2022 Data Breaches
V2verify Is The Key To Preventing Data Breaches
V2verify is the answer for preventing data breaches like these, but until they are no longer an issue, we want to provide you with tools and information to minimize your risk and exposure.
Check to See If You're Information Is On the Dark Web
Check Have I Been Pawned to see if your personal information has been breached.
What to Do If Your Data Is Breached
Major database breaches are a regular occurrence, meaning it’s not a matter of if you’ll get hit, but when. The good news is that being proactive when this happens can help prevent the headaches that come from the breach.
November 2022
December 2022
December 30
Lake Charles Memorial Health System (LCMHS)
Lake Charles Memorial Health System (LCMHS) contacted its patients to inform them of the data breach.
The health system's website has posted a notice to its patients of a "cybersecurity incident" that occurred in October of this year, which affected nearly 270,000 patients.
December 30
Howard Memorial Hospital
A Howard County hospital is the latest Arkansas health care provider to announce a data security breach that could put patients and employees at risk, per a hospital release.
Howard Memorial Hospital became aware of suspicious network activity Dec. 4, the release says. An investigation discovered the potential for files to be stolen by an "unknown actor" between Nov. 14 and Dec. 4.
December 29
IBW Financial Corporation
IBW Financial Corporation (“IBW”), the holding company for Industrial Bank, reported a data breach with the Attorney General of Montana after discovering that sensitive consumer information was compromised following what appears to have been a cyberattack committed against the company’s computer network. According to Industrial Bank, the breach resulted in the full names, addresses, dates of birth, Social Security numbers, driver’s licenses or state identification numbers, health insurance information, and financial account information being compromised.
December 27
Lake Charles Health System
Lake Charles (La.) Health System is alerting its patients that in October, an unauthorized third party was able to access its network. The system's IT team detected that a third party may have accessed patient names, dates of birth, patient identification numbers, health insurance information, payment information, limited clinical information, and, in some instances, Social Security numbers.
December 24
Comcast
First, many of them are facing new year's price hikes and now the company's customers are dealing with another big problem. And while this issue may be beyond the cable and internet giant's control, it's still another kick in the teeth for the company's long-suffering customers.
It's also fair to say that Comcast -- while it is responsible for higher prices, slow service, and a lot of other things -- does not carry full responsibility for the huge holiday data breach impacting many of its customers.
Not being fully responsible, however, might make Comcast feel a little better, but it's not likely to make customers feel good about their private data. The cable and internet company was hacked and that makes for a less-than-merry Christmas.
December 23
Connexin Software
A Pennsylvania-based software company announced it was the victim of a recent data security incident that may impact people in the Central Valley.
Connexin Software provides electronic medical records management support to healthcare organizations.
The company confirmed a data security breach that could impact more than 2.2 million people nationwide and around 65,000 of those are connected to Valley Children’s Medical Group patients and parents/guardians in the greater Fresno area.
December 22
Ethos Technologies, Inc.
Consumer Protection, a division of the state’s attorney general’s office, after hackers successfully carried out a cyberattack against the company. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ Social Security numbers.
December 22
Avem Health Partners
Oklahoma-based Avem Health Partners, which provides administrative and technology services to healthcare organizations, notified 271,303 individuals of a healthcare data breach that occurred at 365 Data Centers, a vendor used by a third-party service provider utilized by Avem. 365 Data Centers discovered that an unauthorized party may have accessed information on its servers in May 2022.
December 21
Hope College
Personal information of students and other people associated with Hope College may have been leaked in a data breach, the school said.
Around Sept. 27, Hope College discovered “potential unauthorized access to its network,” and started working with its IT team and legal specialists outside of the college to conduct a full forensic investigation.
Investigation found that “certain sensitive information kept in the normal course of business” — like first and last names, birthdates, social security numbers, driver’s license numbers and student ID numbers — had been compromised.
December 21
Morley Companies Inc.
Morley Companies Inc. has set aside $4.3 million to settle a class action lawsuit following a ransomware attack that compromised data from its clients and customers.
The settlement class, which has been directly notified of the settlement, is defined as U.S. residents whose data was compromised during the data incident the defendant announced on or about Aug. 1, 2021. Morley notified more than 694,000 individuals of the data breach.
December 21
BetMGM
Sports betting service BetMGM said on Wednesday personal information of its customers were obtained in an unauthorized manner, but did not specify the number of users affected.
The issue affected customer information such as name, contact information, date of birth, hashed Social Security number, account identifiers and information related to transactions with BetMGM, the company said.
December 20
Nio Inc
China-based Nio Inc said on Tuesday that hackers had breached its computer systems and accessed data on users and vehicle sales, in the latest hacking incident to hit the global auto industry.
According to media reports, the hackers had sent an email to the electric carmaker demanding $2.25 million worth of bitcoin and claiming that they had its internal data.
The company said it was working with government authorities to investigate the data breach.
December 19
McGraw Hill
Education publishing company McGraw Hill had a data breach that potentially exposed hundreds of thousands of students’ email addresses and grades, a recent report from vpnMentor said. The online privacy firm said its research team detected the data breach in mid-June and spent months attempting to contact the company about the issue. The researchers found troves of data “apparently belonging to McGraw Hill” that were available to anyone with a web browser, according to the report.
December 19
San Diego Unified School District
The San Diego Unified School District has confirmed new details regarding the timeline of its cybersecurity incident in a report it filed with the state Attorney General's office on Dec. 12. The sample data breach letter filed with the Attorney General's office confirms that the cybersecurity incident occurred Oct. 25, five weeks prior to the district first notifying employees and student families.
December 19
Louise W. Eggleston Center, Inc.
Louise W. Eggleston Center, Inc. (“Eggleston Center,” “Eggleston”) reported a data breach with the Attorney general of Maine after the company learned that hackers were able to access sensitive consumer information in its possession following a ransomware attack. According to Eggleston, the breach resulted in consumers’ full names, Social Security numbers, driver’s license numbers, non-driver ID numbers, financial account numbers and access codes, and military ID numbers being compromised.
December 19
DraftKings
Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November.
December 21
Hope College
Personal information of students and other people associated with Hope College may have been leaked in a data breach, the school said. Around Sept. 27, Hope College discovered “potential unauthorized access to its network,” and started working with its IT team and legal specialists outside of the college to conduct a full forensic investigation. The investigation found that “certain sensitive information kept in the normal course of business” — like first and last names, birthdates, social security numbers, driver’s license numbers and student ID numbers — had been compromised.
December 21
Morley Companies Inc.
Morley Companies Inc. has set aside $4.3 million to settle a class action lawsuit following a ransomware attack that compromised data from its clients and customers.
The settlement class, which has been directly notified of the settlement, is defined as U.S. residents whose data was compromised during the data incident the defendant announced on or about Aug. 1, 2021. Morley notified more than 694,000 individuals of the data breach.
December 21
BetMGM
Sports betting service BetMGM said on Wednesday personal information of its customers were obtained in an unauthorized manner, but did not specify the number of users affected.
The issue affected customer information such as name, contact information, date of birth, hashed Social Security number, account identifiers and information related to transactions with BetMGM, the company said.
December 20
Nio Inc
China-based Nio Inc said on Tuesday that hackers had breached its computer systems and accessed data on users and vehicle sales in the latest hacking incident to hit the global auto industry. The hackers had sent an email to the electric carmaker demanding $2.25 million worth of bitcoin and claiming that they had its internal data, according to media reports. The company said it was working with government authorities to investigate the data breach.
December 19
San Diego Unified School District
The San Diego Unified School District has confirmed new details regarding the timeline of its breach confirming that the cybersecurity incident occurred Oct. 25, five weeks prior to the district first notifying employees and student families.
December 19
Louise W. Eggleston Center, Inc.
Louise W. Eggleston Center, Inc. (“Eggleston Center,” “Eggleston”) reported a data breach with the Attorney general of Maine after the company learned that hackers were able to access sensitive consumer information in its possession following a ransomware attack. According to Eggleston, the breach resulted in consumers’ full names, Social Security numbers, driver’s license numbers, non-driver ID numbers, financial account numbers and access codes, and military ID numbers being compromised.
