Did you know that one in three data breach victims later go onto experience an identity crime? By now, it’s safe to assume that at least some of your Personally Identifiable Information (PII) has been compromised in a breach.
It’s for this reason that IdentityForce has been tracking all major breaches for the past 5 years, and will continue to do so. Check back often to read up on the latest breach incidents in 2019, and read our data breach resources to stay protected.
Note: This post will be continuously updated with new information as additional 2019 data breaches are reported. Breaches appear in descending order, with the latest appearing at the bottom of the page.
January 2, 2019: It didn’t take long for the first major breach announcement of 2019. Blur announced a breach after an unsecured server exposed a file containing 2.4 million user names, email addresses, password hints, IP addresses, and encrypted passwords. The password management company urged their users to change their Blur login credentials and enable two-factor authentication.
Town of Salem Video Game
January 3, 2019: The information of 7.6 million gamers was stolen in a hack of Town of Salem. BlankMediaGames (BMG) announced that its server was compromised and usernames, email addresses, IP addresses, game & forum activity, and purchased game premium features were exposed.
January 4, 2019: Online retailer of custom mugs and apparel, DiscountMugs.com was hacked for a four-month period in the latter half of 2018. The company announced that it had discovered malicious card skimming code placed on its payment website. Hackers were able to steal full payment card details (number, security code, and expiration date), names, addresses, phone numbers, email addresses, and postal codes.
January 7, 2019: U.S. provider of payroll, HR, and employer services, BenefitMall announced a data breach that occurred after an email phishing attack compromised employee login credentials. Though the exact number of records exposed hasn’t been released, the emails may have included customer names, addresses, Social Security numbers, dates of birth, bank account numbers, and information on the payment of insurance premiums.
January 10, 2019: New York-based manufacturer, OXO was hacked in two separate incidents over the past two years, exposing customer information entered on their website. The company discovered unauthorized code on its site which captured customer names, billing and shipping addresses, and credit card information.
Managed Health Services (MHS) of Indiana
January 11, 2019: The personal health information of more than 31,000 patients of Managed Health Services of Indiana has been exposed following a phishing attack. Names, insurance ID numbers, addresses, dates of birth, and medical conditions are among the potentially compromised data.
January 16, 2019: A flaw within the online video game Fortnite has exposed players to being hacked. According to the security firm Check Point, who discovered the vulnerabilities, a threat actor could take over the account of any game player, view their personal account information, purchase V-bucks (in-game currency), and eavesdrop on game chatter. Fortnite has 200 million users worldwide, 80 million of whom are active each month.
Oklahoma Department of Securities
January 17, 2019: Millions of government files, including records pertinent to FBI investigations, were left unprotected on an open storage server belonging to the Oklahoma Department of Securities (ODS). The oldest records exposed dated back to 1986 and ranged from personal data to login credentials and internal communication records.
January 17, 2019: Security researcher Troy Hunt discovered a massive database on cloud storage site, MEGA, which contained 773 million email addresses and 22 million unique passwords collected from thousands of different breaches dating back to 2008. The information was shared on a popular hacking forum where they could be shared about. If you’re concerned if your credentials could may have been compromised, visit Have I Been Pwned?
January 22, 2019: As many as 20,000 financial advisers had their information leaked by the world’s largest asset manager, BlackRock. The company posted confidential sales documents related to advisers who work with BlackRock’s iShares unit. Names, emails, and assets managed by advisers were among the information exposed.
Graeters Ice Cream
January 22, 2019: Cincinnati-based purveyor of sweets, Graeter’s Ice Cream has notified approximately 12,000 customers who purchased items through the company’s online store. Malicious code was found on the website’s checkout page, which could capture customer names, addresses, phone numbers, fax numbers, payment card type, payment card numbers, expiration dates, and verification codes.
Online Betting Sites
January 23, 2019: Three online betting sites copied data containing 108 million records to Elasticsearch cloud storage without securing it. If you’ve placed bets via kahunacasino.com, azur-casino.com, easybet.com, or viproomcasino.net your information was likely exposed, including: names, addresses, phone numbers, email addresses, birth dates, usernames, account balances, IP addresses, browser and OS details, games played, and win and loss information.
