Data Breaches 2018



January 8, 2018: Electronic toymaker VTech Technologies has reached a settlement with the FTC following a two-year investigation. The company will pay $650,000 as a result of a cyberattack that exposed the personal data of an estimated 6.4 million children worldwide. VTech failed to get verifiable parental consent before collecting children’s information including their name, gender, birth date and more. In addition to not requiring parental consent, they failed to protect the data with reasonable security safeguards. This case shines a light on the rise of the electronic toy market, and the dangers it can present when not secured properly.


Jason’s Deli

January 11, 2018: A family-owned delicatessen with 275 locations across 28 states, Jason’s Deli confirmed it has been the victim of a large data breach. Criminals gained access to the company’s point-of-sale terminals and installed RAM-scraping malware to steal customers’ credit card information and sell it on the dark web. Data such as cardholder name, credit or debit card number, expiration date, cardholder verification value and service code were obtained via the magnetic stripe on payment cards. As many as 2 million payment cards may have been compromised in this breach, which impacted at least 164 Jason’s Deli locations.



January 17, 2018: Connecticut-based insurance giant, Aetna has agreed to pay $17 million in a settlement after violating the privacy of about 12,000 members. This breach resulted from a mailing to HIV-positive members in 23 different states. The envelope window, generally reserved for the recipient’s address, clearly revealed part of the letter reading, “filling prescriptions for HIV Medication.” This settlement, while still awaiting a judge’s approval, arrived relatively quickly as the lawsuit was just filed in late August.

SOURCE | AIDS Law Project


February 2, 2018: CarePlus Health Plans, a Florida-based health insurance provider, is notifying its members of a privacy breach. The breach occurred as a result of a mailing error, and disclosed information including member name, CarePlus identification number and plan name, dates of service, provider of service, and services provided. It’s been reported that the information of roughly 11,200 members were exposed as a result of this breach.


Partners HealthCare

February 5, 2018: Massachusetts’ largest private employer, Partners HealthCare, announced that a data breach may have exposed the personal information of 2,600 patients. The company’s network was breached via malware in May of last year, which compromised records including patients’ names, diagnoses, types of procedures and medications. Some patients’ Social Security numbers and financial data may also have been exposed. Partners has mailed letters to patients explaining the situation and is offering free credit monitoring and insurance to those whose Social Security numbers were revealed. In a statement, the company said it is “enhancing its security program, controls and procedures and continuing to monitor systems for unusual activity.” This marks the second major data breach for Partners, after a phishing scam exposed the personal and health information of 3,300 patients two years ago.


**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**


February 15, 2018: Researchers from Kromtech Security discovered the personal information of 119,000 FedEx customers sitting on an unsecured Amazon Web Services (AWS) cloud storage server. This information included passports, driver’s licenses, names, home addresses, phone numbers and ZIP codes. This server came into FedEx’s possession as a result of their 2014 acquisition of Bongo International. It has since been secured and, according to a statement from FedEx, there was “no indication” of data being “misappropriated.”

SOURCE | Gizmodo

BJC Healthcare

March 12, 2018: St. Louis-based healthcare provider, BJC Healthcare discovered a wrongly-configured server that exposed scanned images of documents from 33,420 patients. The company includes 15 hospitals and other health services organizations in Missouri and Illinois. Its server was left unsecured from May 2017 through January of this year, and may have revealed patients’ driver’s licenses, insurance cards, addresses, Social Security numbers, telephone numbers, treatment records and other personal information. These documents were collected from 2003 to 2009.

SOURCE | Belleville-News Democrat

St. Peter’s Surgery & Endoscopy Center

March 13, 2018: New York hospital, St. Peter’s Surgery & Endoscopy Center, has reported that it discovered a data breach on January 8th. According to the report, 134,512 individuals may have been impacted after a third party gained access to the hospital’s servers. The compromised information includes patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information, and, for those with Medicare, Social Security numbers. No banking or credit card information was involved.

SOURCE | St. Peter’s Surgery & Endoscopy Center


March 20, 2018: Subsidiary of Expedia, Inc., Orbitz announced it has discovered a possible data breach affecting 880,000 consumers. A hacker had used a legacy website to gain access to payment-card and other personal information between January 2016 and December of last year. This personal information includes birthdays, addresses, full names, phone numbers, email addresses and gender.

