2015-under10k

Compromises in 2015 affecting less than 10,000


01/01/2015 Union First Market Bank

A bank in the Richmond area, Virginia
3,000 financial accounts compromised
 
3,000 ATM cards were skimmed. See also: (source) (should have been late 2014, but we missed it. Sorry)

https://www.bankatunion.com/home/fiFiles/static/documents/debitcardnotice-update.pdf

01/15/2015 St. Louis County, Department of Health (MO)

State or Local Government in Missouri
4,000 non-financial accounts compromised
 
On 11/18/2014 an employee emailed to his personal account a document containing about 4,000 names and Social Security numbers for inmates incarcerated from 2008 to 2014. Although no information was exposed, it was a reportable HIPAA violation.

http://www.phiprivacy.net/st-louis-county-dept-of-health-investigates-hipaa-breach-involving-inmates/

01/20/2015 Lubbock Housing Authority

State or Local Government in Texas
1,100 non-financial accounts compromised
 
About 1,100 applicants for Section 8 housing may have had their applications exposed when a file showing name, address, Social Security number and estimated income was placed on the internet.

http://lubbockonline.com/local-news/2015-01-21/lha-mistakenly-posts-personal-information-now-offering-credit-monitoring

01/21/2015 Mount Pleasant School District

an educational institution in Mount Pleasant, Texas
915 non-financial accounts compromised
 
Present and former staff had their personal information possibly compromised between January 18th 2015 and January 21st 2015. Scope: Exposed information included name, address and Social Security numbers.

http://www.dailytribune.net/news/data-breach-hits-mpisd-employees/article_051ec5d0-a1d2-11e4-b1c7-afde4a6d4ed1.html

01/22/2015 Blue Zebra Sports

a retail business in Tennessee
1,218 non-financial accounts compromised
 
On 10/9/2014 BZS learned that illegally obtained credentials had allowed unauthorized access to officiating.com for the past three years. Users were notified 10/22/2014.

[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]

01/22/2015 McKenna, Long & Aldridge

a retail business in Washington, D.C.
441 non-financial accounts compromised
 
In November and December 2013 information on about 440 current and former employees was exposed. The vendor who ran those servers notified MLA on 2/14/2014, almost a year ago.

[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]

01/22/2015 Waynesburg University

an educational institution in Pennsylvania
284 non-financial accounts compromised
 
On 6/20/2014 about 280 students' names, addresses, telephone numbers, and some Social Security numbers were in a file accessible via the internet. The information has since been removed.

[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]

01/22/2015 Direct Learning Systems

a retail business in Pennsylvania
1,507 non-financial accounts compromised
 
Beginning 10/19/2013, unauthorized access allowed continuing access to information on over 1,500 people. On 7/13/2014 the site was used as a phishing site and compromised personal information about customers of a third-party bank. (Almost identical to 1/22/15 Modern Gun School)

[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]

01/22/2015 Modern Gun School

a retail business in Pennsylvania
287 non-financial accounts compromised
 
Beginning 10/19/2013, unauthorized access allowed continuing access to information on over 280 people. On 7/13/2014 the site was used as a phishing site and compromised personal information about customers of a third-party bank. (Almost identical to 1/22/15 Direct Learning Systems)

[ original URL no longer supported. Search → http://www.oag.state.md.us/idtheft/index.htm by year for the material ]

01/23/2015 Sutter Health

a healthcare provider or servicer in San Francisco, California
844 non-financial accounts compromised
 
An employee accessed records for patients of the California Pacific Medical Center / Sutter Health who were seen between October 2013 and October 2014. Scope: Exposed information included clinical information such as diagnosis, clinical notes, prescriptions and the last four digits of the patient’s Social Security number. According to the company, charge card information and the complete SSN were not compromised.

http://oag.ca.gov/ecrime/databreach/reports/sb24-48217

01/23/2015 TMA Practice Management Group

a retail business in Texas
2,260 non-financial accounts compromised
 
“Improper disposal, Loss Other Portable Electronic Device” exposed about 2,250.

