2016 Compromises affecting 10,000 or more

2016 Compromises affecting less than 10,000
2016 Compromises affecting an unknown, or undisclosed number
2016 Summary of Compromises
2016 General Information

1/04/2016  Ohio area tax authority loses records

50,000 affected

The Regional Income Tax Agency has lost a DVD with information on about 50,000 people who filed with that agency. “No indication” it was stolen. It was stored at a third party vendor’s facility and its loss was discovered when the DVD was recalled to be destroyed. More …

1/05/2016  Ukraine Power Grid Hacked

1,400,000 affected

Reported by TSN news in late December 2015, a power outage lasting several hours left about half the homes in the western Ivano-Frankivsk region without power. Slovakian information security firm ESET now reports that the attacks were much more widespread than originally believed. “This is the first time we have proof and can tie [ specific ] malware to a particular outage,” Kyle Wilhoit, a senior researcher at security firm Trend Micro, tells Reuters. “It is pretty scary.” Much more at 12/31/2015 Reuters 1/05/2016 DataBreachToday

1/06/2016 Update  A spreadsheet started it?

Did a malware laden Excel spreadsheet start the cascade lead to a massive power outage? Paul Ducklin of Sophos:

Company X receives an Excel file via mail. The file contains macros, which don’t run by default, but if the recipient clicks to allow them, the macros install malware from a family called BlackEnergy.

BlackEnergy is what is known as a bot or zombie, which calls home to receive instructions from the remote attackers. (The malware name predates any connection with the energy industry.)

The attackers can then install various additional malware items, such a data-trashing Trojan called KillDisk, and a hacked copy of the DropBear SSH server that has backdoor “master passwords” programmed into it. Source

[ Don’t open Microsoft Office documents from people you don’t know. Make sure your system is set up to ASK for permission to execute macros. Do NOT give approval for macro execution for documents you might suspect. Security is in YOUR hands. -ed ]

1/07/2016 Update  Sandworm

“U.S. cyber intelligence firm iSight Partners said on Thursday it has determined that a Russian hacking group known as Sandworm caused last month’s unprecedented power outage in Ukraine.” More at Reuters

[ iSight should know SandWorm code. They “discovered” it in October 2014 during an analysis of Russian attacks against NATO. Review this post as it gave definition to the meaning of a weaponized PowerPoint presentation. -ed ]

1/14/2016 Update  Coordinated Attack

While malware was part of it there were other parts that coordinated in taking out the Ukraine power. See NakedSecurity/Sophos.

1/22/2016 Update  Follow on Phishing

Spear-phishing targeted at energy related businesses and facilities in the Ukraine continue. There may be a single source or multiple sources and they may, or may not, be related to the recent blackout. The malicious payloads are more common than the earlier tailored BlackEnergy. The main airport in Ukraine’s capital, Kyiv International Airport (IEV), was infected by malware that communicated with a server based in Russia. One thing is certain, someone is making winter more miserable. More at DataBreachToday.

1/06/2016  Southern New Hampshire University

140,000 exposed

A database containing student information including names, email addresses, course name, course section, assignments and scores was exposed to the public. More …

1/06/2016  TimeWarnerCable Hacked

320,000+/- customers exposed.

TWC was notified by the Federal Bureau of Investigation that some customer information including email addresses and account passwords “may have been compromised.” TWC has no idea how the information was obtained saying both “were likely gathered either through malware downloaded during phishing attacks” and obtained “indirectly through data breaches of other companies that stored Time Warner Cable’s customer information”. Reuters

1/08/2016   Indiana University Health

29,324 compromised

An unencrypted portable storage device went “missing” from the Emergency Department. Informatioin on that device included patient names, birthday, age, telephone number, dates of service, diagnoses and physician. More…

1/12/2016   St. Luke’s

29,156 compromised

A late report to HHS.GOV: 10/31/2015 an unknown person entered a restricted area of the hospital and removed a USB drive that may have contained protected health information on patients. More …

1/12/2016   Faithless Fans

18,000 compromised

A database containing 18,000 user names and passwords was discovered on the web. The hack was later determined and the company fixed the database but neither disclosed the breach nor the repair. Although the fan database isn’t a very valuable target the prize comes from two other uses: use of the information for phishing and a tendency for people to use the same username/password combination on other sites. In 2018 the European Union with introduce new data protection rules that may include “mandatory data breach reporting” so the affected are at least informed. Source

1/19/2016   Blue Shield of California

20,764 exposed when an unauthorized user gained access to the data systems. More …

1/19/2016   New West Health Services of Montana

28,209 exposed when a laptop computer was stolen from an off site location. Information may have included customer name, birthday, address, medical history, diagnosis, prescription(s), driver’s license number, Social Security numbers, bank account, and charge card information. More …

1/26/2016   Bailey’s Inc.

15,000 compromised when charge card information was taken from the company web site BaileysOnline.com Keystrokes were captured starting on 9/25/2015 and ending 1/13/2016. Compromised were cardholder names, address, telephone number, email address, charge card number, CVV numbers, expiration date, user name and password. More …

1/26/2016   Centene

950,000 compromised because a St. Louis based health care provider cannot locate six hard drives containing name, address, birthday, Social Security number, and other health information for persons who received laboratory services from 2009 to 2015. The absence-of-presence was discovered during an inventory of information technology assets. Centene provides such services over 23 states.

1/28/2016   FOP hacked

330,000 members

The Fraternal Order of Police (FOP) reported information taken from their web servers and re-posted on line. The fop.net server was taken off line and was still off line 1/30/2016. The FOP president, Chuck Canterbury, reports the FBI is investigating. The web site is primarily members only and serves as a discussion forum. The facts are in dispute. One who re-posted part says there are terabytes more. Canterbury says there was never that much material. What was re-posted includes hundreds of contracts between authorities and FOP. Some of these have been criticized as shielding police officers from prosecution or disciplinary action following validated excessive uses of force. More…

2/04/2016   Taobao users

20 million exposed

Alibaba, the largest collection online buyers and sellers, owns Taobao which is like Amazon’s storefronts with consumer-to-consumer (C2C) sales. The Taobao website connects the buyers and sellers. Like such systems everywhere it is sort of self policing. Sellers who don’t deliver as promised or buyers who don’t pay get bad marks. Those with poor marks are shunned by other buyers and sellers.

