Compromises in 2016 affecting less than 10,000

2016 Compromises affecting 10,000 or more
2016 Compromises affecting an unknown, or undisclosed number
2016 Summary of Compromises
2016 General Information

1/22/2016   Thousands of servers

Symantec found 3,500 servers that redirect victims to other websites.

Their Intrusion Prevention System detected a hidden script in a compromised website. All the compromised websites used the same content management system. Such a compromise could be used to download malware. The URL provides sample code that appears before the “</head>” tag so administrators can easily check their sites. For more see Symantec.

1/25/2016   Uber Info Sharing

At tax time, techno-savvy Uber posted information for its drivers on a secure portal, except that some drivers found they were looking at the personal information of a driver in New Port Richey, Florida. According to Uber, hers was the only one exposed and they will provide credit monitoring for her. How many people saw that information is unknown. The information distribution system was stopped until the problem was fixed. Apparently the problem was reported on various social media because Uber didn’t have a defined communications channel for this information. More at BusinessInsider.

1/29/2016  University of Virginia hacked more than a year ago

An email phishing expedition that got users to access a malicious web site started a wedge that opened the University of Virginia and compromised 1,400 employees at the Charlottesville campus. The school didn’t uncover the compromise; the FBI told them.

Between early November 2014 and early February 2015 the crooks were able to reach the human resources information and obtain W-2 data for 2013 and 2014 along with direct deposit information of several dozen employees. What took a year for notification? “Affected employees were notified as soon as it was practical, consistent with the FBI investigation”. For more see BankRate.

[ How much damage was done to the victims during the year before they were told about the breach? -ed ]

1/29/2016  Neiman Marcus consumers

Estimated 5,200 accounts affected.

Today NM customers received notices like this one (2 page PDF) reporting multiple improper purchases from their online businesses including Bergdorf Goodman, Last Call, CUSP, Horchow and Neiman Marcus stores starting 12/26/2015. It appears the attacks were automated, using user names and passwords gathered from other breaches, highlighting the dangers of re-using usernames and passwords. There is disagreement that this was the case. See this article from DataBreachToday.

January 2016

In addition to others shown here in January 2016, ITRC reported 17 incidents where the number affected was under 10,000 per incident. The total disclosed was 25,609.

2/17/2016  Ocean Lotus


Researchers at AlienVault have conducted a detailed analysis of the OS X version of a Trojan used in attacks aimed at Chinese organizations. The “OceanLotus” Trojan was initially exposed in May 2015 by a Chinese security firm that reported that it had been sighted back in April 2012. The trojan was distributed in the usual ways, has sprouted at least four variants and has been confirmed on more than 100 systems. One variant, targeted for OS X, has two sub variants. The most recent sub variant is detected by only two antivirus packages despite being uploaded for analysis late in 2015.

Mac and OS X infections are rising. As of 9/30/2015 the number of OS X systems infected with malware was already seven times higher than all of 2014. A/V detection is improving for this trojan. More …

2/24/2016  Hospital hacked

1400 employees exposed. Personally Identifiable Information (PII) including name, address, Social Security number and wages were stolen from York Hospital in Maine. The information was for employees hired in 2015 at its hospital and campuses in Wells, Berwick, Kittery and South Berwick. More…

2/25/2016  uKnowKids.com

Found another unsecured database with 1700 kid profiles and millions of images.

The researcher reported it to the company who secured the database in less than two hours. Then they castigated the researcher. This is the same researcher who discovered the Hello Kitty database which exposed over 3 million people, Hzone and others.

According to the Shodan search the database has been unsecured for more than a month exposing 6+ million private text messages, 2 million images many with kids, and 1,700+ child profiles with first name, last names, email address, birth date, GPS coordinates, social media access credentials, and more.

Here it gets a little legal. Websites that are collecting information from children under the age of thirteen are required to comply with the Federal Trade Commission’s Children’s Online Privacy Protection Act (COPPA), which includes a requirement to “…establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected …”. Having failed its responsibility, uKnowKids.com may face regulatory actions. See 2/23/2016 CSO Online and 2/25/2016 Sophos.