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

01/23/2015 St. Peter’s Health Partners

a healthcare provider or servicer in New York
5,117 non-financial accounts compromised
 
Following the theft of a cellphone, their email system may have been breached, exposing over 5,100. (source)

http://www.scmagazine.com/albany-health-system-notifies-more-than-5000-patients-of-data-breach/article/394364/

01/23/2015 Xand Corporation

a retail business in New York
3,334 non-financial accounts compromised
 
The only explanation provided was “network server”. 12/2/2014 Xand was acquired by TierPoint, a provider of network services. No mention of the breach was found on their website. Over 3,300 were exposed. (source)

01/25/2015 California Pacific Medical Center

a healthcare provider or servicer in California
845 non-financial accounts compromised
 
A pharmacy employee may have accessed over 840 patient records without authorization.

http://www.phiprivacy.net/california-pacific-medical-center-discovers-employee-was-improperly-accessing-patient-records-for-one-year/

01/25/2015 Home Respiratory Care

a healthcare provider or servicer
1,285 non-financial accounts compromised
 
(no detailed information found!)

01/26/2015 Harel Chiropractic

a healthcare provider or servicer in Wisconsin
3,000 non-financial accounts compromised
 
A breach was discovered on 11/20/2014 which may have exposed patient information on 3,000 patients.

http://www.phiprivacy.net/wi-harel-chiropractic-clinic-notifies-3000-patients-of-breach/

02/02/2015 Senior Health Partners

a healthcare provider or servicer in New York
2,772 non-financial accounts compromised
 
Technology was stolen from the nurse’s residence. The laptop was password-protected and encrypted, but the information was in the bag. Over 2,700 were exposed.

http://www.phiprivacy.net/senior-health-partners-provides-notice-of-data-security-incident/

02/05/2015 Planned Parenthood

a healthcare provider or servicer in Ohio
5,000 non-financial accounts compromised
 
For more information please search (source). About 5,000 were exposed.

02/05/2015 Phoenix House

a retail business in New York
2,000 financial accounts compromised
 
On 12/19/2014 a hired consultant made unauthorized changes to a payroll system hosted by a third party. This was discovered on 12/22/2015. Scope: Exposed information included name, Social Security number, address, salary and benefit information for about 2,000 people. See link for protection information from this non-profit drug and alcohol rehab center.

https://oag.ca.gov/system/files/PHOENIX%20HOUSE_%20INDIVIDUAL%20NOTIFICATION%20VERSION%201_WPP-REVISED_0.PDF?

02/07/2015 Utah State University

an educational institution in Utah
347 non-financial accounts compromised
 
An email sent 2/5/2015 to just over 1,000 people inadvertently included names and Social Security numbers for almost 350 people.

http://www.databreaches.net/email-gaffe-exposes-347-utah-state-university-students-social-security-numbers/

02/09/2015 Ranier Surgical Inc.

a healthcare provider or servicer in Texas
4,920 non-financial accounts compromised
 
Search (source) for this breach. Over 4,900 were exposed.

02/09/2015 Office of Arturo Thomas

a healthcare provider or servicer in Illinois
600 non-financial accounts compromised
 
For more information please search (source). About 600 were exposed.

02/12/2015 Pathways to Hope

a healthcare provider or servicer in Florida
600 non-financial accounts compromised
 
(no detailed information found on exposure of about 600 persons)

02/14/2015 Kaiser Permanente Hawaii

a healthcare provider or servicer in Hawaii
6,600 non-financial accounts compromised
 
On 1/7/2015 a box of documents spilled from the moving contractor’s vehicle. Many documents, but not all, were recovered. Information on an estimated 6,600 people were exposed.

http://www.phiprivacy.net/kaiser-permanente-notifies-hawaii-members-of-pharmacy-records-breach/

02/17/2015 mdINDR

a healthcare provider or servicer in Florida
1,859 non-financial accounts compromised
 
On 11/3/2014 there was unauthorized access to email. Search (source) for the report. Over 1,800 people were exposed.

