No products in the cart.

Free shipping on any purchase of 75$ or more!



No products in the cart.

Home Blog Page 3

We has the Pandora Papers


So you’ve heard of the Offshore leaks, Paradise Papers, Panama Papers. Pandora Papers is the latest leaks

So who have been identified in this latest set of leaks? They include:

  • The owners of more than 1,500 UK properties bought using offshore firm. This include former Prime minister Tony Blair.
  • The Qatari ruling family
  • Sir Philip and Lady Green went on a property spree after off-loading the BHS retail chain.
  • A prominent Tory donor who was involved in one of Europe’s biggest corruption scandals
  • the King of Jordan’s £70m spending spree on properties in the UK and US through secretly-owned companies
  • Azerbaijan’s leading family’s hidden involvement in property deals in the UK worth more than £400m
  • the Czech prime minister’s failure to declare an offshore investment company used to purchase two French villas for £12m
  • how the family of Kenyan president Uhuru Kenyatta’s secretly owned a network of offshore companies for decades

Read more here:

KPMG acquires Certus


KPMG Australia has signed an agreement to acquire Certus APAC. The move, which will provide additional Oracle specialist skills to KPMG’s digital transformation and cloud services capabilities, comes at a critical time for clients challenged with navigating their organisations through COVID.

Announcing the deal today, KPMG Australia CEO Andrew Yates commented: “The pandemic has forced organisations to re-evaluate how they interact with their customers, staff and suppliers, and determine if their current systems are fit-for-purpose. Remote work and reduced face-to-face contact have changed mobility and virtual accessibility needs, and driven the requirement for more robust human capital management systems to engage with staff. Supply chains have become increasingly complex, requiring more sophisticated and flexible systems. Our clients are looking to us to help solve these problems, and Oracle cloud capabilities will add a further dimension to our technology enablement offering.” 

Founded in 2014, Certus APAC is an Oracle implementation partner that specialises in the delivery, training and support of cloud services to clients in industries such as financial services, utilities, retail and the public sector. Certus APAC is a recognised Oracle Platinum Specialised Partner and a training provider to Oracle University. 

Founder and Managing Partner Ian Wood will join KPMG as a partner, bringing with him his co-founders Richard Atkins, Rebecca Hodgson, Sumit Malhotra and Lee Martin and 36 team members located in Sydney, Melbourne and India. The Certus APAC team will be integrated into KPMG’s technology enablement teams, adding specialist Oracle cloud capabilities across a wide range of applications including ERP (Enterprise Resource Planning) and HCM (Human Capital Management). 

Ian Wood, Managing Partner of Certus APAC said: “Our rapid growth over the past four years has been fuelled by increasing demand for Oracle cloud transformation. This has accelerated significantly during the pandemic, and we have reached a stage where the resources and support of a large firm was the logical next step. Joining with KPMG will allow us to continue this growth trajectory and focus on what we do best. The alignment of opportunity and most importantly, culture, makes this the perfect fit for both sides. Innovation and agility are at the heart of what we do, and KPMG are as passionate as we are about creating measurable value for our clients.”

Certus APAC will become part of KPMG Australia in late 2021, subject to the successful completion of the acquisition. Commercial terms were not disclosed.

Andrew Yates added: “Ian and his team have an outstanding track record. We are delighted to welcome such a talented bunch of people, and I am excited to see what they can achieve as part of KPMG.”

Today’s announcement builds upon KPMG Australia’s strategic plan to expand into technology enablement. In 2015, the firm acquired Microsoft partner Hands-On Systems, followed by Murex software specialist IT Markets in 2016. In 2020, Alex Moreno joined the firm as the first national head of Salesforce capability.

Accenture acquires Industrie&Co


Founded in 2007, Industrie&Co has grown to a headcount of more than 170 staff spread across offices in Melbourne, Hong Kong, Singapore and its headquarters in Sydney, with 150 expected to cross to Accenture in Australia. Among them are current chief executive and co-founder Con Zeritis and Hong-Kong based managing director and one-time EY consultant Antony Morris, who both cross to Accenture as managing directors.

“We are delighted to have the opportunity to become part of Accenture, we share entrepreneurial values and ambition to drive innovation, growth and business outcomes,” said Zeritis. “Accenture’s vast client network, global scale and investment in their cloud-first strategy makes for an ideal home to enable us to accelerate our growth objectives for both our clients and team.”

Industrie&Co has completed over 200 client engagements with organisations like Macquarie Bank, NAB, ING, AMP, HSBC, the ASX and human capital consultancy Mercer. Services are grouped around strategy & design, agile delivery, software engineering, and cloud & devops.

“The Industrie&Co team brings to Accenture a strong industry footprint and culture of innovation, that will enable us to drive growth for our clients,” said Accenture’s Australia and New Zealand CEO Tara Brady, who took over just ahead of the recent cloud-acquisitions last year. “In the context of a constrained talent market, Industrie&Co’s skills will ensure we are well positioned to continue to accelerate our client’s growth and innovation capabilities.”

“The Industrie&Co team brings to Accenture a strong industry footprint and culture of innovation, that will enable us to drive growth for our clients,” said Accenture’s Australia and New Zealand CEO Tara Brady, who took over just ahead of the recent cloud-acquisitions last year. “In the context of a constrained talent market, Industrie&Co’s skills will ensure we are well positioned to continue to accelerate our client’s growth and innovation capabilities.”

Tor Browser


You might have heard of the Dark Web. Here is how you can get access:

If you want to know how the Tor network works, see:

CCP Membership Database Leaked


Here it is. It’s an information war. And the China Communist Party (CCP) membership database is the latest target. It’s pants down. Go get some data…

Oops. Too late. Have you tried the Dark Web?

Data Breaches 2021


January 2, 2020: Restaurant conglomerate Landry’s announced a point-of-sale malware attack that targeted customers’ payment card data. The collected data included credit and debit card numbers, expiration dates, verification codes and cardholder names.

SOURCE | Threatpost

Peekaboo Moments

January 14, 2020: An unsecured database on an Elasticsearch server linking back to Peekaboo Moments, an app where parents post images and videos of their children, was left exposed.  An undisclosed number of email addresses, geographic location data, detailed device data and links to photos and videos posted by parents have been impacted.

SOURCE | BankInfoSecurity

Hanna Andersson

January 20, 2020: An undisclosed number of shoppers of the children’s clothing retailer, Hanna Andersson, had sensitive payment information exposed. This breach is the latest in a string of Magecart attacks, where hackers install malicious malware in Point of Sale (POS) systems to skim credit card information. Customers who made online purchases from September 16, 2019, to  November 11, 2019, had their names, shipping addresses, billing addresses, payment card numbers, CVV codes and expiration dates skimmed and put for sale on the dark web.

SOURCE | BleepingComputer


January 22, 2020: A customer support database holding over 280 million Microsoft customer records was left unprotected on the web. Microsoft’s exposed database disclosed email addresses, IP addresses, and support case details. Microsoft says the database did not include any other personal information.


Marijuana Dispensaries

January 23, 2020: THSuite, a point-of-sale system of marijuana dispensaries across the U.S., disclosed personal information belonging to over 85,000 medical marijuana patients and recreational users after leaving their database unprotected. The data breach impacted names, date of births, phone numbers, emails, street addresses, patient names and medical ID numbers, cannabis variety and the quantity purchased, total transaction costs, date received and photographs of scanned government and employee IDs.

SOURCE | Security Magazine

Estee Lauder

February 11, 2020: An unsecured database belonging to the makeup company Estee Lauder exposed 440 million customer records. No payment or sensitive information was impacted but email addresses, IP addresses, ports, pathways and storage information were disclosed in the database.

SOURCE | Estee Lauder

Fifth Third Bank

February 11, 2020: Fifth Third Bank, a financial institution with 1,150 branches in 10 states, claims a former employee is responsible for a data breach, which exposed customers’ name, Social Security number, driver’s license information, mother’s maiden name, address, phone number, date of birth and account numbers. The total number of affected employees and banking clients remains undisclosed.

SOURCE | Cincinnati.com

Health Share of Oregon

February 13, 2020: The theft of an employee laptop from GridWorks IC, a third-party vendor of Health Share of Oregon, has exposed the personal and medical information of 654,000 members. The Health Share of Oregon data breach disclosed sensitive data, including names, addresses, phone numbers, dates of birth, Social Security numbers and Medicaid ID numbers.


MGM Resorts

February 20, 2020: Over 10.6 million hotel guests who have stayed at the MGM Resorts have had their personal information posted on a hacking forum. The data dump exposed includes names, home addresses, phone numbers, emails, and dates of birth of former hotel guests.  Updated July, 15 2020: Researchers found 142 million personal records from former guests at the MGM Resorts hotels for sale on the Dark Web, hinting that the original breach was larger than previously announced.



February 20, 2020: The photography app, PhotoSquared, has exposed the personal information and photos of the 100,000 individuals who have downloaded the app. Besides photos, user’s names, addresses, order receipts and shipping labels were impacted in the unsecured database.

SOURCE | vpnMentor


February 24, 2020: Slickwraps, an online tech customization store, admitted to leaving the information of 850,000 customers in an unprotected database. The customer information disclosed includes names, email addresses, physical addresses, phone numbers and purchase histories.