Hackers obtained 99 million usernames and passwords from a number of sources. They used Alibaba’s cloud computing platform to apply the details to Taobao. They found about 20%, over 20 million, of those user names and passwords were used for Taobao. Criminal conduct ensued, there was a detection and, according to Chinese officials, the crooks have been caught. Original report from Reuters.  Analysis from Motherboard and NakedSecurity/Sophos

[ One user account for one web site. Don’t reuse! It may inconvenience some electrons, but in this case being green means keeping your money. -ed ]

2/04/2016   UCF SSN & PII swiped

63,000 exposed at the University of Central Florida

Students (current and former), staff and faculty were compromised in January. Also exposed were employees who worked at UCF back to the 1980s. How the breach was discovered was not disclosed. See more from the Orlando Sentinel

2/08/2016  29k Feds Exposed

29,000 DHS and FBI exposed

[ Whether or not the information was obtained via scraping already public records or improper access of one or more sources of information to which they were not privileged, someone has exposed information on about 20,000 agents of the Federal Bureau of Investigation (FBI) and 9,000 employees of the Department of Homeland Security (DHS). -ed ]

On Sunday 2/7/2016, Motherboard obtained an advance copy of a sub-set of the database. They called a “large” selection of telephone numbers and connected with voicemail boxes matching the name listed in the database. Other connections were made with department operation centers and a few to people. A few of the numbers reached persons or offices other than those listed. On reaching the DHS National Operations Center, Motherboard was told they were the first to report a “data breach”. According to the anonymous hacker access was obtained via a single compromised email account then “social engineered” a code from a “helpful” person to get past the security portal. More at Motherboard

2/08/2016 Update  DHS Reply

DHS: “We take these reports very seriously, however there is no indication at this time that there is any breach of sensitive or personally identifiable information.” The posted information was notable for what it did not contain. Although the poster referred to charge card numbers none were provided. DHS describes the information obtainable via Freedom of Information Act request. More at FoxNews

2/13/2016  1M charge cards for sale

Since at least June 2015 Bestvalid.cc has been selling the stolen charge card details of over a million people for as little as £1.67 (about $2.50/each) in an operation labeled “the largest and most brazen of its kind”. The site is on the open web, not the deep web, not the dark web, just out in the open. With a victim’s permission a reporter made a purchase with bitcoin. In the bundle received were charge card details and other identity theft items including mother’s name, mobile phone number and postal address. Merchants are not being forthcoming about charge card compromise either. In last year’s TalkTalk breach it was reported that only partial charge card information was exposed when over 150,000 complete sets of information were. Absent warning consumers had no chance to act proactively to prevent misuse. More at Telegraph/UK

[ This is why NC3 was designed, to make the merchant storehouse of charge card information valueless to criminals. Tweet

Ajaypal Singh Banga CEO @mastercard
and Charles W. Scharf CEO @visa

Tell them a better way exists that adds functionality beyond anything available and does not require new hardware for providers, merchants or consumers. See www.NC3.mobi -ed ]

2/27/2016  University of California/Berkely Hacked

Financial information on 80,000 exposed

December 28 2015, during the fix of a problem with the financial management system, a hacker broke in gaining access financial data for students, alumni, current and former employees. Exfiltration of the data was not confirmed. Affected were those who received non-salary payments though electronic fund transfers, such as financial aid awards and work-related reimbursements. Vendors who received EFT payments were also exposed. (Source)

[ It took two full months for public disclosure, but the affected were notified within a week. -ed ]

February 2016

In addition to others shown here in February 2016, ITRC reported 7 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 203,439. These included 91,000 from the Washington State Health Authority.

3/01/2016  Twitter Bug

Mid February: about 10,000 Twitter uses that a bug in the password recovery system may have exposed their personal information. Details were limited to 140 characters. Read more at Naked Security / Sophos. [ ok, one part of the above was sarcasm, but we don’t have a sarcasm font. -ed ]

3/03/2016  Main Line Health

A spear phishing attack resulted in data on 11,000 employees to a scammer per HIPAA Journal.

3/03/2016  Public Health Trust

There was an unauthorized access to 24,188 electronic medical records.

3/03/2016  Premier Healthcare

A locked laptop computer was stolen from the Billing Department which was locked and protected by an alarm system. The laptop was password-protected, but was not encrypted. Information exposed included material to address billing issues for 205,748 patients.

3/10/2016  22,000 exposed

A cyber security breach by a disillusioned ISIS member brings an intelligence prize with information with 22,000 names, addresses, telephone numbers and family contacts. More at Fortune

3/11/2016  2.2 million exposed

Cancer center hacked in October 2015.

21st Century Oncology is based in Fort Myers, Florida operates 145 cancer treatment centers in the United States and 36 more in seven Latin American countries. In November 13, 2015 they were notified by the FBI “that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database.” Subsequent investigation found that the breach occurred October 3, 2015 and may have exposed patient names, Social Security number, physician names, diagnosis, treatment and insurance information. 21st CO revealed the number affected on March 4, 2016 as part of an 8-K filing with the Securities and Exchange Commission. That is five months after the breach and four months after being told about the breach by the FBI. The delay as at the request of the FBI so as not to compromise the investigation. More at Data Breach Today.

3/15/2016  LAZ Parking

About 14,000 employees of the LAZ parking company in southern California had their 2015 W2 information sent in response to an email.

3/24/2016  Kantar Group

A W2 phishing scam obtained information on about 28,000 employees of the market research firm Kantar Group. See KrebsOnSecurity

3/24/2016  1.5 million Verizon exposed

Earlier this week the sale contact information on some 1.5 million customers of Verizon Enterprise was offered for $100,000. Alternately $10,000 would buy 100,000 records. Detail are sparse but it appears Verizon found the weakness before the offering and is contacting affected customers. More at Krebs On Security.

3/28/2016  Mercy Clinics

15,625 patients have been informed that their name, address, date of birth, medical diagnoses, treatment information, and health insurance details. Some Social Security numbers may have been exposed by a data-capturing virus. Per HIPAA Journal

3/29/2016  UC students/staff/faculty monitored by … UC

470,000 exposed

When: Late in 2015 high-powered spyware was installed at the University of California, a large school system with undergraduate, graduate, medical programs and more in many locations.

Who: Who had it installed? No foreign hacker, no rogue federal government program. It was the University of California’s president, Janet Napolitano, former head of the Department of Homeland Security. (source)

Why: UC has been the target of some large-scale problems and protection was warranted. The question and outrage have to do with the secrecy with which the “protection” was installed. Without public announcement or disclosure, hardware and software were installed to monitor traffic patterns including what web sites are viewed by students, staff, and faculty.

Earlier this century, an attempt to track what books you read was met with withering criticism for its potential to muzzle free speech.

What: The office of the president has not explained what is being collected, what analysis is being performed, and how that collected data is itself being protected. Earlier practice was to delete the log files rapidly. Now these files continue to exist and are subject to exposure through legal or illegal means.

The official policy seems to have evaporated. The official word from UC-Davis on spyware says:

The use of programs to identify and remove spyware programs is strongly advised to help to maintain the privacy of personal information and Internet use. The use of an anti-spyware program must be accompanied by installing program updates on regular basis to ensure the ability to detect and remove new spyware or adware programs. This standard applies to computers connected to the campus network using Windows operating systems. [ source highlighting ours -ed ]

That quote is from the “UC Davis Cyber-Safety Program Policy”. There is a link to a document at https://security.ucdavis.edu/archive/pdf/310-22.pdf which appears to be non-existent.

Timeline and Faculty response A timeline and emails from the faculty are highly critical as are some responses from industry and UCLA faculty.

In general California students are not reluctant to make their unhappiness known. In early February several students sued Google for violating their contract regarding scanning email to target advertisements.

[ We are surprised this is below the national radar. The participants in this conflict are not lightweights. On one side is a major university that educates national-level computer science talent and has a long history of supporting free speech. The other served for four years as head of Homeland Security. While the motives may have been good, and may still be good, the secrecy with which the surveillance was begun is antithetical to our freedoms. Monitoring what people read is unsettling, as was the library issue earlier this century. In general, Secrecy begets Tyranny:

“Secrecy is the keystone to all tyranny. Not force, but secrecy and censorship. When any government or church for that matter, undertakes to say to its subjects, “This you may not read, this you must not know,” the end result is tyranny and oppression, no matter how holy the motives. Mighty little force is needed to control a man who has been hoodwinked in this fashion; contrariwise, no amount of force can control a free man, whose mind is free. No, not the rack nor the atomic bomb, not anything. You can’t conquer a free man; the most you can do is kill him.”

