IdentityForce Logo IdentityForce Logo
Protect What Matters Most.
2018 Data Breaches
Posted on December 27, 2017 by in Data Breach & Technology, Personal

In 2017, the world saw more data breaches than any year prior. On December 20th, the Identity Theft Resource Center (ITRC) reported that there were 1,293 total data breaches, compromising more than 174 million records. That’s 45% more breaches than 2016. This disturbing trend is only expected to continue for 2018.

**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**

As employees and consumers, we should be concerned about the threats facing our identities from hackers, cybercriminals and lackluster information security. If you’re interested in protecting yourself, your family, your employees or customers, you may be interested in reading these 10 privacy tips to increase your security.

Note: This post will be continuously updated with new information as additional 2018 data breaches are reported. Breaches appear in descending order, with the latest appearing at the bottom of the page.

You may also be interested in:


January 8, 2018: Electronic toymaker VTech Technologies has reached a settlement with the FTC following a two-year investigation. The company will pay $650,000 as a result of a cyberattack that exposed the personal data of an estimated 6.4 million children worldwide. VTech failed to get verifiable parental consent before collecting children’s information including their name, gender, birth date and more. In addition to not requiring parental consent, they failed to protect the data with reasonable security safeguards. This case shines a light on the rise of the electronic toy market, and the dangers it can present when not secured properly.

Jason’s Deli

January 11, 2018: A family-owned delicatessen with 275 locations across 28 states, Jason’s Deli confirmed it has been has been the target of a large data breach. Criminals gained access to the company’s point-of-sale terminals and installed RAM-scraping malware to steal customers’ credit card information and sell it on the dark web. Data such as cardholder name, credit or debit card number, expiration date, cardholder verification value and service code were obtained via the magnetic stripe on payment cards. As many as 2 million payment cards may have been compromised in this breach, which impacted at least 164 Jason’s Deli locations. The company has released a list of impacted locations, as well as advice for customers who may be impacted.


January 17, 2018: Connecticut-based insurance giant, Aetna has agreed to pay $17 million in a settlement after violating the privacy of about 12,000 members. This low-tech breach resulted from a mailing to HIV positive members in 23 different states. The envelope window, generally reserved for the recipient’s address, clearly revealed part of the letter reading, “filling prescriptions for HIV Medication.” This settlement, while still awaiting a judge’s approval, arrived relatively quickly as the lawsuit was just filed in late August. It’s cases like these that go to show how private information is compromised in more ways than just cybercrime.


February 2, 2018: CarePlus Health Plans, a Florida-based health insurance provider, is notifying its members of a privacy breach. The breach occurred as a result of a mailing error, and disclosed information including member name, CarePlus identification number and plan name, dates of service, provider of service, and services provided. It’s been reported that the information of roughly 11,200 members were exposed as a result of this breach. The company is encouraging customers who notice any unfamiliar changes in their records to call CarePlus at 800-794-5907.

Partners HealthCare

February 5, 2018: Massachusetts’ largest private employer, Partners HealthCare, announced that a 2017 data breach may have exposed the personal information of 2,600 patients. The company’s network was breached via malware in May of last year, which compromised records including patients’ names, diagnoses, types of procedures and medications. Some patients’ Social Security numbers and financial data may also have been exposed. Partners has mailed letters to patients explaining the situation and is offering to free credit monitoring and insurance to those whose Social Security numbers were revealed. In a statement, the company said they are “enhancing its security program, controls and procedures and continuing to monitor systems for unusual activity.” This marks the second major data breach for Partners, after a phishing scam exposed the personal and health information of 3,300 patients two years ago.

**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**


February 15, 2018: Researchers from Kromtech Security discovered the personal information of 119,000 FedEx customers sitting on an unsecured Amazon Web Services (AWS) cloud storage server. This information included passports, drivers’ licenses, names, home addresses, phone numbers and ZIP codes. This server came into FedEx’s possession as a result of their 2014 acquisition of Bongo International, and apparently got lost in the shuffle. It has since been secured and, according to a statement from FedEx, there was “no indication” of data being “misappropriated.” This case goes to show the importance of tight security measures in the merger and acquisition process to prevent similar data breaches from occurring.

BJC Healthcare

March 12, 2018: St. Louis-based healthcare provider, BJC Healthcare discovered a wrongly-configured server that exposed scanned images of documents from 33,420 patients. The company includes 15 hospitals and other health services organizations in Missouri and Illinois. Its server was left unsecured from May 2017 through January of this year, and may have revealed patients’ driver’s licenses, insurance cards, addresses, Social Security numbers, telephone numbers, treatment records, and other personal information. These documents were collected from 2003 to 2009. In a statement, BJC said their investigation didn’t reveal evidence that data had been misappropriated, but is offering free identity theft protection to its patients. For those potentially affected, questions can be addressed to 844.416.6281.