March 2, 2020: Walgreens, the second-largest US pharmacy chain, announced an error within their mobile app’s messaging feature that exposed personal messages sent within the app, names, prescription numbers and drug names, store numbers, and shipping addresses of its users. The total number of users affected has not been disclosed but the pharmacy’s app has over 10 million downloads.

SOURCE | Health IT Security

Carnival Cruise Lines

March 4, 2020: Two cruise lines under the Carnival Corporation, one of the world’s largest cruise ship operators, divulged sensitive information of its employees and customers after a hacker accessed an employee’s work email. The information accessed from the Princess Cruises and the Holland America Line includes names, addresses, Social Security numbers, government identification numbers, such as passport number or driver’s license number, credit card and financial account information and health-related information.

SOURCE | BleepingComputer


March 4, 2020: Hackers successfully accessed online accounts of customers of the apparel retailer, J-Crew, through a credential stuffing attack. Using exposed emails and passwords, the hackers were able to login to an unknown number of J-Crew customer accounts and gain access to stored information including the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers, shipping confirmation numbers and shipment status.

SOURCE | BleepingComputer


March 5, 2020: An unknown number of customers’ sensitive information was accessed through a T‑Mobile employee email accounts after a malicious attack of a third-party email vendor. The personal information of T-Mobile customers accessed includes names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information and rate plans and features.

SOURCE | Security Magazine


March 11, 2020: Whisper, an anonymous secret-sharing app, has left member information exposed in an unsecured database. Although the app does not collect names, the database included nicknames, ages, ethnicities, genders and location data of over 900 million users.



March 18, 2020:  The online guitar lessons website, TrueFire, notified its users that a hacker gained access to names, addresses, payment card account numbers, card expiration dates and security codes for the past six months. The total number of users affected is still unknown, but TrueFire has millions of users worldwide.

SOURCE | Infosecurity Magazine

Unnamed U.K-Based Security Firm

March 19, 2020: An unprotected database containing over 5 billion individual records was discovered stored on Elasticsearch. This “database of data breaches” was managed by an undisclosed U.K.-based security firm, and has since been taken offline according to the security researcher who discovered the leak.  The records in the database come from various, previously breached sources dating back at least seven years, with records belonging to Adobe, Twitter, Tumbler, and LinkedIn, among many others. Data exposed includes leak dates, passwords, email addresses, email domains, and companies that were the source of the original leaks.

SOURCE | Security Discovery

General Electric

March 24, 2020: The technology conglomerate, General Electric (GE), disclosed that a third party vendor experienced a data breach, exposing the personally identifiable information of over 280,000 current and former employees. The employee information accessed through Canon Business Process Services included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers and dates of birth.

SOURCE | BleepingComputer

Marriott International

March 31, 2020: Using the login credentials of two employees through a third-party app used to provide guest services, Marriott International hotels exposed the information of 5.2 million guests. The personal information of the hotel guests impacted includes names, mailing addresses, email addresses, phone numbers, loyalty account numbers and points balances, company, genders, birth dates, linked airline loyalty programs and numbers, room preferences and language preferences.

SOURCE | Naked Security

Key Ring

April 6, 2020: A digital wallet app, Key Ring, left stored customer data of 14 million users accessible in an unsecured database. The app allows its users to easily upload and store scans and photos of membership and loyalty cards to a digital folder in their mobile device. The exposed data includes names, full credit card details (including CVV numbers), email address, birth date, address, membership ID numbers, retail club and loyalty card memberships, government IDs, gift cards, medical insurance cards, medical marijuana IDs, IP address and encrypted passwords.

SOURCE | Security Boulevard

San Francisco International Airport (SFO)

April 13, 2020: Two websites hosted by the San Francisco International Airport (SFO), SFOConnect.com and SFOConstruction.com, suffered a security incident in which hackers injected malicious code to collect users’ login credentials. The malware gained access to usernames and passwords used to log on to the impacted websites.

SOURCE | Security Boulevard


April 14, 2020: The credentials of over 500,000 Zoom teleconferencing accounts were found for sale on the dark web and hacker forums for as little as $.02. Email addresses, passwords, personal meeting URLs and host keys are said to be collected through a credential stuffing attack.

SOURCE | BleepingComputer


April 14, 2020:  A collection of 4 million login records belonging to the online marketplace Quidd was breached through a hack then posted on the dark web forum for free. Once accessible, the usernames, email addresses and hashed account passwords were shared among members of the forum.


Beaumont Health

April 20, 2020: The personal and medical information of over 112,000 employees and patients of Beaumont Health was accessed by a malicious actor after compromising employee email accounts through a phishing attack. The information impacted includes names, birth dates, Social Security numbers, driver’s license numbers, medical condition data and bank account data.



April 21, 2020: More than 267 million Facebook profiles have been listed for sale on the Dark Web – all for $600. Reports link these profiles back to the data leak discovered in December, with additional PII attached, including email addresses. Researchers are still uncertain how this data was exposed, but have noted that 16.8 million of the Facebook profiles now include more data than originally exposed.

SOURCE | BleepingComputer


April 22, 2020:  A card payments processor startup, Paay, left a database containing 2.5 million card transaction records accessible online without a password. The exposed payment transaction belonging to 15 to 20 merchants includes full plaintext credit card number, expiry date and the amount spent.

SOURCE | TechCrunch

Small Business Administration

April 27, 2020:  The Small Business Administration (SBA) announced an unknown third party accessed a government portal, affecting the applications of 8,000 businesses applying for the Economic Injury Disaster Loan program. The breached portal exposed names, Social Security numbers, physical and email addresses, dates of birth, citizen status and insurance information of business owners applying for emergency loans during COVID-19.



April 27, 2020:  A credential stuffing attack using previously exposed user IDs and passwords of popular video game company, Nintendo, granted hackers access to over 160,000 player accounts. With unauthorized access to the accounts, the fraudsters may have purchased digital items using stored cards and viewed personal information including name, date of birth, gender, country/region and email address.

SOURCE | TechRepublic

Ambry Genetics

April 28, 2020:  Ambry Genetics, a genetic testing laboratory based in the U.S., announced 233,000 medical patients had their personal and medical information accessed by a third party through an employee email. The unauthorized party accessed names, information related to customers’ use of the genetic laboratory’s services and medical information as well as the Social Security numbers of some of the victims.

SOURCE | Security Boulevard


May 4, 2020:  The web hosting site, GoDaddy, announced to its users that an unauthorized third party was granted access to login credentials. Of the site’s 19 million users, as many as 24,000 users had their usernames and passwords exposed. The company has reset passwords to prevent further access.

SOURCE | BleepingComputer

Fresenius Group

May 5, 2020:  A reported ransomware attack on the Fresenius Group, a global healthcare company and one of the largest dialysis equipment providers in the U.S., impacted the company’s operations around the world. The organization claims their system was affected by a computer virus, but a source confirmed the hacker held the healthcare’s IT systems and data hostage in exchange for payment in bitcoin.

SOURCE | Krebs on Security

U.S. Marshals

May 13, 2020:  The personal information of 387,000 former and current inmates was access by a hacker who exploited a server vulnerability in a U.S. Marshals Service database. The information exposed includes names, dates of birth, social security numbers and home addresses.


Magellan Health

May 13, 2020:  Magellan Health, a Fortune 500 healthcare company, has sent a notice to its patients that it had fallen victim to a phishing scam and ransomware attack. The information held for ransom includes names, contact information, employee ID numbers, W-2 or 1099 information, including Social Security numbers or taxpayer identification numbers, as well as login credentials and passwords for employees.

SOURCE | Threatpost

Home Chef

May 20, 2020: The information belonging to 8 million users of the home meal delivery service, Home Chef, was found for sale on the dark web after a data breach. The data found for sale includes names, email addresses, phone numbers, addresses, scrambled passwords and the last four digits of credit card numbers.

SOURCE | TechCrunch


May 20, 2020: Over 40 million users of the mobile app, Wishbone, had their personal information up for sale on the dark web. Usernames, emails, phone numbers, location information and hashed passwords were exposed in a data breach before being advertised in a hacking forum.



May 24, 2020: At least 25 million Mathway app users, a top-rated mobile app calculator, had their email address and password exposed to data thieves, and the leaked database was quickly found for sale on the dark web. The breached data also included “back-end system data,” which wasn’t identified specifically, but is typically the type of data that runs behind the scenes on a server, powering the application for the end-user but is not visible to the user.

SOURCE | Komando


May 28, 2020: More than 5 million user records belonging to Minted, an online consumer marketplace for art, home decor and stationary, were sold by a hacker on the dark web. The information involved included customers’ names, login credentials, telephone number, billing address, shipping address and date of birth.

SOURCE | Minted


June 2, 2020: In a notification to its users, the passenger railroad service Amtrak announced an unknown third party accessed an undisclosed number of Amtrak Guest Rewards accounts. The company claims only usernames, passwords and some personal information was exposed, and no Social Security numbers or financial data was accessed.



June 15, 2020: The jewelry and accessories retailer Claire’s announced it was a victim of a magecart attack, exposing the payment card information of an unknown number of customers. The retailer has 3,500 locations worldwide and e-commerce operations and claims the breach only affected online sales.

