The 10 Biggest Data Breaches of 2018… So Far

biggest-data-breaches-2018

Photo by simosmme

We’re only halfway through 2018, but the scale of some of the data breaches that have already been reported is staggering. Think Facebook was the biggest one? Guess again.

Six months is a long time in infosec, so it’s no surprise that numerous data breaches have emerged in the first half of 2018. Below is a countdown of 10 of the biggest incidents reported thus far in 2018 in terms of total number of records compromised.

10) Saks, Lord & Taylor

saks-fifth-avenue-2018-data-breach

Photo by Ronald Woan

  • 5 million records breached

  • Date disclosed: April 3, 2018

Near the end of March, security firm Gemini Advisory came across an announcement from the JokerStash hacking syndicate offering five million stolen credit and debit cards up for sale. With the help of various financial organizations, Gemini Advisory traced the sale back to a total system compromise of luxury department stores Saks Fifth Avenue and Lord & Taylor. Hudson Bay, the owner of both of the department stores, learned about the incident and took steps to remediate it. But that wasn’t enough for one Bernadette Beekman, who in April 2018 filed a class action lawsuit on behalf of all customers who used a payment card at Lord & Taylor stores during the breach period of March 2017 to March 2018. In her lawsuit, Beekman stated that Lord & Taylor had “failed to comply with security standards and allowed its customers’ financial information and other private information to be compromised by cutting corners on security measures that could have prevented or mitigated the security breach that occurred.”

9) PumpUp

pumpup-data-breach-2018

  • 6 million records breached

  • Date disclosed: May 31, 2018

On May 31, ZDNet reported that they had been contacted by security researcher Oliver Hough in regards to a backend server he had found exposed to the Internet with no password to protect it. The server belonged to the fitness app PumpUp, and it gave anyone who came across it access to a host of sensitive customer data including user-entered health information, photos, and private messages sent between users. The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiry dates and card verification values.

When ZDNet reached out to PumpUp, the company did not issue a response, but it did quietly secure the server. It is unknown how long the asset had been sitting exposed.

8) Sacramento Bee

sacramento-bee-data-breach-2018

Photo by Marcin Wichary

  • 19.5 million records breached

  • Date disclosed: June 7, 2018

In February, an anonymous attacker seized two databases owned and operated by The Sacramento Bee, a daily newspaper published in Sacramento, California. One of those IT assets contained California voter registration data provided by California’s Secretary of State, while the other stored contact information for subscribers to the newspaper. Upon hijacking those resources, the attacker demanded a ransom fee in exchange for regaining access to the data. The newspaper refused and deleted the databases to prevent additional attacks from leveraging them in the future.

According to The Sacramento Bee, the hack exposed 53,000 subscribers’ information along with the personal data of 19.4 million California voters.

7) Ticketfly

ticketfly-data-breach-2018

Photo by Corey Denis

  • 27 million records breached

  • Date disclosed: June 7, 2018

On May 31, Ticketfly suffered an attack that resulted in the concert and sporting-event ticketing website being vandalized, taken down, and disrupted for a week. The hacker behind the attack had reportedly warned Ticketfly of a vulnerability and demanded a ransom to fix it. When the company refused, the hacker hijacked the Ticketfly website, replaced its homepage, and made off with a large directory of customer and employee data, including names, addresses, email addresses, and phone numbers for 27 million Ticketfly accounts.

6) Panera

panera-bread-2018-data-breach

Photo by Mike Mozart

  • 37 million records breached

  • Date disclosed: April 2, 2018

On April 2, security researcher Dylan Houlihan reached out to investigative information security journalist Brian Krebs and told him about an issue he had reported to Panera Bread back in August 2017. The weakness resulted in Panerabread.com leaking customers’ records in plaintext — data which could then be scraped and indexed using automated tools. Houlihan attempted to report the bug to Panera Bread, but told Krebs his reports had been dismissed. The security researcher checked the vulnerability every month thereafter for eight months until finally disclosing it to Krebs, who published the details on his blog. Panera Bread took its website temporarily offline following publication of Krebs’ report.

