Cyberattacks & Breaches | Protecting Yourself
Updated: Jun 9, 2021
Too frequently we see the news headlines addressing massive data breaches involving a well-established company such as Yahoo, Equifax, Target, Marriot, etc. Data breaches have the potential to cause a complete breakdown of trust between a business and their customers. Based on the nature of the breach, organizations may have to compensate the affected customer(s) or pay legal fees. The monetary and reputational damages can be enormous! Companies of all sizes will become the victim of a disastrous breach at one point in time if security practices continue to be an afterthought.
In 2021 alone, there has been an explosion of scams and fraudulent activity. Data breaches continue to rapidly expose consumers’ Personally Identifiable Information (PII) at a disturbing rate. Close to three hundred million people have been at risk of identity theft due to a data breach. However, cybercriminals are also concentrating their time on other lucrative attacks, including ransomware, malware, credential stuffing, and Virtual Private Network (VPN) exploitation.
The breaches and scams that we hear about in headlines daily are not going anywhere. They are continuously emerging and evolving into bigger and more threatening attacks. We are here to help you be prepared, be secure, and stay informed to help you mitigate your risk of identity theft.
A recent article highlighted some of the largest data breaches in 2021. Let’s take a look!
Ubiquiti Inc.
January 11, 2021: One of the largest Internet of Things (IoT) vendors, Ubiquiti, Inc., alerted its customers of a data breach caused by unauthorized access to their database through a third-party cloud provider. The data exposed included an undisclosed number of customer names, email addresses, hashed and salted passwords, addresses and phone numbers.
Parler
January 11, 2021: News of the conservative social media app, Parler, having its data stolen by a hacker came to light after Amazon Web Services removed the platform from its servers. The 70TB of leaked information included 99.9% of posts, messages, and video data containing data of date, time and location. Users who had verified their identity by uploading their driver’s license or other government-issued photo ID, were also exposed.
Facebook, Instagram and LinkedIn
January 11, 2021: A Chinese social media management company, Socialarks, suffered a data leak through an unsecured database that exposed account details and PII of at least 214 million social media users from Facebook, Instagram and LinkedIn. The exposed information for each platform varied but included user’s names, phone numbers, email addresses, profile links, usernames, profile pictures, profile description, follower and engagement logistics, location, Messenger ID, website link, job profile, LinkedIn profile link, connected social media account login names and company name.
Mimecast
January 12, 2021: Mimecast is a cloud-based email management service that provides email security services for Microsoft 365 accounts. A cybercriminal compromised a certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to Microsoft 365. According to the company, approximately 10 percent of its customers used the compromised connection, but have since been prompted to reinstall a newly issued certificate.
Pixlr
January 20, 2021: A database containing 1.9 million user records belonging to Pixlr, a free online photo-editing application, was leaked by a hacker. The database was stolen at the same time as the attack on 123RF, which exposed over 83 million user records. The leaked records include email addresses, usernames, passwords, user’s country, whether they signed up for the newsletter, and other sensitive information.
Meet Mindful
January 24, 2021: The dating platform, MeetMindful.com, was hacked by a well known-hacker and had its user’s account details and personal information posted for free in a hacker forum. The leaked details of more than 2.28 million users registered included names, email addresses, location details, dating preferences, marital status, birth dates, IP addresses, Bcrypt-hashed account passwords, Facebook user IDs and Facebook authentication tokens.
Bonobos
January 22, 2021: Customer data was stolen from the men’s clothing retailer, Bonobos, was found for free in a hacker forum after a cybercriminal downloaded the company’s backup cloud data. The exposed database contains order information for over 7 million customers, including addresses, phone numbers, and account information for 1.8 million registered customers, and 3.5 million partial credit card records.
VIP Games
January 26, 2021: VIPGames.com, a free gaming platform, exposed over 23 million records for more than 66,000 desktop and mobile users due to a cloud misconfiguration. The leaked user records include usernames, emails, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, bets and data on players who were banned from the platform.
U.S. Cellular
January 28, 2021: Through a targeted attack on retail employees of U.S. Cellular, the fourth-largest wireless carrier in the U.S., hackers were able to scam employees into downloading malicious software onto company computers. Once downloaded, the software granted remote access to the company devices and to the customer relationship management (CRM) software containing account records for 4.9 million customers. The company states that 276 customers were impacted and notified of the security incident. While viewing a customers’ account in the CRM, the hacker had access to names, addresses, PINs, cell phone numbers, service plans, and billing/usage statements.
