Another year has produced another batch of high-profile data breaches.
In a follow-up to SearchSecurity’s list of the 10 biggest breach disclosures for the first half of 2019, we have compiled a list of 10 more notable data breach disclosures from the second half of last year.
The details of these breaches vary widely in terms of how many users were affected as well as how long it took for a company to detect a breach; sometimes not long at all, like with Zynga, and sometimes several months, like with CafePress. The list of 2019 data breach disclosures also includes a variety of data types, along with some questionable approaches for informing affected customers and users.
Here’s a list of 10 more of the biggest data breach disclosures for the second half of 2019 (in alphabetical order):
- Capital One
A list of 2019 data breach disclosures wouldn’t be complete without Capital One. The financial services giant revealed on July 29 that it had determined an outside actor gained unauthorized access and obtained information affecting approximately 100 million individuals in the United States and 6 million in Canada. The main category of information stolen was consumer and small business credit card applications from 2005 through early 2019. This included names, addresses, ZIP codes, phone numbers, email addresses, dates of birth and self-reported income. Stolen data also included customer status data such as credit scores, balances, payment history and contact information, as well as various fragments of transaction data. The outside actor also obtained about 140,000 Social Security numbers for credit card customers and 80,000 linked bank account numbers for “secured credit card customers.” The alleged hacker was arrested and charged by the FBI and is awaiting trial.
- CafePress
CafePress, a custom merchandise and clothing company, was hacked in late February, resulting in the theft of 23 million email addresses as well as names, physical addresses, phone numbers and SHA-1 hashed passwords (SHA-1 is an outdated hash function that NIST officially deprecated in 2011). Have I Been Pwned (HIBP), a free service that allows users to check if their data has been exposed, became aware of the breach in early August, but CafePress did not inform customers of the breach, via email, until September. The company also posted a public disclosure of the breach on its website, but the notice was later removed for reasons unknown.
- DoorDash
Food delivery service DoorDash was breached on May 4, 2019, in an incident affecting 4.9 million users, including consumers, delivery people (Dashers) and merchants. It only affected users who joined prior to April 5, 2018, but for those who were affected, stolen data included profile information (names, email addresses, hashed and salted passwords, delivery addresses, phone numbers and order history), the last four digits of certain users’ payment cards, the last four digits of bank account numbers of Dashers and merchants, and the driver’s license numbers of approximately 100,000 Dashers.
“We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy,” the blog post announcing the breach said.
- LifeLabs
LifeLabs, a Toronto-based laboratory service provider, was breached in a cyberattack in late October that resulted in the theft of data on up to 15 million Canadian customers. Data potentially stolen includes names, addresses, email addresses, logins, passwords, dates of birth, health card numbers, gender, phone numbers, password security questions and lab test results, according to the company’s disclosure.
“There is information relating to approximately 15 million customers on the computer systems that were potentially accessed in this breach,” LifeLabs CEO Charles Brown said in a post on Dec. 17. “The vast majority of these customers are in B.C. and Ontario, with relatively few customers in other locations. In the case of lab test results, our investigations to date of these systems indicate that there are 85,000 impacted customers from 2016 or earlier located in Ontario; we will be working to notify these customers directly. Our investigation to date indicates any instance of health card information was from 2016 or earlier.”
- Lumin PDF
Lumin PDF, a cloud-based document management service, suffered a data breach in April 2019, but the incident was not made public until September, when the stolen data was shared on a dark web forum. The exposed data was added to HIBP, which confirmed that 15.5 million accounts had been affected. Lumin PDF confirmed the breach to media outlets, but the company did not post a public disclosure.
According to HIBP, the exposed data included names, genders, email addresses, spoken languages, bcrypt-hashed passwords, and more.
- Poshmark
Fashion marketplace Poshmark announced on Aug. 1 that an unauthorized third party had obtained user information for over 36 million users, including usernames, first and last names, gender, city, email addresses, bcrypt-hashed passwords, user IDs, size preferences, and other preferences for email and push notifications.
“We take the trust you have placed in us extremely seriously, and since learning of this incident, we’ve expanded our security measures even further. We’ve conducted an internal investigation, retained a leading security forensics firm, and have implemented enhanced security measures across all systems to help prevent this type of incident from happening in the future,” the official blog post announcing the breach said.
Initially, Poshmark recommended that all users change their account passwords, but on Sept. 9 the company issued a forced password reset.
- StockX
In May, StockX, a fashion trading platform, experienced a data breach that exposed nearly 7 million unique email addresses as well as physical addresses, purchases, names, hashed passwords and more. On Aug. 1, the company sent a forced password reset email for what it called “system updates.” However, TechCrunch revealed the next day that the password reset was in response to a data breach. On Aug. 8, the company sent an email to customers confirming the breach. In addition to the password reset, StockX said it upgraded the encryption it uses for customer passwords (though it didn’t say how) and offered a year of free fraud detection and identity theft protection services.
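Several entries above turn on how passwords were stored: CafePress held unsalted SHA-1 digests, DoorDash, Lumin PDF and Poshmark held salted or bcrypt hashes, and StockX and Poshmark answered their breaches with a stronger scheme plus a forced reset. The example below is added here to illustrate those three points and is not code from any of the companies named; the user records, the candidate list and the PBKDF2 iteration count are constructed assumptions. It shows why one precomputed table resolves every unsalted SHA-1 digest at once, how a per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the standard library, standing in for bcrypt) removes that property, how legacy hashes can be upgraded transparently at the next successful login, and how a store is flagged for a forced reset.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data for this example; not real breach records.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

# Assumption: iteration count chosen for this illustration; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def sha1_unsalted(password: str) -> str:
    """Legacy scheme from the CafePress entry: one plain SHA-1 digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def precompute_table(candidates):
    """Without a salt, equal passwords give equal digests, so a table built once
    from a candidate list answers for every user in the store."""
    return {sha1_unsalted(p): p for p in candidates}


def recovered_from_legacy(stored_digests, table) -> int:
    """How many legacy digests a single precomputed table resolves (a risk metric
    a defender can run against their own export before an attacker does)."""
    return sum(1 for d in stored_digests if d in table)


@dataclass
class PasswordRecord:
    scheme: str        # "sha1" (legacy, unsalted) or "pbkdf2" (salted, slow)
    salt: bytes
    digest: bytes
    needs_reset: bool = False


def hash_pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_record(password: str) -> PasswordRecord:
    """Hardened storage: fresh random salt per user, so identical passwords differ."""
    salt = os.urandom(16)
    return PasswordRecord("pbkdf2", salt, hash_pbkdf2(password, salt))


def legacy_record(password: str) -> PasswordRecord:
    """Builds a record in the legacy shape, for migration demonstrations only."""
    return PasswordRecord("sha1", b"", bytes.fromhex(sha1_unsalted(password)))


def verify_and_upgrade(record: PasswordRecord, password: str) -> bool:
    """Verify a login; on success against a legacy SHA-1 record, re-hash in place
    with PBKDF2 so the plaintext is never needed again for the upgrade."""
    if record.scheme == "sha1":
        ok = hmac.compare_digest(record.digest, bytes.fromhex(sha1_unsalted(password)))
        if ok:
            upgraded = new_record(password)
            record.scheme, record.salt, record.digest = (
                upgraded.scheme, upgraded.salt, upgraded.digest)
        return ok
    return hmac.compare_digest(record.digest, hash_pbkdf2(password, record.salt))


def force_reset(records) -> int:
    """Post-breach response as in the StockX and Poshmark entries: every account
    must set a new password before its next login. Returns the count flagged."""
    for r in records:
        r.needs_reset = True
    return len(records)


if __name__ == "__main__":
    table = precompute_table(COMMON_PASSWORDS)
    stored = [sha1_unsalted(p) for p in ["password", "qwerty", "Tr0ub4dor&3"]]
    print("legacy digests resolved by one table:", recovered_from_legacy(stored, table))
    rec = legacy_record("letmein")
    print("login ok:", verify_and_upgrade(rec, "letmein"), "scheme now:", rec.scheme)
    print("accounts flagged for reset:", force_reset([rec, new_record("hunter2")]))
```

The upgrade-on-login path only helps users who sign in before the legacy column is abandoned; the forced reset is what closes the window for everyone else, which is why the two measures appear together in the disclosures above.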
- T-Mobile
In November, T-Mobile confirmed a data breach that affected more than one million of its customers. For these customers, a malicious actor stole data including name, billing address, phone number, account number, and other information related to a customer’s rate plan and calling features. “Rate plan and features of your voice calling service are ‘customer proprietary network information’ (“CPNI”) under FCC rules, which require we provide you notice of this incident,” T-Mobile wrote in its disclosure. It is unclear whether T-Mobile would have informed customers of the data breach otherwise. The company said no financial data, Social Security numbers or passwords were compromised.
- ToonDoo
ToonDoo, a comic strip creation website, became aware of a breach on Nov. 11 that involved the usernames, passwords, email addresses and gender of over 6 million users, and in “a few instances,” the IP address used to sign up for a ToonDoo account. In response, the site shut down permanently. The homepage now says “Adios,” with information about the breach, the site’s closure and what users can do to protect themselves.
“On November 11, 2019,” the site reads, “as soon as we discovered that ToonDoo user information had been compromised, JAMBAV, Inc. [the parent company of ToonDoo] immediately shut down the website. An independent forensics company to investigate the nature and extent of the breach is in the process to be engaged. We have filed a complaint with the U.S. Federal Bureau of Investigation (‘FBI’), are otherwise engaging with law enforcement authorities, and will cooperate and assist in any of their investigation activities.”
- Zynga
In early September, the popular mobile game Words with Friends was breached, with data stolen from nearly 220 million players of the Zynga-published game. According to Gnosticplayers, the hacker who claimed responsibility, they accessed a database that included Android and iOS player data of those who installed the game before Sept. 2. Stolen user information included names, email addresses, login IDs, passwords, phone numbers, Facebook IDs and Zynga account IDs. The hacker also claimed to have accessed other Zynga-developed games, including Draw Something and OMGPOP (now discontinued). On Sept. 12, Zynga confirmed that a breach had occurred, saying it had notified law enforcement and taken steps to protect accounts, including requiring some users to change their passwords.