exposed

What: The University of California, Los Angeles hospital system which includes the Ronald Reagan UCLA Medical Center; UCLA Medical Center, Santa Monica; Mattel Children’s Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA plus more than 150 primary and specialty offices. When: The breach may have started as early as September 2014. Scale: Information for up to 4.5 million people was exposed. Scope: Exposed were names, Social Security numbers, addresses, dates of birth, medical record numbers, Medicare or health plan ID numbers and some medical information. Source: Associated Press/RDMag via RICIS

July 2015

In addition to others shown here in July 2015, ITRC reported 4 incidents where the number affected was over 10,000 per incident. 3 incidents were considered non-financial and totaled 111,117 and 1 was financial exposing 85,000.

08/07/2015 IRS Loses Flash Drive

12,000 Exposed

What: The Internal Revenue Service was performing a random audit of the Katy Independent School District in Katy, Texas. An agent had information on a flash drive, then lost it. Scope: Potentially exposed are names, addresses, birthdates, Social Security numbers. Scale: Almost 12,000 individual records may have been exposed. (source)

08/10/2015 Carphone Warehouse

2,400,000+/- Exposed

What: Carphone Warehouse a mobile communications supplier in the UK, was hacked and customer data compromised. When: 8/08/2015 Carphone Warehouse reported a cyber-attack was discovered on 8/05/2015 that may have occurred during the past two weeks. Scale In addition to serving its own mobile network, Carphone Warehouse also provides services to OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, Talk Mobile and TalkTalk Mobile. Credit card details (encrypted) of up to 90,000 people may have been accessed. Scope: Exposed were names, addresses, dates of birth and bank details. Some card details (encrypted) may have been exposed.


Instead of selling the information outright it may be used as targeting phishing attacks against those customers by faking emails or telephone calls reportedly to be from one of the hacked businesses. Consumers to click on links may be redirected to malware laden web sites or convinced to disclose more directly profitable items such as account numbers, passwords, etc. Source: SC Magazine, UK

08/18/2015 Web.com

93,000+/- Exposed

What: Web.com, who also owns major internet registrars Register.Com and Network Solutions, reported a computer system breach. Emails have been sent to affected customers and will be followed with a letter via USPS. Web.Com provides small businesses with web services including design, marketing, hosting, domain registration and similar services. When: The breach was discovered 8/13/2015. No statement as to how long the breach was in effect. Scope: Exposed were name and address along with charge card information. Scale: Web.Com reports that about 3% of its more than 3.3 million customers were exposed. There was no explanation as to how this number was determined considering Web.Com retains charge card information for seven years. (Sources: Web.Com  Sophos)

08/24/2015 AutoZone / AutoZonePro

162,000+/- Exposed

A hacker reported on Twitter that AutoZone.com had been hacked. As proof of the hack a link was provided to information on 49,000+ customers. Although the customer passwords were hashed the hacker provided the hash code itself. The hacker also posted detailed field names that should be recognizable by the company. The hacker also reportedly had exfiltrated, but not posted, complete charge card information and had compromised 162,000 records, but only posted about 50,000. It is not yet, and may never be, clear if the hack was of AutoZone.com (oriented toward consumers) or AutoZonePro.com (oriented toward larger scale businesses). (source)

08/31/2015 Apple iPhones

225,000+/- Exposed

KeyRaider malware has collected login credentials for Apple accounts plus certificates and private keys from jailbroken iPhones. The malware was not distributed by Apple’s App Store, but a another site Cydia. Other Cydia distributed apps with malware have caused problems for users in at least 18 countries including China, France, Japan, Russia and the United Kingdom. The compromised the login credentials have been used to make unauthorized purchases of applications with charges being made to charge card associated with the account. Some phones have been disabled pending a ransom payment. In addition, the stolen data was uploaded to a server vulnerable to an SQL Injection Attack meaning that another party could download the stolen information. (Source)

08/31/2015 Utah Food Bank

10,385+/- Exposed

What: The Utah Food Bank donation webpage may have been compromised and an unauthorized individual may have gained access to donation information submitted. Potentially affected persons are being notified and offered credit monitoring. When: Transactions on the the website from October 8, 2013 through July 16, 2015 may have been exposed. That is almost two years. Scale: Personally identifiable and financial information on 10,385 persons may have been exposed. Scope: Exposed information may have included full names, mailing addresses, email addresses, charge card numbers, expiration dates and security codes. (Source)

August 2015

In addition to others shown here in August 2015, ITRC reported 6 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 363,795. These included a report on 8/25/2015 of 160,000 compromised records from Empi Inc. / DJO LLC MN Medical. Few details were available.