December 19
DraftKings
Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November.
December 19
GA Health System
Georgia-based Emory Healthcare reported a healthcare data breach that impacted more than 1,000 individuals and potentially exposed protected health information (PHI).
Through a notice from the United States Department of Labor (DOL), Emory Healthcare became aware of an employee inappropriately accessing at least 1,600 patient records between December 2020 and December 2021.
Further investigation revealed that the now-former employee released demographic information from several hundred employees to individuals involved in unemployment benefits fraud.
December 18
SevenRooms
Restaurant customer management platform SevenRooms has confirmed it suffered a data breach after a threat actor began selling stolen data on a hacking forum.
SevenRooms is a restaurant customer relationship management (CRM) platform used by international restaurant chains and hospitality service providers, such as MGM Resorts, Bloomin' Brands, Mandarin Oriental, Wolfgang Puck, and many more.
On December 15, a threat actor posted data samples on the Breached hacking forum, claiming to have stolen a 427 GB backup database with thousands of files containing information about SevenRooms customers.
December 16
Rochester Public Library
The City of Rochester is reporting a data breach that could affect Rochester Public Library customers.
A statement issued by the city late Friday afternoon says the public library when is notified that one of its service partners, MNLINK, experienced a data breach on Thursday. In what is been described as a random cyber attack, the names and email addresses of over 1700 Rochester Public Library customers may have been accessed.
December 16
Health Care Management Solutions
Social media analytics platform Social Blade has confirmed it suffered a data breach after its database was breached and put up for sale on a hacking forum.
Social Blade is an analytics platform that provides statistical graphs for YouTube, Twitter, Twitch, Daily Motion, Mixer, and Instagram accounts, allowing customers to see estimated earnings and projects.
December 15
Social Blade
Social media analytics platform Social Blade has confirmed it suffered a data breach after its database was breached and put up for sale on a hacking forum.
Social Blade is an analytics platform that provides statistical graphs for YouTube, Twitter, Twitch, Daily Motion, Mixer, and Instagram accounts, allowing customers to see estimated earnings and projects.
December 15
Avem Health Partners
Avem Health Partners reported a data breach with several state attorney general offices after the company learned of a cybersecurity incident at 365 Data Centers, a vendor used by one of Avem's service providers. According to Avem, the breach resulted in certain consumers' names, dates of birth, Social Security numbers, driver's license numbers, health insurance information, and diagnosis and treatment information being compromised.
December 15
Hope College
According to college officials Thursday, Hope College discovered potential unauthorized access into its network, targeting individuals' personal information. The information believed to be at risk included individuals' first and last names, in combination with date of birth, Social Security number, driver's license number, and Student ID number. No financial information for individuals was at risk, according to Hope College.A third-party vendor related to Gemini appeared to have suffered a data breach on or before Dec. 13. According to documents obtained by Cointelegraph, hackers gained access to 5,701,649 lines of information pertaining to Gemini customers’ email addresses and partial phone numbers. In the case of the latter, hackers apparently did not gain access to the full phone numbers, as certain numeric digits were obfuscated.
December 14
Centers for Medicare & Medicaid Services (CMS)
According to a Dec. 14 press release, the Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), that possibly involves Medicare beneficiaries' personally identifiable information (PII) and/or protected health information (PHI).
December 13
Gemini
A third-part vendor related to Gemini appeared to have suffered a data breach on or before Dec. 13. According to documents obtained by Cointelegraph, hackers gained access to 5,701,649 lines of information pertaining to Gemini customers’ email addresses and partial phone numbers. In the case of the latter, hackers apparently did not gain access to the full phone numbers, as certain numeric digits were obfuscated. After the news came to light, Gemini has since clarified in a blog post that the breach appeared to be "result of an incident at a third-party vendor" but also warned of ongoing "phishing campaigns" as a result of the data leak.
December 13
San Gorgonio Memorial Hospital
San Gorgonio Memorial Hospital in Banning, California, notified patients of a recent healthcare data breach. The hospital discovered that an unauthorized party had gained access to its network between October 29 and November 10, 2022. The unauthorized party copied some documents on the hospital’s system during that time.
The documents contained names, addresses, medical record numbers, visit ID numbers, health insurance information, clinical information, and dates of birth. The investigation is ongoing, but the hospital said it would update patients if it discovered that any additional information was involved in the incident, such as financial account information or government-issued ID numbers.
December 12
Uber
Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cybersecurity incident. Early Saturday morning, a threat actor named 'UberLeaks' began leaking data allegedly stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.
December 11
Telstra
Australia's largest telecoms firm Telstra Corp Ltd (TLS.AX) said on Sunday that 132,000 customers were impacted by an internal error that led to disclosure of customer details.
December 9
Veros Credit
Veros Credit reported a data breach with the Texas Attorney General’s office after the company learned that an unauthorized party was able to access confidential consumer information that had been entrusted to the company. According to Veros, the breach resulted in affected consumers’ names, addresses, Social Security numbers, driver’s license numbers, financial account information, insurance information and medical information being compromised.
December 9
Upper Peninsula Power Company
Upper Peninsula Power Company (“UPPCO”) reported a data breach with the Maine Attorney General’s office after the company learned that an unauthorized party was able to access sensitive consumer information by gaining access to its computer network. According to UPPCO, the breach resulted in the first and last names and Social Security numbers being compromised.
December 9
COVAXX
Beginning Friday, some 360,000 people will receive notices that their personal information was part of the November 2021 data breach of the COVAXX system, the Ministry of Public and Business Service Delivery said in a statement Friday.
The ministry said it had been working with the Ministry of Health, police and Ontario's privacy commissioner to determine the scale and impact of the breach. The ministry's statement does not say how it occurred.
December 9
Teleperformance USA
Teleperformance USA reported a data breach with the Texas Attorney General after learning that an unauthorized party had accessed confidential consumer information that was entrusted to the company. According to Teleperformance USA, the breach resulted in the names, addresses and Social Security numbers being compromised.
December 9
Wing Financial
Wing Financial (an independently owned franchise of Jackson Hewitt) reported a data breach with the Maine Attorney General after confirming that an unauthorized party could access confidential consumer information entrusted to the company. According to Wing Financial, the breach resulted in the following consumer information being compromised: names, Social Security numbers, addresses, dates of birth, government ID numbers, financial account information, health insurance information and medical history and treatment information.
December 8
Black, Gould & Associates, Inc
Black, Gould & Associates, Inc. (“BGA”) reported a data breach with the Maine Attorney General after the company discovered that consumer information stored on its computer system was compromised after an unauthorized party gained access to the BGA network. According to BGA, leaked information includes the first and last names, Social Security numbers, dates of birth, and addresses of certain people who purchased an insurance policy sold by a broker or agent associated with BGA.
December 8
CommonSpirit
Patients of at least seven hospitals in Washington state affiliated with CommonSpirit have been affected by a data breach involving the hospital chain's October ransomware incident.
Even more hospitals and their patients might be affected by breaches as the Chicago-based medical giant continues investigating the incident and reviewing files compromised in the attack.
December 8
Acuity Brands
Acuity Brands said it became aware of unauthorized access to its systems and data theft in early December 2021. The investigation into the incident revealed a separate, unrelated breach that occurred in October 2020, which also involved attempts to copy files from compromised systems.
An investigation revealed that the information compromised in the two incidents belonged to current and former employees and Acuity's health plan members.
December 8
Sequoia
HR, payroll, and benefits management company Sequoia said in disclosures to customers at the beginning of the month that it detected unauthorized access to a cloud storage repository that contained an array of sensitive and personal data related to the company's Sequoia One customers.
December 7
Suffolk University
Suffolk University reported a data breach with the attorney general offices of several states after learning that an unauthorized party was able to access and remove certain files containing sensitive student information from the school's computer network. According to Suffolk University, the breach resulted in the following student information being compromised: full names, Social Security numbers, driver's license numbers, state identification numbers, financial account information and protected health information.
