Monthly Breach Report: March 2019 Edition
If it seems like the phrases “data breach,” “compromised data,” and “data leak” are constantly in the news, it’s not just you. There’s no denying that the frequency of data breaches is rising at an alarming rate. According to a report by 4IQ, an identity intelligence company, 2018 witnessed a shocking 424 percent jump in confirmed data breaches compared to 2017. This proves that cyber hackers are becoming increasingly smart in their means of infiltrating companies’ networks and accessing sensitive data, despite businesses having certain security measures in place.
In fact, last month a handful of spectacularly bad security fails occurred at the hands of cybercriminals who took advantage of security issues with data storage, misconfigured security settings, and an overall absence of security solutions to protect data. Here are a few of the nastiest and most damaging data breaches of February.
State Bank of India (SBI)
In arguably the most talked-about breach of last month, India’s largest public sector lender, State Bank of India (SBI), became a victim of a data breach when it left a server with the banking information of its customers unprotected for an unknown period of time.
Reports stated that the unprotected server of the banking institution, housed in a Mumbai data center, was not protected by a password and included two months of data from SBI Quick, a missed-call banking service primarily designed for non-smartphone users to get basic information about their account with the bank. Apart from storing the most recently dispatched information, the server also retained daily archives of nearly a month. The bank has 740 million active accounts. A security researcher discovered the leak and said that the data server was open to unauthorized access.
According to cyber experts, this appalling controversy underlines the fact that banking institutions must regularly update their password management systems and follow the white-hat hacker approach to deal with data breaches.
Ironically, a couple of days ago, SBI had informed the Unique Identification Authority of India (UIDAI) that the biometrics and logins of their operations were misused to generate unauthorized Aadhaar cards.
500px
Online photo-sharing website 500px announced last month that it faced a security breach that compromised the personal information of about 14.8 million users. The Toronto-based entity announced in an official statement that while the hackers breached the site last year on July 5, the breach was only discovered by its engineering team on February 8 this year.
Although 500px concluded that the data hack affected certain sensitive information (such as first and last names of the users, username, email address, password, birth date, addresses, and gender details) provided by the users while filling out their profiles, it clarified that there has been no evidence of any misuse of the compromised data.
A press statement released by 500px stated, “If you are a 500px user on or prior to July 5, 2018, you have been affected.” As part of a precautionary drive, the Canadian photo-sharing community owned by Visual China Group is notifying all of its affected users and urging them to change their passwords immediately.
Also, it announced its collaboration with a third-party security firm to investigate this hacking incident and is expected to conclude a year-long process to upgrade its network infrastructure to avoid such mishaps in the future.
Houzz
Home improvement startup Houzz was marred by a data breach, which allowed third parties to gain access to a file comprising private account and publicly visible user information. The California-headquartered business, which has about 40 million members, caters to home design aficionados, homeowners and home improvement professionals. Houzz first learned about the data breach in December 2018 and has yet to find out if the file was accessed via an unsecured database, a rogue employee, or through a hacked system.
The $4 billion-valued home improvement business has claimed that not all customers were affected and hence emailed only those users who may have been affected, requesting them to reset their passwords. It also clearly mentioned that the unauthorized third party gained access to a file including user information (like user names, salted and hashed passwords, IP addresses and, for users who logged into Houzz using Facebook, their Facebook IDs), but Social Security numbers and payment-related information were not part of this data breach.
Keeping this incident in mind, cybersecurity experts stated that criminals use the stolen sensitive information they “harvested” from one breach to access other services or websites, and that Houzz should advise users to enable multi-factor authentication immediately to mitigate the effects of this data theft.
LandMark White (LMW)
Property valuation service provider LandMark White (LMW) was found to be exposing data of up to 100,000 customers through an unprotected online service. News reports suggest that the disclosed customer data relates directly to the valuations completed by the Australian property firm and includes customer names, contact details like phone numbers or email addresses, details related to the valued property, and banking data.
