Monthly Breach Report: December 2018 Edition

Another social media platform falls victim to software vulnerabilities, while a major Chinese airline is investigated under the GDPR – these are just some of the data breach stories that hit the headlines this past month.

1. Marriott

November 30, 2018 – Marriott International disclosed a breach of its Starwood reservation system in which hackers stole the personal data of up to 500 million guests. The breach affected customers who had made reservations at the Marriott-owned Starwood hotel brands between 2014 and September 2018. The properties include Sheraton, Design Hotels, Aloft, W Hotels, Four Points, Tribute, St. Regis, Westin, Le Méridien, Element, and the Luxury Collection. The names, phone numbers, birth dates, addresses, email addresses and encrypted credit card details of hotel customers were stolen. The travel histories and passport numbers of some guests were also taken.

The intrusion went unnoticed for about four years by Starwood, which was acquired by Marriott in 2016. It was only discovered this September, when a security tool notified Marriott officials about an unauthorized attempt to access Starwood’s guest reservation database. This alert prompted Marriott to work with external security experts, who found that Starwood’s systems had been hacked in 2014.

Marriott’s security is now facing probes from multiple government bodies, including the New York Attorney General’s office. European regulators, such as the U.K. information commissioner, are also looking into the case for any issues falling under the General Data Protection Regulation (GDPR).

Source: NY Times

2. Dunkin’ Donuts

November 29, 2018 – The donut giant Dunkin’ Donuts revealed that it had found a recent digital security breach related to its DD Perks program. The hackers might have accessed details such as the names and email addresses of customers who had signed up for its DD Perks mobile app, a rewards program. Customers’ 16-digit DD Perks account numbers and QR codes for the program may also have been compromised. Though Dunkin’s security stopped most of the hack attempts, what was exposed depends on what data DD Perks customers had included in their accounts. The attack apparently occurred in October.

The company released a statement explaining how ‘third-parties’ acquired the information: “Although Dunkin’ did not experience a data security breach involving its internal systems, we’ve been informed that third-parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts.”

The company also said that “only a small percent” of accounts were affected. It has also launched an internal investigation and has forced a password reset for potentially impacted members.

Source: Today

3. Atrium Health

November 28, 2018 – An unauthorized user retrieved the personal information of about 2.65 million Atrium Health patients in late September after gaining access to the systems of one of Atrium’s third-party vendors. The affected information includes dates of birth, names, insurance policy information, addresses, account balances, medical record numbers, invoice numbers, dates of service and also some Social Security numbers.

An Atrium spokesman said that approximately 700,000 of the records included Social Security numbers. However, according to forensic investigations, no information was removed or downloaded from the systems of AccuDoc, the third-party vendor. After the incident was discovered, AccuDoc terminated the unauthorized access, brought on a forensic firm and has worked to ensure its databases are secure.

Atrium Health may end up being only the first of several health systems affected by the breach to come forward. The accessed databases contained all the information provided to pay for services at Atrium Health and at the locations it manages. These include Scotland Physicians Network, New Hanover Regional Medical Center Physician Group, Blue Ridge Healthcare System, Columbus Regional Health Network, and St. Luke’s Physician Network.

The organizations are now contacting those individuals whose information was in the affected databases. The people whose Social Security numbers were involved have been offered free credit monitoring and identity protection services.

Source: MedCity News

4. Austal

November 1, 2018 – Australia-based defense shipbuilder Austal has been hit by a data breach and an extortion attempt. No national security information was stolen, but some staff email addresses and mobile phone numbers were accessed during the breach, Austal said. While the attacker tried to sell certain materials on the internet and engage in extortion, Austal did not respond to such threats.

The defense shipbuilder also said that its US operations were unaffected by the breach, as the computer systems in the US are not linked to the ones used in Australia. A small number of stakeholders who were directly affected have been informed.

“Austal Australia’s Information Systems & Technology (IS&T) team have restored the security and integrity of the company’s data systems and have implemented, and continues to implement, additional security measures to prevent further breaches,” the company said in a statement.

However, it did indicate that the hackers had accessed or stolen drawings and designs of its ships. “Ship design drawings which may be distributed to customers and fabrication sub-contractors or suppliers are neither sensitive nor classified,” it said.

Source: IT News

Dataguise understands the importance of data privacy and how frustrating data breaches can be for consumers and the businesses entrusted with their data. Although anyone can be a target, Dataguise DgSecure provides enterprise solutions for businesses small and large to combat these threats while ensuring all sensitive data across an organization is accounted for, protected, and compliant with industry and global data privacy laws. To learn more about Dataguise DgSecure, contact us for additional information.