Despite the company initially downplaying the severity of the breach and indicating fewer than 10,000 customers had been affected, the true number is believed to be as high as 37 million.

5) Facebook

facebook-data-breach-2018

Photo by thoughtcatalog.com

  • At least 87 million records breached (though likely many more)

  • Date disclosed: March 17, 2018

Who can forget the data scandal that rocked Facebook in March 2018? At that time, reports emerged of how a political data firm called Cambridge Analytica collected the personal information of 50 million Facebook users via an app that scraped details about people’s personalities, social networks, and engagement on the platform. Despite Cambridge Analytica’s claim that it only had information on 30 million users, Facebook determined the original estimate was in fact low. In April, the company notified 87 million members of its platform that their data had been shared.

Unfortunately, with Facebook apps facing more scrutiny, it appears the Cambridge Analytica scandal may just be the tip of the iceberg. On June 27, security researcher Inti De Ceukelaire disclosed another app called Nametests.com had publicly exposed information of more than 120 million users.

4) MyHeritage

myheritage-data-breach-2018

  • 92 million records breached

  • Date disclosed: June 4, 2018

A security researcher reached out to the Chief Information Security Officer of online genealogy platform MyHeritage on June 4 and revealed they had found a file labeled “myheritage” on a private server outside the company. Upon inspection of the file, officials at MyHeritage determined that the asset contained the email addresses of all users who had signed up with MyHeritage prior to October 26, 2017. According to a statement published by the company, it also contained their hashed passwords but not payment information, as MyHeritage relies on third-party service providers to process members’ payments. Because the service also stores family tree and DNA data on servers separate from those that store email addresses, MyHeritage said there was no reason to believe that information had been exposed or compromised.

3) Under Armour

under-armour-data-breach-2018

Photo by Like_the_Grand_Canyon

  • 150 million records breached

  • Date disclosed: May 25, 2018

On 25 March, Under Armour learned that someone had gained unauthorized access to MyFitnessPal, a platform which tracks users’ diet and exercise. CNBC reported at the time that the criminals responsible for the breach accessed individuals’ usernames, email addresses, and hashed passwords. The incident did not expose users’ payment information, as Under Armour processes this data separately. Nor did it compromise Social Security Numbers or driver’s license numbers, as the apparel manufacturer said it doesn’t collect government identifiers.

Upwards of 150 million MyFitnessPal users are believed to have had their information compromised in the data breach.

2) Exactis

exactis-data-breach-2018

  • 340 million records breached

  • Date disclosed: June 26, 2018

Security researcher Vinny Troia discovered in June 2018 that Exactis, a marketing and data aggregation firm based in Florida, had left a database exposed on a publicly accessible server. The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses. As of this writing, Exactis has not confirmed the exact number of people affected by the breach, but Troia said he was able to find close to 340 million individual records. He also confirmed to Wired that the incident exposed affected consumers’ email addresses, physical addresses, phone numbers, and a host of other personal information, in some cases including extremely sensitive details like the names and genders of their children.

 

1) Aadhaar

aadhaar-data-breach-2018

  • 1.1 billion records breached

  • Date disclosed: January 3, 2018

In January, reporters with the Tribune News Service paid 500 rupees for login credentials to a service being offered by anonymous sellers over WhatsApp. Using the service, the reporters could enter any Aadhaar number, a 12-digit unique identifier assigned to every Indian citizen. Doing so would retrieve numerous types of information on the queried citizen stored by UIDAI (Unique Identification Authority of India). Those bits of data included name, address, photo, phone number and email address. An additional payment of 300 rupees to the sellers yielded access to software through which anyone could print an ID card for any Aadhaar number.

The data breach is believed to have compromised the personal information of all 1.1 billion citizens registered in India.

Equifax: US Breach Victim Tally Stands at 146.6 Million

Data broker Equifax continues to field queries from lawmakers about the full extent of its massive 2017 data breach (see Equifax Discloses 2.4 Million More Mega-Breach Victims).

Equifax said on Friday that in response to requests for additional information, it’s shared more breach details with several U.S. Congressional committees. Notably, the data broker said that its breach investigators found that consumers had uploaded images of various government-issued identity documents that were exposed in the attack, including 38,000 driver’s licenses, 12,000 Social Security or taxpayer ID cards, and 3,200 passports.

