2018’s Worst Breaches, So Far

At 2018’s halfway point there are 668 breaches representing almost 23 million records exposed according to reports from the San Diego-based Identity Theft Resource Center and Providence, R.I.-based CyberScout (formerly IDT911).

The number of U.S. data breaches tracked through July 2, 2018 is less than 2017’s half-year high total of 791. However, this year some 22.5 million reported records exposed so far is almost double the 12.4 million records reported breached last year at this time (which came before Equifax’s 145.5 million exposed records).

Broken down by industry category:

• Business = 46%
• Medical/Healthcare = 27.1%
• Banking/Credit/Financial = 12.6%
• Government/Military = 7.3%
• Educational = 6.7%

Following are the worst 2018 U.S. data breaches, at the halfway point, based on ITRC’s list of confirmed, exposed PII records.

1. Hudson Bay Company dba Saks Fifth Avenue, Lord & Taylor, and Saks OFF 5th: 5 million records.

The Canadian corporation that owns the luxury retail chains, confirmed a breach had occurred. A ring of cybercriminals used malware planted into the cash register systems to collect customer payment card information, including cardholder name, payment card number and expiration date. The Toronto-based retail company announced the breach on April 1, 2018 but said the breach began as early as July 1, 2017 before its March 31, 2018 containment.

2. Firebase: 4.05 million records.

The security issue, referred to as the Firebase vulnerability, leaked 100 million records (113 gigabytes) of data from unsecured databases. Analysis of the exposed data revealed 2.6 million plain text passwords and user IDs; more than 4 million protected health information records (including chat messages and prescription details); 25 million GPS location records; 50 thousand financial records including banking, payment and bitcoin transactions; and over 4.5 million Facebook, LinkedIn, Firebase and corporate data store user tokens.

3. Jason’s Deli: 3.4 million records.

A family food chain with 275 delis in 28 states discovered criminals deployed RAM-scraping malware on several of its point-of-sales terminals at various corporate-owned restaurants starting on June 8, 2017. On December 22, 2017, payment processors notified the deli that a large quantity of its payment card information had appeared for sale on the dark web. The data possibly included cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code.

Read the full story in the August 1 issues of CU Times.