SOURCE | SC Magazine


June 17, 2020: Cognizant, one of the largest IT managed services company, announced its user’s information was accessed and stolen in a ransomware attack back in April 2020. The personal information involved in this incident included names, Social Security numbers, tax identification numbers, financial account information, driver’s licenses and passport information.

SOURCE | BleepingComputer


June 22, 2020: More than 296 GB of data was leaked from US law enforcement agencies and fusion centers and posted the files online on a searchable portal titled BlueLeaks. The leaked data contains over one million files, such as scanned documents, videos, emails, audio files, some of which included sensitive and personal information, such as names, bank account numbers and phone numbers.

SOURCE | BleepingComputer


June 23, 2020: security lapse at Twitter caused the account information of the social media company’s business users to be left exposed. The number of impacted business accounts has not been disclosed but its business users’ email addresses, phone numbers and the last four digits of their credit card number were impacted.

SOURCE | TechCrunch


July 7, 2020: Popular casino gambling app Clubillion has suffered a data leak, exposing the PII of millions of users around the world according to researchers at vpnMentor. While it was open to searchers, the Clubillion database was recording up to 200 million records a day, including users’ IP addresses, email addresses, amounts won and private messages within the app.

SOURCE | vpnMentor

Polk County

July 16, 2020: Over 450,000 residents of Polk County, Florida had their driver’s license numbers and Social Security numbers exposed after an employee at Polk County Tax Collector fell victim to a phishing attack.



July 16, 2020: An unprotected database belonging to the actor casting company, MyCastingFile.com, exposed the data of roughly 260,000 individuals. The personal information disclosed includes names, physical addresses, email addresses, phone numbers, work histories, dates of birth, height and weight, ethnicity and physical characteristics, such as hair color and length.



July 20, 2020: An unsecured server exposed the sensitive data belonging to 60,000 customers of the family history search software company, Ancestry.com. The details leaked include email addresses, geolocation data, IP addresses, system user IDs, support messages and technical details.

SOURCE | Wizcase


July 23, 2020: The personal details of over 17 million users of the free online lodging service, CouchSurfing, was found for sale on the dark web. The user information disclosed included names, email addresses, user IDs and CouchSurfing account settings but no passwords.


Dave Mobile Banking App

July 26, 2020: A third-party breach leaked the account details of over 7.5 million users of the digital banking app, Dave. Although no financial information was disclosed, the breach exposed names, phone numbers, emails, birth dates, home addresses and encrypted Social Security numbers.



July 28, 2020: The online alcohol delivery startup Drizly disclosed to its customers that a hacker accessed the account details of 2.5 million Drizly accounts. The customer information exposed included email addresses, date-of-birth and hashed passwords.

SOURCE | Crunchbase


July 28, 2020: The video creation platform, Promo.com, confirmed their 22 million customers have had their personal and account information exposed in a third-party data breach. The compromised data includes names, email addresses, IP addresses, user location, gender and encrypted passwords.

SOURCE | Security Boulevard


July 28, 2020: An unsecured database exposed the personally identifiable information (PII) of 19 million customers and potential employees of the cosmetic company, Avon. The leaked information included names, phone numbers, dates of birth, email and home addresses and GPS coordinates, as well as other technical information.

SOURCE | Infosecurity Magazine

Instagram, TikTok & Youtube

August 20, 2020: Researchers at Comparitech uncovered an unsecured database with 235 million Instagram, TikTok, and YouTube user profiles exposed online belonging to the defunct social media data broker, Deep Social. The scraped profile information in the data leak includes names, ages, genders, profile photos, account descriptions, statistics about follower engagement and demographic such as number of likes, followers, follower growth rate, engagement rate, audience demographic (gender, age and location) and whether the profile belongs to a business or has advertisements.

SOURCE | Forbes


August 21, 2020: Freepik, a free image database, sent out a breach notification to 8.3 million users that their account login information was exposed through injected malware on their website. The malware collected emails of all users and hashed passwords of 3.77 million users.


Dynasplint Systems

August 26, 2020: A motion rehabilitation device manufacturer, Dynasplint Systems, experienced an encryption attack on its business devices that exposed the personal and medical information of 103,000 patients. The accessed information includes names, addresses, dates of birth, Social Security numbers and medical information.


Utah Pathology Services

August 31, 2020: In an attempt to redirect funds from Utah Pathology Services, an unauthorized hacker gained access to an employee email account and the sensitive information of 112,000 medical patients. The accessed information includes patient names, gender, date of birth, mailing address, phone number, email address, health insurance information, internal record numbers, diagnostic information and a small number of Social Security numbers.



September 5, 2020:  Over 1 million inmates that have used the prison phone service, Telmate, have had their personal information exposed in an unsecured database. The information of both inmates and their contacts that was disclosed included names, gender, offense, religion, facility location, relationship status, medication history, emails, physical and IP addresses, phone numbers and driver’s license details.

SOURCE | National Cybersecurity News

Imperium Health

September 7, 2020:  A phishing attack led to the protected health information of 140,000 medical patients of Imperium Health Management to be exposed. The information accessed through the attack includes patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers) and limited clinical and treatment information.


NorthShore University HealthSystem

September 9, 2020:  The Chicago based healthcare system, NorthShore University HealthSystem, disclosed the protected health information of 348,000 medical patients was exposed through a third-party data breach. The data breach exposed patient names, dates of birth, addresses, phone numbers, e-mails, admission and discharge dates, locations of services and physician names and specialties.

SOURCE | Healthcare Finance News


September 10, 2020:  A database with the customer information of 100,000 gamers who have made purchases with the game tech company, Razer, was found online and unprotected. The exposed information included name, email, phone number, customer internal ID, order number, order details, billing and shipping address.

SOURCE | Threatpost


September 14, 2020:  An undisclosed number of customers of the office retail giant, Staples, received email notification disclosing their information has been exposed in a data breach. The breached information includes customer names, addresses, email addresses, phone numbers, last four credit card digits and order details.

SOURCE | BleepingComputer

Children’s Hospitals and Clinics of Minnesota

September 16, 2020:  Children’s Hospitals and Clinics of Minnesota sent notification that a third-party data breach exposed over 160,000 patient records. The patient impacted in the breach includes names, addresses, phone numbers, ages, dates of birth, genders, medical record numbers, dates of treatment, locations of treatment, names of doctors and health insurance status.

SOURCE | Bring Me The News


September 21, 2020:  Over 500,000 gamer accounts of Activision, the video game publisher, were targeted in a credential stuffing attack. It has been reported that login data, such as email and password, was published publicly online, granting hackers access the Call of Duty accounts, often locking the rightful owner out of their account.

SOURCE | Forbes

Town Sports

September 24, 2020:  A researcher at Comparitech discovered an unsecured online database containing records of 600,000 gym members of the fitness chain, Town Sports International. The database exposed customer names, postal addresses, email addresses, phone numbers, check-in data, gym location, notes on customer accounts, last four digits of credit card, credit card expiration date and billing history.

SOURCE | Comparitech

Warner Music Group

September 29, 2020: A recent legal filing revealed entertainment and record label conglomerate, Warner Music Group (WMG), suffered a three-month-long Magecart attack that exposed an undisclosed number of customers’ personal and financial information. Hackers accessed customers’ details from Warner Music’s e-commerce websites hosted and supported by a third-party, capturing customer’s names, email addresses, telephone numbers, billing addresses, shipping addresses, and payment card details such as card numbers, CVC/CVV and expiration dates.

SOURCE | CPO Magazine


October 6, 2020: Blackbaud, a cloud-based fundraising database management vendor for non-profits and educational institutions, became victim to a ransomware attack beginning in February 2020, which remained undetected until May 2020. Blackbaud paid the ransom and received confirmation the data had been destroyed. Before deleting the data, the cybercriminals copied sensitive data from over 6 million donors, potential donors, patients and community members including names, emails, phone numbers, dates of birth, genders, provider names, dates of service, department visited and philanthropic giving history. A recent SEC filing in September 2020 reveals hackers gained access to more unencrypted data than originally reported, including Social Security numbers, financial accounts, and payment information. Hundreds of Blackbaud’s impacted clients continue to disclose the data incident, including Inova Health (1.5 million), Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000), Spectrum Health (52,711), Northwestern Memorial HealthCare (55,983), and Main Line Health (60,595). Several organizations in Vermont were also included in the breach, such as the Vermont Foodbank, Middlebury College, and Vermont Public Radio.

SOURCE | Data Breach Today


October 6, 2020: Customers of the food delivery startup, Chowbus, received an email notification from the company that included a link to access the personal and account information of about 800,000 customers. The customer data in the data dump includes names, phone numbers and mailing and email addresses.

SOURCE | Cyberscoop

Barnes & Noble

October 15, 2020: Popular bookseller, Barnes & Noble, notified customers that a cybersecurity attack led to exposed customer information and caused service disruption of Nook e-reader books. The company has not disclosed how many customers have been impacted, but noted billing and shipping addresses, telephone numbers and email addresses were accessed in the data leak.


Dickey’s BBQ

October 16, 2020: A year-long Point-of-Sale (POS) system breach has impacted 3 million customers of the popular national BBQ chain, Dickey’s Barbecue Pit. Hackers posted over 3 million customers’ payment card details for sale on the dark web, where each record is being sold for $17 per card.



