Category: Data Breach
7. January 2019
The French Data Protection Authority CNIL imposed a fine of €250.000,00 on telecom operator BOUYGUES TELECOM for not taking required security measures to protect the personal data of its clients.
BOUYGUES TELECOM offered their clients an option to create a profile on their webpage to have easier access to their contract details and telephone bills.
In March 2018, CNIL was informed that a lack of security measures gave free access to personal data of clients of B&You, a subsidiary company of BOUYGUES TELECOM. Each profile had its own URL address, which involved the first and last name of the client. Just by exchanging the name in the URL address, one gained free access to first and last name, date of birth, e-mail address, address and phone number as well as contracts and bills. The violation of data security went on for two years and had an impact on over two million clients.
Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the incident occurred after the computer code, which depends on user authentication, was deactivated for a test phase, but was forgotten to be re-activated after completion of the test phase. After noticing the data breach, the company quickly blocked the access to the personal data.
Nevertheless, CNIL stated that the company failed to protect the personal data of its clients and violated its obligation to take all required security measures, especially as appropriate measures would have revealed the data breach earlier.
As the incident occurred before the legal validity of GDPR, CNIL decided to impose a fine of €250.000,00 on BOUYGUES TELECOM.
4. January 2019
In the last weeks, several data breaches in different US states were discovered. The latest one occurred in the Choice Rehabilitation Center based in Missouri. Data of 4,309 patients was breached in a hack on a corporate email account from July 1 until the end of September. Choice discovered the hack in November and started an investigation after consulting with Microsoft. Provider’s emails were forwarded to a personal account, which was later deactivated.
The sent emails contained billing data for different medical services such as physical or speech therapy services. These included for example patient names, medical record numbers, treatment information, diagnoses and the beginning and end of treatment dates.
Just a few weeks before, the largest healthcare breach of 2018 became public. Due to a cyberattack on the health’s systems billing vendor AccuDoc Solutions, data of more than 2.65 million Atrium Health patients was breached. AccuDoc Solutions prepares bills and operates the online billing system for Atrium Health, which is a hospital network that comprises 44 hospitals in Georgia, North Carolina and South Carolina.
The compromised database contained data of patients and guarantors, comprising full names, addresses, dates of birth, insurance policy details, medical record numbers, account balances and dates of service. 700,000 patient’s social security numbers were also among the hacked data.
However, financial data such as credit card numbers are not affected. Even though the data breach is contained to AccuDoc Solutions, Atrium Health has hired a team to investigate the occurrence and has reviewed its security precautions. Those patients whose Social Security numbers were hacked are being offered one year of free credit monitoring.
27. December 2018
Uber’s major data breach of 2016 still has consequences as it has also been addressed by the French Data Protection Authority “CNIL”.
As reported in November 2017 and September 2018, the company had tried to hide that personal data of 50 million Uber customers had been stolen and chose to pay the hackers instead of disclosing the incident to the public.
1,4 million French customers were affected as well which is why the CNIL has now fined Uber 400K Euros (next to the settlement with the US authorities amounting to $148 Million).
The CNIL came to find out that the breach could have been avoided by implementing certain basic security measures such as stronger authentication.
Great Britain and the Netherlands have also already imposed a fine totalling €1 million.
17. December 2018
The Irish Data Protection Commission announced in a press release on December 14, 2018 that it had initiated a statutory inquiry into Facebook.
Due to the frequent, especially in the recent past, data breaches of the American company and the total number of reported data breaches since the GDPR came into force on May 25, 2018, the Irish Data Protection Commission has initiated an investigation into compliance with the relevant provisions of the GDPR against Facebook.
In recent weeks, reports of renewed breaches of data protection by Facebook have continued.
Most recently, it became known that the Italian competition authority AGCM had imposed a fine of 10 million euros on Facebook because the company had passed on data to other platforms without the express consent of the users and that a bug in the programming interface for picture processing led to third-party apps having access to pictures of 6.8 million Facebook users, some of which had not even been published by the users.
3. December 2018
Marriott International Inc., the world’s largest hotel company, was hit by a data breach affecting up to 500 million customers.
Marriott said it has found a data breach in the Starwood guest reservation database regarding the hotels ‘Westin’, ‘Sheraton’, ‘Le Méridien’, ‘St. Regis’ and ‘W Hotels’. The main brand Marriott does not belong to it. Marriot had bought its competitor Starwood in 2016 and thus obviously their security gap at the same time.
Up to 500 million customers may have been affected by the breach and, of those impacted, roughly two-thirds had their names, addresses, phone numbers, email addresses, passport numbers and duration of stay compromised. It is also possible that payment card information were caught in the breach.
An internal tool alerted a potential data breach on September 8th, 2018. An investigation subsequently initiated revealed that the guest database may have been compromised since 2014. At the moment Marriott could not rule out the possibility that the files needed for decryption had also been stolen. This would mean that the attackers could also use the stolen data to, for example, shop with them.
