In March breach headlines, there was a trend of big brand names such as Walgreens, Marriott, and General Electric being targeted through their third-party apps and vendors. These third parties, often small businesses themselves, frequently lack the time, money, and expertise to detect and repel cyber threats. In light of the COVID-19 pandemic, there’s a huge virtual workforce now, and we’re using personal and mobile devices connected to our home networks, and many are doing so for the first time, with no previous work-from-home protocol in place. All of this introduces an entirely new element of risk for business security and, as a result, the number of security incidents, breaches, and identity theft cases for both businesses and consumers is expected to grow exponentially.
Watch our 15-minute on-demand webinar to understand the threat of coronavirus scams to your identity and your business: https://www.identityforce.com/15-min-webinar-the-days-of-covid-19-frauds-and-scams
We’ve gathered resources and information on how to detect COVID-19 fake websites and phishing emails: https://www.identityforce.com/identity-theft/coronavirus-scams
We’ve compiled the top digital scams related to COVID-19 fraud right now in this easy-to-share infographic: https://www.identityforce.com/six-covid-19-scams
Here are the recent data breaches that made headlines in March 2020:
Walgreens, the second-largest US pharmacy chain, announced an error within its mobile app’s messaging feature that exposed not only personal messages sent within the app but also the names, prescription numbers and drug names, store numbers, and shipping addresses of its users. The total number of users affected has not been disclosed, but the pharmacy’s app has over 10 million downloads.
Carnival Cruise Lines
Two cruise lines under the Carnival Corporation, one of the world’s largest cruise ship operators, divulged sensitive information of their employees and customers after a hacker accessed an employee’s work email. The information accessed from Princess Cruises and the Holland America Line includes names, addresses, Social Security numbers, government identification numbers such as passport or driver’s license numbers, credit card and financial account information, and health-related information.
Hackers successfully accessed online accounts of customers of the apparel retailer J.Crew through a credential stuffing attack. Using exposed emails and passwords, the hackers were able to log in to an unknown number of J.Crew customer accounts and gain access to stored information including the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers, shipping confirmation numbers, and shipment status.
The sensitive information of an unknown number of customers was accessed through T-Mobile employee email accounts after a malicious attack on a third-party email vendor. The personal information of T-Mobile customers accessed includes names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information, and rate plans and features.
Whisper, an anonymous secret-sharing app, has left member information exposed in an unsecured database. Although the app does not collect names, the database included nicknames, ages, ethnicities, genders, and location data of over 900 million users.
The online guitar lessons website TrueFire notified its users that a hacker gained access to names, addresses, payment card account numbers, card expiration dates, and security codes for the past six months. The total number of users affected is still unknown, but TrueFire has millions of users worldwide.
Unnamed U.K.-Based Security Firm
An unprotected database containing over 5 billion individual records was discovered stored on Elasticsearch. The records in the database are now twice leaked, as they come from previously breached sources dating back at least seven years, including records from known Adobe, Twitter, Tumblr, and LinkedIn breaches, among many others. Data exposed includes leak dates, passwords, email addresses, email domains, and companies that were the source of the original leaks.
The technology conglomerate General Electric (GE) disclosed that a third-party vendor experienced a data breach, exposing the personally identifiable information of over 280,000 current and former employees. The employee information accessed through Canon Business Process Services included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, and dates of birth.
Marriott International hotels exposed the information of 5.2 million guests after the login credentials of two employees were used through a third-party app used to provide guest services. The personal information of the hotel guests impacted includes names, mailing addresses, email addresses, phone numbers, loyalty account numbers and points balances, company, genders, birth dates, linked airline loyalty programs and numbers, room preferences, and language preferences. In a previous data breach in 2018, Marriott hotels exposed the personal information of 500 million guests.