October 20, 2020: Security researchers at Comparitech discovered an unsecured database containing the records of more than 350 million customers along with call transcripts belonging to the cloud-based communication company, Broadvoice. The exposed Elasticsearch database enclosed personal details such as caller names, caller identification number, phone number and location along with voicemail transcripts.

SOURCE | Comparitech


October 20, 2020:  The pharmaceutical corporation, Pfizer, exposed the personal and medical information of hundreds of medical patients taking cancer drugs through a data leak. A misconfigured Google Cloud database exposed names, phone numbers, home addresses, email addresses, customer support messages, health data, medical status, phone call transcripts and prescription information.

SOURCE | Oodaloop

Fragomen, Del Rey, Bernsen & Loewy

October 27, 2020:  The immigration law firm responsible for representing Google – Fragomen, Del Rey, Bernsen & Loewy – announced a security incident has exposed the personal information of current and former Google employees. An unauthorized third party gained access to an undisclosed number of employee Form I9’s, containing full name, date of birth, phone number, social security number, passport numbers, mailing address and email address.

SOURCE | Law.com

JM Bullion

November 3, 2020:  Malware embedded in the online shopping platform of precious metals dealer, JM Bullion, captured the personal and banking card information of customers who made purchases between February and July 2020. Using the malicious code, hackers we able to collect an undisclosed number of customer names, addresses and payment card details including account numbers, card expiration dates and the security codes.

SOURCE | TechRadar


November 5, 2020:  A database containing staff, users, and subscribers data of the online media company, Mashable.com, was leaked by hackers and reported publicly on November 8th. The breached data was later detected on the dark web on December 16th. The database contains 1,852,595 records, including names, email addresses, country, gender, job description, online behavior related details, date of registration, IP addresses, social media profile links and authentication tokens.

SOURCE | Hackread

Expedia, Hotels.com & Booking.com

November 6, 2020:  A unsecured database belonging to the hotel reservation platform, Prestige Software, leaked sensitive data from over 10 million hotel guests worldwide, dating as far back as 2013. The third-party data leak affected guests that have booked reservations through travel companies such as Expedia, Hotels.com, Booking.com, Agoda, Amadeus, Hotelbeds, Omnibees, Sabre and more. The information exposed in the data leak includes names, email addresses, national ID numbers, phone numbers of hotel guests and reservation details such as reservation number, dates of a stay and the price paid per night. The unsecured database also disclosed sensitive credit card details from over 100,000 guests, including card number, cardholder’s name, CVV, and expiration date and total cost of hotel reservations.

SOURCE | Website Planet

Animal Jam

November 11, 2020: Animal Jam, a popular online game for kids, was hacked and 46 million account records were compromised in a data breach. The databases belonging to WildWorks, the company behind Animal Jam, were posted to an online hacking forum on the dark web. The data included information related to children and parent accounts, including usernames, emails, passwords, birth dates and billing addresses connected to PayPal accounts.

SOURCE | Animal Jam


November 12, 2020: popular stock photo and vector site, 123RF, experienced a data breach, and exposed 8.3 million user records. The database was later put for sale on the Dark Web, impacting members’ full name, email address, MD5 hashed passwords, company name, phone number, address, PayPal email and IP address.

SOURCE | BleepingComputer


November 14, 2020: Vertafore, an insurance software firm, fell victim to a data breach and exposed the personal and driver’s license data of over 27 million Texas citizens. The files accessed by an unauthorized party contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration histories.

SOURCE | Bank Info Security


November 19, 2020: An unsecured database belonging to the app Pray.com exposed the personal information of over 10 million individuals – including users of the app and their contacts. The impacted information includes photos uploaded by the app’s users, names, home and email addresses, phone numbers, marital status and login information. The data breach expanded beyond just the direct users of Pray.com app, and also exposed the contact information belonging to any contact stored on their mobile device, such as contacts names, phone numbers, email, home and business addresses, company names and family ties.

SOURCE | Threatpost


November 25, 2020: Canon, a popular camera manufacturer, publicly disclosed a ransomware attack and resulting data breach targeting the firm had occurred for several weeks in July and August of 2020. Over 10TB of breached data belonging to potentially thousands of current and former employees working for Canon between 2005 and 2020 was compromised, including Social Security numbers, driver’s license numbers or government-issued identification, bank account information for direct deposits, dates of birth and beneficiary and dependent information.

SOURCE | BleepingComputer


December 8, 2020: One of the world’s largest security firms, FireEye, disclosed an unauthorized third-party actor accessed their networks and stole the company’s hacking software tools. The highly sophisticated hacker also attempted to search and gather information related to the company’s government customers.


Dental Care Alliance

December 10, 2020: A cyberattack on healthcare provider, Dental Care Alliance, exposed sensitive personal and medical information of over 1 million patients. The attack exposed patient names, addresses, dental diagnosis and treatment information, patient account numbers, billing information, bank account numbers, the name of the patient’s dentist and health insurance information.

SOURCE | Infosecurity Magazine


December 10, 2020: An undisclosed number of users of the audio streaming service, Spotify, have had their passwords reset after a software vulnerability exposed account information. A data breach notification filed by Spotify claims the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.”

SOURCE | TechCrunch

Tufts Health Plan, Aetna, Blue Cross Blue Shield & EyeMed

December 11, 2020: A phishing attack on the vision benefits management company, EyeMed, exposed the personal and medical information of hundreds of thousands of health plan members, including 484,157 Aetna members, 60,545 members of Tufts Health Plan, and 1,300 members of Blue Cross Blue Shield of Tennessee. The information disclosed during the attack included names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, health insurance account/identification numbers, Medicaid or Medicare numbers, driver’s license, birth or marriage certificates. For a smaller number of members, partial or full social security numbers and/or financial information, medical diagnoses and conditions, treatment information, and passport numbers were also included.


Commonwealth Data Protection Plan


Mooting in 2014, the Australian Government looks to strengthen data protection requirements for by requiring IT suppliers to provide a “Commonwealth Data Protection Plan” (CDPP).

The CDPP essentially describes how an agency would treat its data during the phases of its lifecycle. The data lifecycle typically entails:

  • Collection
  • Usage & Disclosure
  • Storage & Archival
  • Disposal & Destruction

It also looks to integrate with other data protection mechanisms like:

  • The ISM from
  • PSPF
  • Privacy Assessments from the Privacy Act
  • AML/CTF Laws
  • Archives Act
  • GDPR
  • Others…

Coronavirus Data


The 2019–20 coronavirus pandemic is an ongoing pandemic of coronavirus disease 2019 (COVID‑19) caused by severe acute respiratory syndrome coronavirus 2 (SARS‑CoV‑2). The outbreak was identified in Wuhan, China, in December 2019. The World Health Organization declared the outbreak a Public Health Emergency of International Concern on 30 January, and a pandemic on 11 March. As of 3 May 2020, more than 3.42 million cases of COVID-19 have been reported in 187 countries and territories, resulting in more than 243,000 deaths. More than 1.09 million people have recovered.

Get downloads to coronavirus dataset here:

Data Breaches 2019



January 2, 2019: Blur announced a data breach after an unsecured server exposed a file containing 2.4 million usernames, email addresses, password hints, IP addresses and encrypted passwords. The password management company urged their users to change their Blur login credentials and enable two-factor authentication.


Town of Salem Video Game

January 3, 2019: The information of 7.6 million gamers was stolen in a hack of the game Town of Salem. BlankMediaGames (BMG) announced that its server was compromised and usernames, email addresses, IP addresses, game & forum activity and purchased game premium features were exposed.



January 4, 2019: Online retailer of custom mugs and apparel, DiscountMugs.com was hacked for a four-month period in the latter half of 2018. The company announced that it had discovered a malicious card skimming code placed on its payment website. Hackers were able to steal full payment card details (number, security code and expiration date), names, addresses, phone numbers, email addresses and postal codes.

SOURCE | TechCrunch


January 7, 2019: U.S. provider of payroll, HR and employer services, BenefitMall announced a data breach that occurred after an email phishing attack compromised employee login credentials. Though the exact number of records exposed hasn’t been released, the emails may have included customer names, addresses, Social Security numbers, dates of birth, bank account numbers and information on the payment of insurance premiums.

SOURCE | Insurance Business America


January 10, 2019: New York-based manufacturer, OXO was hacked in two separate incidents over the past two years, exposing customer information entered on their website. The company discovered unauthorized code on its site which captured customer names, billing and shipping addresses and credit card information.


Managed Health Services (MHS) of Indiana

January 9, 2019: The personal health information of more than 31,000 patients of Managed Health Services of Indiana has been exposed following a phishing attack. Names, insurance ID numbers, addresses, dates of birth and medical conditions are among the potentially compromised data.

SOURCE | Health IT Security


January 16, 2019: A flaw within the online video game Fortnite has made players vulnerable to hackers. According to the security firm Check Point, a threat actor could take over the account of any game player, view their personal account information, purchase V-bucks (in-game currency), and eavesdrop on game chatter. Fortnite has 200 million users worldwide, 80 million of whom are active each month.