December 7
Rhode Island Department of Health
The Rhode Island Department of Health is investigating a data breach that happened earlier this year, which compromised the personal information of approximately 8,800 Rhode Islanders.
December 6
Rackspace Technology, Inc
Starting on December 2, 2022, Rackspace observed and began investigating connectivity issues within its Hosted Exchange environment. Over the next few days, its reports developed from an acknowledged lack of information to identify the event as a "security incident" to a report issued today that the cause was ransomware. Meanwhile, countless Rackspace customers could not access email service and were advised to migrate to a Microsoft 365 platform and take various steps to protect and access their data.
December 6
Macmillan
Macmillan reported a data breach with the Texas Attorney General after an unauthorized party bypassed its data security system and gained access to sensitive consumer information on the company's computer system. According to Macmillan, the breach resulted in compromised consumer names, addresses, Social Security numbers, driver's license numbers, and financial account information.
December 6
South Staffordshire Water
Cambridge Water customers are the latest to be revealed as victims of the South Staffordshire Water cyberattack. Names, addresses, and bank account details of victims have been found on the dark web. The company has warned that criminals could use the data to submit fraudulent direct debit requests from victim accounts.
December 5
Rackspace
Rackspace’s Hosted Exchange service, which makes it easier for organizations to use Microsoft Exchange servers for email, started experiencing problems on Friday, December 2. The company confirmed the problems early in the day and told customers that it had to shut down the Exchange environment due to what it described as “significant failure”.
On Saturday, nearly 24 hours after the disruption started, Rackspace revealed that the issues were caused by a “security incident”.
Rackspace has not said whether this is a ransomware or other type of cyberattack, and it's also unclear if there was any data breach involving customer or other type of information.
December 2
Florida Department of Revenue
A security researcher revealed a flaw on the Florida Department of Revenue website, exposing at least hundreds of tax filers' Social Security Numbers and bank account numbers.
December 2
Keralty
SC Media reports that Colombian healthcare provider Keralty was hit with a ransomware attack last weekend at the hands of the RansomHouse threat group. Keralty is a multinational healthcare organization with a network of twelve hospitals and over three hundred medical centers in Latin America, Spain, the US, and Asia, serving over 6 million patients.
December 2
U.S. Immigration and Customs Enforcement
More than 6,000 asylum seekers U.S. custody had their names and other personally identifiable information, as well as immigration details, "erroneously" posted by the U.S. Immigration and Customs Enforcement on its website on Monday, according to The Register. The Los Angeles Times reported that the breach exposed immigrants' names, nationalities, birthdates, case status, and detention locations.
December 2
HIVE
According to the German security collective Zerforschung, Hive had grievous software vulnerabilities that exposed all of its users’ personal data to the internet.
According to Zerforschung’s blog:
“The issues we reported allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages. This also includes private email addresses and phone numbers entered during login. Attackers can also overwrite data such as posts owned by other users...”
December 1
California's Department of Justice
California's Department of Justice mistakenly posted the names, addresses and birthdays of nearly 200,000 gun owners on the internet because officials didn't follow policies or understand how to operate their website, according to an investigation released Wednesday.
The investigation, conducted by an outside law firm hired by the California Department of Justice, found that personal information for 192,000 people was downloaded 2,734 times by 507 unique IP addresses during a roughly 12-hour period in late June. All of those people had applied for a permit to carry a concealed gun.
December 1
Lynnwood
A security breach at a Lynnwood-based debt collection agency jeopardized sensitive personal information for more than 3 million people across the country last year.
The Lynnwood company now faces a slew of lawsuits in federal court in Seattle. The complaints allege the company violated state law due to an alleged lack of security and the delay in notifying people of the breach.
December 1
Virginia Mason Franciscan Health
A hacking incident in October that impacted workers at Virginia Mason Franciscan Health and its patients was determined to be ransomware and patient information was accessed.
A review of the data is ongoing, but data in the files related to patients, family members or caregivers of patients could possibly include locations St. Joseph Hospital, St. Francis Hospital, St. Elizabeth Hospital, St. Clare Hospital, St. Anthony Hospital, St. Anne Hospital, St. Michael Medical Center and clinics associated with Franciscan Health.
November 30
GoTo
LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.
The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service.
This is the second security incident disclosed by Lastpass this year.
In a subsequent update, the company revealed that the attackers behind the August security breach maintained internal access to their systems for four days until they were evicted.
November 30
LastPass
NHS Highland has apologized to all affected patients after medical files were left outside a Highland hospital.
It is not known at which hospital the breach occurred but is the latest of more than 9500 data breaches across NHS Scotland in the past four years.
November 29
NHS Highland
NHS Highland has apologized to all affected patients after medical files were left outside a Highland hospital.
It is not known at which hospital the breach occurred but is the latest of more than 9500 data breaches across NHS Scotland in the past four years.
November 29
Klamath County Developmental Disability Services
Klamath County Developmental Disability Services (KCDDS) notified 547 individuals of a breach of unsecured personal patient-protected health information after discovering the event on October 21.
The information that was involved included individual names, date of birth, address, and Medicaid numbers.
November 29
Connexin Software
Connexin Software, a company that offers pediatric-specific health IT solutions and operates under the name Office Practicum, notified more than 2.2 million individuals of a healthcare data breach that occurred in August 2022. Nearly 120 pediatric physician practices and practice groups were impacted by the breach.
Further investigation revealed that an unauthorized party was able to access an offline set of patient data used for troubleshooting and data conversion and subsequently remove some of that data.
November 27
Coinsquare
Canada's first IIROC-regulated cryptocurrency marketplace, Coinsquare, recently said that the client data is breached and claimed the breached personal data was not likely seen "by the bad actor" and also added that the customers' assets are "secure in cold storage and are not at risk."
November 27
Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum.
The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.
November 25
On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers.
The dataset allegedly contains WhatsApp user data from 84 countries. Threat actor claims there are over 32 million US user records included.
Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).
The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens' phone numbers.
November 24
Sonder
Hospitality company Sonder has confirmed a data breach that has potentially compromised guest records.
The data potentially compromised in the breach reportedly include usernames and encrypted passwords, names, phone numbers, dates of birth, addresses and email addresses.
November 23
Wright & Filippis
Wright & Filippis reported a data breach after the company learned it had been the target of a ransomware attack. According to Wright & Filippis, the breach resulted in the names, dates of birth, patient numbers, Social Security numbers, financial account numbers, and health insurance information being compromised.
November 23
Cleveland Hopkins International Airport
Security breach at Cleveland Hopkins International Airport causes temporary shutdown. The Cleveland Division of Police has apprehended the suspect.
November 23
Disability Services of the Southwest
DSSW, Inc. reported that its website experienced an intrusion. The site is operated by a third-party company, Internap Holding Inc., and the platform provider's systems experienced the intrusion.
The intruder accessed DSSW's employee names, emails, phone numbers, addresses, and training history.
November 23
GATE Petroleum
GATE Petroleum Company reported a data breach after the company learned that an unauthorized party had gained access to sensitive information stored on its computer network. According to GATE, the breach leaked the names and Social Security numbers of individuals.
November 23
Health Care Management Solutions
Health Care Management Solutions, LLC reported a data breach after the company was the target of a recent cyberattack compromising patients' sensitive information.
November 23
Doctors' Center Hospital
Doctors' Center Hospital reported a data breach after the company learned that an unauthorized party was able to gain access to sensitive patient information. While Doctors' Center Hospital has not yet posted notice of the breach on its website, based on the company's filing with the Office for Civil Rights, it would appear that the breach resulted in patients' protected health information being compromised.
November 22
Receivables Performance Management LLC
Receivables Performance Management LLC reported a data breach after the company learned that it had been the target of a 2021 ransomware attack compromising sensitive consumer information stored on its computer network. According to RPM, the breach resulted in the names and Social Security numbers belonging to certain individuals being compromised.
November 22
HomeTrust Mortgage
HomeTrust Mortgage reported a data breach after hackers carried out a successful ransomware attack against the company, compromising consumer data stored on the company's computer system. The breach resulted in the names, addresses and Social Security numbers of customers compromised.