January 23, 2019: More than 24 million mortgage and banking documents sat unprotected in an online database for at least two weeks. According to the report from TechCrunch, the data leak was traced back to Fort-Worth, TX-based Ascension, a data analytics company who serves the financial services industry. The documents included people’s names, addresses, dates of birth, Social Security numbers, and financial information.
Alaska Department of Health & Social Services (DHSS)
January 23, 2019: A cyberattack targeting Alaska’s Division of Public Assistance has exposed data on at least 100,000 people. The attacker was able to access the names, Social Security numbers, dates of birth, addresses, health information, and income of people who applied for government programs.
January 29, 2019: IT security and cloud data management provider, Rubrik exposed a massive database containing customer information including names, contact information, and other details related to corporate accounts. The data leak was discovered on an unprotected Amazon Elasticsearch server that didn’t require a password.
Critical Care, Pulmonary & Sleep Associates (CCPSA)
January 31, 2019: Patients of the Colorado-based healthcare facility had their personal health information exposed after CCPSA employees fell for a phishing attack. Approximately 23,000 people have been notified of the breach, which included names, medical information, dates of birth, addresses, Social Security numbers, and driver’s licenses.
February 1, 2019: Popular home improvement startup, Houzz announced a data breach affecting users of the platform. In a statement, the company said that information such as names, city, state, country, profile description, username, and hashed passwords were taken by an unauthorized third party.
Catawba Valley Medical Center
February 4, 2019: Patients of North Carolina-based Catawba Valley Medical Center have had their names, birth dates, Social Security numbers, and Personal Health Information (PHI) exposed in a cyberattack. Three employee email accounts were hacked in a phishing scam between July and August 2018. An estimated 20,000 patients have been impacted.
February 4, 2019: The point of sale systems of U.S.-based restaurant chain, Huddle House were compromised through a third party vendor’s system, giving hackers the ability to install malware to capture the payment card information of customers between August 2017 and February 2019.
February 6, 2019: Over 24,000 patients of Georgia-based EyeSouth Partners are being notified of a breach. The breach occurred after an unauthorized third party gained access to an employee email account – a trend we’ve seen all too much of in recent times. Patient names, health insurance information, and some account balance information were compromised.
February 12, 2019: For the second time in three months, Dunkin’ Donuts announced a data breach affecting DD Perks rewards members. Hackers used credential stuffing attacks to gain access to customer accounts, and have been selling them on the Dark Web for profits.
Coffee Meets Bagel
February 14, 2019: Love was not in the air for users of dating app Coffee Meets Bagel, who announced a data breach on Valentine’s Day. The names and email addresses of all users who registered before May 2018 were exposed, impacting approximately 6 million people.
February 15, 2019: The accounts of 14.8 million users of 500px have been hacked, revealing full names, usernames, email addresses, birth dates, locations, and gender. The photo sharing website has notified its users and is forcing a password reset.
North Country Business Products
February 19, 2019: A data breach affecting North Country Business Products, a vendor of credit card processing services, has impacted at least 50 businesses across the state of Arizona. Customers of any of the following businesses between January 3rd and 24th, 2019, have had their name, credit card number, expiration date, and CVV compromised.
February 20, 2019: Patients of Florida-based Advent Health Medical Group are being notified of a 16-month long data breach. Approximately 42,000 individuals had their sensitive personal and health information exposed, including medical histories, insurance information, Social Security numbers, names, phone numbers, and addresses.
February 20, 2019: The usernames and hashed passwords of 450,000 users of Coinmama were recently posted on a dark web registry. The cryptocurrency broker has notified its customers and has encouraged all users to change their passwords.
February 20, 2019: Nearly 1 million patients have been notified of a UW Medicine data breach, which was discovered December 26, 2018. A vulnerability on the health network’s website server exposed protected health information including names, medical record numbers, and a description of each individual’s information.
February 22, 2019: In another major data breach of a university health facility, patients of UConn Health have had their personal information exposed after a third party accessed employee email accounts. About 326,000 people were affected in the breach, which compromised names, dates of birth, addresses, Social Security numbers, and limited medical information.
March 1, 2019: A database containing 2,418,862 identity records on government officials and politicians from every country in the world was leaked online from a Dow Jones watchlist. The watchlist is compiled from publicly available information on prominent individuals who have the ability to embezzle money, accept bribes, or launder funds.
