data breach that affected some of the fast food firm’s franchises in 2015 and 2016. Feb. 21. Business Continuity Institute and British Standards Institute release survey of more than 700 organizations in 79 countries finding that nearly nine out of 10 businesses (88 percent) worldwide are worried about the threat of cyberattacks. Feb. 21. Louisiana Department of Insurance says personal information of an estimated 8,000 former members of the failed Louisiana Health Cooperative is at risk after a data breach at the co-op’s reinsurance broker. Feb. 20. Accenture releases survey finding more than one in four (26 percent) Americans have had their personal medical information stolen from a technology system and that half of those victims suffered medical identity theft, which cost them, on average, $2,500 in out-of-pocket expenses. Feb. 20. Nursing home chain American Senior Communities in Indiana states W-2 tax information of more than 17,000 employees has been compromised in a phishing scam. Feb. 18. Family Services of Rochester (Minn.) says an investigation is underway of a data breach that has compromised the personal information of an unspecified number of clients. Feb. 17. Memorial Health Care systems, an operator of six hospitals in South Florida, agrees to pay U.S. Department of Health and Human Services $5.5 million to settle case involving the theft of patient information by two employees. Feb. 17. A survey of 250 IT pros by iSense Solutions for Bitdefender finds 34 percent of companies have suffered a data breach in the last year and of those companies breached, 74 percent don’t know how it happened. Feb. 16. New York Department of Financial Services releases “first in nation” cybersecurity regulations for the financial services industry. Feb. 16. The Philippines’ Commission on Elections confirms a laptop containing personal information, including biometrics, of 55 million voters was stolen from the election office of Wao, Lanao del Sur. Feb. 16. 
British Columbia Premier Christy Clark announces an investigation is underway into a data breach of the province’s PharmaNet system that compromised medical information of some 7,500 people. Feb. 16. Memorial Health Care System in Florida pays $5.5 million to settle potential violations of federal privacy and security rules after reporting the personal health information of 115,143 people was impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. Feb. 15. Yahoo warns its users that forged cookies were used to log into some of their accounts in 2015 or 2016 without the use of passwords. Feb. 15. U.S. Bureau of Indian Affairs says personal data of more than 20,000 members of two Montana American Indian tribes is at risk after an external hard drive was stolen from a law enforcement vehicle in Big Horn County. Feb. 15. Texas Department of Transportation confirms breach of an automated administration system which may have left some employee data altered and compromised. Feb. 15. Redspin releases annual data breach report revealing hacking attacks on healthcare providers increased 320 percent in 2016. Feb. 15. World Trademark Review reports that more than 100,000 websites have been hacked and defaced following the release of WordPress 4.7.2, which contained a fix for a critical vulnerability. Feb. 15. Charter Oak Fire Insurance Company and Travelers Property Casualty Co. of America ask federal court in Florida to reject claim by 21st Century Oncology that data breach losses are covered by publication of confidential information clause in existing insurance policy. Feb. 15. Horizon Healthcare Services of New Jersey agrees to pay state $1.1 million to settle case involving the theft of two laptops that allegedly compromised the personal information of 690,000 policyholders. Feb. 14. 
Verizon releases its 2017 data breach digest finding that the effects of breaches are spreading to even more parts of an enterprise and causing more problems outside of IT. Feb. 11. NBC News reports data breach at PIP, a printing chain with more than 400 outlets in 13 countries, has exposed thousands of sensitive documents from labor filings for NFL players to lawsuits against Hollywood studios. Feb. 10. Ercan Findikoglu is sentenced in a New York federal court to eight years in prison for conducting cyberattacks that netted him $55 million. Feb. 10. Bloomington Public Schools in Minnesota alerts several thousand employees their personal and financial information is at risk from a tax form phishing scam. Feb. 9. Arby’s alerts nearly 355,000 customers that their payment card information may have been compromised due to a malware infection of the point-of-sale system at some of its stores between October 25 and January 19. Feb. 9. Hacked-DB reports a hacker has leaked 1.3 million accounts stolen from staffing website eLance in 2009, as well as hundreds of thousands of Yahoo and Gmail accounts. Feb. 9. Mercer County School District in West Virginia is victimized by tax phishing scam that results in theft of personal and financial information of some 1,800 school employees. Feb. 8. Boeing reveals the personal information of some 36,000 employees is at risk after an employee sent a spreadsheet with the information to his spouse to resolve a formatting issue. Feb. 8. Brian Neff, who owns an online insurance company based in Texas, files putative class action lawsuit in a federal district court in California claiming fraudulent charges were made to his credit cards due to data breaches at Yahoo. Feb. 8. Russia’s Ministry of Internal Affairs announces it arrested in January nine suspected members of a cybercrime group known as Lurk alleged to have played a role in the theft of more than $17 million from the country’s banks. Feb. 7. 
GoCardless, a UK payment processing company, warns its customers that their personal data is at risk due to the theft of 19 laptops from its offices. Feb. 6. Federal Trade Commission announces Vizio, one of the world’s largest makers of “smart” televisions, agrees to pay $2.2 million to settle charges it installed software on its TVs to collect viewing data on 11 million consumer TVs without the knowledge or consent of their owners. Feb. 6. Marsh announces launch of Marsh CyberShield, a cyber risk and data breach insurance policy for mid- to large-sized organizations to cover up to $624 million in risk associated with cyber incidents and data breaches. Feb. 6. U.S. Appeals Court in West Virginia dismisses lawsuit arising from data breaches at the Bryan Dorn Veterans Affairs Medical Center in Columbia, S.C., saying plaintiffs “failed to show they were in any real and immediate danger of sustaining a direct injury as a result of some official conduct.” Feb. 6. Gdadebo Adebiyi pleads guilty to conspiracy to commit mail fraud for his role in a breach of the Bradley University data warehouse which resulted in the theft of $770,000. Feb. 3. Hacker dumps on the Internet a database of users of Freedom Hosting II, as well as the administrative credentials for accessing the thousands of “Dark Web” websites it services. Feb. 3. Michigan Unemployment Insurance Agency says personal information of up to 1.87 million workers in the state is at risk after a software error in its computer system exposed their data to third-party payroll vendors and employers unauthorized to access it. Feb. 3. Toys R Us advises all loyalty customers to change their passwords because of data breaches at the vendor that runs its Rewards R Us program. Feb. 2. InterContinental Hotels Group confirms credit card data breach between August and December 2016 at restaurants and bars at 12 of its hotels. Feb. 1. U.S. 
