2022 Data Breaches 

November 2022

November 22

The Smith Family 

Children's charity, The Smith Family,  has become the latest major Australian organization to fall victim to a cyberattack, with hackers gaining access to its donors' confidential information, including credit card details.
The charity on Tuesday confirmed it detected a data breach in October, in which a hacker got into a staff member's email and stopped an attempt to steal the charity's funds. But after digital investigators completed an investigation last week, they found that files with donor names, addresses, and contact information were in the inbox along with the partial credit card data.

November 21

Commonwealth Care Alliance of California

Commonwealth Care Alliance of California ("CCA Health California") reported a data breach after an unauthorized party access files on the company's network containing sensitive information. According to CCA Health California, the breach resulted in the names, Social Security numbers, dates of birth, driver's license numbers and protected health information of certain people being compromised. 

November 21

Eagle Bank

Eagle Bank reported a data breach after an unauthorized party gained access to sensitive consumer information. According to Eagle Bank, the breach resulted in the names, Social Security numbers, financial account numbers and driver's license numbers of certain bank customers being compromised. 

November 21

The County of Tehama, California

The County of Tehama, California, reported that employees' personal information was compromised in a data breach. The investigation revealed that an unauthorized third party accessed the county's systems between November 18, 2021, and April 9, 2022. 
"The County of Tehama determined that information pertaining to certain current and former County of Tehama employees, recipients of services from the County of Tehama Department of Social Services, and other affiliated individuals was contained in one or more of those files," the county says. Compromised information included names, addresses, birth dates, Social Security numbers, driver's license numbers, and details about the services the impacted individuals might have received from the social services department.

November 21

Booz Allen Hamilton

US ​​management and information technology consulting firm Booz Allen Hamilton suffered a data breach after a now-former employee downloaded a copy of an internal report that was improperly stored on an internal SharePoint site. TechCrunch explains that the report contained data on active employees as of March 29, 2021, containing the personal data of tens of thousands of employees, many of whom are contracted to government, military, and intelligence agencies and hold high-level security clearances. 

November 20

AirAsia

Multiple reports from the cybersecurity world have noted that AirAsia may have become the latest victim of the Daixin ransomware group. The attack took place over two days earlier this month and has resulted in the leakage of personal data belonging to 5 million unique passengers as well as all of the group's employees.

November 18

The Rosewood Corporation 

The Rosewood Corporation reported a data breach after an unauthorized party accessed sensitive consumer information in the company’s possession. According to Rosewood, the breach resulted in the names, addresses, Social Security numbers, driver’s license numbers, government identification numbers, and health insurance information belonging to certain individuals being compromised. 

November 18

Christus Spohn Health System

According to a letter that Christus Spohn Health System sent its affected customers -- hackers obtained files from patients between April 9, and May 4 of 2022.

November 18

Community Health Network 

Community Health Network discovered that a data breach may have led to certain patient information being transmitted to web-tracking technology vendors.
Information that could have been transmitted, however, includes computer IP addresses; dates, times, or locations of scheduled appointments; health care provider information; type of appointment or procedure scheduled; communications that occurred through MyChart which could include first and last name and medical record numbers; information about insurance coverage and the names on MyChart accounts.

November 18

Sacramento County Correctional Health

Sacramento County Correctional Health reported that for nearly five months, thousands of their patients had their information exposed to the public internet in a data breach by a county contractor.

November 18

Uponor

Uponor reported a ransomware attack, that impacted its operations in Europe and North America. Based on the investigations, Uponor has evidence of a data breach affecting Uponor’s employee, customer, and other partners’ data. According to Uponor’s current knowledge, the breached data has not been published to the public domain.

November 18

NewYork-Presbyterian Hospital

NewYork-Presbyterian (NYP) Hospital notified approximately 12,000 patients of a breach that occurred in September 2022. The hospital received an alert of suspicious server activity on September 8, its notice to patients explained. Investigation revealed that the third-party had used a cloud-based, remote information technology customer support program to gain access to the laptops of several of its workforce members, copying and removing desktop files from some of the devices.

November 18

Innovative Service Technology Management Services

Innovative Service Technology Management Services, Inc. reported a data breach after the company experienced a ransomware attack targeting its computer system. According to IST Management, the breach resulted in the names, birth dates, Social Security numbers, driver’s license numbers, passport numbers, financial account information and medical billing information being compromised. 

November 18

Middletown Valley Bank

Middletown Valley Bank reported a data breach after the company discovered that an unauthorized party had gained access to files on the bank’s computer network containing sensitive consumer information: names, financial account numbers, Social Security numbers, driver’s license numbers, passport numbers, and other identifying information.

November 17

Old Point National Bank

Old Point National Bank reported a data breach after the company learned that an unauthorized party was able to access an employee’s email account that contained sensitive information belonging to certain bank customers. According to Old Point, the breach resulted in the names, driver’s license numbers and photos, Social Security numbers, and bank account numbers and balances being compromised. 

