Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: all
Year(s) of Breach: 2016
Company or Organization: all
Date Made Public:
November 2, 2018
Company: El paso los angeles limousine express inc
Location:
Type of breach:
UNKN
Type of organization:
UNKN
Records Breached:
68,647

Information on this security breach is provided by the Office of the Indiana Attorney General

Information Source:
Indiana Attorney General
Date Made Public:
October 22, 2018
Company: Byram healthcare
Location:
Type of breach:
UNKN
Type of organization:
UNKN
Records Breached:
52

Information on this security breach is provided by the Office of the Indiana Attorney General

Information Source:
Indiana Attorney General
Date Made Public:
October 12, 2018
Company: Buehlers fresh foods llc
Location:
Type of breach:
UNKN
Type of organization:
UNKN
Records Breached:
2,040

Information on this security breach is provided by the Office of the Indiana Attorney General

Information Source:
Indiana Attorney General
Date Made Public:
August 29, 2018
Company: LÍLLÉbaby
Location:
Type of breach:
UNKN
Type of organization:
UNKN
Records Breached:
500

Information on this security breach is provided by the Office of the California Attorney General. Disclaimer: The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute.
Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents.
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org

Information Source:
California Attorney General
Date Made Public:
April 24, 2018
Company: Atrium hospitality
Location:
Type of breach:
UNKN
Type of organization:
UNKN
Records Breached:
182

Information on this security breach is provided by the Office of the Indiana Attorney General

Information Source:
Indiana Attorney General
Date Made Public:
April 4, 2018
Company: Interval international inc
Location:
Type of breach:
UNKN
Type of organization:
UNKN
Records Breached:
1,413

Information on this security breach is provided by the Office of the Indiana Attorney General

Information Source:
Indiana Attorney General
Date Made Public:
March 20, 2018
Company: Orbitz
Location: Chicago, Illinois
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
880,000

Travel booking website Orbitz has announced that it discovered a potential data breach that exposed information for thousands of customers, as reported by Engadget. The incident, discovered by the company on March 1st, may have exposed information tied to about 880,000 credit cards.

The consumer data in question is from an older booking platform, where information may have been accessed between October and December 2017. Orbitz partner platform data, such as travel booked via Amex Travel, submitted between January 1st, 2016 and December 22nd, 2017 may have also been compromised. The Expedia-owned company says that names, payment card information, dates of birth, email addresses, physical billing addresses, gender, and phone numbers may have been accessed, but it doesn’t yet have “direct evidence” that any information was taken from the website.

Information Source:
Media
Date Made Public:
March 20, 2018
Company: Cenlar FSB
Location:
Type of breach:
UNKN
Type of organization:
UNKN
Records Breached:
100

Information on this security breach is provided by the Office of the Indiana Attorney General

Information Source:
Indiana Attorney General
Date Made Public:
February 23, 2018
Company: ACTIVE network
Location:
Type of breach:
UNKN
Type of organization:
UNKN
Records Breached:
207

Information on this security breach is provided by the Office of the Indiana Attorney General

Information Source:
Indiana Attorney General
Date Made Public:
January 23, 2018
Company: Union Hospital
Location: Terre Haute, Indiana
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1

Union Hospital suffered an inadvertent disclosure on approximately 1/18/16 that resulted in 1 record being exposed, which included social security numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 22, 2018
Company: Questar Assessment
Location: Jefferson County, Mississippi
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
663

 Mississippi education officials said Monday that a recently disclosed data breach by a testing vendor has exposed information from 663 students in Tupelo and Jefferson County.

State Superintendent Carey Wright said that Questar Assessment believes an unauthorized user gained access to records from 2016 tests for 490 students at Tupelo Middle School, 72 at Tupelo High School and 101 at Jefferson County Junior High on Dec. 31 or Jan. 1.

Among the items exposed were student names, state identification numbers, grade levels, teacher names and test results. Mississippi officials say they don't share addresses or Social Security numbers with Questar.