Rush University Medical Center
March 4, 2019: About 45,000 patients of Chicago-based Rush health system were exposed in a data breach. Names, addresses, birthdays, Social Security numbers, and health insurance information were compromised after an employee disclosed billing documents to an unauthorized third party.
Health Alliance Plan
March 6, 2019: The protected medical information of 120,000 patients has been exposed in a Health Alliance Plan data breach. The names, addresses, dates of birth, member ID numbers, healthcare provider names, patient ID numbers, and claim information were compromised after a ransomware attack infiltrated Wolverine Solutions Group, a third-party vendor who manages the network’s mailing services.
Pasquotank-Camden Emergency Medical Services
March 12, 2019: An estimated 20,420 people have been affected in a cyberattack on North Carolina-based EMS company, Pasquotank-Campden Emergency Medical Services. The company’s billing information server was infiltrated by an unauthorized third party, leading to the exposure of Social Security numbers, dates of birth, and medical information.
Spectrum Health Lakeland
March 15, 2019: Michigan-based Spectrum Health Lakeland has announced it was also impacted in the hack of Wolverine Services Group, a mail vendor that works with multiple healthcare networks. Approximately 60,000 patients had their names, addresses, health services rendered, health insurance and billing information exposed.
Rutland Regional Medical Center
March 19, 2019: More than 72,000 patients have had their personal information exposed in a Rutland Regional Medical Center data breach. Patient names, contact information, medical record numbers, and 3,683 Social Security numbers were compromised after several employees email accounts were accessed illegally.
March 20, 2019: The personal information of 277,319 patients has been exposed by a Zoll Medical data breach. The medical device manufacturer headquartered in Chelmsford, MA announced that data from emails was leaked during a server migration, including names, addresses, dates of birth, and medical information. Some patients also has their SSN exposed.
MyPillow & Amerisleep
March 21, 2019: Bedding retailers MyPillow & Amerisleep experienced a breach at the hands of Magecart, a hacking syndicate that targets eCommerce websites with credit card skimming software. Hackers also set up a dummy URL to trick shoppers who made a typo in trying to visit the site.
March 21, 2019: Facebook has admitted that since 2012 it has not properly secured the passwords of as many as 600 million users. These passwords were stored in plain text and able to be accessed by more than 20,000 of the company’s employees. If you use Facebook, change your password.
Oregon Department of Human Services (DHS)
March 21, 2019: The Oregon Department of Human Services announced a data breach after nine of its employees clicked on a phishing link, compromising nearly 2 million emails. These emails may have exposed the names, addresses, dates of birth, Social Security numbers, and other information of as many as 1.6 million clients.
Federal Emergency Management Agency (FEMA)
March 22, 2019: Survivors who sought shelter assistance after hurricanes Maria and Irma, as well as California wildfires, have had their PII exposed in a FEMA privacy incident. About 2.5 million disaster victims had information like names and addresses, bank account information and birth dates shared with a contractor, leaving them unprotected.
March 23, 2019: A tracking app that allows family members to track each other’s location in real-time, Family Locator leaked data exposing more than 238,000 users. The locations of users was left accessible on an unprotected server, and included additional information such as name, email address, profile photo, and passwords.
Milestone Family Medicine
March 25, 2019: The names, addresses, dates of birth, health insurance information, Social Security numbers, and service information of 32,178 patients may have been stolen in a Milestone Family Medicine data breach.
Verity Health Systems
March 26, 2019: A hacker gained access to three of Verity Health Systems employee email accounts, compromising the protected health information of 14,894 patients. The sensitive data included names, patient ID numbers, dates of birth, addresses, phone numbers, health insurance information, payment information, driver’s licenses, and Social Security numbers.
March 29, 2019: The parent company of Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria, Earl Enterprises announced a breach of its payment systems after discovering malware that stole customer credit and debit card information. More than 2 million customers were impacted.
March 29, 2019: A database controlled by email validation company Verifications.io was discovered on an unprotected server that was accessible to anyone who knew where to look. Nearly 1 billion email accounts, along with other personal information, were exposed in one of the largest single-source data breaches ever recorded. The company has seemingly closed its doors after news of the breach broke.