November 17

Sierra College

Sierra College reported a data breach after the school was the recent target of a ransomware attack. According to Sierra College, the breach resulted in the names, addresses, passport numbers, driver’s license numbers, Social Security numbers, financial account information, and medical information of certain students and employees being compromised.

November 17

Suffolk Police

The Suffolk Police force has suffered a data breach that led to information about sexual assault victims being posted online.  Hundreds of victims had their names, addresses, dates of birth and details of the alleged sexual offences committed published on the force website, according to the East Anglia Daily Times, which first reported the story.

November 16

Work Health Solutions

Work Health Solutions reported a data breach after an unauthorized party accessed an employee’s email account. According to WHS, the breach resulted in the full names, Social Security numbers, driver’s license numbers, health insurance information, and medical information being compromised. 

November 14

TransUnion

TransUnion filed a notice with the Massachusetts Attorney General regarding a data breach. According to that letter, an unauthorized party gained access to sensitive personal consumer data, including names, addresses, driver’s license numbers, financial data, and Social Security numbers.

November 14

Whoosh

The Russian scooter-sharing service Whoosh has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum.

November 13

Thales

Thales, the French defence and technology group confirmed to be aware that the ransomware group LockBit 3.0 claimed to have stolen some of its data.

November 12

Sobeys

Sobeys, the second-largest supermarket chain in Canada, was the victim of a ransomware attack conducted by the Black Basta gang.

According to the media, who shared the experience of customers and employees, it is still possible to shop at the stores, but it was not possible to process gift cards and refill prescriptions.

November 10

Louisiana Corrections Department

The Louisiana Department of Public Safety and Corrections reported a third-party data breach that impacted 85,466 inmates who received offsite medical care during their incarceration between January 2013 and July 2022.
The breach originated at CorrectCare, a third-party health administrator under contract with the department to process medical claims. The compromised file included names, birth dates, Social Security numbers, DOC IDs, and diagnosis codes. The breach did not impact the department’s EHR system.

November 7

Camping World and Good Sam

CWGS Group, a holding company that does business under the name Camping World and Good Sam reported a data breach that exposed sensitive consumer information. According to Camping World, the breach resulted in the following consumer information being compromised: names, dates of birth, Social Security numbers, driver’s license numbers, government ID numbers, tax ID numbers, financial account numbers, debit & credit card numbers, digital & electronic signatures, and usernames & passwords. 

November 7

Medibank

Australian health insurer Medibank today confirmed that the data of 9.7 million customers was compromised in a recent cyberattack. The incident was identified on October 12, before threat actors could deploy file-encrypting ransomware, but not before they stole data from the company’s systems. Medibank, which immediately initiated an incident response and launched an investigation into the attack, could not determine whether customer data was compromised until contacted by the threat actor behind the data breach.

November 6

Victorian Government

PNORS Technology Group, which works with several state departments, including the Department of Education and Training, was targeted by hackers. The breach exposed medical records and answers for The School Entrant Health Questionnaire (SEHQ), which is completed by nearly all families in the state.

November 4

Convergent Outsourcing

Convergent Outsourcing, Inc. experienced a ransomware attack. According to Convergent Outsourcing, the breach resulted in the names, contact information, financial account numbers, and Social Security numbers being compromised. 

November 4

Salud Family Health

Salud Family Health reported a data breach that exposed patient names, Social Security numbers, driver’s license numbers or state identification card numbers, financial account information, credit card numbers, passport numbers, medical treatment and diagnosis information, health insurance information, biometric data, and usernames and passwords. 

November 4

St. Luke’s Health

St. Luke’s Health notified 16,906 individuals of a third-party data breach that impacted Adelanto Healthcare Ventures (AHCV), a consulting services vendor. 
AHCV determined that the compromised email accounts contained St. Luke’s Health protected health information, including names, birth dates, addresses, Social Security numbers, dates of service, Medicaid numbers, medical record numbers, and limited clinical data.

November 4

Ethos Group

Ethos Group announced that the company recently experienced a data breach impacting the security of consumer information stored on its computer systems. 
Ethos determined that an unauthorized party had gained access to the company’s computer system and accessed files containing Social Security numbers, financial account information, protected health information, or government identification numbers.

November 3

WakeMed Health and Hospitals

WakeMed notified more than 495,000 individuals that their information was involved in the breach. Meta and a variety of health systems are facing scrutiny over the use of tracking pixels on hospital websites. Tracking pixels are typically used for targeted marketing and tracking user activity, but in the case of numerous hospitals, the pixel was found on password-protected patient portals.

November 3

Dropbox

Cloud storage company Dropbox has suffered a data breach after a phishing attack targeted its employees. The attack, which took place on October 14, saw a malicious actor pose as code integration and delivery platform CircleCI in order to harvest login credentials and authentication codes from employees and gain access to Dropbox's account on code repository site GitHub, as CircleCI login information can be used to access Github. 

