Information on this security breach is provided by the Office of the Indiana Attorney General
Los Angeles Times reports:
The nonprofit organization that operates Los Angeles County's social services hotline inadvertently exposed personal information that was stored online, according to county officials and a private security firm that discovered the vulnerability.
UpGuard, a cybersecurity firm based in Mountain View, Calif., said it notified the county in April that it discovered exposed Social Security numbers, addresses and sensitive notes about calls regarding mental health and abuse.
. . . .
It was not immediately clear whether any unauthorized people accessed the data, which was kept in a cloud storage repository maintained by 211 L.A. County, the nonprofit group that operates the county's 211 hotline.
. . . . .
Chris Vickery, director of UpGuard's cyberspace risk research team, said the information he discovered included names, email addresses and weakly encrypted passwords of users operating the 211 system, potentially opening them to attack. He said it was available for public download from an Amazon web server.
The data also contained records for 3.5 million calls and a substantial amount of personally identifiable information, Vickery said. That included 33,000 Social Security numbers, and in many cases full names and addresses — as well as detailed notes for 200,000 calls logged between 2010 and 2016.
In one example, the notes described an elderly woman with dementia who was allegedly being abused by her son. In another, they described a meth addict who said she was suicidal. A third example included details about a woman who suffered from paranoia and was on the verge of being evicted. The firm provided The Times with screen shots of redacted records to document its discovery.
On Dec. 16, 2017, Pension Fund learned that a password protected employee laptop had been stolen that contained personal information for 10981 records, including SS numbers, as well as credit card or financial account information.
Remote DBA Experts, LLC experienced a phishing attack that resulted in the exposure of 281 records. According to the breach notification letter they provided to the Indiana Office of Attorney General, "On January 17, 2018, an unauthorized individual impersonating an RDX executive emailed an RDX employee to request 2017 W-2 information for our employees. Before we determined that the request was fraudulent, the employee provided the data to the unauthorized third party. The data included your first name, last name, mailing address, Social Security number, and 2017 compensation and deduction information."
On 16/21/2017 Westminster Ingleside suffered a hack that affected 9769 records, including SS numbers, names, and credit card or financial account information.
On 9/21/2017 Valley of the Sun YMCA suffered a system breach (hack) that affected 2649 records, which included names as well as credit card or financial account information.
On October 27, 2017, SAY San Diego was notified by the County of San Diego Health & Human Services Agency (“HHSA”) that a citizen had returned some paper files to their office that were found in a filing cabinet purchased from a salvage store. The files were reviewed and assessed by our team on October 30, 2017 at which time we confirmed the documents in the files related to participants in SAY San Diego’s Dual Diagnosis youth program from January through June 2013. However, the files from March and April of 2013 were not returned, and have not been recovered to date. While we currently have no evidence that the information was subject to misuse, we have confirmed that the files contained the name, case number, dates and length of service, location of service, and provider name. The files did not contain any Social Security numbers, dates of birth, or Driver’s License numbers or financial account information.
On or about June 14, 2017, the YMCA became aware that an Excel spreadsheet containing personal information of certain YMCA employees was inadvertently sent over email to certain YMCA employees. Upon learning of the event, the YMCA immediately launched an investigation to determine its nature and scope, including remediating the incident with the assistance of the YMCA IT department.
What Information Was Involved?
While our investigation is ongoing, we determined the employee information contained in the Excel spreadsheet included: first and last name; Social Security number; address; date of birth; phone number; salary; former/maiden name; and disability code. This employee information was located in the second tab of a larger spreadsheet."
In mid-April, 2017, we discovered that an unauthorized individual had gained access to our network through an account with our security services provider. This unauthorized individual may have had access to certain systems that contained personal information of our donors. While our investigation is ongoing, we are providing this notice out of an abundance of caution to alert you to the incident because information about you was available through the affected system.
What Information Was Involved?
