Blockpass Data Breach Intelligence Report - August 2019
September 04, 2019
During the month of August, the Blockpass Research Team analyzed 14 data breach events, chosen either for their scale, significant impact on consumers, or their implication on a global scene. Whilst information around many data breaches remains clouded, with the companies or numbers of people involved unknown, we are still seeing millions of people’s personal information being stolen.
From the 14 events this month, the largest confirmed data loss affected 68 million people, with another hack suspected in exposing the data of 83 million people or more; however, a data breach involving Twitter - with a reported 125 million+ daily users, has the potential to be much higher. Despite the uncertainty of these events, the likely minimum number of people affected still amounts to over 160 million - over 2% of the world’s population. In a particularly worrying development this month, a cybersecurity company itself was hacked, calling into question the safety of methods we have previously been relying on to keep us protected. These developments and unhalting flow of data breaches continues to point to the need for a new solution with new technology - Blockpass.
It should be noted that the data in the report below only covers personal information incidents, and that there are other data breaches that target information belonging to companies, about research or products, or on organisations.
# of Events Analyzed
14
# of Identities Lost
>160,822,328
% of World Population
>2.14%
Industry Hardest Hit
E-Commerce
StockX | E-Commerce | 68,000,000 Footwear trading platform StockX came under fire for its lack of honesty recently when claiming a password reset was for a system update before admitting the next day that it was due to a suspected hack. The company was contacted by someone who stated they had obtained user information following a hack earlier in the year and StockX later admitted it seemed to be genuine.
Personal data of 68 million customers, including names, email address, shipping address, usernames, hashed passwords, and purchase history, were all believed to have been stolen and put up for sale on the dark web. Fortunately, financial details are believed to be uncompromised.
Unnamed | Healthcare | 6,800,000 An anonymous healthcare company was the target of this data breach which left the information of 6,800,000 individuals exposed. Based in India, the targeted company was discovered by FireEye, a US-based cybersecurity firm, who revealed that both doctors and patients had information stolen.
The hackers behind the attack are believed to be mostly China-based cyber criminals. Many healthcare companies have been the victims of attacks in recent months and it is suspected by FireEye that information on cancer research is in high demand at the moment, particularly in China, due to high mortality rates.
Luscious | Adult Entertainment | 1,195,000+ Over a million people may have cause to be worried with news this month that adult website Luscious was the victim of a data breach. A supposedly anonymous site that allowed users to upload photos and animations, Luscious reportedly left data unsecured and unencrypted, leaving users exposed in more ways than they were expecting.
Among the visible data was user gender, activity, uploads, comments, likes, and blog posts. In addition, email addresses which contained full names were involved. Interestingly, the report of the incident also revealed that users from Brazillian, Australian, Italian, Malaysian and Australian governmental and educational institutions were amongst those signed up to the site.
Suprema | Biometric Security | 1,000,000+ Normally when personal data is lost or stolen it’s an inconvenience but it’s recoverable; bank details can be changed, passports can be renewed with new numbers, phone numbers and email addresses can be changed. Some things however, can’t be changed. Of these, possibly the most personal information - that of your fingerprints - was found to be the subject of a data breach this month, when researchers with VPNMentor, a cyber-security firm, discovered personal data linked to security tool ‘Biostar 2’ - a product of biometric security firm Suprema.
In addition to fingerprints, researchers also discovered photographs, facial recognition data, names, addresses, passwords, employment history and other personal data. Companies around the world were using the Biostar 2 system and the exposed data affected enterprises as diverse as a gym franchise in India and Sri Lanka, a festival in the UAE, and human resources firm in Belgium.
Pearson Plc | Education | 980,625+ A data breach that originally occurred last year has been revealed this month as London-based Pearson Plc admitted that the accounts of thousands of educational institutions, mostly in the US, had been compromised.
Each account that involved could potentially hold information on thousands of students at schools and universities. Though the confirmed total affected remains unknown, Nevada alone was reported by the Wall Street Journal to have 114,000 students in schools affected by the breach, and 980,625 or more estimated to have been impacted in total. The personal data involved includes first names, last names, dates of birth, and some email addresses.
MoviePass | Entertainment | Tens of thousands An unsecured database led to the exposure of tens of thousands of cinema-goers this month as MoviePass failed to encrypt or assign a password to the records. The company has since secured its database.
Tens of thousands of people had their credit card information, including card numbers, left open to be viewed by anyone, with over 160 million records from tens of thousands of users involved according to SpiderSilk, a cybersecurity company who investigated the issue.