09/09/2015 Excellus/BCBS

10.5 million+/- Exposed

Who: The breach affected Excellus Bluecross BlueShield (BCBS), Lifetime Healthcare Companies, Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies, and Univera. What: Although the data was encrypted hackers gained administrative access allowing them access. When: In early August 2015 they learned their systems had been accessed on December 23, 2013, more than twenty months ago. Scope: Exposed information included name, birthday, Social Security numbers, mailing address, telephone number(s), BCBS identification number, financial and claims information. Some clinical information may have been exposed. Scale: About 10.5 million were exposed. 7 million were from multiple Excellus BCBS plans. The remaining 3.5 million were people the other companies listed above. (Source: Secure Computing Magazine)

09/10/2015 Cal State Students

79,000+/- Exposed

What: A breach of We End Violence a violence prevention education organization in California discovered a potential intrusion on a website server. When: The date of intrusion wasn’t announced, but the breach was discovered Monday August 24, 2015 and the site was disabled Wednesday August 26, 2015. Scope: Name, student ID number, email addresse, username, password, gender identity, race, ethnicity, age, relationship status, sexual identity and the name of the user’s college or university. Scale: About 79,000 students on eight campuses of California State University may have been exposed. (Source: Secure Computing Magazine story and breach report.

9/16/2015 Oakland Family Services

16,000+/- compromised

Who: Oakland Family Services, a non-profit organization based in Pontiac, Michigan that provides mental health and substance abuse treatment. What: There was unauthorized remote access to the email account of an employee who had succumbed to a phishing scam. Scale: Information on about 16,000 persons who received mental health or substance abuse treatment between 2007 and 2015 was compromised. Scope: Exposed were names, mailing addresses, telephone numbers, dates of birth, identification numbers of several types including insurance, service dates and types including diagnoses. Social Security numbers were exposed for some. Announcement (2 page PDF) and FAQ (5 page PDF). See also Secure Computing Magazine

09/17/2015 Kardashian/Jenner Web&Apps expose data

900,000+/- Exposed

A 19-year old developer found an open, unsecured application programming interface (API) that allowed access to user data, ability to create and delete users, photos and videos. Because the Kardashian family of web sites and smart phone apps are near-clones the same security weakness was present in all of them. Because the web sites and related smart phone applications offer paid content the question arises on the security of payment information. More, including details on the API weakness at TechCrunch. Initially reported at about 600K, raised to 900K at Slate.

09/18/2015 Comcast

75,000+/- Exposed

Between 2010 and 2012 Comcast published the names, phone numbers and addresses of about 75,000 people who paid to keep the information private. The data was published after it was sold through a listings data licensing company. Comcast refunded about $2.5 million to customers in 2013. Today (almost five years later) Comcast agreed to pay about $33 million: $25M to California state agencies, about $400,000 to about 200 who had specific safety concerns (law enforcement, judges, domestic abuse victims etc.) and $100 to each affected customers. (Source HuffPo)

09/22/2015 Molina/CVS

54,203 Exposed

Who: Molina Healthcare uses CVS as their over-the-counter benefits vendor. What: A CVS employee sent information to his personal computer. When: The compromise took place on or about 3/26/2015. CVS notified Molina on 7/20/2015, almost four months later. Scope: Compromised information included name, plan start and end dates, and multiple identification numbers. Scale: 54,203 current current and former members in California, Florida, Illinois, Michigan, New Mexico, Ohio, Texas, Utah, Washington and Wisconsin. Source: SCM

09/24/2015 Grupo Financiero Banorte

20,000+/- Exposed

Who: Grupo Financiero Banorte of Mexico. What: The bank was breached and, in Mexico, customers who are affected by a data breach are to be notified, rapidly. GFB notified the National Banking and Securities Commission and only a few customers. Earlier in September the National Transparency, Information Access and Data Protection Institute (INAI, a Mexican governmental data protection authority) issued a fine of 32 million pesos ($1.95M USD). When: It appears the breach occurred in late 2014 and early 2015. Scale: “Around” 20,000 accounts are “thought to have been compromised.” That includes prior customers whose data was supposed to have been deleted. Scope: What was exposed was not clear. More …

September 2015

In addition to others shown here in September 2015, ITRC reported 1 incident where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 13,000. This was Pediatric Gastroenterology, Hepatology and Nutrition of Florida who had data stolen from them. The data included name, social security number, account number, patient identification, and birthday.

10/01/2015 Experian/T-Mobile

15 million+/- Exposed

What: In a 10/1/2015 press release credit reporting agency Experian reported that hackers were able to get information on people who applied for T-Mobile wireless service. When: The date of the breach was unknown, but people who applied between 9/1/2013 and 9/15/2015 had their data exposed. Scale: Information on about 15 million T-Mobile customers and applicants were exposed. Scope: Exposed information included name, home address, birthdate, Social Security number, and “other personal information”.

Update 10/01/2015 Experian/T-Mobile

T-Mobile offered two free years of credit monitoring services at www.protectmyID.com/securityincident where it says “We offer multiple layers of protection and are backed by Experian® – a name you can trust.” Consumers were quick to see the irony in being protected by the company that was breached. T-Mobile is working on an alternative. [ what about those who applied, were denied and breached anyway? -ed ]

Update 10/02/2015 Experian/T-Mobile

Experian detected the breach on 9/15/2015. More on what you can do to protect yourself at KrebsOnSecurity.

10/01/2015  Outlook Web Mail Server Hacked

11,000+ exposed in one organization

Inside firewalls, this Outlook mail server was hacked via the Outlook Web Application (OWA) to compromise almost all email passwords over an extended period of time giving the hackers a toehold into enterprise data.

In a research report Cybereason followed a client’s “spidey sense” to discover an advanced persistent threat, customized for the one organization, to hack OWA in a way to expose almost all user names and passwords.