SOURCE | Wall Street Journal

ATI Physical Therapy

March 22, 2018: Illinois-based ATI Physical Therapy has experienced a data breach where several employee email accounts were hacked by a phishing scam. These email accounts contained sensitive patient information, including Social Security numbers, driver’s license numbers, financial account numbers, Medicare or Medicaid ID numbers and medical records. The company is notifying its 35,136 patients of the breach, which was initially discovered in January.


**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**

Massive Hack Sponsored by Iran

March 23, 2018: A government-backed Iranian hacking ring has been discovered by the U.S. Justice Department. These hackers systematically hacked into the computer networks of 144 U.S. universities by performing a phishing scam and breaching the email accounts of roughly 4,000 professors. Once inside, they stole 31 terabytes of intellectual property, totaling $3.4 billion worth of damages. Additionally, the Iranian hackers attacked 36 private American companies and infiltrated five U.S. government agencies, stealing the emails associated with thousands of accounts.


Under Armour

March 29, 2018: Under Armour has announced that 150 million users of its app, MyFitnessPal, had their information acquired by an unauthorized party. The data compromised in this breach included usernames, email addresses and hashed passwords.

SOURCE | Threatpost

Saks Fifth Avenue, Lord & Taylor

April 1, 2018: Owner of retail stores Saks Fifth Avenue and Lord & Taylor, Hudson’s Bay Company (HBC), confirmed that hackers stole the data of more than 5 million credit and debit cards. This massive hack was discovered by cybersecurity firm, Gemini Advisory. The breach of payment systems began in May 2017 and 125,000 payment cards have been released so far.


Panera Bread

April 2, 2018: The St. Louis-based, bakery-cafe Panera Bread has left the information of up to 37 million customers in plain text accessible from its website. Customers who have created an account to order online may have had their full name, email and physical address, phone number, birthday and last four digits of credit or debit card compromised. It appears that the company’s catering application was also impacted.

SOURCE | Krebs on Security


April 16, 2018: Inogen, a supplier of oxygen concentrators headquartered in California, announced it is notifying 30,000 current  and former customers of a data breach that lasted from January 2 – March 14, 2018. The breach occurred after a hacker gained unauthorized access to an employee’s email account through a phishing scam. Some of the data that was compromised includes names, telephone numbers, email addresses, dates of birth, dates of death, Medicare identification numbers, insurance policy information, and the type of medical equipment the company provided.

SOURCE | Reuters

UnityPoint Health

April 20, 2018: A network of hospitals, clinics and home care services with locations in Iowa, Illinois and Wisconsin, announced that it has been breached. UnityPoint Health has said about 16,000 people could be affected in the incident. According to company officials, several employees’ email accounts were compromised after a successful phishing attack. These accounts may have been accessed from November 1, 2017 to February 7, 2018. The information exposed could include patient Social Security numbers and financial information.

SOURCE | Healthcare IT News

SunTrust Banks

April 20, 2018: SunTrust has experienced a data breach impacting 1.5 million clients. The Atlanta bank said a former employee is responsible for the data theft, which exposed customers’ names, addresses, phone numbers and account balances.


City of Goodyear

May 9, 2018: The city of Goodyear, AZ has confirmed a data breach leaving about 30,000 utility customers vulnerable. According to reports, the city learned about an issue with its bill pay system after a customer informed them of fraudulent activity on their bank account.

SOURCE | Identity Theft Resource Center


May 12, 2018: The restaurant chain, Chili’s has announced a data breach exposing customers’ credit and debit cards. Brinker International, who owns Chili’s, said that it believes hackers used malware to access guests’ payment card information. The company also stated that the incident occurred between March and April 2018.


Rail Europe

May 14, 2018: A popular website for Americans to book train travel overseas, Rail Europe, confirmed it experienced a three-month data breach from November 2017 to mid-February 2018. The company filed a letter with the California attorney general saying that hackers placed skimming software on its website to capture customers’ credit card numbers, expiration dates and CVV codes. Additional information that these hackers captured includes name, gender, address, telephone number, email address, username and password.


**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**

Nuance Communications

May 17, 2018: Burlington, MA-based Nuance Communications has announced that 45,000 patient records were accessed by an unauthorized party. The records were hosted on one of the company’s medical transcription platforms, and included patient names, dates of birth, medical record numbers and information about their medical condition and treatments. It has been determined that a former Nuance employee had hacked into the company’s servers, and it appears that none of the records were used for malicious purposes.

