2022 Data Breaches 

October 3 

CHI Health Systems

In a statement on Monday, CHI Health in Omaha reported that they are dealing with an “IT security incident” affecting electronic health records and other systems.
According to Taylor Miller of CommonSpirit Health, CHI’s parent company, CHI was the victim of the security incident impacting facilities across the country. She said some information technology systems have been taken offline as a “precautionary measure.”

October 1 

Fast Company

The luxury hotel, Shangri-La Group, announced on Friday that eight of its hotels had been hit by a data breach, targeting the personal information of tens of thousands of guests.

"We immediately engaged cyber forensic experts to investigate and contain the issue. The investigation revealed that between May and July 2022, a sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected, and illegally accessed the guest databases," Shangri-La Group said.

October 1 

LAUSD (Los Angeles Unified School Distric)

Cybercriminals who targeted the Los Angeles Unified School District, the second largest in the nation, with a ransomware attack have released some of the hacked data online, according to a tweet from LAUSD Superintendent Alberto M. Carvalho.

"Unfortunately, as expected, data was recently released by a criminal organization," the tweet read. "In partnership with law enforcement, our experts are analyzing the full extent of this data release."

 

October 2022

September 2022

September 30

Fast Company

This week, an unknown hacker compromised the business magazine Fast Company and sent racist and sexual push notifications to Apple News users. 

September 29

Swachh City

A threat actor, LeakBase, has shared a database containing personal information affecting 16M users of Swachh City, an Indian platform. Leaked details include usernames, email addresses, password hashes, mobile numbers, one-time passwords, last logged-in times, and IP addresses, according to a report by The Hacker News.

September 23

TAP

Portugal's flag carrier TAP told customers on Thursday that hackers had stolen some of their personal data and published it on the dark web, although the state-owned airline said all payment details appeared to be safe. TAP CEO Christine Ourmieres-Widener would not disclose the number of affected clients, which some local media have put at around 1.5 million.

September 22

Wolfe Eye Clinic
Iowa-based Wolfe Clinic (a member of Eye Care Leaders (ECL)) submitted a breach report to HHS stating that the third-party breach impacted 542,776 individuals connected to Wolfe.  In December 2021, Eye Care Leaders suffered a hack to its myCare Integrity system. Since ECL began notifying impacted organizations in March, more than two dozen organizations have submitted individual breach reports to OCR. The collection of breach notifications made the ECL breach one of the largest reported breaches of 2022.

September 22

Berry, Dunn, McNeil & Parker, LLC  
Berry, Dunn, McNeil & Parker, LLC confirmed that the company experienced a data breach after an unauthorized party accessed sensitive consumer data through a compromised employee email account. Based on state reporting requirements, it's likely that the breach involved consumers' names, Social Security numbers, driver's license numbers, state identification numbers, health information &r financial account information. 

September 22

2K Games
2K, the publisher of numerous video game series, including Borderlands, Civilization, and Bioshock, has warned customers that an unknown actor recently gained unauthorized access to its help desk platform. 2K's notice states, "Please do not open any emails or click on any links that you receive from the 2K Games support account."

September 22

U-Haul 
U-Haul disclosed a data breach that exposed more than 2M clients' customer data over five months. U-Haul's investigation concluded that the hackers accessed customers' information between November 5, 2021, and April 5, 2022.
The Phoenix, Arizona-based transport and storage company disclosed that the data breach allowed unauthorized access to rental contracts for U-Haul, including the customer names, driver's license, or state identification numbers.

September 22

New York Racing Association
New York Racing Association (“NYRA”) confirmed that they experienced a data breach and filed a notice of breach with the Vermont Attorney General. The NYRA was the target of a Hive ransomware attack, which enabled the hackers to obtain access to certain information belonging to certain current and former NYRA employees. According to NYRA, the breach compromised first and last names, Social Security numbers, driver’s license numbers, health records, health insurance, and other personal information.

September 22

Optus
Optus confirmed the data breach in a statement on Thursday afternoon, after The Australian revealed some nine million Aussies could be affected.
“Information exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers.”

September 20

American Airlines 
The personal data of a “very small number” of American Airlines customers has been accessed by hackers after they broke into employee email accounts, the airline has said. Information accessed could have included customers' date of birth, driver's license, passport numbers, and even medical information, they added.

September 19

Kiwi Farms
Notorious trolling and doxing website Kiwi Farms – known for its vicious harassment campaigns that target trans people and non-binary people – has been hacked. According to site owner Josh Moon, whose administrator account was accessed, all users should “assume your password for the Kiwi Farms has been stolen”, “assume your email has been leaked”, as well as “any IP you've used on your Kiwi Farms account in the last month”.