November 22
AAA Collections
AAA Collections reported that many of their customers' names and Social Security numbers could be compromised.
November 22
Meta
Meta has allegedly fired more than 12 employees for hacking into users' Facebook and Instagram accounts.
According to the Wall Street Journal (WSJ), which broke the story on November 17, some of the hacking cases involved bribery, with employees being paid thousands of dollars to hack into the accounts.
According to an internal investigation into the account hijacking, those fired by Meta included contractors employed at the company's facilities as security guards.
November 22
California's Tahoma County
California's Tahoma County had personally identifiable information compromised following a data breach of their system. Data exposed includes names, birthdates, addresses, Social Security numbers, driver's license numbers, SSNs, and driver's license numbers.
November 22
YAKIMA NEIGHBORHOOD HEALTH SERVICES
Washington-based Yakima Neighborhood Health Services (YNHS) notified 2,689 individuals of a data security incident.
A file containing individuals' personal and protected information was inadvertently distributed.
The file contained names, birth dates, medical treatment locations, and medical record numbers. YNHS said it has no evidence that any information involved in the incident has been misused.
November 22
Gateway Rehabilitation Center
Pennsylvania-based Gateway Rehabilitation Center notified 130,000 individuals of a data breach it discovered in June 2022.
Gateway Rehab discovered an "incident disrupting access to certain systems" and immediately took steps to secure its systems. Further investigation revealed that the names, birth dates, Social Security numbers, medical information, health insurance information, and financial account information of current and former patients were potentially compromised.
November 22
University Medical Center (UMC) of Southern Nevada
University Medical Center (UMC) of Southern Nevada notified 1,861 individuals of a breach that occurred when a workforce member accessed EHR information without an appropriate reason for doing so.
The incident came to light during a review conducted in September. UMC discovered that the employee had accessed patient records between May 19, 2021, and September 22, 2022. The data accessed potentially included demographic information, clinical information, and insurance information.
November 22
The Smith Family
Children's charity, The Smith Family, has become the latest major Australian organization to fall victim to a cyberattack, with hackers gaining access to its donors' confidential information, including credit card details.
The charity on Tuesday confirmed it detected a data breach in October, in which a hacker got into a staff member's email and stopped an attempt to steal the charity's funds. But after digital investigators completed an investigation last week, they found that files with donor names, addresses, and contact information were in the inbox along with the partial credit card data.
November 21
Commonwealth Care Alliance of California
Commonwealth Care Alliance of California ("CCA Health California") reported a data breach after an unauthorized party access files on the company's network containing sensitive information. According to CCA Health California, the breach resulted in the names, Social Security numbers, dates of birth, driver's license numbers and protected health information of certain people being compromised.
November 21
Eagle Bank
Eagle Bank reported a data breach after an unauthorized party gained access to sensitive consumer information. According to Eagle Bank, the breach resulted in the names, Social Security numbers, financial account numbers and driver's license numbers of certain bank customers being compromised.
November 21
The County of Tehama, California
The County of Tehama, California, reported that employees' personal information was compromised in a data breach. The investigation revealed that an unauthorized third party accessed the county's systems between November 18, 2021, and April 9, 2022.
"The County of Tehama determined that information pertaining to certain current and former County of Tehama employees, recipients of services from the County of Tehama Department of Social Services, and other affiliated individuals was contained in one or more of those files," the county says. Compromised information included names, addresses, birth dates, Social Security numbers, driver's license numbers, and details about the services the impacted individuals might have received from the social services department.
November 21
Booz Allen Hamilton
US management and information technology consulting firm Booz Allen Hamilton suffered a data breach after a now-former employee downloaded a copy of an internal report that was improperly stored on an internal SharePoint site. TechCrunch explains that the report contained data on active employees as of March 29, 2021, containing the personal data of tens of thousands of employees, many of whom are contracted to government, military, and intelligence agencies and hold high-level security clearances.
November 20
AirAsia
Multiple reports from the cybersecurity world have noted that AirAsia may have become the latest victim of the Daixin ransomware group. The attack took place over two days earlier this month and has resulted in the leakage of personal data belonging to 5 million unique passengers as well as all of the group's employees.
November 18
The Rosewood Corporation
The Rosewood Corporation reported a data breach after an unauthorized party accessed sensitive consumer information in the company’s possession. According to Rosewood, the breach resulted in the names, addresses, Social Security numbers, driver’s license numbers, government identification numbers, and health insurance information belonging to certain individuals being compromised.
November 18
Christus Spohn Health System
According to a letter that Christus Spohn Health System sent its affected customers -- hackers obtained files from patients between April 9, and May 4 of 2022.
November 18
Community Health Network
Community Health Network discovered that a data breach may have led to certain patient information being transmitted to web-tracking technology vendors.
Information that could have been transmitted, however, includes computer IP addresses; dates, times, or locations of scheduled appointments; health care provider information; type of appointment or procedure scheduled; communications that occurred through MyChart which could include first and last name and medical record numbers; information about insurance coverage and the names on MyChart accounts.
November 18
Sacramento County Correctional Health
Sacramento County Correctional Health reported that for nearly five months, thousands of their patients had their information exposed to the public internet in a data breach by a county contractor.
November 18
Uponor
Uponor reported a ransomware attack, that impacted its operations in Europe and North America. Based on the investigations, Uponor has evidence of a data breach affecting Uponor’s employee, customer, and other partners’ data. According to Uponor’s current knowledge, the breached data has not been published to the public domain.
November 18
NewYork-Presbyterian Hospital
NewYork-Presbyterian (NYP) Hospital notified approximately 12,000 patients of a breach that occurred in September 2022. The hospital received an alert of suspicious server activity on September 8, its notice to patients explained. Investigation revealed that the third-party had used a cloud-based, remote information technology customer support program to gain access to the laptops of several of its workforce members, copying and removing desktop files from some of the devices.
November 18
Innovative Service Technology Management Services
Innovative Service Technology Management Services, Inc. reported a data breach after the company experienced a ransomware attack targeting its computer system. According to IST Management, the breach resulted in the names, birth dates, Social Security numbers, driver’s license numbers, passport numbers, financial account information and medical billing information being compromised.
November 18
Middletown Valley Bank
Middletown Valley Bank reported a data breach after the company discovered that an unauthorized party had gained access to files on the bank’s computer network containing sensitive consumer information: names, financial account numbers, Social Security numbers, driver’s license numbers, passport numbers, and other identifying information.
November 17
Old Point National Bank
Old Point National Bank reported a data breach after the company learned that an unauthorized party was able to access an employee’s email account that contained sensitive information belonging to certain bank customers. According to Old Point, the breach resulted in the names, driver’s license numbers and photos, Social Security numbers, and bank account numbers and balances being compromised.
November 17
Sierra College
Sierra College reported a data breach after the school was the recent target of a ransomware attack. According to Sierra College, the breach resulted in the names, addresses, passport numbers, driver’s license numbers, Social Security numbers, financial account information, and medical information of certain students and employees being compromised.
November 17
Suffolk Police
The Suffolk Police force has suffered a data breach that led to information about sexual assault victims being posted online. Hundreds of victims had their names, addresses, dates of birth and details of the alleged sexual offences committed published on the force website, according to the East Anglia Daily Times, which first reported the story.
November 16
Work Health Solutions
Work Health Solutions reported a data breach after an unauthorized party accessed an employee’s email account. According to WHS, the breach resulted in the full names, Social Security numbers, driver’s license numbers, health insurance information, and medical information being compromised.
November 14
TransUnion
TransUnion filed a notice with the Massachusetts Attorney General regarding a data breach. According to that letter, an unauthorized party gained access to sensitive personal consumer data, including names, addresses, driver’s license numbers, financial data, and Social Security numbers.
November 14
Whoosh
The Russian scooter-sharing service Whoosh has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum.
November 13
Thales
Thales, the French defence and technology group confirmed to be aware that the ransomware group LockBit 3.0 claimed to have stolen some of its data.
November 12
Sobeys
Sobeys, the second-largest supermarket chain in Canada, was the victim of a ransomware attack conducted by the Black Basta gang.