St. Peter’s Surgery & Endoscopy Center

March 13, 2018: New York hospital, St. Peter’s Surgery & Endoscopy Center, has reported that it discovered a data breach on January 8th. According to the report, 134,512 individuals may have been impacted after a third party gained access to the hospitals servers. The compromised information includes patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information, and, for those with Medicare, Social Security numbers. Luckily, no banking or credit card information was involved. St. Peter’s has mailed out letters notifying patients of the data breach, and has offered Medicare patients one free year of credit monitoring.


March 20, 2018: Subsidiary of Expedia, Inc., Orbitz announced it has discovered a possible data breach affecting 880,000 consumers. A hacker had used a legacy website to gain access to payment-card and other personal information between January 2016 and December of last year. This personal information includes birthdays, addresses, full names, phone numbers, email addresses and gender. The current Orbitz website was not affected by this breach. In an effort to maintain the trust of its customers and partners, the company is offering a year of complimentary credit monitoring and identity protection services.

ATI Physical Therapy

March 22, 2018: Illinois-based ATI Physical Therapy has experienced a data breach where several employee email accounts were hacked by a phishing scam. These email accounts contained sensitive patient information, including Social Security numbers, driver’s license numbers, financial account numbers, Medicare or Medicaid ID numbers, and medical records. The company is notifying its 35,136 patients of the breach, which was initially discovered in January. This marks the latest in an ongoing string of hacks on healthcare organizations this year.

**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**

Massive Hack Sponsored by Iran

March 23, 2018: A government-backed Iranian hacking ring has been discovered by the U.S. Justice Department. These hackers systematically hacked into the computer networks of 144 U.S. universities by performing a phishing scam and breaching the email accounts of roughly 4,000 professors. Once inside, they stole 31 terabytes of intellectual property, totaling $3.4 billion worth of damages. Additionally, the Iranian hackers attacked 36 private American companies and infiltrated five U.S. government agencies, stealing the emails associated with thousands of accounts. This is an unprecedented and troubling case of cyberespionage that goes to show the ever-present threats facing us from cybercriminals around the globe.

Under Armour

March 29, 2018: In one of the largest cyberattacks on record, Under Armour has announced that 150 million users of its app, MyFitnessPal, had their information acquired by an unauthorized party. The data compromised in this breach included usernames, email addresses, and hashed passwords – the kind of information that can lead to identity theft. Under Armour is continuing their investigation into the data breach and notifying users of the MyFitnessPal app. After making their announcement, shares of the company dropped 3.8 percent as investors reacted to the news.

Saks Fifth Avenue, Lord & Taylor

April 1, 2018: In what we all wish was an April Fool’s joke, owner of retail stores Saks Fifth Avenue and Lord & Taylor, Hudson’s Bay Company (HBC), confirmed that hackers stole the data of more than 5 million credit and debit cards. This massive hack was discovered by cybersecurity firm, Gemini Advisory. Gemini’s analysis shows that the breach of payment systems began in May 2017. Fallout from the data breach is just now being seen, as those responsible have begun selling customers’ credit and debit card information on the Dark Web. 125,000 payment cards have been released so far with the rest likely to come available in the coming months. A breach of this scale makes it one of the largest and most-damaging cyberattacks against a retailer. HBC said it is “taking steps to contain it”, but there will no doubt be a significant negative impact on North American consumers.

Panera Bread

April 2, 2018: The St. Louis-based, bakery-cafe Panera Bread has left the information of up to 37 million customers in plain text accessible from its website. Customers who have created an account to order online can expect that their full name, email and physical address, phone number, birthday, and last four digits of credit or debit card have been compromised. It appears that the company’s catering application was also impacted. Panera was notified of this vulnerability in August of 2017 yet, according to reports, did not address the issue until today. There are more than 2,100 Panera locations in the United States and Canada.


April 16, 2018: Inogen, a supplier of oxygen concentrators headquartered in California, announced it is notifying 30,000 current  and former customers of a data breach that lasted from January 2 – March 14, 2018. The breach occurred after a hacker gained unauthorized access to an employee’s email account through a phishing scam. Some of the data that was compromised includes names, telephone numbers, email addresses, dates of birth, dates of death, Medicare identification numbers, insurance policy information, and the type of medical equipment the company provided. Inogen has disclosed the data breach to the Securities and Exchange Commission (SEC) and is providing those affected with free credit monitoring.