September 19

Revolut 
Revolut has suffered a cyberattack that facilitated an unauthorized third party accessing personal information pertaining to tens of thousands of the app's clients. 50,150 customers have reportedly been impacted. The State Data Protection Inspectorate in Lithuania, where Revolut holds a banking license, said that email addresses, full names, postal addresses, phone numbers, limited payment card data, and account data were likely exposed.

September 18

Rockstar
Games company Rockstar, the developer responsible for the Grand Theft Auto series, was victim of a hack which saw footage of its unreleased Grand Theft Auto VI game leaked by the hacker. In addition, the hacker also claims to have the game's source code, and is purportedly trying to sell it. The breach is thought to have been caused through social engineering, with the hacker gaining access to an employee's Slack account. The hacker also claims to be responsible for the Uber attack earlier in the month.
In a statement, Rockstar said: “We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.”

September 15

UBER 
Uber's computer network has been breached, with several engineering and comms systems taken offline as the company investigates how the hack took place. Dubbed a “total compromise” by one researcher, email, cloud storage, and code repositories have already been sent to security firms and The New York Times by the perpetrator.
Uber employees found out their systems had been breached after the hacker broke into a staff member's slack account and sent out messages confirming they'd successfully compromised their network.

September 14

FishPig
Ecommerce software developer Fishpig, which over 200,000 websites currently use, has informed customers that a distribution server breach has allowed threat actors to backdoor a number of customer systems. “We are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system” lead developer Ben Tideswell said of the incident.

September 7

NorthFace 
Roughly 200,000 North Face accounts have been compromised in a credential stuffing attack on the company's website. These accounts included full names
purchase histories, billing addresses, shipping addresses, phone numbers, account holders' genders, and XPLR Pass reward records. No credit card information is stored on site. All account passwords have been reset, and account holders have been advised to change their passwords on other sites where they have used the same password credentials.

September 6

IHG/Holiday Inn 
IHG released a statement saying they became aware of “unauthorized access” to its systems. The company is assessing the “nature, extent and impact of the incident”, with the full extent of the breach yet to be made clear.

September 3

TikTok 
Rumours started circulating that TikTok had been breached after a Twitter user claimed to have stolen the social media site's internal backend source code. However, after inspecting the code, a number of security experts have dubbed the evidence “inconclusive”, including haveibeenpwned.com's Troy Hunt. Users commenting on YCombinator's Hacker News, on the other hand, suggested the data is from some sort of ecommerce application that integrates with TikTok.
Responding to a request for comment from Bloomberg UK, a spokesperson for TikTok said that the company's “security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.”

September 2

Samsung
Samsung announced that they'd fallen victim to a “cybersecurity incident” when an unauthorized party gained access to their systems in July. In August, they learned some personal information was impacted, including names, contact information, demographics, birth dates as well as product registration information. Samsung is contacting everyone whose data was compromised during the breach via email.

V2verify Is The Key To Preventing Data Breaches

V2verify is the answer for preventing data breaches like these, but until they are no longer an issue, we want to provide you with tools and information to minimize your risk and exposure.  
 

Check to See If You're Information Is On the Dark Web

Check Have I Been Pawned to see if your personal information has been breached. 

What to Do If Your Data Is Breached

Major database breaches are a regular occurrence, meaning it’s not a matter of if you’ll get hit, but when. The good news is that being proactive when this happens can help prevent the headaches that come from the breach. 

V2verify Simplify Life Logo
 

August 27

Facebook/Cambridge Analytica
Meta agreed on this date to settle a lawsuit that alleged Facebook illegally shared data of its users with the UK analysis firm Cambridge Analytica. The data was subsequently used by political campaigns in the UK and US during 2016, a year which saw Donald Trump become president and Britain leave the EU via referendum.

August 25

DoorDash
"We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected," DoorDash said in a blog post.
The delivery service went on to explain that "the information accessed by the unauthorized party primarily included [the] name, email address, delivery address and phone number" of a number of DoorDash customers, whilst other customers had their "basic order information and partial payment card information (i.e., the card type and last four digits of the card number)" accessed.

August 25

LastPass
The password manager disclosed to its customers that it was compromised by an "unauthorized party". The company assured customers that this took place in its development environment and that no customer details were at risk. A September update confirmed that LastPass's security measures prevented customer data from being breached. The company reminded customers that they do not have access to or store users' master passwords.

August 24

Plex
Client-server media streaming platform Plex is enforcing a password reset on all its user accounts after "suspicious activity" was detected on one of its databases. Reports suggest that usernames, emails, and encrypted passwords were accessed.

August 20

DESFA 
Greece's largest natural gas distributor confirmed that a ransomware attack caused an IT system outage, and some files were accessed. However, a quick response from the organization's IT team – including deactivating online servers – meant minimal damage caused by the threat.