Department of Health and Human Services announces Children’s Medical Center of Dallas has agreed to pay $3.2 million civil money penalty for impermissible disclosure of unsecured electronic protected health information and non-compliance over many years with federal security standards. Feb. 1. Licking County, Ohio, announces more than 1,000 computers have been shut down by a ransomware attack. Jan. 31. Officials at Scotty’s Brewhouse in Indianapolis reveal W-2 forms of 4,000 employees were emailed to an unknown party posing as the CEO of the company. Jan. 31. Data breach notification site Have I Been Pwned reports that 1.8 million user credentials have been stolen from online forum of Polish game development studio CD Projekt RED. Jan. 31. Cisco releases security report that finds for more than a third of organizations that suffered a data breach in 2016, the cost of the breach exceeded 20 percent of revenues. Jan. 31. The Irish Sun reports that data breaches at two popular forums for PlayStation and Xbox have resulted in the exposure of 2.5 million accounts. Jan. 30. Baseball Commissioner Rob Manfred strips the St. Louis Cardinals of its top two draft picks and orders the team to pay the Houston Astros $2 million for hacking into the Astros email system and scouting database. Jan. 30. Belton (Texas) Independent School District officials discover W-2 forms of 1,700 current and former employees were emailed to an online scammer posing as the ISD’s superintendent. Jan. 29. Massachusetts releases online records showing sensitive information from nearly 3.4 million Bay State customer accounts has been inappropriately viewed, lost or stolen from businesses and state agencies since 2012. Jan. 29. The Romantik Seehotel Jägerwirt in Austria pays cyber extortionist $1,600 after ransomware attack disabled the hotel’s key lock, reservation and cash desk systems. Jan. 27. 
MacKeeper researchers say recordings of some 400,000 phone calls from at least one U.S.-based telemarketing firm have been exposed on the Internet due to a database misconfiguration error. Jan. 27. Singapore’s Personal Data Protection Commission fines PropNex Realty $10,000 after it accidentally exposed online the personal data of 1,765 people. Jan. 27. A data thief posing as the CEO of solar company Sunrun obtains W-2 forms of an unspecified number of employees in a phishing scam. Jan. 27. Lexington County School District 2 in Wisconsin reveals W-2 forms of employees who worked there between Jan. 1 and Dec. 31, 2016 were stolen in a phishing scam. Jan. 27. Superintendent Daniel Trevino announces personal information in the W-2 tax forms of some 950 employees of the Mercedes, Texas, school district is at risk after it was emailed to an unauthorized third-party in a phishing scam. Jan. 26. New York Attorney General Eric T. Schneiderman announces Acer Service Corporation has agreed to pay $115,000 in penalties and to shore up its data security after a data breach at its website exposed more than 35,000 credit card numbers. Jan. 26. UGI Utilities in Pennsylvania announces personal information of about 1,900 employees was acquired by perpetrators of an email phishing scam. Jan. 26. Website of LeakedSource, a for-profit breach notification service, disappears from Net amid reports it was raided by law enforcement. Jan. 26. Pew Research Center releases survey finding that 51 percent of American adults are “not at all confident” or “not too confident” in social media sites keeping their information safe and 49 percent feel the same way about the federal government. Jan. 26. Beazley, a provider of data breach response insurance, reports ransomware attacks in 2016 quadrupled over the previous year and will double again in 2017. Jan. 25. Risk Based Security reports that in 2016 there were 4,149 data breaches that exposed 4.2 billion records. Jan. 25. 
Rosen Law Firm announces filing of investors class action lawsuit against Yahoo stemming from data breaches that resulted in theft of information for one billion user accounts. Jan. 23. Wall Street Journal reports SEC is investigating whether two massive data breaches at Yahoo should have been reported sooner. Jan. 23. Reuters reports that bandits who stole data from 29,000 clients of XP Investments SA of Brazil demanded a $7.1 million ransom to keep the security breach secret. Jan. 20. Federal appellate court in Philadelphia finds class action lawsuit against Horizon Healthcare stemming from data breach may proceed even though only intangible injuries are claimed by the plaintiffs. Jan. 20. Ohio State Veterinary Medical Center in Dublin, Ohio, alerts 4,611 clients that their personal data is at risk due to data breach caused by malware infection. Jan. 20. Bowlmor AMF, the world’s largest bowling center operator, says it has had a possible data breach at 21 of its more than 300 domestic locations in 12 states. Jan. 20. CSO Online reports a misconfigured synchronization program at Canadian ISP KWIC Internet has exposed its customers’ personal information and more on the public Internet. Jan. 19. Identity Theft Resource Center and CyberScout report U.S. data breaches reached all time high in 2016 of 1,093, a 40 percent increase over the 780 in 2015. Jan. 19. Army announces its first bug bounty program received 400 bug reports, 118 of which were unique and actionable and earned their programmers $100,000 in rewards. Jan. 19. Ransomware attack on St. Louis Public Library disables 700 computers and prevents books and other materials from being checked out of the library. Jan. 18. Supercell, the developer of the mobile game Clash of Clans, warns users a vulnerability in its forum software has exposed their emails and encrypted passwords to hackers. According to the breach notification website LeakBase, some 1.1 million accounts are affected by the breach. Jan. 18. 