November 3

Harcourts Melbourne 

Harcourts reported that it suffered a data breach exposing customers' names, addresses, and bank details to hackers. According to the email, an unknown third party had accessed the company's rental property database.  Harcourts said the data breach stemmed from its software service provider Stafflink, where the account of one of Stafflink's employees was allegedly compromised and made accessible to third parties.

November 3

Vodafone Italy 

Vodafone Italia reported a data breach, informing that one of its commercial partners, FourB S.p.A., who operates as a reseller of telecommunications services in the country, has suffered a cyberattack. According to the notice, the cyberattack resulted in the compromise of sensitive subscriber details. The exposed information includes subscription details, identity documents with sensitive data, and contact details.

November 3

OakBend Medical Center

OakBend Medical Center reported a data breach with the Attorney General of Texas after the company experienced what appears to have been a ransomware attack. According to OakBend, the breach resulted in the compromised names, contact information, Social Security numbers, and birth dates of current and former patients, employees, and other related parties. Recently, OakBend sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds. In all, an estimated 497,000 people were affected by the OakBend Medical Center data breach.

November 2

Pinnacle Claims Management

Pinnacle Claims Management, Inc. reported a data breach with the California Attorney General’s office after the company determined that an unauthorized party had accessed files containing sensitive consumer information. While PCMI has not yet publicly disclosed the data types that were leaked, based on the company’s business, it is likely that the compromised information consists of consumers’ protected health information and possibly their Social Security numbers. 

November 2

Multi-Color Corporation

Multi-Color Corporation, a major label printing firm, reported a  cyberattack that compromised the personal data of its current and former employees. After identifying unauthorized network access, they launched an investigation revealing the compromised data, including personnel files and benefits programs information. 

November 2

Louisiana Department of Public Safety

According to a press release, the Louisiana Department of Public Safety and Corrections has learned about a cybersecurity breach at a third-party health administrator that led to the exposure of health information of about 80,000 inmates over nine years.
The press release states that state and pre-trial inmates who received off-site medical care from the time frame of Jan. 1, 2013, to July 7, 2022, may have had their personal health information exposed.

November 1

Bed Bath & Beyond

Bed Bath & Beyond Inc reported a third party had improperly accessed its data through a phishing scam by accessing the hard drive of one of its employees.  They are reviewing the data accessed to determine whether the drives contained any sensitive or personally identifiable information.

November 1

U.S. Bank

U.S. Bank reported that the personal information of about 11K customers was accidentally shared by one of the bank's third-party vendors. The data accessed included names, Social Security numbers, closed account numbers, and outstanding balances. 

November 1

Twilio 

It was recently reported that the cloud communications company, Twilio was breached twice, not once, this past summer due to phishing attacks that combined led to the access of hundreds of customers' data.  In August, Twilio originally announced that its internal systems had been breached but in an update last week, Twilio said it and a forensic firm had conducted an "extensive investigation" into the August incident and confirmed the attack vector was indeed via compromised employees' credentials.

November 1

Shas Party Election Campaign 

The Shas party election campaign has reported that a hack exposed sensitive personal details of millions of citizens with the right to vote in the Israeli elections to be held this coming Tuesday. 
The breach was revealed following an anonymous leak received on the CyberCyber podcast of Ido Kenan and Noam Rotem. The breach was based on a known four-year-old weakness in an online system debugging tool, which could be easily exploited.

November 1

Australian Defence Force

Australian Defence Force confirms hackers have attacked an external IT provider used by military personnel and Defence department public servants. A spokeswoman for Defence Minister Richard Marles confirmed to NCA NewsWire a breach had taken place on the ForceNet service. 

November 1

Royal Mail 

Royal Mail has experienced a data breach where customers have seen the information of others users. 

V2verify Is The Key To Preventing Data Breaches

V2verify is the answer for preventing data breaches like these, but until they are no longer an issue, we want to provide you with tools and information to minimize your risk and exposure.  
 

Check to See If You're Information Is On the Dark Web

Check Have I Been Pawned to see if your personal information has been breached. 

What to Do If Your Data Is Breached

Major database breaches are a regular occurrence, meaning it’s not a matter of if you’ll get hit, but when. The good news is that being proactive when this happens can help prevent the headaches that come from the breach. 

V2verify Simplify Life Logo

October 2022

October 28

Michigan Medicine

 Michigan Medicine said Thursday that compromised employee email accounts may have exposed the health information of about 33,850 patients. The health system said in a press release that from August 15 through August 23, Michigan Medicine employees were targeted with a phishing scam through their email.

October 28

Australian Clinical Labs

Australian Clinical Labs reported its Medlab Pathology business suffered a data breach that affected about 223,000 accounts, marking corporate Australia's fourth major hack since September.

October 28

SeeTickets

Genshin Impact developer, HoYoverse has suffered a massive data breach. Over the weekend, huge batches of information were shared online that revealed details of new characters, quests, and events from version 3.3 until 3.8.

