Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: all
Year(s) of Breach: 2017
Company or Organization: all
Date Made Public:
February 19, 2018
Company: FedEx
Location: , Tennessee
Type of breach:
DISC
Type of organization:
BSR
Records Breached:
119,000

Personal information of thousands of FedEx customers worldwide was exposed on the web due to an Amazon Web Services (AWS) cloud storage server which was not secured with a password. Security researchers from Kromtech Security found the open AWS bucket which contained 119,000 scanned documents, including passports, drivers’ licenses and Applications for Delivery of Mail Through Agent forms, which contain names, home addresses, phone numbers and ZIP codes. 

 

Information Source:
Media
Date Made Public:
February 13, 2018
Company: Pension Fund of the Christian Church
Location: Indianapolis, Indiana
Type of breach:
PHYS
Type of organization:
NGO
Records Breached:
10,981

On Dec. 16, 2017, Pension Fund learned that a password protected employee laptop had been stolen that contained personal information for 10981 records, including SS numbers, as well as credit card or financial account information. 

Information Source:
Security Breach Letter
Date Made Public:
February 13, 2018
Company: Mindlance, Inc.
Location: Union, New Jersey
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
3,085

On 12/28/2017, Mindlance, Inc. suffered a system breach (hack) that affected 3085 records, including SS numbers and names. 

Information Source:
Security Breach Letter
Date Made Public:
February 8, 2018
Company: Riverside Unified School District
Location: , California
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
1

On December 5, 2017, a San Diego County office of Education employee inadvertently sent an employee retirement contribution spreadsheet to San Diego County Office of Education's retirement contribution contacts at forty-four (44) school districts throughout Southern California. The impact likely affected 1 Idaho resident.

Information Source:
Security Breach Letter
Date Made Public:
February 7, 2018
Company: Nevro
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500

 Nevro was recently the victim of a criminal break-in at our corporate headquarters in which several laptop computers were stolen. Nearby businesses were also targeted by the same perpetrators, who stole laptops from those businesses as well. Nevro has been unable to recover the stolen laptops on which limited information relating to you has been stored. Nevro has no indication that these laptops were stolen in order to acquire the data on them, nor any indication that the data on the laptops has been accessed or used in any way. All the stolen Nevro laptops were password-protected, although not all were encrypted. Because limited information about individual customer treatment relationships with Nevro was stored on one or more of the stolen laptops, and applicable state law considers this type of information sufficient to warrant a notification, we are reaching out to advise customers of these equipment thefts.

What Information Was Involved? Limited categories of information about certain patients who use Nevro’s HF10 therapy were contained in files stored on one or more of the unencrypted laptops. The categories of information varied by file or patient, but the data fields were limited to patient name, street address, birth date, procedure date, medical device identifiers (such as serial number), and contact information for the patient’s physician or other medical provider. Nevro does not possess, and none of these laptops contained, sensitive identifying information such as Social Security or other government-issued identification numbers or credit card or financial institution information. None of these laptops contained treatment or medical information other than the information directly related to the fact of the use of the device.

Information Source:
Security Breach Letter
Date Made Public:
February 2, 2018
Company: Ron's Pharmacy Services
Location: San Diego, California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500

On October 3, 2017, Ron’s Pharmacy identified unusual activity in an employee email account. Ron’s Pharmacy immediately changed the employee’s credentials and commenced an investigation, with the assistance of third-party forensic investigators, to determine what happened. As part of this investigation, determined that the employee’s email account was subject to unauthorized access and certain emails were viewed as a result of the unauthorized individual(s) using software to crack the employee’s email account password. On December 21, 2017, as part of Ron’s Pharmacy’s ongoing investigation, it was determined that the following information relating was accessed:  names,  internal account numbers at Ron’s Pharmacy, prescription medication information, and payment adjustment information, which relates to credits made to accounts. Importantly, no Social Security, health insurance, or financial account information was accessed.