Thankfully, the data broker hasn’t revised its breach tally, which for U.S. consumers stands at 146.6 million individuals.

“Equifax is confident that the additional detail about the 2017 cybersecurity incident does not identify new stolen data or newly impacted consumers and does not require additional consumer notification,” the company says in a statement. “Equifax is committed to working with Congress and providing accurate information about the cybersecurity incident.”

Breach Victim Tally

Data stolen in the 2017 Equifax data breach. Note: Some consumers had multiple personal details stolen. (Source: Equifax)

On Monday, Equifax reported via an 8-K filing and statement for the record submitted to the U.S. Securities and Exchange Commission that its tally of U.S. breach victims is approximate, owing, in part, to different database tables having elements that were “were not consistently labeled.”

Equifax’s statement explains: “For example, not every database table contained a field for driver’s license number, and for more common elements like first name, one table may have labeled the column containing first name as ‘FIRSTNAME,’ another may have used ‘USER_FIRST_NAME,’ and a third may have used ‘FIRST_NM.'”

But the company says it believes that it’s now identified all consumers whose personal details were exposed. “With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the impacted consumers and Equifax’s notification obligations,” it says, adding that all U.S. victims have been notified.

Equifax’s current tally of breach victims includes:

  • 143 million U.S. consumers whose names, Social Security numbers, birthdates, addresses and – in some instances – driver’s license numbers were exposed.
  • 182,000 U.S. consumers for whom “certain dispute documents with personal identifying information” were exposed.
  • 15 million U.K. consumers, of which about 860,000 are at risk of identity theft.
  • 8,000 Canadian consumers.

New CISO Creates Fusion Center

Equifax’s breach led to the departure of CEO Richard Smith and CSO Susan Mauldin, among others.

Following the breach, the company in February hired Home Depot veteran Jamil Farshchi as its new CISO.

Farshchi last week told the Wall Street Journal that he’s been overhauling Equifax’s approach to cybersecurity as well as disaster response. He’s created a so-called fusion center – blending information security, physical security and crisis management, and aimed at facilitating better information sharing – inside Equifax that’s modeled on how some public sector entities handle emergency response.

“Especially coming out of a breach, there are a tremendous number of demands from a security standpoint because everything becomes priority one,” Farshchi told the Wall Street Journal.

Equifax Failed to Patch Struts

Now-former Equifax CEO Smith blamed the breach on a single employee having failed to patch the company’s Apache Struts web application implementation after an emergency patch was issued for Struts (see Equifax Ex-CEO Blames One Employee For Patch Failures).

Last October, Smith told a Congressional committee that Equifax issued an internal alert on March 9, 2017, instructing all administrators to update Struts. But he said that at least one Struts application wasn’t patched, or caught by March 15 scans looking for vulnerable implementations.

Equifax said an attacker targeted and exploited the Struts flaw to gain access to its systems on March 10. Later, it said, the attacker exfiltrated massive amounts of data over a three-month period.

Unpatched Struts Implementations Abound

Equifax’s failure to patch or catch the vulnerable Struts implementation had consequences that are now well known. But the company is far from the only organization that has been using Struts and failing to keep it fully patched.

“Equifax was not alone,” says Derek E. Weeks, a DevOps advocate at cybersecurity startup Sonatype, which tracks code used by software developers.

From March 2017 through February 2018, nearly 11,000 organizations downloaded a version of Apache Struts that included known flaws, Weeks said in a presentation at last month’s RSA Conference in San Francisco titled “We Are All Equifax.”

Equifax Discloses 2.4 Million More Mega-Breach Victims

Breach Costs Hit $114 Million, But Data Broker Still Sees Profit Rise

Equifax Discloses 2.4 Million More Mega-Breach Victims

Equifax says it identified 2.4 million U.S. consumers whose names and snippets of their driver’s license numbers were stolen, adding to what is one of the largest and most sensitive data breaches on record.