October 28

HoYoverse

Genshin Impact developer, HoYoverse has suffered a massive data breach. Over the weekend, huge batches of information were shared online that revealed details of new characters, quests, and events from version 3.3 until 3.8.

October 28

Australia Liberal Party

South Australian Police are investigating another major security breach - this time involving members of the state Liberal Party.

October 28

Personal Finance Society

Personal Finance Society (PFS) reported that their partner, Chartered Insurance Institute (CII) had their IT systems hacked, exposing customers personal data.

October 26

Radiology Associates of Albuquerque (RAA Imaging)

RAA Imaging discovered that an unauthorized party had accessed email accounts at differing times between December 22, 2020, and July 15, 2021, and that patient data was exposed. In October of 2022, RAA Imaging reported the hack to their patients and notified them that the information stolen in 2021 involved names, contact information, Social Security number, medical conditions, medical history, treatment information, patient account numbers, health insurance, and other PHI.

October 26

Choice Health Insurance

Choice Health Insurance, LLC filed reported a data breach after they company learned that data was taken from the company's servers, the breach included first and last names; Social Security numbers; Medicare beneficiary identification numbers; dates of birth; addresses and contact information.

October 26

Vivendi Ticketing US

Vivendi Ticketing US, LLC reported a data breach after an unauthorized party accessed consumer information. According to Vivendi, the breach included names, addresses credit card numbers and bank account numbers.

October 24

EnergyAustralia

EnergyAustralia, the electricity company, reported that 323 residential and small business customers were affected by unauthorized access to their online platform, My Account. Details including customer names, addresses, email addresses, electricity and gas bills, phone numbers and the first six and last three digits of their credit cards are all included with those accounts.

October 24

Delaware's Department of Health and Social Services

Delaware's Department of Health and Social Services announced a data breach within its Division of Developmental Disabilities Services. The Division said a small number of users in their online records system may have had access to more than 7,000 sensitive patient records. The breach came when new users were added to the client record system, inadvertently giving them access to other client records.

October 20

Microsoft

Microsoft reported that some sensitive customer information was exposed by a misconfigured Microsoft server. According to Microsoft, the exposed information includes names, email addresses, email content, company name, and phone numbers.

October 20

iDeal Wine

iDealwine (France), informed its customers that their name, address, telephone number and email address may have been compromised.

October 20

Mexican Government

The Mexican government suffered a major cyber hack of data held by the armed forces, including details about President Andres Manuel Lopez Obrador's health problems.
According to media reports, the hack accessed six terabytes of data from the Defense Ministry, including information about criminal figures, transcripts of communications, and the monitoring of the U.S. ambassador to Mexico, Ken Salazar.

October 20

Medibank

Hackers claimed to have stolen data from Medibank and have threatened to sell confidential customer information, including sensitive health conditions and credit card details.

October 20

Advocate Aurora Health (AAH)

Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients. The incident was caused by the improper use of Meta Pixel on AAH's websites, where patients log in and enter sensitive personal and medical information.

October 18

Keystone Health

Keystone Health of Pennsylvania recently notified patients of a cybersecurity incident; their subsequent investigation found an unauthorized party accessed between 7/28/22 & 8/9/22, exposing the personal data of nearly 250K patients, including names, Social Security numbers, and clinical information.

October 17

ofo

Australian online wine dealer, Vinomofo, is the latest to be targeted by a cyber-attack. Exposed in this attack are roughly 500K customer names, dates of birth, addresses, email addresses, & phone numbers.

October 16

Snap / Elevate

Messaging app Snap reported a data breach at a third-party document analysis firm, Elevate. Elevate notified Snap that an unauthorized party had accessed some of Elevate's computer systems in March 2022, resulting in the access of employee names, addresses, employment history, and compensation information. Reportedly, Snap is terminating its relationship with Elevate.

October 14

Woolworths / MyDeal

MyDeal.com.au, a subsidiary of the Woolworths Group, announced that data was exposed when its CRM system was compromised. The MyDeal breach exposed the data of Approximately 2.2 million customers.

October 13

Amerigroup Insurance Company

According to Amerigroup, the breach resulted in the names, addresses, Social Security numbers, and health insurance information. However, because Amerigroup has yet to post notice of the incident on its website or otherwise elaborate on the breach, the cause of the data breach remains unknown.

October 13

Medibank Group

Medibank Group, Australia's largest private health insurer, reported it was the target of a cyberattack. Preliminary investigations found no indication that data, including customers' information, had been compromised.

October 13

Singtel

Telecom goliath Singtel confirmed in a statement on Monday, that their consulting unit Dialog, was the victim of a hack
The breach potentially affected fewer than 20 clients and 1000 current Dialog employees as well as former employees.

October 11

BBRG TR, LLC

BBRG TR, LLC, and other related entities (BBRG Woburn, LLC, BBRG Waterfront, LLC, and BBRG Newport, LLC) reported that an unauthorized party accessed the companies' computer networks. The data accessed included names, Social Security numbers, driver's license numbers, passport numbers, credit or debit card information, financial account information, and health insurance information.

