Business Continuity Incidents: Data Breaches

The leakage of sensitive information, although it may not actually disrupt operational activities, can quickly develop into a reputational and regulatory crisis. Business continuity plans, and particularly incident or crisis management plans, should therefore accommodate this. In this section of the incident log, we highlight some of the most significant data breaches that have occurred over the past years.
Data breach hits Australian Government department following phishing attack
Service NSW confirmed that the personal information of 186,000 customers was stolen in the attack
E-commerce firm suffers data breach
Hackers were able to upload a backdoor or Adminer on the Paytm Mall application website and gain unrestricted access to their entire databases
https://inc42.com/buzz/massive-data-breach-at-paytm-mall-claims-cyble-but-company-denies-it/
Payment systems & ecommerce firm hit by data breach & ransom demands
E-commerce payment system and financial technology company Paytm has reportedly suffered an extensive data breach following a hack targeting the company’s database. It is reported that the attackers are demanding a ransom in exchange for the data.
Popular stock image website Freepik suffers massive data breach
The stock image website Freepik has suffered a data breach. It is reported that the attacker used an SQL injection vulnerability to obtain users' email addresses and hashed passwords.
https://www.techradar.com/news/popular-stock-image-website-freepik-suffers-massive-data-breach
Credit reporting giant leaks personal details of millions
In an apparent social engineering "hack", Experian - the credit reporting agency - has suffered a major breach of customers’ personal information. The breach has affected an estimated 24 million South Africans and nearly 800,000 businesses. Experian revealed in a statement yesterday that an individual fraudulently claimed to represent a client and then requested “services” from the firm, prompting the release of the data.
https://www.infosecurity-magazine.com/news/experian-data-breach-24-million/
Cyber security specialist hit by data breach
Cybersecurity training firm SANS has confirmed a data breach resulting from a phishing attack that allowed an attacker to compromise an employee's email environment and steal data.
Pharmacy chain reports data breach affecting 72k customers
Walgreen Co., the second largest pharmacy chain in the United States, recently reported a breach that may have involved the protected health information (PHI) of more than 72,000 individuals
Exam monitoring service suffers data breach
Online exam proctoring solution ProctorU has confirmed a data breach after hackers released a stolen database of user records on a hacker forum
Chip maker, Intel suffers data breach including IP loss
The breach reportedly includes everything from Intel presentation templates to BIOS code and debugging tools, and would represent one of the biggest intellectual property leaks from a chipmaker in years
https://www.anandtech.com/show/15962/intel-data-breach-20gb-of-ip-leaked
Communications app vendor, Zello, hit with data breach
Push-to-talk app vendor, Zello, has disclosed a data breach that could have potentially allowed hackers to gain access to users’ email addresses and hashed passwords
https://securityboulevard.com/2020/08/users-advised-to-reset-passwords-after-zello-data-breach/
Interior design firm, Havenly, suffers data breach
The hacked database contained information such as account login names, the names of customers, hashed passwords, phone numbers, zip codes, email addresses and website usage data.
Data breach at cosmetics company affects 19 million individuals
The cosmetics firm issued a public statement saying: “Avon … after suffering the cyber incident... is planning to restart some of its affected systems in the impacted markets throughout the course of next week. Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data. Nevertheless, at this point it does not anticipate that credit card details were likely affected, as its main e-commerce website does not store that information.”
https://www.happi.com/contents/view_breaking-news/2020-08-02/data-breach-at-avon/
Data Breach at Crypto Wallet Firm Ledger Exposes Users' Personal Info
Major cryptocurrency hardware wallet provider Ledger has notified customers of a data breach which occurred in June and July 2020.
https://cointelegraph.com/news/data-breach-at-crypto-wallet-firm-ledger-exposes-users-personal-info
Kentucky unemployment system breached
Kentucky's unemployment system has undergone a further security breach, a state official has confirmed
Alcohol E-Commerce Giant Hit With Data Breach
“Date-of-birth, address, and email could be enough to get through security questions on other sites; that's often the intent of using data in a breach.”
Data breach affects 22 million users
Promo.com, a video creation platform for businesses and agencies, has confirmed a data breach after bad actors posted a database containing 22 million user records on a hacking forum.
Pharmacy Chain suffers patient data breach
Theft of physical information affected 21,289 individuals. The missing information included paper prescriptions, filled prescriptions that had been held in pharmacy waiting bins and vaccine consent forms. Information acquired included names, birth dates, addresses, medication names and prescriber information in addition to information about primary care providers.
Fund administrator hit by data breach / ransomware attack
The attack accessed the corporate systems of M.J. Brunner, a Pittsburgh- and Atlanta-based fund administrator service provider which supports SEI’s investment dashboard and online enrollment portal. Hackers took files from Brunner that contained user names and emails—and in some cases names, physical addresses and phone numbers.