April 2, 2019: Personal information of current and former faculty, students, staff and student applicants of Georgia Tech were accessed by a hacker through a central database. The database affected by the breach includes names, addresses, Social Security Numbers and birth dates of 1.3 million individuals. This is the university’s second breach in less than a year.
April 2, 2019: Two third-party applications which hold Facebook datasets were left exposed to the public online. Over 540 million records, including account names, Facebook ID, and user activity were exposed through Cultura Colectiva. The second application, At the Pool, disclosed passwords along with information regarding photos, events, groups, check-ins and more.
April 8, 2019: An estimated 12,000 patients of Springfield, MA-based hospital, Baystate Health had their information exposed after a phishing attack compromised the email accounts of several employees. Patient names, dates of birth, health information, and some Medicare and Social Security numbers were involved in this healthcare data breach.
April 10, 2019: A phishing attack on Prisma Health of South Carolina gave hackers unauthorized access to several employee email accounts. The investigation into the attack determined that 23,811 patients had their protected health information exposed, including names, health insurance information, Social Security numbers, and financial information.
City of Tallahassee
April 15, 2019: Nearly $500,000 of the city of Tallahassee employees’ payroll was stolen by hackers who redirected direct deposits into an unauthorized account. City officials responsible for investigating the incident suspect the cyberattack came from a foreign nation.
Microsoft Email Services
April 15, 2019: In a statement to TechCrunch, Microsoft admitted a data breach of its non-corporate email services, including @msn.com, @hotmail.com, and @outlook.com. The breach, which lasted from January 1 to March 28, 2019, allowed hackers to access email accounts by misusing Microsoft’s customer support portal.
Steps to Recovery
April 19, 2019: Patients seeking treatment for drug and alcohol abuse have had their sensitive personal information exposed in a data breach of several addiction rehabilitation centers. The data was discovered unprotected by security researcher, Justin Paine. Approximately 145,000 patients have been impacted.
April 20, 2019: As many as 60,000 patients and employees of Florida’s EmCare have been notified of a data breach after a third party gained access to several employees’ email accounts. Those email accounts contained personal information including names, dates of birth, age, clinical information, and some Social Security and driver’s license numbers.
April 22, 2019: The largest online retailer of fitness supplements, Bodybuilding.com announced a data breach that potentially impacted its 7 million registered users. The company has since forced a password reset and notified its customers. The information that could have been stolen by hackers includes names, email addresses, billing/shipping addresses, phone numbers, order history, birth date, and information included in BodySpace profiles.
April 25, 2019: Magecart, a notorious hacking syndicate known for targeting online shopping portals, compromised the eCommerce website of the NBA’s Atlanta Hawks. The hackers installed a credit card skimming code on the site, stealing the names, dates of birth, and payment card details of anyone who shopped on the site after April 20, 2019.
April 29, 2019: Users have been notified of a Docker Hub data breach after hackers exposed the information of 190,000 account holders. The company offers cloud-based services to application developers and programmers. Information stolen in the breach includes usernames, hashed passwords, Github, and Bitbucket tokens.
April 29, 2019: Up to 65% of U.S. households have had their information exposed by an unsecured database housed on a Microsoft cloud server. While the owner of the data is unknown, over 80 million households have had their names, addresses, geographic location, age, dates of birth, and other demographic information compromised. VPNMentor, whose research team discovered the breach, is asking for help in identifying who the database belongs to.
May 2, 2019: In a letter to potential data breach victims, Citrix revealed that hackers gained access to the company’s internal systems between October 2018 and March 2019. The U.S. software company in investigating the cyber intrusion with help from the FBI, but thinks that the data stolen could include the Social Security numbers, financial information, and other data on current and former employees.
May 3, 2019: The personal information of 1.6 million subscribers of AMC Network’s premium streaming video platforms, Sundance Now and Shudder, were disclosed after the company’s database was left accessible to the public. The breach included names, email addresses, details about subscription plans and last four digits of credit cards. The exposed database also encompassed video analytics data gathered by Youbora, adding 441,943 exposed records including user IP addresses, country, city, state, ZIP code, and location coordinates.