October 7

Ferrari

Ferrari, the Italian car manufacturer, denied being the victim of a cyber-attack after ransomware gang RansomEXX claimed it had placed 7GB of stolen company data.
There is currently no information on how or when the hack took place.

October 7 

Toyota

On Friday, Toyota Motor Corp reported that 300K pieces of customer information, including email addresses and customer numbers, have been leaked.

October 7 

META

Meta alerted 1M Facebook users their login info may have been compromised through malicious apps. The social media giant found 400 malicious apps devised to steal Facebook login credentials.

October 6

Massachusetts Mutual Life Insurance

Massachusetts Mutual Life Insurance Company reported a data breach to the Texas Attorney General after a hacker gained access to the names, addresses, Social Security numbers, driver's license numbers, state identification numbers, and financial account information belonging to customers.

October 5

G4S

Employees of Australian security firm G4S have been alerted after personal information – including tax file numbers, bank account information, and medical checks – was stolen in a ransomware attack.

October 4

Telstra
Australia's largest telecoms firm Telstra Corp Ltd (TLS.AX) said on Tuesday it had suffered what it called a small data breach, a disclosure that comes two weeks after its main rival Optus was left reeling by a massive cyberattack. Telstra, which has 18.8 million customer accounts equivalent to three-quarters of Australia's population, said an intrusion of a third-party organisation exposed some employee data dating back to 2017.

October 4 

TD Bank

A group hackers believed to be part of a money mule scam, stole 600K from TD Bank in Brigantine, New Jersey.

October 3 

CHI Health Systems

In a statement on Monday, CHI Health in Omaha reported that they are dealing with an “IT security incident” affecting electronic health records and other systems.

According to Taylor Miller of CommonSpirit Health, CHI’s parent company, CHI was the victim of the security incident impacting facilities across the country. She said some information technology systems have been taken offline as a “precautionary measure.”

October 1 

Shangri-La Group

 A Cash App data breach affecting 8.2 million customers was confirmed by parent company Block on April 4, 2022, via a report to the US Securities and Exchange Commission. The breach had occurred way back in December 2021, with customer names and brokerage account numbers among the information taken.

October 1 

LAUSD (Los Angeles Unified School District)

Cybercriminals who targeted the Los Angeles Unified School District, the second largest in the nation, with a ransomware attack have released some of the hacked data online, according to a tweet from LAUSD Superintendent Alberto M. Carvalho.

"Unfortunately, as expected, data was recently released by a criminal organization," the tweet read. "In partnership with law enforcement, our experts are analyzing the full extent of this data release."

September 2022

September 30

Fast Company

Hackers Sent Offensive And Racist Push Notifications to Users

This week, an unknown hacker compromised the business magazine Fast Company and sent racist and sexual push notifications to Apple News users. 

September 22

Wolfe Eye Clinic

Iowa-based Wolfe Clinic (a member of Eye Care Leaders (ECL)) submitted a breach report to HHS stating that the third-party breach impacted 542,776 individuals connected to Wolfe.

In December 2021, Eye Care Leaders suffered a hack to its myCare Integrity system. Since ECL began notifying impacted organizations in March, more than two dozen organizations have submitted individual breach reports to OCR. The collection of breach notifications made the ECL breach one of the largest reported breaches of 2022.

September 22

Berry, Dunn, McNeil & Parker, LLC 

Berry, Dunn, McNeil & Parker, LLC confirmed that the company experienced a data breach after an unauthorized party accessed sensitive consumer data through a compromised employee email account.

Based on state reporting requirements, it's likely that the breach involved consumers' names, Social Security numbers, driver's license numbers, state identification numbers, health information &r financial account information.

September 22

2K Games

2K, the publisher of numerous video game series, including Borderlands, Civilization, and Bioshock, has warned customers that an unknown actor recently gained unauthorized access to its help desk platform. 2K's notice states, "Please do not open any emails or click on any links that you receive from the 2K Games support account."

September 22

U-Haul

U-Haul disclosed a data breach that exposed more than 2M clients' customer data over five months. U-Haul's investigation concluded that the hackers accessed customers' information between November 5, 2021, and April 5, 2022.

The Phoenix, Arizona-based transport and storage company disclosed that the data breach allowed unauthorized access to rental contracts for U-Haul, including the customer names, driver's licenses, or state identification numbers.

September 22

New York Racing Association

New York Racing Association ("NYRA") confirmed that they experienced a data breach and filed a notice of breach with the Vermont Attorney General. The NYRA was the target of a Hive ransomware attack, which enabled the hackers to obtain access to certain information belonging to certain current and former NYRA employees. According to NYRA, the breach compromised first and last names, Social Security numbers, driver's license numbers, health records, health insurance, and other personal information.

September 22

Optus

Optus confirmed the data breach in a statement on Thursday afternoon, after The Australian revealed some nine million Aussies could be affected.

"Information exposed includes customers' names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's license or passport numbers."

