Monthly Breach Report: May 2019 Edition May 10, 2019
Many might argue that people have reached their data-breach news saturation point, yet guarding the user data is more important than ever amidst the implementation of stringent data regulations. Businesses can’t just get away with announcing their data breach; they need to pay fines that can amount up to almost 4% of their annual turnover (if they have a presence in Europe) and may even end up losing customers. Going by reported trends, highly valued data propel hackers to commit data breach crime.
Businesses around the world are still struggling to ensure data safety. To a large extent, data thefts have now become regular affairs, and organizations are not yet prepared to handle accompanying issues. As data breaches continue to rise at a steady pace and rock customers’ trust, look at some of the most prominent data breaches that hit the globe in the month of April 2019.
April 22, 2019 – If you are a fitness enthusiast, then you may be in for a rude shock. Reason? One of the world’s largest and most popular online fitness retailers, Bodybuilding.com, recently disclosed that it had become a data breach victim. The customer data that may have been impacted includes name, email address, contact number, billing and shipping addresses, and order history.
Idaho-based Bodybuilding.com that specializes in fitness articles, exercises, workouts, supplements informed that it found out about the breach in February this year and hired a prominent data security enterprise to probe the matter. The investigation found that the security breach happened due to a phishing email that was received in July last year.
The company has clarified that there has been no evidence of data misuse so far. However, they have notified all their existing, former customers and users about the breach. To remediate the breach and contain such incidents from happening again, the retailer also collaborated with law enforcement and security agencies apart from engaging with third-party forensic consultants.
Moreover, to keep a close watch on its systems for all types of unauthorized access, the fitness company has already initiated extra security steps. For example, now when the customers’ login, they need to reset their passwords before proceeding further.
April 15, 2019 – While data breaches of any type are disturbing, the way Microsoft’s email services were breached is a cause of worry. Last month, Microsoft admitted that it suffered a data breach that involved Outlook.com, MSN.com, and Hotmail.com (web-based email services). News reports suggest that one of Microsoft support agent’s credentials got compromised allowing intruders to access information within Microsoft email account.
Although the tech player has not made any official announcement about the actual number of customer accounts that were affected due to this incident, they stated that between January 1 and March 28, webmail user email accounts were exposed in this breach.
According to reports, the breach lasted for three months, and upon detection, the compromised credentials were prohibited from being used to stop unauthorized access. According to an advisory issued by Microsoft, the incident did not impact any of the user email login credentials. As a precautionary measure, the user must reset their email password.
Microsoft further said that this incident impacted only a limited subset of consumer accounts and none of the enterprise email accounts were under any threat. Some key information impacted in this breach included the user’s email address, the email address of those also with whom the user communicated with, email subject lines, and folders users had created.
3. Georgia Tech
April 3, 2019 – Counted among the world’s most prestigious University with lauded computer science programs, Georgia Tech announced that it suffered a data breach allowing access to the personal data of 1.3 million existing and former faculty members, staff, students, and student applicants.
The coveted institute stated that the breach became possible because the unauthorized entity was able to exploit the vulnerability of its web application. Although it was clear that the first unauthorized access occurred on December 14, 2018, no information was available as to how long the unknown attacker(s) had accessed the University database.
The cybersecurity team of Georgia Tech has initiated a forensic probe to understand the depth of the breach and what data was extracted from the system, which likely includes names, addresses, date of births, and social security numbers. Last month the university’s IT team realized the vulnerability of its web app when the performance issue came to light.
Since discovering the breach, steps have been taken to patch the vulnerability, and the university sent email notifications to the affected individuals. It has already informed the U.S. Department of Education and University System of Georgia (USG) about the attack.
Source: SC Media
April 23, 2019 – : The data validation platform unknowingly leaked records of more than two billion people which in turn comprised important details like phone numbers, verified emails, date of birth, credit scoring, mortgage-related information like interest rates and mortgage data, account details of Facebook, LinkedIn, and Instagram.
Referred to as one of the biggest data breaches in history, this incident impacted 2,069,145,043 people. In an initial review, 808 million records were found to have been breached, but a more in-depth analysis revealed that the number rose to over two billion across four databases.
Security researcher Bob Diachenko and fellow researcher Vinny Troia discovered this colossal breach. Diachenko said that when he reported the incident to Verifications.io, his efforts were appreciated and immediate steps were made by the email verification service provider to ensure the security of the database.
April 17, 2019 – Many may be shocked to know that recently Wipro became the target of a phishing attack on its computer systems. Cybersecurity blog KrebsOnSecurity reported the attack which was confirmed by the software services company. The report mentioned that Wipro employee accounts were used to target their consumers over the span of months. Later the major IT company publicly gave notice that they had brought an independent forensics company on board to help with the investigation of this phishing attack.
In a move to prevent such incidents from happening again in the future, Wipro isolated the impacted employee accounts and undertook remedial actions. Apart from having informed customers about this mishap, Wipro noted that the incident didn’t hamper the organization’s crucial business functions in any way.
Termed as an advanced phishing campaign, Bengaluru-based Wipro mentioned in its regulatory filing that it identified abnormal activity within its network approximately ten days earlier.
6. EmCare Inc
April 22, 2019 – Dallas-based provider of physician practice management services EmCare Inc. encountered a data breach when an unauthorized entity accessed the email accounts of varied employees that compromised about 60,000 individuals’ information.
According to a statement issued by EmCare, the hacking incident impacted the personal data of employees, patients, and contractors. The data that was exposed includes the names, dates of birth and, for a few, clinical details as well. In some of the cases, the driver’s license and social security numbers were impacted as well.
Although on Feb 19, 2019, the company discovered impacted email content, there was no clarification as to when the company discovered that email accounts’ breach had happened.
The company has also clarified that there has been no evidence that showed data misuse happened since the breach. The company is offering Experian’s IdentityWorks credit monitoring and identity protection services to all those whose driver license information and social security numbers were impacted.
Source: Staffing Industry Analysts
7. Steps to Recovery
April 19, 2019 – Sensitive medical data was exposed in a searchable online database; the data belonged to approximately 145,000 patients from Steps to Recovery, the Pennsylvania-based addiction treatment facility. Justin Paine, Director of Trust and Safety at online security firm Cloudflare shared this information.
Paine said that he discovered an unencrypted database containing nearly 5 million rows of patients’ data who undertook treatment at various addiction rehabilitation centers during 2016-2018. The data comprising the patients’ names, along with types, dates, and costs of treatment was found when keywords were fed into the Shodan search engine.
After knowing about the breach, Paine informed Steps to Recovery and also the hosting provider of the database. Since then, the leaked data has been taken down and made unavailable to the public.
Steps to Recovery has decided to bring a cybersecurity enterprise on board to initiate an investigation. Also, the impacted patients will be notified about the breach if the investigation proves that the hackers had accessed or misused the information.
Dataguise understands the importance of data privacy and how frustrating data breaches can be for consumers and the businesses entrusted with their data. Although anyone can be a target, Dataguise DgSecure provides enterprise solutions for businesses small and large to combat these threats while ensuring all sensitive data across an organization is accounted for, protected, and compliant with industry and global data privacy laws. To learn more about Dataguise DgSecure, contact us for additional information.