**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**

UnityPoint Health

April 20, 2018: A network of hospitals, clinics and home care services with locations in Iowa, Illinois, and Wisconsin, announced that it has been breached. UnityPoint Health has said about 16,000 people could be affected in the incident. According to company officials, several employees’ email accounts were compromised after a successful phishing attack. These accounts may have been accessed from November 1, 2017 until February 7, 2018. The information exposed could include patient Social Security numbers and financial information.

SunTrust Banks

April 20, 2018: SunTrust has experienced a data breach impacting 1.5 million clients. The Atlanta bank said a former employee is responsible for the data theft, which exposed customers’ names, addresses, phone numbers, and account balances. As a result of the breach, SunTrust is offering identity protection for all of its customers at no cost.

City of Goodyear

May 9, 2018: The city of Goodyear, AZ has confirmed a data breach leaving about 30,000 utility customers vulnerable. According to reports, the city learned about an issue with its bill pay system after a customer informed them of fraudulent activity on their bank account. City officials have taken the payment system offline as a response to the breach.


May 12, 2018: The restaurant chain, Chili’s has announced a data breach exposing customers’ credit and debit cards. Brinker International, who owns Chili’s, said that it believes hackers used malware to access guests’ payment card information. The company also stated that the incident occurred between March and April 2018. The number of customers affected is not yet known, but we will update this post as more details emerge.

Rail Europe

May 14, 2018: A popular website for Americans to book train travel overseas, Rail Europe confirmed it experienced a three-month data breach from November 2017 to mid-February 2018. The company filed a letter with the California attorney general saying that hackers placed skimming software on its website to capture customers’ credit card numbers, expiration dates, and CVV codes. Additional information that these hackers captured includes name, gender, address, telephone number, email address, username and password.

**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**

Nuance Communications

May 17, 2018: In yet another healthcare data breach, Burlington, MA-based, Nuance Communications has announced that 45,000 patient records were accessed by an unauthorized party. The records were hosted on one of the company’s medical transcription platforms, and included patient names, dates of birth, medical record numbers, and information about their medical condition and treatments. It has been determined that a former Nuance employee had hacked into the company’s servers, and it appears that none of the records were used for malicious purposes.

University at Buffalo

May 21, 2018: The accounts of more than 2,500 students, alumni, and staff were compromised in a University at Buffalo data breach. Those impacted had their login information stolen after visiting a third-party website not associated with the university. UB has informed the individuals who were affected, and instructed them to change their username and password.

LifeBridge Health

May 22, 2018: The names, addresses, birth dates, insurance information, and Social Security numbers of 500,000 patients have been exposed in a data breach of LifeBridge Health. The Baltimore-based healthcare system first recognized that it experienced a cyberattack in March, but the breach itself took place back in September of 2016, leaving patient records open for more than a year and a half. LifeBridge is offering one free year of credit monitoring to those affected.

Aultman Health Foundation

May 29, 2018: Ohio-based healthcare provider, Aultman Health Foundation discovered a data breach impacting a potential 42,600 patients. Hackers gained access to several employee email accounts through a phishing attack. The breached data included patient demographics, physical exam information, medical history, test results, and, for some, Social Security and driver’s license numbers.


June 3, 2018: Subsidiary of Eventbrite, concert ticketing service Ticketfly has announced a data breach impacting more than 26 million customer accounts. The company’s website is currently offline as a result of the cybersecurity incident, and they are directing visitors to this page for updates on the situation. The stolen information included customer names, addresses, email addresses, and telephone numbers.


June 5, 2018: In the latest major cybersecurity incident, MyHeritage, the genealogy and DNA testing service, experienced a data breach exposing the email addresses and hashed passwords of more than 92 million people. A file containing the data was found on a private, third-party server and then brought to the company’s attention. MyHeritage is encouraging all registered users to change their password immediately and sign up for their soon to be released two-factor authentication feature.

Dignity Health

June 7, 2018: An emailing error caused a data breach of California-based Dignity Health. Misaddressed emails were sent out, exposing the personal information of 55,947 patients. Fortunately, the only information disclosed were patient names and the name of their physician.


June 11, 2018: A hack of South Korean cryptocurrency, Coinrail, has made waves in the market. The company said in a statement that hackers stole up to 30 percent of the coins from its storage – valued at approximately $37.2 million. News of this hack prompted the value of more popular cryptocurrencies, Bitcoin and Ethereum, to plummet. According to cybersecurity company, Carbon Black, approximately $1.1 billion worth of cryptocurrency has been stolen so far this year.

Chicago Public Schools (CPS)

June 17, 2018: Officials have issued an apology for a recent Chicago Public Schools data breach. The breach occurred after an employee emailed students’ private information to more than 3,700 families. This information included names, email addresses, phone and student identification numbers.


