Blockpass Data Breach Intelligence Report - November 2018

December 2018
In November, the Blockpass Research Team analyzed 13 independent incidents of data insecurity. Of these incidents, ten occurred to private companies, two to public institutions, and one to a non-profit organization. Together, the incidents affected nearly 600 million people. Amazon, the world’s largest e-commerce platform, failed to disclose how many of its customers were affected by its late November leak, so this number could increase by many millions in future reporting.

Of the incidents that were reported, at least four were the work of malicious parties (“hackers”). Most data breaches appear to have been the results of bugs or ineptitude. In several cases, security researchers have no clear idea of how long personal user data was publicly available and who may have accessed it. In only one instance out of those analyzed has the perpetrator been arrested.

# of Events Analyzed: 13
# of Identities Lost: approx. 571,371,872
% of World Population: 7.4%
Industry Hardest Hit: Hospitality

This report, for the month of November, is the first of what will become a monthly occurrence here on the Blockpass blog. We encourage the Blockpass community and anyone who might otherwise be interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.”

Marriott | Worldwide | 500 Million
On Friday, November 30th, Marriott announced that a major security breach had affected the reservation system for its subsidiary company, Starwood. The company admitted that the personal details of as many as 500 million customers had been stolen. Preliminary investigations show that Starwood’s database has been regularly accessed by some unauthorized party since 2014.

Marriott acquired Starwood properties in 2016. Starwood is a conglomerate which includes such popular chains as St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points, and W Hotels. The databases of Marriott properties had been kept separate following the acquisition and appear to have been unaffected by the security breach.

According to an email notifying customers of the breach, the leaked data included “...some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” For many millions of customers, payment information was also leaked, although with card numbers encrypted.

The security breach was discovered on September 8th during an internal assessment that was being carried out by the company’s security staff. Following the discovery, Marriott immediately consulted security experts and is now cooperating with authorities.

Voxox | Worldwide | 10s of Millions
Voxox, a major cloud communications company, exposed tens of millions of text messages sent to its clients’ customers. Messages included shipping and payment information, password reset and two-factor authentication codes, billing inquiries, and information about medical appointments.

The company’s services enable big-name clients such as Amazon and Booking, hospitals, and other institutions to communicate directly with their clients via SMS messaging. As was revealed by Sébastien Kaul, a Berlin-based security researcher, Voxox stored millions of these messages on a non-password-protected server located in San Diego, California. When Kaul accessed the server in the middle of November, the database held over 26 million text messages.

The database has now been taken offline, but it seems that the data had been exposed for quite some time, and the consequences could be enormous. Voxox’s CTO said that his team was “looking into the issue…”


FIESP | Brazil | Greater than 34.8 Million
The Federation of Industries for the Brazilian state of São Paulo (FIESP), which represents 130,000 companies, has been accused of leaking millions of personal data records from its databases. One of these databases included the data of 34.8 million individuals.

On November 12th, a security researcher discovered that the leaked data was readily accessible online through a search engine. Leaked information included names, ID, social security, and telephone numbers, addresses, and emails. The incident is now being investigated by the prosecutor's office.

Source: | Worldwide | 9.3 Million
, a marketing firm which sells access to a database which includes the contact information of 37 million people, including the data of C- and director-level executives, was found to be unsecured. The exposed data was found by the same security researcher who discovered the FIESP breach.

Information that was readily available online as a result of the breach included names, phone numbers, email addresses, and social media data. Of course, as a data aggregator, holds a great deal of responsibility regarding the data of which it is the custodian. It appears, however, that the company had put its trust into the wrong third-party server operator.

High Tail Hail | Worldwide | 500,000
Almost half a million users of furry erotica site High Tail Hail have had their personal information stolen. The stolen information, which includes names, email addresses, and order histories, was posted on a popular hacking forum. The value of this data has not been calculated.

While the hack and publication of the stolen data occurred in August, it would not be widely reported until November 21st. The company claims to have fixed the vulnerability that made the hack possible in October. It remains unclear what restitution will be made to victims.