SOURCE | Health IT Security

University at Buffalo

May 21, 2018: The accounts of more than 2,500 students, alumni and staff were compromised in a University at Buffalo data breach. Those impacted had their login information stolen after visiting a third-party website not associated with the university.


LifeBridge Health

May 22, 2018: The names, addresses, birth dates, insurance information and Social Security numbers of 500,000 patients have been exposed in a data breach of LifeBridge Health. The Baltimore-based healthcare system first recognized that it experienced a cyberattack in March, but the breach itself took place back in September of 2016, leaving patient records open for more than a year and a half.

SOURCE | Baltimore Sun

Aultman Health Foundation

May 29, 2018: Ohio-based healthcare provider, Aultman Health Foundation discovered a data breach impacting a potential 42,600 patients. Hackers gained access to several employee email accounts through a phishing attack. The breached data included patient demographics, physical exam information, medical history, test results and, for some, Social Security and driver’s license numbers.

SOURCE | Healthcare IT News


June 3, 2018: Subsidiary of Eventbrite, concert ticketing service Ticketfly has announced a data breach impacting more than 26 million customer accounts. The stolen information included customer names, addresses, email addresses and telephone numbers.



June 5, 2018: MyHeritage, the genealogy and DNA testing service, experienced a data breach exposing the email addresses and hashed passwords of more than 92 million people. A file containing the data was found on a private, third-party server and then brought to the company’s attention.

SOURCE | The Verge

Dignity Health

June 7, 2018: An emailing error caused a data breach of California-based Dignity Health. Misaddressed emails were sent out, exposing the personal information of 55,947 patients, including patient names and the name of their physician.

SOURCE | Health IT Security


June 11, 2018: A hack of South Korean cryptocurrency, Coinrail, has made waves in the market. The company said in a statement that hackers stole up to 30 percent of the coins from its storage – valued at approximately $37.2 million. News of this hack prompted the value of more popular cryptocurrencies, Bitcoin and Ethereum, to plummet.

SOURCE | TechCrunch

**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**

Chicago Public Schools (CPS)

June 17, 2018: Officials have issued an apology for a recent Chicago Public Schools data breach. The breach occurred after an employee emailed students’ private information to more than 3,700 families. This information included names, email addresses, phone and student identification numbers.

SOURCE | CBS Chicago


June 20, 2018: In the second major cryptocurrency heist of the month, Bithumb has been hacked. Bithumb is the world’s sixth largest cryptocurrency exchange. Like Coinrail (see above), the company is also based in South Korea. As a result of this breach, $32 million worth of cryptocurrencies were stolen.


Med Associates

June 21, 2018: A health billing company in Latham, NY, Med Associates experienced a healthcare data breach potentially exposing the protected health information of 270,000 patients. The breach occurred when an employee’s workstation was compromised by a third party. Patient information including names, dates of birth, diagnosis codes and insurance information could have been compromised.

SOURCE | Health IT Security


June 25, 2018: A spokeswoman from freelance labor-for-hire website, TaskRabbit confirmed the company experienced a data breach affecting more than 3.75 million users. A hacker targeted the site and the names, birth dates, Social Security numbers and bank account numbers of both customers and laborers may have been compromised.

SOURCE | San Francisco Business Times

Click2Gov – Midwest City

June 25, 2018: Officials from Midwest City, OK have learned that an unauthorized party had gained access to the city’s online payment system Click2Gov. Initial reports show that 2,300 customers who used the service between May 25 and June 21 may have been affected. The compromised data includes customer names, billing addresses, and payment card information.

SOURCE | News 9


June 27, 2018: Marketing and data aggregation firm, Exactis, left its database unprotected on a publicly accessible server. In the server were approximately 340 million records. 230 million of those records were consumer information and 110 million were from businesses. Consumer PII included phone numbers, home addresses, and email addresses, along with a slew of 400 other variables to characterize individuals.



June 27, 2018: Event goers may have had their credit card information compromised in a Ticketmaster data breach. Hackers who go by the name Magecart altered code on the company’s website to skim payment card data entered at checkout. It’s been reported that at least 800 other e-commerce sites have been affected by similar attacks.



June 28, 2018: Online customers of Adidas have been notified of a data breach that compromised their contact information, usernames and encrypted passwords. Hackers targeted the Adidas U.S. website, capturing the information of millions of consumers.

SOURCE | Fortune


July 7, 2018: Hackers launched a Fourth of July attack on the popular social media app Timehop. The security breach compromised the names and emails of all its 21 million users, 4.7 million of whom also had a phone number exposed. Timehop said that it has taken steps to include multifactor authentication to improve their cloud security.