“Compilation of Many Breaches” (COMB)
February 2, 2021: A database containing more than 3.2 billion unique pairs of cleartext emails and passwords belonging to past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin, Yahoo, and more were discovered online. This is the largest compilation of data from multiple breaches, which is where the name “Compilation of Many Breaches” or COMB comes from. The searchable and well-organized database was leaked to a popular hacking forum, giving hackers access to account credentials, including approximately 200 million Gmail addresses and 450 million Yahoo email addresses, and more.
Nebraska Medicine
February 10, 2021: A malware attack allowed a hacker to access and copy files containing the personal and medical information of 219,000 patients of Nebraska Medicine. The health network notified affected individuals that the accessed information includes names, addresses, dates of birth, medical record numbers, health insurance information, physician notes, laboratory results, imaging, diagnosis information, treatment information, and/or prescription information, and a limited number of Social Security numbers and driver’s license numbers.
California DMV
February 18, 2021: The California Department of Motor Vehicles (DMV) alerted drivers they suffered a data breach after billing contractor, Automatic Funds Transfer Services, was hit by a ransomware attack. The attack exposed drivers’ personal information from the last 20 months of California vehicle registration records, including names, addresses, license plate numbers and vehicle identification numbers (VINs).
Kroger
February 20, 2021: A third-party data breach at cloud solutions company, Accellion, allowed hackers to steal human resources data and pharmacy records belonging to the supermarket giant, Kroger. The records disclosed could include names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers as well as information on health insurance, prescriptions and medical history.
T-Mobile
February 26, 2021: An undisclosed number of T-Mobile customers were affected by SIM swap attacks, or SIM hijacking, where scammers take control of and switch phone numbers over to a SIM card they own using social engineering. With access to customer phone numbers, scammers receive messages and calls which allows them to log into the victims’ bank accounts to steal money, change account passwords, and even locking the victims out of their own accounts that use two-factor authentication. The attack also exposed customer information including names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers (PIN), account security questions and answers, date of birth, plan information, and the number of lines subscribed to their accounts.
Microsoft Exchange
March 3, 2021: Cybercriminals have targeted four security flaws in Microsoft Exchange Server email software. The attackers used the bugs on the Exchange servers to access email accounts of at least 30,000 organizations across the United States, including small businesses, towns, cities and local governments. The cyberattack gives the hackers total remote control over affected systems, allowing for potential data theft and further compromise. Microsoft has released security patches for these bugs and urges customers to apply the updates as soon as possible.
SITA
March 4, 2021: The global IT company, SITA, which supports 90% of the world’s airlines confirmed it fell victim to a cyberattack, exposing the PII belonging to an undisclosed number of airline passengers. The stolen information includes names, traveler’s service card numbers, and status level.
MultiCare
March 9, 2021: A third-party ransomware attack exposed the personal information of over 200,000 patients, providers and staff of MultiCare Health System, a non-profit health care organization. The attack allowed access to personal information including names, insurance policy numbers, Social Security numbers, dates of birth, bank account numbers, and more.
California State Controller’s Office (SCO)
March 23, 2021: A phishing attack targeting the California State Controller’s Office (SCO) Unclaimed Property Division led to an employee clicking on a malicious link, logging into a fake website, and granting a hacker access to their email account. The criminal had access to the account for 24 hours, allowing permission to view Personally Identifying Information (PII) contained in Unclaimed Property Holder Reports and to send more phishing emails to the hacked SCO employee’s contacts. The number of employees affected, and the types of personal information impacted have not been disclosed.
Hobby Lobby
March 23, 2021: A database containing records of over 300,000 customers of the arts and crafts chain store, Hobby Lobby, was exposed after the company suffered a cloud-bucket misconfiguration. The disclosed information included customer names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as the source code for the company’s app.
Cancer Treatment Centers of America
March 26, 2021: The Cancer Treatment Centers of America sent out notifications to 104,808 patients, alerting them a compromised email account led to medical information being accessed by an unknown third-party. The compromised account contained patient names, health insurance information, medical record numbers, CTCA account numbers, and limited medical information.
April 3, 2021: The personal data of 533 million Facebook users from 106 countries has been posted online for free in a low-level hacking forum. The data was scraped in a vulnerability that the company patched in 2019, and includes users’ phone numbers, full names, location, email address, and biographical information.