Monthly Breach Report: March 2020 Edition

As more and more businesses face the wrath of data breaches globally, the wave of compromised data is getting worse. According to research by PCI Pal, an overwhelming 83% of US consumers will stop spending with an organization for several months in the immediate aftermath of a security breach, and more than 21% of US consumers will never do business with a company that experienced a data breach.

Data breaches are among the biggest threats to today’s businesses, which rely on consumer data and trust in order to focus more on using personal data to grow the business and less on managing risk or compliance.

By almost any measure, data breach incidents occurring in the US over the past month were disastrous. Here are our picks for the top 10 data leak reports over the last month.

1. Altice

Feb 11, 2020: The New York-based communications and media company Altice USA reported a phishing incident in which the social security numbers, birth dates, and other key personal data of all 12,000 existing employees, some former employees, and records of a small number of customers were downloaded. Altice is now facing legal class action claims.

The breach happened in November last year when an unauthorized third party gained access to the email account credentials of individual Altice USA employees. On Feb 5, Altice, considered a significantly sized American business, issued a notice to those impacted by the breach stating that it has “no information at this time that would indicate that your personal information has been misused.”1

Lisa Anselmo, a spokesperson for Altice, said, “During our investigation, we learned in January 2020 that certain downloaded mailboxes contained password-protected reports that included personal information for current employees and some former employees. A limited number of customers were also included.”

Official confirmation from Altice about the number of customers hit by this breach is yet to come. Meanwhile, Altice is offering one year of free identity and credit monitoring from Experian to those affected.

To more fully understand and mitigate the impact of this leak and avoid any future attacks, Altice hired a computer forensics service and initiated employee training.
Source: Newsday

2. DOD Defense Information Systems Agency (DISA)

Feb 21, 2020: Among the latest data breach victims, the Defense Information Systems Agency (DISA) became the target of a data breach exposing the personal data of about 200,000 individuals on a system run by the agency. The compromised data included names and social security numbers.

DISA, a division of the Department of Defense (DOD), is in charge of securing IT and communications support for the White House, US diplomats, and military troops. Letters issued by DISA said the breach occurred between May and July 2019 and that, as of February 11, 2020, the agency had not seen any indication that personal information had been misused.

DISA is offering individuals whose personal information was possibly compromised free credit monitoring and steps to take to mitigate potential harm.

Soon after learning about the incident, DISA initiated investigations and took steps to secure the network and mitigate the damage.

Reuters reports, DISA “provides direct telecommunications and IT support for the president, Vice President Mike Pence, their staff, the U.S. Secret Service, the chairman of the Joint Chiefs of Staff, and other senior members of the armed forces, according to its website.” (https://www.disa.mil/) DISA employs approximately 8,000 military and civilian personnel.2

In a similar incident during October 2018, DOD experienced a security breach that exposed the personal and payment card details of over 30,000 military and civilian personnel.
Source: ZDNet

3. Nedbank

Feb 14, 2020: In total, 1.7 million Nedbank customers were hit by a data breach. Nedbank, a South African banking institution, discovered a vulnerability at its third-party service provider, Computer Facilities (Pty) Ltd, responsible for taking care of SMS and email marketing campaigns. During a routine monitoring procedure, Nedbank identified the security breach that affected up to 1.7 million clients.

The exposed information stored on the contractor’s systems included names, ID numbers, home addresses, phone numbers, and email addresses. No client bank accounts were compromised and the company is asking clients only to remain vigilant.

When they became aware of the incident, the bank engaged Computer Facilities (Pty) Ltd and top forensic experts in thorough investigations. Immediately after discovering the vulnerability, the company destroyed all Nedbank client data held by Computer Facilities (Pty) Ltd and disconnected its systems from the internet.

Nedbank CEO Mike Brown said, “We regret the incident that occurred at the third-party service provider, namely Computer Facilities (Pty) Ltd, and the matter is receiving our urgent attention. The safety and security of our clients’ information is a top priority. We take our responsibility to protect our client information seriously, and our immediate focus has been on securing all Nedbank client data at Computer Facilities (Pty) Ltd, which we have done. In addition to this, we are communicating directly with affected clients. We are also taking the necessary actions in close cooperation with the relevant regulators and authorities.”3

Nedbank is one of the biggest banks in Africa and currently operates in South Africa, Angola, Kenya, Lesotho, Malawi, Mozambique, Namibia, Swaziland, and Zimbabwe.