Data researchers and security analysts found files with LMW data on a Dark Web server and began indexing the information so that customers can be informed. On further investigation, it was revealed that the data was reportedly exposed from an internal file service at LMW, which may have been set up to facilitate information-sharing between agents and clients. Since the web service did not require authentication, it made the data vulnerable. Based on the present findings, it was concluded that the downloaded data is from the past five years and appears to have been replicated from the company’s website.
While independent experts in data breaches and cybersecurity have been brought on board by LMW to assist with this incident’s investigation, a number of the company’s clients (such as Westpac, Commonwealth Bank of Australia [CBA], and ANZ Bank) have decided to suspend LandMark White services until the situation has been resolved.
Coffee Meets Bagel
The users of Coffee Meets Bagel, a popular online dating app, were in for a rude shock this Valentine’s Day when they woke up to the unsettling news that their personal information had been compromised.
The company alerted users that it had been hit by a data breach, stating that it found out on February 11, 2019, that an unauthorized party had gained access to a partial list of user details. Although Coffee Meets Bagel didn’t divulge who was responsible for it or when it took place, it did inform users that the data hack was part of a larger breach impacting 620 million accounts that got leaked across sixteen companies.
The free dating app also informed its users that the account details from other popular apps like Dubsmash, MyFitnessPal, and more were also dumped on the dark web for less than $20,000 in bitcoin and advised users to avoid clicking on links or downloading attachments from suspicious emails.
Founded by three sisters Arum Kang, Dawoon Kang, and Soo Kang, the online dating service has resorted to measures to protect user data, including reviews of its infrastructure and systems by forensic security experts, audits of external systems and vendors, persistent monitoring of suspicious activity, collaborating with law enforcement authorities, and boosting its system to identify and prevent breaches in the future.
Rutland Regional Medical Center
While cyber-attacks have become a common thing for online businesses, even the healthcare industry wasn’t spared. Vermont’s largest community hospital, Rutland Regional Medical Center, became a victim of a data breach as hackers gained access to the email accounts of nine employees and potentially accessed the patients’ protected health information.
One of the Rutland Regional Medical Center’s employees found on December 21, 2018, that their email account had been misused to share large quantities of spam emails, and seven days later, the medical center’s IT department was informed about a potential security breach.
On December 31 last year, the IT department confirmed that an unauthorized individual had remotely accessed the employee’s email account and called in a third-party forensic expert to conduct an investigation. The expert stated that nine email accounts were compromised between November 2, 2018, and February 6, 2019.
The information in the compromised email accounts included patients’ full names, dates of birth, contact details, patient ID numbers, medical record numbers, financial information, diagnoses, treatment information, Social Security numbers, and health insurance data. It was confirmed by the hospital authorities that the breach was limited to email accounts and that the EMR system and other internal systems were not hit by the breach.
The Department of Health and Human Services’ Office for Civil Rights has already been informed about the breach. The Medical Center will be implementing additional safeguards to prevent further breaches of this nature in the future and will also send notification letters to patients whose PHI may have been accessed in this incident. Reports suggest that over 70,000 patients have been affected by the attack.
The Rutland Herald
University of Connecticut Health Center (UConn Health)
The University of Connecticut Health Center said in an official statement that an unauthorized third party illegally accessed a limited number of employee email accounts, potentially impacting approximately 326,000 individuals. The exposed information included some individuals’ names, dates of birth, addresses, and medical information like billing and appointment information.
Although this attack may emerge as the second largest health data breach reported so far this year, the academic medical center has clarified that this incident had not affected its computer networks or electronic medical record systems. The attack on the University of Washington Medicine was the largest health data breach revealed so far in 2019, resulting in a breach affecting 974,000 individuals.
Connecticut-based UConn Health is offering prepaid identity theft protection services to those 1,500 individuals whose Social Security numbers may be impacted. The organization has notified law enforcement officials and retained a forensics firm to investigate the incident.
Earlier in 2013, UConn Health informed over 1,550 patients that two former employees had accessed patient records inappropriately.