Robert A. Heinlein (source)

-ed ]

3/31/2016  State Department Visa Database

Half a billion records exposed.

In addition to common items such as name, address, birthday, Social Security number etc. this database contains a massive biometric treasure. Photographs and fingerprints make it highly valuable to a nation-level intelligence service. The exposure is being downplayed by public announcement of being “hard to exploit”, but being hard to do isn’t impossible to do. Who hacked the Office of Personnel Management in June 2015? That breach went undetected for almost a year. The number affected started at 4 million, then 10 million and, thanks to a second breach, totaled over 25 million records. Who did that? Perhaps more important is the potential for hackers to alter pending applications to obtain approval for a passport or a visa that would otherwise be turned down. More at ABCNews

4/04/2016  Massive Turk Exposure

49.6 million records exposed?

Using servers in Romania an Icelandic group specializing in divulging leaks has posted a database that appears to contain personal information. The content, partially verified by AP, contained names, national ID numbers, addresses, birthdates and parents’ names. Included in the disclosed information was Turkish President Recep Tayyip Erdogan, the prior President Abdullah Gul, and the current Prime Minister Ahmet Davutoglu. More at The Seattle Times

4/04/2016  Irked Hacker Strikes

237,000 records exposed or were they?

Poor security practices of an adult website (ok, a porn provider) irked a hacker so much he hacked them and they never knew it until the data appeared in the dark web. Worse, because that one site was part of an affiliated group of adult web sites more information was exposed. The company says the data is recycled from an older breach. The company never removes old user identification, but those accounts are not useful after they expire. More at Motherboard

4/10/2016  Philippine Election Database

The Philippine Commission on Elections website was defaced and a few days later, Lulzsec Pilipinas dumped the voter database. The Commission claimed no sensitive information was exposed in the breach. Do you believe them? Probably good that you didn’t because over a million Philippine voters who are out of the country had their PII, including fingerprints, exposed. More …

4/11/2016  44k at FDIC

44,000 exposed in “inadvertent” breach

A former employee left FDIC on Friday February 26, 2016 with a personal storage device. FDIC detected the breach on Monday February 29, 2016. The device was returned Tuesday March 1, 2016. What was on the device? The FDIC isn’t saying only that the former employee had legitimate access to it “for bank resolution and receivership purposes.” More at Washington Post

March 2016

In addition to others shown here in March 2016, ITRC reported 2 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 47,588. These included a W2 phishing scam that snagged about 21,000 W2s for employees of Sprouts in Arizona and an unauthorized access to computer records of the Illinois Valley Podiatry Group which exposed patient data on 26,588 persons.

4/14/2016  93.4 million Mexican voters exposed

Earlier in April 2016 the Philippine Election Database was compromised. In December 2015 over 191 million American voters were exposed. Now the voter database from Mexico, all Mexicans registered to vote as of February 2015, has been found on line. There were 93.4 million entries in 100+ gigabytes. The compromise was confirmed. Mexican authorities explain that the database is not on line, let alone on Amazon Cloud storage. When the database is provided to political parties it is sent via hard drive. The non-password protected database was found by the Shodan-Slueth Chris Vickery. A list of the fields exposed and more is at Motherboard / Vice

4/22/2016 Update  Mexican voter database off line

Vickery discovered the database 4/14 and reported it to the US State Department, the Department of Homeland Security, Mexico via the Mexican Embassy in Washington D.C., the Mexican Instituto Nacional Electoral (INE), and Amazon. The database was taken offline 4/22, eight days later. Vickery’s blog

4/27/2016  Minecraft Lifeboat springs leak

“Lifeboat” has been hacked to expose 7 million users. More

[ Were you exposed? See Have I Been Pwned website. Just enter email address to check against many (too many) breaches. -ed ]

4/27/2016  Beautiful People get hacked too

1.1 million users who were “beautiful” enough to be included on the dating site BeautifulPeople.com have had their height, weight, job, email address, telephone numbers, and other information contained in about 15 million “private” email messages exposed since December 2015. Some of the beautiful people found their exposed data but had not been notified by the company. 170 of these beautiful people used a .gov email address. More

[ BP validated the email addresses so whoever used it has access to those government email accounts. BP also requires an image of the applicant has to be posted for others to vote on acceptance. Is someone looking into the use of .GOV email addresses? Were you exposed? See Have I Been Pwned website. Just enter email address to check against many (too many) breaches. -ed ]

4/30/2016  Computer Distributor Infects Computers

12 million infected

On 12 million computers in Australia, France, Japan, New Zealand, Spain, the United Kingdom and the United States, there exists software with capabilities for adware and spyware. It was installed there by advertising company Tuto4PC. Discovered by Cisco’s Talos security intelligence and research group, the software has administrator rights and can download and install other software without user consent and gathers consumer personal information. The software is aware of sandboxes, antivirus and security tools including forensic software. As a result, Talos classified Tuto4PC as a “full backdoor capable of a multitude of undesirable functions on the victim machine.”

The French are investigating the installation of unwanted software and harvesting of users’ personal details. In response, Tuto4PC Group CEO stated the antivirus bypass technology is not used for malicious purposes, just to make it easier for users to install applications being blocked by antivirus software. More at Security Week.

[ If the bypass was for user benefit why isn’t it available with an on / off switch? Why was new software downloaded without user permission or notification? The Talos classification story is well worth the reading to learn how a seemingly benign piece of software was determined to have capabilities far in excess of expected and for purposes decidedly not benign. -ed ]

April 2016

In addition to others shown here in April 2016, ITRC reported 3 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 5,109,247. These included:

4/6/2016 Office of Child Support Enforcement / Washington State. In February 2016 burglars stole a laptop and hard drives that may have contained up to 5 million names and Social Security numbers.

4/20/2016 Patient Treatment Centers of America was hacked exposing 19,397 patient names, addresses, identification numbers and Social Security numbers.

4/20/2016 The Archdiocese of Denver payroll system was accessed. W2 information was accessed for about 80 people, but 18,000 names, addresses and Social Security numbers are in the database.

5/03/2016  ADP weakness exposes W2s

ADP provides payroll, tax and benefits administration for more than 640,000 companies. U.S. Bancorp, the fifth-largest commercial bank in the United States, warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.

How? ADP has an online portal allowing employees to access their data directly, without having to go through their company human resources. If an employee never created (registered) their account at the external portal a crook, relying on static information, could perform the registration, and obtain anything the original employee could have accessed. More at Krebs On Security.

5/05/2016  Millions of Credentials for $1

Hold Security researchers found for sale stolen credentials in 1.17 billion records. Eliminating duplicates there were over 150 million from Mail.ru accounts (57M, almost 90% of all Mail.Ru users), and tens of millions of credentials for Gmail (24M), Microsoft (Hotmail 33M) and Yahoo (40M), plus “hundreds of thousands of accounts” at German and Chinese email providers. More at Reuters

5/06/2016 Update  Maybe not

[ In September 2014 there was a reported exposure similar to this. We reported it, but did not include the numbers in our count of exposed accounts. There are reasons to exclude this one as well. See Business Insider. -ed ]

5/07/2016  Kroger employees exposed

Equifax allows employees of many companies, including Kroger, to download their W2, that document so prized by crooks because it has so much information allowing them to file for false tax returns.

