2017 Data Breaches – The Worst So Far
In 2016, reported data breaches increased by 40%. Yahoo also announced the largest data breach in history last year, affecting more than one billion accounts. What will 2017 hold? We’re hoping for the best, but you may just see 2017 data breaches get even more messy and serious.
Note: This post will be continuously updated with new information as additional 2017 data breaches are reported.
E-Sports Entertainment Association (ESEA)
January 8, 2017: On December 30, 2016, ESEA, one of the largest video gaming communities, issued a warning to players after discovering a breach. At the time, it wasn’t known what was stolen and how many people were affected. However, in January, LeakedSource revealed that 1,503,707 ESEA records had been added to its database and that leaked records included a great deal of private information: registration date, city, state, last login, username, first and last name, bcrypt hash, email address, date of birth, zip code, phone number, website URL, Steam ID, Xbox ID, and PSN ID.
Xbox 360 ISO and PSP ISO
February 1, 2017: Security expert Troy Hunt, of the website Have I Been Pwned?, revealed that Xbox 360 ISO and PSP ISO had been hacked in September 2015. The websites, both forums which host illegal video game download files, housed sensitive user information that was taken. 1.2 million Xbox 360 ISO users and 1.3 million PSP ISO users were affected and may have had their e-mail addresses, IP addresses, usernames, and passwords stolen in the breach. At this time, it’s not clear who is responsible, but forum users were encouraged to change their passwords immediately.
InterContinental Hotels Group (IHG)
February 7, 2017: IHG, the company that owns popular hotel chains like Crowne Plaza, Holiday Inn, Candlewood Suites, and Kimpton Hotels, announced a data breach that affected 12 of its properties. Malware was found on servers which processed payments made at on-site restaurants and bars; travelers that used cards at the front desk did not have information taken. The malware was active from August 2016 to December 2016 and stolen data includes cardholder names, card numbers, expiration dates, and internal verification codes. Some targeted locations include Sevens Bar & Grill at Crowne Plaza San Jose-Silicon Valley, the Bristol Bar & Grille at the Holiday Inn in San Francisco’s Fisherman’s Wharf, InterContinental San Francisco, Aruba’s Holiday Inn Resort, and InterContinental Los Angeles Century City.
February 17, 2017: The national fast food chain acknowledged a data breach after being pressed by the website KrebsOnSecurity. The company admitted that they had been notified in mid-January about a possible breach in select restaurants, but the FBI asked them not to go public yet. Malware was placed on payment systems inside certain Arby’s corporate stores, which make up about one-third of all Arby’s in the nation. There are about 1,000 corporate Arby’s restaurants, and while not all were affected, it’s not clear yet how many were. The company says that the malware has been removed, but the scope of the breach is not yet known. Arby’s did not say when the breach occurred, but one credit union believes it may have been between October 25, 2016 and January 19, 2017.
River City Media
March 6, 2017: A group of spammers, operating under the name River City Media, unknowingly released their private data into cyberspace after failing to properly configure their backups. The leak known as Spammergate included Hipchat logs, domain registration records, accounting details, infrastructure planning, production notes, scripts, business affiliations, and more. The biggest discovery, however, was a database of 1.4 billion email accounts, IP addresses, full names, and some physical addresses. Thankfully, the “good guys” found the information—in this situation, it was Chris Vickery, a security researcher for MacKeeper—and reported everything to the proper authorities.
At this time, it’s unclear what’s going to happen to River City Media. While law enforcement is involved, groups like River City Media often have all sorts of aliases and affiliate programs—no one can be sure they will all be wiped out.
March 7, 2017: KrebsOnSecurity revealed that Verifone, the largest maker of point-of-sale credit card terminals used in the U.S., discovered a breach of its internal network in January 2017. When asked, Verifone said the breach didn’t affect its payment services network and was only within the corporate network. The company claims they responded to the breach immediately and “the potential for misuse of information is limited.” Sources say there’s evidence that a Russian hacking group is responsible for the breach, and that the intruders may have been inside Verifone’s network since mid-2016, but nothing has been confirmed.
Dun & Bradstreet
March 15, 2017: Dun & Bradstreet, a huge business services company, found its marketing database with over 33 million corporate contacts shared across the web in March 2017. The firm claims its systems were not breached, but that it has sold the 52GB database to thousands of companies across the country; it’s unclear which of those businesses suffered the breach that exposed the records. Millions of employees from organizations like the U.S. Department of Defense, the U.S. Postal Service, AT&T, Wal-Mart, and CVS Health had information leaked, and the database may have included full names, work email addresses, phone numbers, and other business-related data.
Saks Fifth Avenue
March 19, 2017: BuzzFeed broke the news that customer information was available in plain text via a specific link on the Saks Fifth Avenue website. The information for tens of thousands of customers was visible on a page where customers could join a wait list for products they were interested in. While payment details were not exposed, it was possible to see email addresses, phone numbers, product codes, and IP addresses. When BuzzFeed contacted Hudson Bay Company, the Canada-based organization that owns Saks Fifth Avenue, the pages containing customer information were taken down. At this time, it’s not clear how this happened, how customers may have been affected, and who was responsible.
