The biggest security breaches of 2019, so far

If you thought the number of data breaches was bad last year, 2019 is looking to be so much worse — think Capital One. So far this year, billions of consumers’ accounts have been breached either through hackers or plain carelessness.

But it’s important to remember that when it comes to data breaches the number of accounts hacked doesn’t always matter. One breach could affect millions but the data is fairly generic, while a smaller breach could contain highly sensitive information.

This year, major data breaches have hit medical companies, retailers, social media, and banking and financial firms. We’ve compiled the following list of major and dangerous breaches, plus we have tips on how to protect yourself if your information has been compromised.

Retailers hit by data breaches

Earl Enterprises

Earl Enterprises, the restaurant company that owns a number of national chains including Buca di Beppo, Planet Hollywood and Earl of Sandwich, suffered a data breach caused by malware being installed on its point-of-sale systems between May 23, 2018, and March 18, 2019.

The 10-month-long attack may have allowed hackers to steal the details of 2 million payment cards, which could include consumers’ credit and debit card numbers, expiration dates and even cardholder names.

Other restaurants affected were Chicken Guy! in Florida, Mixology in Los Angeles, and Tequila Taqueria in Las Vegas. A cybersecurity company found that the 2 million stolen credit and debit numbers were sold on the dark web.

Toyota

Toyota announced in April that hackers had accessed the company’s servers. The company said stored sales information on 3.1 million Toyota and Lexus car owners was stolen.

Toyota did not know what information was stolen. However, company officials said customers’ financial details were not stored on the hacked servers.

Familiar social media site continues data breach streak

Facebook

Facebook is the poster boy for social media data breaches. There have been a few this year, but the largest one was due to carelessness.

In April it was discovered that hundreds of millions of Facebook users’ records were exposed publicly on Amazon servers by third-party app developers. Two separate Facebook app data sets were stored in their own Amazon S3 cloud server buckets, but both were configured to allow the files to be downloaded by anyone.

The bigger data set belongs to a Mexico-based media company. The massive 146 GB file contained information such as comments, likes, reactions, account names, and Facebook IDs.

The other data set is a backup from a now-defunct Facebook app called “At the Pool” and contains records of user IDs, friends, likes, interests, check-ins, groups and the unprotected plain-text Facebook passwords of 22,000 users.
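The bucket misconfiguration described above can be caught by auditing each bucket's ACL and policy for grants to "anyone". The following is an added example, not code from the article or from any of the companies named. It assumes the ACL and policy documents have already been fetched in the shape the S3 API returns them, and the bucket name and account ID are constructed. It does not evaluate statements that carry a Condition or account-level Block Public Access settings.

```python
import json
from fnmatch import fnmatchcase

# Grantee URIs that S3 ACLs use for "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions an ACL document grants to the public groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_policy_statements(policy_json):
    """Sids of unconditional Allow statements that let any principal read."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, st in enumerate(statements):
        principal = st.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        # IAM action names are case-insensitive and may contain wildcards.
        reads = any(fnmatchcase(target, str(a).lower())
                    for a in _as_list(st.get("Action", [])) for target in READ_ACTIONS)
        if st.get("Effect") == "Allow" and anyone and reads and "Condition" not in st:
            findings.append(st.get("Sid", f"statement-{i}"))
    return findings

# Constructed samples (hypothetical bucket name and account id).
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-app-backup/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OneAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-backup/*"}]})
```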

Hackers zero in on banking, financial companies

Capital One

Capital One’s servers were hacked, affecting over 100 million people in the U.S. Hackers took information on credit scores, credit card limits, balances, credit history, home addresses, and most alarming, Social Security and bank account numbers.

The number of customers whose Social Security and bank information was stolen stands at 220,000. Capital One said it began working with law enforcement as soon as the breach was detected.

The FBI has apprehended a person it believes is responsible for the hack, but the investigation is still ongoing.

Ascension

Data analytics firm Ascension exposed around 24 million financial and banking documents due to a misconfigured server. The database was not password protected, allowing anyone to view and access the treasure trove of information.

The leaked information included documents related to loan and mortgage records from a number of major banking institutions such as CitiFinancial, HSBC Life Insurance, Wells Fargo, Capital One and even the Department of Housing and Urban Development.

The leak also exposed names, addresses, birth dates, Social Security numbers, bank and checking account numbers, tax documents and more. The actual number of people affected remains unclear and it is not known if the information was accessed by hackers.

First American Financial

First American Financial, one of the nation’s leading settlement and insurance providers, exposed 800 million records containing sensitive data. But hackers weren’t to blame for this breach.

A flaw in its database design made critical data visible to anyone using a web browser for more than two years. On its public-facing website, private mortgage information, tax records, and even Social Security and bank account numbers could be seen by anyone with an internet connection.

The data dated back nearly 16 years and required no username or password to view. And First American literally handed people access to the data.

The company regularly sends its users links to documents with each file labeled by number in the web address. If you ever received a document link from the company, all you would need to do to access another person’s information would be to change the number in the URL.
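The flaw described above is a missing authorization check on a predictable document number. The following is an added example, not First American's code: it sets a lookup keyed only on the number in the link beside a hardened form that uses random link tokens and checks the logged-in user on every read. All names and records are constructed.

```python
import secrets

# Constructed document store: sequential number -> owner and content.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "Alice's mortgage statement"},
    1002: {"owner": "bob", "body": "Bob's tax record"},
}

def fetch_vulnerable(doc_number):
    """The pattern the article describes: the number in the URL is the
    only thing checked, so any neighbouring number returns someone
    else's document."""
    doc = DOCUMENTS.get(doc_number)
    return doc["body"] if doc else None

# Hardened form: links carry an unguessable token instead of the number,
# and the server still verifies ownership on every request.
LINK_TOKENS = {}  # token -> document number

def issue_link_token(doc_number):
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    LINK_TOKENS[token] = doc_number
    return token

def fetch_hardened(session_user, token):
    """Return (status, body). An unknown token and a document owned by
    someone else both yield 404, so responses do not reveal which
    documents exist."""
    if session_user is None:
        return 401, None
    doc = DOCUMENTS.get(LINK_TOKENS.get(token))
    if doc is None or doc["owner"] != session_user:
        return 404, None
    return 200, doc["body"]
```

The random token alone is not the fix, since links get forwarded and logged; the ownership check is what stops one customer from reading another's file.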

One medical agency hacked, compromising three companies

American Medical Collection Agency (AMCA)

American Medical Collection Agency (AMCA) suffered a massive data breach that affected three of its major clients — Quest Diagnostics, LabCorp and Clinical Pathology Laboratories (CPL).

An unauthorized user had access to AMCA’s web payment system. The breach was not detected for eight months. The affected companies said lab results were not accessed.

The data of 11.9 million Quest, 2.2 million CPL and 7.7 million LabCorp patients were exposed. CPL said the names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information may have been stolen in the breach.

CPL added that the credit card or banking information of another 34,500 patients was compromised. The breach was limited to U.S. residents.

LabCorp said full names, dates of birth, addresses, phone numbers, dates of service, providers, balance information and, in some cases, bank account and credit card information were exposed. AMCA notified 200,000 LabCorp customers whose financial data could have been accessed.

Data from Quest customers included banking information and credit card numbers, medical records and Social Security numbers. Because the breach went undetected for eight months it’s unclear just how far-reaching this breach could be.

ZOLL Medical Corporation

ZOLL Medical Corporation said it learned of the breach on January 24 during a server migration. ZOLL uses a third party to archive company emails, and during the migration data from those emails was exposed.

Along with names, addresses, dates of birth and some limited medical information, the company said that in some cases consumers’ Social Security numbers were also exposed. More than 277,000 people were affected by the breach.

ZOLL Medical Corporation develops and markets medical devices and software for emergency care.

Government breach re-victimized victims

FEMA

A report by the Department of Homeland Security’s Office of Inspector General found that the Federal Emergency Management Agency (FEMA) shared sensitive information about 2.3 million disaster victims. The people had endured four major disasters, such as hurricanes Harvey, Irma, and Maria or major wildfires in California.

The breach affected people who used FEMA’s Transitional Sheltering Assistance program. Names, addresses, partial Social Security numbers and banking information were shared with a private contractor managing the program.

Data company left database unprotected

Verifications IO

Verifications IO left more than 2 billion unencrypted records in an unprotected database. The information was broken into four separate collections.

The collections contained email addresses, last names, dates of birth, addresses, phone numbers, social media account details, credit scores, gender information and more.

Verifications IO approves or verifies email addresses for third parties. Following the discovery of the breach, the company took down its website and domain name.

The company also removed the exposed records the same day the breach was discovered. So far there’s no indication that any of the records were stolen.

Hackers build mystery databases on the dark web

Collection #1, Collection #2-5

If data is stolen from a breached database, you often can find it for sale on the numerous marketplaces that circulate on the dark web. Sometimes the data can be pinpointed to a specific breach, but every once in a while hackers will create collections from a variety of breaches.

This brings us to the mother of all data breaches. “Collection #1” is a compilation of stolen credentials from a number of other data breaches dating back to 2008. Collection #1 has nearly three-quarters of a billion email accounts, more than 20 million passwords and information from about 2,000 leaked databases.

This 87GB collection contains 2 billion records. Not long after Collection #1 was found, four more were found — “Collection #2,” the 37GB “Collection #3,” the 178GB “Collection #4,” and the 42GB “Collection #5.”

Collections #2-5 together are almost three times the size of Collection #1. That translates to about 25 billion records containing 2.2 billion unique usernames and passwords.

The dark web price tag for “access lifetime” to these collections is just $45.

No name database

In February, around 617 million account details stolen from 16 compromised websites ended up for sale on the dark web. The seller’s asking price for the stolen data was less than $20,000 in Bitcoin.

The databases were spotted on an underground trading site called The Dream Market, and samples tested from the collection appear to be legitimate. The cache of data includes account holder names, email addresses, and passwords.

The passwords, however, are either hashed or one-way encrypted so they have to be cracked before they can be used. Another 127 million accounts were added to the original cache. These records came from eight compromised websites.

How to avoid and what to do if your data is hacked

As you can see, databases are breached on a regular basis. Needless to say, if the information gets into the hands of scammers, it could lead to all kinds of malicious activity.

Here are some suggestions for protecting yourself if your data is stolen:

Beware of phishing scams – Scammers will try and piggyback on huge breaches like this. They will create phishing emails, pretending to be the affected company, hoping to get victims to click on malicious links that could lead to more problems. Take our phishing IQ test to see if you can spot a fake email.

Keep an eye on your bank accounts – You should be frequently checking your bank statements, looking for suspicious activity. If you see anything that seems strange, report it immediately.

Check your online accounts – Have I Been Pwned is an easy to use website with a database of information that hackers and malicious programs have released publicly. It monitors hacker sites and collects new data every five to 10 minutes about the latest hacks and exposures.

Get a credit freeze – If you think that your identity has already been compromised, put a credit freeze on your accounts as soon as you can.

Have strong security software – Protecting your gadgets with strong security software is important. It’s the best defense against digital threats.

Use different passwords – It is always a bad idea to use the same password for a variety of websites. If you use the same password on multiple sites, and one site is breached, it puts your accounts on other sites at a greater risk.

With hackers seemingly always one step ahead of companies, don’t be surprised if you find out your data has been breached. Find out what the company is doing about it and use the above suggestions to either build a firewall against them or to contain the fallout.