Contrary to other web servers that typically have only a web interface, OWA is unique: it is a critical internal infrastructure that also faces the Internet, making it an intermediary between the internal, allegedly protected DMZ, and the web. The customer was using OWA to enable remote user access to Outlook. This configuration of OWA created an ideal attack platform because the server was exposed both internally and externally. Moreover, because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials. [ from page 3 of the Cybereason research report 11 page PDF. Page 5 reports the 11,000-plus exposed passwords. Highlighting ours – ed ]

The customization indicated a targeted attack, but changing the customization is a minor effort and other organizations running OWA in a similar configuration should be on guard. More …

10/01/2015  Patreon Hacked

2.3 million records exposed

Patreon is a site that accepts donations and supports artists. They announced a security breach that exposed some registered names, physical address and e-mail addresses. More …

10/01/2015  Patreon Data Dumped

Almost 15GB of data from Patreon has been posted on the internet. Security researcher Troy Hunt has concluded that they almost certainly came from Patreon servers. “He said the amount and type of data posted by the hackers suggest the breach was more extensive and potentially damaging to users than he previously assumed.” Hunt also found 2.3 million unique e-mail addresses, the entire database, including a number of private messages sent and received by users. “Obviously all the campaigns, supporters and pledges are there too,” he wrote in one tweet. “You can determine how much those using Patreon are making.” “Everything private now public.” More …

10/02/2015 Scottrade

4.6 million+/- Exposed

Who: Scottrade Inc., a retail brokerage firm, was informed by federal law enforcement that consumer information had been taken from them completely avoiding Scottrade internal security measures. (per PC World) When: In August 2015 the Federal Bureau of Investigation notified Scottrade, but asked them not to inform their customers as it was part of an ongoing investigation. On 10/1/2015 the company posted a message that indicates unauthorized access appears to have been between late 2013 and early 2014. Scope: Customer contact information and possibly Social Security numbers appeared to have been exposed. Scale: 4.6 million customers of Scottrade were exposed. More …


Customers of financial services firms such Scotttrade should be hyper vigilant for fake communications via any means.


October is Cybersecurity Awareness Month and by Day 2 crooks have made about 20 million people more aware (15M from Experian/T-Mobile and 4.6M from Scottrade).

10/02/2015 A Nice Virus

tens of thousands compromised

Are appearances deceiving or did someone create a nice virus? Symantec reported yesterday on Linux.Wifatch (sometimes reported as Ifwatch), infecting devices on the internet of things. The code infects home routers turning them into a node on a peer-to-peer network of similarly infected devices. Such a network can be used for a distributed denial of service attack or similar bad acts. Most consumers are ill-prepared to detect or counter the infection. Symantec set up honeypots to attract this infection and they were successful. Analysis indicated that Wifatch was more oriented toward securing and protecting infected devices. The code itself isn’t obfuscated and was straight forward to read. Over several months of observation no malicious activities were observed. As a protective measure Wifatch kills the Telnet daemon to prevent external access to the device and leaves a message for users to change the password. Systems in multiple countries have been infected. Leading the list is China (32% of infections noted), Brazil (16%), Mexico and India (9% each), Vietnam, Italy, and Turkey (7% each), Republic of Korea and the United States (5% each) and Poland (3%). To the extent that Wifatch is actively protecting poorly secured systems it is a force for good. To the extent it is an unauthorized modification of a device, it is bad. [ there are Inherent Dangers on the Internet Of Things, don’t be an IDIOT -ed ]

10/21/2015  Salt Lake County, Utah

14,000+/- compromised

What & Where: During a scheduled upgrade by Salt Lake County, Utah information submitted in connection with worker’s compensation or other claims may have been exposed to the internet because of an improperly set security setting. When: The security settings were set on June 18, 2015. Salt Lake County learned of it on September 18, 2015, almost three months later. Scope: Exposed were Name, address, Social Security numbers and some medical information. Scale: 14,000 notifications were mailed out. According to a notice (6 page PDF) sent to the New Hampshire Department of Justice, two residents of New Hampshire were affected. More at SCM.

10/23/2016  The Commons Hotel

Initially unknown, updated 10/26/2015 to 19,472 affected.

Who: The Commons Hotel in Minnesota, part of Noble House Hotels and Resorts identified malware on the payment card system. When: The malware may have affected cards used between 1/28/2015 and 8/3/2015. Scope: Exposed information included name, payment card number, expiration date, and CVV. Scale: Initial reports did not include number exposed, but the company updated the report a few days later to over 19,000. Source: SCM

10/23/2015 Huge Exposure at TalkTalk, British Broadband

4 million exposed

Scale: All the current and former customers of British broadband provider TalkTalk have been exposed. Scope: Exposed information included customer name, address, birth date, email addresses, telephone numbers, and and charge card information. When: The attack was Wednesday 10/21/2015, police were contacted and the public notified in rapid order.