September 20

American Airlines

The personal data of a "very small number" of American Airlines customers has been accessed by hackers after they broke into employee email accounts, the airline has said. Information accessed could have included customers' date of birth, driver's license, passport numbers, and even medical information, they added.

September 19

Kiwi Farms

Notorious trolling and doxing website Kiwi Farms – known for its vicious harassment campaigns that target trans people and non-binary people – has been hacked. According to site owner Josh Moon, whose administrator account was accessed, all users should “assume your password for the Kiwi Farms has been stolen”, “assume your email has been leaked”, as well as “any IP you've used on your Kiwi Farms account in the last month”.

September 19

Revolut 

Revolut has suffered a cyberattack that facilitated an unauthorized third party accessing personal information pertaining to tens of thousands of the app's clients. 50,150 customers have reportedly been impacted. The State Data Protection Inspectorate in Lithuania, where Revolut holds a banking license, said that email addresses, full names, postal addresses, phone numbers, limited payment card data, and account data were likely exposed.

September 18

Rockstar 

Games company Rockstar, the developer responsible for the Grand Theft Auto series, was victim of a hack which saw footage of its unreleased Grand Theft Auto VI game leaked by the hacker. In addition, the hacker also claims to have the game's source code, and is purportedly trying to sell it. The breach is thought to have been caused through social engineering, with the hacker gaining access to an employee's Slack account. The hacker also claims to be responsible for the Uber attack earlier in the month.
In a statement, Rockstar said: “We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.”

September 15

Uber 

Uber's computer network has been breached, with several engineering and comms systems taken offline as the company investigates how the hack took place. Dubbed a “total compromise” by one researcher, email, cloud storage, and code repositories have already been sent to security firms and The New York Times by the perpetrator.
Uber employees found out their systems had been breached after the hacker broke into a staff member's slack account and sent out messages confirming they'd successfully compromised their network.

September 14

Fishpig 

 Ecommerce software developer Fishpig, which over 200,000 websites currently use, has informed customers that a distribution server breach has allowed threat actors to backdoor a number of customer systems. “We are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system” lead developer Ben Tideswell said of the incident.

September 7

North Face

Roughly 200,000 North Face accounts have been compromised in a credential stuffing attack on the company's website. These accounts included full names

purchase histories, billing addresses, shipping addresses, phone numbers, account holders' genders, and XPLR Pass reward records. No credit card information is stored on site. All account passwords have been reset, and account holders have been advised to change their passwords on other sites where they have used the same password credentials.

September 6

IHG/Holiday Inn 

IHG released a statement saying they became aware of “unauthorized access” to its systems. The company is assessing the “nature, extent and impact of the incident”, with the full extent of the breach yet to be made clear.

September 3

TikTok 

Rumors started circulating that TikTok had been breached after a Twitter user claimed to have stolen the social media site's internal backend source code. However, after inspecting the code, a number of security experts have dubbed the evidence “inconclusive”, including haveibeenpwned.com's Troy Hunt. Users commenting on YCombinator's Hacker News, on the other hand, suggested the data is from some sort of ecommerce application that integrates with TikTok. Responding to a request for comment from Bloomberg UK, a spokesperson for TikTok said that the company's “security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.”

September 2

Samsung

Samsung announced that they'd fallen victim to a “cybersecurity incident” when an unauthorized party gained access to their systems in July. In August, they learned some personal information was impacted, including names, contact information, demographics, birth dates as well as product registration information. Samsung is contacting everyone whose data was compromised during the breach via email.

August 2022

August 29

Nelnet Servicing

The personal information of 2.5 million people who took out student loans with the Oklahoma Student Loan Authority (OSLA) or EdFinancial has been exposed after threat actors breached Nelnet Servicing's systems. The systems were compromised in June, and the unauthorized party remained on the network until late July.

August 27

Facebook/Cambridge Analytica

Meta agreed on this date to settle a lawsuit that alleged Facebook illegally shared data of its users with the UK analysis firm Cambridge Analytica. The data was subsequently used by political campaigns in the UK and US during 2016, a year which saw Donald Trump become president and Britain leave the EU via referendum.

August 25

DoorDash

"We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected," DoorDash said in a blog post.
The delivery service went on to explain that "the information accessed by the unauthorized party primarily included [the] name, email address, delivery address and phone number" of a number of DoorDash customers, whilst other customers had their "basic order information and partial payment card information (i.e., the card type and last four digits of the card number)" accessed.

August 25

LastPass

The password manager disclosed to its customers that it was compromised by an "unauthorized party". The company assured customers that this took place in its development environment and that no customer details were at risk. A September update confirmed that LastPass's security measures prevented customer data from being breached. The company reminded customers that they do not have access to or store users' master passwords.

August 24

Plex 

Client-server media streaming platform Plex is enforcing a password reset on all its user accounts after "suspicious activity" was detected on one of its databases. Reports suggest that usernames, emails, and encrypted passwords were accessed.