SOURCE | TechCrunch

Polar Fitness Trackers

July 9, 2018: Another major fitness tracking app has been breached, this time revealing highly sensitive personal and geographical information of military and counterintelligence personnel. The leak was found on the Polar Flow social platform where users share their exercise data. Beyond fitness information, the data collected includes GPS tracking information, allowing anyone in possession of it to locate and identify the often-confidential location of military bases, embassies, airfields, nuclear storage sites and intelligence agencies. This cyberthreat is clearly a serious and frightening vulnerability. Users of such fitness tracking apps should enable all available privacy settings and watch what they share in online forums.



July 10, 2018: If you shopped online at Macy’s between April 26 and June 12 of this year, expect a letter in the mail. The giant retailer is informing customers that a third party accessed their accounts, gaining access to names, phone numbers, email addresses, birth dates and credit and debit card numbers with the expiration dates.

SOURCE | Chicago Tribune

U.S. Air Force

July 11, 2018: An amateur hacker gained access to an Air Force captain’s computer and obtained classified information about MQ-9A Reaper drones and their operators. The hacker who stole the documents did so by exploiting a known security flaw, then tried to sell them on the dark web for just $150.


Nashville Metro Public Health

July 11, 2018: The personal information identifying thousands of HIV patients sat unprotected on a server at Nashville Metro Public Health. This highly personal and protected health information included the names, addresses, Social Security numbers, dates of birth, sexual preference, illegal drug use history, and more. The breached patient data included both the alive and deceased, and could have been accessed, modified, or stolen by any one of more than 500 Metro Public Health employees.

SOURCE | Tennessean

UMC Physicians (UMCP)

July 12, 2018: An employee of Texas-based healthcare provider, UMC Physicians, had their email account hacked, exposing the personal health information of more than 18,000 patients. This healthcare data breach included names, addresses, phone numbers, medical record numbers, diagnoses, Social Security numbers, dates of birth and health insurance information.


LabCorp Diagnostics

July 17, 2018: The IT network of LabCorp, the largest blood testing laboratory in the U.S., was breached by hackers. RDP brute-force attacks were able to install SamSam ransomware in an effort to extort the organization.

SOURCE | Bleeping Computer

Boys Town National Research Hospital

July 20, 2018: Another healthcare data breach has occurred after Nebraska-based, Boys Town Hospital discovered an employee’s email account had been hacked. The PHI of 105,309 patients and employees may have been exposed as a result. The information compromised included names, dates of birth, Social Security numbers, Medicare or Medicate ID numbers, treatment information, medical record numbers, billing information and health insurance information.

SOURCE | Health IT Security


July 20, 2018: A major tax preparer for small and mid-sized businesses, cloud-based human resources company ComplyRight experienced a data breach affecting 662,000 people. The breach may have exposed the names, addresses, phone numbers, email addresses and Social Security numbers of those impacted.

SOURCE | Krebs on Security


July 25, 2018: Identity theft protection company, LifeLock, has exposed millions of its customers’ email addresses in what is believed to be a security flaw on its website.  It is being reported that this vulnerability could have allowed anyone to easily index customer accounts, unsubscribe them from LifeLock email communications, and conduct phishing attacks to harvest personal data.

SOURCE | Krebs on Security

UnityPoint Health (2)

July 31, 2018: In their second data breach this year, 1.4 million patients of UnityPoint Health may have had their records breached after a successful phishing attack. Hacked accounts included health information, names, addresses, medical data, insurance information and possibly payment card and Social Security numbers.

SOURCE | Healthcare IT News


August 1, 2018: Hackers broke into the Reddit system, and stole current email addresses, and passwords from 2007. The Reddit data breach occurred because it was using an outdated form of two-factor authentication on its employee accounts.


TCM Bank

August 3, 2018: A website misconfiguration of credit card issuer TCM Bank exposed the names, addresses, dates of birth and Social Security numbers of approximately 10,000 people who applied for credit cards between March 2017 and July 2018.

SOURCE | Krebs on Security

SSM Health St. Mary’s Hospital

August 7, 2018: Jefferson City, MO-based, SSM Health St. Mary’s Hospital has disclosed a data breach potentially affecting 301,000 patients. Documents and other materials containing patient health information were discovered remaining at a former hospital campus that was set for demolition.