May 7, 2019: An online tutoring marketplace with more than two million registered users and 80,000 instructors, Wyzant announced a breach of customer data. A hacker was able to break into one of the company’s databases, compromising names, email addresses, ZIP codes, and Facebook profile pictures of those who use single sign on to login to their Wyzant account.
May 9, 2019: A data breach of Freedom Mobile has affected an estimated 1.5 million customers after a database of information was found unprotected on an Elasticsearch server. The Canada-based telecommunications company exposed customer names, email addresses, phone numbers, physical addresses, dates of birth, account numbers, and credit card information.
Pacers Sports & Entertainment (PSE)
May 13, 2019: The legal entity behind the basketball team Indiana Pacers, Pacers Sports & Entertainment (PSE), recently announced a phishing email campaign caused a security breach of sensitive information. The number of affected individuals is still unknown, but the information exposed may include names, addresses, date of births, Social Security numbers, passport numbers, medical insurance information, driver’s license number, account number, payment card number, digital signature, and username and password. PSE has not shared if the information disclosed belonged to employees or customers.
May 13, 2019: The largest retailer in Asia, Fast Retailing Co., revealed that hackers may have accessed as many as 460,000 Uniqlo shoppers‘ names, addresses, and partial credit card information. The company is urging customers to change their login credentials.
May 14, 2019: Facebook is facing another data privacy scandal after a WhatsApp data breach. The messaging app, which has over 1.5 billion users worldwide, experienced a security flaw that left people vulnerable to spyware designed by the NSO Group, an Israeli government surveillance agency. Those affected would have been able to be spied on through their phone’s microphone and camera, WhatsApp messages and connected apps.
May 20, 2019: More than 49 million Instagram influencers, celebrities, and brands have had their private contact information exposed after an India-based social media marketing company left the data unprotected on an Amazon Web Services database. TechCrunch reported that the bio, profile photo, location, verification status, email address and phone number of high-profile accounts were exposed.
Inmediata Health Group
May 23, 2019: The website of a healthcare company, Inmediata was breached after a setting allowed search engines to index internal pages that contained patient data. More than 1.5 million people may have had their names, addresses, dates of birth, gender, medical information, and Social Security numbers may have been exposed. The company has notified those affected.
First American Financial Corp.
May 24, 2019: A massive data leak containing 885 million personal and financial records was found unprotected on the website of First American Financial Corp. The company, a leading title insurer for the U.S. real estate market, exposed consumers’ Social Security numbers, bank account numbers, mortgage and tax records, wire transaction receipts, and driver’s license images dating as far back as 2003. It is unclear if malicious actors accessed and stole any of the data, which sat unprotected and accessible to anyone who had the URL, for more than two years.
May 24, 2019: The massively popular online design tool, Canva was hacked, exposing 139 million users. Hacker(s) stole Canva customers’ usernames, real names, and email addresses. The company is urging all users to change their passwords as a precaution.
May 29, 2019: Flipboard announced it was hacked after an unauthorized third party accessed databases containing user information. Names, usernames, email addresses, and encrypted passwords are among the data that could have been stolen. Flipboard has 150 million monthly users.
May 29, 2019: More than 100 Checkers and Rally’s restaurants had their point-of-sale systems hacked, compromising customers’ full payment card information. The restaurant discovered the attack in April 2019, but found that 15 percent of its location’s systems had been compromised for years.
June 3, 2019: Nearly 12 million patients have been exposed in a Quest Diagnostics data breach. The breach occurred after hackers took control of the payments page of one of Quest’s billing collections vendors, AMCA, between August 2018 and March 2019. Financial account data, Social Security numbers, and health information were likely stolen.
June 4, 2019: One day after Quest Diagnostics reported a data breach, LabCorp disclosed that 7.7 million of its customers were also impacted by the same hack. The records kept on LabCorp customers were less sensitive, however, exposing names, addresses, dates of birth, and balance information.
June 6, 2019: Another healthcare-related company has been impacted by the hack of American Medical Collection Agency (AMCA), which compromised Quest Diagnostics and LabCorp. Opko Health announced a data breach affecting 422,600 customers. Credit card and bank account information, email addresses, addresses, phone numbers, and balance information were exposed.
June 10, 2019: More than 1.1 million users of gaming website, Emuparadise have had their IP address, username, and password exposed in a data breach. This security incident originated from the site’s vBulletin forum.
