
Blockpass Data Breach Intelligence Report - March 2019

April 05, 2019




Over the course of March, the Blockpass Research Team analyzed 7 data breach events, chosen for their scale, their significant impact on consumers, or their implications on the global scene. This month, the largest single data breach was in Digital Marketing, although a number of health-related services were also affected.

Never before has our analysis of cybersecurity breaches gotten closer to the ‘b’ word. On March 22nd, a cybersecurity researcher revealed that a digital marketing firm, Validations.io, had leaked personal information on the largest scale we have seen in our reports to date: just under one billion individuals. As a result, March turned out to be the worst month we’ve seen so far in terms of data security. Taking into consideration only the events that we analyzed, 13.1% of the world population was affected. This month stands as a testimony to the risk created when companies collect massive amounts of data for marketing purposes, and to the lack of security we currently live with.

Blockpass offers a solution to this unsecured amassing of data. All Blockpass users are empowered to be in full control of their data. Only those companies that the user approves have access to their data. Ultimately, Blockpass aims to put an end to huge leaks like the ones we have seen this month.



















# of Events Analyzed: 7
# of Identities Lost: approx. 988,757,520
% of World Population: 13.1%
Industry Hardest Hit: Digital Marketing

This report, for the month of March, is the fifth of our Data Breach Intelligence Reports. We encourage the Blockpass community and anyone who might be otherwise interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.”

Validations.io | Digital Marketing | 982,000,000
Companies gathering large databases of the contact details of potential customers is common practice in business today. However, never before has that practice led to anything on as large a scale as the Validations.io security breach which was discovered by cybersecurity researcher Bob Diachenko on March 22nd.

As was reported by the Daily Mail on March 29th, Validations.io offered a service that enabled companies to submit their own email lists in order to find out which accounts were active and which were not. Validations.io maintained a massive database with nearly a billion email addresses against which client lists would be checked.

The database also contained certain kinds of personal information, including company addresses and annual revenue figures. Unfortunately, it was found that the database was available online, completely unprotected. Following the discovery, Validations.io has gone offline and has failed to provide any comment to the media or law enforcement.

Source:
https://www.dailymail.co.uk/sciencetech/article-6864029/Biggest-breach-recorded-982-MILLION-peoples-personal-information-exposed.html?ico=pushly-notifcation-small

Toyota | Automobile Manufacturing | 3,100,000
On March 29th, automobile manufacturer Toyota announced that it had experienced a data breach which affected as many as 3.1 million of its customers. The company has still not provided any information regarding the kind of data that had been leaked, but they have confirmed that the breach affected servers located at their headquarters and at subsidiaries in Japan.

Interestingly, this is Toyota’s second leak in five weeks, the previous one affecting only subsidiaries in Australia. Toyota has stated that they are working to investigate the issue and are collaborating with the relevant authorities.

Source:
https://www.zdnet.com/article/toyota-announces-second-security-breach-in-the-last-five-weeks/

Federal Emergency Management Agency (FEMA) | Disaster Relief | 2,300,000
The United States' Federal Emergency Management Agency, better known as FEMA, leaked the personal addresses and some banking information of more than 2.3 million survivors of Hurricanes Irma, Harvey, and Maria. The data was not leaked to the public, but rather was shared with a private contractor that was not authorised to have access. It appears that a software error caused more data to be shared than was intended.

According to the Department of Homeland Security, a total of 2.3 million people were affected by the incident, with 1.8 million having bank details leaked and 725,000 having their home addresses exposed. FEMA has stated that they have fixed the issue and are putting safeguards in place to prevent future incidents.

Source:
https://www.itpro.co.uk/data-breaches/33307/disaster-victims-sensitive-information-exposed-through-fema-data-breach

Health Sciences Authority (HSA) | Healthcare | 808,201
On March 15th, it was reported by TODAY Singapore that a security breach had led to the personal data of 808,201 Singaporean blood donors being leaked. Apparently, the data had originally been left unsecured in January and had remained online for nine weeks until March 13th, when the vulnerability was discovered by a cyber-security expert.

Originally, the data had been entrusted to the Singaporean Health Sciences Authority, which manages and operates blood banks in the country. Victims include past blood donors as well as individuals who had been unable to donate blood due to a medical condition.

Investigators have confirmed that the data had been mishandled by a vendor that had been engaged by the HSA, Secur Solutions Group. Leaked information included names, ID numbers, genders, blood types, heights, weights, and the dates of the individual’s last three donations.

Source:
https://www.todayonline.com/singapore/personal-data-808000-blood-donors-compromised-nine-weeks-hsa-lodges-police-report

Zoll | Medical Technology | 277,319
On March 20th, Modern Healthcare reported that the medical device and software manufacturer Zoll had leaked the personal information of 277,319 customers. The breach, which happened sometime in January or February but was only discovered in March, likely occurred during a server migration. Zoll uses a third-party service provider to archive company emails. As a result, customer email addresses, addresses, dates of birth, and some medical information were leaked. Additionally, some social security numbers have been confirmed to have been leaked.

Source:
https://www.komando.com/happening-now/556695/zoll-medical-data-breach

Family Locator | Productivity App | 238,000
On March 23rd, it was reported by TechCrunch that the personal and location details of more than 238,000 families had been leaked by the popular mobile family tracking application Family Locator. The app, which works similarly to popular GPS-tracking software like Find My Phone, enables families to see one another’s location in real time. One of the app’s more popular features is the creation of ‘geofences,’ which are specifically labeled locations such as ‘school’ or ‘home.’ The application sends a notification whenever a family member enters or leaves one of these locations.


Unfortunately, the backend MongoDB database for this feature had been left unsecured online. This security breach was discovered by Sanyam Jain, a security researcher and member of the GDI Foundation. The database included usernames, email addresses, profile photos, passwords, and records of family members’ real-time locations precise to a few feet. All of this data was available in plain text and unencrypted.

Source:
https://techcrunch.com/2019/03/23/family-tracking-location-leak/

Natural Health Services | Healthcare | 34,000
On March 28th, The Canadian Press reported that the records of medical marijuana company Natural Health Services, based in Windsor, Ontario, had been leaked. Apparently, the leaked information includes customers’ diagnostics as well as their contact information. NHS and their parent company, Sunniva, have taken responsibility. A class action lawsuit may be pursued by affected customers.

Source:
https://windsor.ctvnews.ca/personal-data-of-34-000-medical-marijuana-patients-accessed-in-data-breach-nhs-1.4356392