Information Source:
Media
Date Made Public:
January 10, 2018
Company: Alton Lane
Location: Concord, New Hampshire
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
1,208

In late Nov. 2017, Alton Lane received notice that in or about November of 2017, malicious code was injected into its IT systems, allowing unauthorized access to certain data, including personal and financial information, that was stored on or managed by the systems. The time period in which this code appears to have impacted users is approximately November of 2016 through November of 2017. Unauthorized users may have had access to consumer information collected by Alton Lane via its website, affecting five (5) New Hampshire residents.

Information Source:
Government Agency
Date Made Public:
August 16, 2017
Company: Virgin Mobile
Location: Warren, New Jersey
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

"A privacy breach seems to be underway at Virgin Mobile. Customers attempting to access their voicemail messages are instead getting access to the voicemail messages of other people.

When dialing the 212 number used by Virgin Mobile that allows access to your own voicemail box, Virgin Mobile customers are instead reporting that they are hearing strangers' voicemail messages, getting access to their voicemail account menus, or being directed to leave messages on a stranger's voicemail.

Customers are already taking to social media to report the issue. One Facebook user, Alison, raised concerns with Virgin Mobile customer service. "This is clearly a security issue when I'm reaching other customers, I assume they're customers, voicemail inboxes."

Information Source:
Media
Date Made Public:
January 27, 2017
Company: Synergy Specialists Medical Group
Location: San Diego, California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
0

"On December 9, 2016, we became aware that some patients had received an email from our office earlier that morning that we did not send. Specifically, it appeared to be an email alerting you that our office had a “Docusign” document waiting for you to review. Upon discovery of this fraudulent activity, we immediately sent an email alerting you not to open the email. We also immediately took action to secure our Gmail account and promptly hired forensic IT specialists to determine exactly what happened and whether any of our other systems were affected. Fortunately, the fraudulent activity was determined to be limited to our Gmail account only.

What Information Was Involved? Any information you sent to or received from our office on drjsbdpm@gmail.com. This could include completed patient registration forms if you emailed them to us, prescription or lab requests, and the content of voicemail messages you have left for our office as they would be email transcribed to us for quicker response. We do not send patient records electronically unless specifically requested by a patient so the information is limited to your requests. Further, our office email recipient list, which potentially included your first and last name, and email address may have been exposed."

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66062

Information Source:
California Attorney General
Date Made Public:
January 27, 2017
Company: International Code Council
Location: Brea, California
Type of breach:
HACK
Type of organization:
NGO
Records Breached:
0

"We are writing to inform you of an incident at International Code Council (“ICC”) that may have resulted in the disclosure of your name and payment card information. We take the security of your personal information very seriously, and sincerely apologize for any inconvenience this incident may cause. This letter contains information about steps you can take to protect yourself.

What happened and what information was involved: On December 16, 2016, we discovered an issue potentially impacting the processing of credit and debit card purchases made through our online store. We immediately took action to secure our system and conducted an investigation to determine what information may have been accessed. The independent forensics investigation, which took time, determined that customer payment card information, including name, address, and credit/debit card information may have been compromised between the dates April 25, 2016 – May 24, 2016, and July 11, 2016 - September 14, 2016. The security incident has been contained, and you may continue to use your credit and debit cards securely."

Information Source:
California Attorney General
Date Made Public:
January 26, 2017
Company: Cuddl Duds (Komar & Sons, Inc)
Location: Jersey City, New Jersey
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

"Cuddl Duds is writing regarding a recent data security incident that may impact certain payment card information used by you at our e-commerce website. We wanted to provide you with information about this incident, our response, and steps you can take to prevent fraud, should you feel it necessary to do so.

