Media
Blockpass Data Breach Intelligence Report - June 2019
July 2019
During the month of June, the Blockpass Research Team analyzed 10 data breach events, chosen either for their scale, significant impact on consumers, or their implication on a global scene. This month, the largest single data breach was in the field of healthcare, with 6 companies in the healthcare industry being affected by data breaches this month.
As the summer sun arrives, it appears that hackers, or possibly the analysts that discover their work, might be on holiday, with this month showing the lowest number of people affected by data breaches since we began our monthly reports. Of course, even this comparatively low number is still almost 50 million people, and the impact it could have on their lives is potentially enormous.
Although the research team only found these significant cases, it’s worth bearing in mind that many data breach events do not make the news as soon as they happen, with word coming out months or even years later. At the Blockpass meetups we have heard from security experts that almost all systems will be hacked to some extent at one point or another; many companies and people aren’t even aware they’ve been hacked.
American Medical Collection Agency | Healthcare | over 20,522,600
Reported in a number of publications, a number of healthcare providers had their data leaked by a third party - the American Medical Collection Agency - which collects data for various healthcare-related organisations. Data was lost through a vulnerability in the payment system which lasted 8 months. Affected organisations include:
Quest Diagnostics: 11,900,000 patients
LabCorp: 7,700,000 patients
BioReference Laboratories: 422,600 patients
Carecentrix: 500,000 patients
Sunrise Laboratories: unknown
Patient data compromised included names, dates of birth, addresses, phone numbers, card information, bank account information, Social Security Numbers, and healthcare details.
Sources:
https://patch.com/maryland/annapolis/massive-medical-data-breach-could-put-md-consumers-risk
https://krebsonsecurity.com/2019/06/labcorp-7-7m-consumers-hit-in-collections-firm-breach/
https://techcrunch.com/2019/06/03/quest-diagnostics-breach/
Evite | Social Planning | 10,000,000
Providing a social planning platform and e-invitations service, Evite was hacked back in February of this year. The company was notified by business tech news website Zdnet in April but officially announced the breach on their website this month. The company believes that the information taken may include names, usernames, email addresses, passwords, dates of birth, phone numbers, and mailing addresses.
Investigation by data security firms hired by Evite found the hackers had retrieved an ‘inactive data store age file associated with user accounts’. The account is reported to be of older accounts with no information more recent than 2013. The company has since taken measures to improve its security measures and secure compromised accounts. The Evite website has contact details for those wanting further information.
Sources:
https://www.zdnet.com/article/evite-e-invite-website-admits-security-breach/
https://www.evite.com/security/update
EatStreet | Food Ordering | 6,000,000
It was revealed this month that online U.S. food ordering service EatStreet had suffered a data breach in May, in which a hacker stole information pertaining to the company, its customers and partners. Speaking to Zdnet, hacker ‘Gnosticplayers’ claimed they had perpetrated the attack, which occurred on the 3rd of May and was only discovered on the 17th of May.
Restaurants, delivery partners and customers of the app had their names, phone numbers, email addresses, billing addresses, credit card numbers, expiration dates, and card verification codes stolen, along with routing numbers for restaurants and delivery services. Corresponding with Zdnet, the hacker claimed that they had stolen 6 million user records, and Zdnet reports that this person has stolen over a billion user records from 45 companies over the past few months.
Source:
https://www.zdnet.com/article/eatstreet-food-ordering-service-discloses-security-breach/
Evernote | Note Taking | up to 4,600,000
On the 4th of June, Evernote provided a fix for a vulnerability in its Chrome browser extension that had been discovered towards the end of May by security company Guardio. The weakness had left users of Evernote open to exploitation from attackers which could have been used to obtain user data including email addresses, financial details, private conversations in social media, and other information.
An attacker also had the potential to infect users with malware which could steal personal information, as well as act as the user. Whilst it is unknown whether the vulnerability had been leveraged by malicious actors, potentially up to 4.6 million users may have been the unknowing victims of this weakness.
Source:
https://www.bleepingcomputer.com/news/security/critical-flaw-in-evernote-add-on-exposed-sensitive-data-of-millions/
Desjardins Group | Credit Union | over 2,900,000
The Canadian credit union Desjardins Group was the target of a hack this month with a data breach when a (now former) employee illegally, and without authorisation, used data. The company says its computer system was not compromised. The data involved related to over 2.7 million individuals and around 173 000 business customers and included names, dates of birth, Social Insurance Numbers, addresses and phone numbers; however, personal identification numbers were apparently not compromised.