SOURCE | Becker’s Hospital Review

Adams County, WI

August 10, 2018: The computer systems of Adams County, WI were breached between January 1, 2013 and March 28, 2018. Whomever gained access breached multiple departments including the Veterans Service Office, Health and Human Services, Child Support and the Sherriff’s Office. As a result, the names, addresses, personal information, photographs, health and tax information of 258,120 individuals were exposed.

SOURCE | Wisconsin Rapids Review

MedSpring Urgent Care

August 14, 2018: More than 13,000 patients of Austin, Texas-based MedSpring Urgent Care are being notified of a data breach that occurred after an employee fell victim to a phishing attack. The information included may have included patient names, account numbers, medical record numbers and dates of medical service received.



August 15, 2018: Thousands of users of the popular photo sharing app Instagram have reported their accounts have been hacked. Once in control of the account, hackers are changing the contact information linked to the account, making it extremely difficult for users to regain access. Most reported cases involve the user’s email address being changed to a .ru domain.


**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**

Augusta University

August 16, 2018: The protected health information of 417,000 people has been exposed after a cyberattack on Augusta University. This data breach occurred after several email accounts were compromised in a phishing attack. The individuals affected are primarily patients of Augusta University Health, Augusta University Medical Center, Children’s Hospital of Georgia and more than 80 outpatient clinics around the state.



August 17, 2018: VPN company,, has discovered a hack of the popular video game, Fortnite. Children’s personal data was found for sale on the dark web, where scammers can purchase credentials and rack up huge in-play charges on the video game. Cybercriminals can also use the pirated credentials to gain access to bank accounts or payment card information.

SOURCE | The Sun

Eastern Maine Community College

August 17, 2018: Victims of a recent data breach at EMCC include students at the school between 1998 and 2018, or workers there between 2008 and 2018. The college’s system was compromised after a malware attack. Usernames, passwords, names, addresses, Social Security numbers and dates of birth of 42,000 people may have been accessed.

SOURCE | Bangor Daily News

Legacy Health

August 20, 2018: Legacy Health experienced a data breach exposing about 38,000 patients’ personal, medical, and billing information. According to the Portland, Oregon-based health system, someone breached multiple employees’ email accounts. The compromised data includes patient names, dates of birth, health insurance information, billing information, medical records, Social Security numbers and driver’s license information.

SOURCE | The Oregonian


August 21, 2018: Cloud-based video service, Animoto, has announced a data breach that exposed users’ names, usernames, email addresses, hashed passwords, geolocation, gender and date of birth. The company stated that payment information, which is stored in a separate system, was not accessed.


Cheddar’s Scratch Kitchen

August 22, 2018: An unauthorized third party accessed the payment system of Cheddar’s Scratch Kitchen between November 2017 and January 2018. This breach may have compromised the payment card information of 567,000 customers who dined at the restaurant during that period.

SOURCE | Reuters


August 23, 2018: The personal data of 93,000 users of the popular babysitting booking app, Sitter, was temporarily exposed in an unsecured database. The information contained phone numbers, addresses, transaction details, phone contacts, partial credit card numbers and encrypted account passwords.

SOURCE | Naked Security by Sophos


August 27, 2018: Cell phone giant, T-Mobile experienced a data breach affecting 2 million customers. Hackers breached the company’s systems and stole customer names, billing zip codes, phone numbers, email addresses, account numbers and account types. Luckily, it appears that no financial or billing data was compromised.


Air Canada

August 29, 2018: The mobile app of Air Canada has been breached, exposing the personal information of about 20,000 customers. In total, the app has about 1.7 million users, and the airline has locked down all accounts as a precaution. The data that may have been compromised includes names, email addresses, telephone numbers, Aeroplan numbers, passport information and dates of birth.



September 4, 2018: Millions of sensitive records have been leaked online by mSpy for the second time in three years. The mobile spyware maker that allows customers to spy on the cell phone usage of their kids and partners left passwords, call logs, text messages, contacts, notes and location data unprotected on an open database. Every customer who logged into the site or purchased a mSpy license within the past six months was exposed.

SOURCE |  Krebs on Security


September 6, 2018: Alabama-based fast food restaurant, Foosackly’s has warned customers of a data breach. An unauthorized third party gained access to the restaurant’s payment system, compromising payment card data of an estimated 165,000 customers.


British Airways

September 7, 2018: Hackers are behind a recent British Airways data breach that’s affected 380,000 customers. Travelers who booked flights on the airline’s website or mobile app between August 21 and September 5, 2018, were compromised. The information stolen included names, physical and email addresses and full credit card details.