SOURCE | Check Point Research

Oklahoma Department of Securities

January 17, 2019: Millions of government files, including records pertaining to FBI investigations, were left unprotected on an open storage server belonging to the Oklahoma Department of Securities (ODS). The oldest records exposed dated back to 1986 and ranged from personal data to login credentials and internal communication records.


Collection 1

January 17, 2019: Security researcher Troy Hunt discovered a large database on cloud storage site, MEGA, which contained 773 million email addresses and 22 million unique passwords collected from thousands of different breaches dating back to 2008. The information was shared on a popular hacking forum where the data could be shared with cybercriminals. If you’re concerned your credentials may have been compromised, visit Have I Been Pwned?

SOURCE | Troy Hunt

BlackRock Inc.

January 22, 2019: As many as 20,000 financial advisors had their information leaked by the world’s largest asset manager, BlackRock. The company posted confidential sales documents related to advisors who work with BlackRock’s iShares unit. Names, emails and assets managed by advisers were among the information exposed.


Graeters Ice Cream

January 22, 2019: Cincinnati-based purveyor of sweets, Graeter’s Ice Cream has notified approximately 12,000 customers who purchased items through the company’s online store of a data breach. Malicious code was found on the website’s checkout page, which could capture customer names, addresses, phone numbers, fax numbers, payment card type, payment card numbers, expiration date and verification codes.


Online Betting Sites

January 23, 2019: Three online betting sites copied data containing 108 million records to Elasticsearch cloud storage without securing it. Your information was likely exposed if you’ve placed bets via kahunacasino.com, azur-casino.com, easybet.com or viproomcasino.net. This information includes names, addresses, phone numbers, email addresses, birth dates, usernames, account balances, IP addresses, browser and OS details, games played and win and loss information.

SOURCE | Naked Security


January 23, 2019: More than 24 million mortgage and banking documents sat unprotected in an online database for at least two weeks. According to the report from TechCrunch, the data leak was traced back to Ascension. The data analytics company serves the financial services industry. Affected documents included people’s names, addresses, dates of birth, Social Security numbers and financial information.

SOURCE | TechCrunch

Alaska Department of Health & Social Services (DHSS)

January 23, 2019: A cyberattack targeting Alaska’s Division of Public Assistance has exposed data on at least 100,000 people. The attacker was able to access the names, Social Security numbers, dates of birth, addresses, health information and income of people who applied for government programs.

SOURCE | Alaska’s News Source


January 29, 2019: IT security and cloud data management provider, Rubrik exposed a massive database containing customer information including names, contact information, and other details related to corporate accounts. The data leak was discovered on an unprotected Amazon Elasticsearch server that didn’t require a password.

SOURCE | TechCrunch

Critical Care, Pulmonary & Sleep Associates (CCPSA)

January 31, 2019: Patients of the Colorado-based Critical Care, Pulmonary & Sleep Associates (CCPSA) healthcare facility had their personal health information exposed after CCPSA employees fell victim to a phishing attack. Approximately 23,000 people have been notified of the breach, which included names, medical information, dates of birth, addresses, Social Security numbers and driver’s licenses.

SOURCE | Health IT Security


February 1, 2019: Popular home improvement startup Houzz announced a data breach affecting users of the platform. In a statement, the company said that information such as names, city, state, country, profile description, username and hashed passwords were taken by an unauthorized third party.

SOURCE | TechCrunch

Catawba Valley Medical Center

February 4, 2019: Patients of North Carolina-based Catawba Valley Medical Center have had their names, birth dates, Social Security numbers and Personal Health Information (PHI) exposed in a cyberattack. Three employee email accounts were hacked in a phishing scam between July and August 2018. An estimated 20,000 patients have been impacted.


Huddle House

February 4, 2019: The point of sale (POS) systems of U.S.-based restaurant chain, Huddle House, were compromised through a third-party vendor’s system, giving hackers the ability to install malware to capture the payment card information of customers between August 2017 and February 2019.


EyeSouth Partners

February 6, 2019: Over 24,000 patients of Georgia-based EyeSouth Partners are being notified of a data breach. The breach occurred after an unauthorized third party gained access to an employee’s email. Patient names, health insurance information and some account balance information were compromised.

SOURCE | Health IT Security

Dunkin’ Donuts

February 12, 2019: For the second time in three months, Dunkin’ Donuts announced a data breach affecting DD Perks rewards members. Hackers used credential stuffing attacks to gain access to customer accounts and have been selling them on the dark web.


Coffee Meets Bagel

February 14, 2019: Dating app Coffee Meets Bagel announced a data breach on Valentine’s Day. The names and email addresses of all users who registered before May 2018 were exposed, impacting approximately 6 million people.



February 15, 2019: The accounts of 14.8 million users of 500px have been hacked, revealing full names, usernames, email addresses, birth dates, locations and gender. The photo-sharing website has notified its users and is forcing a password reset.

SOURCE | Extreme Tech

North Country Business Products

February 19, 2019: data breach affecting North Country Business Products, a vendor of credit card processing services, has impacted at least 50 businesses across the state of Arizona. Customers of these businesses, between January 3rd and 24th, 2019, have had their name, credit card number, expiration date and CVV compromised.

SOURCE | Security Affairs

Advent Health

February 20, 2019: Patients of Florida-based Advent Health Medical Group are being notified of a 16-month long data breach. Approximately 42,000 individuals had their sensitive personal and health information exposed, including medical histories, insurance information, Social Security numbers, names, phone numbers and addresses.

SOURCE | Security Today


February 20, 2019: The usernames and hashed passwords of 450,000 users of Coinmama were recently posted on a dark web registry. The cryptocurrency broker has notified its customers and has encouraged all users to change their passwords.

SOURCE | Coin Telegraph

UW Medicine

February 20, 2019: Nearly 1 million patients have been notified of a UW Medicine data breach, which was discovered on December 26, 2018. A vulnerability on the health network’s website server exposed protected health information including names, medical record numbers, and a description of the individual’s information.

SOURCE | Fox 13 Seattle

UConn Health

February 22, 2019: In another major data breach of a university health facility, patients of UConn Health have had their personal information exposed after a third party accessed employee email accounts. About 326,000 people were affected in the breach, which compromised names, dates of birth, addresses, Social Security numbers and limited medical information.

SOURCE | Hartford Courant

Dow Jones

March 1, 2019: A database containing 2,418,862 identity records on government officials and politicians from every country in the world was leaked online from a Dow Jones watchlist. The watchlist is compiled from publicly available information on prominent individuals who have the ability to embezzle money, accept bribes or launder funds.


Rush University Medical Center

March 4, 2019: About 45,000 patients of Chicago-based Rush health system were exposed in a data breach. Names, addresses, birthdays, Social Security numbers and health insurance information were compromised after an employee disclosed billing documents to an unauthorized third party.

SOURCE | Chicago Tribune

Health Alliance Plan

March 6, 2019: The protected medical information of 120,000 patients has been exposed in a Health Alliance Plan data breach. The names, addresses, dates of birth, member ID numbers, healthcare provider names, patient ID numbers and claim information were compromised after a ransomware attack infiltrated Wolverine Solutions Group, a third-party vendor that manages the network’s mailing services.

SOURCE | Detroit Free Press

Pasquotank-Camden Emergency Medical Services

March 12, 2019: An estimated 20,420 people have been affected in a cyberattack on North Carolina-based EMS company, Pasquotank-Campden Emergency Medical Services. The company’s billing information server was infiltrated by an unauthorized third party, leading to the exposure of Social Security numbers, dates of birth and medical information.

SOURCE | Becker’s Health IT

Spectrum Health Lakeland

March 15, 2019: Michigan-based Spectrum Health Lakeland has announced it was also impacted in the hack of Wolverine Services Group, a mail vendor that works with multiple healthcare networks. Approximately 60,000 patients had their names, addresses, health services rendered, health insurance and billing information exposed.

SOURCE | The Herald Palladium

Rutland Regional Medical Center

March 19, 2019: More than 72,000 patients have had their personal information exposed in a Rutland Regional Medical Center data breach. Patient names, contact information, medical record numbers and 3,683 Social Security numbers were compromised after several employees’ email accounts were accessed illegally.

SOURCE | Rutland Herald

Zoll Medical

March 20, 2019: The personal information of 277,319 patients has been exposed by a Zoll Medical data breach. The medical device manufacturer headquartered in Chelmsford, MA announced that data from emails was leaked during a server migration, including names, addresses, dates of birth and medical information. Some patients also had their Social Security numbers exposed.

SOURCE | Modern Healthcare

MyPillow & Amerisleep

March 21, 2019: Bedding retailers MyPillow & Amerisleep experienced a breach at the hands of Magecart, a hacking syndicate that targets eCommerce websites with credit card skimming software. Hackers also set up a dummy URL to trick shoppers who made a typo in trying to visit the site.



March 21, 2019: Facebook has admitted that since 2012 it has not properly secured the passwords of as many as 600 million users. These passwords were stored in plain text and able to be accessed by more than 20,000 of the company’s employees. If you use Facebook, change your password.

