This year has already seen a number of organizations disclose significant data breaches, including a single intrusion that affected several healthcare companies and exposed personal and financial information for millions of patients.
We have compiled some of the most notable 2019 data breach disclosures prior to July 15. These breaches vary in size, scope and types of information exposed, but they all involve unauthorized access to sensitive data by threat actors (either cybercriminals or, in one case, an insider threat).
Another common element among many of these 2019 data breach disclosures is the significant amount of time that passed between the initial intrusion and when the organization detected the malicious activity -- in some cases, more than six months. However, one organization detected and halted an intrusion on the same day the threat actor breached the network.
Here's a look at 10 of the biggest data breach disclosures so far this year (in alphabetical order):
1. 500px
500px, a Toronto-based photo sharing service, announced in February that it had suffered a data breach that affected all users of the service -- approximately 15 million accounts. According to the disclosure, 500px's engineering team discovered a "security issue" on Feb. 8 and began an investigation with a third-party security firm, as well as law enforcement. The investigation determined that a threat actor gained access to the company's network on July 5, 2018, and obtained "partial user data" including names, usernames, email addresses and passwords hashed with the deprecated MD5 algorithm, which is no longer considered secure.
Birth dates, genders and physical addresses were also obtained for those users who provided 500px with the information. The company issued a forced password reset for all users but said there was no indication that threat actors had accessed any user accounts. Have I Been Pwned? (HIBP), a free service that allows users to see if their email addresses and passwords have been compromised by data breaches, reported the 500px user data was available on the dark web.
2. Bulgaria National Revenue Agency
On July 15, a hacker operating under the name "Instakiller" informed media outlets that they had hacked Bulgaria's National Revenue Agency and obtained the names, physical addresses and other personally identifiable information on approximately 5 million citizens and residents (the country's population is 7.1 million people). The data, a portion of which was released publicly, also included financial data such as tax information. The National Revenue Agency announced the intrusion was carried out approximately 20 days earlier, and despite it being the largest data breach in the country's history, the agency said the hacker had accessed only 3% of its data. Bulgarian authorities later arrested and charged Kristian Boykov, a 20-year-old Bulgarian cybersecurity professional, for the breach.
3. Canva
Canva, an Australian company that offers online graphic design services, announced on May 24 that it had detected a cyberattack on its network. The company's data breach disclosures claim the threat actor was "interrupted mid-attack," though it's unclear when they first gained access to the network. Canva said the threat actor, who began tweeting about the incident soon after being detected, accessed profile information for up to 139 million users, including names, usernames and any user-supplied data about their country, city or homepage URLs. The threat actor also accessed passwords salted and hashed with bcrypt, and claimed to have OAuth login tokens for users who signed in via Google, but Canva said there was no evidence to support this claim. Nevertheless, the company reset users' passwords and OAuth tokens.
4. Citrix
On March 8, Citrix announced that two days earlier the FBI contacted the company about cybercriminals gaining access to its network. Citrix immediately began an investigation and was assisted by incident response experts, including FireEye Mandiant. The investigation determined the initial intrusion occurred on Oct. 13, 2018, and that cybercriminals used password spraying to compromise "a very limited number" of employee email accounts. Citrix said the attackers used those accounts to gain access to a shared network drive where they stole "current and historical business documents," though the company did not provide details on the nature of the documents.
In addition, the attackers accessed a separate drive for a web-based consulting tool. Citrix did not say if any customer data was stolen, though it did say it had begun notifying a "limited number of customers who may need to consider additional protective steps." Citrix also said it issued a worldwide password reset and improved its password management practices, though it did not specify how.
5. Clinical Pathology Laboratories
Clinical Pathology Laboratories Inc. (CPL) is one of three confirmed healthcare companies affected by a data breach at American Medical Collection Agency (AMCA), a U.S. medical bill collector [see additional entries on this list for more]. According to CPL, AMCA was alerted to a security incident in its network on March 21; AMCA notified several healthcare companies about the incident in May, but CPL said the collection agency didn't initially provide it with enough information to confirm how many of its customers were affected (CPL's disclosure was published on July 12).
