2018's Biggest Data Breaches So Far
Just five months in, and 2018 has already seen its fair share of data breaches. From retail to healthcare, millions of user accounts have been compromised, with personally identifiable information up for grabs on the dark web. Here are the some of the biggest headlines since January, and a quick guide to protecting your information in an increasingly pernicious cyber threat landscape.
Year to Date
1. Jason's Deli - January 11th
The fast casual delicatessen chain reported a breach, after it was discovered that malware had been collecting customer data through point-of sale devices. This malware extracted information by reading payment cards' magnetic strips, which include the cardholder's name, credit or debit card number, expiration date, verification value, and service code. The breach began in June 2017, and was confirmed when customer information was found for sale on the dark web. An estimated 2 million cards have been compromised, in 164 (of 275) locations, across 28 states.
2. Partners HealthCare - February 5th
Massachusetts General and Brigham & Women's hospitals experienced a hack in May of 2017, that targeted their computer network. The breach affected 2,600 patients, whose social security numbers, names, diagnoses, medications, and financial information was harvested. Partners is currently providing access to free credit monitoring and insurance to those affected. It was also reported that Partners' medical record system, which is housed separately, was not compromised in the attack.
Tip: Security doesn't have to be complicated or expensive. Here are a few simple ways to protect your business from cyber attacks.
3. FedEx - February 15th
In February, it was discovered that 119,000 scanned documents were left publicly accessible on an Amazon S3 server. These documents included passports and photo IDs of FedEx customers, as well as accompanying attached forms. These forms divulged even more information, including customer names, home addresses, phone numbers, and zip codes. The documents were dated from 2009-2012, and were on a server that originally belonged to Bongo International LLC, a company that specialized in shipping calculations and currency conversions. FedEx acquired Bongo in 2014. This particular breach highlights the importance of conducting an audit of all digital assets prior to acquisition, to ensure the proper handling and securing of customer data.
Image courtesy of Gizmodo.
4. Orbitz - March 20th
Travel site Orbitz discovered a potential data breach on March 1st, affecting 880,000 associated credit cards and accounts. The data was taken from an older booking form, and was accessed between October and December 2017. In addition to payment card info, the breach also included customer names, dates of birth, email and physical billing addresses, gender, and phone numbers.
Related: 5 Pennsylvania Data Breaches in 2017 & How to Avoid Them in 2018
5. Under Armour - March 29th
Currently the largest data breach of 2018, Under Armour's nutrition logging app "MyFitnessPal" was hacked, affecting 150 million account holders. This breach was discovered on March 25th, when it was noted that an unauthorized party had accessed user data. Usernames, email addresses, and hashed passwords were stolen. Fortunately, payment card data, which is processed separately, was not impacted. Under Armour has since notified affected parties, urging them to change their passwords.
6. Saks Fifth Avenue, Lord & Taylor - April 1st
The Hudson Bay Company, which owns Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor, was the target of a Fin7 attack. Hackers targeted the stores' payment systems, and stole payment card information as far back as May 2017. The majority of data was stolen in New York and New Jersey. Some 83 Saks Fifth Avenue locations were affected, as was the entire Lord & Taylor network. More than 5 million customers were affected, and 125,000 have had their information released for sale on the dark web.
Image courtesy of Forbes.
7. Panera Bread - April 2nd
Panera Bread leaked account information for 37 million customers, who had registered for the MyPanera program to order food online. Panera was alerted in August that one of their webpages was leaking data offline, including customers' names, email and mailing addresses, birthdays, and the last four digits of their payment cards. Panera loyalty card numbers were also exposed. It is believed that any customer " including corporate and catering clients - who used Panera's online system to order food (for pick-up or delivery) in the U.S. and Canada" was affected.
8. SunTrust Bank - April 20
The most recent of this year's major breaches, SunTrust Bank reported that a former employee stole the data of 1.5 million customers. This information included names and account balances, but not Social Security or account numbers, or passwords. Although the bank has not identified "significant fraudulent activity", the compromised account information was shared with a malicious third party.
Keeping Your Info Safe
If you think that your information has been compromised in a data breach, consider taking the following steps:
- Review your account information, and determine if you were impacted by a given breach
- Change the passwords associated with your account
- Implement multi-factor authentication for extra security
- Determine if the company responsible is providing assistance, perhaps in the form of complementary credit reporting
- Monitor your credit report for suspicious activity
- Request a new payment card
The Proactive Approach
While the above named corporations are all large enterprises, businesses of all size are experiencing data breaches that can damage their reputation, customer trust, and bottom line. So how can your business be proactive to help you avoid a similar disaster in the future?
By leveraging third party expertise that provides tailored, proactive IT infrastructure. In partnering with an IT provider, such as iCorps, you can utilize resources including, but not limited to, the following:
- Anti-virus protection
- Managed network security
- Data backup and disaster recovery plans
- Vulnerability and network monitoring
- Email encryption and SPAM filtering
Unfortunately, many companies wait until it is too late to develop a security posture befitting their size, scope, and clientele. Others operate under the assumption that cybersecurity ends with setting up a firewall - the "set it and forget it" mindset. This is simply not the case. There is no substitute for a well thought out, customized cybersecurity plan. Do not let the growing threat of cybercrime and data theft distract from your businesses' goals, profits, and prospects. While reviewing the state of your security posture, remember to:
- Stay informed – connect with industry experts, who can position your business for success through proactive defense
- Streamline cyber defense – incorporate defense-in-depth enterprise-class security features, tailored to your businesses' unique needs
- Implement these basic resources
- A data and recovery plan
- Routine employee training
- An executive-level strategy including proactive cybersecurity
policies, insurance, regulatory responses, and IT resources
Learn more about iCorps' managed services.