In November, Americans begin to prepare for the holiday season, gather with friends and family, and get ready to wrap up another great year. Unfortunately, hackers also seemed to have a lot to be thankful for this November, with plenty of data breaches—both planned and accidental—to go around.
This month, a popular ride-service app was in hot water for paying off hackers to hide a data breach. We also saw foster parents and children fall victim to human error, a clothing retailer discover infected point-of-sale systems, and an online image-sharing community find out about a past data breach—on Thanksgiving day, no less.
Here are the recent data breaches that were making headlines in November 2017:
Uber
In November 2017, 57 million Uber users and drivers learned that their personal information was compromised during an October 2016 data breach—a breach that had been kept hidden by the company until now. When the breach originally happened, hackers gained access to GitHub, a service that Uber’s engineers use to collaborate on software code. Two hackers downloaded the data stored on GitHub, which included names, email addresses, and phone numbers of Uber users worldwide.
The hackers demanded $100,000 from Uber in order to keep the stolen information off the Dark Web, along with a promise to delete the hacked data. Uber paid the money and tried to keep the situation secret from the public. That was the wrong decision, though. Now, TechCrunch is reporting that the New York Attorney General’s office has opened a case to investigate the $100,000 cover-up. There’s also a chance Uber may be in trouble with its home state of California, as under Civil Code 1798.82, businesses are required to disclose data breaches affecting more than 500 state residents to the Attorney General’s office “in the most expedient time possible and without reasonable delay.”
Maine Foster Care
Full names, addresses, and Social Security numbers of Maine residents receiving foster care benefits were among the private information accidentally exposed on a third-party website recently. A contractor hired by the Maine Office of Information Technology was conducting a system upgrade on September 21, 2017, and inadvertently posted the sensitive information to a public website for about four and a half hours.
Though the information was removed immediately when it was discovered, approximately 2,100 Maine residents were affected by the error. Maine’s Chief Information Officer, Jim Smith, does not believe there is any indication that the personal data was misused, though the information was accessed once during that time period by an unknown individual.
Forever 21
Forever 21, a retailer that sells women’s, men’s, and children’s clothing, revealed a possible data breach which may have affected an unknown number of customers. The company believes some of its in-store payment systems may have been compromised between March 2017 and October 2017. After receiving a report from a third party suggesting that unauthorized access may have occurred, Forever 21 launched an investigation of its payment card systems with the assistance of a security and forensics firm.
The company said it implemented “encryption and tokenization solutions” in 2015 and that it appears encryption was not operating on the targeted PoS devices. Forever 21 encouraged customers to keep an eye on their payment accounts and look for fraudulent charges.
Imgur
A popular online image-sharing community—Imgur—received an unfortunate notification during the afternoon of Thanksgiving: Troy Hunt of the website Have I Been Pwned had discovered a potential data breach. Imgur said its Chief Operating Officer received the email late at night on November 23, 2017, and immediately responded to Hunt to learn more. By the early morning of November 24, Imgur confirmed that about 1.7 million user accounts (out of 150 million users) were compromised in 2014.
Compromised information only included email addresses and passwords, as Imgur does not ask for any kind of personally identifying information. Passwords had been hashed with the older SHA-256 algorithm, which means hackers may have easily cracked the passwords. Imgur updated its algorithm last year. Impacted users were notified on November 24th and Imgur notified the public by 4 PM PST on the same day.
Check back next month to stay up to date on the most recent data breaches.