August 20

DESFA 

Greece's largest natural gas distributor confirmed that a ransomware attack caused an IT system outage, and some files were accessed. However, a quick response from the organization's IT team – including deactivating online servers – meant minimal damage caused by the threat.

August 10

Cisco 

Multi-national technology conglomerate Cisco confirmed that the Yanluowang ransomware gang had breached its corporate network after the group published data stolen during the breach online. Security experts have suggested the data is not of "great importance or sensitivity" and that the threat actors may instead be looking for credibility.

August 4

Twilio 

Messaging behemoth Twilio confirmed on this date that hackers accessed the data of 125 customers after they tricked company employees into handing over their login credentials by masquerading as IT department workers.

July 2022

July 26

Uber

Uber Data Breach Cover-Up: Although this data breach actually took place way back in 2016 and was first revealed in November 2017, it took Uber until July 2022 to finally admit it had covered up an enormous data breach that impacted 57 million users, and even paid $100,000 to the hackers just to ensure it wasn't made public. The case will see Uber's former chief security officer, Joe Sullivan, stand trial for the breach – the first instance of an executive being brought to the dock for charges related to a data breach.

July 22

Twitter 

Twitter Data Breach: The first reports that Twitter had suffered a data breach concerning phone numbers and email addresses attached to 5.4 million accounts started to hit the headlines on this date, with the company confirming in August that the breach was indeed genuine. The vulnerability that facilitated the breach was known by Twitter at the turn of the year and had been patched by January 13, 2022, so data theft must have happened within that short window.

July 19

Neopets

Neopets Data Breach: On this date, a hacker going by the alias “TarTaX” put the source code and database for the popular game Neopet’s website up for sale on an online forum. The database contained account information for 69 million users, including names, email addresses, zip codes, genders, and dates of birth.

July 18

Cleartrip 

Cleartrip Data Breach: Travel booking company Cleartrip – which is massively popular in India and majority-owned by Walmart – confirmed its systems had been breached after hackers claimed to have posted its data on an invite-only dark web forum. The full extent of the data captured from the company’s internal servers is unknown.

July 13

Infinity Rehab and Avamere Health Services

Infinity Rehab and Avamere Health Services Data Breach: The Department of Health and Human Services was notified by Infinity Rehab that 183,254 patients had had their personal data stolen. At the same time, Avamere Health Services informed the HHS that 197,730 patients had suffered a similar fate. Information stolen included names, addresses, driver’s license information, and more. On August 16, Washington’s MultiCare revealed that 18,165 more patients were affected in the same breach.

July 12

Deakin University 

Australia's Deakin University confirmed on this date that it was the target of a successful cyberattack that saw the personal information of 46,980 students stolen, including recent exam results. Around 10,000 of the university's students received scam text messages shortly after the data breach occurred.

July 5

Marriot

The Hotel group – which is no stranger to a data breach – confirmed its second high-profile data breach of recent years had taken place in June, after a hacking group tricked an employee and subsequently gained computer access. According to databreaches.net, the group claimed to be in possession 20 GB of data stolen from the BWI Airport Marriott’s server in Maryland. Marriot would be notifying 300-400 individuals regarding the breach.

June 2022

June 29

OpenSea 

NFT marketplace OpenSea –  lost $1.7 million of NFTs in February to phishers – suffered a data breach after an employee of Customer.io, the company's email delivery vendor, "misused their employee access to download and share email addresses provided by OpenSea users… with an unauthorized external party". The company said that anyone with an email account they shared with OpenSea should "assume they are affected."

June 17

Flagstar Bank 

1.5 million customers were reportedly affected in a data breach first noticed by the company on June 2, 2022. "We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident," a letter from Flagstar bank to affected customers read.

June 14

Baptist Medical Center and Resolute Health Hospital 

The two health organizations – based in San Antonio and New Braunfels, respectively – disclosed that a data breach occurred between March 31 and April 24. Data lifted from its systems by an "unauthorized third party" included the social security numbers, insurance information, and patients' full names.

June 11

Choice Health Insurance 

On this date, Choice Health Insurance started to notify customers of a data breach caused by "human error" after it realized an unauthorized individual offered to make data belonging to Choice Health available online. The data dump consisted of 600MB of data with 2,141,006 files with labels such as "Agents" and "Contacts."

June 7

Shields Health Care Group 

Massachusetts-based healthcare company Shields was the victim of a data breach that affected 2,000,000 people across the United States. The breach was first discovered on March 28, 2022, and information such as Social Security numbers, Patient IDs, home addresses, and information about medical treatments was stolen. 

May 2022

May 26

Verizon

A threat actor got their hands on a database full of names, email addresses, and phone numbers of a large number of Verizon employees in this Verizon data breach. Vice/Motherboard confirmed these numbers were legitimate by ringing the numbers in the databases and establishing they currently (or used to) work at Verizon. According to Vice, the hacker infiltrated the system after convincing employees to give them remote access in a social engineering scam.