One story is that this was a distributed denial of service attack (DDoS) where a website is pummeled by volumes of traffic larger than the capability to serve that traffic. A DDoS attack denies service and does not, in and of itself steal information. It may be that the DDoS attack was a deception to distract attention from the theft effort. More at BBC

10/24/2015 Update  TalkTalk hackers want BTC

The hackers disclosed sufficient information to establish they have at least some of the data they claim. They want BitCoin worth just over $120,000 US dollars or they will publically reveal all the data. (see extortion and blackmail) More at KrebsOnSecurity. [ Simply paying the money is no guarantee that the information has not already, or will be, exposed. See what Kipling wrote on paying such ransoms. -ed ]

10/27/2015 Multiple Updates

Stolen Data in Play – bank accounts of victims of the TalkTalk mass cyber-attack were raided as early as 10/24/2015. Customers were being cold-called even before the broadband firm realised that customer details had been stolen. More …

An arrest – Yesterday “officers from the Police Service of Northern Ireland (PSNI), working with detectives from the Metropolitan Police Cyber Crime Unit (MPCCU), executed a search warrant at an address in County Antrim, Northern Ireland. At the address, a 15-year-old boy was arrested on suspicion of Computer Misuse Act offences. He has been taken into custody at a County Antrim police station where he will later be interviewed.” per UK Metropolitan Police [ http://news.met.police.uk/news/arrest-re-talktalk-investigation-135026 ] News. [ A 15 years old in Ireland? Were not the hackers reported as a “Russian Islamist group” ????? -ed ]

CEO says – In September 2014 an IT security specialist revealed numerous security weaknesses on the TalkTalk website last year. The CEO responded by saying that TalkTalk’s security is “head and shoulders better than some of our competitors.” Maybe not. TalkTalk didn’t use TLS/SSL encryption, a basic protective measure. The CEO also said the customer financial data wasn’t encrypted because it was “not legally required” by the 1998 Data Protection Act. More at Sophos …

10/30/2015  Multiple Updates

A 16-year old from London is the second suspect arrested in the TalkTalk hack and the CEO says the compromise was smaller than publicized. (BBC) TalkTalk was breached in February and July of 2015 and does not use encryption … anywhere.
(TheRegister) More at Sophos

11/02/2015  Multiple Updates

3rd Suspect Arrested
Detectives from London’s Metropolitan Police Cybercrime Unit and officers from the National Crime Agency arrested a 20-year-old man in Staffordshire, England. The man was released on bail until March 2016. More …

Customers defrauded and seek compensation
TalkTalk has acknowledged that it was breached three times in less than a year. Yet, the company reportedly declined to accept liability or pay compensation to thousands of people who claim to have each been defrauded by up to £5,000 pounds.

TalkTalk reduces number exposed
TalkTalk says the number exposed was about 1.2 million persons; 28,000 incomplete charge card details; 21,000 unique bank account numbers; and 15,000 customer dates of birth. No explanation was provided for these numbers.

11/03/2015  Management Review

The Register (whose motto is Biting the Hand That Feeds IT) offers a less than complimentary review of how TalkTalk management is not really keeping the public informed in this article.

11/04/2015  Police make 4th arrest

This time a 16-year-old boy from Norwich (eastern England) according to Reuters.

11/05/2015 Update  2FA beaten, OG & Glubz

How two-factor authentication was beaten to hijack an email and a twitter account used in the TalkTalk hack, what is OG and why people will pay heavily for it, and in pursuit of Glubz. More at KrebsOnSecurity

1/30/2016 Update  TalkTalk loses 250k subscribers

In addition to the breach in October 2015 in which information on over four million customers was compromised TalkTalk had phone scammers working at one of their call centers run by Wipro, an Indian outsourcer. The overall impact? Over 250,000 existing customers have left TalkTalk and their share of new customers has declined. See article in SCMagazine/UK.

10/30/2015  000Webhost hacked months ago

13,545,468 exposed

Wrapping up National Cyber Security Awareness Month we’ve learned that five months ago the 000Webhost company was breached exposing customer names, emails and passwords that were stored in plaintext. Security researcher Troy Hunt reports the data is for sale. He found many insecure elements including non-https logins. He discovered that 000webhost and hosting24 are owned by the same parent company Hostinger in the UK. He tried to reach them many ways and and they don’t seem to want to talk to anyone about security problems, even a noted researcher. Mr. Hunt has added 13,545,468 email addresses from this breach to his site HaveIBeenPwnd. Your entry is checked against many breaches. Look to see if you’ve been exposed.

October 2015

In addition to others shown here in October 2015, ITRC reported 3 incidents where the number affected was over 10,000 per incident. The incidents compromised non-financial information on 58,100. These included an E*Trade breach that occurred in late 2013 exposing personally identifiable information (PII) on 31,000 customers. Also Emergence Health Network (EHN) reporting improper access to a server that may have dated back to 2012 exposing PII, including Social Security numbers, on 11,100 persons. Lastly, the Children’s Medical Clinics of East Texas reported unauthorized access to a desktop computer which may have exposed 16,000 persons.

11/04/2015  vBulletin & Foxit

220,000 vBulletin user accounts
260,000 Foxit user accounts (of 537,000 total)
480,000 total user accounts compromised

vBulletin, the publisher of popular forum software maker and Foxit Software have been breached based on the same vulnerability. Compromised were user identifications, full names, email addresses, security questions and corresponding answers (both in plain text) and salted passwords. Vbulletin was breached in November of 2013. More at Sophos

11/06/2015  ProtonMail & others

500,000+ users affected and
“hundreds” of other firms impacted

In 2013 ProtonMail was developed at the CERN research facility to use end-to-end encryption to resist surveillance by intelligence agencies. It reported paying ransom of 15 bitcoins (about $6,000 or £4,000 at today’s prices) to stop a Distributed Denial of Service (DDoS) attack.