August 10

CiscoMulti-national technology conglomerate Cisco confirmed that the Yanluowang ransomware gang had breached its corporate network after the group published data stolen during the breach online. Security experts have suggested the data is not of "great importance or sensitivity" and that the threat actors may instead be looking for credibility.

August 4

Twilio Messaging behemoth Twilio confirmed on this date that hackers accessed the data of 125 customers after they tricked company employees into handing over their login credentials by masquerading as IT department workers.

August 29

Nelnet Servicing 
The personal information of 2.5 million people who took out student loans with the Oklahoma Student Loan Authority (OSLA) or EdFinancial has been exposed after threat actors breached Nelnet Servicing's systems. The systems were compromised in June, and the unauthorized party remained on the network until late July.

August 2022

July 22

Twitter  
The first reports that Twitter had suffered a data breach concerning phone numbers and email addresses attached to 5.4 million accounts started to hit the headlines on this date, with the company confirming in August that the breach was indeed genuine. The vulnerability that facilitated the breach was known by Twitter at the turn of the year and had been patched by January 13, 2022, so data theft must have happened within that short window.

July 19

Neopets 
A hacker going by the alias “TarTaX” put the source code and database for the popular game Neopet’s website up for sale on an online forum. The database contained account information for 69 million users, including names, email addresses, zip codes, genders, and dates of birth.

July 18

Cleartrip
 Travel booking company Cleartrip – which is massively popular in India and majority-owned by Walmart – confirmed its systems had been breached after hackers claimed to have posted its data on an invite-only dark web forum. The full extent of the data captured from the company’s internal servers is unknown.

July 13

Infinity Rehab and Avamere Health Services     
The Department of Health and Human Services was notified by Infinity Rehab that 183,254 patients had had their personal data stolen. At the same time, Avamere Health Services informed the HHS that 197,730 patients had suffered a similar fate. Information stolen included names, addresses, driver’s license information, and more. On August 16, Washington’s MultiCare revealed that 18,165 more patients were affected in the same breach.

July 12

Deakin University
Australia's Deakin University confirmed on this date that it was the target of a successful cyberattack that saw the personal information of 46,980 students stolen, including recent exam results. Around 10,000 of the university's students received scam text messages shortly after the data breach occurred.

July 5

Marriott  
The Hotel group – which is no stranger to a data breach – confirmed its second high-profile data breach of recent years had taken place in June, after a hacking group tricked an employee and subsequently gained computer access. According to databreaches.net, the group claimed to be in possession 20 GB of data stolen from the BWI Airport Marriott’s server in Maryland. Marriot would be notifying 300-400 individuals regarding the breach.

July 26

Uber
Although this data breach actually took place way back in 2016 and was first revealed in November 2017, it took Uber until July 2022 to finally admit it had covered up an enormous data breach that impacted 57 million users, and even paid $100,000 to the hackers just to ensure it wasn't made public. The case will see Uber's former chief security officer, Joe Sullivan, stand trial for the breach – the first instance of an executive being brought to the dock for charges related to a data breach.

July 2022

June 17

Flagstar Bank 
1.5 million customers were reportedly affected in a data breach first noticed by the company on June 2, 2022. "We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident," a letter from Flagstar bank to affected customers read.

June 14

Baptist Medical Center and Resolute Health Hospital  
The two health organizations – based in San Antonio and New Braunfels, respectively – disclosed that a data breach occurred between March 31 and April 24. Data lifted from its systems by an "unauthorized third party" included the social security numbers, insurance information, and patients' full names.

June 11

Choice Health Insurance 
Choice Health Insurance started to notify customers of a data breach caused by "human error" after it realized an unauthorized individual offered to make data belonging to Choice Health available online. The data dump consisted of 600MB of data with 2,141,006 files with labels such as "Agents" and "Contacts."

June 7

Shields Health Care Group 
Massachusetts-based healthcare company Shields was the victim of a data breach that affected 2,000,000 people across the United States. The breach was first discovered on March 28, 2022, and information such as Social Security numbers, Patient IDs, home addresses, and information about medical treatments was stolen. 

June 29

OpenSea 
NFT marketplace OpenSea –  lost $1.7 million of NFTs in February to phishers – suffered a data breach after an employee of Customer.io, the company's email delivery vendor, "misused their employee access to download and share email addresses provided by OpenSea users… with an unauthorized external party". The company said that anyone with an email account they shared with OpenSea should "assume they are affected."

