List of data breaches and cyber attacks in October 2019 – 421 million records breached

In a month where security experts across Europe were boosting awareness of cyber security, organisations had mixed results in their own data protection practices.

On the one hand, the 421,103,896 data records that were confirmed to have been breached in October represents about 50% of the monthly average.

But on the other hand, there were a staggering 111 incidents, including several in which sensitive and financial information was compromised.

It was also a particularly bad month for the UK, with 9 confirmed breaches. As we have been doing for the past few months, we’ve listed UK-specific incidents in bold.

Cyber attacks

• Student hacked into school system to gain competitive advantage in water gun fight (unknown)
• Comodo Forums users told that their data has been stolen and traded online (170,000)
• Zynga confirms massive database on its Words with Friends database (218 million)
• ND-based St. Mary’s College announces breach connected to 2018 Chegg incident (unknown)
• IN-based Goshen Health leans that 2018 data security incident did need to be reported (9,160)
• Snapchat hack leads to Missouri-based school shooting threat (1)
• Tukwila, WA, School District hit by phishing scam (unknown)
• University of Alabama data breach exposes patients’ protected health info (20,000)
• Kent State students hit by credential harvesting (3,000)
• Malaysia-based Hibiscus Petroleum suffers cyber attack (unknown)
• Minnesota high school’s ventilation system hacked, destroying gym floor (unknown)
• IN-based Methodist Hospitals discloses breach after two employees fall for phishing scam (68,039)
• Dutch sex work forum hookers.nl hacked (250,000)
• Another prostitution forum hacked; this time Italian-based escortforum.xxx (unknown)
• Hackers target students at a Connecticut high school with phishing scam (unknown)
• The ‘word of honor hacker’ tricked guilty people into handing over their cash (17)
• California’s Central Valley Regional Center notifies patients of email account breach (unknown)
• Texas’ Hunt Memorial Hospital District notifies more patients of 2018 data breach (unknown)
• Students forced to reset passwords after learning platform Naivance hacked (1,343)
• Global cyber attack attributed to Iran was actually Russian, UK says (unknown)
• Hackers breach Avast antivirus network through insecure VPN profile (unknown)
• NordVPN, TorGuard and VikingVPN disclose data breaches dating back to 2017 (unknown)
• Phishing attack blamed as PA-based Geisinger Health Plan notifies patients of data breach (56,176)
• A DDoS gang is extorting business posing as Russian government hackers (unknown)
• Thousands of websites and a TV station in Georgia have been hit by cyber attack (unknown)

Ransomware

• Victoria government insists patient data is safe after ransomware attack (unknown)
• North Florida OB-GYN discloses ransomware incident (528,188)
• AL-based Sarrell Dental notifies patients of ransomware attack (391,472)
• Philadelphia school district says it paid $38,000 to free network from ransomware (2,515)
• DCH Health ransomware attack causes three Alabama hospitals to turn patients away (unknown)
• Cornelia, GA, has the right protocol to avoid ransom after systems infection (4,160)
• Bradford, PA, government has swift response to ransomware attack (8,305)
• Hacker shuts down computer systems of Spanish city of Jerez de la Frontera (212,879)
• Oregon-based Monterey Health Center confirms ransomware attack (unknown)
• The M6 Group, France’s largest private multimedia group, reports ransomware attack (unknown)
• Postal service Pitney Bowes announces ransomware attack (unknown)
• Indiana’s South Knox School Corporation back up after ransomware attack (unknown)
• Ransomware in Jasper Co., SC, affecting emergency services (unknown)
• German automation tools producer offline for a week after ransomware attack (unknown)
• Ransomware cripples San Bernardino City Unified School District (unknown)
• Johannesburg held to £28,000 ransom by cyber criminals (unknown)
• Missouri’s Betty Jean Kerr Health Center says some data gone after ransomware (152,000)
• Ransomware strikes TrialWorks, preventing lawyers from accessing documents (2,000)