A warning email preceded an attack that took ProtonMail off line for about 15 minutes. The next day another larger attack pushed traffic over 100 GB/s. This attack not only took the ProtonMail data center off line it also impacted their internet service provider affecting hundreds of other firms and their many users. These firms pressured ProtonMail to pay the ransom and pledged toward an improvement fund to harden defensive infrastructure. Contrary to good customer service practice the DDoS is continuing days after the ransom was paid. (see what Kipling wrote about paying ransom 1907.)

ProtonMail has about 500,000 users but how many more were affected in those hundreds of other companies affected? There is a little good news. The ProtonMail data was encrypted and there is no evidence that it had been exported. So the information is still concealed. More at Sophos

Update: 11/12/2015  ProtonMail still offline.

11/09/2015  Ransomware updates

One particular ransomware was poorly written. Designed to infect Microsoft Word and Excel files it also affects other file types. Unfortunately no decryption key is created. Pay or not, you’ll never get your data unlocked.

Some web sites use programming code that is not on their computer but run from another system. Infecting that remote code is one way to compromise many computers without ever having to hack that computer in the first place. One treasure is “shopping cart” systems. Many merchants use them to handle charge card processing for a fee. Crooks hack that and get a stream of complete charge card information.

A ransomware version was discovered by Dr Web. It infects merchant systems via such remote services. Once the virus is installed at the merchant’s machine it encrypts everything: graphics, programming code, all of it whether it resides on the primary or alternate directories. Instructions on how to pay the ransom remains is plain text. (Source: BBC) See also: Ransomware: What Can You Do?

11/09/2015  Comcast Resets 200K+Passwords

200K+ affected

Discovered on the Dark Web was an offer to sell 590,000 Comcast subscriber email addresses and plaintext passwords for $1,000 in bitcoins. Comcast says they were not hacked. Comcast obtained the data, they may have been the reported single buyer, and found 2/3+/- of the records were no longer active. Comcast forced a reset about 200,000 passwords.

[ Comcast reset one of mine the evening of 11/10/2015. There was no email notification received (but I think they know my email address) and no notice I could find. -ed ]

11/10/2015  Password Swiper Available for Download

100,000+ Instagram users affected

In Canada and the United Kingdom the number one free app is InstaAgent which connects to Instagram to track visitors to the user’s account. It also appears to store and transmit usernames and passwords for that user’s account. The app was downloaded from Google Play between 100K and 500K times. The number of downloads from Apple’ s App Store is unknown. Google removed InstaAgent from the store earlier, Apple removed it later this afternoon.

Did you install InstaAgent?
Delete the app and change and your password!

How did such applications make it past the review process? The code [ http://peppersoft.net/instaagent ] shown by the discoverer shows the destination host and the user id / password to upload the data. See also 11/10/2015 MacRumors and 11/13/2015 Sophos.

11/11/2015  Prisoner Phone Calls Hacked

70 million calls+ exposed

A hacker obtained access to over 70 million telephone call records, to about 1,300,000 unique telephone numbers, from more than 63,000 inmates, in 36 states, between December 2011 and spring 2014. Each call record had a link to a “recording URL” where audio records of the call can be heard. More than 14,000 of these calls were between prisoners and the land lines of their attorneys. Calls to attorney cell phones were not so easily found. Tracing land line phone numbers also found 75 calls to a US attorney in Missouri.

Persons incarcerated can generally expect little privacy. Telephone calls are recorded, placards are posted that telephone calls are recorded, the calls start with a recording that telephone calls are recorded and you get the idea. There are clear exceptions to the recording of these telephone calls. One is the constitutionally protected communication between a prisoner and their attorney under the general title of attorney-client privilege derived from the Sixth Amendment. There is also a question as to whether the blanket recording is a form of mass surveillance, but that isn’t the issue here.

There are specialized providers of prison telephone services. They provide equipment, installation, maintenance, support generally at no charge to the government. In return, they charge high fees to prisoners and return a portion, an average of 40%+ or more, of revenue to the government.

One of these companies that markets direct to prisoners is Securus, who touts their Secure Call Platform which includes an ability to protect calls from unauthorized use by providing a “high level of security” and “We understand that confidentiality of calls is critical, and we will follow all Federal, State and Local laws in the conduct of our business.” If any call to an attorney is inadvertently made that recording will be destroyed upon discovery. Ummm, not so much.

More, and the response from Securus (look at the bottom for a 11/12/2015 update) at TheIntercept.

11/13/2015  Massive Data Exposure

18,670,000+/- records exposed
containing 56,000,000+/- individual data items

At the Blackhat security conference Europe 2015 in Amsterdam, Netherlands, researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, presented security weaknesses in applications using Backend-as-a-Service (BaaS) frameworks from providers like Parse (Facebook), CloudMine or Amazon Web Services. For developers BaaS is a great time saver because it provides a software development kit (SDK) and ready to use application programming interfaces (APIs) for routine functions to leave creators to concentrate on their application.