Fintech company hit by data breach
US fintech giant, Dave, has suffered a breach of customers’ personal data via a third party supplier, after researchers found a database containing millions of records for sale online. LA-based Dave offers digital banking services, and in 2019 hit a valuation of $1bn after just two years in business.
https://www.infosecurity-magazine.com/news/us-bank-dave-admits-customer-data/
University subject of data breach
The University of York has disclosed a data breach caused by a cyberattack experienced by a third-party service provider.
College releases details of data breach
Rhode Island School of Design reported that data of the school has been breached. The data was held by a third party company.
On-line entertainment start-up suffers breach of user data
Online entertainment startup Wattpad has notified users that some of their data, such as email addresses, birth dates, IP addresses, and encrypted passwords, “may have been improperly accessed.”
DNA analysis site hit by data breach
The site allows users to upload their DNA profile data to trace their family tree and ancestors. A statement issued on Wednesday told users by email that it was hit by two security breaches on July 19 and July 20.
https://techcrunch.com/2020/07/22/gedmatch-investigating-dna-profile-law-enforcement/
Consumer Credit Fintech company hit by data breach
Overdraft protection and cash advance service Dave has suffered a data breach after a database containing 7.5 million user records was sold in an auction and then released later for free on hacker forums. Dave is a fintech company that allows users to link their bank accounts and receive cash advances for upcoming bills to avoid overdraft fees.
Social engineering used on Twitter employees to access high profile Twitter accounts
The firm said hackers “manipulated” some of its employees to access accounts in a high-profile attack, including those of Joe Biden and Elon Musk
Services organisation hit by data breach & ransomware
Exfiltrated data included workers' names, addresses, contact and social security numbers, dates of birth, employment benefits, and passport and immigration visa details, providing everything required for identity theft. Collabera, a recruitment and staffing business, employs more than 16,000 people globally.
https://www.theregister.com/2020/07/14/collabera_ransomware/
Auction market place suffers data breach
LiveAuctioneers, an online auction platform headquartered in the United States, has confirmed a security incident after a database containing 3.4 million user records was put up for sale on the dark web. It was subsequently reported that live passwords were also obtained during the incident.
Phishing attack results in data breach at healthcare insurer
Stolen data includes details of Religare and its agents, and sensitive information about the company’s clients, including their names, phone numbers, email IDs and dates of birth.
https://inc42.com/buzz/major-data-breach-at-religare-health-insurance-cyble-warns-of-phishing/
Energy company subject to ransom demand following data breach
Cyber criminals left a ransom note on EDP’s system asking for more than $10 million (1,580 Bitcoins) in return for a decryption key to restore over 10 TB of allegedly stolen data.
Gambling app exposes millions of users' information
Configuration errors expose the data of millions of users of gaming apps
Data leaks and privacy breaches discovered on 5 different dating apps
In all cases database misconfiguration facilitated the breaches
https://www.hackread.com/5-dating-apps-leak-millions-of-user-data/
500,000 BMW, Mercedes and Hyundai owners hit by massive data breach
Personal information of almost 400,000 UK-based BMW customers is reportedly being auctioned on an online black market, according to Tel Aviv-based darknet intelligence experts KELA.
Hackers at a group called KelvinSecurity Team have gained access to a BMW customer database and listed it for sale on an underground forum used by cybercriminals
https://www.tomsguide.com/news/bmw-call-centre-data-breach
Healthcare provider agrees to $2.8 million settlement following data breach
UnityPoint, a US-based healthcare provider, has agreed, following a two-year legal case, to a $2.8 million settlement for customers who may have been affected by its data breach. The settlement equates to $1000 per class member.
https://healthitsecurity.com/news/unitypoint-health-reaches-2.8m-settlement-over-2018-data-breach
Data breach exposes activities of police intelligence agency
The Maine Information and Analysis Center (MIAC), a unit of the Maine State Police already under intense scrutiny after allegations of surveillance abuses, has suffered a significant data breach.
350,000 Social Media Influencers and Users at Risk Following Data Breach
Personal data of an estimated 100,000 social media influencers has been accessed and partially leaked following a breach at social media marketing firm Preen.Me, Risk Based Security has discovered. The same breach has also led to more than 250,000 social media users having their information fully exposed.
https://www.infosecurity-magazine.com/news/data-breach-social-media/
10,000 People Join Lawsuit Against EasyJet for Massive Data Breach
EasyJet Plc faces a lawsuit over a data breach disclosed last month that potentially exposed private details of 9 million passengers
https://www.insurancejournal.com/news/international/2020/06/24/573306.htm
Hacker Sells Over 1.3 Million User Records of Popular Stalker Online MMO Game
Cyber thieves are offering for sale more than 1.3 million user records from the free-to-play Stalker Online MMO game on dark web marketplaces.
