March was an interesting month for data breaches in the U.S. because some of the bigger breaches appeared to be the result of mistakes within a company rather than identity thieves with malicious intent. Companies made errors that exposed customer data—and in one case, undercover spammers accidentally exposed their own data. These types of breaches aren’t to be taken lightly, though. Just because they weren’t initiated by a hacker doesn’t mean that the vulnerable data didn’t eventually fall into the hands of one.
Here are the recent data breaches that were making headlines in March 2017:
Saks Fifth Avenue
BuzzFeed broke the news that customer information was available in plain text via a specific link on the Saks Fifth Avenue website. Tens of thousands of customers had their personal information visible on a page where customers could join a wait list for products they were interested in. It was possible to see email addresses, phone numbers, product codes, and IP addresses; payment details were not exposed. Hudson’s Bay Company, the Canada-based organization that owns Saks Fifth Avenue, took the information down after it was contacted by BuzzFeed. At this time, it’s not clear how this happened, how customers may have been affected, or who was responsible.
Dun & Bradstreet
An enormous marketing database with over 33 million corporate contacts at companies like AT&T, Wal-Mart, CVS Health, and the U.S. Department of Defense was shared across the web. Dun & Bradstreet, a large business services company, sells the database to thousands of companies around the country, and it insists that its own firm was not breached; instead, one of the companies that purchased the 52GB database must have been breached. Currently, it’s not clear where the leak originated, but the database may have included full names, work email addresses, phone numbers, and other business-related data.
River City Media
A group of spammers, operating under the name River City Media, unknowingly released their private data into cyberspace after failing to properly configure their backups. The leak, known as Spammergate, included HipChat logs, domain registration records, accounting details, infrastructure planning, production notes, scripts, business affiliations, and more. The biggest discovery, however, was a database of 1.4 billion email accounts, IP addresses, full names, and some physical addresses. Thankfully, the “good guys” found the information (in this situation, Chris Vickery, a security researcher for MacKeeper) and reported everything to the proper authorities. At this time, it’s unclear what’s going to happen to River City Media.
UNC Health Care
Patients who had received prenatal care in the University of North Carolina Health Care System were notified about a potential data breach that may have affected them. A total of 1,300 letters were sent out to women who had completed pregnancy home risk screening forms at prenatal appointments between 2014 and 2017 at the Women’s Clinic at N.C. Women’s Hospital and UNC Maternal-Fetal Medicine at Rex; they were told that their personal information may have been mistakenly sent to local county health departments. Breached information included full names, addresses, races, ethnicities, Social Security numbers, and a variety of health-related information. The county health departments are subject to federal and state privacy laws and must protect all information they received; they were also asked to purge any electronic information about non-Medicaid patients.
Check back next month to stay up to date on the most recent data breaches.