CoPilot Provider Support Services, a health care provider in Hyde Park, New York, announces personal information of some 220,000 people is at risk after one of its databases was accessed by an unauthorized third-party. Jan. 17. Australian Prime Minister Malcolm Turnbull orders his top cyber security adviser to prepare a report on claims that more than 3,000 government officials had private data stolen in the 2013 Yahoo data breach. Jan. 17. An analysis of 16,000 Android applications by cybersecurity firm Fallible reveals 2,500 of them had some type of secret credential hard-coded into them by developers, including access tokens and API keys for services like Twitter, Dropbox, Flickr, Instagram, Slack and Amazon Web Services. Jan. 17. Motherboard reports data traders are swapping details of more than one million user accounts belonging to Supercell, a maker of popular mobile games, such as Clash of Clans. Jan. 17. Sentara, a healthcare provider servicing Virginia and North Carolina, says personal information of 5,454 patients is at risk due to data breach at third party vendor. Jan. 17. Children’s Hospital of Los Angeles warns 3,600 patients their personal data is at risk due to theft of an unencrypted laptop in October. Jan. 13. Protenus reports fewer patient records were stolen in health care data breaches in 2016 (27.3 million) than 2015 (113 million) but there were more data breaches in 2016 (450) compared to 2015 (253). Jan. 13. The Delaware Department of Insurance announces the personal information of 19,000 members of Highmark Blue Cross Blue Shield of Delaware is at risk following a data breach at two of the health care provider’s subcontractors. Jan. 13. Three Pennsylvania Superior Court judges uphold lower court ruling that health care provider UPMC, which suffered a data breach in which personal information of 62,000 employees was stolen, is not under any obligation to keep its employees’ data safe. Jan. 13. Federal appeals court in St. 
Louis affirms lower court ruling capping liability at $500,000 for data breach at Schnuck Markets in 2013. Jan. 13. Margarita Serrano files class action lawsuit in a federal district court in California alleging Automotive Recovery Services exposed her personal information to hackers after she donated a car to charity. Jan. 12. Motherboard reports it has received from a hacker 900 gigabytes of data stolen from Cellebrite — an Israeli mobile hacking company that’s done work for U.S. federal and state law enforcement agencies as well as Russia, the United Arab Emirates and Turkey — including customer information, databases, and a vast amount of technical data regarding its products. Jan. 12. Federal court in Tennessee approves $1.9 million settlement of class action lawsuit against Mapco Express for data breach in 2013. Jan. 11. CSO Online reports that 68.5 percent of public-facing MongoDB databases or 32,820 installations have been infected by ransomware from multiple actors. Jan. 11. UK Information Commissioner’s Office fines Royal & Sun Alliance Insurance £150,000 for data breach resulting from theft of storage device containing information on nearly 60,000 customers. Jan. 11. Giulio Occhionero, 45, and Francesca Maria Occhionero, 49, are charged in a Roman court with hacking into the phones and computers of high-ranking government officials, business leaders and Freemasons in Italy. Jan. 10. Federal judge in Tennessee approves $1.9 million settlement in lawsuit against convenience store chain Mapco Express stemming from point of sale data breach in 2013. Jan. 9. Presence Health in Illinois agrees to pay $475,000 to settle case with U.S. Department of Health and Human Services over the untimely reporting of a breach of protected health information. Jan. 9. Owners of the Two Plus Two poker discussion forum confirm personal information about its members has been stolen and posted to the Internet for public access. Jan. 9. 
Sydney Morning Herald reports National Australia Bank mistakenly sent the bank account details of 60,000 customers to an email address controlled by Real Assets Limited, a domain name broker. Jan. 9. An investor files a lawsuit against the board of directors of Wendy’s claiming breach of fiduciary duties by mismanaging a data breach that resulted in the theft of customer data. Jan. 8. Online gambling site TwoPlusTwo tells some of its 400,000 customers to reset their passwords and take extra precautions trading or staking players because of data breach at the site. Jan. 7. Breach notification service LeakedSource announces it has obtained 1,503,707 customer records stolen in data breach in December from ESEA, one of the largest competitive video gaming communities on earth. Jan. 6. California Department of Insurance finds data breach that compromised 78.8 million consumer records at health insurer Anthem was performed on behalf of a foreign government. Jan. 6. Los Angeles Valley College pays $28,000 in bitcoin to hacker who locked out 1,800 staff and teachers from their computers with ransomware. Jan. 5. The Philippine National Privacy Commission recommends criminal charges be filed against Commission on Elections Chairman J. Andres D. Bautista for a data breach exposing online the personal data of 1.3 million overseas Filipino voters and the fingerprints of 15.8 million people. Jan. 5. Federal Trade Commission files complaint against D-Link for failing to take adequate measures to secure its routers and webcams which left them vulnerable to hackers and put consumer privacy at risk. Jan. 5. The University of Alberta in Canada warns more than 3,000 faculty, students and staff that their passwords are at risk due to malware infections on 300 computers at the institution. Jan. 4. 
Frederick County (Maryland) Board of Education refuses to send student information to state Education Department after suspected data breach at department exposed on the Internet personal information of 1,000 students from the county. Jan. 4. Andrew Minty, Jamie Leong, and Michelle Craddock plead guilty and are sentenced for conspiring to steal customer information from Enterprise Rent-A-Car in the UK and selling it for hundreds of thousands of pounds to accident claims companies who used it to make nuisance calls about personal injury claims. Jan. 3. U.S. Office of Management and Budget publishes new policies on how federal agencies should prepare for and address a breach of personally identifiable information. Jan. 3. The Massachusetts Office of Consumer Affairs and Business Regulation announces it is making reports of potential identity theft available to the public on its website and eliminating need to file a public records request to see them.