Sberbank | Russia | 421,000
A massive data breach affected the employees of Russia’s largest bank. A database containing the emails and logins of more than 421,000 current and former employees of the bank was published online by an anonymous user. How this user came across the data and his or her motive remains unclear.

The bank immediately claimed that the breach would have no negative effect on employees and failed to provide any intelligence in terms of how the anonymous user was able to come across the data. However, the data has likely already been used as a basis for phishing scams.
Source: | United States | 75,000
At the start of November, officials from the American Department of Health and Human Services admitted to exposing the personal details of 75,000 people who had submitted insurance applications on, a government-run online marketplace where US residents can compare and purchase health insurance. Details leaked included applicants’ names, the last four digits of Social Security numbers, names of employers, and immigration statuses.

While the data leak occurred sometime in October, officials did not inform those affected until November 9th. While it appears that no “bank account numbers, credit card numbers, or diagnosis or treatment information” were exposed as a result of the breach, the announcement did not come until more than one week after open enrollment for 2019 health plans began, on November 1st. How early officials knew of the leak remains unclear.

Chicago Public Schools | United States | 70,000
A former contractor for the Chicago Public Schools system was arrested on November 1st after allegedly having stolen the personal information of 70,000 employees, volunteers, and vendors. The database that was breached included such information as names, employee ID numbers, addresses, criminal records, and dates of birth.

The alleged perpetrator, Kristi Sims, 28, had been hired as an IT specialist to help work on a background check project for the school system’s Office of Safety and Security. She held the data for about 24 hours before being arrested. All victims were immediately notified by email and the teacher’s union is considering the best course of action on behalf of its members.

Health First | United States | 42,000
About 42,000 Health First customers in Florida, United States had their data exposed between February and May of 2018. The data breach was not publicized by company officials until more than six months later, on November 12th.

Representatives of Health First claim that the data breach occurred at a low level; however, it might have made some Health First customers’ Social Security numbers vulnerable. The officials claimed that no medical information had been compromised.

Initial analysis indicates that the data breach was linked to a phishing scam perpetrated against Health First employees. All affected customers have been notified and offered identity protection services from a third-party provider at no cost.

Flunch | France | 33,572
The popular French restaurant chain, Flunch, exposed the data of 33,572 of its website’s users. The site,, serves as a web portal for potential employees to submit their applications. Information that was exposed included full names, mailing addresses, telephone numbers, and email addresses. The unsecure database contained no bank or payment information.

The data leak was discovered by a user who was applying for a job as an IT professional with Flunch. Upon submitting the application, he noticed a link that was “coded in a strange manner” within an automatic email response. Upon learning of the issue, Flunch immediately secured the database and called an emergency board meeting on November 9th. How long the data remained exposed and who might have accessed that data during that time remains unclear.

Vision Direct | United Kingdom | 16,300
The United Kingdom’s largest online contact lens retailer, Vision Direct, was subject to a malicious attack that affected about 16,300 customers. According to a company spokesperson, stolen data included both personal and financial information, including names, addresses, credit card numbers, CVV codes, and card expiration dates.

The attack began on the 3rd of November, when a malicious script was inserted into the website’s code, and continued until the 8th, when it was discovered. The customers most severely affected were those who had updated their payment information on the Vision Direct website during that time. Customers who paid using PayPal, which didn’t require credit card information to be submitted, only had personal information leaked.

Following the discovery of the attack, the company emailed and phoned all affected customers. Victims were instructed to change their account details and block any affected payment cards.

HSBC | United States | 14,000
A major data breach that affected American users of Europe’s largest bank was reported on November 2nd. The breach, which occurred between October 4th and 14th, involved the leak of a full picture of each client’s finances. Client names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction histories, payee account information and statement histories were leaked.

Bank administrators did not give an official or complete accounting of how many users were affected but admitted that it was about 1% of HSBC account holders in the United States. There are about 1,400,000 American customers of HSBC, so the number of victims can be inferred to be 14,000.

Amazon | Worldwide | Undisclosed
An undisclosed number of customer names and email addresses were leaked from an Amazon database just two days before Black Friday, an extremely active day for retail spending. Amazon has contacted all affected users and has fixed the issue. How much the leak affected Black Friday has yet to be assessed.