02/17/2015 North Dallas Urogynecology PLLC

a healthcare provider or servicer in Texas
678 non-financial accounts compromised
 
A laptop computer was stolen. Search (source) for the report. Over 670 people were exposed.

02/17/2015 National Pain Institute

a healthcare provider or servicer in Florida
500 non-financial accounts compromised
 
A desktop computer was not cleaned of patient information prior to disposal. Search (source) for the report. About 500 people were exposed.

02/17/2015 Office of David E. Hansen, DDS PS

a healthcare provider or servicer in Washington
2,000 non-financial accounts compromised
 
On 5/10/2014 papers, films and an “other” portable electronic device were stolen, exposing information. Search (source) for the report. About 2,000 were exposed.

02/17/2015 Office of Ronald D. Garrett-Roe M. D.

a healthcare provider or servicer in Texas
1,600 non-financial accounts compromised
 
A desktop computer was hacked. Search (source) for the report. Over 1,500 were exposed.

02/18/2015 Hunt

a healthcare provider or servicer in Texas
3,000 non-financial accounts compromised
 
A warehouse that stored medical records for Hunt Regional Medical Partners was vandalized January 16-17, 2015. About 3,000 were exposed.

02/18/2015 University of Maine

an educational institution in Maine
941 non-financial accounts compromised
 
A breach was discovered that exposed personal information of over 940 current and former students.

http://www.databreaches.net/umaine-probing-data-breach-affecting-more-than-900/

02/20/2015 KSIT/TriNet

a retail business in Virginia
641 non-financial accounts compromised
 
About 2/9/2015 an email containing personal information on employees of KSI Trading was inadvertently sent to an employee at one of TriNet’s customers. That information included names and Social Security numbers for over 640 people.

02/20/2015 Lone Star Circle of Care

a healthcare provider or servicer in Texas
8,700 non-financial accounts compromised
 
Personal information for 6,300 patients and 2,400 others was disclosed after being discovered 1/9/2015. A backup file was posted on-line for almost 6 months. Scope: Exposed information included name, address, telephone number and, for some, birthday.

http://www.statesman.com/news/news/data-breach-at-lone-star-circle-of-care-affects-87/nkFyY/

02/28/2015 Office of Raymond Mark Turner, M.D.

a healthcare provider or servicer in Nevada
2,153 non-financial accounts compromised
 
A laptop containing medical records was stolen exposing over 2,150 people.

March 2015

In March 2015, ITRC reported 35 incidents where the number affected was under 10,000 per incident. The total disclosed was 100,011.

April 2015

In April 2015, ITRC reported 33 incidents where the number affected was under 10,000 per incident. The total disclosed was 74,607.

May 2015

In May 2015, ITRC reported 18 incidents where the number affected was under 10,000 per incident. The total disclosed was 37,634.

June 2015

In June 2015, ITRC reported 24 incidents where the number affected was under 10,000 per incident. The total disclosed was 63,779.

July 2015

In July 2015, ITRC reported 18 incidents where the number affected was under 10,000 per incident. The total disclosed was 40,082. They were counted as non-financial.

8/07/2015 $46M taken from Ubiquiti

Networking firm Ubiquiti Networks Inc. disclosed that cyber thieves recently stole $46.7 million because crooks fooled executives into making bogus wire transfers. Some was, and more will be, recovered, but the majority appears lost and may not be insured.

On June 5, 2015, the Company determined that it had been the victim of a criminal fraud. The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties. As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the Company has recovered $8.1 million of the amounts transferred. Furthermore, an additional $6.8 million of the amounts transferred are currently subject to legal injunction and reasonably expected to be recovered by the Company in due course. … The Company may not be successful in obtaining any insurance coverage for this loss. [ highlighting ours – ed. Source 8/6/2015 SEC 8-K Item 8.01 ]

Business Email Compromise (BEC) or man-in-the-email (MITE) scams are adaptive and surprisingly complex. Also known as “CEO fraud”, the scam starts when the email accounts of employees are spoofed or hijacked. During the summer of 2014, the Scoular Co. of Omaha, Nebraska, a commodities trading company founded in 1895, made multiple wire transfers to a bank in China after receiving instructions to do so. The transfers were made by the company financial controller after receiving emails purporting to be from the chief executive of the firm. The emails required silence and described a secret deal for the acquisition of a China-based company. The instructions were fake and the emails came from computers, email addresses and servers in Russia, France and Israel. The total of $17.2M is unlikely to be recovered as the account at the Shanghai Pudong Development Bank has been depleted of funds.