All the crook needed was the 8-digit “default PIN code”. The first four digits are the last four digits of the employees Social Security number and the last four digits are their birth year. Kroger alone employs over 430,000 people. They, and all the other employees of Equifax customers, were exposed. More at Krebs On Security.

5/10/2016  InvestBank Breach

Exposes 100,000 payment cards and more

About 10GB of data appears to contain bank internal files, other financial documents, customers’ data and 100,000 Visa and MasterCard payment card numbers. Also included were bank statements for more than 3,300 InvestBank customers, ATM transaction records, extensive details relating to InvestBank’s employees, property records, scans of identity documents and other sensitive material. The breach seems to have been accomplished by the same group that hacked Qatar National Bank in late April 2016. More at Data Breach Today

5/13/2016  PORN dot GOV?

Not exactly. A hardcore fetish web site was injected with an SQL code to reveal information about its customers. Information included IP, email, username and passwords of more than 100,000 users. We’ve seen exposures like this before. What is perhaps new is the number of email addresses ending in dot-GOV and dot-MIL indicating a position with the US government or military. More at Hack Read.

[ Were you exposed? See Have I Been Pwned website. Just enter email address to check against many (too many) breaches. Thanks to Troy Hunt for finding this breach and maintaining such a great tool. As for those who used GOV/MIL email addresses, why not use Gmail? It might have saved an interview with the inspector general, the FBI or other people with the power to end your career or worse. -ed ]

5/19/2016 Update   No watchdogs, no verification

According to Troy Hunt no one from the US government or military has contacted him to get a list of the GOV or MIL addresses in the database. Also, if it wasn’t clear before, this web site didn’t verify the accuracy of the email address provided. So, anyone could have registered with any email email address. Unlike some other websites that don’t verify there were no publicly available glaring misrepresentations.

5/20/2016 Update  Social Scientists Swipe PII

70,000 people exposed by … social scientists?

Between November 2014 and March 2015 Danish researchers accessed a website and harvested the data of 70,000 people. Information included, age, gender, location, personality traits, usernames and more. The researchers didn’t hack the site, they viewed the profiles in the normal manner and used an automated “screen scraper” to harvest the data. The data was included in a document submitted for review, not published, but reviewers took objection.

Was it public? No. At best it was semi-public and protected by copyright. The contents may not be published or used to create derivative works for any public or commercial purpose. Perhaps worse, these were social scientists who generally take personal information and make it anonymous. This data had considerable personally identifiable information (PII).

The Open Science Framework (OSF, who had received the data for review prior to publication) removed the data following a Digital Millennium Copyright Act (DMCA) complaint from the web site and an investigation. The researchers say they will submit to other journals. Because the data was available there is a possibility it has already been taken for other, less beneficial, purposes than the advancement of social science. More at Naked Security / Sophos

5/23/2016  Bank Secrecy Exposed

100,000+ exposed in The Great Swiss Bank Heist.

Back in the mid-2000s one person was able to extract data on over 100,000 Swiss bank accounts. The exposure itself was shrouded in secrecy. Were honorable clients exposed? Yes. About 13% of the list had secret accounts, but declared them to their respective governments and paid taxes. About 87% did not.

The prosecution claimed that the privacy of thousands of honorable clients had been violated … this was hard to reconcile with the damning particulars of the list. Of six hundred and twenty-eight Indian names on the list, only seventy-nine had declared their assets to the Indian government. The proportion was similar for Argentina and Greece. Gabriel Zucman, the economist, estimates that eighty per cent of assets in offshore havens are undeclared. Tax evasion wasn’t incidental to H.S.B.C.’s Swiss bank, Henzelin concluded; it was the bank’s raison d’être. [ (source) Highlighting ours. -ed ]

In the case of Greece the amount hidden was a double digit percentage of their national gross product. Neighboring countries began to realize that the hidden banking system was siphoning funds that represented tax revenue and the amount was staggering. Much more at the New Yorker.

We didn’t have such large problems in the last century. Why today do we have a global economy that damages so many? Perhaps because in the ‘old’ days more people played by the same set of rules. This from the Bank of England describes the breach of trust where some participants simply don’t follow the same rules, taking benefit now for themselves and leaving the system in disarray.

Evidence has emerged, both micro and macro, to suggest trust may play a crucial role in value creation. At the micro level, there is now ample evidence the degree of trust or social capital within a company contributes positively to its value creation capacity,” said Haldane. “At the macro level, there is now a strong body of evidence, looking across a large range of countries and over long periods of time, that high levels of trust and co-operation are associated with higher economic growth. Put differently, a lack of trust jeopardizes one of finance’s key societal functions — higher growth.”[ (source 26 page PDF) Highlighting ours – ed ]

5/27/2016  MySpace

Exposed: 360,213,024 records that might have an email address, a username, some with one password and some with two passwords. 111,341,258 of the accounts included a username. 68,493,651 had a secondary password. Passwords were weakly protected. What appears to be a default password “homelesspa” was in use for over 850,000 records and was #1 in frequency followed by “password1”, “abc123” and “123456”. The top four email domains were @yahoo.com (over 126 million), @hotmail.com (almost 80 million), @gmail.com (over 25 million) and @aol.com (over 24 million). There is an open question of when MySpace was hacked and MySpace has not responded to requests for comment. More at Leaked Source.

7/01/2016 Update  MySpace

The compromised MySpace data was released and is now on the Have I Been Pwned website with over 1.1 billion compromised credentials. Just enter an email address to check against many (too many) breaches.

5/30/2016  65M Tumblr Accounts

Tumblr (now owned by Yahoo) posted note #69,375

We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password. For additional information on keeping your accounts secure, please visit our Account Security page. [ (source) Highlighting ours -ed ]

A cyber intelligence specialist for Hacked-DB got the breach data and reports the number of hacked accounts at 65,469,298. Tumblr refused to confirm, deny or comment on the accuracy of the number. More at Hack Read.

[ We have repeatedly indicated our opinion that breaches are not being reported. (see When Do You Get Told?) This and the bank heists via SWIFT are just two recent examples. This one appears to have Yahoo/Tumblr management speaking with two voices. One: it was years ago, before new management, no big deal, etc. Two: We won’t say how many there were and (even though it is no big deal, right?) we’ll be requiring a password reset for affected users. Hardly the way to give us the warm and fuzzy security feeling. -ed ]

May 2016

In addition to others shown here in May 2016, ITRC reported 10 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 732,286. See below.

5/31/2016  Brunswick Corporation / Mercury Marine

13,000 people were exposed thanks to a successful phishing expedition that caught W2s for current and former employees about 5/3/2016 per ITRC 20160503-04.

5/31/2016  FDIC

In October 2015 a former FDIC employee walked out with thousands of sensitive records including 10,000 Social Security numbers. The data was recovered in December 2015 but not reported until May 2016 during which various FDIC officers debated over whether or not the exposure constituted a “major” incident. Per ITRC 20160509-08.