New York City Fire Department | Emergency Services | 10,253 A lost hard drive has led to a data breach for the NYC Fire Department with over ten thousand previous patients having their details lost. Despite the fact that the fire department may have saved lives by treating or transporting those people in emergencies, it has unfortunately misplaced data which could include social security numbers.
The affected individuals have been contacted and the fire department has offered free credit monitoring to those suspected of having their social security numbers exposed.
Binance | Exchange | Potentially 10,000+ An event that was covered in one of the Blockpass blogs recently, the Binance cryptocurrency exchange was purportedly the victim of a breach this month when a hacker claimed to have possession of thousands of photos of Binance user’s KYC data.
It should be noted that the veracity of this claim is still being questioned, as the ‘proof’ that the hacker posted onto a Telegram channel lacked the company's watermark and nothing has yet been confirmed.
Regardless of the truth of the situation, Binance suffered all the negative PR as if it had been confirmed, with users flooding their Twitter and Telegram to complain. The final effects of this alleged attack are as yet unknown.
Tribal | Software and Services | 9,300 A number of people in the education sector suffered this month when software and services provider Tribal discovered a data leak that affected one of its Australian customers.
The data in question came from a student information system being used by educational group MEGT. Around 9,300 people are believed to have been affected but the extent of the impact has not yet been disclosed. Financial costs have not been ruled out.
Entertainment Software Association | Gaming | 2,000+ The personal data of journalists, YouTube content creators, financial analysts and others were exposed during E3 this year when a spreadsheet intended to allow the companies in attendance to organise press meetings and coverage was left unsecured on the ESA website.
Brought to the company’s attention by YouTuber Sophia Narwitz, ESA immediately tried to secure the data, but not before it had been accessed by others. Whilst some of those affected only included their work email address and phone number for contact information, others had given their name, phone number and home address.
Facebook | Social Media | 50+ Facebook has once again been subject to a data breach, this time for the leak of audio clips send with the Voice Chat function. The leak affected users in both the US and Europe but the company has only revealed that 50 Europeans were affected, not detailing the number of US citizens affected.
Audio clips from users were collected and transcribed by third parties, employed by Facebook without permission from the users who had been under the impression that only AI would be involved in the process. With significant scandals around data privacy and security in the past years, this new development couldn’t have come at a worse time for Facebook as it seeks to launch its own cryptocurrency, Libra, with assurances that privacy and security will be its utmost concern.
State Farm | Insurance | Unclear, up to 83 million or more
This month, US-based insurance provider State Farm was attacked when a hacker obtained a list of user IDs and passwords illegally and used them to access State Farm user accounts. The company has not yet confirmed the number of accounts that were compromised but the State Farm serves over 83 million users.
It is believed that the hacker was able to get in thanks to peoples propensities for using the same password for multiple sites through a credential stuffing attack. By finding leaked usernames and passwords from other websites and data breach incidents, an attacker can attempt to use the same login details with other companies, gaining access if the user has duplicated their password and username and the website doesn’t have further login measures such as two-factor authentication. The company reset user passwords and requested users not reuse passwords.
Twitter | Social Media | Unknown Social media giant Twitter has fallen afoul of user privacy standards by, potentially, inadvertently allowing user data to be shared with third parties and advertising companies despite users privacy settings being set to forbid this.
The flaw, which is thought to have been live since May, could have exposed user country codes, details on the adverts they clicked and if they engaged with it. In addition, the company admitted to targeting ads at users. There have not been any details released of how many people were affected by this, but given that Twitter was reporting around 125 million daily users, the potential number impacted could be very high.
Imperva | Cybersecurity | Unknown “Quis custodiet ipsos custodes” has been given a slightly different spin this month as cybersecurity company Imperva were themselves the victims of a data breach. The company, which provides Internet firewall services, was informed that a vulnerability in its Incapsula product which had exposed sensitive information.
A spokesperson from the company revealed that email addresses, passwords which were hashed and salted (combined with additional random data before hashing to make decrypting them harder for attackers), some API keys and customer-provided SSL certificates were all taken. This could potentially allow the hacker to set themselves up in place of the companies involved. The number of people that have been or will be affected by this attack is so far unknown.
This report, for the month of August, is the tenth of our Data Breach Intelligence Reports. We encourage the Blockpass community and anyone who might be otherwise interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.”
If you believe you have been the victim of a data breach there may be resources available to help you; check with the relevant company to find out any details you can and see what their recommendations are. You can contact the security services for your country to intervene or ask for guidance on security forums online.