UNC Health Care
March 20, 2017: 1,300 letters were sent to prenatal patients who had received care in the University of North Carolina Health Care System about a potential data breach they may have been affected by. UNC Health Care revealed that women who had completed pregnancy home risk screening forms at prenatal appointments between 2014 and 2017 at the Women’s Clinic at N.C. Women’s Hospital and UNC Maternal-Fetal Medicine at Rex may have mistakenly had their personal information transmitted to local county health departments. Breached information included full names, addresses, races, ethnicities, Social Security numbers, and a variety of health-related information. The county health departments are subject to federal and state privacy laws and must protect all information they received; it was also requested that they electronically purge electronic information about non-Medicaid patients.
March 21, 2017: America’s JobLink, a web-based system that connects job seekers and employers, revealed its systems were breached by a hacker who exploited a misconfiguration in the application code. The criminal was able to gain access to the personal information of 4.8 million job seekers, including full names, birth dates, and Social Security numbers.
Activity was uncovered in the ten states that use the America’s JobLink system: Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma, and Vermont. The code misconfiguration was discovered and eliminated on March 14, 2017, so anyone who had an account with America’s JobLink before March 14, 2017 may have been affected and had their personal information compromised.
FAFSA: IRS Data Retrieval Tool
April 6, 2017: The IRS revealed that up to 100,000 taxpayers may have had their personal information stolen in a scheme involving the IRS Data Retrieval Tool, which is used to complete the Free Application for Federal Student Aid (FAFSA). In March 2017, federal officials observed a potential data breach and took the tool down. The IRS said it shut down the Data Retrieval Tool because identity thieves that had obtained some personal information outside of the tax system were possibly using the tool to steal additional data.
Currently, the agency suspects that less than 8,000 fraudulent returns were filed, processed, and returns issued, costing $30 million. 52,000 returns were stopped by IRS filters and 14,000 illegal refund claims were halted as well.
InterContinental Hotels Group (IHG) – UPDATE
April 19, 2017: When IHG first announced a data breach in February 2017, it was believed that only 12 of its properties had been affected. It’s been revealed, however, that the initial 12 has jumped to 1,200. IHG said the dozen hotels initially named were only the ones they run directly and at the time, they did not know the full scope of the breach; the other hotels are IHG-branded franchise properties. The malware had infected hotel servers, but was eradicated in all locations by the end of March.
April 25, 2017: Chipotle posted a “Notice of Data Security Incident” on its website to let customers know about unauthorized activity it detected on the network that supports in-restaurant payment processes. It believes payment card transactions that occurred from March 24, 2017 through April 18, 2017 may have been affected. The investigation is still ongoing and at the time the notice was published, the company did not have any additional information; it just said that it believes it has stopped the unauthorized activity and it’s too early to give more details.
Sabre Hospitality Solutions
May 2, 2017: Sabre Hospitality Solutions, a tech company that provides reservation system services for more than 36,000 properties, revealed a breach that allowed hotel customer payment information to be compromised. The company shared the information in its quarterly filing report and did not say when the breach happened or which locations may have been affected. The unauthorized access has been shut off and the company does not believe any other Sabre systems have been compromised.
May 3, 2017: Gmail users were targeted in a sophisticated phishing scam that was seeking to gain access to accounts through a third-party app. The emails were made to look like they were from a user’s trusted contact and notified the individual that they wanted to share a Google Doc with them. Once clicked, the link led to Google’s real security page where the person was prompted to allow a fake Google Docs app to manage his or her email account. Google put a stop to the scam in about one hour and the company says they estimate about 1 million users may have been affected.
Bronx Lebanon Hospital Center
May 10, 2017: Thousands of HIPAA-protected medical records were exposed in a data breach due to a misconfigured Rsync backup server hosted by a third party, iHealth. At least 7,000 patients who visited the Bronx Lebanon Hospital Center in New York between 2014 and 2017 may have had extremely personal information compromised. Leaked information has been reported to include names, home addresses, religious affiliations, addiction histories, mental health and medical diagnoses, HIV statuses, and sexual assault and domestic violence reports. Once the breach was detected, the hospital and iHealth took immediate steps to protect the exposed data.
May 12, 2017: If you shopped at a Brooks Brothers retail store or outlet in the last year and used a credit or debit card, you may have had your card data stolen. Brooks Brothers revealed a breach that affected some of their stores between April 4, 2016, and March 1, 2017; the retailer has not revealed which exact locations were targeted yet. A forensic investigation showed an unauthorized individual installed malicious software on some payment processing systems that was capable of collecting payment card information. Brooks Brothers said the issue has been resolved but did not provide any other details upon announcing the breach.
May 17, 2017: Customers and users of the electronic signature provider DoguSign were targeted recently by malware phishing attacks. DocuSign says that hackers breached one of its systems, but they only obtained email addresses and no other personal information. The hackers used the email addresses to conduct a malicious email campaign in which DocuSign-branded messages were sent that prompted recipients to click and download a Microsoft Word document that contained malware. If you received a suspicious DocuSign email, forward it to email@example.com; moving forward, only access documents directly through the DocuSign website and not by clicking email links.
Latest posts by Heidi Daitch (see all)
- Recent Data Breach Roundup: May 2017 - May 23, 2017
- 2017 Data Breaches – The Worst So Far - May 22, 2017
- Have You Changed Your Password Yet? Over 560 Million Logins Have Been Exposed - May 18, 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013