In 2017, the world saw more data breaches than any year prior. On December 20th, the Identity Theft Resource Center (ITRC) reported that there were 1,293 total data breaches, compromising more than 174 million records. That’s 45% more breaches than 2016. This disturbing trend is only expected to continue for 2018.
As employees and consumers, we should be concerned about the threats facing our identities from hackers, cybercriminals and lackluster information security. If you’re interested in protecting yourself, your family, your employees or customers, you may be interested in reading these 10 privacy tips to increase your security.
Note: This post will be continuously updated with new information as additional 2018 data breaches are reported. Breaches appear in descending order, with the latest appearing at the bottom of the page.
January 8, 2018: Electronic toymaker VTech Technologies has reached a settlement with the FTC following a two-year investigation. The company will pay $650,000 as a result of a cyberattack that exposed the personal data of an estimated 6.4 million children worldwide. VTech failed to get verifiable parental consent before collecting children’s information including their name, gender, birth date and more. In addition to not requiring parental consent, they failed to protect the data with reasonable security safeguards. This case shines a light on the rise of the electronic toy market, and the dangers it can present when not secured properly.
January 11, 2018: A family-owned delicatessen with 275 locations across 28 states, Jason’s Deli confirmed it has been the target of a large data breach. Criminals gained access to the company’s point-of-sale terminals and installed RAM-scraping malware to steal customers’ credit card information and sell it on the dark web. Data such as cardholder name, credit or debit card number, expiration date, cardholder verification value and service code were obtained via the magnetic stripe on payment cards. As many as 2 million payment cards may have been compromised in this breach, which impacted at least 164 Jason’s Deli locations. The company has released a list of impacted locations, as well as advice for customers who may be impacted.
January 17, 2018: Connecticut-based insurance giant Aetna has agreed to pay $17 million in a settlement after violating the privacy of about 12,000 members. This low-tech breach resulted from a mailing to HIV-positive members in 23 different states. The envelope window, generally reserved for the recipient’s address, clearly revealed part of the letter reading, “filling prescriptions for HIV Medication.” This settlement, while still awaiting a judge’s approval, arrived relatively quickly, as the lawsuit was filed only in late August. Cases like these show that private information is compromised in more ways than just cybercrime.
February 2, 2018: CarePlus Health Plans, a Florida-based health insurance provider, is notifying its members of a privacy breach. The breach occurred as a result of a mailing error, and disclosed information including member name, CarePlus identification number and plan name, dates of service, provider of service, and services provided. It’s been reported that the information of roughly 11,200 members was exposed as a result of this breach. The company is encouraging customers who notice any unfamiliar changes in their records to call CarePlus at 800-794-5907.
February 5, 2018: Massachusetts’ largest private employer, Partners HealthCare, announced that a 2017 data breach may have exposed the personal information of 2,600 patients. The company’s network was breached via malware in May of last year, which compromised records including patients’ names, diagnoses, types of procedures and medications. Some patients’ Social Security numbers and financial data may also have been exposed. Partners has mailed letters to patients explaining the situation and is offering free credit monitoring and insurance to those whose Social Security numbers were revealed. In a statement, the company said it is “enhancing its security program, controls and procedures and continuing to monitor systems for unusual activity.” This marks the second major data breach for Partners, after a phishing scam exposed the personal and health information of 3,300 patients two years ago.
February 15, 2018: Researchers from Kromtech Security discovered the personal information of 119,000 FedEx customers sitting on an unsecured Amazon Web Services (AWS) cloud storage server. This information included passports, drivers’ licenses, names, home addresses, phone numbers and ZIP codes. This server came into FedEx’s possession as a result of their 2014 acquisition of Bongo International, and apparently got lost in the shuffle. It has since been secured and, according to a statement from FedEx, there was “no indication” of data being “misappropriated.” This case goes to show the importance of tight security measures in the merger and acquisition process to prevent similar data breaches from occurring.
March 12, 2018: St. Louis-based healthcare provider BJC Healthcare discovered a wrongly configured server that exposed scanned images of documents from 33,420 patients. The company includes 15 hospitals and other health services organizations in Missouri and Illinois. Its server was left unsecured from May 2017 through January of this year, and may have revealed patients’ driver’s licenses, insurance cards, addresses, Social Security numbers, telephone numbers, treatment records, and other personal information. These documents were collected from 2003 to 2009. In a statement, BJC said its investigation didn’t reveal evidence that data had been misappropriated, but the company is offering free identity theft protection to its patients. For those potentially affected, questions can be addressed to 844.416.6281.
St. Peter’s Surgery & Endoscopy Center
March 13, 2018: New York hospital St. Peter’s Surgery & Endoscopy Center has reported that it discovered a data breach on January 8th. According to the report, 134,512 individuals may have been impacted after a third party gained access to the hospital’s servers. The compromised information includes patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information, and, for those with Medicare, Social Security numbers. Luckily, no banking or credit card information was involved. St. Peter’s has mailed out letters notifying patients of the data breach, and has offered Medicare patients one free year of credit monitoring.
March 20, 2018: Orbitz, a subsidiary of Expedia, Inc., announced it has discovered a possible data breach affecting 880,000 consumers. A hacker had used a legacy website to gain access to payment-card and other personal information between January 2016 and December of last year. This personal information includes birthdays, addresses, full names, phone numbers, email addresses and gender. The current Orbitz website was not affected by this breach. In an effort to maintain the trust of its customers and partners, the company is offering a year of complimentary credit monitoring and identity protection services.