U.S. Customs and Border Protection
June 10, 2019: Images of travelers’ faces and license plates were compromised in a cyberattack on a contractor for U.S. Customs and Border Protection. The agency said that fewer than 100,000 people were impacted while entering and exiting a border entry point.
June 11, 2019: More than 100 million users of online event planning service company, Evite, have had their information put up for sale on the dark web. A hacker who goes by the name Gnosticplayers released user names, email addresses, IP addresses, and cleartext passwords. In some cases, dates of birth, phone numbers, and postal addresses were also included.
June 11, 2019: A misconfiguration of an Amazon S3 file storage service potentially compromised the information of students who registered for exams like the PSAT and Advanced Placement. Total Registration, a Kentucky-based facilitator of test registrations, admitted that names of students and parents, dates of birth, languages, grade level, gender, student ID, and some Social Security numbers were implicated.
June 12, 2019: A security vulnerability within Evernote’s Web Clipper Chrome extension gave hackers access to the online data of its 4.6 million users. Authentication, financials, private communications, and more could have been accessed by malicious actors by exploiting a flaw in the Evernote code. The company has since corrected the issue, but it’s unclear how long user data may have been compromised.
June 18, 2019: An unauthorized third party broke into the systems of popular food delivery service, EatStreet. The hacker was able to steal customer data including names, phone numbers, email addresses, bank accounts and routing numbers, full payment card information, and billing addresses. While it’s unknown exactly how many customers were impacted, the hacker claims to have captured information on 6 million users.
Oregon Department of Human Services
June 18, 2019: Employees of the Oregon DHS were targeted in a phishing attack that gave a cybercriminal control over their email accounts. As many as 2 million emails containing full names, addresses, dates of birth, Social Security numbers, case numbers, health information, and other record keeping data were exposed.
June 20, 2019: Data on 2.7 million individuals and 173,000 businesses was stolen by a Desjardins employee. Desjardins is Canada’s largest credit union, and it has fired said employee after containing the incident. Names, dates of birth, social insurance numbers, addresses, phone numbers, email addresses were compromised.
June 26, 2019: The information of consumers, plan providers, and healthcare companies involving 95,000 Delaware residents was exposed in a Dominion National data breach. Names, addresses, dates of birth, email addresses, Social Security numbers, tax ID numbers, bank account and routing numbers, and member ID numbers were among the data compromised.
Maryland Department of Labor
July 8, 2019: Multiple systems managed by the Maryland Department of Labor were reported as breached, containing files dating back to 2009. The stolen data is suspected to include names, social security numbers, dates of birth, and other sensitive personally identifiable information of 78,000 users of the state’s unemployment insurance services and Literacy Works Information System.
Los Angeles County Department of Health Services
July 10, 2019: A contractor for the Los Angeles County Department of Health Services fell victim to a phishing attack, exposing the personal information of 14,600 patients, including names, addresses, patient information, and social security numbers.
July 10, 2019: Patients of Essentia Health were notified of a protected health information breach as the result of a third-party vendor, California Reimbursement Enterprises, being targeted by a phishing attack. Specific data impacted was not disclosed, but may have included medical records, billing information, and dates of birth, as types of information routinely shared with a billing services vendor.
July 10, 2019: An unsecured database belonging to Fieldwork Software was discovered by vpnMentor researchers, exposing customer names, credit cards, alarm codes, client information, and other sensitive details of the company’s small business customers. Of significant concern was a direct access link to the company’s backend system, and communication logs that detailed such information as alarm codes, building access details, and the location of clients’ hidden keys.
Clinical Pathology Laboratories (CPL)
July 17, 2019: Another clinical lab reported personal information of their patients were compromised following the previously-reported AMCA data breach, shortly after the Quest Diagnostics, LapCorp, and Opko Health data breaches. Clinical Pathology Laboratories (CPL) disclosed 2.2 million patients had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information exposed and an additional 34,500 patients had credit card or banking information affected.
July 18, 2019: An unknown number of Sprint customer accounts were hacked via the Samsung.com “add a line” website. The information exposed by the mobile network operator includes names, billing addresses, phone numbers, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility, and add-on services.