Businesses that make material wire transfers, especially to other countries, are recommended not to allow a single email message to be sufficient for such a transfer. Adopt a two-person rule, require authentication of the original message via another channel (ex: authenticate email by a telephone call to a specific telephone number) or similar requirements to avoid material exposure and potentially unrecoverable losses. (Source and More at KrebsOnSecurity)

Related: Who Loses When Companies Suffer a Cyber Heist?
KOS – Online Banking Best Practices for Businesses (read the section on making a “live CD” to boot to a more secure Linux environment)

8/10/2015 Mohu

2,500+/- financial accounts compromised

Who: The website of Mohu, a division of GreenWave Scientific, Inc. was attacked. What: The attacker(s) were able to insert malware and extract the information. When: It appears the compromise was between June 3, 2015 and July 28, 2015. The malware was removed July 28, 2015. Scope: Exposed information included name, mailing address, email address, telephone numbers, charge card numbers, expiration dates and CVV codes. Scale: Information on about 2,500 accounts was exposed. (Source: New Hampshire Department of Justice notice required because there were FOUR New Hampshire residents affected)

August 2015

In August 2015, ITRC reported 23 incidents where the number affected was under 10,000 per incident. The total disclosed was 57,063.

9/17/2015 Schools in North Carolina

7,600+/- compromised

Who and What: An employee of North Carolina-based Charlotte-Mecklenburg Schools disclosed employment application information to an outside contractor without authorization. The information has reportedly been removed and the school is increasing security to prevent a recurrence. Scale: About 7,600 exposed. Scope: Exposed were names, addresses, and Social Security numbers. Source: Secure Computing Magazine

9/25/2015 Barrington Orthopedic Specialists

1,009 compromised

Who and What: A laptop computer and an Electro Myography (EMG) machine were stolen from Barrington Orthopedic Specialists based in Illinois. The computer had personally identifiable information on patients. When: The theft was discovered on Tuesday 8/18/2015 and the theft was believed to have taken place between Friday 8/14/2015 and discovery. Scope: Compromised information included patient name, birth date, EMG test results and reports. Scale: 1,009. See the HIPAA patient letter and article from SCM.

9/28/2015 Oldham County Schools / Kentucky

2,800+/- compromised

What: Unauthorized access to a nutrition services computer at North Oldham High School was achieved via phishing. The computer contained personal information. When: The single incident occurred 9/10/2015. Scope: Compromised information included name, birthdate and Social Security number. Scale: Information on about 2,800 persons was in the database. Source: SCM

9/29/2015 Horizon / BCBS New Jersey

1,115+/- compromised

What: Multiple persons posed as health care professionals and gained access to personal information which was then used to submit false claims to Horizon Blue Cross Blue Shield of New Jersey. When: The scheme was uncovered by a Horizon BCBSNJ investigative unit on 7/30/2015. Scope: Compromised information included name, birthdate, gender and member ID number. Scale: Information was compromised for 1,115 members. 58 had claims falsely filed in their names. Source: SCM

September 2015

In September 2015, in addition to the above, ITRC reported 18 incidents where the number affected was under 10,000 per incident. The total disclosed was 49,364.

10/01/2015 ABA

6,400+ compromised

What: In an undated post the American Bankers Association (ABA) reported a breach of its shopping cart data. [ The post said “today” which is 10/1/2015, but there is no date on the post itself -ed ]. When: The date of compromise was not reported. Scope: Exposed data included email addresses, user names and passwords. Scale: “At least 6,400 records” were exposed.