Source: ZDNet

4. Monroe County Hospital & Clinics

Feb 18, 2020: Monroe County Hospital & Clinics (MCHC), an Iowa-based healthcare provider, has notified its customers that their personal information may have been hacked in a data breach.

There was unauthorized access to employees’ email accounts as early as October 28, 2019. Through compromised email and email attachments, patient data such as full names, dates of birth, addresses, insurance information, and clinical information may have been accessed. MCHC learned about the incident on December 19, 2019.4 The organization discovered its email system had been compromised, impacting about 7,500 patients.

Monroe County launched a probe and involved computer forensic scientists immediately. News reports suggest that hackers had access to several employees’ email accounts from October 28, 2019 to January 20, 2020.

As the healthcare provider investigates the impact of the breach, all MCHC employees reset their email account passwords and underwent new cybersecurity training. MCHC offered impacted individuals enrollment to one year of Equifax credit monitoring services and information on how to request fraud alerts and a security freeze on their credit files.
Source: Beckers Hospital Review

5. Fifth Third Bank

Feb 11, 2020: Fifth Third Bank, Cincinnati’s largest locally based bank and the nation’s ninth-largest US-based consumer bank, fell prey to a data breach last month when it learned that a few of its employees had been stealing customer information such as social security numbers, addresses, and account numbers since 2018.5 The bank hasn’t specified the number of customers impacted or the number of employees responsible for this breach.

A statement from Fifth Third Bank said, “The information was stolen by a small number of employees who provided it to people outside of the bank. According to the authorities, and based on our own internal investigation, we have terminated the employees involved in any wrongdoing.”6

While acknowledging the breach, the financial institution said the breach was uncovered in an internal investigation, and all affected customers have been notified.

The bank has announced that any customer who has suffered a financial loss as a result of this breach will be reimbursed, and that it will provide a free fraud alert for one year to those whose data was personally accessed.
Source: The Business Journals

6. Wake County

Feb 15, 2020: Over 1,900 Wake County, North Carolina government employees became the target of a data breach. The county’s former flexible benefit spending accounts administrator, Interactive Medical Systems (IMS), was targeted by the data security breach, which leaked employee information including names, dates of service, and partial and full social security numbers.

The breach began July 19, 2019 and continued until IMS found out about it on Dec 31, 2019. Wake County ended its contract with IMS that day.

No personal information of any county residents was compromised. Bill Greeves, Chief Information and Innovation Officer, Wake County, said, “It’s important to note that this was not a breach of a county system, nor was it caused by a county employee. IMS has confirmed the breach was the result of a phishing attack against an IMS employee.”7

In addition to notifying affected individuals on how to protect themselves, IMS implemented stringent password policies, upgraded security systems, and unveiled trainings for employees to prevent further phishing attacks. A free hotline is also available to help employees have their queries resolved.
Source: Databreaches.net

7. PSL Services

Feb 18, 2020: PSL Services/STRIVE, also known as Peregrine Corporation of Maine, reported a data breach incident that may have affected the security of personal data relating to some Maine residents. PSL Services has yet to identify the impacted individuals and the exact number affected, and whether the individuals were employees, clients, or others.

The compromised data include patient names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical data, and Maine Care numbers.8 PSL initiated an investigation with assistance from a third-party forensics specialist after discovering suspicious activity in one employee’s email account on December 17, 2019. The probe found that a few employee email accounts were accessed without authorization last year between December 16 and December 19, 2019.

PSL informed the Office of Civil Rights at the US Department of Health and Human Services, the Maine Attorney General, and prominent news media outlets throughout the state of Maine about the breach. The company engaged a cybersecurity firm to thoroughly investigate the incident. Maine law mandates any data hacks affecting over 1,000 state residents must be publicly reported.

Founded in 1992, PSL Services offers residential and community services, mental health care, case management, and other support for adults and teens with intellectual, developmental, and emotional disabilities.
Source: MaineBiz

8. Generate

Feb 12, 2020: The New Zealand-based Generate was struck by a data hack impacting around 26,000 of its 90,000 customers. An unauthorized malicious third party accessed the Auckland-based company’s online application system between December 29, 2019, and January 27, 2020, which led to the breach.9

The savings scheme provider discovered the breach last month and implemented additional security measures to prevent data misuse. Generate is a provider of savings funds as part of the government-run KiwiSaver firm. Generate reported that the customers hit by this security breach joined in the last seven years.