Stay tuned for the Q2 2017 edition of the Data Breach Report.

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.

The Data Breach Report provides a quarterly diary of noteworthy data breaches and cyber-attacks to CIOs, CSOs, CISOs, IT security teams, and the media.

Yahoo, Friend Finder, Dropbox suffer biggest attacks

Information on millions of people was exposed during the final calendar quarter of 2016. Among the big hacks during the period were the theft of information on more than one billion Yahoo accounts, the compromise of the Friend Finder network, which put at risk 412 million accounts and the posting to the Internet by a hacker of 68 million Dropbox accounts from a 2012 data breach. Cyber bank robbers were also busy during the frame. They compromised 3.2 million payment cards in India and stole $31 million from the central bank of Russia.

Dec. 29. FBI and U.S. 
Department of Homeland Security issue joint report detailing the tools and infrastructure used by Russian intelligence services to compromise and exploit networks and infrastructure associated with the recent U.S. election, as well as a range of U.S. government, political and private sector entities. Dec. 29. Nevada takes its marijuana portal offline after a data breach exposed confidential information on some 12,000 applications for cards used to obtain medical marijuana. Dec. 28. InterContinental Hotel Group, which operates more than 5,000 hotels worldwide, says it’s investigating reports of a possible data breach at a small number of its hotels located in the United States. Dec. 27. Three Chinese citizens charged by United States of engaging in conspiracies to commit insider trading, wire fraud and computer intrusion in an indictment filed in federal court in Manhattan. Dec. 24. The Daily Caller reports a Russian hacker breached The Russian Visa Center and exposed information on some 3,000 people seeking assistance in obtaining Russian visas. Dec. 14. Yahoo discloses data breach dating back to 2013 resulting in theft of information on more than one billion accounts. Dec. 2. Reuters reports hackers using a client’s credentials stole more than $31 million from the central bank of Russia. Dec. 1. MacKeeper Security Researcher Chris Vickery reports sensitive information of explosives handling company Allied-Horizontal is at risk after a Network-Attached Storage device was exposed to the public Internet. Dec. 1. International law enforcement authorities announce dismantling of Avalanche, a malware delivery and money mule recruiting platform that produced hundreds of millions of euros in revenues for its operators. Nov. 30. Camelot, the operator of the UK’s national lottery, announces some 26,500 player accounts are at risk after a data breach of its systems. Nov. 30. 
Europol reports sensitive data on terrorism investigations conducted from 2006 to 2008 is at risk after an employee brought the data home in violation of agency policy and stored it on a hard drive connected to the Internet without password protection. Nov. 29. Barrett Brown, a self-proclaimed spokesman for the hacktivist collaborative known as Anonymous, is released from federal prison five months before scheduled. Nov. 29. Idaho Fish & Game announces it is again selling licenses and posting hunter reports online. The service was knocked offline in August by a data breach. Nov. 29. Deutsche Telekom and German Office for Information Security announce system disruption over the weekend affecting some 900,000 customers was part of a failed global attempt by hackers to hijack routers and use them to disrupt Internet traffic. Nov. 28. The Japan Times reports a cyberattack by a state actor in September may have compromised Japan’s internal military network. Nov. 28. U.S. Navy warns more than 130,000 sailors their personal information is at risk after a contractor’s laptop is compromised. Nov. 19. Russian telecom watchdog Roskomnadzor discovers data breaches at 55 websites which contain personal information of children who have written to “Father Frost,” the Russian Santa Claus. Nov. 18. Michigan State University announces it will notify some 400,000 current and former students and staff of data breach that has compromised their personal information. Nov. 16. GulfNews reports personal records of more than 34 million residents of the Indian state of Kerala were posted to Facebook by a hacker disenchanted with the security of the state’s computer systems. Nov. 16. Protenus reports month-to-month decline in health care data breaches to 35 in October from 37 in September, although the number of patient records increased to 776,533 from 246,876. Nov. 16. 
Workers at Indian security firm AI Solutions discovered selling phone records of Australians from call centers of Optus, Telstra and Vodafone. Nov. 15. Seventeen-year-old boy pleads guilty in UK to data breach last year at telecommunications provider TalkTalk which resulted in unauthorized access to personal data of nearly 160,000 people. Nov. 14. Adobe agrees to pay $1 million to 15 states to settle case stemming from 2013 data breach at the company which resulted in unauthorized access to some 552,000 people. Nov. 14. Data breach at Friend Finder Network places at risk personal information in more than 412 million accounts. Nov. 3. New Zealand Nurses Organization announces “tens of thousands” of members’ contact details were emailed to someone posing as the chief executive of the organization. Nov. 2. Business Insider announces its website was compromised by OurMine, a group that hacks websites to expose security flaws. Nov. 2. U.S. District Judge Rosemary Collyer dismisses class action lawsuit stemming from 2015 data breach at the IRS in which the personal and financial information of 330,000 taxpayers and their family members was compromised by hackers who infiltrated the now defunct “Get Transcript” service, which allowed taxpayers to access their tax filings online. Oct. 31. Hacker group calling itself Shadow Brokers releases data dump of alleged computer servers around the world compromised by The Equation Group, which is believed to be linked to the NSA. Oct. 31. U.S. Office of Personnel Management announces it is changing credit monitoring and identity protection service providers and that some of the 25 million people affected by a data breach at the agency will have to re-enroll to continue coverage. Oct. 31. Attorney General of Washington reports that from July 2015 to July 2016 39 data breaches in the state affected some 450,000 people. Oct. 20. 
