This month, we’ve seen an abundance of sensitive personal, medical, tax and financial information make its way into the hands of cybercriminals through unsecured databases and data leaks. As we head into the holiday shopping season, be on the lookout for signs of credential stuffing and account takeover fraud. That means a thief takes previously stolen emails, user IDs, and passwords and looks for other accounts that use the same login, then takes control of them. It’s a relatively easy method for even unsophisticated hackers to use to gain access.
Check your bank and credit card statements thoroughly, and review your credit reports for suspicious activity such as credit checks you didn’t initiate or new accounts you didn’t open. If you start to see emails from your accounts saying that you’re locked out after too many sign-in attempts, or that your orders are on hold because payment information is incorrect, that’s a red flag. And if you receive notification that you were part of a data breach, change your passwords!
Here are the recent data breaches that made headlines in October 2020:
Blackbaud, a cloud-based fundraising database management vendor for non-profits and educational institutions, fell victim to a ransomware attack that began in February 2020 and remained undetected until May 2020. Blackbaud paid the ransom and received confirmation the data had been destroyed. Before deleting the data, the cybercriminals copied sensitive data from over 6 million donors, potential donors, patients, and community members, including names, emails, phone numbers, dates of birth, genders, provider names, dates of service, department visited, and philanthropic giving history. A recent SEC filing in September 2020 reveals that hackers gained access to more unencrypted data than originally reported, including Social Security numbers, financial accounts, and payment information. Hundreds of Blackbaud’s impacted clients continue to disclose the data incident, including Inova Health (1.5 million), Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000), Spectrum Health (52,711), Northwestern Memorial HealthCare (55,983), and Main Line Health (60,595). Several organizations in Vermont were also included in the breach, such as the Vermont Foodbank, Middlebury College, and Vermont Public Radio.
Customers of the food delivery startup, Chowbus, received an email notification from the company that included a link to access the personal and account information of about 800,000 customers. The customer data in the data dump includes names, phone numbers, and mailing and email addresses.
Barnes & Noble
Popular bookseller, Barnes & Noble, notified customers that a cybersecurity attack led to exposed customer information and caused service disruption of Nook e-reader books. The company has not disclosed how many customers have been impacted, but noted billing and shipping addresses, telephone numbers, and email addresses were accessed in the data leak.
A year-long Point-of-Sale (POS) system breach has impacted 3 million customers of the popular national BBQ chain, Dickey’s Barbecue Pit. Hackers posted over 3 million customers’ payment card details for sale on the Dark Web, where the records are being sold for $17 per card.
Security researchers at Comparitech discovered an unsecured database belonging to the cloud-based communication company, Broadvoice, containing the records of more than 350 million customers along with call transcripts. The exposed Elasticsearch database contained personal details such as caller names, caller identification number, phone number, and location, along with voicemail transcripts.
The pharmaceutical corporation, Pfizer, exposed the personal and medical information of hundreds of medical patients taking cancer drugs through a data leak. A misconfigured Google Cloud database exposed names, phone numbers, home addresses, email addresses, customer support messages, health data, medical status, phone call transcripts, and prescription information.
Fragomen, Del Rey, Bernsen & Loewy
The immigration law firm responsible for representing Google, Fragomen, Del Rey, Bernsen & Loewy, announced that a security incident has exposed the personal information of current and former Google employees. An unauthorized third party gained access to an undisclosed number of employee Form I-9s, containing full name, date of birth, phone number, Social Security number, passport numbers, mailing address, and email address.