[ The company exposes location, names and age of kids and they castigate the researcher? Shooting the messenger is part of a smoke screen and WRONG! -ed ]

2/29/2016  SnapChat scammed. Employees compromised

Again. A single incoming communication got confidential information given away.

Friday 2/26/2016 an email from “Snapchat CEO Evan Spiegel” requested payroll send information on employees. They did. It wasn’t the boss. In an apology blog post SnapChat was honest about their failure and offered two years of identity-theft insurance and monitoring at no charge. That is better than average. More at Naked Security / Sophos. How many current and former employees were exposed was not disclosed. SnapChat had 330 current employees in December 2015.

February 2016

In addition to others shown here in February 2016, ITRC reported 14 incidents where the number affected was under 10,000 per incident. The total disclosed was 26,338.

3/06/2016  Seagate scammed of W2s

“several thousand” current and former employees exposed.

2/24/2016 alert employees caught a bad whiff from an odd request from “the boss” to send information. After another nose confirmed the bad smell, an investigation was started and a W2 scam stopped cold.

Too bad the human resources people at Seagate didn’t get that message. They got a letter via email from the organization’s CEO requesting current and former employee W-2 forms and they complied. This increases the exposure for identity theft and tax refund fraud just like the people from Snapchat. More at Krebs On Security.

3/11/2016  Good Noses Save almost $1B USD

Wires between central banks are big bucks, but some didn’t pass the smell test.

Cyber-crooks targeted Bangladesh’s central bank. They studied the processes and people, then used stolen credentials to generate transfer requests totaling about one billion US dollars. Other banks got suspicious at the number of requests and stopped the majority of the fraudulent requests. About $80 million US was already gone.

An alert employee of Deutsche Bank (an intermediary bank) saw a spelling error which raised enough of a concern to pause the transfer and request clarification from the originating bank in Bangladesh, who said “Who? Us?” which was plenty enough to stop the transaction. Similarly the Federal Reserve Bank of New York (also an intermediary bank) alerted the Bangladesh central bank to a high volume of high value requests to transfer funds to private accounts vs the more common bank-to-bank transfers of high value. The Bangladeshi government has publicly blamed the US Federal Reserve for not spotting the suspicious transactions earlier. The Fed replied that its systems hadn’t been breached. More at BBC

3/16/2016 Update  Scam cost $81M & 4 top jobs

Bangladesh Central Bank transfers were “fully authenticated” using bank messaging

The unidentified hackers used “Swift”, the official electronic bank messaging technology, in an attempt to transfer almost $1 billion US in early February. Atiur Rahman, the Bangladesh central bank governor and a respected economist, learned of the theft from the media. He resigned 3/15/2016 and the Finance Ministry fired two deputy central bank governors and the Bank and Financial Institutions division secretary, all accused of knowing of the transfers and not informing bank security or their superiors. The use of Swift indicates either a breach from the outside or improper internal use. Where did the money go? Can it be traced? More at NY Times.

3/19/2016 Update  Security Researcher Missing

A 34-year-old security researcher working on the Bangladesh Central Bank has gone missing.

While there is speculation that the attempted e-heist of $1B US from the Bangladesh Central Bank was an inside job, security researcher Tanvir Hassan Zoha believed unknown hackers had installed malware weeks before to scout the system and obtain credentials. Zoha pointed a wagging finger at the officers of the bank for allowing weak security procedures that facilitated the loss of $81 million, the country’s largest bank heist ever. Zoha disappeared the evening of Wednesday 3/16/2016 while coming home. More at The Hacker News.

4/25/2016 Update  Bangladesh Bank hack

SWIFT is a messaging platform between 3,000+ organizations that banks use to transfer money. Specialized malware allowed someone to control the bank’s transfer capability for their own benefit. More at Data Breach Today.