Despite the serious nature of the event, the financial authorities commented that Desjardins Group had handled the situation appropriately. Whilst this may be an inconvenience, the company reassured those affected that any financial cost would be recompensed. This incident highlights the danger of companies having access to personal information; even if their electronic security is competent, the risk of employees having access to data remains a danger.
Source:
https://montrealgazette.com/business/desjardins-rogue-employee-caused-data-breach-for-2-9-million-members
Emuparadise | Gaming | 1,131,229
More than a million user accounts were revealed to have been exposed this month with the news that gaming website Emuparadise had been hacked in April. The website allows files of old games to be downloaded to be played on emulators. News of this incident came about when dehashed.com informed data breach information website HaveIBeenPwned.
Email addresses, IP addresses, usernames and passwords were among the data exposed, the cause of which has been traced to a weak algorithm on its ‘vBulletin forum’ that was condemned all the way back in 2012. Whilst old games were its forte, old algorithms were its downfall.
Source:
https://www.zdnet.com/article/emuparadise-gaming-rom-repository-suffers-data-breach/
Various Russian Banks | Banking | 900,000
It was discovered by data-leak prevention software provider Devicelock last month, that a number of Russian banks have been revealed to have data leaked, impacting around 900,000 individuals. The largest commercial Russian bank, Alfa Bank, along with OTP Bank and HKF-Bank, were amongst those affected.
Full names, phone numbers, addresses, dates of birth, passport details and work details were compromised in the leaks, which have at least in part been potentially attributed to a former bank employee during previous layoffs of IT staff. The data involved also contains information on police officers and Federal Security Service officers. Some of the data involved is several years old but can still be used for fraud.
Sources:
https://beincrypto.com/russian-banks-leaked-personal-data-900k-clients/
https://www.kommersant.ru/doc/3997757
Australian National University | Education | 200,000
An estimated 200,000 people are believed to have their data stolen after a hacker accessed data from the Australian National University, affecting both staff and students. According to the university vice-chancellor, the data stolen was extensive and went back almost 20 years, detailing names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, Tax File Numbers, payroll information, bank account details, passport details and student’s academic records. Other personal data, including medical records and credit card details, are believed to be safe.
The university is working with relevant authorities to investigate the situation. The university had previously upgraded its security systems following other hacking attempts and believes this allowed it to detect the attack this time round - although not to protect it. It was noted that a dedicated and intelligent attacker can almost always hack a system; maybe it is time to turn to blockchain and Blockpass to secure data.
Source:
https://www.theguardian.com/australia-news/2019/jun/04/australian-national-university-hit-by-huge-data-breach
OGusers | Cybercrime | 113,000
In a change from the normal story, a forum popular with cyber criminals was hacked last month by a rival band of cyber criminals known as ‘RaidForums’ who stole email addresses, hashed passwords, IP addresses and private messages.
Though the website admin tried to cover up the incident, the rival group claimed ownership of the attack and uploaded the data, taunting the hashing algorithm used by the website. The details exposed in the hack have the potential to be of use to law enforcement to identify and arrest bad actors.
Source:
https://www.itgovernance.co.uk/blog/cyber-criminals-steal-113000-data-records-from-rivals
Hong Kong Public Hospitals | Healthcare | Unknown
It was revealed last month that personal data in Hong Kong public hospitals was available to be accessed by anyone without the requirement of a password. Used in A&E wards, a program called Accident and Emergency Department Clinical Information System, also known as AEIS, enables anyone to see data on the system without needing login details or identification. There is concern by some that this has been used by police whilst the protests in Hong Kong have been going on, with some patients being arrested during and before receiving medical treatment.
Doctors in Hong Kong public hospitals have confirmed that there is a lack of security in the system, and have admitted to using the shortcut in their normal practice, though deny having used it to provide information to police in this case - which statements from the Commissioner of the Police corroborated. Against this, a printed list of patient names, ID card numbers, ages, conditions and location in the hospital was presented, with ‘for police’ marked in one corner. Whether or not it has really been used for this purpose is unclear, but the fact remains that the system storing personal data should be secured.
Source:
https://www.scmp.com/news/hong-kong/politics/article/3015075/leaked-video-exposes-how-patient-data-hong-kong-public
This report, for the month of June, is the eighth of our Data Breach Intelligence Reports. We encourage the Blockpass community and anyone who might be otherwise interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.”
