Media

Blockpass Data Breach Intelligence Report - July 2019

August 05, 2019




Over the course of July, the Blockpass Research Team analyzed 10 data breach events, chosen either for their scale, significant impact on consumers, or their implication on a global scene. This month, the largest data breaches were in the field of banking and social planning, with over 100 million users affected in each of two hacks.

Both of the largest hacks this month individually affected more people than the total of people affected last month; although one one the incidents reported is an update to one from the previous month, as the Evite hack was found to be significantly worse than initially thought. This month also sees repeat hacks for other companies and a large number of US victims. 

Whilst these ten instances are the only ones covered this month, it should be noted that the vast majority of data breach events are not discovered or reported until well after they happen. Also this month we begin to see the effects of GDPR come in as big names receive even bigger fines from failing to protect personal data. These sorts of failings and fines are exactly the type of thing Blockpass hopes to prevent. 



















# of Events Analyzed10
# of Identities Lost> 216,333,724
% of World Population>2.87%
Industry Hardest HitBanking

Capital One | Banking | over 106,000,000
Coming in at the end of the month, it was reported that US Capital One customers had been the victim of a significant data breach following the actions of a former employee of an Amazon.com Inc. cloud service. The woman in question has since been arrested but the data, which reportedly went missing at some time in the past 5 months, affected over 100 million people, with the majority in the US but 6 million from Canada.   

Stolen data includes names, addresses, phone numbers, dates of birth, self-reported income, credit scores and elements of transaction histories. 140,000 individual’s social security numbers and 80,000 bank account numbers are also believed to have been leaked. 

Sources:
https://www.bloomberg.com/news/articles/2019-07-29/capital-one-data-systems-breached-by-seattle-woman-u-s-says
https://www.bbc.co.uk/news/world-us-canada-49159859
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/


Evite  | Social Planning | 101,000,000
Originally reported last month, the Evite hack was originally thought to have affected 10 million individuals, but in the last few weeks has been revealed to have impacted closer to 101 million people - 10 times the number originally thought. The new information was brought to light by internet security website haveibeenpwned.com, which made the announcement following their receipt of a database containing new information. 

Though the data was claimed to be from no later than 2013, it is thought to include names, usernames, email addresses, passwords, dates of birth, phone numbers, mailing addresses, and genders.

Source:
https://gdpr.report/news/2019/07/16/evite-data-breach-bigger-than-initially-thought/ 

 

National Revenue Agency | Government | 5,000,000
In a similar vein to in incident a few months ago in Panama, more or less an entire country was found to have been hacked this month when the Bulgarian tax authority suffered a huge data breach, affecting approximately 5 in every 7 Bulgarians nationals and residents. There is speculation that that hack was politically motivated and was carried out by a Russian source. 

The information taken included names, addresses, incomes and social security information. The hacker sent an email to Bulgarian media afterwards to mock the cybersecurity standards of the government. The tax agency faces a hefty fine for the data breach.  

Sources:
Permalink/europe/bulgaria-hack-cyberattack.html
https://www.bbc.com/news/technology-49015511 

 

American Medical Collection Agency  | Healthcare | 2,200,000
Another update to June data breach intelligence report, the American Medical Collection Agency hack was found to involve the records of an extra 2.2 million individuals when the Texan-based Clinical Pathology Laboratories was discovered to have been compromised. Previous companies that came under the AMCA hack include Quest Diagnostics, LabCorp, BioReference Laboratories, Carecentrix and Sunrise Laboratories. This latest development brings the running total of people affected by the AMCA hack up to over 22,722,600.

US patients were the ones affected by this breach, which divulged patient names, addresses, phone numbers, dates of birth, dates of service, account balance details, credit card or banking information, and provider data. Clinical Pathology Laboratories has since terminated its working relationship with the AMCA.

Source:
https://healthitsecurity.com/news/2.2m-clinical-pathology-patients-included-in-amca-data-breach 

 

Flash Flash Revolution | Gaming | 1,858,124
Haveibeenpwned.com reported, with information from dehashed.com, another data breach this month with the game Flash Flash Revolution found to have lost data from over 1.8 million individuals. This is not the first time the game has been hacked, with another breach having occurred in 2016.

The compromised data is believed to include email addresses, IP addresses, usernames, dates of birth and salted MD5 hashes.

