The 10 Biggest Data Breaches Of 2017 (So Far)
The Year In Breaches
Data breach activity continued to accelerate in the first half of 2017, with the number of breaches jumping 29 percent to 791, according to a report from Identity Theft Resource Center and CyberScout. This year has not only seen some familiar breach targets, including credit card information and Social Security numbers, but also attacks on third-party data aggregators and companies that could provide information for second-wave attacks. In this roundup, CRN has also included significant data exposures, as 2017 has seen a rising number of large security incidents due to misconfigured or poorly secured cloud servers (even if it's not clear whether the data had actually been breached). As we move through the latter half of 2017, take a look at some of the biggest data breaches and security incidents since January.
(For more on the "coolest" of 2017, check out "CRN's Tech Midyear In Review.")
10. Arby's
Fast food giant Arby's announced in February that it had been hit by a security breach as a result of malicious software installed on the company's point-of-sale systems. The company said the incident affected around 1,000 of its 3,300 locations across the country, primarily in its corporate stores (Franchised locations didn't appear to be impacted.). Stolen information included credit card and debit data used at the stores between Oct. 25, 2016 and Jan. 19, 2017. Arby's said it has since removed the malicious software from its POS systems and has engaged Mandiant and other security experts to investigate the incident.
9. OneLogin
OneLogic, a single-sign on and identity and access management company, announced in June that it had been breached. The company said a hacker had gained access to a set of AWS keys, which allowed them to access several instances of the company's infrastructure through the AWS API. The company said it shut down the database activity and the keys. And it advised customers to take steps beyond the usual password reset, including generating new API keys, OAuth tokens, security certificates and credentials, and having end users update passwords.
8. E-Sports Entertainment Association
Video gamers had their information exposed in January, as the E-Sports Entertainment Association (ESEA) announced it had been hacked in December. The hack compromised a database that included information on 1.5 million subscribers to the competitive video gaming community. Information exposed included registration dates, locations, last logins, user names, first and last names, email addresses, dates of birth, zip codes, phone numbers, website URLs, Steam IDs, Xbox IDs, and PSN IDs. The breach announcement occurred after hackers reportedly demanded a ransom of at least $50,000 in order to keep silent about the attack. The company refused those demands.
7. Dow Jones & Co.
Dow Jones & Co. said in July that records on approximately 2.2 million subscribers were left exposed on an Amazon Web Services S3 server. Dow Jones owns multiple prominent publications, including the Wall Street Journal, Barron's magazine, and the Dow Jones news wire. Security researchers said the number of exposed records could reach as high as 4 million subscribers. While it's not clear if the records were accessed by a hacker, the records were exposed to public viewing by any AWS authenticated users. The database included customer names, internal Dow Jones customer IDs, home and business addresses, the last four digits of customer credit cards, and email addresses.
6. World Wrestling Entertainment
Wrestling fans had their personal information exposed in July, as a database containing information on more than 3 million subscribers was stored on an unprotected AWS S3 server. While there is no clear evidence that hackers accessed the data, it was stored in plain text without a user name or password and was accessible by anyone who could access the site. Data potentially exposed included names, educational backgrounds, earnings, ethnicity, home and email addresses, and age ranges of users' children. Security researchers also discovered a second WWE database that was also incorrectly secured with information on European fans. The WWE has since moved to properly secure the AWS S3 server, it said.
5. America's JobLink
Job seekers had their information exposed in March as America's JobLink revealed that around 4.8 million accounts had been breached by a hacker. The company said the hacker gained personal information on the subscribers, including full names, birthdates, and Social Security numbers. Account holders impacted had addresses in Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma, and Vermont. The company said the breach occurred due to a code misconfiguration made in October 2016. America's JobLink said it has since fixed the misconfiguration.
4. Kansas Department of Commerce
Personal information on more than 5.5 million people was accessed by hackers in a breach of a Kansas Department of Commerce database. The database is used by multiple websites to help people find jobs and includes data from people in more than 16 states. The exposed data includes Social Security numbers, as well as personal information on 850,000 additional accounts that did not include SSNs.
3. Verizon
Personal data on more than 14 million Verizon customers was reportedly exposed in July, in an incident that highlighted the importance of moving data protection practices to the cloud. The security lapse, first reported on ZDNet and discovered by research firm UpGuard, involved technology supplier Nice Systems, which left Verizon customer data unprotected on an Amazon Web Services S3 storage instance. The data contained names, phone numbers and PINs that could be used to access Verizon accounts. The report did not say if hackers had accessed the data, only that it was left exposed and easily accessible by guessing a simple URL that led to the improperly configured cloud drive.The report said the affected subscribers accounted for about 10 percent of Verizon's 108 million total subscribers. Those affected were primarily subscribers who called Verizon's customer services line in the last six months, the report said.
2. Dun & Bradstreet
A March breach at a commercial corporate database put the spotlight on risks posed by third-party vendors. Approximately 33.7 million unique email addresses and contact information were exposed as part of a leak of a 52-GB database owned by Dun & Bradstreet, according to a report in ZDNet. The database also contains names, job titles, job functions, work email addresses and phone numbers, as well as general corporate information. The database brings together information on corporations and their employees, to then be sold in bulk or in part to marketers or other companies for targeted sales campaigns. This leaked database, in particular, includes information on tens of thousands of employees at AT&T, Boeing, Dell, FedEx, IBM and Xerox, the report said. The database also includes extensive records on employees at a variety of government agencies, including more than 100,000 at the Department of Defense.
1. Republican National Committee Contractor
In June, security researchers at UpGuard discovered voting data on nearly 200 million people had been exposed. The data was exposed by a misconfigured database owned by the Republican National Committee-contracted marketing firm Deep Root Analytics and stored on a publicly accessible cloud server, hosted on Amazon Web Services' Simple Storage Service (S3). The data exposed, more than 1.1 terabytes, included personal information on more than 198 million American voters, including names, dates of birth, home addresses, phone numbers, and voter registration details. UpGuard said the data repository "lacked any protection against access" and could be downloaded by anyone with Internet access. While it's not clear if anyone accessed the data inappropriately, partners at the time said the incident shows the importance of having thorough cloud security measures.