According to the media, who shared the experience of customers and employees, it is still possible to shop at the stores, but it was not possible to process gift cards and refill prescriptions.
November 10
Louisiana Corrections Department
The Louisiana Department of Public Safety and Corrections reported a third-party data breach that impacted 85,466 inmates who received offsite medical care during their incarceration between January 2013 and July 2022.
The breach originated at CorrectCare, a third-party health administrator under contract with the department to process medical claims. The compromised file included names, birth dates, Social Security numbers, DOC IDs, and diagnosis codes. The breach did not impact the department’s EHR system.
November 7
Camping World and Good Sam
CWGS Group, a holding company that does business under the name Camping World and Good Sam reported a data breach that exposed sensitive consumer information. According to Camping World, the breach resulted in the following consumer information being compromised: names, dates of birth, Social Security numbers, driver’s license numbers, government ID numbers, tax ID numbers, financial account numbers, debit & credit card numbers, digital & electronic signatures, and usernames & passwords.
November 7
Medibank
Australian health insurer Medibank today confirmed that the data of 9.7 million customers was compromised in a recent cyberattack. The incident was identified on October 12, before threat actors could deploy file-encrypting ransomware, but not before they stole data from the company’s systems. Medibank, which immediately initiated an incident response and launched an investigation into the attack, could not determine whether customer data was compromised until contacted by the threat actor behind the data breach.
November 6
Victorian Government
PNORS Technology Group, which works with several state departments, including the Department of Education and Training, was targeted by hackers. The breach exposed medical records and answers for The School Entrant Health Questionnaire (SEHQ), which is completed by nearly all families in the state.
November 4
Convergent Outsourcing
Convergent Outsourcing, Inc. experienced a ransomware attack. According to Convergent Outsourcing, the breach resulted in the names, contact information, financial account numbers, and Social Security numbers being compromised.
November 4
Salud Family Health
Salud Family Health reported a data breach that exposed patient names, Social Security numbers, driver’s license numbers or state identification card numbers, financial account information, credit card numbers, passport numbers, medical treatment and diagnosis information, health insurance information, biometric data, and usernames and passwords.
November 4
St. Luke’s Health
St. Luke’s Health notified 16,906 individuals of a third-party data breach that impacted Adelanto Healthcare Ventures (AHCV), a consulting services vendor.
AHCV determined that the compromised email accounts contained St. Luke’s Health protected health information, including names, birth dates, addresses, Social Security numbers, dates of service, Medicaid numbers, medical record numbers, and limited clinical data.
November 4
Ethos Group
Ethos Group announced that the company recently experienced a data breach impacting the security of consumer information stored on its computer systems.
Ethos determined that an unauthorized party had gained access to the company’s computer system and accessed files containing Social Security numbers, financial account information, protected health information, or government identification numbers.
November 3
WakeMed Health and Hospitals
WakeMed notified more than 495,000 individuals that their information was involved in the breach. Meta and a variety of health systems are facing scrutiny over the use of tracking pixels on hospital websites. Tracking pixels are typically used for targeted marketing and tracking user activity, but in the case of numerous hospitals, the pixel was found on password-protected patient portals.
November 3
Dropbox
Cloud storage company Dropbox has suffered a data breach after a phishing attack targeted its employees. The attack, which took place on October 14, saw a malicious actor pose as code integration and delivery platform CircleCI in order to harvest login credentials and authentication codes from employees and gain access to Dropbox's account on code repository site GitHub, as CircleCI login information can be used to access Github.
November 3
Harcourts Melbourne
Harcourts reported that it suffered a data breach exposing customers' names, addresses, and bank details to hackers. According to the email, an unknown third party had accessed the company's rental property database. Harcourts said the data breach stemmed from its software service provider Stafflink, where the account of one of Stafflink's employees was allegedly compromised and made accessible to third parties.
November 3
Vodafone Italy
Vodafone Italia reported a data breach, informing that one of its commercial partners, FourB S.p.A., who operates as a reseller of telecommunications services in the country, has suffered a cyberattack. According to the notice, the cyberattack resulted in the compromise of sensitive subscriber details. The exposed information includes subscription details, identity documents with sensitive data, and contact details.
November 3
OakBend Medical Center
OakBend Medical Center reported a data breach with the Attorney General of Texas after the company experienced what appears to have been a ransomware attack. According to OakBend, the breach resulted in the compromised names, contact information, Social Security numbers, and birth dates of current and former patients, employees, and other related parties. Recently, OakBend sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds. In all, an estimated 497,000 people were affected by the OakBend Medical Center data breach.
November 2
Pinnacle Claims Management
Pinnacle Claims Management, Inc. reported a data breach with the California Attorney General’s office after the company determined that an unauthorized party had accessed files containing sensitive consumer information. While PCMI has not yet publicly disclosed the data types that were leaked, based on the company’s business, it is likely that the compromised information consists of consumers’ protected health information and possibly their Social Security numbers.
November 2
Multi-Color Corporation
Multi-Color Corporation, a major label printing firm, reported a cyberattack that compromised the personal data of its current and former employees. After identifying unauthorized network access, they launched an investigation revealing the compromised data, including personnel files and benefits programs information.
November 2
Louisiana Department of Public Safety
According to a press release, the Louisiana Department of Public Safety and Corrections has learned about a cybersecurity breach at a third-party health administrator that led to the exposure of health information of about 80,000 inmates over nine years.
The press release states that state and pre-trial inmates who received off-site medical care from the time frame of Jan. 1, 2013, to July 7, 2022, may have had their personal health information exposed.
November 1
Bed Bath & Beyond
Bed Bath & Beyond Inc reported a third party had improperly accessed its data through a phishing scam by accessing the hard drive of one of its employees. They are reviewing the data accessed to determine whether the drives contained any sensitive or personally identifiable information.
November 1
U.S. Bank
U.S. Bank reported that the personal information of about 11K customers was accidentally shared by one of the bank's third-party vendors. The data accessed included names, Social Security numbers, closed account numbers, and outstanding balances.
November 1
Twilio
It was recently reported that the cloud communications company, Twilio was breached twice, not once, this past summer due to phishing attacks that combined led to the access of hundreds of customers' data. In August, Twilio originally announced that its internal systems had been breached but in an update last week, Twilio said it and a forensic firm had conducted an "extensive investigation" into the August incident and confirmed the attack vector was indeed via compromised employees' credentials.
November 1
Shas Party Election Campaign
The Shas party election campaign has reported that a hack exposed sensitive personal details of millions of citizens with the right to vote in the Israeli elections to be held this coming Tuesday.
The breach was revealed following an anonymous leak received on the CyberCyber podcast of Ido Kenan and Noam Rotem. The breach was based on a known four-year-old weakness in an online system debugging tool, which could be easily exploited.
November 1
Australian Defence Force
Australian Defence Force confirms hackers have attacked an external IT provider used by military personnel and Defence department public servants. A spokeswoman for Defence Minister Richard Marles confirmed to NCA NewsWire a breach had taken place on the ForceNet service.
November 1
Royal Mail
Royal Mail has experienced a data breach where customers have seen the information of others users.
October 2022
October 28
Michigan Medicine
Michigan Medicine said Thursday that compromised employee email accounts may have exposed the health information of about 33,850 patients. The health system said in a press release that from August 15 through August 23, Michigan Medicine employees were targeted with a phishing scam through their email.
October 28
Australian Clinical Labs
Australian Clinical Labs reported its Medlab Pathology business suffered a data breach that affected about 223,000 accounts, marking corporate Australia's fourth major hack since September.
October 28
SeeTickets
Genshin Impact developer, HoYoverse has suffered a massive data breach. Over the weekend, huge batches of information were shared online that revealed details of new characters, quests, and events from version 3.3 until 3.8.
October 28
HoYoverse
Genshin Impact developer, HoYoverse has suffered a massive data breach. Over the weekend, huge batches of information were shared online that revealed details of new characters, quests, and events from version 3.3 until 3.8.