What Happened? On or around December 1, 2016, we received reports of suspicious activity from our third party e-commerce partner. We immediately began to investigate these reports to identify what happened and what information was impacted. Third-party computer forensic investigators were retained to assist with the investigation into what happened and what data was impacted. The investigation initially identified suspicious files on the system. In an abundance of caution, all user passwords were reset as this incident was initially determined to impact only name, address, email address, and encrypted passwords. Further investigation identified a malicious code inserted into the e-commerce website. Upon identifying the malicious code, Cuddl Duds and its partner quickly took steps to remove the code and prevent further unauthorized access. A review of the code determined that it was capable of collecting information provided by customers on the checkout page of Cuddl Duds.

What Information Was Involved? Cuddl Duds’s investigation has revealed that the malicious code collected demographic and credit card information entered on our e-commerce site checkout page between March 1, 2015 and December 1, 2016. The information collected included the cardholder’s name, shipping address, billing address, email address, card number, card type, expiration date, and CVV. If you were a registered user at our site, your login and password would also have been collected. All user passwords were changed in December after the discovery of the files."

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66044

Information Source:
California Attorney General
Date Made Public:
January 23, 2017
Company: Pool Supply Unlimited
Location: Ontario, California
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

"On January 11, 2017 Pool Supply Unlimited learned that a third party computer server utilized for our website was hacked.  In the last week poolsupplyunlimited.com has been held hostage by a group of hackers in Iran.  Unfortunately, this specific group of hackers have been causing problems for American companies big and small for years.

We have been working closely with the FBI since the breach. It was only this morning that we learned the extent of the information stolen during the hack."

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65971

Information Source:
California Attorney General
Date Made Public:
January 18, 2017
Company: California Department of Justice
Location: Sacramento, California
Type of breach:
DISC
Type of organization:
GOV
Records Breached:
3,424

"Radio (KPCC), an NPR affiliate, sought all information on Firearms Safety Certifications available from the California Department of Justice.

The information was released in October, and a clerical error gave the reporter wide access to the personal information of 3,424 firearms instructors -- whose dates of birth, driver’s license numbers and California identification numbers were handed over, according to NRA-ILA, the legislative arm of the National Rifle Association.

The error was caught two months later, and the California DOJ sent out a letter to all of the Golden State’s instructors letting them know their personal information had been compromised."

More information: http://www.foxnews.com/us/2017/01/18/california-snafu-releases-personal-...

Information Source:
Media
Date Made Public:
December 31, 2016
Company: KeepKey
Location: Redmond, Washington
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

"On the last day of 2016, KeepKey, a vendor of Bitcoin hardware wallets, has notified users of a security breach that inadvertently exposed some of its customers' details.

According to Darin Stanchfield, KeepKey founder and CEO, the attack took place on Christmas Day, December 25, when an unknown attacker had activated a new phone number with Stanchfield's Verizon account.

This allowed the attacker to request a password reset for his Verizon email account, but receive the password reset details on the newly activated phone number.

Attacker hijacked CEO's Verizon account by activating a rogue phone number

A few minutes later, the attacker had taken over Stanchfield's email account and proceeded to request password resets for several services where the KeepKey founder had used that email address to register profiles.

In no time, the attacker had taken over several of Stanchfield's accounts on other sites, such as KeepKey's official Twitter account, and several of KeepKey's side services, such as accounts for sales distribution channels and email marketing software."

More information: https://www.bleepingcomputer.com/news/security/attacks-on-phones-of-bitc...

Information Source:
Media
Date Made Public:
December 31, 2016
Company: Topps
Location: Brooklyn, New York
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

"Topps, the iconic maker of Star Wars, Frozen and various sports-related trading cards, has just notified its customers of security breaches that happened earlier this year. In it, the company has admitted that one or more intruders infiltrated its system and "may have gained access to [customers'] names, addresses, email addresses, phone numbers, debit or credit card numbers, card expiration days and card verification numbers." Topps said it didn't find out about the intruders until October 12th, but anyone who bought items through its website from June 30th to that date could be affected. Upon discovering the breaches, it worked with a security firm to fix the vulnerability the hackers exploited and to fortify its system."