Weebly, a San Francisco-based website creation company, starts notifying more than 43 million customers their personal information is at risk due to data breach that occurred in February. Oct. 20. National Payments Corporation of India reports some 3.2 million payment cards have been compromised in massive ATM security breach. Oct. 19. Federal Reserve, FDIC and OCC issue notice of proposed rulemaking seeking comments on a set of enforceable cybersecurity standards for banks with more than $50 billion in assets. Oct. 18. Redbus, an Indian online travel ticketing platform, confirms data breach that may have compromised more than four million accounts. Company advises all its users to reset their passwords. Oct. 19. Czech police announce they have arrested Russian citizen in Prague wanted by the FBI in connection to 2012 data theft of 117 million passwords at LinkedIn. Oct. 17. Katy Independent School District in Texas warns 78,000 students and staff members their personal data is at risk due to a data breach. Oct. 7. U.S. government formally accuses Russia of a campaign of cyber attacks against Democratic Party organizations ahead of the Nov. 8 presidential election. Oct. 6. Central Ohio Urology Group reports to U.S. Department of Health and Human Services that 300,000 patients were affected by data breach in August, the eighth largest breach in the nation this year. Oct. 6. Montana Department of Justice reports 110,000 citizens of the state were victims of data breaches in the last 12 months. Oct. 6. American 1 Credit Union in Jackson, Mich., announced it will decline all purchases made at Wendy’s by its payment card holders because it doesn’t believe the fast food chain has removed all the malware that infected its point-of-sale systems in more than 1,000 locations in 2015. Oct. 5. The BBC reports Fancy Bears, the hackers who published online medical records stolen from the World Anti-Doping Agency, may have doctored some of the data in those records. Oct. 5. 
UK Information Commissioner’s Office orders TalkTalk to pay fine of £400,000 in connection to 2015 data breach that affected 150,000 customers. Oct. 5. The New York Times reports the FBI has arrested Harold T. Martin, a former employee of NSA contractor Booz Allen Hamilton, and is investigating whether he stole and disclosed classified security code developed by the agency to compromise the networks of foreign governments. Oct. 4. Personal data of more than 1.5 million users of websites run by C&Z Tech Limited, which include HaveAFling.mobi, HaveAnAffair.mobi and HookUpDating.mobi, is at risk after a database for the sites was found exposed to the Internet without a password. Oct. 4. Thomas White, aka The Cthulhu, posts to his website as a free download information from more than 68 million Dropbox accounts stolen in a 2012 data breach of the service. Oct. 4. The Sunday Express reports that Amazon has alerted some of its customers that their passwords have been reset after it discovered their Amazon email address and password corresponded to a login list posted online. Oct. 4. Reuters reports that last year Yahoo built a custom program to search all its customers’ incoming emails for information provided to it by U.S. intelligence officials. Yahoo later denied the claims in the report. Oct. 3. U.S. District Court Judge Andrea R. Wood dismisses class action lawsuit against Barnes & Noble related to a compromise of its point-of-sale systems in 2012. She found that plaintiffs failed to show they had suffered any actual damages because of the data breach. Oct. 3. U.S. Surgeon General warns 6,600 medical professionals in his “commissioned corps” that their personal information is at risk by a breach of the agency’s personnel system.

Stay tuned for the Q1 2017 edition of the Data Breach Report.

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
such coverage as a separate policy. Oct. 25. Appelby, a Bermuda-based law firm that caters to the super rich, announces it suffered a data breach in 2016 and that it’s being contacted about it by the International Consortium of Investigative Journalists. Oct. 25. Rasmussen Reports survey of 1,000 American adults reveals 41 percent of them have been victims of payment card information theft. Oct. 25. F-Secure releases analysis of email addresses of more than 200 CEOs from top businesses in 10 countries finding 30 percent of the executives had their passwords leaked when a service they subscribe to suffered a data breach. Oct. 24. 
Specialty insurer Beazley reports rapid rise in data breaches of its clients caused by social engineering attacks. It says during first three months of 2017, social engineering data breaches increased nine percent, compared to one percent for the same period in 2016. Oct. 23. Hacker group that calls itself The Dark Overlord breaches systems at London Bridge Plastic Surgery in the UK and steals an undisclosed amount of data. Clinic is known for its celebrity clients, including some members of Britain’s royal family. Oct. 23. Georgia Revenue commissioner Lynne Riley says state has blocked $108 million in fraudulent tax returns in 2017, compared to $19 million in 2015. Oct. 23. Coinhive, a cryptocurrency mining software provider, acknowledges a compromised password led to the hijacking of its mining scripts, which allowed thieves to redirect funds intended for Coinhive into a virtual wallet controlled by the attackers. Oct. 23. COL Financial, a major online Philippines brokerage firm, warns clients it has discovered a possible data breach of its systems. It says client account balances, stock positions and account transactions were not affected by the incident, but recommends passwords be changed. Oct. 20. Federal court in Manhattan sentences Yuri Lebedev, a Florida software engineer, to 16 months in prison for role in data breach at JPMorgan Chase & Co. in 2014 that exposed information on more than 83 million accounts. Oct. 20. Kromtech reports Tarte Cosmetics has secured two databases containing information on nearly two million online customers after a misconfiguration error exposed the data to the public Internet for more than 10 years. Oct. 19. Verisk Analytics estimates losses to Merck & Co. due to “NotPetya” data breach in June could cost insurers $275 million. Oct. 19. Class action lawsuit filed against home respiratory care and medical equipment provider Lincare Holdings of Clearwater, Fla.