10/09/2015 Dow Jones

3,500 compromised over three years

There have been two infiltrations of the financial firm Dow Jones & Company. They may, or may not, have been related.

One of them involved the exposure of 3,500 customers (DJ announcement & FAQ, 3 page PDF sent 10/9/2015), which reported “payment card and contact information” were exposed. The FAQ reports that attackers may have had access from August 2012 to July 2015, just short of three years. It also appears that DJC internal resources were unaware of the breach until they were informed by “federal law enforcement”. [ WSJ 10/9/2015 and more at Kaspersky/Threatpost 10/13/2015. For a duration of almost three years, 3,500 exposed seems rather small -ed ]

The other breach appears to have targeted not-yet-public information for an advantage in trading. There is a conflict between the company reports and Bloomberg’s report as to whether or not investigations are being conducted by the Federal Bureau of Investigation, the Secret Service and the Securities and Exchange Commission. Source: Reuters

10/09/2015 University Medical Department

9,300+/- compromised

What & Who: A laptop computer was stolen from a physician who had previously worked for the University of Oklahoma Department of Urology. The computer had information on patients and procedures between 1996 and 2009. The university did not know the physician retained the information after leaving their employ. The laptop was password protected, but the data was not encrypted. The physician is not certain the computer even contained patient information. University policies generally prohibit removal of patient information from its premises and require protection of patient information on laptops, including secure storage. When: The theft was during the night of 16-17 July 2015. The university wasn’t notified until August 14, 2015. It wasn’t until mid-September 2015 that the university determined neither the physician nor the current employer had notified the patients. Scope: Name, birth date or age, diagnosis, treatment code(s), date(s) of treatment with description. Scale: Information on about 9,300 people was exposed. OU notice. See also Secure Computing Magazine. [ Given the uncertainty and subsequent disruption, perhaps out-processing should include an affirmation of not retaining personally identifiable information? -ed ]

10/13/2015 Schwab

9,400+ compromised

Who and What: Schwab Retirement Plan Services accidentally emailed a spreadsheet to a participant enrolled in another retirement plan serviced by SRPS. Scope: Exposed information included name, address, birth date, Social Security number, dates of employment, marital statuses, account balances and more. Scale: 9,400 people were exposed.

The good news is that the recipient of the spreadsheet informed their plan sponsor, who notified SRPS. The recipient’s firm deleted the email and attachment from their email system and server. See Office of the Attorney General in California notification and SCM

10/14/2015 Uber Exposes Drivers

674 compromised

According to Gawker it takes about a minute to start the electronic “paperwork” to become an Uber driver, then 15 minutes to watch a safety video, then entering basic driver documentation such as your license, registration, and insurance. To edit this data, users of a new app were directed to a page containing information for other drivers including “clear, high-resolution pictures of drivers licenses, W-9 tax forms, livery car company articles of incorporation, and other sensitive personal documents—many of which contain social security numbers —can be easily viewed and downloaded.”

Uber reported that this exposure affected “no more” than 674 of its US drivers. Uber exposed 50,000 earlier this year. Read more at the source: Sophos.

10/16/2015 Community Catalysts of California

1,182 compromised

What & When: The home of an employee of Community Catalysts of California, an advocacy group, was burglarized in late August 2015 and a flash drive was stolen from the employee’s car in a locked garage. The company was notified on September 8, 2015. Scope: Exposed information included name, address, diagnosis, birth date, gender, telephone number and some Social Security numbers. Scale: 1,182. Company [ http://communitycatalysts.org/possible-data-disclosure-notice ] notice and SCM article.