Information that may have been available includes names, contact information, donation amount and the checking and routing information displayed on your donation checks. While this information should not typically be sufficient to grant access to your accounts with your financial institutions, we place a high priority on the confidentiality of our donor information, and wanted to alert you to this incident so that you may be vigilant against phishing attempts or other fraudulent requests, and monitor your accounts for any suspicious activity."
"We are writing to inform you of an incident at International Code Council (“ICC”) that may have resulted in the disclosure of your name and payment card information. We take the security of your personal information very seriously, and sincerely apologize for any inconvenience this incident may cause. This letter contains information about steps you can take to protect yourself.
What happened and what information was involved: On December 16, 2016, we discovered an issue potentially impacting the processing of credit and debit card purchases made through our online store. We immediately took action to secure our system and conducted an investigation to determine what information may have been accessed. The independent forensics investigation, which took time, determined that customer payment card information, including name, address, and credit/debit card information may have been compromised between the dates April 25, 2016 – May 24, 2016, and July 11, 2016 - September 14, 2016. The security incident has been contained, and you may continue to use your credit and debit cards securely."
"LASOC developed the I-CAN! web application, which was previously used by individuals, as part of the IRS's Free File Program, to prepare and file tax forms at no cost to the filer. On October 31, 2016, LASOC became aware that certain completed tax forms from the 2007 and 2008 tax years had become temporarily accessible to the general public through a directed search on certain internet search engines. However, LASOC is unaware of any attempted or actual misuse of personal data contained within the tax forms that were temporarily accessible on the internet as a result of this incident.
What Information Was Involved? As part of the investigation into this incident, LASOC determined a tax form containing the following information about you, as provided by the filer, was temporarily accessible to the general public through a directed search on certain internet search engines: name and Social Security number."
More information: https://oag.ca.gov/system/files/Legal%20Aid%20Orange%20County%20NOTICE_0...?
"The California Environmental Health Tracking Program (CEHTP) of the Public Health Institute (PHI) became aware on August 4, 2016 that an electronic database containing email addresses and corresponding passwords for individual user accounts at one or more of the sites listed below was accessible on the internet without encryption or other security features for approximately 30 days."
The information compromised included email addresses and passwords.
More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64216
AspiraNet notified individuals of a data breach after a spoofing email went out on March 21, 2016. The spoofing email resulted in W-2 information being disclosed.
The information compromised included names, residential addresses, and Social Security numbers.
The company is providing ProtectMyID Elite for free for two years.
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60715
Community Catalysts of California notified customers of a data breach that may have compromised their information when a thumb drive was stolen from an employee's car.
The information included names, addresses, diagnosis, dates of birth, ages, genders and telephone numbers. They are claiming that no Social Security numbers, financial account numbers, medications or client identification numbers were compromised.
For those with questions, call Alesia Forte at (888) 344-1237 Monday through Friday from 8:30 a.m. through 5:00 p.m. Pacific Time.
More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58324
ICANN.org notified individuals of a data breach when they discovered unauthorized access to an external service provider. The non-profit believes that usernames/email addresses and encrypted passwords were compromised.
User profiles contain a user's preference for the website, public bio, individual interests, subscription to newsletters and other information.
They are requiring that all members change their password to the site. The password change can be accessed via this link: https://www.icann.org/users/password/new
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57383
Community Technology Alliance (CTA) is notifying individuals of a potential compromise of their personal information after an employee's laptop was stolen on July 28, 2014.
CTA is a non-profit organization that administers the Bay Area Homeless Management Information Systems (HMIS) and helps hundreds of partner agencies. The information in HMIS can include names and Social Security Numbers, and various other pieces of personal information.