5/31/2016  Ohio Department of Mental Health and Addiction Services

A survey was sent via postcard instead of envelopes exposing health care information for 59,000 patients about 5/9/2016 per ITRC 20160509-01.

5/31/2016  Mayfield Clinic of Cincinnati

In February 2016 23,341 patients were sent email with an attachment of malware. How many were actually infected is unknown. The data to send the email was obtained by an individual who gained access to a database held by a vendor to Mayfield per ITRC 20160510-03.

5/31/2016  National Counseling Group

On 3/21/2016 email was hacked exposing information on 23,000 per ITRC 20160510-05.

5/31/2016  Medical Colleagues of Texas

The computer system was hacked exposing names, addresses, health insurance information and Social Security numbers for 68,631 people per ITRC 20160512-06.

5/31/2016  California Correctional Health Care Services

On 2/25/2016 a password protected, but unencrypted, laptop was stolen from a personal vehicle exposing medical information on 400,000 people per ITRC 20160516-02.

5/31/2016  Poway Unified School District of California

A parent asked for information on her own name using a public records request. The district released information on 36,000 students including their name, nicknames, addresses, phone number, hearing exam results, vision exam results, language fluency, academic test results, and parent occupation.

5/31/2016  San Juan County of New Mexico

A system was hacked exposing healthcare information for 12,000 patients exposing personal helth care information per ITRC 20160524-04.

5/31/2016  Southwest Eye Institute

Information on 87,314 patients were exposed by a network hack per ITRC 20160524-17.

6/01/2016  Major Utility Open to the Internet?

Chris Vickery has had excellent success at trolling the internet and finding poorly secured or totally unsecured data. At the end of May he posted that a major utility had exposed 47,000 computers, servers, and other devices left wide open. “We’re talking about IP addresses, operating systems, hostnames, locations, MAC addresses, and more” “This would be a treasure trove for any hostile nation-state hacking group.” Dangerous? Yes. Back in March 2016 the Ukraine power grid was hacked affecting over a million people. In response the company said this data was all “fake”. There are fake networks specifically designed to lure intruders. This might have been the most detailed such “honeypot” ever. If so, why did the company take it down rapidly after being notified? This company delivers delivers natural gas and electricity to about 16 million people in California. Do they have no security?

6/02/2016  NFL players

This past April a football trainer’s laptop was stolen along with paper records in a backpack. Combined, the two have electronic and paper medical records for thousands of players, including NFL Combine attendees since 2004. HIPAA rules may not apply because the NFL is not a “covered health care provider”, but the exposure is the same. More at DeadSpin and Data Breach Today.

6/03/2016  Multi MongoDB

36 million records were compromised from over 110 IP addresses. Specific information varied by server but included were full name, username, password, telephone, physical address, over half a million email addresses and more. The primary vulnerability was poor security configuration. More at Hack Read.

6/07/2016  Driver’s Licenses from Louisiana

For sale on the dark net: 290,000 records with first name, middle name, last name, birthday, license number, addresses, city, state, zip code and phone numbers. Some records have emails. Where did the information come from? Consider two more fields: state that issued driver’s license and offense. That has the appearance of a police database for driving infractions. Records are primarily from Louisiana, but include Delaware and Texas. The hacker asking $12,153,960,000 USD, over 12 billion dollars, or some agreeable price. Bitcoin only. More at Hack Read.

6/08/2016  VK.COM

VK.com is Russia’s largest social networking site with more than 350 million users over all Europe. 100 million records containing, full names, email addresses (sometimes two), location, and telephone number were offered for sale. Also included were [gulp] plain text passwords. LeakedSource has part of the database added to its service. You can check it. You might not believe the most common passwords. See The Hacker News for more.

6/08/2016  State Farm

DAC Group had a security breach to a development system populated with production data. 93,000 customer accounts were exposed. 77,000 of those accounts were for State Farm, a group of insurance and financial services companies. More at Hack Read

6/09/2016  Karma Bites Crooks

ShOping.su is known for selling hacked accounts. They got hacked and 16,000 ShOping.su’s registered accounts plus 15,000 stolen accounts and 9,000 sets of charge card data were taken. Hacked-DB confirmed data is indeed from platforms across the web and contains ID card numbers, social security numbers, charge card numbers, zip code, phone numbers, usernames, email addresses and more. See Hack Read.

6/10/2016  uTorrent Hacked

385,000 sets of user credentials compromised by the vendor hosting the forum. More at Hack Read.

6/13/2016  iMesh

iMesh of New York was one of the first peer-to-peer (P2P) file sharing services. It started in the late 1990s, grew to be among the most popular about 2009 and, according to their web site, is no longer available as of May 2016. Their database was compromised about 9/22/2013. Why does it matter now? Just recently all 51 million records surfaced for sale at 0.5 BitCoins, about $330 USD. Many people use the same userid and password on other sites. If you do, change your passwords.

Compromised information included username, password, email addresses, IP addresses, location and more. The users were from US (13.7M), Turkey (±4M), UK (3.5+M) and other countries. The most common email domains used were HotMail (14.3M) and Yahoo (10.5M). The password “123456” was used by almost a million users. All passwords were protected by MD5 which was found to have a significant vulnerability. More at The Hacker News.

6/14/2016  Greenwich University / UK

Greenwich University, based in London with multiple facilities, was hacked. According to a defacement page, the hack was accomplished by a former student who had been dismissed by the university. The entire 2.7GB database included sensitive information on over 21,000 students, staff, exams, grades, personal conversations, full name, email address, password, location and more. More at Hack Read.

6/15/2016  VerticalScope / MultiCompany

VerticalScope “specializes in the acquisition and development of websites and online communities for the Automotive, Powersports, Power Equipment, Pets, Sports and Technology vertical markets.” The automotive list has over 500 domains. Outdoor (80+), Sports (20+) and there are many, many more. An estimated 42 million user accounts have been compromised. Exposed were the user’s user name, password(s), email address and IP address (giving general location.) Over 40 million passwords were protected with the now-deprecated MD5 protocol. How weak is that? 11 million were cracked in 10 days by researchers in 2015. Users didn’t help by choosing “123456” as the most frequent password with “password” coming in third.

Time to say again change your password if you use any of VerticalScope’s domains, use one password for one site (not many) and use a strong passphrase (ex: I_HatePasswords2!). More at Naked Security / Sophos.

6/20/2016  Bizmatics

In early July 2016 we reported on the dangers of using a cloud-based provider. Later we found information on three of that provider’s customers. See below.

6/20/2016  Bizmatics / Stamford Podiatry Group

Medical and personal information for 40,491 people was compromised in a security incident where an unauthorized person, or persons, had access between 2/22/2016 and 4/14/2016. Information included full name, medical history, referring doctors, treating doctors, treatment, Social Security number, gender, birthday, marital status, telephone number, email address, and insurance. More at SC Magazine.

6/20/2016  Bizmatics / Integrated Health Solutions, P.C.

IHS was informed by Bizmatics, Inc. that Bizmatics experienced unauthorized access to its records which may have included access to 19,776 patient records.

6/20/2016  Bizmatics / ENT and Allergy Center of Arkansas

In early April Bizmatics notified EACA “that at least some of our electronic patient medical records were potentially accessed and obtained by unauthorized persons. The information contained in the records that may have been accessed included patient names, addresses, health visit information, and at least the last four digits of the patient’s Social Security number.” EACA reported to HHS that 16,200 patient records may have been exposed. More at Data Breaches.