October 28
Australia Liberal Party
South Australian Police are investigating another major security breach - this time involving members of the state Liberal Party.
October 28
Personal Finance Society
Personal Finance Society (PFS) reported that their partner, Chartered Insurance Institute (CII) had their IT systems hacked, exposing customers personal data.
October 26
Radiology Associates of Albuquerque (RAA Imaging)
RAA Imaging discovered that an unauthorized party had accessed email accounts at differing times between December 22, 2020, and July 15, 2021, and that patient data was exposed. In October of 2022, RAA Imaging reported the hack to their patients and notified them that the information stolen in 2021 involved names, contact information, Social Security number, medical conditions, medical history, treatment information, patient account numbers, health insurance, and other PHI.
October 26
Choice Health Insurance
Choice Health Insurance, LLC filed reported a data breach after they company learned that data was taken from the company's servers, the breach included first and last names; Social Security numbers; Medicare beneficiary identification numbers; dates of birth; addresses and contact information.
October 26
Vivendi Ticketing US
Vivendi Ticketing US, LLC reported a data breach after an unauthorized party accessed consumer information. According to Vivendi, the breach included names, addresses credit card numbers and bank account numbers.
October 24
EnergyAustralia
EnergyAustralia, the electricity company, reported that 323 residential and small business customers were affected by unauthorized access to their online platform, My Account. Details including customer names, addresses, email addresses, electricity and gas bills, phone numbers and the first six and last three digits of their credit cards are all included with those accounts.
October 24
Delaware's Department of Health and Social Services
Delaware's Department of Health and Social Services announced a data breach within its Division of Developmental Disabilities Services. The Division said a small number of users in their online records system may have had access to more than 7,000 sensitive patient records. The breach came when new users were added to the client record system, inadvertently giving them access to other client records.
October 20
Microsoft
Microsoft reported that some sensitive customer information was exposed by a misconfigured Microsoft server. According to Microsoft, the exposed information includes names, email addresses, email content, company name, and phone numbers.
October 20
iDeal Wine
iDealwine (France), informed its customers that their name, address, telephone number and email address may have been compromised.
October 20
Mexican Government
The Mexican government suffered a major cyber hack of data held by the armed forces, including details about President Andres Manuel Lopez Obrador's health problems.
According to media reports, the hack accessed six terabytes of data from the Defense Ministry, including information about criminal figures, transcripts of communications, and the monitoring of the U.S. ambassador to Mexico, Ken Salazar.
October 20
Medibank
Hackers claimed to have stolen data from Medibank and have threatened to sell confidential customer information, including sensitive health conditions and credit card details.
October 20
Advocate Aurora Health (AAH)
Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients. The incident was caused by the improper use of Meta Pixel on AAH's websites, where patients log in and enter sensitive personal and medical information.
October 18
Keystone Health
Keystone Health of Pennsylvania recently notified patients of a cybersecurity incident; their subsequent investigation found an unauthorized party accessed between 7/28/22 & 8/9/22, exposing the personal data of nearly 250K patients, including names, Social Security numbers, and clinical information.
October 17
ofo
Australian online wine dealer, Vinomofo, is the latest to be targeted by a cyber-attack. Exposed in this attack are roughly 500K customer names, dates of birth, addresses, email addresses, & phone numbers.
October 16
Snap / Elevate
Messaging app Snap reported a data breach at a third-party document analysis firm, Elevate. Elevate notified Snap that an unauthorized party had accessed some of Elevate's computer systems in March 2022, resulting in the access of employee names, addresses, employment history, and compensation information. Reportedly, Snap is terminating its relationship with Elevate.
October 14
Woolworths / MyDeal
MyDeal.com.au, a subsidiary of the Woolworths Group, announced that data was exposed when its CRM system was compromised. The MyDeal breach exposed the data of Approximately 2.2 million customers.
October 13
Amerigroup Insurance Company
According to Amerigroup, the breach resulted in the names, addresses, Social Security numbers, and health insurance information. However, because Amerigroup has yet to post notice of the incident on its website or otherwise elaborate on the breach, the cause of the data breach remains unknown.
October 13
Medibank Group
Medibank Group, Australia's largest private health insurer, reported it was the target of a cyberattack. Preliminary investigations found no indication that data, including customers' information, had been compromised.
October 13
Singtel
Telecom goliath Singtel confirmed in a statement on Monday, that their consulting unit Dialog, was the victim of a hack
The breach potentially affected fewer than 20 clients and 1000 current Dialog employees as well as former employees.
October 11
BBRG TR, LLC
BBRG TR, LLC, and other related entities (BBRG Woburn, LLC, BBRG Waterfront, LLC, and BBRG Newport, LLC) reported that an unauthorized party accessed the companies' computer networks. The data accessed included names, Social Security numbers, driver's license numbers, passport numbers, credit or debit card information, financial account information, and health insurance information.
October 7
Ferrari
Ferrari, the Italian car manufacturer, denied being the victim of a cyber-attack after ransomware gang RansomEXX claimed it had placed 7GB of stolen company data.
There is currently no information on how or when the hack took place.
October 7
Toyota
On Friday, Toyota Motor Corp reported that 300K pieces of customer information, including email addresses and customer numbers, have been leaked.
October 7
META
Meta alerted 1M Facebook users their login info may have been compromised through malicious apps. The social media giant found 400 malicious apps devised to steal Facebook login credentials.
October 6
Massachusetts Mutual Life Insurance
Massachusetts Mutual Life Insurance Company reported a data breach to the Texas Attorney General after a hacker gained access to the names, addresses, Social Security numbers, driver's license numbers, state identification numbers, and financial account information belonging to customers.
October 5
G4S
Employees of Australian security firm G4S have been alerted after personal information – including tax file numbers, bank account information, and medical checks – was stolen in a ransomware attack.
October 4
Telstra
Australia's largest telecoms firm Telstra Corp Ltd (TLS.AX) said on Tuesday it had suffered what it called a small data breach, a disclosure that comes two weeks after its main rival Optus was left reeling by a massive cyberattack. Telstra, which has 18.8 million customer accounts equivalent to three-quarters of Australia's population, said an intrusion of a third-party organisation exposed some employee data dating back to 2017.
October 4
TD Bank
A group hackers believed to be part of a money mule scam, stole 600K from TD Bank in Brigantine, New Jersey.
October 3
CHI Health Systems
In a statement on Monday, CHI Health in Omaha reported that they are dealing with an “IT security incident” affecting electronic health records and other systems.
According to Taylor Miller of CommonSpirit Health, CHI’s parent company, CHI was the victim of the security incident impacting facilities across the country. She said some information technology systems have been taken offline as a “precautionary measure.”
October 1
Shangri-La Group
A Cash App data breach affecting 8.2 million customers was confirmed by parent company Block on April 4, 2022, via a report to the US Securities and Exchange Commission. The breach had occurred way back in December 2021, with customer names and brokerage account numbers among the information taken.
October 1
LAUSD (Los Angeles Unified School District)
Cybercriminals who targeted the Los Angeles Unified School District, the second largest in the nation, with a ransomware attack have released some of the hacked data online, according to a tweet from LAUSD Superintendent Alberto M. Carvalho.
"Unfortunately, as expected, data was recently released by a criminal organization," the tweet read. "In partnership with law enforcement, our experts are analyzing the full extent of this data release."
September 2022
September 30
Fast Company
Hackers Sent Offensive And Racist Push Notifications to Users
This week, an unknown hacker compromised the business magazine Fast Company and sent racist and sexual push notifications to Apple News users.
September 22
Wolfe Eye Clinic
Iowa-based Wolfe Clinic (a member of Eye Care Leaders (ECL)) submitted a breach report to HHS stating that the third-party breach impacted 542,776 individuals connected to Wolfe.
In December 2021, Eye Care Leaders suffered a hack to its myCare Integrity system. Since ECL began notifying impacted organizations in March, more than two dozen organizations have submitted individual breach reports to OCR. The collection of breach notifications made the ECL breach one of the largest reported breaches of 2022.