Data breaches

• Sioux Falls Veteran Affairs Health Care System warning patients about privacy breach after mail room gaffe (unknown)
• Canadian pharmacy left patient data in a landfill (unknown)
• Two Greater Manchester secondary schools affected after pupils’ data ‘misplaced’ (425)
• Administrator at the University of Pittsburgh apologies after sharing student data (7)
• Maine-based St. Mary’s Hospital won’t say whether it notified patients’ of ‘wall of shame’ (unknown)
• IL-based Advocate Christ Medical Center demonstrates how not to respond to a data breach (1)
• Russian mobile phone operator Beeline implicated in data breach (8.7 million)
• Canadian woman receives someone else’s medical data from Interior Health (1)
• Alberta Health Services says hard drive containing personal data has been missing since August (650)
• Mail provider Click2Mail alerting customers to data breach (unknown)
• Brazilians’ personal details auctioned on underground forums (92 million)
• Auckland woman sent ‘fully identifiable’ mental health notes about another patient (1)
• Norfolk and Norwich University Hospital patients furious after their health records sent to the wrong address (11)
• Philadelphia Department of Health exposes names of people with hepatitis (23,000)
• Devon woman’s answerphone message somehow became Devon hospital’s voicemail (1)
• Databases belonging to two popular cashback services operating in the UK and India breached (3.5 million)
• Employees at Canada’s Lucia Mar School District at risk after email gaffe (unknown)
• Job seekers in the UK and US hit after recruitment sites misconfigure Cloud databases (250,000)
• Mercedes-Benz app glitch exposed car owners’ personal info to other users (100,000)
• Cyber security firm WizCase uncovered a spate of data breaches at:
  • Brazillian Medical office practice management system Cadlin (1.2 million)
  • Canadian dental software firm ClearDent (60,000)
  • US firm JintelHealth, now known as DeepThink Health (700,000)
  • International ophthalmic optics group Essilor (1,700)
  • NAISS (the Nigerian HIV/AIDS Indicator and Impact Survey) (80,000)
  • Saudi Arabian data analytics platform Stella Prism (300,000)
  • US-based pharmacy software provider VScript (800)
  • Tsinghua University Clinical Medical College in China (50,000)
  • Sichuan Lianhao Technology Group in China (24 million)
• US-based reservations management system Autoclerk leaks hotel guest data (>2,000)
• British charity Home Group warns customers after data breach (4,000)
• Patients’ data exposed on Malaysia’s national neurology website (17,000)
• Virginia-based CARFAX files lawsuit alleging data theft (unknown)
• Adobe exposed personal data of its creative-software providers (7.5 million)
• Southeast Missouri State University email gaffe breaches students’ privacy (50)
• CenturyLink discovered that database containing customer info was exposed online for months (2.8 million)
• Irish beauty chain Thérapie Clinic investigating data breach (unknown)
• European bank UniCredit says compromised file caused data leak (3 million)
• Ontario Science Centre breaches donors’ names, email addresses (174,000)
• US retailer Kroger reports ‘isolated incident’ involving pharmacy records (unknown)
• Unified Carrier Registration’s website leaking Social Security numbers and tax info (23,000)
• SC-based Prisma Health discloses its third data breach in two months (22,000)
• West Berkshire Council notifies ICO after email gaffe (1,107)
• Esports players furious after FIFA 20 promo results in data leak (1,600)
• ZenDesk says it’s discovered a historic data breach (10,000)

Financial information

• US-based McAlister’s Deli investigating hack designed to copy payment card data (unknown)
• Hacker breaches TransUnion Canada web portal and steals credit files (unknown)
• Cloud-hosted online store Volusion hacked, with malicious code stealing payment card data (unknown)
• North Carolina-based Mission Health warns patients of years-long data breach (unknown)
• Hackers hit Click2Gov bill-paying portals in 8 cities (300,000)
• IL-based First National Bank of Brookfield investigating card skimmer on drive-thru ATM (unknown)
• Pine County, MN, government hit my payroll scam (4,400)
• US fast-food chain Krystal had disclosed breach of its payment systems (unknown)
• American Cancer Society’s online store hit with payment card data-stealing malware (unknown)
• French fashion retailer Sixth June victim of payment card skimming scam (unknown)

Malicious insiders and miscellaneous incidents

• Employee at Canadian medical clinic fired for snooping on patient data (2)
• ‘Disgruntled source’ behind breaches at New Zealand government (unknown)
• UKIP party leader suspended over data theft allegations (unknown)
• Hard drive containing criminal casework stolen from court in Ghana (unknown)
• Police receptionist used her force’s database ‘like Facebook’ to keep tabs on friends’ family (unknown)
• Wells Fargo bank teller arrested for identify fraud (unknown)
• Louisiana-based health insurance firm Humana notifies customers of privacy breach (500)
• Russia’s largest bank, Sberbank, is investigating credit card data leak (60 million)
• Computer containing meeting and interview transcripts stolen from New Zealand’s Commerce Commission (unknown)
• Winnipeg Children’s Hospital says someone stole patient data from locked cabinet (53)

In other news…

• US intel official charged with leaking classified info to journalist, who is also his partner
• Singaporean charged in US with identity theft; accused of meth possession
• Lawsuit reveals that Equifax used ‘admin’ as username and password for database containing sensitive data
• Former Met Police detective loses court battle over data breach pay-out
• Texan man sentenced to 12 years in prison for phishing LA County Court

Source: IT Governance