SOURCE | Krebs on Security

Oregon Department of Human Services (DHS)

March 21, 2019: The Oregon Department of Human Services announced a data breach after nine of its employees clicked on a phishing link, compromising nearly 2 million emails. These emails may have exposed the names, addresses, dates of birth, Social Security numbers, and other information of as many as 1.6 million clients.

SOURCE | Bleeping Computer

Federal Emergency Management Agency (FEMA)

March 22, 2019: Survivors who sought shelter assistance after hurricanes Maria and Irma, as well as California wildfires, have had their PII exposed in a FEMA privacy incident. About 2.5 million disaster victims had information like names and addresses, bank account information and birth dates shared with a contractor, leaving them unprotected.

SOURCE | Chicago Tribune

Family Locator

March 23, 2019: A tracking app that allows family members to track each other’s location in real-time, Family Locator leaked data exposing more than 238,000 users. The locations of users were left accessible on an unprotected server and included additional information such as name, email address, profile photo and passwords.

SOURCE | TechCrunch

Milestone Family Medicine

March 25, 2019: The names, addresses, dates of birth, health insurance information, Social Security numbers, and service information of 32,178 patients may have been stolen in a Milestone Family Medicine data breach.


Verity Health Systems

March 26, 2019: A hacker gained access to three of Verity Health Systems employee email accounts, compromising the protected health information of 14,894 patients. The sensitive data included names, patient ID numbers, dates of birth, addresses, phone numbers, health insurance information, payment information, driver’s licenses and Social Security numbers.

SOURCE | Health IT Security

Earl Enterprises

March 29, 2019: The parent company of Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria, Earl Enterprises announced a breach of its payment systems after discovering malware that stole customer credit and debit card information. More than 2 million customers were impacted.

SOURCE | Krebs on Security


March 14, 2019: A database controlled by email validation company Verifications.io was discovered on an unprotected server that was accessible to anyone who knew where to look. Nearly 1 billion email accounts, along with other personal information — an assortment of data points like mortgage amounts, interest rates on loans and social media email logins, and identifiers like gender and birthdate — were exposed in one of the largest single-source data breaches ever recorded. The Estonian company took down its website closed its doors after news of the breach broke.

SOURCE | Identity Theft Resource Center

Georgia Tech

April 4, 2019: Personal information of current and former faculty, students, staff and student applicants of Georgia Tech was accessed by an unkown threat actor through a central database. The database affected by the breach includes names, addresses, Social Security numbers and birth dates of 1.3 million individuals. This is the university’s second breach in less than a year.



April 2, 2019: Two third-party applications that hold Facebook user information were left exposed to the public online. Over 540 million records, including account names, Facebook ID numbers, comments and reactions were exposed through Cultura Colectiva. The second application, At the Pool, disclosed passwords along with information regarding photos, events, groups, check-ins and more. Email and passwords were not exposed.


Baystate Health

April 8, 2019: An estimated 12,000 patients of Springfield, MA-based hospital, Baystate Health had their information exposed after a phishing attack compromised the email accounts of several employees. Patient names, dates of birth, health information, and some Medicare and Social Security numbers were involved in this healthcare data breach.

SOURCE | Daily Hampshire Gazette

Prisma Health

April 10, 2019: A phishing attack on Prisma Health of South Carolina gave hackers unauthorized access to several employee email accounts. The investigation into the attack determined that 23,811 patients had their protected health information exposed, including names, health insurance information, Social Security numbers and financial information.


City of Tallahassee

April 15, 2019: Nearly $500,000 of the city of Tallahassee employees’ payroll was stolen by hackers who redirected direct deposits into an unauthorized account. City officials responsible for investigating the incident suspect the cyberattack came from a foreign nation.


Microsoft Email Services

April 15, 2019: In a statement to TechCrunch, Microsoft admitted a data breach of its non-corporate email services, including @msn.com, @hotmail.com and @outlook.com. The breach, which lasted from January 1 to March 28, 2019, allowed hackers to access email accounts by misusing Microsoft’s customer support portal.

SOURCE | TechCrunch

Steps to Recovery

April 19, 2019: Patients seeking treatment for drug and alcohol abuse have had their sensitive personal information exposed in a data breach of several addiction rehabilitation centers. The data was discovered unprotected by security researcher Justin Paine. Approximately 145,000 patients have been impacted.



April 20, 2019: Approximataely 60,000 patients and employees of Florida’s EmCare have been notified of a data breach after a third party gained access to several employees’ email accounts. Those email accounts contained personal information including names, dates of birth, driver’s license numbers, Social Security numbers, demographic information and clinical information.



April 22, 2019: The largest online retailer of fitness supplements, Bodybuilding.com announced a data breach that potentially impacted its 7 million registered users. The company has since forced a password reset and notified its customers. The information that could have been stolen by hackers includes names, email addresses, billing/shipping addresses, phone numbers, order history, birth date and information included in BodySpace profiles.


Atlanta Hawks

April 25, 2019: Magecart, a notorious hacking syndicate known for targeting online shopping portals, compromised the eCommerce website of the NBA’s Atlanta Hawks. The hackers installed a credit card skimming code on the site, stealing the names, dates of birth and payment card details of anyone who shopped on the site after April 20, 2019.

SOURCE | Naked Security by Sophos

Docker Hub

April 29, 2019: Users have been notified of a Docker Hub data breach after hackers exposed the information of 190,000 account holders. The company offers cloud-based services to application developers and programmers. Information stolen in the breach includes usernames, hashed passwords, Github and Bitbucket tokens.



April 29, 2019: Up to 65% of U.S. households have had their information exposed by an unsecured database housed on a Microsoft cloud server. While the owner of the data is unknown, over 80 million households have had their names, addresses, geographic location, age, dates of birth and other demographic information compromised. VPNMentor, whose research team discovered the breach, is asking for help in identifying who the database belongs to.



May 1, 2019: Job recruitment site Ladders exposed the data of 13.7 million users through an unsecured database that was left open without a password requirement. Consumers who used the site for job hunting had their names, email addresses, employment history and salary figures exposed. Many users had their resume details included, work authorizations and even security clearance status. The unsecured database also contained the information of nearly 380,000 recruiters.

SOURCE | TechCrunch


May 2, 2019: In a letter to potential data breach victimsCitrix revealed that hackers gained access to the company’s internal systems between October 2018 and March 2019. The U.S. software company in investigating the cyber intrusion with help from the FBI, but thinks that the data stolen could include the Social Security numbers, financial information, and other data on current and former employees.


AMC Networks

May 3, 2019: The personal information of 1.6 million subscribers of AMC Network’s premium streaming video platforms, Sundance Now and Shudder, were disclosed after the company’s database was left accessible to the public. The breach included names, email addresses, details about subscription plans and last four digits of credit cards. The exposed database also encompassed video analytics data gathered by Youbora, adding 441,943 exposed records including user IP addresses, country, city, state, ZIP code and location coordinates.

SOURCE | Engadget


May 7, 2019: An online tutoring marketplace with more than two million registered users and 80,000 instructors, Wyzant announced a breach of customer data. A hacker was able to break into one of the company’s databases, compromising names, email addresses, ZIP codes and Facebook profile pictures of those who use single sign-on to log into their Wyzant account.


Freedom Mobile

May 9, 2019: data breach of Freedom Mobile has affected an estimated 1.5 million customers after a database of information was found unprotected on an Elasticsearch server. The Canada-based telecommunications company exposed customer names, email addresses, phone numbers, physical addresses, dates of birth, account numbers and credit card information.


Pacers Sports & Entertainment (PSE)

May 13, 2019: The legal entity behind the basketball team Indiana Pacers, Pacers Sports & Entertainment (PSE), recently announced a phishing email campaign created a security breach of sensitive information. The number of affected individuals is still unknown, but the information exposed may include names, addresses, date of births, Social Security numbers, passport numbers, medical insurance information, driver’s license number, account number, payment card number, digital signature and username and password. PSE has not shared if the information disclosed belonged to employees or customers.



May 13, 2019: The largest retailer in Asia, Fast Retailing Co., revealed that hackers may have accessed as many as 460,000 Uniqlo shoppers‘ names, addresses and partial credit card information. The company is urging customers to change their login credentials.



May 14, 2019: Facebook is facing another data privacy scandal after a WhatsApp data breach. The messaging app, which has over 1.5 billion users worldwide, experienced a security flaw that left people vulnerable to malware designed by the NSO Group, an Israeli government surveillance agency. The malware could be planted on a victim’s phone by placing a call to that number.



May 20, 2019: More than 49 million Instagram influencers, celebrities and brands have had their private contact information exposed after an India-based social media marketing company left the data unprotected on an Amazon Web Services database. TechCrunch reported that the bio, profile photo, location, verification status, email address and phone number of high-profile accounts were exposed.

SOURCE | TechCrunch

Inmediata Health Group

May 23, 2019: The website of a healthcare company, Inmediata was breached after a setting allowed search engines to index internal pages that contained patient data. More than 1.5 million people may have had their names, addresses, dates of birth, gender, medical information and Social Security numbers may have been exposed. The company has notified those affected.

SOURCE | Becker’s Hospital Review

First American Financial Corp.