An investigation of those APIs found some internal hard coded access keys. Anyone examining the APIs could find the password objects and use them to access the back-end database. To find more weaknesses the researchers created HAVOC, a “fully-automatic exploit generator” that finds embedded credentials and finds keys generated on the fly. More than two million Android and iOS apps were examined revealing 1,000 back-end credentials. This allowed access to the millions of data elements. The same credentials allowed altering or deleting those records without the data owners ever being aware of the changes. Before this presentation the researchers notified BaaS providers and some changes have been made. As of 11/12/2015, a day before the presentation, 52 million elements were still exposed.

The (In)Security of Backend-as-a-Service briefing (HTML), presentation (56 page PDF), and the research paper (25 page PDF) are all available without registration thanks to BlackHat. See also this PC World article.

11/18/2015  Georgia gives away voter PII

6,000,000+/- people exposed

The personal information of each of the six million registered voters was distributed to a dozen different groups in October. While the state shares representative voter information not information that is personally identifiable. Scope: Exposed were name, address, date of birth, Social Security number and driver’s license number all on a dozen compact disks. This was a breach, but not from outside. It was a breach of trust between the office of the Secretary of State and the residents of Georgia. Source: WXIA-TV Channel 11, an NBC Affiliate in Atlanta, GA.

12/03/2015 Update  Georgia offers credit monitoring

Georgia Secretary of State Brian Kemp said the free credit monitoring should help reassure voters. A single person was named responsible, but that person says he does not have the security clearance to add the information to the disks. Kemp estimates the monitoring will cost $1.2 million. Source: WXIA-TV

[ Credit “monitoring” is reactive. If you’re affected, take the credit monitoring then get a credit “freeze”, in that order. As a victim any fees should be waived. A freeze is proactive. See Credit Monitoring vs Credit Freeze. Note to Secretary Kemp: it isn’t “free”. It is at “no-charge” to the affected except that the taxpayers of Georgia, whose state motto is “Wisdom, Justice, Moderation” are paying not only the $1.2 million, but all the other expenses. -ed ]

12/15/2015 Update  Initial Report on How

“The Georgia Secretary of State’s office has released their initial report into how data on 6-million registered voters was made public. The 30-page report pins the blame on former employee Gary Cooley, who worked in the state’s information technology division. The reports say that Cooley didn’t follow protocol when he gave another employee the login used to access the information.” Source: [ http://cnnnewsource.com/report-on-massive-voter-data-breach-released ] CNN.

11/19/2015  Dyre just in time for the holidays!

80,000+/- machines infected

Dyre, that nasty banking trojan has been updated to handle Windows 10, its new Edge browser, as well as Chrome, Firefox, Internet Explorer in 32-bit and 64-bit systems. IBM says more than one million dollars was taken from an organization. (The Register/UK)

11/23/2015  Security Oops in New Dell Computers

10,000,000+/- machines potentially affected

Just in time for the holidays: New Dell computers shipped since August 2015 may contain a security certificate that exposes users to exploits. (see multiple updates below)

Paradoxically Dell installed the eDellRoot certificate to help technicians by embedding system information. Unfortunately the certificate’s cryptographic key was also included. Any crook could exploit this by impersonating web sites that will appear to be genuine. The consumer has to access that site via a compromised connection. A common example is accessing a public wifi at your local coffee house. The double shot latte with foam next to you is intercepting the traffic, reading what you write, maybe modifying what you see before you see it. (see Is that Really Your Bank On Line? which describes Lenovo’s problem with Superfish. Also read what SlotBoom did in 20 minutes at a public WiFi spot. You may never use public WiFi again.) Source: ArsTechnica and Dell’s first response

[ Distinguish between a major oops vs a deliberate attempt to include undesirable elements into your new computer. From earlier in 2015 see how on major manufacturer deliberately hid their undesirable element in BIOS so operating system reinstallations would not remove it. -ed ]

11/24/2015 Update  Dell Response

An article in KrebsOnSecurity describes the situation differently and more on Dell’s initial response.

11/25/2015   Multiple updates

What to do:   A Sophos security article recaps the situation, explains how a compromised certificate fits in a Man-In-The-Middle (MITM) attack, explains another Dell certificate “DSDTestProvider”, and shows how to manage “Trusted Root Certificates”, just in case you need to do this … again.

Published in DHS CERT Vulnerability Notes Database   The DSDTestProvider root certificate includes the private key allowing attackers to create trusted certificates and perform web site impersonation, man-in-the-middle (MiTM), decrypt network traffic, install malware, and exposure sensitive information. More …

Certificate can be installed via update   In a Reddit thread a user reported and documented a new computer shipped 11/21/2015 that did not have the certificate until after an update.

Simply deleting the certificate isn’t enough  Simply deleting the offending root certificate (valid until 2039) isn’t enough because Dell Foundation Services and update will reinstall it. So, users need to stop then disable Dell Foundation Services, then delete the eDellRoot certificate. (See BankInfoSecurity article)

DSDTestProvider (2nd certificate) is explained more  in an article from TheRegister/UK (whose motto is Biting the hand that feeds IT) [ This second certificate has been documented to exist on machines more than a year old. -ed ]

Hopefully humor  In a hopefully humorous mode, ErrataSec wrote: “If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications. I suggest “international first class”, because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking. … I point this out in order to describe the severity of Dell’s mistake. It’s not a simple bug that needs to be fixed, it’s a drop-everything and panic sort of bug. Dell needs to panic. Dell’s corporate customers need to panic.

