2020 Data Breaches
In 2019 there were over 7.9 billion data records exposed. That was a 33% increase over 2018!
Last year, the Federal Trade Commission (FTC) imposed hefty fines and penalties on companies involved in data breaches such as the Equifax breach and Facebook data leaks, to settle charges of improper handling of Personally Identifiable Information (PII).
So, what about 2020 data breaches and what does the future hold? While we clearly don’t want to see any more of what we saw in the past few years, the odds are not looking good. In fact, data breaches aren’t going away.
Here are the 2020 Data Breaches so far.
Landry’s
Restaurant conglomerate Landry’s announced a point-of-sale malware attack that targeted customers’ payment card data – the company’s second data breach since 2015.
Peekaboo Moments
An unsecured database on an Elasticsearch server linking back to Peekaboo Moments, an app where parents post images and videos of their children, was left exposed.
Hanna Andersson
An undisclosed number of shoppers of the children’s clothing retailer, Hanna Andersson, had sensitive payment information exposed. This breach is the latest in a string of Magecart attacks, where hackers install malware in Point of Sale (POS) systems to skim credit card information.
Microsoft
A customer support database holding over 280 million Microsoft customer records was left unprotected on the web. Microsoft’s exposed database disclosed email addresses, IP addresses, and support case details.
Marijuana Dispensaries
THSuite, a point-of-sale system of marijuana dispensaries across the U.S., disclosed personal information belonging to over 85,000 medical marijuana patients and recreational users after leaving their database unprotected.
Estee Lauder
An unsecured database belonging to the makeup company Estee Lauder exposed 440 million customer records.
Fifth Third Bank
Fifth Third Bank, a financial institution with 1,150 branches in 10 states, claims a former employee is responsible for a data breach, which exposed customers’ names, Social Security numbers, driver’s license information, mothers’ maiden names, addresses, phone numbers, dates of birth and account numbers.
Health Share of Oregon
The theft of an employee laptop from GridWorks IC, a third-party vendor of Health Share of Oregon, has exposed the personal and medical information of 654,000 members.
MGM Resorts
Over 10.6 million hotel guests who have stayed at the MGM Resorts have had their personal information posted on a hacking forum.
PhotoSquared
The photography app, PhotoSquared, has exposed the personal information and photos of the 100,000 individuals who have downloaded the app. Besides photos, users’ names, addresses, order receipts, and shipping labels were impacted in the unsecured database.
Slickwraps
Slickwraps, an online tech customization store, admitted to leaving the information of 850,000 customers in an unprotected database. The customer information disclosed includes names, email addresses, physical addresses, phone numbers, and purchase histories.
Walgreens
Walgreens, the second-largest US pharmacy chain, announced an error within their mobile app’s messaging feature that exposed not only personal messages sent within the app but also the names, prescription numbers and drug names, store numbers, and shipping addresses of its users.
Carnival Cruise Lines
Two cruise lines under the Carnival Corporation, one of the world’s largest cruise ship operators, divulged sensitive information of their employees and customers after a hacker accessed an employee’s work email.
J-Crew
Hackers accessed online accounts of customers of J-Crew, through a credential stuffing attack. Using exposed emails and passwords, the hackers were able to login to an unknown number of J-Crew customer accounts and gain access to stored information including the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers, shipping confirmation numbers, and shipment status.
T-Mobile
An unknown number of customers’ sensitive information was accessed through T-Mobile employee email accounts after a malicious attack on a third-party email vendor.
Whisper
Whisper, an anonymous secret-sharing app, has left member information exposed in an unsecured database. Although the app does not collect names, the database included nicknames, ages, ethnicities, genders, and location data of over 900 million users.
TrueFire
The online guitar lessons website, TrueFire, notified its users that a hacker gained access to names, addresses, payment card account numbers, card expiration dates, and security codes for the past six months.
General Electric
The technology conglomerate, General Electric (GE), disclosed that a third-party vendor experienced a data breach, exposing the personally identifiable information of over 280,000 current and former employees. The employee information was accessed through Canon Business Process.
Marriott International
Using the login credentials of two employees through a third-party app used to provide guest services, Marriott International hotels exposed the information of 5.2 million guests. The personal information of the hotel guests impacted includes names, mailing addresses, email addresses, phone numbers, loyalty account numbers and points balances, company, genders, birth dates, linked airline loyalty programs and numbers, room preferences and language preferences. In a previous data breach in 2018, Marriott hotels exposed the personal information of 500 million guests.
Key Ring
A digital wallet app, Key Ring, left stored customer data of 14 million users accessible in an unsecured database. The app allows its users to easily upload and store scans and photos of membership and loyalty cards to a digital folder on their mobile device.
San Francisco International Airport (SFO)
Two websites hosted by the San Francisco International Airport (SFO), SFOConnect.com and SFOConstruction.com, suffered a security incident in which hackers injected malicious code to collect users’ login credentials. The malware gained access to usernames and passwords used to log on to the impacted websites.
Zoom
The credentials of over 500,000 Zoom teleconferencing accounts were found for sale on the dark web and hacker forums for as little as $.02. Email addresses, passwords, personal meeting URLs, and host keys are said to be collected through a credential stuffing attack.
Quidd
A collection of 4 million login records belonging to the online marketplace Quidd was breached through a hack, then posted on a dark web forum for free. Once accessible, the usernames, email addresses, and hashed account passwords were shared among members of the forum. Although the passwords were hashed, cybercriminals are unhashing them and selling the data again.
Beaumont Health
The personal and medical information of over 112,000 employees and patients of Beaumont Health was accessed by a malicious actor after compromising employee email accounts through a phishing attack.
Facebook
More than 267 million Facebook profiles have been listed for sale on the Dark Web – all for $600. Reports link these profiles back to the data leak discovered in December, with additional PII attached, including email addresses. Researchers are still uncertain how this data was exposed.
Nintendo
A credential stuffing attack using previously exposed user IDs and passwords of popular video game company, Nintendo, granted hackers access to over 160,000 player accounts.
Ambry Genetics
Ambry Genetics, a genetic testing laboratory based in the U.S., announced 233,000 medical patients had their personal and medical information accessed by a third party through an employee email.
GoDaddy
The web hosting site, GoDaddy, announced to its users that an unauthorized third party was granted access to login credentials. The site is said to have 19 million users and possibly 24,000 users had their usernames and passwords exposed. The company has reset passwords to prevent further access.
Fresenius Group
A reported ransomware attack on the Fresenius Group, a global healthcare company and one of the largest dialysis equipment providers in the U.S., impacted the company’s operations around the world. The organization claims its systems were affected by a computer virus, but a source confirmed the hacker held the healthcare company’s IT systems and data hostage in exchange for payment in bitcoin.
U.S. Marshals
The personal information of 387,000 former and current inmates was accessed by a hacker who exploited a server vulnerability in a U.S. Marshals Service database.
Magellan Health
Magellan Health, a Fortune 500 healthcare company, has sent a notice to its patients that it had fallen victim to a phishing scam and ransomware attack. The information held for ransom includes names, contact information, employee ID numbers, W-2 or 1099 information, including Social Security numbers or taxpayer identification numbers, as well as login credentials and passwords for employees.
Home Chef
The information belonging to 8 million users of the home meal delivery service, Home Chef, was found for sale on the dark web after a data breach. The information for sale includes names, email addresses, phone numbers, addresses, scrambled passwords, and last four digits of credit card numbers.
Wishbone
Over 40 million users of the mobile app, Wishbone, had their personal information put up for sale on the Dark Web. Usernames, emails, phone numbers, location information and hashed passwords were exposed in a data breach before being advertised in a hacking forum.