February saw plenty of data breaches, but some of the bigger ones didn’t actually happen this month—they were just announced. Data breach revelations that occur months, or even years, after the fact aren’t uncommon, though. As hackers become sneakier with their tactics, many are able to take what they want, sell the information, and get away before anyone knows what happened.
Here are the recent data breaches that were making headlines in February 2017:
Xbox 360 ISO and PSP ISO
Video game enthusiasts were surprised to learn this month that they were victims of a breach that happened back in September 2015. Security expert Troy Hunt, of the website Have I Been Pwned?, revealed that Xbox 360 ISO and PSP ISO had been hacked. The websites, both forums which host illegal game download files, housed sensitive user information that was taken. 1.2 million Xbox 360 ISO users and 1.3 million PSP ISO users were affected and may have had their e-mail addresses, IP addresses, usernames, and passwords stolen in the breach. At this time, it’s not clear who is responsible, but any forum users are encouraged to change their passwords immediately.
The national fast food chain acknowledged a data breach this month after being pressed by the website KrebsOnSecurity; the site had heard from independent sources at nearly a half dozen banks and credit unions to ask if there had been a breach at Arby’s. The company admitted that they had been notified in mid-January about a possible breach in select restaurants, but the FBI asked them not to go public yet.
Malware was placed on payment systems inside certain Arby’s corporate stores, which make up about one-third of all Arby’s in the nation (the other two-thirds are franchises). There are about 1,000 corporate Arby’s restaurants, and while not all were affected, it’s not clear yet how many were. The company says that the malware has been removed, but the scope of the breach is not yet known. Arby’s did not say when the breach occurred, but one credit union believes it may have been between October 25, 2016 and January 19, 2017.
InterContinental Hotels Group (IHG)
IHG, the company that owns popular hotel chains like Crowne Plaza, Holiday Inn, Candlewood Suites, and Kimpton Hotels, announced a data breach that affected 12 of its properties. Malware was found on servers which processed payments made at on-site restaurants and bars; travelers that used cards at the front desk did not have information taken. The malware was active from August 2016 to December 2016 and stolen data includes cardholder names, card numbers, expiration dates, and internal verification codes.
Affected customers are being notified by IHG. Some targeted locations include Sevens Bar & Grill at Crowne Plaza San Jose-Silicon Valley, the Bristol Bar & Grille at the Holiday Inn in San Francisco’s Fisherman’s Wharf, InterContinental San Francisco, Aruba’s Holiday Inn Resort, and InterContinental Los Angeles Century City.
Back in December 2016, Yahoo announced the largest data breach in history. Two months before, it revealed a 2014 data breach in which almost 500 million accounts were compromised. This month, the company released more information about that 2014 breach as the ongoing investigation discovered more details.
Account holders are being notified via e-mail, with Yahoo saying, “we believe a forged cookie may have been used in 2015 or 2016 to access your account.” A forged cookie can let a hacker access user accounts without a password, and Yahoo has identified specific accounts that may have been affected.
Check back next month to stay up to date on the most recent data breaches.