The post-disaster dialog is well documented at Dell  All its representatives are property spouting “Customer security and privacy is a top concern for Dell.” See this twitter thread from Dell to security researcher Troy Hunt.

[ Hopefully Dell had a disaster plan but, they still wound up being the company spouting “you’re security is important to us” (see the Summary section.) -ed ]

11/27/2015  VTech

4,800,000 adult records compromised
200,000 child records compromised

VTech, maker of cordless phone systems and children’s toys, has reported unauthorized access to customer data from their Learning Lodge app store database on November 14, 2015. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.

Exposed information may include name, email address, encrypted password, a secret question and an answer for password retrieval, IP address, mailing address and download history. NOT included are Social Security numbers, drivers license information or any charge card information. VTtech uses a third party for payment processing. The press release and a FAQ

Troy Hunt article reports he found 4.8 million unique customer email addresses. Worse, there are database elements referring to 200,000 children including name, birthdate, gender, and a link back to their parent. All communications are over unencrypted connections including passwords, parent’s details and information about children. No security, even the secret questions and answers were in plain text. Much of the underlying code is quite old. According to Mr. Hunt “… you get the distinct sense VTech’s assets were created a long time ago and then just … left there.”

Check the web site Have I Been Pwnd to which Mr. Hunt has added the 4.8 million adult email addresses from this breach. Your single entry is checked against many breaches. Look to see if you’ve been exposed.

12/01/2015 Update  VTech breach: larger scope than company revealed

Yesterday Motherboard revealed the breach included pictures of adults and kids, chat logs going back a year, and audio recordings in child and adult voices. The hacker reported to Motherboard “Frankly, it makes me sick that I was able to get all this stuff” and “VTech should have the book thrown at them.” How many pictures? The hacker submitted about 4,000 for authentication and report finding “tens of thousands”, about 190GB in size. The chats, recordings and images can generally be traced back to specific accounts.

VTech issued a press release announcing the closing of more than a dozen web sites as a precaution. The press release also contains contact emails for concerned customers from Australia, Belgium, Canada, China, Denmark, France, Germany, Hong Kong, Ireland, Latin America, Luxembourg, the Netherlands, New Zealand. Spain, the United Kingdom and the United States. More at Sophos.

12/02/2015 Update  VTech hacker: concerned & ethical

Hacker reports no intention of profiting or publishing the information he uncovered.

12/15/2015 Update  VTech breach: 1 arrested

An unnamed 21-year-old, from about 40 miles west of London via the M4, was charged under the UK’s Computer Misuse Act. Specifically: “suspicion of unauthorised access to computer to facilitate the commission of an offence, contrary to section 2 of the Computer Misuse Act 1990 and suspicion of causing a computer to perform function to secure/enable unauthorised access to a program/data, contrary to section 1 of the Computer Misuse Act 1990”. Source: UK South East Regional Organised Crime Unit (SEROCU) report of 12/15/2015. More at Sophos.

2/14/2016 Update  VTech back on line and …

For Valentine’s Day VTech has a special “gift” for you, lots of liability.

VTech exposed details of over 700,000 children and over 5 million adults. So what have they done? They changed their terms of service so that users, not them, are responsible for any future data breaches. Specifically, in the “Limitation of Liability” it says “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.” Think on that – a bank gets robbed and the customers are liable? You have to agree to use their service and they are not liable.

When did these terms get changed? The document indicates the day before Christmas December 24, 2015, which was before the site came back on line. The terms are just coming to light this week. More at The Guardian and at Daily Mail/UK

November 2015

In addition to others shown here in November 2015, ITRC reported 3 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and exposed 6,099,681. These incidents were a Kentucky healthcare provider, the Georgia Secretary of State, and a doctor in New York.

12/04/2015  JD Wetherspoon hacked

656,723 exposed

Who & What: JD Wetherspoon, a popular pub chain in the UK, has been hacked. Scope: Exposed were names, birth dates, email addresses, partial charge card details of some customers who bought gift vouchers. Also exposed were some details on employees. The charge card details are insufficient to make purchases. When: The hack occurred between June 15-17, 2015 and the company released the information in December 2015. Sources: TheGuardian and the BBC.

12/09/2015  Steam accounts hacked

77,000 exposed per month! That is almost a million per year.

“Steam” powers over 6,000 games. In some, virtual goods may be purchased for real funds. Those goods can be traded or sold to other members. So, crooks hack accounts, trade or sell those assets and get away with real cash. It was a small problem that has ballooned. The company has a plan.

12/09/2015 Update:   Steam items – expensive!

Incredibly some of these virtual goods cost up to $500 real dollars … each! Some good advice so you don’t join the hacked brigade at this Sophos article.

