Monthly Breach Report: January 2019 Edition
From cities to schools, here’s a short list of major data breaches that occurred in the final month of 2018.
Saint John, New Brunswick, Canada
Saint John, a Canadian city, is the latest victim of a data breach. As per the official statement, a third-party software product, Click2Gov, which allows residents to pay parking tickets through the Saint John website, was breached by hackers who compromised users’ sensitive information. The city administration said that it has suspended the payment site temporarily and contacted CentralSquare Technologies, the operator of Click2Gov, to investigate the incident.
The security officials at Saint John stated the breach could have affected a number of municipalities across North America, exposing around 6000 users’ personal information, including addresses and names, as well as credit card information. The people of Saint John have been advised to check their financial statements to look for any unauthorized activity.
The city recommends that citizens closely monitor their financial accounts and, if any unauthorized activity is discovered, promptly contact their financial institution. Anyone who believes they may have been a victim of identity theft must contact the police.
“The City of Saint John takes protection of our data systems very seriously and sincerely apologizes for the inconvenience this incident may have caused,” the public statement said.
BevMo
BevMo, a California-based retailer of alcoholic beverages, is notifying thousands of customers about a data breach that affected the online store and exposed credit card information used between August 2 and September 26.
A disclosure BevMo filed with the California Attorney General’s office on December 14 indicated that hackers were able to capture names, expiration dates, credit/debit card numbers, shipping addresses, security codes, billing addresses, and phone numbers. “We believe that an unauthorized individual was able to gain access to the BevMo website and install malicious code on our checkout page,” BevMo wrote in the disclosure. “BevMo takes the privacy of our customers’ personal information seriously and we deeply regret that this incident occurred.”
BevMo stated that the company is conducting its own independent investigation, and has contacted law enforcement and payment card companies. It’s also advising customers to keep an eye on their credit reports as well as payment card accounts.
Bruegger’s Bagels
US-based restaurant chain Bruegger’s Bagels recently disclosed a data breach that it identified on November 28, 2018, which exposed its customers’ data, including names, debit/credit card numbers, expiration dates, and card security codes. Bruegger’s stated that the information of customers who visited the restaurant between August 28, 2018, and December 03, 2018, may have been compromised. However, the company did not say how many customers may have been affected by the breach.
Bruegger’s approached cybersecurity company Mandiant to investigate the incident, and the investigation found unauthorized access to Bruegger’s point-of-sale systems that compromised the customers’ data. Bruegger’s said it was continuing to investigate the breach and was in contact with the FBI as well. The security professionals at Bruegger’s have also been advising customers to check their payment card information for any unusual transactions.
Tyler Ricks, president of Bruegger’s Bagels, said that the company is working to strengthen its network and payment systems to prevent any future attacks.
San Diego Unified School District (SDUSD)
California’s second-largest school district, the San Diego Unified School District (SDUSD), discovered in October 2018 that the PII of more than half a million students and staff had been compromised. This may have been the result of a phishing attack believed to have occurred in January 2018.
On December 21, the school district disclosed the attack on its website, with additional details on the linked “Data Safety” page, which stated that the impacted individuals were given notice via email by district staff, although it didn’t say when it happened. The data potentially at risk included student and parent/guardian names, Social Security numbers, dates of birth, home addresses and phone numbers, as well as select staff payroll and compensation information. It also included some members’ health benefits enrollment information, beneficiary identity information, dependent identity information, and savings or flexible spending account information.
However, the SDUSD has taken the necessary steps to eliminate the threat to the personal data and implemented improvements to prevent such attacks in the future. The district also said that police have identified “a subject of the investigation” and blocked all stolen credentials. Meanwhile, staff members whose accounts were compromised had the security of their accounts reset.