Individuals who were receiving services from an HMIS Partner Agency in Santa Cruz, California are the ones at risk. The partner agencies include the following:
Community Action Board, Families in Transition, Homeless Services Center, Salvation Army of Watsonville, Pajaro Valley Shelter Services, Housing Authority of the County of Santa Cruz, Encompass, Front Street Housing, Inc., Mountain Community Resource Center, Catholic Charities, Veterans Resource Center, Santa Cruz County Office of Education, Santa Cruz County Health and Human Services Agency, Housing Services Center, Pajaro Rescue Mission, and New Life Community Services.
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46834
BayBio.org has notified individuals of a data breach of their online payment system. The non-profit organization reported that the hack of their payment system compromised credit card numbers in process.
The hacker inserted files that captured keystrokes of visitors to their site, which included credit card numbers when individuals were paying either for a membership or for an event being held by the non-profit. Payments are being taken by phone until the breach has been repaired.
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46727
Geekface LLC, which runs the online sites Hatchwise.com and eLogoContest.com, notified customers of a data breach of their server that compromised personal information.
The information breached included names, addresses, birth dates, usernames, passwords, and Social Security numbers.
Those with questions or needing further assistance can call 1-800-303-0911 between 10:00 a.m. and 5:00 p.m. EST Monday through Friday or visit hatchwise.com.
Central City Concern in Oregon suffered a data breach when unauthorized access resulted in the breach of clients' data.
"On April 2, 2014, a federal law enforcement official notified Central City Concern that a former Central City Concern employee has been accused of improperly copying information from approximately 15 Central City Concern clients from its Employment Access Center (EAC) program with the intent of processing fraudulent tax returns in their names".
The information breached included names, dates of birth, Social Security numbers, addresses, and health information of EAC clients.
Client inquiries regarding this incident may be directed to 866-778-1144, Monday through Friday from 6:00 AM to 6:00 PM Pacific Time.
The office of The Veterans Of Foreign Wars Of The United States notified members that an unauthorized party accessed VFW's webserver through the use of a trojan and malicious code. The hacker, thought to be in China, was able to download tables containing the names, addresses, and Social Security numbers of approximately 55,000 VFW members.
The motivation of the hacker, according to IT experts, was to gain access to information regarding military plans or contracts and not for purposes of identity theft, although they have not ruled that out.
VFW is providing 12 months free of AllClearID. Members can call 1-855-398-6437 with any questions. A security code must be provided and was provided in the letter sent to those affected.
Central City Concern, a non-profit in Portland, Oregon, notified individuals of a data breach that was perpetrated by an ex-employee of the agency. Federal law enforcement officers notified the non-profit that this former employee copied files from approximately 15 clients from its Access Center with the intention of filing fraudulent tax returns.
CCC began an investigation and has noted that this former employee may have accessed files from March 23, 2010 through May 24, 2013. The former employee stated to authorities that they had only copied 15 files. The non-profit has set up 12 months of free monitoring through Experian's ProtectMyID Alert. Those affected who have questions for the agency are asked to call 1-866-778-1144 Monday through Friday, 6:00 a.m. to 6:00 p.m.
A cyber attack caused the information of clients associated with the L.A. Gay and Lesbian Center to be affected between September 17, 2013 and November 8, 2013. Names, Social Security numbers, credit card information, dates of birth, contact information, medical information, and health insurance account numbers may have been exposed.
Group Health member identification numbers and chronic conditions were accidentally printed on the outside of letters that were mailed on September 16. The issue was discovered on September 23.
The August 12 office burglary of 10 laptops resulted in the exposure of client information. The laptops were used by Legal Aid Society attorneys to assist individuals in getting services. Names, Social Security numbers, dates of birth, medical information, and health information may have been exposed.
The July 27 or 28 office theft of an unencrypted laptop resulted in the exposure of current and former employee information. Names, Social Security numbers, dates of birth, and employee ID numbers were exposed.
A Chinese national who worked as a contractor for the National Institute of Aerospace had access to NASA's Langley Research Center. He was caught boarding a plane with two external hard drives, two laptops, a memory stick, and a SIM card on March 16. He originally did not reveal the second laptop, hard drive, and SIM card when detained. The information he was attempting to steal was not revealed.