If you believe you have been the victim of a data breach there may be resources available to help you; check with the relevant company to find out any details you can and see what their recommendations are. You can contact the security services for your country to intervene or ask for guidance on security forums online.
Although the research team only found these significant cases, it’s worth bearing in mind that many data breach events do not make the news as soon as they happen, with word coming out months or even years later. At the Blockpass meetups we have heard from security experts that almost all systems will be hacked to some extent at one point or another; many companies and people aren’t even aware they’ve been hacked.
| # of Events Analyzed | 10 |
| # of Identities Lost | > 46,366,829 |
| % of World Population | > 0.6% |
| Industry Hardest Hit | Healthcare |
American Medical Collection Agency | Healthcare | over 20,522,600
Reported in a number of publications, a number of healthcare providers had their data leaked by a third party - the American Medical Collection Agency - which collects data for various healthcare-related organisations. Data was lost through a vulnerability in the payment system which lasted 8 months. Affected organisations include:
Quest Diagnostics: 11,900,000 patients
LabCorp: 7,700,000 patients
BioReference Laboratories: 422,600 patients
Carecentrix: 500,000 patients
Sunrise Laboratories: unknown
Patient data compromised included names, dates of birth, addresses, phone numbers, card information, bank account information, Social Security Numbers, and healthcare details.
Sources:
https://patch.com/maryland/annapolis/massive-medical-data-breach-could-put-md-consumers-risk
https://krebsonsecurity.com/2019/06/labcorp-7-7m-consumers-hit-in-collections-firm-breach/
https://techcrunch.com/2019/06/03/quest-diagnostics-breach/
Evite | Social Planning | 10,000,000
Providing a social planning platform and e-invitations service, Evite was hacked back in February of this year. The company was notified by business tech news website Zdnet in April but officially announced the breach on their website this month. The company believes that the information taken may include names, usernames, email addresses, passwords, dates of birth, phone numbers, and mailing addresses.
Investigation by data security firms hired by Evite found the hackers had retrieved an ‘inactive data store age file associated with user accounts’. The account is reported to be of older accounts with no information more recent than 2013. The company has since taken measures to improve its security measures and secure compromised accounts. The Evite website has contact details for those wanting further information.
Sources:
https://www.zdnet.com/article/evite-e-invite-website-admits-security-breach/
https://www.evite.com/security/update
EatStreet | Food Ordering | 6,000,000
It was revealed this month that online U.S. food ordering service EatStreet had suffered a data breach in May, in which a hacker stole information pertaining to the company, its customers and partners. Speaking to Zdnet, hacker ‘Gnosticplayers’ claimed they had perpetrated the attack, which occurred on the 3rd of May and was only discovered on the 17th of May.
Restaurants, delivery partners and customers of the app had their names, phone numbers, email addresses, billing addresses, credit card numbers, expiration dates, and card verification codes stolen, along with routing numbers for restaurants and delivery services. Corresponding with Zdnet, the hacker claimed that they had stolen 6 million user records, and Zdnet reports that this person has stolen over a billion user records from 45 companies over the past few months.
Source:
https://www.zdnet.com/article/eatstreet-food-ordering-service-discloses-security-breach/
Evernote | Note Taking | up to 4,600,000
On the 4th of June, Evernote provided a fix for a vulnerability in its Chrome browser extension that had been discovered towards the end of May by security company Guardio. The weakness had left users of Evernote open to exploitation from attackers which could have been used to obtain user data including email addresses, financial details, private conversations in social media, and other information.
An attacker also had the potential to infect users with malware which could steal personal information, as well as act as the user. Whilst it is unknown whether the vulnerability had been leveraged by malicious actors, potentially up to 4.6 million users may have been the unknowing victims of this weakness.
Source:
https://www.bleepingcomputer.com/news/security/critical-flaw-in-evernote-add-on-exposed-sensitive-data-of-millions/
Desjardins Group | Credit Union | over 2,900,000
The Canadian credit union Desjardins Group was the target of a hack this month with a data breach when a (now former) employee illegally, and without authorisation, used data. The company says its computer system was not compromised. The data involved related to over 2.7 million individuals and around 173 000 business customers and included names, dates of birth, Social Insurance Numbers, addresses and phone numbers; however, personal identification numbers were apparently not compromised.