May 23

Texas Department of Transportation

According to databreaches.net, personal records belonging to over 7,000 individuals had been acquired by someone who hacked the Texas Dept. for Transportation.

May 20

Alameda Health System

Located in Oakland, California, Alameda Health System notified the Department of Health and Human Services that around 90,000 individuals had been affected by a data breach after suspicious activity was detected on some employee email accounts, which was later found to be an unauthorized third party.

May 17

National Registration Department of Malaysia 

A group of hackers claimed to hold the personal details of 22.5 million Malaysians stolen from myIDENTITI API. This database lets government agencies like the National Registration Department access information about Malaysian citizens. The hackers were looking for $10,000 worth of Bitcoin for the data.

May 17

Cost Rican Government

In one of the most high-profile cyberattacks of the year, the Costa Rican government – which was forced to declare a state of emergency – was hacked by the Conti ransomware gang. Conti members breached the government's systems, stole highly valuable data, and demanded $20 million in payment to avoid leaking it. 90% of this data – amounting to around 670GB – was posted to a leak site on May 20.

May 7

SuperVPN, GeckoVPN, and ChatVPN 

A breach involving several widely used VPN companies led to 21 million users having their information leaked on the dark web; full names, usernames, country names, billing details, email addresses, and randomly generated passwords strings were among the information available. Unfortunately, this is not the first time supposedly privacy-enhancing VPNs have made the headlines for a data breach.

April 2022

April 4

Cash App 

 A Cash App data breach affecting 8.2 million customers was confirmed by parent company Block on April 4, 2022, via a report to the US Securities and Exchange Commission. The breach had occurred way back in December 2021, with customer names and brokerage account numbers among the information taken.

April 4

Emma Sleep 

Customer credit card information was skimmed using a “Magecart attack.” “This was a sophisticated, targeted cyber-attack on the checkout process on our website, and personal information entered, including credit card data, may have been stolen,” an email to customers read.

March 2022

March 30

Apple & Meta 

According to Bloomberg, in late March, two of the world’s largest tech companies were caught out by hackers pretending to be law enforcement officials. Apple and Meta provided the threat actors with customer addresses, phone numbers, and IP addresses in mid-2021. The hackers had already gained access to police systems to send out fraudulent demands for the data. Some of the hackers were thought to be members of the Lapsus$ hacking group, who reportedly stole the Galaxy source code from Samsung earlier in the month.

March 26

US Department of Education 

 It was revealed that 820,000 students in New York had their data stolen in January 2022, with demographic data, academic information, and economic profiles all accessed. Chancellor David Banks blamed software company Illuminate Education for the incident.

March 24

Texas Department of Insurance 

The state agency confirmed on March 24 that it had become aware of a “data security event” in January 2022, which had been ongoing for around three years. “Types of information that may have been accessible”, the TDI said in a statement in March, included “names, addresses, dates of birth, phone numbers, parts or all of Social Security numbers, and information about injuries and workers’ compensation claims. 1.8 million Texans are thought to have been affected.

March 18

Morgan Stanley Client 

US investment bank Morgan Stanley disclosed that a number of clients had their accounts breached in a Vishing (voice phishing) attack in February 2022, in which the attacker claimed to be a representative of the bank in order to breach accounts and initiate payments to their own account. This was, however, not the fault of Morgan Stanley, who confirmed its systems “remained secure”.

Feburary 2022

February 25

Nvidia

Chipmaker Nvidia confirmed in late February that it was investigating a potential cyberattack. In the breach, Nvidias' leaked information of more than 71,000 employees. Hacking group Lapsus$ claimed responsibility for the intrusion into Nvidia's systems.

February 20

Credit Suisse 

Although this is technically a "data leak," it was orchestrated by a whistleblower against the company's wishes and one of the more significant exposures of customer data this year. Information relating to 18,000 Credit Suisse accounts was handed over to German publication Süddeutsche Zeitung, and showed the Swiss company had a number of high-profile criminals on their books. The incident kickstarted a fresh conversation about the immorality of Switzerland's banking secrecy laws.

January 2022

January 20

Crypto.com

On January 20, 2022, Crypto.com made the headlines after a data breach led to funds being lifted from 483 accounts. Roughly $30 million is thought to have been stolen, despite Crypto.com initially suggesting no customer funds had been lost.

January 19

Red Cross

More than 515,000 “extremely vulnerable” people, some of whom were fleeing from warzones, had been seized by hackers via a complex cyberattack. The data was lifted from at least 60 Red Cross and Red Crescent societies across the globe via a third-party company that the organization uses to store data.

January 6

Flexbooker

Data breach tracking site HaveIBeenPwned.com revealed on Twitter that 3.7 million accounts had been breached in the month prior. Flexbooker only confirmed that customer names, phone numbers, and addresses were stolen, but HaveIBeenPwned.com said “partial credit card data” was also included. Interestingly, 69% of the accounts were already in the website’s database, presumably from previous breaches.