The data leak was discovered by the team overseeing the dark web-monitoring project
AMT healthcare data breach impacts nearly 50,000 patients
Healthcare provider American Medical Technologies (AMT) announced it has suffered a data breach affecting almost 50,000 patients
https://portswigger.net/daily-swig/amt-healthcare-data-breach-impacts-nearly-50-000-patients
Babylon Health hit by major data breach
Digital health provider Babylon Health acknowledged that its video appointment application, aimed at general practitioners, suffered a data breach.
Twitter apologises for business data breach
Twitter has emailed its business clients to tell them that personal information may have been compromised.
Unbeknownst to users, billing information of some clients was stored in the browser's cache, it said.
https://www.bbc.co.uk/news/technology-53150157
Australia hit by massive cyber attack, Chinese hackers suspected
A massive cyber attack hit the Australian Government and businesses last week. It is reported to be the handiwork of a nation-state-backed hacking group, and China is top of the suspect list.
‘BlueLeaks’ Exposes Files from Hundreds of Police Departments
Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals
https://krebsonsecurity.com/2020/06/blueleaks-exposes-files-from-hundreds-of-police-departments/
EasyJet Cyber Attack Likely the Work of Chinese Hackers
The recent high-profile cyber attack that struck British budget airline easyJet may have been carried out by Chinese hackers
Cyber-Attack Hits US Nuclear Missile Sub-Contractor
According to researchers, sensitive and confidential documents have been obtained from Westech International, a US military nuclear missile contractor, after a cyberattack. Experts believe the cyberattack was likely the work of threat group Maze, a well-known and sophisticated group.
https://www.oodaloop.com/briefs/2020/06/04/cyber-attack-hits-us-nuclear-missile-sub-contractor/
South African healthcare provider hit by cyber-attack
Life Healthcare, a South African healthcare provider, is investigating a cyber-attack that targeted some of the group’s IT systems. Life Healthcare said it immediately took systems offline as it sought to contain the incident. “The extent to which sensitive data has been compromised is yet to be ascertained, as we are still in the process of investigating,” the organization said.
https://portswigger.net/daily-swig/south-african-healthcare-provider-hit-by-cyber-attack
South Africa’s PostBank is Replacing 12 Million Bank Cards After Major Security Breach
South Africa’s Postbank has suffered a major data breach, forcing the financial institution to replace 12 million bankcards after rogue employees stole its 36-digit master key.
Macy's Pays $192,000 to Settle Data Breach Suit
US department store giant Macy's has agreed to pay almost $200,000 to settle a lawsuit brought over a data breach
https://www.infosecurity-magazine.com/news/macys-pays-192k-to-settle-data/
Californian Business Sued Over Data Breach
Online stationery and craft marketplace Minted Inc. has been sued in a class action under California’s new consumer privacy law.
Even when the breach is fixed, the issues do not go away, especially if there are legal and regulatory considerations.
University of Utah Health patient info was breached through ‘phishing schemes’
The University of Utah Health fell victim to a phishing scheme in which an outside party accessed patient information such as birthdates and clinical information through employee emails, the organization announced Friday
ST Engineering Aerospace's US subsidiary suffers massive data breach
Singapore-based ST Engineering Aerospace's United States subsidiary has suffered a massive ransomware attack, resulting in the exposure of confidential data such as contract details with various governments, government-related organisations and airlines.
IT Services Giant Conduent Suffers Ransomware Attack, Data Breach
Conduent, which says it provides services (including HR and payments infrastructure) for “a majority of Fortune 100 companies and over 500 governments”, was hit on Friday, May 29. “Conduent’s European operations experienced a service interruption on Friday, May 29, 2020. Our system identified ransomware, which was then addressed by our cybersecurity protocols.”
https://www.cbronline.com/cybersecurity/breaches/conduent-ransomware-maze/
Nintendo Confirms Additional 140,000 Accounts Compromised in April Data Breach
A major gaming company leaks personal information
Joomla Data Breach
Content management software supplier is hit by a data breach caused by weak configuration of its Amazon Web Services facilities.
https://www.informationsecuritybuzz.com/expert-comments/expert-insight-joomla-data-breach/
Aveanna Healthcare Faces Lawsuit Over Month-long Data Breach
Aveanna Healthcare is facing a class-action lawsuit filed by more than 100 patients impacted by a month-long data breach from 2019. Over 166,000 patients were affected by the security incident, which breach victims claim was caused by inadequate security
https://healthitsecurity.com/news/aveanna-healthcare-faces-lawsuit-over-monthlong-data-breach
Amtrak discloses data breach, potential leak of customer account data
The National Railroad Passenger Corporation (Amtrak) has disclosed a data breach that may have resulted in the compromise of customer personally identifiable information
Payment App Data Breach Exposes Millions of Indians' Data
A major data breach at mobile payment app Bharat Interface for Money (BHIM) has exposed the personal and financial data of millions of Indians.
https://securityaffairs.co/wordpress/104495/data-breach/beml-data-leak.html