The company said the names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information for 2.2 million CPL patients were accessed by threat actors. According to CPL, credit card or banking information for an additional 34,500 patients was affected; the company said Social Security numbers, clinical tests and medical histories were not affected by the AMCA breach.
6. Desjardins Group
Desjardins Group, a Canadian cooperative of credit unions, announced on June 20 that a police investigation discovered "an ill-intentioned employee" had stolen the information for approximately 2.7 million consumer clients and 173,000 businesses. The insider threat, who was subsequently fired, disclosed the customer data "to individuals outside Desjardins without authorization," according to the company. Desjardins, however, did not specify what customer data was accessed and who the individuals were who accessed it. The company only said that account passwords, security questions and PINs were not exposed. Desjardins said it "introduced additional monitoring and security measures" to protect customer information, though it did not specify what those measures entailed, and also offered affected customers a free credit monitoring plan for 12 months.
7. Evite
In early June, online invitation company Evite confirmed a data breach that was first reported in April when a hacker began selling troves of data from breached companies, including Evite. According to the company, the breach involved an "inactive data storage file" that contained user data from 2013 and earlier. Evite said it launched an investigation, which indicated the intrusion occurred on Feb. 22 and confirmed in May that the inactive storage file had been accessed. According to HIBP, which received a copy of Evite's stolen data, the information included 101 million unique email addresses (most of which were recipients of invites and not members). HIBP also reported the breach exposed names, phone numbers, addresses, dates of birth, genders and plaintext passwords for Evite members. Evite issued a password reset for members and introduced "additional security measures" but did not offer further details on what those measures were.
8. LabCorp
On July 13, Laboratory Corporation of America Holdings (LabCorp) disclosed that some of its patients were affected by the AMCA breach. LabCorp said it was notified by its former vendor AMCA on May 14; LabCorp said it immediately stopped sending any new collection requests to AMCA and also stopped any additional work on existing requests. According to LabCorp's SEC filing, the breach affected 7.7 million patients' names, dates of birth, addresses, phone numbers, dates of service, insurance provider information and balance information. LabCorp said that some patients' Social Security numbers may have been affected because some insurance providers use them as subscriber identification numbers. However, the company said no test results or diagnostic information were affected. LabCorp is offering free credit monitoring and identity protection services for 24 months to the patients whose Social Security numbers may have been accessed.
9. Quest Diagnostics
On June 3, Quest Diagnostics became the first company to disclose it was affected by the AMCA data breach. The clinical laboratory announced that data for 11.9 million customers was exposed, including personal information, Social Security numbers, medical information and "certain financial data." According to Quest Diagnostics' SEC filing about the breach, the financial data included credit card numbers and bank account information. However, the company said lab test results were not exposed in the breach. Quest Diagnostics also said it did not work directly with AMCA; instead, the company said AMCA provided collection services to Optum360, a healthcare technology vendor and Quest Diagnostics contractor. As a result of the breach, Quest Diagnostics said it and Optum360 suspended business with AMCA, and both companies are working with forensics experts to investigate the matter.
10. Toyota
On March 29, Toyota Motor Corporation announced that several of its subsidiaries were affected by a data breach. According to Toyota, the subsidiaries discovered "unauthorized access on the network" that contained customer information from eight subsidiaries [Toyota Tokyo Sales Holdings Co. Ltd.; Tokyo Toyota Motor Co. Ltd.; Tokyo Toyopet Co. Ltd.; Toyota Tokyo Corolla Co. Ltd.; Nets Toyota Tokyo Co. Ltd.; Lexus Koishikawa Sales Co. Ltd.; Jamil Shoji Co. Ltd. (Lexus Nerima); and Toyota West Tokyo Corolla Co. Ltd.]. According to the disclosure, 3.1 million Toyota and Lexus customers were affected by the breach. Toyota didn't say what specific customer information was accessed, but the company said that it did not include credit card data. In response, the company said it would "thoroughly implement information security measures at dealers and the entire Toyota Group," though it did not specify what those measures were.