September 22
Berry, Dunn, McNeil & Parker, LLC
Berry, Dunn, McNeil & Parker, LLC confirmed that the company experienced a data breach after an unauthorized party accessed sensitive consumer data through a compromised employee email account.
Based on state reporting requirements, it's likely that the breach involved consumers' names, Social Security numbers, driver's license numbers, state identification numbers, health information &r financial account information.
September 22
2K Games
2K, the publisher of numerous video game series, including Borderlands, Civilization, and Bioshock, has warned customers that an unknown actor recently gained unauthorized access to its help desk platform. 2K's notice states, "Please do not open any emails or click on any links that you receive from the 2K Games support account."
September 22
U-Haul
U-Haul disclosed a data breach that exposed more than 2M clients' customer data over five months. U-Haul's investigation concluded that the hackers accessed customers' information between November 5, 2021, and April 5, 2022.
The Phoenix, Arizona-based transport and storage company disclosed that the data breach allowed unauthorized access to rental contracts for U-Haul, including the customer names, driver's licenses, or state identification numbers.
September 22
New York Racing Association
New York Racing Association ("NYRA") confirmed that they experienced a data breach and filed a notice of breach with the Vermont Attorney General. The NYRA was the target of a Hive ransomware attack, which enabled the hackers to obtain access to certain information belonging to certain current and former NYRA employees. According to NYRA, the breach compromised first and last names, Social Security numbers, driver's license numbers, health records, health insurance, and other personal information.
September 22
Optus
Optus confirmed the data breach in a statement on Thursday afternoon, after The Australian revealed some nine million Aussies could be affected.
"Information exposed includes customers' names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's license or passport numbers."
September 20
American Airlines
The personal data of a "very small number" of American Airlines customers has been accessed by hackers after they broke into employee email accounts, the airline has said. Information accessed could have included customers' date of birth, driver's license, passport numbers, and even medical information, they added.
September 19
Kiwi Farms
Notorious trolling and doxing website Kiwi Farms – known for its vicious harassment campaigns that target trans people and non-binary people – has been hacked. According to site owner Josh Moon, whose administrator account was accessed, all users should “assume your password for the Kiwi Farms has been stolen”, “assume your email has been leaked”, as well as “any IP you've used on your Kiwi Farms account in the last month”.
September 19
Revolut
Revolut has suffered a cyberattack that facilitated an unauthorized third party accessing personal information pertaining to tens of thousands of the app's clients. 50,150 customers have reportedly been impacted. The State Data Protection Inspectorate in Lithuania, where Revolut holds a banking license, said that email addresses, full names, postal addresses, phone numbers, limited payment card data, and account data were likely exposed.
September 18
Rockstar
Games company Rockstar, the developer responsible for the Grand Theft Auto series, was victim of a hack which saw footage of its unreleased Grand Theft Auto VI game leaked by the hacker. In addition, the hacker also claims to have the game's source code, and is purportedly trying to sell it. The breach is thought to have been caused through social engineering, with the hacker gaining access to an employee's Slack account. The hacker also claims to be responsible for the Uber attack earlier in the month.
In a statement, Rockstar said: “We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.”
September 15
Uber
Uber's computer network has been breached, with several engineering and comms systems taken offline as the company investigates how the hack took place. Dubbed a “total compromise” by one researcher, email, cloud storage, and code repositories have already been sent to security firms and The New York Times by the perpetrator.
Uber employees found out their systems had been breached after the hacker broke into a staff member's slack account and sent out messages confirming they'd successfully compromised their network.
September 14
Fishpig
Ecommerce software developer Fishpig, which over 200,000 websites currently use, has informed customers that a distribution server breach has allowed threat actors to backdoor a number of customer systems. “We are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system” lead developer Ben Tideswell said of the incident.
September 7
North Face
Roughly 200,000 North Face accounts have been compromised in a credential stuffing attack on the company's website. These accounts included full names
purchase histories, billing addresses, shipping addresses, phone numbers, account holders' genders, and XPLR Pass reward records. No credit card information is stored on site. All account passwords have been reset, and account holders have been advised to change their passwords on other sites where they have used the same password credentials.
September 6
IHG/Holiday Inn
IHG released a statement saying they became aware of “unauthorized access” to its systems. The company is assessing the “nature, extent and impact of the incident”, with the full extent of the breach yet to be made clear.
September 3
TikTok
Rumors started circulating that TikTok had been breached after a Twitter user claimed to have stolen the social media site's internal backend source code. However, after inspecting the code, a number of security experts have dubbed the evidence “inconclusive”, including haveibeenpwned.com's Troy Hunt. Users commenting on YCombinator's Hacker News, on the other hand, suggested the data is from some sort of ecommerce application that integrates with TikTok. Responding to a request for comment from Bloomberg UK, a spokesperson for TikTok said that the company's “security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.”
September 2
Samsung
Samsung announced that they'd fallen victim to a “cybersecurity incident” when an unauthorized party gained access to their systems in July. In August, they learned some personal information was impacted, including names, contact information, demographics, birth dates as well as product registration information. Samsung is contacting everyone whose data was compromised during the breach via email.
August 2022
August 29
Nelnet Servicing
The personal information of 2.5 million people who took out student loans with the Oklahoma Student Loan Authority (OSLA) or EdFinancial has been exposed after threat actors breached Nelnet Servicing's systems. The systems were compromised in June, and the unauthorized party remained on the network until late July.
August 27
Facebook/Cambridge Analytica
Meta agreed on this date to settle a lawsuit that alleged Facebook illegally shared data of its users with the UK analysis firm Cambridge Analytica. The data was subsequently used by political campaigns in the UK and US during 2016, a year which saw Donald Trump become president and Britain leave the EU via referendum.
August 25
"We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected," DoorDash said in a blog post.
The delivery service went on to explain that "the information accessed by the unauthorized party primarily included [the] name, email address, delivery address and phone number" of a number of DoorDash customers, whilst other customers had their "basic order information and partial payment card information (i.e., the card type and last four digits of the card number)" accessed.
August 25
LastPass
The password manager disclosed to its customers that it was compromised by an "unauthorized party". The company assured customers that this took place in its development environment and that no customer details were at risk. A September update confirmed that LastPass's security measures prevented customer data from being breached. The company reminded customers that they do not have access to or store users' master passwords.
August 24
Plex
Client-server media streaming platform Plex is enforcing a password reset on all its user accounts after "suspicious activity" was detected on one of its databases. Reports suggest that usernames, emails, and encrypted passwords were accessed.
August 20
DESFA
Greece's largest natural gas distributor confirmed that a ransomware attack caused an IT system outage, and some files were accessed. However, a quick response from the organization's IT team – including deactivating online servers – meant minimal damage caused by the threat.
August 10
Cisco
Multi-national technology conglomerate Cisco confirmed that the Yanluowang ransomware gang had breached its corporate network after the group published data stolen during the breach online. Security experts have suggested the data is not of "great importance or sensitivity" and that the threat actors may instead be looking for credibility.
August 4
Twilio
Messaging behemoth Twilio confirmed on this date that hackers accessed the data of 125 customers after they tricked company employees into handing over their login credentials by masquerading as IT department workers.
July 2022
July 26
Uber
Uber Data Breach Cover-Up: Although this data breach actually took place way back in 2016 and was first revealed in November 2017, it took Uber until July 2022 to finally admit it had covered up an enormous data breach that impacted 57 million users, and even paid $100,000 to the hackers just to ensure it wasn't made public. The case will see Uber's former chief security officer, Joe Sullivan, stand trial for the breach – the first instance of an executive being brought to the dock for charges related to a data breach.
July 22
Twitter Data Breach: The first reports that Twitter had suffered a data breach concerning phone numbers and email addresses attached to 5.4 million accounts started to hit the headlines on this date, with the company confirming in August that the breach was indeed genuine. The vulnerability that facilitated the breach was known by Twitter at the turn of the year and had been patched by January 13, 2022, so data theft must have happened within that short window.
July 19
Neopets
Neopets Data Breach: On this date, a hacker going by the alias “TarTaX” put the source code and database for the popular game Neopet’s website up for sale on an online forum. The database contained account information for 69 million users, including names, email addresses, zip codes, genders, and dates of birth.