More information: https://www.engadget.com/2016/12/31/topps-trading-card-maker-security-br...

Information Source:
Media
Date Made Public:
December 30, 2016
Company: Sheet Metal Workers' Local Union No.104
Location: Cupertino, California
Type of breach:
DISC
Type of organization:
BSO
Records Breached:
0

"On November 16, 2016, we were made aware of a blog post claiming that the author was able to access sensitive member data on October 3, 2016.  Immediately after being made aware of the report, we launched an internal investigation to ensure the security of our systems.  We also retained third-party forensic experts to assist in the investigation of the incident and determine if our systems were accessed without authorization.  While the investigation is ongoing, we have no reason to believe that any member data has been used to engage in the identity theft or fraud.  We have no evidence the Local 104's systems were subject to unauthorized access; rather, we believe that the blogger may have accessed data on a system maintained by a Local 104 third-party vendor.

What Information Was Involved?

We determined that the unauthorized individual was able to obtain files containing certain types of your personal information including your name, address, phone number, date of birth, driver's license number and Social Security number."

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65675

Information Source:
California Attorney General
Date Made Public:
December 30, 2016
Company: Horizon Healthcare Services Inc. doing business as Horizon Blue Cross Blue Shield of New Jersey and its affiliates
Location: New Jersey
Type of breach:
DISC
Type of organization:
MED
Records Breached:
55,700

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 30, 2016
Company: State of New Hampshire, Department of Health and Human Services
Location: New Hampshire
Type of breach:
HACK
Type of organization:
MED
Records Breached:
15,000

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 30, 2016
Company: Bryan Myers, MD PC, Ashley DeWitt, DO PC, Michael Nobles, MD PC
Location: Tennessee
Type of breach:
HACK
Type of organization:
MED
Records Breached:
13,150

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 29, 2016
Company: New Hampshire Department of Health and Human Services
Location: Concord, New Hampshire
Type of breach:
INSD
Type of organization:
MED
Records Breached:
15,000

"State officials are working to strengthen the security of the state’s computer network, after a data breach last year leaked the confidential information of thousands of New Hampshire Department of Health and Human Services clients.

A former patient at New Hampshire’s state psychiatric hospital used a computer in the hospital library to access information of about 15,000 individuals who received department services, according to a DHHS statement.

While on the state’s network, the patient accessed confidential information including names, addresses, Social Security numbers and Medicaid ID numbers and posted the information on social media sites."

More information: http://www.concordmonitor.com/NH-state-officials-working-to-make-network...

 

Information Source:
Date Made Public:
December 29, 2016
Company: PathGroup
Location: Brentwood, Tennessee
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,443

Reported by Health and Human Services as an unauthorized access/disclosure. Health and Human Services provided no specific information as to what information was compromised.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 29, 2016
Company: PrimeWest Health
Location: Alexandria, Minnesota
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,441

Reported by Health and Human Services as a hacking/IT incident. Health and Human Services provided no specific information as to what information was compromised.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 29, 2016
Company: PrimeWest Health
Location: Minnesota
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,441

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 29, 2016
Company: PathGroup
Location: Tennessee
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,443

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 28, 2016
Company: InterContinental Hotels Group (IHG)
Location: Denham, Buckinghamshire
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

"InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations.

Last week, KrebsOnSecurity began hearing from sources who work in fraud prevention at different financial institutions. Those sources said they were seeing a pattern of fraud on customer credit and debit cards that suggested a breach at some IHG properties — particularly Holiday Inn and Holiday Inn Express locations.

Asked about the fraud patterns reported by my sources, a spokesperson for IHG said the company had received similar reports, and that it has hired an outside security firm to help investigate. IHG also issued the following statement:

“IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations.  We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support.  We continue to work with the payment card networks.”

“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements.  If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza."