September 17, 2018: KrebsOnSecurity has reported a data leak by Government Payment Service Inc., exposing more than 14 million customer records dating back to 2012. The Indianapolis-based business serves approximately 2,600 government agencies across 36 states to facilitate the online payment of traffic citations, licensing fees, bail payments, and court-ordered fines. Customer names, addresses, phone numbers and partial credit card information was compromised.

SOURCE | Krebs on Security

MongoDB Server

September 18, 2018: A massive customer database containing 11 million records was discovered unprotected on a MongoDB server. The ownership of the database remains unknown, but signs point toward affiliate marketing program, SaverSpy. The information exposed included names, email addresses, and physical addresses.

SOURCE | Bleeping Computer


September 19, 2018: Hacking group Magecart is behind the Newegg data breach which exposed customer credit card information. From August 14 until September 18, 2018, the payment page was compromised by a skimming code that captured payment card numbers. The exact number of victims has not been reported.


Independence Blue Cross

September 19, 2018: The Blue Cross health plan for the Philadelphia region, Independence Blue Cross experienced a data breach impacting 17,000 of its members. The breach occurred after an employee uploaded protected health information onto a public-facing website. The information exposed included member name, date of birth, diagnosis codes, provider information, and other information used for claim processing purposes, such as claim number, referral number, and service dates.

SOURCE | Health IT Security


September 25, 2018: Nearly 6.5 million shoppers of online retailer SHEIN have been exposed in a data breach. The breach began in June 2018 and was discovered in August. It’s been revealed that hackers targeted SHEIN’s servers in a “concerted criminal cyberattack,” revealing customer email addresses and encrypted password credentials.

SOURCE | The Hacker News


September 26, 2018: More than 40 million customers have been affected by a Chegg data breach. The education technology company discovered that a company database was hacked back in April of 2018, exposing customer names, email and physical addresses, username and passwords. No Social Security numbers or payment information was compromised.



September 28, 2018: In yet another privacy issue for the social media giant, Facebook announced that about 90 million user accounts have been compromised by hackers. A weakness in a line of code exposed a vulnerability in Facebook’s “View As” feature, which allows users to see how their profile looks to the public or others on the site.



October 1, 2018: Hackers infiltrated the corporate email system of Toyota Industries North America, with an estimated 19,000 individuals being affected as a result. The information exposed includes names, home addresses, dates of birth, phone numbers, financial information, Social Security numbers and at least 12 additional types of sensitive data.

SOURCE | HealthData Management


October 2, 2018: A startup sales engagement company Apollo suffered a hack that exposed more than 200 million contact records from its prospect database. Names, email addresses, company names and other business contact information was included in the data. No financial or Social Security information was compromised.

SOURCE | SC Magazine

Central Main Power

October 3, 2018: The low-income assistance program of Central Maine Power improperly secured online customer letters, leading to the exposure of 77,300 names, addresses and former utility account numbers.

SOURCE | Sun Journal


October 8, 2018: A Google security bug discovered in March 2018 became public on October 8, 2018. Google+ user profile data sat unprotected dating back to 2015 and could be accessed by third-party developers. The information of 496,951 Google+ users, including names, email addresses, dates of birth, gender, photos, location, occupation and relationship status were among the data exposed.

SOURCE | TechCrunch

Department of Defense

October 14, 2018: Pentagon officials have announced a data breach in which hackers accessed a system that maintained employee travel records. At least 30,000 employees were affected in this latest Department of Defense breach. Personal information and credit card numbers were among the data exposed.

SOURCE | Forbes

U.S. Centers for Medicare & Medicaid Services (CMS)

October 19, 2018: The files of approximately 75,000 individuals were exposed in a CMS data breach. The breach was detected after the agency recognized anomalous activity in the Direct Enrollment program used by brokers to help consumers get insurance coverage. It has not revealed what information may have been compromised.


Cathay Pacific

October 25, 2018: A data breach of Hong Kong-based airline, Cathay Pacific has exposed the personal data and travel histories of 9.4 million people. Hackers gained access to phone numbers, dates of birth, frequent flier membership numbers, passport and government ID number and email addresses. After revealing the news Cathay Pacific’s share price plummeted to a 9-year low, showing just how damaging a data breach can be.