4/29/2016 Update  SWIFT & Bangladesh Bank hack

Reuters is reporting that the Bangladesh Bank was not the first to be the victim of a compromised Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system for bank transfers. Some organizations are reporting 3,000 financial institutions in SWIFT. Reuters is reporting 11,000 financial institutions. More at Reuters. The malware used allowed attackers to steal money by altering the Oracle database underlying the SWIFT software. Sending SWIFT messages transfers money. More at Data Breach Today.

[ After the fact SWIFT informs users of problem? Their response? A “security update”. Really? Trillions of dollars moving through this system and they are pushing a mandatory security update that must be installed by … May 12, 2016. – ed ]

5/12/2016 Update  SWIFT hacked again

An unnamed commercial bank was confirmed as the second victim of theft via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system for bank transfers. Because valid credentials were used and deposited malware obfuscated records, some consider the criminals behind these thefts may not be found. Initially the Bangladesh compromise was considered a rare event, but other hacks are expected. More at NY Times.

[ The attack occurred just before the “mandatory” security update before May 12, 2016. -ed ]

5/18/2016 Update  SWIFT attack 2015Q4 not shared

A Vietnamese bank reports an attempt was made in 2015 Q4 to exfiltrate funds via the SWIFT system. This pre-dates the Bangladesh incident. The Vietnamese report may not have been disseminated to warn others of the ongoing situation. More at The Guardian.

[ Some argue that keeping crime quiet is a preferred method of deterring crime. We disagree. Most businesses want to keep quiet so as not to advertise their own liability. The open discussion of security weaknesses is helpful. See this from pre-1900. -ed ]

5/19/2016 Update  Bank of England orders SWIFT review

Previously unreported, this action marks perhaps the first case of a central bank of a major economy ordering its member banks to conduct a formal security review of the SWIFT system, which was a conduit for multiple bank thefts. The request to update cyber security measures was sent in the latter half of April 2016. The Bank of England, one of the central banks that oversee SWIFT, had no comment. More at Reuters.

5/20/2016 Update  SWIFT attack 2015Q1 not shared

Another attack using Society for Worldwide Interbank Financial Telecommunication (SWIFT) not shared.

January 21, 2015: the Banco del Austro (BDA) in Ecuador instructed San Francisco-based Wells Fargo to transfer money to Hong Kong bank accounts. 12 times over 10 days Wells Fargo followed the instructions received from the “secure” SWIFT system. It appears crooks initiated the transfers. BDA says Wells Fargo “should have known” the transfer requests were suspicious and sued in January of 2016, about a year later. Wells Fargo replied that a BDA employee’s SWIFT logon credentials were used and there was nothing suspicious.

SWIFT requires customers to notify SWIFT of problems that can affect the “confidentiality, integrity, or availability of SWIFT service”, but neither bank reported the theft. SWIFT learned about it from a Reuters inquiry.

“The lack of disclosure may foster overconfidence in SWIFT network security by banks, which routinely approve transfer requests made through the messaging network without additional verification”. More at Reuters.

[ So which is worse? Suspecting that the system is vulnerable or knowing the system is vulnerable? Instead of getting informed of the attacks other banks were lulled into complacency by the lack of information about successful attacks. The open discussion of security weaknesses is helpful. See this from pre-1900. -ed ]

5/24/2016 Update  SWIFT expected to acknowledge the apparent

More than two months after the Bangladesh bank theft, SWIFT’s chief executive is expected to announce today that hackers may have targeted more banks than were previously reported. New security measures will be introduced. More at Bloomberg.

[ In the words of some younger people: “Well, DUH-UH!” and we agree. The lack of public disclosure keeps banking problems opaque. Had they been made more public, even within the banking community, more people would have been aware to question transactions. -ed ]

5/27/2016 Update  SWIFT attack 2013 not shared

In 2013 the systems at Sonali Bank of Bangladesh were infected with a keylogger which stole passwords. That was leveraged to navigate the bank network and issue transfer requests via the SWIFT system. Officials of Sonali Bank said SWIFT was informed at the time of the attack, but that information was apparently not disseminated to the public or the banking community. More at Reuters.

