CSO Online's 2016 data breach blotter

01 day breach

Another day, another data breach

There were 736 million records exposed in 2015 due to a record setting 3,930 data breaches. 2016 has only just started, and as the blotter shows, there are a number of incidents being reported in the public, proving that data protection is still one of the hardest tasks to master in InfoSec.

02 gyft

At least 83,000 impacted by breach at Gyft Inc.

According to a notice letter sent on February 4, an unknown party accessed two cloud providers used by Gyft Inc, and in doing so, they were able to view or download user information stored on the servers.

The information accessed might have included Gyft card numbers, names, addresses, date of birth, phone number, and email address. In addition, those who used Gyft between March 19 and December 4, 2015, might have had their login credentials compromised as well.

"An unauthorized party who acquired your credentials could have accessed your Gyft account and used any gift cards in your account with unused balances, or used available reward points or a Coinbase-enabled account to purchase additional gift cards," the notification explains.

Impacted accounts had their passwords and Coinbase tokens reset.

03 taobao

20 million Taobao accounts targeted

In February, hackers attempted to access 20 million accounts on the Taobao e-commerce website, owned by China's Alibaba Group Holding Ltd. The attack started with a list of 99 million usernames and passwords, compiled from several other breaches, which the attackers used against the e-commerce website. Of the 99 million accounts on the list, some 20 million of them were a direct match on Taobao.

Alibaba said in a statement that their servers were not compromised, and that they detected the intrusion attempt. Afterwards, they warned Taobao users against password sharing between domains, and encouraged password changes. The attackers started in October, and were detected by mid-November. Successfully compromised accounts were used to place fake orders.

04 ucf

63,000 records exposed at UCF

The University of Central Florida announced a network intrusion in February, which impacted 63,000 people. The breach exposed some PII, including Social Security numbers, first and last name, student ID, and Employee Identification Numbers.

There were two groups impacted by the breach, the first "includes some current student-athletes, as well as some former student-athletes who last played for UCF in 2014-15. This group also includes some student staff members, such as managers, supporting UCF teams. The second group includes current and former university employees in a category known as OPS, or Other Personal Services," the school reported.

05 taxact

TaxAct breach impacts 9,450

In January, TaxAct reported that 450 customers had their personal and tax-return information stolen, after criminals used usernames and password obtained elsewhere to access their accounts. The unauthorized access took place between November 10 and December 4, 2015.

In addition, 9,000 TaxAct customers were notified via email that their accounts were frozen due to suspicious activity. As a result, each of them will be subject to additional verification in 2016. The company didn't elaborate what was considered suspicious.

Stepping back and looking at the bigger picture, the incident serves as another example of why sharing passwords across multiple accounts is a poor security choice.

06 jbautosports
Falcon® Photography (Creative Commons BY or BY-SA)

JB Autosports Inc. - Checkout system compromised

At least 1,000 customers were impacted after the checkout system used by JB Autosports Inc. was compromised in 2015. The company says the attack timeline was narrowed down August 1, 2015 through November 9, 2015, but the company didn't release the total number of customers impacted.

Additional details from the breach notification letter says that the attackers had Russian IP addresses. Anyone who used a Visa, MasterCard, Discover card, or American Express to complete payment was targeted.

The data compromised included customer names, addresses, credit card numbers, credit card expiration dates, CID numbers, CAV2 numbers, CVC2 numbers, and CVV2 numbers. The data was intercepted on the checkout page before it was transmitted to PayPal for processing.

07 professor
Photo4jenifer (Creative Commons BY or BY-SA)

RateMyProfessors.com breach potentially impacts millions

RateMyProfessors.com says that potentially all registered users, which is more than 4 million college students according to the website, had their email addresses, passwords, and registration dates compromised.

In an email to users, the website says that on December 24, 2015, suspicious activity on one of its backend systems was observed and investigated.

As a result of that investigation, it's believed that on or about November 26, 2015, attackers gained access to one of the backend systems of RateMyProfessors.com through a decommissioned version of the RateMyProfessors.com website.

08 hyatt hotel

Hyatt data beach impacted 250 hotels in 50 countries

In January, Hyatt Hotels disclosed a data breach impacting payment card data at 250 hotels across 50 countries. An internal investigation determined that "payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015."

"A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015," the announcement explained.

A list of the impacted properties is available online.

09 cva

California Virtual Academies – 58,964 records exposed

A misconfigured MongoDB installation, discovered by researcher Chris Vickery, pushed a California charter school to notify parents and teachers.

The database was hosted and maintained by third-party, and once Vickery reported the issue, it was quickly secured. The exposed data included details on payroll as well as some student information.

A full report on the breach itself was published by Databreaches.net in December 2015. CAVA issued their notification letters in early January, 2016.

10 baileys
New York National Guard (Creative Commons BY or BY-SA)

Bailey's Inc. – 15,000 credit cards compromised, Windows Server 2008 blamed

In January, Bailey's Inc., an outdoor equipment and tree care supplies retailer in California, disclosed that 15,000 credit cards were compromised, after attackers exploited a Windows Server 2008 system.

The compromised server had a key logging software installed, which allowed the attackers to capture credit card numbers, cardholder names, addresses, phone numbers, email addresses, CCV numbers, card expiration date, usernames and passwords, as well as any other information entered on the website, Baileysonline.com.

11 neiman marcus
Massachusetts Office of Travel & Tourism (Creative Commons BY or BY-SA)

Neiman Marcus – 5,200 accounts compromised

Upscale retailer Neiman Marcus reported a breach towards the end of January that impacted 5,200 people.

On or around December 26, 2015, crooks used usernames and passwords that were previously compromised elsewhere to make guess attempts on the Neiman Marcus, Bergdorf Goodman, Last Call, and CUSP websites. They were able to access 5,200 accounts and use 70 of those accounts to make fraudulent purchases.

The account data, including customer names, saved addresses and contact information (email or phone), last four digits of the account's credit card number, and purchase history were also exposed.

12 taxslayer

TaxSlayer breach impacts 8,800 customers

Tax prep software publisher, TaxSlayer, reported a data breach that was discovered in January, but started last October. According to their disclosure letter and customer notifications, an unnamed third-party was compromised, exposing usernames and passwords. The attackers responsible then used those harvested credentials to access TaxSlayer accounts.

"As a result of ongoing security reviews, TaxSlayer identified on January 13, 2016 that an unauthorized third party, whom we believe obtained your username and password from another online service, may have accessed your TaxSlayer account between 10/10/2015 and 12/21/2015. In order to protect your account, we have temporarily disabled access," the notice explains.

"The unauthorized third party may have obtained access to any information you included in a tax return or draft tax return saved on TaxSlayer, including your name and address, your Social Security number, the Social Security numbers of your dependents, and other data contained on your 2014 tax return."

Copyright © 2016 IDG Communications, Inc.

Related Slideshows