by employees who allege they were harmed by data breach that exposed their tax information to online thieves. Oct. 17. IRS Commissioner John Koskinen says his agency doesn’t expect the Equifax data breach to have a major impact on 2018 tax filings since 100 million Americans had already had their personal identifying information stolen by digital thieves prior to the breach. Oct. 17. Reuters reports Microsoft’s database for tracking bugs in its software was breached by hackers in 2013 and the company never revealed the intrusion to its customers or the public. The defects were eventually corrected, but in the interim, the threat actors could have used the bug data to attack any computer using Microsoft software. Oct. 17. Troy Hunt, founder of the data breach information search site Have I Been Pwned, announces he’s found a database containing unique personal information of more than 30 million South Africans. He says the data breach that exposed the information took place around March 2017, although some data dates back to the 1990s. Oct. 16. Pizza Hut informs some 60,000 customers who placed orders with the company’s mobile app or at its website that their payment card information has been stolen by a hacker. Oct. 16. Beazley, a specialist insurer, reports that during the first nine months of 2017, unintended disclosure accounted for 41 percent of data breach incidents reported to the company by health care organizations. That’s more than twice the second most frequent cause for data loss, hacking or malware (19 percent). Oct. 13. We Heart It, a teen-oriented website, reveals eight million accounts may have been affected by a data breach that took place in 2013. It advises users who have not changed their passwords since 2013 to do so now. Oct. 12. Equifax takes down one of its web pages after discovering it contained malicious code from a third-party vendor.
The code on the company’s credit report assistance page uses an Adobe Flash document to infect a computer with malware. Oct. 12. IRS temporarily suspends $7.2 million contract it awarded Equifax to verify taxpayers’ identities and help combat fraud. Suspension comes about a month after a data breach at Equifax compromised confidential information of 145.5 million Americans. Oct. 12. Hyatt Hotels acknowledges it’s discovered unauthorized access to customer payment card information at 41 properties worldwide, including 18 in China, between March 18, 2017 and July 2, 2017. In 2015, a similar incident affected 250 of the chain’s hotels in 50 countries. Oct. 11. Washington Attorney General Bob Ferguson releases second annual data breach report for the state. It finds that three million state residents were affected by data breaches between July 2016 and July 2017. That’s six times more residents affected than in the previous 12-month period. Oct. 11. ZDNet reports Victory Phones, an automated phone research and data compilation firm in Grand Rapids, Mich. was hacked and several databases stolen. It says theft exposes data on hundreds of thousands of Americans who submitted donations to political campaigns. Oct. 10. Kromtech Security reports an Amazon S3 repository belonging to Patient Home Monitoring exposed to the public Internet blood test results of an estimated 150,000 people. PHM offers a variety of monitoring services to manage respiratory diseases and sleep apnea, as well as blood testing for patients on anticoagulants. Oct. 10. Motherboard reports a bug on a T-Mobile website has put at risk sensitive information about 76 million of the company’s customers. Oct. 9. First class action lawsuit arising from a data breach begins in London’s High Court. The litigation was brought by 5,500 employees of UK supermarket giant Morrisons whose former auditor exposed personal information of nearly 100,000 employees online over a “personal grievance” with the company. Oct. 9. 
Domino’s Australia says it’s investigating a potential data leak at a former supplier after some of its customers began receiving spam that contained information about where they bought their pizza. Oct. 6. US Office of the Inspector General reports Federal Deposit Insurance Corp., which is responsible for insuring the nation’s banks, suffered more than 50 data breaches in 2015 and 2016. The OIG also notes the average time the FDIC took to notify people affected by the hacks was 288 days. Oct. 6. Disqus, the Internet’s largest provider of hosted commenting systems, announces one of its databases from 2012, which included information dating back to 2007, was exposed in a data breach. It says 17.5 million users may be affected by the attack. Oct. 6. Forrester Research reveals intruders using stolen credentials accessed some confidential reports intended for clients but did not access any client data. Oct. 6. Cabrillo College in Aptos, Calif. notifies 40,000 students their personal information may have been exposed in a breach of the school’s computer systems. College says Social Security numbers of 12,000 students and personal information of 28,000 others may have been compromised. Oct. 4. Fast food chain Sonic reveals malware attack on some of its outlets may have exposed their customers’ payment card information to hackers. Oct. 4. Catholic United Financial, a financial services company servicing Catholic Church members in the upper US Midwest, informs 127,310 current and former members of a data breach. It says hacker accessed first and last names, mailing addresses, dates of birth, email addresses, insurance policy information and Social Security numbers of members. Oct. 3. Equifax CEO Richard Smith, appearing before a congressional committee examining a data breach at his company, blames a single IT person failing to patch an Apache flaw that led to the exposure of sensitive personal information of 145.5 million Americans. Oct. 3.
Verizon Communications reveals all three billion Yahoo user accounts were affected by data breach in 2013. Verizon purchased Yahoo for $4.48 billion in June. Oct. 3. Federal investigators warn Atlanta public school system that confidential data on the system’s 6,000 employees may have been compromised in data breach. Oct. 2. Information security research firm Kromtech reports a misconfigured Elasticsearch database has exposed to the public Internet private information of more than 1,100 NFL players and agents. Oct. 2. Equifax reveals an additional 2.5 million Americans were affected by a data breach at the company in July. New tally brings the total number of people affected by the breach to 145.5 million. Oct. 1. Vermont Attorney General T.J. Donovan announces SAManage USA will pay $264,000 fine for exposing online Social Security numbers of 660 Vermont Health Connect users.

Stay tuned for the Q2 2018 edition of the Data Breach Report.

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.

BreachDiary.com — sponsored by ThreatBook — provides a quarterly diary of noteworthy data breaches and cyber-attacks to CIOs, CSOs, CISOs, IT security teams, and the media.

Massive data breaches dominate the news in third quarter of 2017

Massive data breaches at credit reporting agency Equifax and subscription television service HBO dominated data breach news during this year’s third quarter. Sensitive information for more than 140 million Americans was compromised by the Equifax data breach, which set off a cascade of resignations, lawsuits and investigations. CEO of the company, Richard Smith, resigned, as did Chief Information Officer David Webb and Chief Security Officer Susan Mauldin. Nearly a dozen lawsuits were filed in the federal and state courts, as well as in a Canadian court where consumers are seeking $450 billion in damages.
