Monthly Breach Report: December 2019 Edition

With year-end rapidly approaching, the trend of growing cyber breaches continues. Here’s a list of prominent data breaches occuring over the last month.

1. T-Mobile

Nov 24, 2019: US-based T-Mobile issued a data breach notification stating that a million of its customers’ data got compromised including details like customers’ names, billing addresses, phone numbers, account numbers, rates, plans and calling features. The security mishap came to the forefront by T-Mobile early last month.

Representatives have clarified that payment and credit card data were not breached in this attack.

The wireless network operator has further revealed that the data leak affected less than 1.5% of its overall customer base.

For the second time in two years, T-Mobile became the target of a nasty data hack. A similar incident in August 2018, approximately two million customers of T-Mobile had to bear the brunt of a security hack. While the incident didn’t result in theft of any financial data or social security numbers, other key data exposed in the incident included names, billing zip code, phone number, email address, account number and account type (prepaid or post-paid).

A statement from T-Mobile said, “Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to the authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised.”

Source: PYMNTS

2. Church’s Chicken

Nov 25, 2019: A payment card breach affecting a minimum 160 Church’s Chicken restaurants in the US was result of a compromised payment processing systems.

While the breach happened in October this year, the company is yet to find out the scale of this security breach.

Atlanta-based Church’s Chicken is a quick-service restaurant chain with 1,500 locations across 23 countries globally. In the US, Church’s Chicken has 1,000 locations in 29 US states with the majority of them being franchised instead of corporate-owned.

According to a statement issued by Church’s Chicken, the breach impacted the corporate-owned restaurants only. None of the franchised locations and customers who placed orders via Uber Eats and DoorDash were part of this cyber breach that hit 11 US states, comprising of Alabama, Arkansas, Florida, Georgia, Illinois, Louisiana, Mississippi, Missouri, South Carolina, Tennessee, and Texas.

Church’s Chicken has initiated a probe into this matter by collaborating with a prominent cybersecurity forensics firm to understand the extent to which incident may have impacted. Moreover, it has informed the law enforcement authorities, payment card networks, and credit monitoring agencies about this cybersecurity breach.

Source: Mobile Payments Today

3. Macy’s

Nov 20, 2019: Data hackers infultrated Macy’s online store, exposing client payment information. A letter issued by Macy’s states the breach occurred on October 7 and was discovered and removed on October 15.

This has been the second time for Macy’s when a data hack involving credit card details of customers took place. The cyber-thieves had earlier attacked Macy’s last year in a similar incident.

This US-based, iconic retail giant notified the affected shoppers stating that the hackers stole payment data from the “Checkout” and “My Wallet” page. Reports suggest that Magecart, famous for injecting payment card skimmers into eCommerce websites, was the mastermind behind this attack. Considering the breach into account, Macy’s has ramped up security measures to avoid such incidents, informed the federal law enforcement about the mishap and collaborated with prominent forensics company to investigate the issue.
The retailer has also advised customers to keep a close watch on their credit card statement for any fraudulent activity. Meanwhile, Macy’s has decided to provide a free year of the Experian IdentityWorks credit monitoring service to the affected customers.
The Cincinnati-based retailer ranks among one of the most popular websites in the US.

Source: TechSpot

4. Disney Plus

Nov 19, 2019: A data breach impacted thousands of Disney Plus users after cyber thieves stole their account details and resold them on underground cybercrime forums. The news came as a rude shock because Disney Plus is a new subscription-based streaming service Disney launch the month prior.

News reports suggest the security breach occurred within hours of the Disney Plus’ launch. The compromised data (including the type of subscription and expiration date) were up for sale on the dark web for as little as $3.

Users complained that hackers accessed their Disney Plus accounts, changed the password & email associated their account, locking them out of the service.

To get support help, victimized Disney Plus users waited on telephone and online chat lines for several hours. Meanwhile, Disney said that they pay utmost importance to their users’ security and didn’t find any indication of a security hack to its systems. The entertainment giant said that the hackers may have used spyware on users’ devices or stole re-used login credentials.