Source:
https://haveibeenpwned.com/PwnedWebsites#FlashFlashRevolution2019

 

Households | DNS Servers | 180,000
In a trend that has been seen throughout this year, the UK National Cyber Security Centre has discovered a number of Domain Name System attacks, lately targeted at users in Brazil which is believed to have compromised 180,000 people. Through this method, attackers can infect computers with malware, potentially gaining control of people’s computers and the information stored within. 

There are a number of consequences from having a compromised computer which includes stealing banking details, app logins, usurping computer power to run programmes, and redirecting users with false adverts or websites. To combat these types of attacks and the effects of malware, it is recommended that users maintain the latest anti-virus software. 

Sources:
https://www.infosecurity-magazine.com/news/ncsc-dns-hijackers/
https://www.ncsc.gov.uk/news/ongoing-dns-hijacking-and-mitigation-advice

 

Maryland Dept. of Labor  | Employment | 78,000
Vulnerabilities in old databases are thought to have led to a data breach this month that impacted people who had received unemployment benefits or applied for a General Equivalency Diploma (GED) in Maryland, USA. An unemployment insurance database and adult literacy database are believed to have been the databases in question, with names and social security numbers being taken. 

Maryland has been the location for a number of hacks in the past few years. The state governor has since dedicated increased resources to cyber security and state officials have offered compensation to those affected in this attack. 

Sources:
https://news.yahoo.com/dept-labor-reveals-data-breach-222823513.html
https://www.washingtonpost.com/local/md-politics/maryland-data-breach-accessed-up-to-78000-names-and-social-security-numbers/2019/07/05/a14c2760-9f41-11e9-85d6-5211733f92c7_story.html?noredirect=on&utm_term=.dc2d69ddd807

 

Los Angeles County Department of Health Services  | Healthcare | 14,600
Healthcare continues to suffer in data breaches recently with news revealed this month of the Los Angeles County Department of Health Services falling prey to a phishing attack. An employee of a contractor, Nemadji Research Corporation, had their account compromised, which led to the exposure of personal information of almost 15,000 patients. 

Names, addresses, phone numbers and patient information were all exposed, along with the social security numbers of at least two patients. The contractor has stated that its security measures are being upgraded and that the relevant authorities have been notified. 

Source:
https://losangeles.cbslocal.com/2019/07/10/data-breach-la-county-department-of-health-services-phishing/

 

Vitagene Inc. | DNA Testing | over 3,000
When it comes to personal data, it doesn’t get much more personal than DNA, and this month Vitagene Inc. was found to have left more than 3000 client genealogy reports unsecured online for years. The services of Vitagene Inc. are used by customers for dieting and exercise planning, but the information involved can be used to ascertain other details. 

This highly sensitive data was comprised of full names, dates of birth and gene-based health information including the likelihood of developing specific medical conditions. The company has apologised for the failure and has said it is reviewing security procedures to provide the highest level of privacy. 

Source:
https://www.bloomberg.com/news/articles/2019-07-09/dna-testing-service-exposed-thousands-of-customer-records-online

 

Sprint | Mobile Network | Unknown
For the second time this year, Sprint has been the victim of a data breach. The exact leaked details and number of compromised accounts are not known but could have affected millions of customers. Information on the previous attack was similarly vague, but the company will no doubt be reviewing its security measures and practices after suffering two breaches in one year. 

The potentially exposed data could include phone numbers, device types, device IDs, first and last names, billing addresses, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibilities, and add-on services.

Source:
https://www.securitymagazine.com/articles/90560-sprint-confirms-data-breach-for-second-time-in-2019 

 

Companies see consequences for previous data breaches
This month sees the first major repercussions for companies affected by data breaches under new GDPR rules. Following an incident in September 2018, British Airways faces a fine of over £180 million. Whilst this is a significant fine, it pales in comparison to the $5 billion fine being levied against Facebook by the Federal Trade Commission (FTC) for the data misuse in the Cambridge Analytica event. 

Whilst companies remain in control of user data, these types of events and fines are likely to remain commonplace. Hopefully, in the near future, Blockpass will be able to confine these types of news story to the annals of history. 

This report, for the month of July, is the ninth of our Data Breach Intelligence Reports. We encourage the Blockpass community and anyone who might be otherwise interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.”

If you believe you have been the victim of a data breach there may be resources available to help you; check with the relevant company to find out any details you can and see what their recommendations are. You can contact the security services for your country to intervene or ask for guidance on security forums online.