6/23/2016  154 million US voters very exposed

L2 is a data brokerage firm. They sold a large database with 154 million US voter records to a client. The database contained much more than voter registration information. Personal information included name, address, age, ethnicity, email, Facebook profiles, gun ownership, position on gay marriage, and “pro-life” position. All of this was legally sold to an L2 customer.

Chris Vickery, who has found many an inappropriate data set unsecured on the web, found this on rented server space from Google’s Cloud services. It was a CouchDB database, configured for public access without requiring username, password, or any other authentication. He traced it to L2. L2 indicated the data set was about a year old and was their data, but the location wasn’t theirs. In a stunning burst of speed, within three hours the database was taken down. L2 located the original customer who indicated they had been breached and the data taken from them. No information on how many people may have already downloaded it or how long it had been available. Vickery’s blog post at MacKeeper and more at Naked Security / Sophos.

[ The “we were hacked” explanation has to be taken with a little skepticism until supported by cyber-forensic evidence. This is not the first large scale exposure of voter records. In December 2015 over 191 million US voters were exposed. In April 2016 over 93 million Mexican voters were exposed. The speed with which the data was taken down is worthy of applause. That the data was not detected by the hacked company (if they were hacked) is lamentable. Are we yet outraged at the leaky kettle called “big data”? My HACKED stamp is getting cracked from excessive use. -ed ]

6/23/2016  T-Mobile Hacked by Employee

A T-Mobile employees in the Czech Republic took 1.5 million customer records with name, email address, account numbers and more with intent to sell it. The Czech Republic has refused to provide any “additional specific information” about what data was leaked citing an ongoing police investigation. More at The Hacker News

6/29/2016  2.2M “suspect” persons

Security researcher Chris Vickery has found another unsecured database on line. Access does not require a username or password. This is the same researcher who found the database with 154 million US voters.

This new discovery is called “World-Check” and lists individuals around the world. It is used by over 300 government and intelligence agencies, 49 of the 50 biggest banks, and 9 of the top 10 global law firms. The current version lists 93,000 individuals “suspected” of having terrorist ties and millions of others. This data is openly for sale. The exposed version is from mid-2014 and has 2.2 million people on it. It is not hosted by Thomson Reuters (who acquired the company that created World-Check). It is still on line.

[ Compare this response to L2 response which got the exposed data off line in hours after being notified. While this data is created and sold legally it has since become exposed. -ed ]

6/30/2016  10M health records

Four databases totaling about 10 million are available for sale on the Dark Web. The records are reportedly from:
      a large, nationwide health insurer
      a healthcare organization based in Georgia (stored in plain text)
      a healthcare provider in the central and midwest
      a healthcare organization in Farmington, MO (also in plain text)

More at Data Breach Today

June 2016

In addition to others shown here in June 2016, ITRC reported two incidents where the number affected was over 10,000 per incident. These included Acer Service Corporation (34,500 financial / exposed charge card information) and Wal-Mart AR (27,393 non-financial / refund checks were sent to wrong person improperly exposing some medical information)

7/10/2016   80K exposed at Amazon

A hacker found a major stash of Kindle subscriber information and submitted it to Amazon for bug bounty on critical security flaws in Amazon’s server. When he didn’t hear back he released the information which was confirmed to be “new” in the sense it had not been seen before. Information may have contained user’s email, password, address including zipcode, phone number, and more. See Hack Read.

[ The first of four stories on 7/10/2016 describing over 100 million compromises. Are you sick of it yet? Are you practicing safe hex? Are you telling companies that have your information to be [deleted] protective of it? Just wait until your unchangeable biometric identifier is compromised! -ed ]

7/10/2016  615K exposed at Netia

Friday Reuters reported what may have been a breach at Netia, a major telecommunications provider in Poland. Saturday Hack Read reported that the data for 615,000 subscribers had been posted on line. Information included full name, home address and IP address. The only glimmer of good news is that the data was last updated in 2014.

7/10/2016  20M exposed at MTN

Earlier in July, the second largest cell provider in Iran (MTN) was hacked exposing personal information on 20 million MTN subscribers. Worse, anyone could send a Telegram bot (popular messaging app) with a cell number to access information which included full name, address, landline number, city and postal code. More at Hack Read

7/10/2016  Malware increases click-costs to advertisers

An advertising firm in China distributed malware so cell phones “clicked” on their advertisements allowing them to bill their customers an estimated additional $300,000 per month. The malware was HummingBad for Android and Yispecter for iOS. The latter can infect jailbroken and NOT-jailbroken i-phones. The malware was hidden in over 200 applications. HummingBad is known to be in 85 million phones world-wide. The Yispecter spread isn’t reliably known. More at The Hacker News.

7/11/2016  Penton Media / 5 sites / 1.8M users

The databases underlying five web sites are for sale with about 1.8 million users among them. See Salted Hash

  Mac-Forums about 300,000 accounts
  Hot Scripts 1+ million users
  Web Hosting Talk about 500,000 users

A little later Leaked Source reported that Penton, the host media company, was breached on July 4, 2016 and, in addition to the above, the databases of dBforums, and A Best Web were compromised. The databases are hashed and salted using the now-deprecated MD5 protocol. [ NonTechTranslation: they were protected, but that protection system was seriously eroded years ago. -ed ] The most common password in all of the Penton exposures was “123456”. Penton has not confirmed the breach.

7/13/2016  Omni Hotels / 50k charge cards

7/8/2016 Omni Hotels posted a notice on point of sale (POS) malware that collected charge card information including name, charge card number, security code and expiration date. It was discovered 5/30/2016, about five weeks before disclosure. The malware may have operated as early as 12/23/2015, almost six months before the notice, and operated through 6/14/2016.

What Omni didn’t say is how many of its 40+ properties were affected, how the malware was introduced, or how they learned of it. The latter is understandable because the first Omni heard of it was when someone reported 50,000 charge cards for sale in February 2016. More at Data Breach Today.

7/13/2016  34+k patients exposed

The data for 34,621 patients, almost all from Big Apple Ortho-Med Supply Inc. (Bronx, NY), is available for sale. Data includes full name, complete address, email, date of birth, and multiple telephone numbers. More at Hack Read.

7/16/2016  Ubuntu Forum / 2M exposed

Forums for Ubuntu, a popular flavor of Linux, have been hacked. Exposed data includes username, email address and IP address for two million users. Preliminary cause was a known, but unpatched, SQL injection vulnerability in the ForumRunner add-on. Announcement from SlashDot.

[ Earlier this year Linux Mint was hacked. In addition to forum information a web page was redirected to a clone whose downloads were infected with malware. -ed ]

7/18/2016  4 Dating Sites Hacked / 2.2M exposed

Four dating websites have been hacked in the last two weeks. Passwords from one were in plain text format, one other in now-deprecated MD5 hash. The most common password was “12345”. One site had 2,035,020 users and collectively 2.2 million were exposed. SoftPedia and Hack Read.