5/28/2016 Update  North Korea linked to bank heists

Symantec researchers report evidence linking multiple bank attacks to North Korea. If so, this is the first nation-level direct bank theft known. Why? North Korea does not publish economic data, and its estimated gross domestic product is between $12 billion and $40 billion. A success in the millions is a huge return on investment and an economic boost. More at NYTimes.

6/01/2016 Update  US Federal Reserve has cybersecurity problem

Related to bank thefts via SWIFT – Between 2011 and 2015 the US Federal Reserve has detected more than 50 cybersecurity intrusions with some described as “espionage”. This wasn’t published, it was pried out via a Freedom of Information Act request. Is it the whole story? No. They only include those reported to the Fed’s Board of Governors which is a federal agency subject to public records laws. There are 12 “privately owned” regional branches and their cybersecurity problems can’t be uncovered with a FOIA request. More at Reuters.

6/06/2016 Update  US Federal Reserve rejected Bangladesh SWIFT transactions

In February 2016 all 35 of the SWIFT transfer requests from Bangladesh were rejected by the New York Federal Reserve Bank for being improperly formatted and lacking information. A number were resubmitted and executed. Did the NY branch miss some warning signs? More at Reuters.

6/11/2016 Update  Another perpetrator?

North Korea may have been behind the bank heists via SWIFT transfer, but another potential perpetrator has been proposed. China has major cyber-warfare capabilities and works with North Korea on many topics. More at Epoch Times.

3/14/2016  Saved by my nose

Did you get a call from a US Marshal telling you about missed grand jury service? They had a signed certified mail receipt to prove I’d been notified. The judge had issued a warrant for me.

The first phone call I got on my new phone was from a “US Marshal” who wanted to let me know that a judge (he gave the name of a judge in the area) had issued a bench warrant for my arrest because I’d missed appearing for a federal grand jury. There was a receipt for certified mail with my signature on it (he said, I didn’t sign for any certified mail this year). The Marshals Service could pick me up any time. He was smooth, believable, convincing. He said I’d spend a week or two in jail or post bail while waiting my chance to appear and prove that I was innocent. My nose twitched.

The prosecution proves guilt. Innocent until proven guilty, right? The bail was about $1900 which seemed high. I offered to turn myself in and save them the effort. He gave me a location. Then I looked up a phone number for the local USMS office, called them, asked if they had a deputy marshal by the name of [ deleted ]. They didn’t. While I was the first to report this scam today, four others had called on Friday and this scam is not restricted to this area. I emailed them a statement with all the facts from my cell phone call log and all the information I’d noted.

Remember: Don’t take precipitous action (like emailing W2 information to anyone!) based on an incoming communication. Get confirmation. It saved me from being a victim. In the words of Festus Haggen: Git ’em Marshal! Put that crook away where he can’t prey on the public.

3/15/2016 Update  Why did it almost work?

What took so long for my nose to twitch? Turns out my “nose” is part of my cognitive brain.

The “sniff test” isn’t generally done with the nose on your face. It is accumulated knowledge and experience, stored subconsciously as a “feeling” when something isn’t right.

After sound sleep what amazes me is that I didn’t get any kind of a twitch for so long. I skipped right over questioning the precept and was dealing with a response to the potential arrest and incarceration. Why? Because the negative potential of arrest/detention moved my cognitive-brain into park and my emoting-brain (amygdala) into high speed.

I don’t want to tell the crooks how to get better, so I’ll tell you: The phone or email will not hiss, rattle, or uncoil to rise up and bite you. You are not in immediate danger. Take a breath. Enhance your calm. Shift from the immediate fear reaction to investigation and inquiry. Get your emoting-brain under control and use the intellect that moved mankind from Neanderthal to where we are today.

3/29/2016 Update  USMS Scam Widens

A bulletin from United States Courts was issued today on this matter. See also this from Naked Security / Sophos

5/05/2016 Update  USMS Scam / Crooks already in jail?