The disclosure came Thursday, the same day Equifax announced a 40 percent rise in profit for the fourth quarter last year compared to the same period a year prior.

Equifax says that its latest breach-related finding came from an ongoing analysis of proprietary company records and information from an “external data provider.”

The number of affected U.S. consumers now totals about 147.9 million, up from 145.5 million. The company says it will notify the victims and offer them prepaid identity theft protection and credit file monitoring services.

Investigation Continues

Equifax offered an explanation for why it is still uncovering victims six months after it first announced the breach on Sept. 7, 2017.

The company used Social Security numbers and names as the “key data elements” to figure out who was affected. Digital forensics experts had determined that the attackers were “predominantly” focused on stealing those numbers.

The latest group of people had portions of their driver’s license numbers stolen but not at the same time as their Social Security numbers, Equifax says.

For most of the 2.4 million new breach victims, the stolen data did not include addresses, the states that issued their driver’s licenses, or license issue or expiration dates.

Paulino do Rego Barros Jr., Equifax’s interim CEO, claims his company’s latest disclosure “is not about newly discovered stolen data.”

Instead, it appears that Equifax is still trying to get to the bottom of everything that attackers may have accessed in the massive data sets that the company knows were exposed. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers and making connections that enabled us to identify additional individuals,” he says.

Congressional Questions

No information has been released on who attacked Equifax. But the company admitted that it failed to quickly patch a known vulnerability in one of its installations of Apache Struts, a web application development framework (see Equifax’s Colossal Error: Not Patching Apache Struts Flaw).

Attackers accessed names, addresses, Social Security numbers and in some cases, driver’s license numbers. The breach also exposed credit card numbers for 209,000 U.S. consumers and credit dispute documentation for 182,000.

“Equifax needs to put consumers first and shouldn’t be trying to clean up its mess in a piecemeal fashion.”
—Sen. John Thune

U.K. and Canadian consumers were also affected, but in a much lower volume than in the U.S., where personal data for most adults was exposed.

Equifax is facing a range of class-action lawsuits, probes by regulators and continuing questions from the U.S. Congress. And the reaction to the company’s latest disclosure was unsparing.

The U.S. Senate Committee on Commerce, Science and Transportation plans to query Equifax for more information related to the latest disclosure, says Sen. John Thune, R-S.D., chairman of the committee.

“The company knew the incident affected nearly the entire population of credit-active consumers in the United States and had every reason to believe this number could grow,” Thune says. “Equifax needs to put consumers first and shouldn’t be trying to clean up its mess in a piecemeal fashion.”

Money Rolling In

On Thursday, Equifax said that through Dec. 31, the breach had cost the company $114 million after insurance reimbursements, according to an 8-K filing with the U.S. Securities and Exchange Commission.

(Source: Equifax)

Of the $114 million, $64.6 million was spent on product costs and consumer support, including its offer of prepaid credit monitoring and identity theft protection services to U.S. consumers, using Equifax’s own services. The company also spent $99.4 million on professional fees.

Equifax received $50 million from insurance payouts.

Despite the breach, Equifax did well for its fourth quarter of last year. Revenue was $838.5 million, up 5 percent over the fourth quarter of 2016. Net income was $172.3 million, an increase of 40 percent from the same period a year prior.

Equifax reaped a reward from President Donald Trump’s tax cuts. The company says it gained a net tax benefit of $48.3 million in the fourth quarter from the Tax Cuts and Job Acts of 2017.

US Data Breaches Hit All-Time High

Millions of Payment Cards and Social Security Numbers Exposed 

US Data Breaches Hit All-Time High
Data breaches by attack type. (Source: Identity Theft Resource Center)

What do AetnaAnthemChipotleDow JonesEquifaxForever 21Hyatt HotelsKmartSabreTrump HotelsVeriFoneVerizon and Whole Foods Market have in common?

All suffered and disclosed a data breach in 2017. And they weren’t the only ones.

In fact, the Identity Theft Resource Center, a U.S. non-profit organization set up to help ID theft victims, reports that in 2017, the number of U.S. data breaches reached an all-time high.