7/23/2016  Clash of Kings Forum Hacked / 1.6M exposed

The forum for the popular Android and iOS game with over 100 million installations was vulnerable because it was using a 2013 versions of vBulletin and did not use HTTPS for transactions. Exposed were 1,597,717 sets of usernames, email, IP addresses, device identifiers and passwords. Users used their social media accounts to access the site also exposed that information. More at Hack Read

7/31/2016  Internet Mall Hacked / 10+M exposed

With annual transactions reaching nearly a billion dollars an internet mall was an attractive target. In May 2016 they were hacked and personally identifiable information including name, email addresses, telephone number and more were exfiltrated. The company did not detect the breach. In July they were surprised to receive a ransom message: Pay $2.6 billion dollars or we’ll leak the information.

The ransom actually was for an astonishing 2.891 trillion (2,891,460,000,000) won, the currency of South Korea. The hackers were tracked to North Korea’s General Bureau of Reconnaissance, North Korea’s main foreign intelligence agency. The intrusion had used some of the same code and came from the same IP addresses as in previous breaches. More at NY Times.

July 2016

In addition to others shown here in July 2016, ITRC reported 6 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 139,674. These included:

7/05/2016 22,000 Massachusetts General Hospital Dental Group
7/11/2016 38,000 exposed via phishing email at North Carolina State University.
7/12/2016 13,000 Ransomware attack on Ambulatory Surgery Center of St. Mary Medical Center, Middletown PA.
7/12/2016 13,671 Uncommon Care of PA, exposed via Bizmatics
7/12/2016 31,000 Unauthorized accss to Laser & Dermatologic Surgery Center MO.
7/12/2016 22,000 North Ottawa Medical Group of MI, exposed via Bizmatics.

8/01/2016  House of the Mouse, hacked. 391K exposed

Disney Consumer Products and Interactive Media “became aware” on July 12, 2016 that an unauthorized party had accessed servers at least twice on 7/9/2016 and 7/12/2016 and acquired user information from the PlaydomForums.com domain. More from their 7/29 FAQ and from GameInformer.

[ Good news: They noticed it on their own and didn’t have to wait until a ransom demand arrived. Why didn’t they become aware on 7/9? Great news: they are not knee-jerking the “your security is important to us”. -ed ]

8/05/2016  Banner Health 3.7M exposed

On June 17, 2016 hackers commenced to infiltrate Banner Health. They were discovered July 7, 2016, two weeks later. Cyber attackers may have gained unauthorized access to computer systems that process payment card data at food and beverage outlets at some Banner Health locations. Six weeks after the attack started Banner Health issued a statement (2 page PDF). Exposed were payment card data (cardholder name, card number, expiration date and internal verification code). Unauthorized access to patient information, health plan member and beneficiary information, about information and healthcare provider information may also have been exposed. More at Data Breach Today

8/11/2016  Dota2 Forum 1.9M exposed

The developer forum for Defense of the Ancients 2 (Dota2), a multiplayer online battle arena video game, was breached 7/10/2016 exposing emails, IP addresses, usernames, user identifier and hashed passwords. On 8/9/2016 an unknown sender sent the information to LeakedSource (a data mining company) who reported the passwords were salted and hashed with deprecated MD5. Over 80% of the passwords have been converted to plain text. As the breach was determined to be considerably in advance of any action it appears reasonable to state the administrators of the forum were unaware of the breach until after the data had been delivered. More at Hack Read

[ Search LeakedSource to see if your data is in the thousands of recorded breaches. I checked using my email and it was found in two known breaches among 1.9 billion emails – ed ]

8/12/2016  VW does it again, bigger

VM has admitted to vulnerabilities affecting almost every VW made since 1995, an estimated 100,000,000 vehicles. Researchers at University of Birmingham in the UK extracted a cryptographic key common to many vehicles. Add the unique value encoded on the matching remote key fob (electronic eavesdropping can read it) and a functional fob clone can access that car. The paper (17 page PDF) was presented at Usenix and included in the Proceedings of the 25th USENIX Security Symposium August 10–12, 2016 in Austin, Texas.

This affects many of Volkswagen’s vehicles including the Audi A1, Q3, Ibiza, Leon, Alhambra, Skoda’s Fabia 1, 2, Octavia, SuperB, Yeti, Amarok, Caddy, e-Up Golf 4, 6, and Polo. Some later versions of Audi use a different system. A second vulnerability affects more makes including Alfa Romeo, Citroën, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot that use an older crypto design in HiTag2 fobs. Electronic eavesdropping gathers codes sent by the key fob and the encryption scheme can be cracked in under a minute. What fantastically complex technologies can do this? How about a $40 Arduino processor and software defined radio (SDR)? More at Ars Technica and Reuters.

[ Volkswagen took a public relations bath for knowingly and falsely representing diesel emissions on many cars. That this security vulnerability existed for so long isn’t going to make consumers any happier. Some day insurance companies will realize the lack of stout security makes these cars easier to steal and, because they are undamaged, easier to sell. Read an opinion on how to better create car software -ed ]

8/28/2016   Opera sync hacked

About 1.7 million users of Opera browser’s synchronization service have had their login details exposed. Opera is resetting all affected account passwords. More at Engadget.

8/29/2016   68+ million credentials exposed

Credentials from 2012 known breach of DropBox have appeared on line. DropBox has confirmed the data is valid and is again forcing a password change. About 47% of the exposed passwords were secured with the strong function bcrypt. The remaining 53% were secured with SHA-1, a deprecated function. Motherboard / Vice

[ Why were not the accounts secured with the deprecated SHA-1 provided a forced reset and stored with the stronger function? -ed ]

9/02/2016   42+ million credentials exposed

Account details from a breach of Last.fm website were taken in March 2012. The company admitted the breach months later. They didn’t force a password reset. They “encouraged” users to change their passwords. That 2012 data appeared on line just recently. It was “protected” with the MD5 hash which was shown to be weak in 2004. Because of the weaknesses 96% of all the passwords in the exposed data were hacked in two hours. More at The Hacker News

[ With this revelation NC3 has recorded over TWO BILLION compromises in 2016 to date. Why didn’t the company phase-force (say 20% of accounts per month) a password change and store the new passwords with the available better protection? -ed ]

9/07/2016   98+ million credentials exposed

Another very delayed notification: 2012 saw some large data breaches including almost 100 million credentials from Rambler.ru, a Russian web portal and email provider. This one included passwords in plain text. The breach was not reported. LeakedSource reported it had a copy of the data. Rambler has responded that a password reset was forced, passwords are now encrypted, and users are prohibited from using a prior password. More at Naked Security / Sophos.

9/07/2016   1+ million compromised ‘things’

Malware was written in the C language for easy compilation across multiple platforms. The many variants are infecting devices we don’t always consider “computers” such as security camera digital video recorders that use the internet for communication. Once compromised these devices become part of a network of robots (botnet) that can be used to find other devices to compromise and used to mount distributed denial-of-service attacks either by hire or for ransom. How powerful is this ‘bot army? Very. Over one million devices were observed in these attacks. The majority were generically named “H.264 DVRs” and located in Taiwan, Brazil, Columbia, US, Mexico, China, India and more. Poor security design is one part, but the human installers often left the default security settings. More at Level3

9/07/2016   790+ thousand exposed

The forum for Brazzer’s porn site was hacked exposing over 790,000 users and their plaintext passwords. Some users who did not join the forum may have also had their credentials exposed. Incredibly this data was from another unreported 2012 breach. The breach was due to outdated vBulletin software. More at Motherboard / Vice.

