Between January and September 2019 there were over 7.9 billion data records exposed — a 33% increase from the same time in 2018! Although hackers are obvious culprits in uncovering this data, oftentimes they had a helping hand from human error resulting in a data breach.
Last year, we also began to see the Federal Trade Commission (FTC) impose hefty fines and penalties on organizations, such as those relating to the Equifax breach and Facebook data leaks, to settle charges of improper handling of Personally Identifiable Information (PII).
What does 2020 hold? While our hope does spring eternal, with the increase of information insecurity — from exposed databases to phishing attempts, from malware to third-party data leaks — the odds are not looking good. Data breaches aren’t going anywhere and we’re here to keep you up-to-date on the worst data breaches of the year putting you at risk of identity theft.
Note: This post will be continuously updated with new information as additional 2020 data breaches are reported. Breaches appear in descending order, with the most recent appearing at the bottom of the page.
January 2, 2020: Restaurant conglomerate Landry’s announced a point-of-sale malware attack that targeted customers’ payment card data – the company’s second data breach since 2015. The collected Personally Identifiable Information (PII) included credit and debit card numbers, expiration dates, verification codes, and cardholder names.
January 14, 2020: An unsecured database on an Elasticsearch server linking back to Peekaboo Moments, an app where parents post images and videos of their children, was left exposed. An undisclosed number of email addresses, geographic location data, detailed device data, and links to photos and videos posted by parents have been impacted. The app has been downloaded 1 million times since launching in 2012.
January 20, 2020: An undisclosed number of shoppers of the children’s clothing retailer, Hanna Andersson, had sensitive payment information exposed. This breach is the latest in a string of Magecart attacks, where hackers install malicious malware in Point of Sale (POS) systems to skim credit card information. Customers who made online purchases from September 16, 2019, to November 11, 2019, had their names, shipping addresses, billing addresses, payment card numbers, CVV codes, and expiration dates skimmed and put for sale on the Dark Web.
January 22, 2020: A customer support database holding over 280 million Microsoft customer records was left unprotected on the web. Microsoft’s exposed database disclosed email addresses, IP addresses, and support case details. Microsoft says the database did not include any other personal information.
January 23, 2020: THSuite, a point-of-sale system of marijuana dispensaries across the U.S., disclosed personal information belonging to over 85,000 medical marijuana patients and recreational users after leaving their database unprotected. The data breach impacted names, date of births, phone numbers, emails, street addresses, patient names and medical ID numbers, cannabis variety and the quantity purchased, total transaction costs, date received, and photographs of scanned government and employee IDs.
February 11, 2020: An unsecured database belonging to the makeup company Estee Lauder exposed 440 million customer records. No payment or sensitive information was impacted but email addresses, IP addresses, ports, pathways, and storage information were disclosed in the database.
Fifth Third Bank
February 11, 2020: Fifth Third Bank, a financial institution with 1,150 branches in 10 states, claims a former employee is responsible for a data breach, which exposed customers’ name, Social Security number, driver’s license information, mother’s maiden name, address, phone number, date of birth and account numbers. The total number of affected employees and banking clients remains undisclosed.
Health Share of Oregon
February 13, 2020: The theft of an employee laptop from GridWorks IC, a third-party vendor of Health Share of Oregon, has exposed the personal and medical information of 654,000 members. The Health Share of Oregon data breach disclosed sensitive data, including names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers.
February 20, 2020: Over 10.6 million hotel guests who have stayed at the MGM Resorts have had their personal information posted on a hacking forum. The data dump exposed includes names, home addresses, phone numbers, emails, and dates of birth of former hotel guests.
February 20, 2020: The photography app, PhotoSquared, has exposed the personal information and photos of the 100,000 individuals who have downloaded the app. Besides photos, user’s names, addresses, order receipts, and shipping labels were impacted in the unsecured database.
February 24, 2020: Slickwraps, an online tech customization store, admitted to leaving the information of 850,000 customers in an unprotected database. The customer information disclosed includes names, email addresses, physical addresses, phone numbers, and purchase histories.
March 2, 2020: Walgreens, the second-largest US pharmacy chain, announced an error within their mobile app’s messaging feature that exposed not only personal messages sent within the app but also the names, prescription numbers and drug names, store numbers, and shipping addresses of its users. The total number of users affected has not been disclosed but the pharmacy’s app has over 10 million downloads.
Carnival Cruise Lines
March 4, 2020: Two cruise lines under the Carnival Corporation, one of the world’s largest cruise ship operator, divulged sensitive information of its employees and customers after a hacker accessed an employee’s work email. The information accessed from the Princess Cruises and the Holland America Line includes names, addresses, Social Security numbers, government identification numbers, such as passport number or driver’s license number, credit card and financial account information, and health-related information.
March 4, 2020: Hackers successfully accessed online accounts of customers of the apparel retailer, J-Crew, through a credential stuffing attack. Using exposed emails and passwords, the hackers were able to login to an unknown number of J-Crew customer accounts and gain access to stored information including the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers, shipping confirmation numbers, and shipment status.
March 5, 2020: An unknown number of customers’ sensitive information was accessed through a T‑Mobile employee email accounts after a malicious attack of a third-party email vendor. The personal information of T-Mobile customers accessed includes names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information, and rate plans and features.
March 11, 2020: Whisper, an anonymous secret-sharing app, has left member information exposed in an unsecured database. Although the app does not collect names, the database included nicknames, ages, ethnicities, genders, and location data of over 900 million users.
March 18, 2020: The online guitar lessons website, TrueFire, notified its users that a hacker gained access to names, addresses, payment card account numbers, card expiration date, and security codes for the past six months. The total number of users affected is still unknown but TrueFire has millions of users worldwide.
March 24, 2020: The technology conglomerate, General Electric (GE), disclosed that a third party vendor experienced a data breach, exposing the personally identifiable information of over 280,000 current and former employees. The employee information accessed through Canon Business Process Services included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, and dates of birth.
March 31, 2020: Using the login credentials of two employees through a third-party app used to provide guest services, Marriott International hotels exposed the information of 5.2 million guests. The personal information of the hotel guests impacted includes names, mailing addresses, email addresses, phone numbers, loyalty account numbers and points balances, company, genders, birth dates, linked airline loyalty programs and numbers, room preferences and language preferences. In a previous data breach in 2018, Marriott hotels exposed the personal information of 500 million guests.