I spoke this morning with an agent of the FBI about a detail in the report sent in March. While the investigation is ongoing one detail was made public. Some of these calls are coming from contraband cell phones from people already in prison. In one sense they are already caught. In another, what penalty is there for someone already doing significant time? Don’t be a victim. If someone from “law enforcement” calls get their name and number. Look up a publicly available number and either ask for confirmation of the caller or ask to be connected to the caller. Don’t take precipitous action (like emailing all that W2 information) based solely on incoming communications.

3/16/2016  CS School skipped a step

Code.Org is a non-profit organization with the goal of improving computer science skills in the current crop of students. It offers online classes in almost 200 countries. They rely on volunteers and some of their email addresses were compromised. A hack from the outside? A data thief on the inside? Nope, this was a coding failure that left the list open to the internet. More at ZDnet.

3/17/2016  Moneytree Exposes employees

Again, an employee got scammed and exposed employee information.

Moneytree Inc. is a Seattle-based firm that offers check cashing, copying, facsimile, loans, money orders, mortgages, payday loans, wire transfers and more. They have a staff of over 1,200. Earlier this month they informed employees that someone impersonated co-founder Dennis Bassford. Exposed information included names, addresses, Social Security numbers, birthdays and complete W2 information. More at Krebs on Security.

3/30/2016  Law Firm Discloses Breach. Others outed

Multiple law firms breached. One discloses. Others mentioned. Were customers told?

The one firm, based in New York, is well known for corporate merger advisory work, making it an attractive target for those who seek pre-public information on such activities. It just revealed a breach last summer. (More details at Wall Street Journal and New York Times.)

[ In March 2015 we pointed out that while law firms were not exempt from being hacked, they were almost completely absent from reported events. September 2015 the American Bar Association reported that 80% of the top 100 law firms had been breached. The unanswered question is: when were the affected customers informed of the breach? Or were they ever told? -ed ]

March 2016

In addition to others shown here in March 2016, ITRC reported 30 incidents where the number affected was under 10,000 per incident. The total disclosed was 70,149.

April 2016

In addition to others shown here in April 2016, ITRC reported 42 incidents where the number affected was under 10,000 per incident. The total disclosed was 71,850.

5/18/2016  CabCharge Breach

Risk Based Security of Virginia was using the Shodan.io specialized search engine to seek anything that connects to the internet. They found a database that required no login credentials belonging to CabCharge, an Australian taxi booking and payments service. Exposed were details on customer movements, drivers and partial credit card numbers. Cabcharge.com.au was rapidly alerted and the database was better secured. Exposed were 3.6 GB reflecting 3,443 FastCard (a charge card for transportation only) users. More at The Sydney Morning Herald.

5/23/2016  Japanese ATM thefts

100+ crooks used 1,600 cards made from stolen data to get 1,400 ATMs to dispense the yen equivalent to $13 million in under 3 hours. (descriptive graphic) More at The Japan News (English)

May 2016

In addition to others shown here in May 2016, ITRC reported 25 incidents where the number affected was under 10,000 per incident. The total disclosed was 56,082.

6/14/2016  Let’s Encrypt Email oops

7,600 user email addresses were inadvertently transmitted to other users in a visible CC field. More

6/17/2016   Ether Experimental CyberCurrency – HACKED

Decentralized Autonomous Organization (DAO) raised $160 million for Ether, an experimental cybercurrency similar to Bitcoin. More than $50 million has been removed from where it was supposed to be and may be trapped within the system, but not yet recovered. More at NY Times. Was this foreseeable? Could be. In late May a paper described multiple security vulnerabilities in the Ether cryptocurrency. Similarly Bitcoin was reported flawed in November 2013.

June 2016

In addition to others shown here in June 2016, ITRC reported 25 incidents where the number affected was under 10,000 per incident. The total disclosed was 40,431.