Despite the serious nature of the event, the financial authorities commented that Desjardins Group had handled the situation appropriately. Whilst this may be an inconvenience, the company reassured those affected that any financial cost would be recompensed. This incident highlights the danger of companies having access to personal information; even if their electronic security is competent, the risk of employees having access to data remains a danger.
Source:
https://montrealgazette.com/business/desjardins-rogue-employee-caused-data-breach-for-2-9-million-members
Emuparadise | Gaming | 1,131,229
More than a million user accounts were revealed to have been exposed this month with the news that gaming website Emuparadise had been hacked in April. The website allows files of old games to be downloaded to be played on emulators. News of this incident came about when dehashed.com informed data breach information website HaveIBeenPwned.
Email addresses, IP addresses, usernames and passwords were among the data exposed, the cause of which has been traced to a weak algorithm on its ‘vBulletin forum’ that was condemned all the way back in 2012. Whilst old games were its forte, old algorithms were its downfall.
Source:
https://www.zdnet.com/article/emuparadise-gaming-rom-repository-suffers-data-breach/
Various Russian Banks | Banking | 900,000
It was discovered by data-leak prevention software provider Devicelock last month, that a number of Russian banks have been revealed to have data leaked, impacting around 900,000 individuals. The largest commercial Russian bank, Alfa Bank, along with OTP Bank and HKF-Bank, were amongst those affected.
Full names, phone numbers, addresses, dates of birth, passport details and work details were compromised in the leaks, which have at least in part been potentially attributed to a former bank employee during previous layoffs of IT staff. The data involved also contains information on police officers and Federal Security Service officers. Some of the data involved is several years old but can still be used for fraud.
Sources:
https://beincrypto.com/russian-banks-leaked-personal-data-900k-clients/
https://www.kommersant.ru/doc/3997757
Australian National University | Education | 200,000
An estimated 200,000 people are believed to have their data stolen after a hacker accessed data from the Australian National University, affecting both staff and students. According to the university vice-chancellor, the data stolen was extensive and went back almost 20 years, detailing names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, Tax File Numbers, payroll information, bank account details, passport details and student’s academic records. Other personal data, including medical records and credit card details, are believed to be safe.
The university is working with relevant authorities to investigate the situation. The university had previously upgraded its security systems following other hacking attempts and believes this allowed it to detect the attack this time round - although not to protect it. It was noted that a dedicated and intelligent attacker can almost always hack a system; maybe it is time to turn to blockchain and Blockpass to secure data.
Source:
https://www.theguardian.com/australia-news/2019/jun/04/australian-national-university-hit-by-huge-data-breach
OGusers | Cybercrime | 113,000
In a change from the normal story, a forum popular with cyber criminals was hacked last month by a rival band of cyber criminals known as ‘RaidForums’ who stole email addresses, hashed passwords, IP addresses and private messages.
Though the website admin tried to cover up the incident, the rival group claimed ownership of the attack and uploaded the data, taunting the hashing algorithm used by the website. The details exposed in the hack have the potential to be of use to law enforcement to identify and arrest bad actors.
Source:
https://www.itgovernance.co.uk/blog/cyber-criminals-steal-113000-data-records-from-rivals
Hong Kong Public Hospitals | Healthcare | Unknown
It was revealed last month that personal data in Hong Kong public hospitals was available to be accessed by anyone without the requirement of a password. Used in A&E wards, a program called Accident and Emergency Department Clinical Information System, also known as AEIS, enables anyone to see data on the system without needing login details or identification. There is concern by some that this has been used by police whilst the protests in Hong Kong have been going on, with some patients being arrested during and before receiving medical treatment.
Doctors in Hong Kong public hospitals have confirmed that there is a lack of security in the system, and have admitted to using the shortcut in their normal practice, though deny having used it to provide information to police in this case - which statements from the Commissioner of the Police corroborated. Against this, a printed list of patient names, ID card numbers, ages, conditions and location in the hospital was presented, with ‘for police’ marked in one corner. Whether or not it has really been used for this purpose is unclear, but the fact remains that the system storing personal data should be secured.
Source:
https://www.scmp.com/news/hong-kong/politics/article/3015075/leaked-video-exposes-how-patient-data-hong-kong-public
This report, for the month of June, is the eighth of our Data Breach Intelligence Reports. We encourage the Blockpass community and anyone who might be otherwise interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.”
If you believe you have been the victim of a data breach there may be resources available to help you; check with the relevant company to find out any details you can and see what their recommendations are. You can contact the security services for your country to intervene or ask for guidance on security forums online.