SOURCE | New York Times

Jones Eye Clinic

October 25, 2018: Patients who registered between 2003 and August 2018 at Sioux City-based Jones Eye Clinic were exposed in a data breach. It’s been estimated that the names, dates of birth, dates of service, medical record numbers and Social Security numbers of 40,000 people were compromised.

SOURCE | Health IT Security


October 26, 2018: Approximately 10,000 customers have been affected in a Raley’s pharmacy data breach. A laptop containing the names, genders, dates of birth, health plans, plan ID number and medical conditions was stolen on September 24th.



October 29, 2018: EDM festival-goers who attended Tomorrowland 2014 have had their personal information exposed. Hackers gained access to the ticketing system Paylogic, compromising the names, addresses, ages, postcodes and genders of 64,000 attendees.

SOURCE | SC Magazine

**Learn more about IdentityForce’s Data Breach Rapid Response Plan for businesses here.**


November 7, 2018: From October 4-14, 2018, HSBC bank was breached by hackers in a credential-stuffing attack. These incidents occur when criminals take usernames, passwords and other data stolen from social media or other sites, and applies them to gain access to different accounts. It’s been estimated that 14,000 U.S. customers had their names, addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances and transaction history exposed.

SOURCE | Bank Info Security

Canada Post

November 8, 2018: The Ontario Cannabis Store (OCS) has reported a data breach that occurred through Canada Post, affecting the information of 4,500 customers. The information was accessed by a person using a Canada Post delivery tracking tool, and included names or initials, postal codes, dates of delivery, OCS reference numbers, tracking numbers and OCS corporate names and business addresses.


Huntsville Hospital

November 8, 2018: Alabama-based, Huntsville Hospital has reported that a vendor that they used for employment applications, Jobscience, experienced a data breach that exposed applicant records dating back to 2006. Approximately 15,000 individuals had their personal information exposed in the breach. The hospital is providing identity theft protection to those affected and no longer uses this vendor’s services.


Bankers Life

November 9, 2018: More than 566,000 individuals have been affected in a newly reported Bankers Life data breach. The breach resulted from a hacking incident in which the unauthorized third party accessed employee credentials to various company websites. Names, addresses, dates of birth, insurance information and the last four digits of Social Security numbers were among the exposed data. This breach represents the fifth largest instance reported to the HIPAA Breach Reporting Tool in 2018.

SOURCE | Bank Info Security


November 9, 2018: A contract worker at Seattle-based retailer Nordstrom accessed sensitive employee information in a security breach. Nordstrom employs about 72,500 people. The information exposed in the breach included their names, Social Security numbers, dates of birth, checking account and routing numbers and salaries. The company has notified those affected and is offering them 2 years of identity theft protection.

SOURCE | Seattle Times

Health First

November 12, 2018: Florida-based healthcare provider, Health First reported a data breach that occurred between February and May 2018. The breach occurred after a small number of employees fell victim to a phishing scam, which compromised the information of 42,000 customers. Social Security numbers, addresses and dates of birth were among the information exposed.


US Postal Service (USPS)

November 12, 2018: The U.S. Secret Service has issued an alert to law enforcement about identity thieves taking advantage of USPS’ Informed Delivery. Informed Delivery allows users to digitally preview their mail and track delivery. However, ID thieves are using it to watch people’s activity and intercept their mail. The fraudsters also sign victims up for credit cards, then steal them. An estimated 60 million people have had their email address, username, user ID, account number, street address, phone number and tracking data exposed.



November 16, 2018: A provider of cloud-based communication services, San Diego-based Vovox exposed at least 26 million text messages on an unprotected server. Security researchers discovered the vulnerability, which allowed them to see, in real time, millions of SMS messages being transmitted. These included sensitive information like password reset links, two factor authentication codes and other data.

SOURCE | TechCrunch


November 21, 2018: An unknown number of Amazon customers received a cryptic email saying that their email address had been disclosed due to a technical error. Despite the Amazon breach, the company did not recommend that users change their passwords.

SOURCE | TechCrunch

Atrium Health

November 28, 2018: At least 2.65 million patient names, addresses, dates of birth, insurance information, medical record numbers and payment records have been exposed in a data breach of Atrium Health. To make matters worse, approximately 700,000 Social Security numbers were compromised in this security incident. The breach was caused by a third-party billing vendor called AccuDoc Solutions. Those who had their SSN implicated are being offered free credit monitoring services.