7/22/2016  DNC emails

17,252 emails from seven people of the Democratic National Committee were released by WikiLeaks. Included are 8,034 email attachments composed of 891 other documents, 175 spreadsheets and several thousand images. More releases are expected. You can search the database of emails several ways.

[ Back in June 2016 Russia (reportedly) hacked the DNC to obtain opposition research on a Republican candidate. That lengthy document was published. Where did WikiLeaks get this information? A hacker “Guccifer 2.0” claimed credit, but there is some skepticism. Support for Russian involvement in the email harvest comes from the analysis done by Crowdstrike, who discovered two groups associated with the Russian government had hacked the DNC systems. Russia denies involvement. More at The Washington Post -ed ]

7/23/2016 Update:  DNC Donors Exposed

In the email leak reported earlier, at least one email or attachment had donor information including complete names, complete addresses, telephone numbers, occupation, employer, charge card numbers, passport numbers, IP addresses, operating system and browser. Searching the email for “contribution data” (without the quotes) found over 400 records. More at Hack Read.

[ The very first email with “contribution data” had a telephone number with area code “122”. The address was in “Nyon” which is in the Vaud Canton of Switzerland. The IP address was in the block 178.198.11.xxx, which SwissCom of Switzerland has. The box that said “ I am a United States citizen or a permanent resident alien…” was checked. Was this a legal contribution? Could be a US citizen living abroad, but … – ed ]

7/23/2016 Update:  Erdogan’s Emails Exposed

The DNC isn’t the only national organization that got hacked and exposed by WikiLeaks. Nearly 300,000 emails from Turkey’s President Erdogan’s ruling party were placed online. They span from 2010 to July 6, 2016, before the attempted coup and the response. Turkey has blocked its residents from accessing WikiLeaks. More at eHacking News.

7/24/2016 Update:  DNC email hack: Who did it? Who benefits?

We wrote earlier questioning who hacked the DNC email and set the release timing. While Russia has denied involvement a cybersecurity firm has connected two groups with affiliation to Russia to the breach. When faced with a perplexing circumstance it can be useful to ask “Cui Bono”? To whom the good? Raising a problem for Clinton helps Trump. Who benefits from that?

Over the last year there has been a recurrent refrain about the seeming bromance between Donald Trump and Russian President Vladimir Putin. More seriously, but relatedly, many believe Trump is an admirer and would-be emulator of Putin’s increasingly autocratic and illiberal rule. But there’s quite a bit more to the story. At a minimum, Trump appears to have a deep financial dependence on Russian money from persons close to Putin. And this is matched to a conspicuous solicitousness to Russian foreign policy interests where they come into conflict with US policies which go back decades through administrations of both parties. There is also something between a non-trivial and a substantial amount of evidence suggesting Putin-backed financial support for Trump or a non-tacit alliance between the two men. [ source highlights ours – ed ]

[ Are campaign contributions from foreign governments or interests legal? Were they disclosed? Is this the source of funding for “personal loans” to the campaign? -ed ]

7/25/2016  Brokerage Account Hacks

6/22/2016 the US Securities & Exchange Commission (SEC) issued a press release about a complaint (10 page PDF) filed against one Idris Dayo Mustapha, a British citizen who had hacked into five customer accounts of one US brokerage firm and four of two foreign firms. Mustapha’s activity involved thinly traded (low volume) securities where the price could be manipulated in one direction by the hacked account and in another direction by Mustapha’s own account. In the end Mustapha profited and the hacked account lost. More at Data Breach Today.

July 2016

In addition to others shown here in July 2016, ITRC reported 15 incidents where the number affected was under 10,000 per incident. The total disclosed was 42,018.

August 2016

In addition to others shown here in August 2016, ITRC reported 35 incidents where the number affected was under 10,000 per incident. The total disclosed was 108,328.

September 2016

In addition to others shown here in September 2016, ITRC reported 27 incidents where the number affected was under 10,000 per incident. The total disclosed was 59,482.


In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended. We also recommend The Identity Theft Resource Center (ITRC).

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.