Monthly Breach Report: October 2019 Edition

Data breaches have become one of the biggest curses of the Internet age. While they are a nightmare for consumers, they impact organizations as well.

Here are the biggest data breaches from last month to hit news headlines.

1. DoorDash

September 26, 2019: A massive data breach affected about 4.9 million DoorDash users when a hacker stole the data of customers, delivery workers, and merchants. The San Francisco-based startup observed unusual activity early last month, and upon further investigation discovered “an unauthorized third party” had accessed their user data earlier this year.

The breach occurred on May 4 this year when a third party accessed DoorDash user data without permission.

The compromised data included key details like names, email addresses, delivery addresses, phone numbers, order histories and passwords, and in some cases the last four digits of payment cards and the last four digits of bank account numbers. The breach also affected driver’s license information of approximately 100,000 delivery workers who work for DoorDash.

DoorDash, in an official statement, clarified that the data of users who joined on or before April 5th, 2018 were not leaked in this incident. To lower the impact of the data mishap, DoorDash has blocked the unauthorized user’s access, ramped up security measures and collaborated with external expertise.

Source: The Verge

2. Instagram

September 12, 2019: Social networking giant Instagram was hit by a security flaw that resulted in a data leak, allowing access to account details like users’ real names and complete phone numbers. ZHacker13, an Israeli hacker, identified this security flaw. In August, Facebook, Instagram’s parent company, confirmed the presence of a bug that could have led to the breach.

Last month, Facebook discovered the leak when an online database listed the phone and account information for 419 million users. Facebook went on to clarify that it was a third-party breach as the storage location of the data didn’t belong to their servers.

While a data leak makes an organization vulnerable to security threats, for Instagram, the size of the mishap was small since it didn’t share any payment information.

Although Instagram has applied security measures to bridge the gap, the social networking giant has now fallen victim to two massive data breaches leaking millions of users’ data.

Source: Forbes

3. Malindo Air

September 24, 2019: Malaysia’s Malindo Air and its Indonesian parent enterprise Lion Air encountered a data breach that leaked approximately 35 million customers’ passport details, home addresses, and phone numbers. Malindo Air CEO Chandran Rama Muthy confirmed the incident had occurred and informed the press that an independent cybersecurity firm was being hired to undertake a complete forensic analysis of the breach.

The airline has clarified that payment details of clients were not hit by the breach and that an auto-reset of all customer passwords was conducted as a precautionary step. While notifying authorities like CyberSecurity Malaysia about the incident, Malindo Air has taken steps to ensure that the breach doesn’t compromise customers’ information with regard to the Malaysian Personal Data Protection Act 2010.

Source: South China Morning Post

4. Ecuador

September 17, 2019: Last month, Ecuador was the victim of a humongous national data breach, which leaked information of approximately 20 million people, more than the country’s population. Currently, Ecuador has a population of about 17 million. According to Ecuador’s State Attorney General’s Office, the deceased citizens were the extra few million individuals hit by the breach.

News reports suggest the breach affected 6.7 million minors, Ecuador’s President and WikiLeaks Founder Julian Assange. The personal data leaked encompassed full names, dates of birth, national identity card numbers, tax identification numbers, employment information, the names of family members, and financial information (such as bank customers’ account status, balance, and credit type).

vpnMentor reported the breach occurred on a server managed by Ecuadorian consulting and analytics company Novaestrat.

Soon after identifying the mishap, Ecuador took immediate measures to control its impact. Investigations are underway, and the telecommunications ministry claims the leak wasn’t a cyber-attack on the government data files and Novaestrat may have taken help from former civil servants to gain authorized data access.

Source: Engadget

5. Thinkful

September 20, 2019: Online coding bootcamp enterprise Thinkful acknowledged that a third party gained unauthorized access to employee account credentials.

After finding out about the security breach, the organization informed the users, beefed up their security measures along with initiating a thorough probe.

Thinkful announced that the data theft doesn’t grant the hackers access to users’ personal data such as financial information, social security numbers, and government-issued IDs. To curtail the effect of the attack, the enterprise updated credentials and prompted users to reset their passwords on priority.

This news of data theft comes right after Chegg confirmed the acquisition of Thinkful last month. In a similar incident, Chegg encountered a security breach after which they decided to reset their customers’ passwords.

Source: TechCrunch

6. Metro Mobility

September 23, 2019: Over 15,000 customers of Metro Mobility became the target of a data breach last month when the Twin Cities transit service for individuals with disabilities exposed their personal data.

Metro Mobility alerted customers about the data theft, stating an unauthorized individual gained access to an employee’s email account compromising personal ride information between June 13-Aug 14.

The notice, sent by Metro Mobility, mentioned the hacker may have had access to individual rider names, pickup and drop-off addresses, times of rides and special instructions for Metro Mobility drivers, but the social security numbers and personal financial data were not compromised.

Metro Mobility, which offers shared rides to those who are unable to use regular fixed-route buses due to a disability or health condition, reported the breach to the St. Paul Police Department.

Source: Star Tribune

7. Get

September 11, 2019: Personal data of approximately 50,000 ‘Get’ app users, comprising students involved in university communities and clubs, was available online in Australia last month.

A Reddit user discovered the security lapse when other users’ information (comprising name, email, date of birth, Facebook ID and phone numbers) was available for access through the company’s search function API. The breach allowed data requests without special tokens.

Reports suggest that Get implemented initiatives to prevent such incidents from happening again in the future while analyzing the API call to evaluate the level of compromised data.

Get is an app built for university societies and clubs to support payments for events and merchandise. With a presence in four countries, currently, the platform has 159,000 active student users.

Source: The Guardian

8. Animates

September 13, 2019: Pet platform Animates issued an apology and informed its customers that a data breach had affected their operations. Soon after realizing that an entity gained unauthorized access to Animates’ web platform, the pet retailer notified and requested customers to maintain a strict vigil on their bank accounts.

Reports suggest debit card and credit card data were the target area of this breach, affecting around 2700 customers and forcing Animates to shut down their web platform. Animates has initiated a detailed probe into measuring potential vulnerabilities and will be unveiling a new web platform to ensure data security.

Animates has informed privacy and legal bodies about this data mishap and clarified that clients who opted for online purchases using Laybuy or PayPal, or who made purchases in physical stores, were safe from the leak.

Source: Newshub

9. Verlo Mattress Factory

September 20, 2019: Milwaukee-based mattress company Verlo Mattress was made aware of a data leak when a security researcher found 387,000 customer records from the mattress enterprise online in a non-password-protected database.

On September 5th, it came to light that Verlo Mattress’ client records with names, phone numbers, emails, home addresses, and billing addresses were available online in a database labelled “Customers”.

The leaked database allowed access to view, edit, download and delete without any control.

Marcus Investments owns Verlo Mattress with 36 locations across the US.

Source: Threatpost

Dataguise understands the importance of data privacy and how frustrating data breaches can be for consumers and the businesses entrusted with their data. Although anyone can be a target, Dataguise DgSecure provides enterprise solutions for businesses small and large to combat these threats while ensuring all sensitive data across an organization is accounted for, protected, and compliant with industry and global data privacy laws. To learn more about Dataguise DgSecure, contact us for additional information.