10/20/2015 North Carolina DHHS

1,615 compromised

Who & What: An employee of the North Carolina Department of Health and Human Services (DHHS) inadvertently sent an email containing an unencrypted spreadsheet containing personal information. Scope: Exposed were name, Medicaid identification numbers, medical provider names, medical provider ID numbers, and other information related to Medicaid services. Scale: 1,615 people had their information compromised. Source: SCM

10/29/2015 British Gas

2,200 compromised

British Gas, a provider of natural gas, has contacted 2,200 customers informing them that some of their information was posted to Pastebin. Exposed logins could have been used to view names, addresses and past energy bills. BG wrote that banking and payment card details were not exposed and “assured” customers that there was no breach of their systems. So how did the information get out?

There are several possibilities. The crooks could have obtained the information from another breach and tested to see if consumers used one password in several places. Or, consumers may have been socially engineered into revealing the information.

The affected accounts had their passwords revoked and the affected consumers were asked to securely reset their password. British Gas is owned by Centrica and has some 14+ million customers. (Sources BBC and Sophos)

[ If the logins were exposed, could not someone log in to see the financial information?
See also: Using the same password in more than one place is a bad idea -ed ]

October 2015

In addition to others shown here in October 2015, ITRC reported 28 incidents where the number affected was under 10,000 per incident. The total disclosed was 55,473.

November 2015

In addition to others shown here in November 2015, ITRC reported 12 incidents where the number affected was under 10,000 per incident. The total disclosed was 24,492.

12/14/2015 Dating App Database Hacked

5,027 accounts exposed

“60 Minutes is in the lobby” is generally a frightening thing to hear. Almost as bad is running a specialized dating site and being contacted by someone saying your data is leaking all over the internet. What do you do?

Like a white-hat should, the researcher disclosed the security issue to the company. The company (Hzone) didn’t reply, so the researcher asked for help from DataBreaches.net. A week more and no reply. Anyone who knew how to discover public-facing MongoDB installations could still access the data. Eventually Hzone replied and threatened infection. Infection?

Yeah. Hzone is a specialized dating site for HIV infected people. Each exposed record had considerable personally identifiable information (PII) including birthday, relationship status, religion, country, height, sexual orientation, number of children, ethnicity, email address, IP details, password hash, nicknames, posted messages and more. Those messages contain political views, sexual life experiences, and medical information.

DataBreaches.net filed a complaint with the US Federal Trade Commission (FTC) 12/9/2015 urging them to talk some sense into the developer. No response has been received. It may be that Hzone didn’t have the technical expertise to secure that data. An Hzone spokesperson admitted the company wasn’t exactly “what you’d call particularly tech literate.” The leakage was stopped on December 13, 2015, but how many times was that data taken? Who might use it? What for?

So, when faced with this problem do NOT do what Hzone did. By not replying in a timely manner they extended the exposure of their user data to the world. They threatened the messenger instead of embracing the message. They appear not to have been prepared for their undertaking. The data wasn’t encrypted. They didn’t actually delete user information. Their incident responses were … unresponsive. More at CSO Online and Sophos.

[ If their terms of service cite words like “confidentiality” and “security” we can only imagine the lawsuits that may put them out of business. -ed ]

12/15/2015 ESA Passwords hacked

8,170 passwords and more were exposed

The hacking collective “Anonymous”, just for “lulz”, hacked the European Space Agency obtaining information on over 8,000 people. The published records included the site’s database, email ids, office addresses, workplace names, phone numbers and even plaintext passwords. More at the International Business Times article.

12/16/2015 Update: ESA Passwords were … simple

Lots of people work at the European Space Agency including some rocket scientists.

An analysis found that more than a third of the exposed passwords were just three characters long. Two of the eight character passwords were, we’re not kidding here, “password” and “12345678”. The short passwords might have been cracked, but about two percent of the published passwords were 14 characters or longer meaning it is just possible that the passwords were stored in plain text. Minimum levels of password strength (minimum length, mixed case, numbers, special characters) and secure storage are not impervious to hacking. Doing better than this isn’t rocket science either. For more see the Sophos article.

December 2015

In addition to others shown here in December 2015, ITRC reported 32 incidents where the number affected was under 10,000 per incident. The total disclosed was 32,886.

 
 

In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended. We also recommend The Identity Theft Resource Center (ITRC).

 
 


Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.