Meanwhile, the Federal Trade Commission announced it is probing the breach. In addition, 40 states have banded together to investigate the incident. Equifax, too, is looking into the breach, as well as $1.8 million in stock sales made by senior executives just weeks before the event was made public. At HBO, hackers calling themselves Mr. Smith pilfered 1.5 terabytes of data from HBO and dribbled it on the Internet during August. They started with unaired episodes of Ballers and Room 104, as well as written material for an episode of Game of Thrones. They then moved on to dropping four unaired episodes of GoT and prior to that show’s season finale, released a detailed outline of that installment. Some arrests were made in connection with the data theft in India. Police there collared three employees and one former employee of Prime Focus Technology which stores and processes GoT for the Indian streaming website Hotstar. Past massive data breaches also made headlines during the period. An arrest was made in connection with the June 2015 data breach at the U.S. Office of Personnel Management in which sensitive data for more than 21 million people was stolen. Yu Pingan, a Chinese national, was arrested in Los Angeles and later charged with having a hand in the malware that was used for the breach. Meanwhile, the OPM got off the hook for any legal ramifications from the incident when a federal district court judge in D.C. dismissed two lawsuits filed against the agency over the breach. An arrest was also made in connection to the huge data breach at Yahoo which affected more than a billion user accounts. Karim Baratov, 22, pleaded not guilty in a San Francisco federal court to charges he participated in the Yahoo hack. Yahoo wasn’t as lucky as the OPM in avoiding litigation, though. A federal district court in California ruled that a class action lawsuit could proceed against the company.
According to the Identity Theft Resource Center, there were 791 data breaches during the first six months of the year, a 29 percent jump over the same period in 2016. Breaches continued to climb in the second half of the year. Many of those breaches involved household names. For example, Dow Jones & Company, Time Warner, Viacom, Verizon and World Wrestling Entertainment all put customer data at risk by misconfiguring cloud servers. Wells Fargo placed information about its wealthiest customers at risk when it accidentally sent the data to opposing attorneys in a lawsuit involving the bank. Customer credit card information at Whole Foods and Sonic was compromised by point-of-sale attacks. Instagram’s security, too, was compromised due to a software bug. Meanwhile, Hard Rock Hotels & Casinos discovered payment card information over an eight-month period was compromised by a breach at a third-party reservation system. Some significant penalties and settlements were also announced during the period. SAManage USA paid a $264,000 fine for exposing the data of Vermont Health Connect users, and TalkTalk, a U.K. IT services provider, paid a £100,000 fine for a breach affecting 21,000 customers. Meanwhile, Ruby Corp. settled a lawsuit against Ashley Madison for $11.2 million, Nationwide Insurance paid $5.5 million to put to rest a case arising from a 2012 data breach that exposed the personal information of 1.27 million customers and healthcare insurer Anthem received preliminary approval of a $115 million settlement of litigation arising from a 2015 breach that allowed intruders to access personal identifying information of 80 million people. Sep. 29. Equifax tells U.S. House of Representatives it is investigating sale of stock by senior executives weeks before a massive data breach at the company was made public. Executives made $1.8 million off the stock sale. Sensitive information on some 143 million Americans was compromised in the breach. Sep. 29.
Crystal Bray and Samuel Cook file putative class action lawsuit against GameStop over six-month data breach that compromised payment cards of its customers. Plaintiffs allege the company’s cavalier approach to data security led to the breach. Sep. 29. Vermont Attorney General T. J. Donovan announces SAManage USA, which provides support services for Vermont Health Connect, will pay a $264,000 fine for a data breach affecting 660 VHC users. Sep. 28. Whole Foods, a grocery chain recently acquired by Amazon, reveals a data breach compromised credit card information at taprooms and restaurants at some of its stores. It adds that payment cards used at its grocery stores were not affected by the breach. Sep. 28. Chicago files lawsuit in state court against Equifax in connection with data breach at company. City alleges Equifax violated the city’s consumer fraud ordinance and state laws regarding information privacy, consumer fraud and deceptive practices. Sep. 27. San Francisco files lawsuit in California state court seeking tens of millions of dollars in civil penalties against Equifax in connection with data breach at company. Sep. 26. Krebs on Security reports data breach at Sonic Drive-In may have compromised some five million payment card accounts. Sonic is a fast-food chain with 3,600 locations in 45 states. Sep. 26. Richard Smith resigns as CEO of Equifax. During Smith’s tenure at the company, it experienced a data breach in which sensitive information on 143 million Americans was compromised. Sep. 22. Law firms Robbins Geller and Hagens Berman announce they’ve filed proposed class-action lawsuit on behalf of people in 43 states in federal district court in Atlanta against Equifax in connection with data breach at company. Sep. 21. Webroot reports an average of 1.4 million phishing sites are created every month. Phishing is a prime method for creating data breaches. Sep. 21.
Kromtech discovers data repository of vehicle device and monitoring company SVR exposed on the Internet due to a configuration error in an Amazon Web Services S3 bucket. Data included information on SVR’s customers and re-seller network, as well as on tracking devices on vehicles. Sep. 19. U.S. District Court in Washington, D.C. dismisses two lawsuits filed against the Office of Personnel Management over June 2015 data breach in which sensitive data on more than 21 million people was stolen. Sep. 19. Upguard, a cybersecurity firm, reports about a gigabyte of credentials and configuration files belonging to entertainment giant Viacom were exposed on the Internet via an unsecured server. Sep. 15. Equifax announces resignations of Chief Information Officer David Webb and Chief Security Officer Susan Mauldin. Resignations follow data breach that affected 143 million U.S. customers. Sep. 15. U.S. Rep. Jim Himes, D-Conn., files bill to protect consumers affected by data breach at a credit reporting agency. Measure allows consumers to ask for a security freeze on their information free of charge following a breach. Sep. 14. Scott Meyers, Judey Meyers and Karl Gordon Eikost file a proposed class-action lawsuit in a Chicago federal court against Equifax in connection with data breach at company. Sep. 12. Jennifer Mertlich and others file proposed class-action lawsuit in a Seattle federal court against Equifax in connection with data breach at company. Sep. 14. Federal Trade Commission announces investigation of data breach at Equifax. Sep. 13. Reuters reports nearly 40 states have joined an investigation into data breach at Equifax. Sep. 12. Canadian consumers seek $450 billion in class-action lawsuit filed in Toronto against Equifax in connection with data breach at company. Sep. 11. Five citizens of Utah file proposed class-action lawsuit in Salt Lake City federal court against Equifax. Citizens are seeking $5 billion in damages. Sep. 9. Brian F. 