9/12/2016   11.6+ million more exposed in August

We gather our information from multiple publications. We get them from readers and friends. Lastly we check ITRC to find the smaller breaches that didn’t make the news. August 2016 is the first month where there were 11 exposures over 10,000 each for a total of 11,665,927. They were:

Prosthetic & Orthotic Care in Missouri had 23,015 patent identifications, diagnostic codes, appointment dates, last billing amount, Social Security number, birthday, name of insurance, and images of procedures exposed because of a weakness in purchased software.

Athens Orthopedic Clinic in Georgia exposed 201,000 patient records during a cyber attack in Late July. Information on current and former patients included names, addresses, Social Security numbers, birth date, telephone number and more.

Midwest Orthopedics Group in Missouri was breached in late May 2016 exposing 29,153 patient names, address, Social Security number, birth date, diagnosis, laboratory results and more.

Newkirk Products is a manufacturer of identification cards for health insurance companies. They were beached exposing 3,300,000 insured names, mailing address, plan types, group ID number, and the names of covered dependents.

FDIC in Washington D.C. had an employee return all electronic devices when she left her job in late September 2015. A USB device was not returned exposing sensitive personal information including Social Security numbers on 28,000 to 30,000 individuals.

[ Reporting was almost a year after the loss and they don’t know how many? -ed ]

A business associate of Bon Secours Health Systems in Maryland left information on 655,000 patients exposed on the internet for four days in April 2016.

Valley Anesthesiology and Pain Consultants of Arizona reported in August that a third party may have gained unauthorized access to 882,590 patient records on June 13, 2016.

In June the Washington Department of Fishing & Wildlife was the target of a cyber-vandalism attack which may, or may not, have exposed information on 2,435,452 people who applied for licenses. Information potentially exposed name, birth date, address, driver’s license number, last four digits of the Social Security number, height, weight, and eye color. In some cases email address and telephone number were also potentially exposed.

The Kentucky Department of Fish & Wildlife was hacked by a social hacker who reported the weaknesses but did not publicize them until they were patched. 2,126,449 records containing name, birth date, address, and more were exposed.

The Oregon Department of Fish and Wildlife was hacked by a social hacker who reported the weaknesses but did not publicize them until they were patched. 1,195,204 records containing name, birth date, address, and more were exposed.

The Idaho Department of Fish and Game was hacked by a social hacker who reported the weaknesses but did not publicize them until they were patched. 788,064 records containing name, birth date, address, and more were exposed.

9/14/2016   6.6+ million more exposed

ClixSense pays people to view adds, take surveys, etc. It was hacked and 6.6 million sets of credentials taken. 2.2 million of them were placed on PasteBin. Have I Been Pwned has verified the authenticity of that data. The remaining 4.4 million sets are up for sale. Contents include full names, home address, email and IP address, birth date, gender, payment history and other banking details. The big kicker? plain text passwords. Also offered are Social Security numbers, complete source code of the ClixSense website, and internal emails. ClixSense posted a note describing that a production server no longer in use had been compromised. From there the hackers reached current data. New security measures have been implemented. ClixSense didn’t really address the unauthorized disclosures or poor security practices that allowed the breach to occur. Hackers also ran SQL code to change account names to “hacked account” and set user account balances zero. Hackers also changed all the internal email passwords and set up a DNS redirection for ClixSense to a “gay porn site”. The hackers communicated that the 2.2 million record dump was done only after ClixSense refused to admit the breach had occurred. PasteBin has removed the post including the 2.2 million records. As of 9/14/2016 ClixSense was displaying 6,626,048 members. More at Ars Technica and The Hacker News.

9/22/2016   Recode: Yahoo to confirm massive 2014 breach

Back in 2014 Yahoo reported a breach of unknown size. Earlier in 2016 Yahoo said it was investigating a breach where hackers claimed 200 million user accounts had been compromised. At 2am Recode reported that the expected announcement was “massive”.

9/22/2016   Yahoo confirms: Massive!

The New York Times has reported Yahoo confirmed the 2014 breach had compromised “at least” 500 million users including name, email, telephone number, birth date, passwords and more .

[ A breach in 2014 took two years to confirm? Why? Was the highly paid executive trying to keep the potential liability under wraps to boost the purchase price and her personal fortune at the risk for literally hundreds of millions of users? -ed ]

9/23/2016   324k cards exposed with CVV

Over 300,000 cards with card verification value (CVV, that three or four digit code generally on the back) were posted on a web site. The data was not encrypted and included the CVV which is not supposed to be retained long term. The name of the file was Bluesnap, which is a payment processor and they report they have not been hacked, even going to the extent of hiring an outside security consultant to examine their site. Regpack is a customer of Bluesnap. They first denied having been hacked and their data was encrypted. then revised the statement to say that occasionally Regpack stored unencrypted versions for analysis. Human error placed this file on a publicly accessible server. More at Naked Security / Sophos including some guidance for non-IT managers of businesses that receive CVV codes.

9/23/2016 update  Regpack & The Streisand Effect

Regpacks denial, update, confusion and more is not the clear response a company wants to project when their security is demonstrably weak. Trying to hide an issue from technologically knowledgeable journalists can initiate the Streisand Effect (Wikipedia) where what someone is trying to hide actually gains attention. Regpack is trying not to lose trust and customers. Might be too late. More at Data Breach Today.

September 2016

In addition to others shown here in September 2016, ITRC reported 6 incidents where the number affected was over 10,000 per incident. The incidents were considered non-financial and totaled 102,685. These included:

18,399 Franciscan Healthcare Highline
21,880 New York State Psychiatric Institute
10,700 Planned Parenthood of Greater Washington
15,478 University Gastroenterology, Inc. RI
20,000 M Holdings Securities of Oregon
16,228 King of Prussia Dental Associates PA

9/29/2016 New Jersey Spine Center was attacked by CryptoWall which encrypted their patient files making them inaccessible The files included payment information, but there is no evidence the files were exfiltrated. While this was an “unauthorized access” we didn’t include the 28,000 records because they were not exposed to an outside party.

11/14/2016   412+ million users compromised

Login credentials for adult websites run by California-based FriendFinder Networks Inc. were compromised in the largest hack of 2016. The sites include Adultfriendfinder.com (340M), cams.com (63M) and Penthouse.com (7M). Based on review of the email addresses it appears that over 15 million accounts were deleted by users, but retained by the sites.

What was FriendFinder’s response? “FriendFinder takes the security of its customer information seriously…” Passwords were in plain text or SHA1, a deprecated hashing algorithm. Over 99% of the SHA1 hashed passwords have been cracked. Considering FriendFinder was breached in May 2015 and exposed about 65 million credentials why any passwords were in still plain text is not security in any sense of the word. User passwords continue to be weak. The top six passwords by frequency were the numeric sequence starting with 12345. 12345 (2nd place), 123456 (1st place), 1234567 (6th place), 12345678 (4th place), 123456789 (3rd place) and 1234567890 (5th place). Why was there no password strength meter to disallow these? A general description at Reuters. Details at LeakedSource.

In one breach we just surpassed THREE BILLION compromised accounts.


In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended. We also recommend The Identity Theft Resource Center (ITRC).
2016 Compromises affecting less than 10,000
2016 Compromises affecting an unknown, or undisclosed number
2016 Summary of Compromises
2016 General Information
Return to References page
Return to Year links page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.