A statement issued by Generate read, “As well as outlining the steps the company is taking in response to this incident, advice has been provided to affected members about what steps they can take to minimize risks associated with inappropriate use of their personal information. We have engaged external cybersecurity specialists to advise on our immediate response to this situation, as well as to conduct a broader audit and testing of all of our systems.”

Generate has notified the Financial Markets Authority, Inland Revenue, the New Zealand Police, and the Privacy Commissioner about the breach.
Source: Portswigger

9. Hanna Andersson

Jan 24, 2020: The Portland-based children’s clothing retailer Hanna Andersson issued a warning to its customers in January this year that their credit card information may be compromised. Attackers infected its third-party e-commerce platform, Salesforce Commerce Cloud “with malware that may have scraped information entered by customers into the platform during the purchase process.”10

The data breach took place last year between September 16 and November 11, 2019, when the malware was removed. “In this type of attack dubbed Magecart, threat actors are hacking into vulnerable e-commerce platforms used by online stores and inject malicious JavaScript-based scripts into checkout pages. The scripts known as web skimmers or e-skimmers are then used to collect the customers’ payment info and send it to attacker-controlled remote sites.”11

The unauthorized intruder gained access to customers’ data, including payment card numbers, expiration dates and CVV codes, names, billing addresses, and shipping addresses. The US-based apparel maker has not yet been able to determine the number of customers or exactly who among them have been affected by this breach.

A statement from Hanna Andersson said, “We recognize that this incident will test our customers’ trust in us, and we are committed to doing everything we can to earn back that trust.” The clothing brand is offering a year of free credit card monitoring to customers.

The first California Consumer Privacy Act (CCPA) lawsuit has been filed, alleging that “both Hanna Andersson and Salesforce failed to properly safeguard customers’ sensitive data and failed to detect the breach (and subsequent sale of information on the dark web).” The breach was discovered by law enforcement, who informed Hanna Andersson on December 5, 2019, that “credit cards used on its website were available for purchase on a dark web site.”12

The company is working with federal authorities in the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) and three other companies to probe the attack and strengthen security measures.

Source: Multichannelmerchant

10. Rutter’s

Feb 14, 2020: The US-based chain of convenience stores and gas stations Rutter’s issued a warning statement last month on its website. It stated that its stores located in Pennsylvania and West Virginia were hit by a data hack that allowed a third-party to access customers’ credit card information from Oct. 1, 2018, until May 29, 2019.

It further added that the “malware collected data from the point-of-sale (POS) devices installed inside convenience stores and a few of its fuel pumps.” The breach did not impact the payment card transactions made at Rutter’s car washes, ATMs, or lottery machines.

Soon after discovering the breach, Rutter’s removed the malware and notified the affected customers.

The official statement issued by the store chain read, “Rutter’s recently received a report from a third party suggesting there may have been unauthorized access to data from payment cards that were used at some Rutter’s locations. We launched an investigation, and cybersecurity firms were engaged to assist. We also notified law enforcement.”13

Rutter’s provides gas stations and convenience stores in over 70 locations in Pennsylvania, West Virginia, and Maryland.
Source: ZDNet

1. https://ago.vermont.gov/wp-content/uploads/2020/02/2020-02-06-Altice-USA-Inc-Notice-of-Data-Breach-to-Consumers.pdf
2. https://www.reuters.com/article/us-usa-defense-breach-idUSKBN20E27A
3. https://www.nedbank.co.za/content/nedbank/desktop/gt/en/info/campaigns/nedbank-warns-clients.html
4. https://www.mchalbia.com/news/notice-regarding-recent-security-incident/
5. https://local12.com/news/local/fifth-third-bank-warns-customers-of-data-breach-at-hands-of-former-employees-cincinnati
6. https://www.bizjournals.com/cincinnati/news/2020/02/11/fifth-third-customers-hit-by-data-breach-involving.html
7. https://abc11.com/5931683/
8. https://local12.com/news/local/fifth-third-bank-warns-customers-of-data-breach-at-hands-of-former-employees-cincinnati
9. https://securitybrief.co.nz/story/kiwisaver-firm-generate-hit-by-data-breach
10. https://attorneygeneral.nd.gov/sites/ag/files/documents/DataBreach/2020-01-15-HannaAndersson.pdf
11. https://www.bleepingcomputer.com/news/security/us-retailer-hanna-andersson-hacked-to-steal-credit-cards/
12. https://www.secureworldexpo.com/industry-news/first-ccpa-lawsuit-is-about-hacking-and-privacy-hanna-andersson-salesforce
13. https://www.wgal.com/article/local-rutters-full-statement-on-data-breach/30925553#