Spector of Florida and James McGonnigal of Maryland file proposed class-action lawsuit in an Atlanta federal court against Equifax. Sep. 8. ZDNet reports Alexander Filinov and Konstantin Teplyakov, two members of the Humpty Dumpty hacker gang, have been sentenced by a Moscow court to three years in a penal colony for compromising computers, smartphones and tablets of Russian citizens and stealing data from them. It adds that accounts of high ranking Kremlin officials were also hacked by the group, including the Twitter account of Prime Minister Dmitry Medvedev. Sep. 7. Credit reporting agency Equifax reveals data breach of its systems placing at risk sensitive information of 143 million American consumers. Sep. 7. Roman Seleznev, 33, pleads guilty in federal courts in Nevada and Georgia to his role in a cyber theft ring that allegedly stole $50 million using credit card numbers stolen from online sources. Seleznev is the son of Valery Seleznev, a member of Russia’s lower house of parliament who has been critical of U.S. policies. Sep. 5. Times of London reports data breaches at British universities have doubled in the last two years to 1,152. It notes cyber gangs behind the attacks seek information that they can sell to nation-states. Sep. 4. Hacker News reports massive data breach at Taringa, known as the Reddit of Latin America. Breach compromised login details of 28 million users. HN says LeakBase, a breach notification service, has obtained a copy of the stolen data. Sep. 4. Upguard, a security research firm, reports third-party contractor for private military contractor TigerSwan accidentally exposed on the Internet resume files of 9,402 people. Data includes job histories of U.S. military veterans, mercenaries and Iraqi and Afghan nationals who worked in their countries with U.S. forces and government institutions. Sep. 1.
Kromtech reports four million records containing personal information of Time Warner customers were stored without a password on an Amazon server. More than 600 GB of data was exposed, which included usernames, email addresses, MAC addresses, device serial numbers and financial transaction information. Sep. 1. Crown Records Management releases survey finding that in the U.K. pharmaceutical industry 23 percent of IT decision makers chose not to report a data breach to management or appropriate authorities; 23 percent know someone who hasn’t reported a breach; and 15 percent don’t know to whom to report a breach. Sep. 1. U.K. Information Commissioner’s Office fines Nottinghamshire County Council £70,000 for exposing to the public Internet personal data of elderly and disabled people in an online directory. Sep. 1. AXA insurance notifies 5,400 customers some of their personal data is at risk after a data breach at its online health portal. It says email addresses, birth dates and mobile numbers were exposed in the breach. Aug. 31. U.S. District Court Judge Lucy Koh rules class action lawsuit may proceed against Yahoo over three data breaches from 2013 to 2015 which affected more than a billion user accounts. Aug. 30. CeX, a technology and video game retailer, says personal details of up to two million customers may have been compromised in a “sophisticated breach.” Aug. 30. Instagram, a Facebook company, announces hackers exploited a bug in its software that allowed them to access the accounts of an unspecified number of “high profile” users. The company says email addresses and phone numbers may have been obtained by the data thieves but not the passwords for the accounts. Aug. 30. U.S. Food and Drug Administration issues recall of 465,000 St. Jude pacemakers so their firmware can be patched to prevent unauthorized tampering with the devices. Aug. 30.
Mid-Michigan Physicians Imaging Center notifies more than 106,000 patients that their personal health information is at risk due to a data breach at a third-party service provider, McLaren Medical Group. Aug. 30. Silver Cross Hospital in Lenox, Ill. reveals data breach at third-party service provider has exposed health information for up to 9,000 patients. Aug. 30. U.S. Appeals Court in St. Louis upholds most of lower court ruling dismissing lawsuit stemming from two 2014 data breaches at SuperValu, a supermarket wholesaler and retailer based in Minnesota. However, the court reinstated the case of one of the plaintiffs who demonstrated his credit card was misused because of the data breach. Aug. 29. Security researcher with the handle Benkow discovers server in the Netherlands containing information on 711 million email accounts for the Onliner spambot. Onliner is used to deliver banking malware and is responsible for more than 100,000 infections around the world, according to Benkow. Aug. 28. Legal Action Center files lawsuit against Aetna accusing the insurer of breaching the privacy rights of 12,000 customers in 23 states by allowing the words “filling prescriptions for HIV” to be seen in window envelopes sent to the clients. Lawsuit seeks unspecified damages, a change in Aetna’s mailing practices and legal fees and costs. Aug. 28. Major League Lacrosse sends email to its players informing them a link on the player registration web page directed browsers to a spreadsheet containing social security numbers, email addresses, phone numbers and mailing addresses of everyone in the league’s player pool. Aug. 26. Hackers known as Mr. Smith, who claim to have stolen 1.5 terabytes of data from HBO, post on Reddit a detailed outline of the much anticipated season finale of the HBO series Game of Thrones. Aug. 25. U.S. 
District Court Judge Lucy Koh gives preliminary approval of $115 million settlement of litigation against healthcare insurer Anthem over massive data breach in 2015 when intruders accessed personal identifying information and other data on some 80 million people. Aug. 25. Taiwan’s