20/Jun/2019
As we reach the middle of the year, sadly 2019 is proving to be a busy one for cyber breaches. At the moment, April seems to be the front-runner among the months to date, living up to its reputation as “the cruellest month”.
In January, Singapore’s Ministry of Health (MOH) revealed a data breach involving 14,200 individuals. While the number may not seem all that serious, the nature of the incident was, given that all of these people had been diagnosed with HIV. An unknown hacker managed to steal the information alongside 2,400 of their contacts. The records were published online.
April
A data blunder involving just two people occurred in April due to a UK council. The council disclosed the personal information of a couple who adopted abused children to a birth mother, with a history of violence, forcing them to relocate to protect their adopted children’s’ safety.
Needless to say, Facebook is a constant source of data leaks and security failures. An incident in April added to the list when two AWS servers were found by researchers to store over 540 million records including account names, Facebook IDs, and user interaction data. The servers in question were owned by third parties and were not properly secured.
Another April data breach involved the Georgia Institute of Technology. Apparently a vulnerable web application provided access to a database which stored the personal data of current and former staff and students. In total, 1.3 million individuals are believed to have been affected.
Yet another data breach in April involved Japanese car giant Toyota. Indeed, the company has recently faced several intrusions across Australia, Thailand, Vietnam, and Japan. In the last instance, as many as 3.1 million customers and employees were affected. Reports suggest that eight Toyota subsidiaries and dealerships were attacked and hackers were able to access internal computer systems. Names, dates of birth, and employment information – among other information – were all involved.
In the US, a data leak involving individuals seeking rehabilitation for addictions was another serious breach. An unsecured database stored 4.91 million records including patient names and the treatments they sought. Duplicate and multiple records were in play. However, the breach is believed to affect roughly 145,000 individuals, fewer people than those whose names were on the database.
US real estate and insurance giant First American said in April that a data breach of critical severity had revealed 885 million customer records. Dating back to 2003, these records included Social Security numbers, driver’s license images, financial data, and transaction records. What made matters worse was that the information was available on the firm’s website for anyone to steal!
May
A massive, but mysterious, data breach was revealed in a May report from the Office of the Australian Information Commissioner (OAIC) which documented the exposure of information belonging to 10 million individuals in a single incident. The OAIC did not say which organisation disclosed the breach, although they did reveal that the incident was reported between January 1, 2019, and March 31, 2019.
Another security incident in Australia was disclosed in May. Sydney startup Canva said that a hacker stole information belonging to approximately 139 million users. This data – including names, email addresses, and some physical location information – was later put up for sale on the Dark Web, as part of a larger stolen data dump.
By the end of May, hotels and leisure resorts became the victims of data exposure caused by an unsecured server. Researchers found the database through Shodan and were able to access roughly 85.4GB in security audit logs belonging to up to 96 hotels. The source of the leak was Pyramid Hotel Group, a property management firm, which did not admit its ownership of the server, although access was revoked at the same time as private disclosure.
June
In June, it was disclosed that information belonging to up to 11.9 million Quest Diagnostics patients had been compromised. AMCA, a billing collections partner, was at fault. A hacker managed to access the firm’s systems, and it is possible that financial information, Social Security numbers, and medical information has been either exposed or stolen outright.
Another June data breach involved the Australian National University. The university said that a “significant” number of staff and students – potentially as many as 200,000 people – were affected by a “sophisticated operator” able to steal data including names, addresses, dates of birth, phone numbers, email addresses, passport details, and academic records. The data taken extends back to 19 years.