June 20, 2018: In the second major cryptocurrency heist of the month, Bithumb has been hacked. Bithumb is the world’s sixth largest cryptocurrency exchange. Like Coinrail (see above), the company is also based in South Korea. As a result of this breach, $32 million worth of cryptocurrencies were stolen.

Med Associates

June 21, 2018: A health billing company in Latham, NY, Med Associates experienced a healthcare data breach potentially exposing the protected health information of 270,000 patients. The breach occurred when an employee’s workstation was compromised by a third party. Patient information including names, dates of birth, diagnosis codes, and insurance information could have been compromised.


June 25, 2018: A spokeswoman from freelance labor-for-hire website, TaskRabbit confirmed the company experienced a data breach affecting more than 3.75 million users. A hacker targeted the site and the names, birth dates, Social Security numbers, and bank account numbers of both customers and laborers may have been compromised. TaskRabbit is offering those affected 12 months of free identity restoration services.

Click2Gov – Midwest City

June 25, 2018: Officials from Midwest City, OK have learned that an unauthorized party had gained access to the city’s online payment system Click2Gov. Initial reports show that 2,300 customers who used the service between May 25 and June 21 may have been affected. The compromised data includes customer names, billing addresses, and payment card information.


June 27, 2018: In one of the largest data breaches in history, marketing and data aggregation firm, Exactis, left its database unprotected on a publicly accessible server. The leak was found by security researcher, Vinny Troia earlier this month. In it were approximately 340 million records. 230 million of those records were consumer information and 110 million were from businesses. Consumer PII included phone numbers, home addresses, and email addresses, along with a slew of 400 other variables to characterize individuals.


June 27, 2018: Event goers may have had their credit card information compromised in a Ticketmaster data breach. Hackers who go by the name Magecart altered code on the company’s website to skim payment card data entered at checkout. It’s been reported that at least 800 other e-commerce sites have been affected by similar attacks. We’ll report news of those breaches as they arise.


June 30, 2018: Online customers of Adidas have been notified of a data breach that compromised their contact information, usernames, and encrypted passwords. Hackers targeted the Adidas U.S. website, capturing the information of millions of consumers.


July 7, 2018: Hackers launched a Fourth of July attack on the popular social media app Timehop. The security breach compromised the names and emails of all its 21 million users, 4.7 million of whom also had a phone number exposed. Timehop said that it has taken steps to include multifactor authentication to improve their cloud security.

Polar Fitness Trackers

July 9, 2018: Another major fitness tracking app has been breached, this time revealing highly sensitive personal and geographical information of military and counter intelligence personnel. The leak was found on the Polar Flow social platform where users share their exercise data. Beyond fitness information, the data collected includes GPS tracking information, allowing anyone in possession of it to locate and identify the often confidential location of military bases, embassies, airfields, nuclear storage sites, and intelligence agencies. This cyberthreat is clearly a serious and frightening vulnerability. Users of such fitness tracking apps should enable all available privacy settings and watch what they share in online forums.


July 10, 2018: If you shopped online at Macy’s between April 26 and June 12 of this year, expect a letter in the mail. The giant retailer is informing customers that a third party accessed their accounts, gaining access to names, phone numbers, email addresses, birth dates, and credit and debit card numbers with the expiration dates. This marks the latest in a string of massive retail data breaches, with no signs of slowing down.

U.S. Air Force

July 11, 2018: In the latest military data breach, an amateur hacker gained access to an Air Force captain’s computer and obtained classified information about MQ-9A Reaper drones and their operators. The hacker who stole the documents did so by exploiting a known security flaw, then tried to sell them on the dark web for just $150.

Nashville Metro Public Health

July 11, 2018: The personal information identifying thousands of HIV patients sat unprotected on a server at Nashville Metro Public Health. This highly personal and protected health information included the names, addresses, Social Security numbers, dates of birth, sexual preference, illegal drug use history, and more. The breached patient data included both the alive and deceased, and could have been accessed, modified, or stolen by any one of more than 500 Metro Public Health employees.

UMC Physicians (UMCP)

July 12, 2018: An employee of Texas-based healthcare provider, UMC Physicians, had their email account hacked, exposing the personal health information of more than 18,000 patients. This healthcare data breach included names, addresses, phone numbers, medical record numbers, diagnoses, Social Security numbers, dates of birth, and health insurance information. UMCP is providing patients with one year of free credit monitoring and identity theft protection.

LabCorp Diagnostics

July 17, 2018: The IT network of LabCorp, the largest blood testing laboratory in the U.S., was breached by hackers. After recognizing the suspicious activity, the diagnostics company took its systems offline to investigate what information may have been compromised. As a result, some customers may experience delays in receiving test results.


Data Breach Response Plan