May 24, 2019: A massive data leak containing 885 million personal and financial records was found unprotected on the website of First American Financial Corp. The company, a leading title insurer for the U.S. real estate market, exposed consumers’ Social Security numbers, bank account numbers, mortgage and tax records, wire transaction receipts, and driver’s license images dating as far back as 2003. It is unclear if malicious actors accessed and stole any of the data, which sat unprotected and accessible to anyone who had the URL, for more than two years.

SOURCE | Krebs on Security


May 24, 2019: The massively popular online design tool, Canva was hacked, exposing 139 million users. Criminals stole Canva customers’ usernames, real names and email addresses. The company is urging all users to change their passwords as a precaution.



May 29, 2019: Flipboard announced it was hacked after an unauthorized third party accessed databases containing user information. Names, usernames, email addresses and encrypted passwords are among the data that could have been stolen. Flipboard has 150 million monthly users.

SOURCE | Forbes


May 29, 2019: More than 100 had their point-of-sale systems hacked, compromising customers’ full payment card information. The restaurant discovered the attack in April 2019 but found that 15 percent of its locations’ systems had been compromised for years.

SOURCE | Checkers Data Breach Settlement

Quest Diagnostics

June 3, 2019: Nearly 12 million patients have been exposed in a . The breach occurred after hackers took control of the payments page of one of Quest’s billing collections vendors, AMCA, between August 2018 and March 2019. Financial account data, Social Security numbers and health information were likely stolen.

SOURCE | The Washington Post


June 4, 2019: LabCorp disclosed that 7.7 million of its customers were also impacted by the same hack. The records kept on LabCorp customers were less sensitive, however, exposing names, addresses, dates of birth and balance information.


Opko Health

June 6, 2019: Another healthcare-related company has been impacted by the hack of American Medical Collection Agency (AMCA), which compromised Quest Diagnostics and LabCorp. Opko Health announced a data breach affecting 422,600 customers. Credit card and bank account information, email addresses, addresses, phone numbers and balance information were exposed.

SOURCE | Bleeping Computer


June 10, 2019: More than 1.1 million users of the gaming website Emuparadise have had their IP address, username and password exposed in a data breach. This security incident originated from the site’s vBulletin forum.


U.S. Customs and Border Protection

June 10, 2019: Images of travelers’ faces and license plates were compromised in a cyberattack on a contractor for U.S. Customs and Border Protection. The agency said that fewer than 100,000 people were impacted while entering and exiting a border entry point.

SOURCE | Washington Post


June 11, 2019: More than 100 million users of online event planning service company, Evite, have had their information put up for sale on the dark web. A hacker who goes by the name Gnosticplayers released usernames, email addresses, IP addresses and cleartext passwords. In some cases, dates of birth, phone numbers and postal addresses were also included.


Total Registration

June 11, 2019: A misconfiguration of an Amazon S3 file storage service potentially compromised the information of students who registered for exams like the PSAT and Advanced Placement. Total Registration, a Kentucky-based facilitator of test registrations, admitted that names of students and parents, dates of birth, languages, grade level, gender, student ID, and some Social Security numbers were implicated.

SOURCE | Total Registration


June 12, 2019: A security vulnerability within gave hackers access to the online data of its 4.6 million users. Authentication, financials, private communications and more could have been accessed by malicious actors by exploiting a flaw in the Evernote code. The company has since corrected the issue, but it’s unclear how long user data may have been compromised.

SOURCE | Naked Security by Sophos


June 18, 2019: An unauthorized third party broke into the systems of popular food delivery service, EatStreet. The hacker was able to steal customer data including names, phone numbers, email addresses, bank accounts and routing numbers, full payment card information and billing addresses. While it’s unknown exactly how many customers were impacted, the hacker claims to have captured information on 6 million users.


Oregon Department of Human Services

June 18, 2019: Employees of the were targeted in a phishing attack that gave a cybercriminal control over their email accounts. As many as 2 million emails containing full names, addresses, dates of birth, Social Security numbers, case numbers, health information, and other record-keeping data were exposed.

SOURCE | Security Today


June 20, 2019: Data on 2.7 million individuals and 173,000 businesses was stolen by a Desjardins employee. Desjardins is Canada’s largest credit union, and it has fired said employee after containing the incident. Names, dates of birth, social insurance numbers, addresses, phone numbers and email addresses were compromised.

SOURCE | Naked Security by Sophos

Dominion National

June 26, 2019: The information of consumers, plan providers, and healthcare companies involving 95,000 Delaware residents was exposed in a Dominion National data breach. Names, addresses, dates of birth, email addresses, Social Security numbers, tax ID numbers, bank account, routing numbers and member ID numbers were among the data compromised.

SOURCE | Delaware.gov


July 1, 2019: The database of smart home IOT devices, Orvibo, exposed the personal information of over 2 billion customers. Impacted information includes email addresses, passwords, account reset codes, precise geolocation, IP address, username, user ID, family name, family ID, smart device, devices that accessed account and scheduling information.


Maryland Department of Labor

July 8, 2019: Multiple systems managed by the Maryland Department of Labor were reported as breached, containing files dating back to 2009. The stolen data is suspected to include names, social security numbers, dates of birth, and other sensitive personally identifiable information of 78,000 users of the state’s unemployment insurance services and Literacy Works Information System.

SOURCE | SecurityWeek

Los Angeles County Department of Health Services

July 10, 2019: A contractor for the Los Angeles County Department of Health Services fell victim to a phishing attack, exposing the personal information of 14,600 patients, including names, addresses, patient information, and social security numbers.


Essentia Health

July 10, 2019: Patients of Essentia Health were notified of a protected health information breach as the result of a third-party vendor, California Reimbursement Enterprises, being targeted by a phishing attack. Specific data impacted was not disclosed, but may have included medical records, billing information, and dates of birth, as types of information routinely shared with a billing services vendor.

SOURCE | Essential Health

Fieldwork Software

July 10, 2019: An unsecured database belonging to Fieldwork Software was discovered by vpnMentor researchers, exposing customer names, credit cards, alarm codes, client information, and other sensitive details of the company’s small business customers. Of significant concern was a direct access link to the company’s backend system, and communication logs that detailed such information as alarm codes, building access details, and the location of clients’ hidden keys.

SOURCE | vpnMentor

Clinical Pathology Laboratories (CPL)

July 17, 2019: Another clinical lab reported personal information of their patients was compromised following the previously-reported AMCA data breach. Clinical Pathology Laboratories (CPL) disclosed 2.2 million patients had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information exposed, and an additional 34,500 patients had their credit card or banking information affected.

SOURCE | TechCrunch


July 18, 2019: An unknown number of Sprint customer accounts were hacked via the Samsung.com “add a line” website. The information exposed by the mobile network operator includes names, billing addresses, phone numbers, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility and add-on services.


Los Angeles Personnel Department

July 29, 2019: A hacker has stolen personal information of about 20,000 Los Angeles Police Department officers, recruits, and applicants from the Los Angeles Personnel Department Candidate Application Program. The compromised data included names, birth dates, partial social security numbers, email addresses and applicant account passwords.

SOURCE | NBC Los Angeles

Capital One

July 29, 2019: A security incident was announced by Capital One, impacting credit card applications for 100 million consumers in the United States. Of those applications, approximately 140,000 included the applicant’s Social Security number, and 80,000 included linked bank account information. Included as part of the credit card application were names, addresses, phone numbers, email addresses, dates of birth and individual or household income. Also compromised were credit scores, credit limits and credit balances.

SOURCE | Capital One


August 5, 2019: The online marketplace, Poshmark, announced in a blog post that a hacker gained access to the names, usernames, genders, city data, email addresses, size preferences and scrambled passwords of its users. Poshmark has over 50 million users but has not confirmed how many were affected by the breach.

SOURCE | TechCrunch


August 5, 2019: Stock X, a fashion and sneaker trading platform, exposed the personally identifiable information of over 6.8 million customers. The company sent a password reset to its users after an unknown third party accessed customer names, email addresses, shipping addresses, usernames, hashed passwords and purchase histories.

SOURCE | TechCrunch

Presbyterian Healthcare Services

August 5, 2019:  A phishing attack on Presbyterian Healthcare Services of New Mexico gave hackers unauthorized access to the personal and medical information of 183,000 patients. The reported data breach exposed the names, dates of birth, Social Security numbers, along with health plan and clinical information.

SOURCE | Health IT Security


August 7, 2019: Over 23.2 million accounts were exposed by CafePress, a custom T-shirt and merchandise company, exposing the names, email addresses, physical addresses, phone numbers and hashed passwords of its customers. CafePress has not disclosed the breach leading back to February 2019 but has sent out a password reset notice claiming it has updated its password policy.

SOURCE | Engadget

State Farm

August 9, 2019: A hacker used usernames and passwords exposed from another company’s data breach to gain access to the accounts of State Farm insurance users, also known as a credential stuffing attack. No other personal information was exposed, and the number of affected victims has not been disclosed. State Farm has reset the passwords for accounts whose login credentials were impacted.



August 14, 2019: Hy-Vee has reported a security breach of its point-of-sale (PoS) system, impacting consumers who made purchases at Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Express, and Wahlburgers.) The company says the hackers did not access the separate PoS systems that run their grocery stores, drugstores, or convenience stores. Updated August 23, 2019: KrebsonSecurity discovered 5.3 million stolen credit and debit card accounts linked to the Hy-Vee breach were up for sale on the Dark Web under the name “Solar Energy” Breach.