Source: ITRC

In 2017, ITRC counted 1,579 U.S. breaches, up 45 percent from 2016. That doesn’t reflect every U.S. data breach last year. Rather, it’s a count based on the data breach notifications that an organization is legally required to issue to authorities or residents of most states, if it suspects that their personal details may have been exposed (see Health Data Breach Tally Update: A Puzzling Omission).

Source: ITRC

Hardest Hit: Business Sector

A new report from ITRC, sponsored by identity theft monitoring service CyberScout, finds that out of all 1,579 breaches, most hit the business sector:

  • Business: 55 percent;
  • Medical/healthcare: 24 percent;
  • Banking/credit/financial: 9 percent;
  • Education: 8 percent;
  • Government/military: 5 percent.

Of the 179 million records exposed last year, nearly 158 million were Social Security numbers, accounting for 88 percent of all exposed records, according to ITRC. Nearly 20 percent of breaches resulted in credit and debit card information being exposed.

Source: ITRC

Top Breach Vector: Hacking

Most breaches were the result of hack attacks, ITRC’s research determined.

Here’s a breakdown of how information got exposed in 2017:

  • Hacking: 60 percent, including phishing (21 percent), malware/ransomware (12 percent) and skimming (2 percent);
  • Unauthorized access: 11 percent; ITRC says this category involves “some kind of access to the data but the publicly available breach notification letters do not explicitly include the term hacking”;
  • Employee error, negligence, improper disposal or loss: 10 percent;
  • Subcontractor, third party or business associate: 8 percent;
  • Accidental exposure: 6 percent;
  • Insider theft: 5 percent;
  • Physical theft: 5 percent;
  • Data on the move: 2 percent.

Source: ITRC

Caveat: 37 percent of breach notifications fail to quantify the number of records – such as Social Security numbers and payment card data – that was exposed, ITRC reports.

Still, that’s an improvement from previous years, Eva Velasquez, ITRC’s president and CEO tells Information Security Media Group. “It is getting better,” she says. “We’re seeing more transparency from companies, including the actual number of records impacted.” In 2017, 13.7 percent more organizations released such information than did so in 2016.

More Information: Better

In general, releasing more details to victims is always better. “Understanding the type of personal information that has been exposed is absolutely critical for affected consumers,” says Karen Barney, the ITRC’s director of program support (see Data Breach Notifications: What’s Optimal Timing?).

“While a Social Security number continues to be the most valuable piece of information in the hands of a thief, even the exposure of emails, passwords or usernames can be problematic as this information often plays a role in hacking and phishing attacks,” Barney says.

$3.5 Million Penalty for Five Small 2012 Breaches

Fresenius Medical Care North America Agrees to HIPAA Settlement 

$3.5 Million Penalty for Five Small 2012 Breaches

In one of the largest HIPAA settlements ever, federal regulators have signed a $3.5 million settlement with a Massachusetts-based healthcare organization that reported five small health data breaches in 2012 involving lost or stolen unencrypted computing devices.

See Also: Ransomware: The Look at Future Trends

The breaches, which affected a total of about 521 individuals, were all reported to federal regulators on Jan. 21, 2013, by Waltham, Mass.-based Fresenius Medical Care North America. While breaches impacting 500 or more individuals must be reported to the Department of Health and Human Services within 60 days of discovery, breaches affecting fewer than 500 individuals must be reported annually.

Data exposed in the breaches included patient names, addresses, dates of birth, telephone numbers, insurance information, and, in some cases, Social Security numbers.

5 Largest HIPAA Penalties

Organization Penalty
Advocate Health Care Network $5.55 million
Memorial Healthcare System $5.5 million
New York-Presbyterian Hospital and Columbia University $4.8 million
Cignet Health of Prince George County $4.3 million
Fresenius Medical Care North America $3.5 million

(Note: All were HIPAA settlements except Cignet Health, which was a civil monetary penalty. Source: HHS)

FMCNA is a provider of products and services for people with chronic kidney failure; it has over 60,000 employees who serve over 170,000 patients. FMCNA’s network comprises dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.

FMCNA was cited for a lack of a risk analysis, a common theme in the OCR’s HIPAA enforcement activities.