Disney launched the streaming service to compete with Netflix where members could view its 500 movies and 7,500 TV episodes from Disney, Pixar, Marvel, Star Wars, National Geographic. In the first week of Disney Plus’s launch, ten million people signed up for it. Currently, it is available in the US, Australia, Canada, New Zealand, and the Netherlands only.

Source: BBC

5. Desjardins Group

Nov 1, 2019: Desjardins Group announced that a data breach from earlier this year impacted its 4.2 million members. The scope of the breach is much larger than previously anticipated. When first discovered, the government took steps to safeguard the personal data in Quebec.

In June, the Canadian Cooperative clarified that unauthorized use of internal data by an employee led to personal data being breached for 2.7 million members and 137,000 business customers. Last month, Desjardins Group shared an update claiming that the breach affected 4.2 million members compromising information such as social insurance numbers, addresses, and banking habit details of the data.

With seven million members, the Canadian cooperative is the largest federation of credit unions (also known as caisses) in North America. From July this year, Desjardins identity protection offering coverage of up to CA $50,000 (£30,930) for the expenses related to identity theft offered protection to all members engaged in banking activities in Quebec and Ontario.

To help the affected members, the co-op will provide access to lawyers and experts apart from reimbursing them for the expenses incurred due to the theft. Members may choose to avail the credit monitoring service of Desjardins that sends alerts if personal data undergoes change or requests for new credit inquiries.

Source: Reuters

6. Palo Alto Networks

Nov 28, 2019: American Multinational Palo Alto Networks encountered a nasty digital attack, leaking personal information of both previous and existing employees. According to news reports, a former employee of Palo Alto Networks revealed that a breach has hit the business giant.

The cybersecurity company confirmed that a third party vendor posted the personal data of about seven present and former employees online in February this year. Compromised information included names, date of birth, and social security numbers of the employees. The company didn’t disclose the external contractor’s name who was responsible for this security lapse as Palo Alto Networks wasn’t sure of the motive of the breach.

Meanwhile, a statement from the cybersecurity company said, “We took immediate action to remove the data from public access and terminate the vendor relationship. We also promptly reported the incident to the appropriate authorities and to the impacted individuals. We take the protection of our employees’ information very seriously and have taken steps to prevent similar incidents from occurring in the future.”

Source: TechRadar

7. One Plus

Nov 22, 2019: Chinese smartphone manufacturer OnePlus encountered a data leak last month when an unauthorized party accessed their user data. The Shenzhen-based company confirmed on its website’s FAQ page that the data breach exposed sensitive details from particular customers’ orders comprising their phone number, name, and address details.

It also stated that an existing vulnerability resulted in the data breach and the hackers leveraged this security lapse to gain access to the order details of few customers only. The security team of OnePlus discovered the breach. They clarified that payment-related data, passwords, accounts were safe and the breach didn’t target all its customers.
The company has issued a security notification to the impacted users via email that included the possible reason of breach and remedial steps taken. Post this security hack, the business major has ramped up its security measures and requested affected customers to be cautious.

According to an official statement from OnePlus, “We are continually upgrading our security program — we are partnering with a world-renowned security platform next month and will launch an official bug bounty program by the end of December.”

For the second time in two years, OnePlus became the target of cybercriminals. In January last year, a similar incident affected up to 40,000 customers of OnePlus forcing the smartphone maker to stop credit card payments on its eCommerce platform.

Source: ZDNet

Dataguise understands the importance of data privacy and how frustrating data breaches can be for consumers and the businesses entrusted with their data. Although anyone can be a target, Dataguise DgSecure provides enterprise solutions for businesses small and large to combat these threats while ensuring all sensitive data across an organization is accounted for, protected, and compliant with industry and global data privacy laws. To learn more about Dataguise DgSecure, contact us for additional information.

Datasheets

DgSecure GDPR Datasheet