July 18
Cleartrip
Cleartrip Data Breach: Travel booking company Cleartrip – which is massively popular in India and majority-owned by Walmart – confirmed its systems had been breached after hackers claimed to have posted its data on an invite-only dark web forum. The full extent of the data captured from the company’s internal servers is unknown.
July 13
Infinity Rehab and Avamere Health Services
Infinity Rehab and Avamere Health Services Data Breach: The Department of Health and Human Services was notified by Infinity Rehab that 183,254 patients had had their personal data stolen. At the same time, Avamere Health Services informed the HHS that 197,730 patients had suffered a similar fate. Information stolen included names, addresses, driver’s license information, and more. On August 16, Washington’s MultiCare revealed that 18,165 more patients were affected in the same breach.
July 12
Deakin University
Australia's Deakin University confirmed on this date that it was the target of a successful cyberattack that saw the personal information of 46,980 students stolen, including recent exam results. Around 10,000 of the university's students received scam text messages shortly after the data breach occurred.
July 5
Marriot
The Hotel group – which is no stranger to a data breach – confirmed its second high-profile data breach of recent years had taken place in June, after a hacking group tricked an employee and subsequently gained computer access. According to databreaches.net, the group claimed to be in possession 20 GB of data stolen from the BWI Airport Marriott’s server in Maryland. Marriot would be notifying 300-400 individuals regarding the breach.
June 2022
June 29
OpenSea
NFT marketplace OpenSea – lost $1.7 million of NFTs in February to phishers – suffered a data breach after an employee of Customer.io, the company's email delivery vendor, "misused their employee access to download and share email addresses provided by OpenSea users… with an unauthorized external party". The company said that anyone with an email account they shared with OpenSea should "assume they are affected."
June 17
Flagstar Bank
1.5 million customers were reportedly affected in a data breach first noticed by the company on June 2, 2022. "We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident," a letter from Flagstar bank to affected customers read.
June 14
Baptist Medical Center and Resolute Health Hospital
The two health organizations – based in San Antonio and New Braunfels, respectively – disclosed that a data breach occurred between March 31 and April 24. Data lifted from its systems by an "unauthorized third party" included the social security numbers, insurance information, and patients' full names.
June 11
Choice Health Insurance
On this date, Choice Health Insurance started to notify customers of a data breach caused by "human error" after it realized an unauthorized individual offered to make data belonging to Choice Health available online. The data dump consisted of 600MB of data with 2,141,006 files with labels such as "Agents" and "Contacts."
June 7
Shields Health Care Group
Massachusetts-based healthcare company Shields was the victim of a data breach that affected 2,000,000 people across the United States. The breach was first discovered on March 28, 2022, and information such as Social Security numbers, Patient IDs, home addresses, and information about medical treatments was stolen.
May 2022
May 26
Verizon
A threat actor got their hands on a database full of names, email addresses, and phone numbers of a large number of Verizon employees in this Verizon data breach. Vice/Motherboard confirmed these numbers were legitimate by ringing the numbers in the databases and establishing they currently (or used to) work at Verizon. According to Vice, the hacker infiltrated the system after convincing employees to give them remote access in a social engineering scam.
May 23
Texas Department of Transportation
According to databreaches.net, personal records belonging to over 7,000 individuals had been acquired by someone who hacked the Texas Dept. for Transportation.
May 20
Alameda Health System
Located in Oakland, California, Alameda Health System notified the Department of Health and Human Services that around 90,000 individuals had been affected by a data breach after suspicious activity was detected on some employee email accounts, which was later found to be an unauthorized third party.
May 17
National Registration Department of Malaysia
A group of hackers claimed to hold the personal details of 22.5 million Malaysians stolen from myIDENTITI API. This database lets government agencies like the National Registration Department access information about Malaysian citizens. The hackers were looking for $10,000 worth of Bitcoin for the data.
May 17
Cost Rican Government
In one of the most high-profile cyberattacks of the year, the Costa Rican government – which was forced to declare a state of emergency – was hacked by the Conti ransomware gang. Conti members breached the government's systems, stole highly valuable data, and demanded $20 million in payment to avoid leaking it. 90% of this data – amounting to around 670GB – was posted to a leak site on May 20.
May 7
SuperVPN, GeckoVPN, and ChatVPN
A breach involving several widely used VPN companies led to 21 million users having their information leaked on the dark web; full names, usernames, country names, billing details, email addresses, and randomly generated passwords strings were among the information available. Unfortunately, this is not the first time supposedly privacy-enhancing VPNs have made the headlines for a data breach.
April 2022
April 4
Cash App
A Cash App data breach affecting 8.2 million customers was confirmed by parent company Block on April 4, 2022, via a report to the US Securities and Exchange Commission. The breach had occurred way back in December 2021, with customer names and brokerage account numbers among the information taken.
April 4
Emma Sleep
Customer credit card information was skimmed using a “Magecart attack.” “This was a sophisticated, targeted cyber-attack on the checkout process on our website, and personal information entered, including credit card data, may have been stolen,” an email to customers read.
March 2022
March 30
Apple & Meta
According to Bloomberg, in late March, two of the world’s largest tech companies were caught out by hackers pretending to be law enforcement officials. Apple and Meta provided the threat actors with customer addresses, phone numbers, and IP addresses in mid-2021. The hackers had already gained access to police systems to send out fraudulent demands for the data. Some of the hackers were thought to be members of the Lapsus$ hacking group, who reportedly stole the Galaxy source code from Samsung earlier in the month.
March 26
US Department of Education
It was revealed that 820,000 students in New York had their data stolen in January 2022, with demographic data, academic information, and economic profiles all accessed. Chancellor David Banks blamed software company Illuminate Education for the incident.
March 24
Texas Department of Insurance
The state agency confirmed on March 24 that it had become aware of a “data security event” in January 2022, which had been ongoing for around three years. “Types of information that may have been accessible”, the TDI said in a statement in March, included “names, addresses, dates of birth, phone numbers, parts or all of Social Security numbers, and information about injuries and workers’ compensation claims. 1.8 million Texans are thought to have been affected.
March 18
Morgan Stanley Client
US investment bank Morgan Stanley disclosed that a number of clients had their accounts breached in a Vishing (voice phishing) attack in February 2022, in which the attacker claimed to be a representative of the bank in order to breach accounts and initiate payments to their own account. This was, however, not the fault of Morgan Stanley, who confirmed its systems “remained secure”.
Feburary 2022
February 25
Nvidia
Chipmaker Nvidia confirmed in late February that it was investigating a potential cyberattack. In the breach, Nvidias' leaked information of more than 71,000 employees. Hacking group Lapsus$ claimed responsibility for the intrusion into Nvidia's systems.
February 20
Credit Suisse
Although this is technically a "data leak," it was orchestrated by a whistleblower against the company's wishes and one of the more significant exposures of customer data this year. Information relating to 18,000 Credit Suisse accounts was handed over to German publication Süddeutsche Zeitung, and showed the Swiss company had a number of high-profile criminals on their books. The incident kickstarted a fresh conversation about the immorality of Switzerland's banking secrecy laws.
January 2022
January 20
Crypto.com
On January 20, 2022, Crypto.com made the headlines after a data breach led to funds being lifted from 483 accounts. Roughly $30 million is thought to have been stolen, despite Crypto.com initially suggesting no customer funds had been lost.
January 19
Red Cross
More than 515,000 “extremely vulnerable” people, some of whom were fleeing from warzones, had been seized by hackers via a complex cyberattack. The data was lifted from at least 60 Red Cross and Red Crescent societies across the globe via a third-party company that the organization uses to store data.
January 6
Flexbooker
Data breach tracking site HaveIBeenPwned.com revealed on Twitter that 3.7 million accounts had been breached in the month prior. Flexbooker only confirmed that customer names, phone numbers, and addresses were stolen, but HaveIBeenPwned.com said “partial credit card data” was also included. Interestingly, 69% of the accounts were already in the website’s database, presumably from previous breaches.