As a result, Starwood’s IT systems will be phased out.
Since Friday, those affected have also been informed and customer can find out more on the website.
24. October 2018
As part of a court settlement filed Monday, Yahoo agreed to pay $50 million in damages and to provide two-years of free credit monitoring for services to 200 million people.
Around 3 billion Yahoo accounts were hacked in 2013 and 2014 but the company, which is now owned by Verizon, did not disclose the breach until 2016. Affected are U.S. and Israel residents and small businesses with Yahoo accounts at any time from January 1, 2012 to December 31, 2016. Apart from usernames and email addresses, millions of birthdates and security questions and answers were stolen. Not among the stolen information were passwords, credit card numbers and bank account information.
According to the settlement, the fund will compensate accountholders who paid for email services, who had out-of-pocket losses or who already have credit monitoring services. A refund of $25 per hour will be made for the time spent handling issues caused by the breach. Those with documented losses can ask for up to 15 hours of lost time ($375) whereas those who cannot document losses can ask for up to 5 hours ($125).
A hearing to approve the preliminary settlement is scheduled for November 29.
2. October 2018
Ireland’s Data Protection Commission, the company’s lead privacy regulator in the EU, could fine Facebook Inc. up to $1.63 billion for a data breach disclosed Friday, reports the Wall Street Journal. Hackers compromised the accounts of at least 50 million users, bypassing security measures and possibly giving them full control of both profiles and linked apps.
The Commission is now requesting more information on the scale and nature of the data breach in order to find out which EU residents could be affected. Facebook announced that it would respond to follow-up questions. The incident results in the latest legal threat Facebook is facing from U.S. and European officials over its handling of user data and is a severe setback to their efforts to regain trust after a series of privacy and security breaches.
The way in which this data breach is handled by data protection authorities could mark one of the first important tests under the GDPR, which came into force in May earlier this year. The handling could provide conclusions regarding the application of breach-notifications and data-security provisions by companies in the future.
The law requires companies to notify data protection authorities of breaches within 72 hours, under threat of a maximum fine of 2% of worldwide revenue. Furthermore, under the GDPR companies that fail to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Taking the larger calculation as a basis Facebook’s maximum fine would be $1.63 billion.
28. September 2018
Due to an initially concealed data breach in 2016, the U.S. company Uber has to pay a fine of €126 million, as the Attorney General Barbara Underwood announced in a statement.
On November 21, 2017, Uber announced that a hacker attack would take place in 2016, in which the hackers would capture approximately 50 million customer data as well as seven million data from Uber drivers. The company paid the hackers blackmail money instead of reporting the data breach (we reported).
Now a settlement was reached between Uber and the relevant US authorities. The settlement includes the highest fine ever imposed, $148 million (€126 million), flanked by further obligations to improve data security.
30. July 2018
A cyberattack has impacted data of 1.5 Mio patients of SingHealth clinics by stealing name, ID Card number, address, gender, race and date of birth as reported by ARN Net.
Due to “operational security reasons”, the authorities haven’t disclosed the identity of the responsibles behind the attack.
Even Singapore’s Prime Minister, Lee Hsien Loong, “had his personal particulars stolen as well as his outpatient dispensed medicines record.”
The report further states that all patients, whether or not they were affected will receive an SMS notification over the next five days, with patients also able to access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.
According to Channel Asia the SingHealth IT system was compromised through an initial breach on a particular front-end workstation, gaining privileged account credentials to gain access to the database.
It is believed that the attack began on June 27th, 2018 and was detected on July 4th, 2018. Apparently, no further illegal exfiltration has been detected since and all Patient records in SingHealth’s IT system remain intact.
Several measures have been taken in terms of IT-security such as controls on workstations and servers, resetting user and systems accounts and installment of additional system monitoring controls.
24. July 2018
A security researcher from the UpGuard Cyber Risk Team detected that various data from carmakers like Volkswagen, Ford and Toyota were exposed. UpGuard is an Australian cybersecurity group that among other things detects data breaches.
The source of the data leak is a small Canadian company called Level One Robotics and Controls. On a publicly accessible backup server of the engineering company were files from more than a hundred companies in business with said company. Belonging to the group of companies affected by the leak are some of the biggest carmakers like Tesla, VW, Toyota, General Motors, Chrysler and ThyssenKrupp.
The 47.000 unsecured files contained inter alia product designs, invoices, bank accounts and contracts. Some of these data are among the industry’s most closely guarded and confidential trade secrets. In addition, a number of non-disclosure agreements explaining the sensitivity of the leaked information formed part of the exposed data.
The researcher issued a leakage warning and since then the accessible information was taken offline within 24 hours.
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 Next 