June 2022

May 7

SuperVPN, GeckoVPN, and ChatVPN 
A breach involving several widely used VPN companies led to 21 million users having their information leaked on the dark web; full names, usernames, country names, billing details, email addresses, and randomly generated passwords strings were among the information available. Unfortunately, this is not the first time supposedly privacy-enhancing VPNs have made the headlines for a data breach

May 2022

May 26

Verizon 
A threat actor got their hands on a database full of names, email addresses, and phone numbers of a large number of Verizon employees in this Verizon data breach. Vice/Motherboard confirmed these numbers were legitimate by ringing the numbers in the databases and establishing they currently (or used to) work at Verizon. According to Vice, the hacker infiltrated the system after convincing employees to give them remote access in a social engineering scam.

May 23

Texas Department of Transportation
According to databreaches.net, personal records belonging to over 7,000 individuals had been acquired by someone who hacked the Texas Dept. for Transportation.

May 20

Alameda Health System 
Located in Oakland, California, Alameda Health System notified the Department of Health and Human Services that around 90,000 individuals had been affected by a data breach after suspicious activity was detected on some employee email accounts, which was later found to be an unauthorized third party.

May 17

National Registration Department of Malaysia 
A group of hackers claimed to hold the personal details of 22.5 million Malaysians stolen from myIDENTITI API. This database lets government agencies like the National Registration Department access information about Malaysian citizens. The hackers were looking for $10,000 worth of Bitcoin for the data.

May 17

Cost Rican Government
In one of the most high-profile cyberattacks of the year, the Costa Rican government – which was forced to declare a state of emergency – was hacked by the Conti ransomware gang. Conti members breached the government's systems, stole highly valuable data, and demanded $20 million in payment to avoid leaking it. 90% of this data – amounting to around 670GB – was posted to a leak site on May 20.

April 2022

April 4

Cash App
A Cash App data breach affecting 8.2 million customers was confirmed by parent company Block, via a report to the US Securities and Exchange Commission. The breach had occurred way back in December 2021, with customer names and brokerage account numbers among the information taken.

April 4

Emma Sleep
Customer credit card information was skimmed using a “Magecart attack.” “This was a sophisticated, targeted cyber-attack on the checkout process on our website, and personal information entered, including credit card data, may have been stolen,” an email to customers read.

March 2022

March 30

Apple & Meta 
According to Bloomberg, in late March, two of the world’s largest tech companies were caught out by hackers pretending to be law enforcement officials. Apple and Meta provided the threat actors with customer addresses, phone numbers, and IP addresses in mid-2021. The hackers had already gained access to police systems to send out fraudulent demands for the data. Some of the hackers were thought to be members of the Lapsus$ hacking group, who reportedly stole the Galaxy source code from Samsung earlier in the month.

March 26

US Department of Education 
820,000 students in New York had their data stolen in January 2022, with demographic data, academic information, and economic profiles all accessed. Chancellor David Banks blamed software company Illuminate Education for the incident.

March 24

Texas Department of Insurance

The state agency confirmed on March 24 that it had become aware of a “data security event” in January 2022, which had been ongoing for around three years. “Types of information that may have been accessible”, the TDI said in a statement in March, included “names, addresses, dates of birth, phone numbers, parts or all of Social Security numbers, and information about injuries and workers’ compensation claims. 1.8 million Texans are thought to have been affected.

March 18

Morgan Stanley 

US investment bank Morgan Stanley disclosed that a number of clients had their accounts breached in a Vishing (voice phishing) attack in February 2022, in which the attacker claimed to be a representative of the bank in order to breach accounts and initiate payments to their own account. This was, however, not the fault of Morgan Stanley, who confirmed its systems “remained secure”.

February 2022

February 25

Nvidia
Chipmaker Nvidia confirmed in late February that it was investigating a potential cyberattack. In the breach, Nvidias' leaked information of more than 71,000 employees. Hacking group Lapsus$ claimed responsibility for the intrusion into Nvidia's systems.

May 20

Alameda Health System 
Located in Oakland, California, Alameda Health System notified the Department of Health and Human Services that around 90,000 individuals had been affected by a data breach after suspicious activity was detected on some employee email accounts, which was later found to be an unauthorized third party.

January 6

Flexbooker 
Data breach tracking site HaveIBeenPwned.com revealed on Twitter that 3.7 million accounts had been breached in the month prior. Flexbooker only confirmed that customer names, phone numbers, and addresses were stolen, but HaveIBeenPwned.com said “partial credit card data” was also included. Interestingly, 69% of the accounts were already in the website’s database, presumably from previous breaches.

January 2022

January 20

Crypto.com
On January 20, 2022, Crypto.com made the headlines after a data breach led to funds being lifted from 483 accounts. Roughly $30 million is thought to have been stolen, despite Crypto.com initially suggesting no customer funds had been lost.

January 19

Red Cross
More than 515,000 “extremely vulnerable” people, some of whom were fleeing from warzones, had been seized by hackers via a complex cyberattack. The data was lifted from at least 60 Red Cross and Red Crescent societies across the globe via a third-party company that the organization uses to store data.