“OCR’s investigation revealed FMCNA … failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI,” the agency notes in the statement. “FMCNA … impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the HIPAA Privacy Rule.”

Small Breaches, Big Penalty

The settlement is particularly notable because it shows that it does not take a breach that affects millions to get OCR’s attention, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.

“And just as we have seen in other OCR enforcement actions … an information security incident that results in a breach is seen to be a symptom of larger issues that indicate general failures to have appropriate safeguards in place,” he says.

“Just as there were common threads into how the incidents occurred, OCR found a systemic failure across Fresenius in which there had been a lack of attention to putting into place basic safeguards electronic protected health information. Not only had FMCNA not conducted organizationwide information security risk analysis and risk management plans to address the vulnerabilities found by the assessment, there was a general lack of attention paid to protecting work stations and portable devices on which PHI was stored.”

While the provisions of a corrective action plan FMCNA agreed to carry out require taking action at only the five health centers that experienced breaches, Holtzman says it’s likely that the organization “will use this as a wake-up call to implement organizationwide changes into how it manages and safeguards its information system assets and protected health information.”

Five Breaches

The five breaches at the center of the settlement include these incidents:

  • On Feb. 23, 2012, two unencrypted desktop computers were stolen during a break-in at Fresenius Medical Care Duval, in Jacksonville, Florida. One of the computers contained the electronic protected health information of 200 individuals.
  • On April 3, 2012, an unencrypted USB drive, containing information on 245 individuals, was stolen from a workforce member’s car while it was parked in the lot at the Fresenius Medical Care Magnolia Grove facility in Semmes, Alabama.
  • On June 18, 2012, the FMCNA compliance line received an anonymous report that a hard drive from a desktop computer, which had been taken out of service to be replaced, was missing on April 6, 2012, from the Fresenius Medical Care Ak-Chin facility in Maricopa, Arizona. The workforce member whose hard drive, containing information on 35 individuals, was missing promptly notified the area manager, but the manager failed to report the incident to FMCNA’s corporate risk management department.
  • On June 16, 2012, an unencrypted laptop of a staff member at Fresenius Vascular Care in Augusta, Georgia, was stolen from her car while parked overnight at her home, where it was stored in a bag with a list of her passwords. The laptop contained the ePHI of 10 individuals.
  • On or around June 17-18, 2012, three desktop computers and one encrypted laptop were stolen from an FMC location in Blue Island, Illinois. One of the desktop computers contained the ePHI of 31 individuals.

Other Cases

The OCR settlement with FMNCA is the first for 2018, and one of only a handful of HIPAA enforcement actions handed down since the Trump administration took office a year ago.

In December, a federal bankruptcy court approved a $2.3 million settlement between OCR and bankrupt cancer care clinic chain, 21st Century Oncology pertaining to a 2015 cyberattack that impacted 2.2 million individuals. The payment was to be made by 21st Century Oncology’s cyber insurer, Beazley Group (see Bankrupt Cancer Clinic Chain’s Insurer to Cover Breach Fine).

In May 2017, OCR signed a $387,000 settlement with St. Luke’s-Roosevelt Hospital Center in New York to settle a case involving “careless handling of HIV information” for two patients (see Big Settlement in Privacy Case Involving 2 Patients’ HIV Data).

According to the resolution agreement, as part of a corrective action plan, FMCNA has also agreed to:

  • Conduct a risk analysis;
  • Develop and implement a risk management plan;
  • Implement a process for evaluating environmental and operational changes;
  • Develop a report regarding FMCNA’s implementation of encryption;
  • Review and revise policies and procedures on device and media controls;
  • Review and revise policies and procedures on facility access controls;
  • Develop an enhanced privacy and security awareness training program.

In a statement provided to Information Security Media Group, FMCNA says it takes the protection of patients’ health information “very seriously.”

FMCNA says the settlement with HHS OCR resolves “alleged HIPAA violations stemming from incidents that occurred in 2012, most of which involved theft of company computers and equipment. The settlement is not an admission that we violated HIPAA, and there is no evidence that any of our patients’ health information was improperly accessed or misused. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft.”