Central Hudson learned of a cyber attack that occurred over President's Day weekend. Customers were notified the day after the holiday and encouraged to monitor their bank accounts and credit reports. Customer banking information and other personal information may have been accessed during the attack.
Information related to over 4,000 American bank executive accounts was exposed by hackers. Hackers placed an Alabama Criminal Justice Information Center spreadsheet with the login information, credentials, contact information, and IP addresses of bank executives online.
A concerned citizen investigated a pile of documents next to a dumpster. The documents contained names and Social Security numbers. A local news team responded to the story and contacted a representative from West Pittsburgh Partnership. West Pittsburgh Partnership began an investigation into how the job placement program documents dating back to 1992 were exposed.
Sensitive information from Southern Environmental Law Center was placed online. Credit card, medical, and donor information such as addresses, phone numbers, and client files were exposed. The data was accessible via Google search for an unspecified amount of time. Southern Environmental Law Center is warning people not to open emails about the security failure or click on any links in emails that appear to be from Southern Environmental Law Center.
A dishonest employee accessed and misused CHEERS client names, Social Security numbers, and birth dates. She, her sister, and her husband filed 180 tax returns under stolen identities and claimed over $1 million in tax refunds. The three face between three years and five years in prison.
An office burglary resulted in the exposure of personal information. Two or more laptops with donor information and a docking station were stolen.
An incident occurred on July 31 that may have caused sensitive health information to be exposed. The information was in the form of paper records that were exposed in some undisclosed way.
A July 25 office burglary resulted in the theft of at least 33 laptops and iPads. The personal information of an unspecified number of former employees may have been affected.
UPDATE (11/28/2012): The laptops contained employee names, Social Security numbers, addresses, dates of birth, passport numbers, credit card information, bank account numbers, and possibly life insurance dependent information. The IT department remotely locked access to the devices after discovering they had been stolen earlier in the same day.
A laptop stolen on or around September 2, 2012 contained current and former patient names, Social Security numbers, and other personal information. The laptop was taken from the car of a contractor or employee and may have also contained current and former patient mailing addresses, dates of birth, and medical information. Participants in about 50 different research studies that date back an unknown number of years were affected.
UPDATE (3/17/2016): Feinstein Institute for Medical Research was fined $3.9 million to settle HIPAA violations by the organization after a laptop containing personal information of individuals was stolen. The fine was in response to the organization's lack of, or incomplete, security management processes, which violates HIPAA.
ERIC began an effort to remove personally identifiable information from their full text documents in August of 2012. The information had been publicly available through other means, but it was appearing more frequently in internet searches and becoming easier to access because of web advances. Access to many full text documents on ERIC's database was temporarily disabled. Every document will be checked for personally identifiable information before being restored.
The May theft of a laptop that contained Towards Employment client data may have exposed personal information. The laptop was password protected and contained the names, Social Security numbers, and addresses of clients. Towards Employment is altering its policy so that only the last four digits of clients' Social Security numbers are tracked and used.
A dishonest employee working as a receptionist for the Minnesota Board of Psychology was part of a fraud ring that included nearly 30 co-conspirators. The receptionist was employed from December 2006 until May 2011. She pled guilty to conspiracy to commit bank fraud and aggravated identity theft and faces six years in prison. Those convicted in the case will be jointly responsible for $358,780 in restitution to victims.
Fifteen people have pleaded guilty and 10 others have pleaded not guilty in the case. The identity fraud ring was able to make at least $2 million in fraudulent purchases and bank withdrawals. The fraud ring used a variety of methods that included dishonest employees and theft of sensitive information from cars, businesses, trash cans, and mailboxes.
A hacker or hackers accessed and posted sensitive information from the Masons of California. Names, addresses, phone numbers, and emails were exposed.