SOURCE | Hy-Vee and Krebs on Security

Choice Hotels

August 15, 2019: A database containing 700,000 guest records of the hotel franchise, Choice Hotels, was found exposed and left with a ransom note. The hackers requested 0.4 Bitcoin, approximately $4,000, to stop further exposure of the stolen information, including names, addresses, and phone numbers.


BioStar 2

August 16, 2019: Security researchers and the VPNMentor team uncovered a data breach containing the fingerprint data of 1 million individuals along with the facial recognition information, and unencrypted usernames and passwords of 27.8 million individuals. The exposed database belongs to BioStar 2, a biometric security platform used by organizations worldwide.

SOURCE | vpnMentor


August 21, 2019: Personal and credit card information of 58,000 subscribers to movie ticket subscription service, MoviePass, were left unsecured on a server that was not password protected. MoviePass customers are issued cards that function like debit cards. Names, addresses, MoviePass debit card number, card expiration date, card balance and activation date were impacted in this breach.

SOURCE | TechCrunch


August 28, 2019: The web hosting company, Hostinger, sent out password reset emails to 14 million clients whose information was hacked through an API server. The company is urging its clients to update their passwords after first names, usernames, email addresses, IP addresses and hashed passwords were exposed in the data breach.

SOURCE | TechCrunch


August 30, 2019: Over 328,000 users of Foxit, a PDF Reader software company, were sent a password reset email after they discovered a hacked had access to names, email addresses, passwords, phone numbers, company names and IP addresses.


Providence Health Plan

September 5, 2019: Providence Health Plan has notified 122,000 of its members that their personal information was impacted after an unauthorized party accessed their servers. The hackers accessed names, addresses, email addresses, dates of birth, Social Security numbers, member identification numbers, group numbers and subscriber numbers.



September 5, 2019: An unprotected server containing over 419 million records of Facebook users was discovered, giving hackers access to Facebook users’ unique ID and phone numbers. In some cases, user’s names, genders and locations were also included.

SOURCE | TechCrunch

Dealer Leader, LLC.

September 16, 2019: The personal information of 198 million prospective car buyers was left exposed in an unsecured database belonging to Dealer Leader, a digital marketing company for car dealerships. The information exposed included names, email addresses, phone numbers, home addresses and IP addresses.



September 27, 2019: DoorDash, a food delivery service, confirmed a data breach through a third-party vendor, exposing the information of 4.9 million customers, delivery workers, and merchants. The leaked data includes names, delivery addresses, phone numbers, hashed passwords, order history, last four digits of both customers’ credit cards and employee bank account numbers. The driver’s license information of 100,000 delivery drivers was also disclosed.

SOURCE | TechCrunch


September 12, 2019: Players of the popular games Draw Something, Words With Friends, and Farmville have been notified by mobile game maker Zynga that their system was breached and user data was accessed illegally. The hacker claiming responsibility says he accessed a database that included data from 218 million Android and iOS players, including names, email addresses, login IDs, hashed passwords, phone numbers, Facebook IDs and Zynga account IDs. The number of users impacted has not been confirmed by Zynga.


Methodist Hospitals of Indiana

October 17, 2019: After two employees fell victim to an email phishing scam, the personal information of over 68,000 patients of Indiana-based Methodist Hospitals was accessed by hackers. The information compromised in the hack includes names, addresses, dates of birth, Social Security numbers, driver’s license/state ID/passport numbers, credit card information, and patient health records.



October 21, 2019: The cybersecurity team at vpnMentor discovered an open database belonging to Autoclerk, a hotel property management system, impacting the information of hundreds of thousands of individuals, including those belonging to U.S. government and military personnel. The records exposed include names, dates of birth, home addresses, phone numbers, dates and travel costs, check-in times, room numbers and masked credit card details.


Kalispell Regional Healthcare

October 22, 2019: After a phishing attack in the summer of 2019, the information of over 130,000 patients of Kalispell Regional Healthcare. Hackers were given access to patient names, Social Security numbers, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, medical history and treatment information, dates of service, treating/referring physicians, medical bill account numbers and/or health insurance information.



October 26, 2019: The account information of over 7.5 million users of Adobe Creative Cloud was exposed due to an unprotected online database, including email addresses, usernames, location, Adobe products, account creation dates, dates of last login, subscriptions and payment status.


Network Solutions

October 30, 2019: Millions of individuals who have used the world’s first internet domain name provider, Network Solutions, had their personally identifiable information (PII) accessed by a third party. NetworkSolutions.com along with Register.com and Web.com confirmed the hacker accessed names, addresses, phone numbers, email addresses and service information of their customers and recommended a password reset.

SOURCE | BleepingComputer


November 16, 2019: Users of the newly released Disney+ streaming services were locked out of their accounts after being hijacked by fraudsters. Disney+ members’ login credentials, including usernames and passwords, were found up for sale on the Dark Web starting at $3 per record.


Macy’s E-Commerce Website

November 19, 2019: Macy’s e-commerce site was hacked by a third party, embedding malicious code into Macy’s “checkout” and “My Wallet” pages. A skimming code was also placed on the Macy’s Wallet page, used by account holders to store payment credentials. The malware gathered names, full addresses, phone numbers, email addresses, payment card numbers, card security codes and payment expiration dates of shoppers who made purchases through the Macy’s website.

SOURCE | Bleeping Computer


November 22, 2019: Over 1 million T-Mobile customers had their personal information accessed by a hacker. Their names, billing addresses, phone numbers, account numbers, rates, plans and calling features were exposed, but no financial or password data were compromised.

SOURCE | TechCrunch


November 22, 2019: Security researchers discovered an unsecured server containing four billion records on over 1.2 billion individuals. These records include over 1 billion personal email addresses, over 420 LinkedIn URLs, over 1 billion Facebook URLs and over 400 million phone numbers with more than 200 million U.S.-based valid cell phone numbers. While the data comes from two data aggregators and enrichment companies, the owner of the server and database remains unknown.

SOURCE | SC Magazine


December 4, 2019: A database belonging to American communications company, TrueDialog, exposed tens of millions of SMS text messages as well as the personal information of more than 1 billion subscribers. Impacted information includes names of recipients, account holders and users, email addresses, phone numbers of recipients and users, content of messages, dates and times messages were sent, message status and account details.

SOURCE | TechCrunch


December 16, 2019: Online retailer, LightInTheBox, left an unsecured database exposed, impacting the information of over 1.6 billion customers. The information exposed includes consumer’s email addresses, IP addresses, countries of residence, destination pages and user activity. Although no personally identifiable information was disclosed, users’ email addresses can be used in targeted phishing scams.

SOURCE | SC Magazine


December 19, 2019: A breach first reported in September 2019 has been updated with confirmation by HaveIBeenPwned that more than 170 million players of Zynga’s popular mobile games Draw Something and Words With Friends had their account information accessed. The data stolen includes names, email addresses, login IDs, hashed passwords, phone numbers, Facebook IDs and Zynga account IDs.

SOURCE | HaveIBeenPwned


December 19, 2019: Over 267 million Facebook records were discovered, exposing Facebook users’ names, Facebook IDs, and phone numbers. The unsecured webpage was open to cybercriminals for at least two weeks.

SOURCE | Threatpost


December 20, 2019: Popular East Coast convenience store and gas station operator, Wawa, has reported the discovery of malware on their payment processing servers. This malicious software captured credit and debit card numbers, cardholder name and card expiration dates from payments made in-store and at gas pumps. The number of customers impacted by the breach has not been disclosed.


Wyze Labs

December 30, 2019: Smart home device maker Wyze Labs has disclosed a data leak impacting more than 2.4 million customers. Production databases belonging to Wyze were left exposed for most of the month, containing usernames and email addresses, WiFi network names, camera names and tokens that identified smartphone and personal digital assistant device connections. The databases also included the personal health information for some users doing beta testing for the company. The company asserts that no passwords or financial account details were included in the database records.


Luscious.net – exposed data


Luscious.net loses 1million user details. According to the team at vpnMentor, an exposed database allowed access to Luscious account holders’ personal details. 

The accessible data included usernames, email addresses, activity logs, and location data for all 1.195 million users.

“Our team was able to access this database because it was completely unsecured and unencrypted,” writes the vpnMentor team. 

If Luscious users happened to use email addresses associated with their real names to register accounts, that information — tied to location data — could be more than enough to associate specific Luscious accounts with their owners. Users’ video uploads to the site were also accessible.

The breach was discovered on Aug. 15, and, after being notified by vpnMentor, Luscious fixed the issue on Aug. 19. That doesn’t mean, however, that no harm was done. 

“While the data breach is now closed,” write the researchers, “it’s still possible that other hackers could have accessed it earlier and extracted the same data we viewed.” 

“A greater issue of concern is the fact that many users joined Luscious on official government emails,” notes vpnMentor. “We found examples of this from users in Brazil, Australia, Italy, Malaysia, and Australia.”

The 2015 Ashley Madison hack demonstrated how this type of information is practically designed for blackmail. In that case, a dating site purportedly offering to put married men in touch with women was breached, and its database consisting of usernames and emails fell into the hands of hackers.