November 28, 2018: Data on nearly 57 million Americans, including names, email addresses, home addresses, states, ZIP codes, phone numbers, and IP addresses, has been leaked online for two weeks by an unsecured ElasticSearch server. An additional database of business information totaling nearly 26 million records was also uncovered on the server, which has since been taken offline.


Dunkin’ Donuts

November 29, 2018: Customers of Dunkin’ Donuts’ DD Perks loyalty program may have had their accounts hacked. The company issued a warning to members stating that hackers may have had access to their private information. That information included names, email addresses, DD Perks account numbers and DD Perks QR codes. It is unclear how many customers were affected in the hack.



November 30, 2018: In the largest breach of the year (to date), Marriott announced a data breach affecting 500 million guests. The hotelier’s Starwood guest reservation database was hacked dating back to 2014, exposing the names, addresses, email addresses, dates of birth, phone numbers, gender, passport numbers, Starwood rewards information, travel detail and communication preferences of half a billion customers. An undisclosed number of guests also had their payment card numbers and expiration dates compromised.


Signet Jewelers

December 3, 2018: The parent company of popular retailers Jared and Kay Jewelers leaked data on all of its online customers. In November of 2018 a customer noticed that by slightly modifying the confirmation link he received via email, he was able to see other customers’ order details. The information included names, billing addresses, shipping addresses, phone numbers, email addresses, items purchased, delivery dates, tracking link and the last four digits of credit card numbers.

SOURCE | Krebs on Security


December 4, 2018: Question and answer site, Quora announced a mega breach impacting 100 million users. Hackers gained access to the company’s servers, which contained users’ names, email addresses, encrypted passwords and publicly posted questions/ answers/ comments. Quora has informed law enforcement and those affected.


Google+ (2)

December 10, 2018: In its second security issue since August, Google has announced that an update to the Google+ API on November 7th exposed the data of 52.5 million users. This data included people’s name, email address, occupation, and some additional profile information.


City of Topeka

December 10, 2018: About 10,000 residents have been exposed in a data breach of the Topeka Utilities Department. Anyone who went online to make a payment between October 31st and December 7th may have been compromised. The city of Topeka is sending notification letters to all who may have been affected.


Baylor Scott and White Medical Center – Frisco

December 11, 2018: A hack of Texas-based Baylor Scott and White Medical Center-Frisco exposed the payment information of nearly 48,000 patients. The information also included names, dates of service, medial record numbers, account data, insurance information and invoice numbers.

SOURCE | Health IT Security


December 14, 2018: In yet another data privacy incident, Facebook announced a security bug that allowed third-party app developers to view the private photos of 6.8 million users. Private photos, Facebook Stories and Marketplace photos were exposed over the course of 12 days in September.


Wright County, Minnesota

December 14, 2018: An IT employee of Wright County has been fired after took private citizen data so that he could work from home. As many as 72,000 people were impacted, with data including Social Security numbers and financial information potentially compromised.


University of Vermont Health Network – Elizabethtown

December 18, 2018: Patients of UVM’s Elizabethtown Community Hospital have had their personally identifiable information (PII) exposed after an unauthorized individual gained control of an employee’s email account. The names, dates of birth, addresses and medical information of 32,000 patients were involved in the breach. An additional 1,200 individuals had their Social Security numbers implicated.


Warby Parker

December 21, 2018: Prescription glasses online retailer, Warby Parker, has reported that hackers attempted to log in to Warby Parker accounts between September and November, 2018. The company believes the cybercriminals may have used stolen information, including usernames and passwords, obtained through security breaches at other companies. The names, email addresses, last four digits of payment cards, and prescription information of 198,000 customers were potentially accessed during the hack.

SOURCE | Philadelphia Inquirer

San Diego Unified School District

December 26, 2018: A phishing attack against San Diego Unified School District has given a hacker access to the sensitive information of over 500,000 staff and students. After investigating suspected phishing emails throughout the district, officials found the hacker had gathered login information from more than 50 staff members who fell victim to the attack. The cybercriminal had access to school systems between January to November, 2018, and was able to access data dating back to the 2008-2009 school year. Information attained in the security breach includes names, addresses, Social Security numbers, date of birth, phone numbers, payroll and compensation information and health benefits enrollment information.



December 26, 2018: Concord, California-based online retailer of alcohol, BevMo! announced a data breach impacting as many as 14,000 customers. In a statement, the company reported that a hacker was able to place malicious code on its checkout page, capturing information including names, full credit and debit card details, billing addresses, shipping addresses and telephone numbers.



Please enter your comment!
Please enter your name here