3/15/2016 Update:  Steam Stealers Explode

Steam powered gaming is suffering tremendous theft

Kaspersky Labs has found nearly 1200 samples of different trojan groups of “Steam Stealers” preying on tens of thousands of users. Targets are around the world with concentrations in Russia, the United States, France, Germany, India and Brazil. The malware steals on line gaming items (that cost real money) and account credentials that can be sold for about $15USD. At an estimated 77,000 accounts per month that is between $12 and $14 million dollars a year. More at Kaspersky. Start of the story

12/14/2015  MacKeeper exposed

13 million exposed

Kromtech, the makers of MacKeeper, has acknowledged a breach that exposed usernames, passwords and other non-financial information. 21 gigabytes of data were found by a security researcher who spent a few bored moments using the Shodan search engine looking for database servers that require no authentication and are open to external connections. He found four, all belonging to Kromtech. More at the KrebsOnSecurity article. How to uninstall MacKeeper from MacWorld 12/4/2015.

12/17/2017  Landry’s breached

??? exposed (likely to be big)

Today Landry’s issued a press release confirming a breach affecting charge cards. Scope and scale of the breach is under investigation. The breach started as early as May 2015 and may still operating in some facilities. Landry’s operates over 50 chains collectively in over 500 locations. Security researcher Brian Krebs broke the story more than an hour before the press release was issued.

2/03/2016 Update  Landry details

46 of the Landry brands at 350 locations in 34 states, Washington DC and Canada were affected. The number of consumers affected has not been announced.
The source is reported to be scrapers installed on point-of-sale devices that were active during two time frames May 4, 2014 through March 15, 2015 and from May 5, 2015 through December 3, 2015. Although Landry’s didn’t say, the infection spread indicates the vector was via regional, not national, card payment processors. More at DataBreachToday.

12/19/2015  Hello Kitty

3.3 million exposed including 186,261 for those under 18

Sanrio sells things and uses characters, such as Hello Kitty and an official online community to support that sales effort. The underlying database was open to access and compromised data for many brands and affiliated domains. Scope: Exposed data included first and last names, birthday, gender, country of origin, email addresses, unsalted password hashes, password hint questions, those answers, and more. The earliest known exposure date is November 22, 2015. It appears this is another misconfigured installation of the MongoDB database. So far it appears that the researcher was the only one to access the data. More at CSO Online.

[ If a researcher, without criminal purpose access the data is that exposure? -ed ]

12/28/2015  Voters exposed

191+ million voters exposed nationwide

December 20, 2015 – Security researcher Chris Vickery (the same one who has uncovered thousands of poorly secured databases), found one with 191,337,174 voters exposed due to a misconfigured database. Did someone say “your security is important to us”? Well, yeah, not so much. Personally identifiable information on every registered voter in the United States of America was exposed.

Scope: Exposed were first and last name, mailing addresses, date of birth, gender, ethnicity, the date you registered to vote, telephone number, party affiliation, e-mail address (if you provided one when you registered), state voter ID, if you’re a permanent absentee voter, and if you are on the Do Not Call list. Worse: some law enforcement personnel do not have publicly listed telephone numbers or addresses. These were exposed too.

The database was probably compiled by NationBuilder (see CSO section below) who gathers the information and provides it to campaigns. That isn’t illegal. Who didn’t secure it is still unknown. If you know who please contact admin@databreaches.net or see the URL below for alternative contact information including PGP key. Source: DataBreachesNet

“To be perfectly clear, this story is not related to the Sanders / Clinton incident at all.” “In my voter record, the voter ID and the field names point directly to Nation Builder as the source of the data that’s been exposed. When you compare my voter record to the file structure published by Nation Builder, there are clear similarities including the nbec_precinct_code. This code is unique to Nation Builder. It’s shorthand for Nation Builder Election Center Precinct Code. In my case, that code is: 18097-Marion-Center (Marion County, Center Township).” “Based on the voter count and some of the records, the database appears to be from Nation Builder’s 2014 update from February or March, but unless the database owner is contacted and confirms, there’s no way to prove that conclusion. From CSO [ highlighting ours -ed ]

[ “Big Data” has turned around and bit everyone in the posterior. The database is no longer available, but ownership is unknown. Based on CSO (see above) the database could have been exposed for more than a year. Did anyone grab the exposed data before the researcher found it? Is the whole nation going on credit monitoring? If not, why not? At $100 per exposed person for credit monitoring that is a 20 BILLION dollar exposure. When offered get the credit monitoring and then go get a freeze, in that order. See Credit Monitoring vs Credit Freeze. Call your federal officials and express concern. If you tweet please use #ProtectMyPrivacy. -ed

7/18/2016 Update   US Voter Info For sale

In December 2015 security researcher Chris Vickery (the same one who has uncovered thousands of poorly secured databases), found one with 191,337,174 voters exposed due to a misconfigured database. The contents were voter records from every state in the union. Earlier this month that data was made available for a Bitcoin equivalent of under $350 per state. Screen pictures of a sample record are on line at Hack Read.

[ The ownership of the leaked data is still unknown and I doubt they want to be known. Is the whole nation going on credit monitoring? If not, why not? At just $10 per exposed person for credit monitoring that is a 2 BILLION dollar exposure. When offered get the credit monitoring and then go get a freeze, in that order. See Credit Monitoring vs Credit Freeze. Call your officials and express concern. Tweet with #ProtectMyPrivacy. -ed

December 2015

In addition to others shown here in December 2015, ITRC reported 3 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 60,910. These included Keenan  Cottage Health  Buchness


View the 2015 summary
Return to References page
Return to Year links page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.