 

Information Source:
Krebs On Security
Date Made Public:
December 28, 2016
Company: Graphik Dimensions, Ltd. (pictureframes.com)
Location: High Point, North Carolina
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
1,614

"On or around November 9, 2016, Graphik Dimensions was advised that it had been identified as a common point of purchase for credit card fraud. On or around November 29, 2016, Graphik Dimensions’ investigation confirmed that an unidentified third party had injected malicious code into the pictureframes.com e-commerce site. The malicious code enabled the unidentified third party to acquire credit card information while the purchase took place. Graphik Dimensions’ investigation revealed that the exploit existed between July 12, 2016 and November 30, 2016.

The specific information that may have been obtained by the unidentified third party included customers’ name, billing address, full credit card number, expiration date, CVV number, and user name and password. Graphik Dimensions removed the malicious code from the affected system, and continues to take steps to ensure the security of its systems. It worked with the investigators, along with other subject matter experts, to ensure the security of its customers’ data and to implement a remediation plan to improve security in Graphik Dimensions’ network."

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65625

Information Source:
California Attorney General
Date Made Public:
December 28, 2016
Company: Maryland Medical Center/Dr. Morrill
Location: Maryland
Type of breach:
HACK
Type of organization:
MED
Records Breached:
10,000

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 27, 2016
Company: Susan M. Hughes Center
Location: Cherry Hill, New Jersey
Type of breach:
HACK
Type of organization:
MED
Records Breached:
11,400

Reported by Health and Human Services as a hacking/IT incident. Health and Human Services provided no specific information as to what information was compromised.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 27, 2016
Company: Susan M Hughes Center
Location: New Jersey
Type of breach:
HACK
Type of organization:
MED
Records Breached:
11,400

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 23, 2016
Company: Waiting Room Solutions Limited Liability Limited Partnership
Location: Goshen, New York
Type of breach:
DISC
Type of organization:
MED
Records Breached:
700

Reported by Health and Human Services as an unauthorized access/disclosure. Health and Human Services provided no specific information as to what information was compromised.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 23, 2016
Company: Waiting Room Solutions Limited Liability Limited Partnership
Location: New York
Type of breach:
DISC
Type of organization:
MED
Records Breached:
700

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
December 23, 2016
Company: Brandywine Pediatrics, P.A.
Location: Delaware
Type of breach:
HACK
Type of organization:
MED
Records Breached:
26,873

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 22, 2016
Company: Dover Federal Credit Union
Location: Cheswold, Delaware
Type of breach:
INSD
Type of organization:
BSF
Records Breached:
0

"On September 20, 2016, DFCU learned that an employee had transferred DFCU files to the employee’s personal Dropbox account to access the information from the employee’s home computer for business purposes.  Although DFCU had no indication that any of the transferred information was compromised, DFCU managers immediately began an investigation to determine what information had been transferred.  DFCU hired a computer forensic firm to help investigate the incident.  The investigation determined on November 18, 2016, that it was unlikely that any information was accessed by any unauthorized person, as the employee was the only authorized user of the Dropbox account and did not provide the Dropbox credentials to any other individual.  DFCU determined on November 23, 2016, that the files transferred to the employee’s Dropbox account included personal information of all DFCU members.
 
What information was involved? The information included your name, address, DFCU account number, and your Social Security number."

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65580

Information Source:
California Attorney General
Date Made Public:
December 22, 2016
Company: Claremont University Consortium
Location: Claremont, California
Type of breach:
PORT
Type of organization:
EDU
Records Breached:
0

"On November 15, 2016, several items, including a password-protected laptop, were stolen from a Claremont University Consortium employee’s locked vehicle. The theft was discovered the same day and the employee promptly notified the College and the Berkeley Police Department. We have been working with law enforcement but, to date, they have been unable to locate the suspects or the stolen items.

What information was involved? Our investigation has confirmed that the stolen laptop may have contained information regarding your 1099 tax form, including your name, address, date of birth, and Social Security number."

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65602

Information Source:
California Attorney General
Date Made Public:
December 22, 2016
Company: ADVANTAGE Health Solutions
Location: Indiana
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,387

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services