Information Source:
Date Made Public:
February 2, 2018
Company: Advanced-Online
Location: , California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
500

Advanced-Online learned on January 3, 2018 that certain personal information housed on the company’s online platform may have been subject to unauthorized access. The date range for the incident appears to be April 29, 2017 until January 12, 2018. Upon becoming aware of the potential unauthorized access, Advanced-Online promptly engaged a nationally recognized cybersecurity and forensics firm to assess and address the situation.

WHAT INFORMATION WAS INVOLVED? Advanced-Online and our cybersecurity and forensics firm believe that the following categories of information may have been compromised: name, address, username/email address, password, and payment card information (account number, expiration date, CVV number).

Information Source:
Date Made Public:
February 1, 2018
Company: Department of Homeland Security
Location: , District Of Columbia
Type of breach:
HACK
Type of organization:
GOV
Records Breached:
246,167

A data breach at the Department of Homeland Security has exposed the personal information of more than 240,000 current and former DHS employees, such as their social security numbers, dates of birth, positions, grades, and duty stations, the agency saidOn January 3, 2018, select DHS employees received notification letters that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System.  The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized transfer of data.

What we know: The department said the breach was not carried out as part of a "cyber-attack by external actors." Instead, the data was discovered in the possession of a former employee of the agency's Office of Inspector General during an ongoing criminal investigation last May

Go deeper with the department's full memo.

 

Information Source:
Government Agency
Date Made Public:
January 29, 2018
Company: Nevro
Location: Dublin, Ohio
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1

What Happened? Nevro was recently the victim of a criminal break-in at our corporate headquarters in which several laptop computers were stolen. Nearby businesses were also targeted by the same perpetrators, who stole laptops from those businesses as well. Nevro has been unable to recover the stolen laptops on which limited information relating to you has been stored.

We have no indication that these laptops were stolen in order to acquire the data on them, nor any indication that the data on the laptops has been accessed or used in any way. All the stolen Nevro laptops were password-protected, although not all were encrypted. Because limited information about your treatment relationship with Nevro was stored on one or more of the stolen laptops, and applicable state law considers this type of information sufficient to warrant a notification, we are reaching out to advise you of these equipment thefts.

 

What Information Was Involved? Limited categories of information about certain patients who use Nevro’s HF10 therapy were contained in files stored on one or more of the unencrypted laptops. The categories of information varied by file or patient, but the data fields were limited to patient name, street address, birth date, procedure date, medical device identifiers (such as serial number), and contact information for the patient’s physician or other medical provider.

Nevro does not possess, and none of these laptops contained, sensitive identifying information such as Social Security or other government-issued identification numbers or credit card or financial institution information. None of these laptops contained treatment or medical information other than the information directly related to the fact of the use of the device

Information Source:
Security Breach Letter
Date Made Public:
January 26, 2018
Company: Jeffrey Born, CPA, Inc.
Location: Portland, Oregon
Type of breach:
PHYS
Type of organization:
BSF
Records Breached:
250

Office was physically broken into and that two password protected laptops were stolen. The Sacramento County Sheriff’s Department was immediately called and promptly arrived at the office, investigating the matter.

 What Information Was Involved? This may have included : full name, birthdate, telephone number, address, Social Security number, all employment (W-2) and self-employment information, 1099 information (including account number if provided to my office), entity identification and income earned/amounts received from participation in S-Corp/partnership/LLC/trust, Affordable Care Act insurance data (your medical insurance policy number if you provided us with a Form 1095-A), and direct deposit bank account information (including account number and routing information if provided to my office).

Information Source:
Security Breach Letter
Date Made Public:
January 26, 2018
Company: Goldleaf Partners Services, Inc.
Location: Bloomington, Minnesota
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
6,020

On 10/31/2017 Goldleaf Partners Services, Inc. suffered a hack that affected 6020 records, including Social Security numbers as well as names and credit card or financial account information.

Information Source:
Security Breach Letter
Date Made Public:
January 26, 2018
Company: Member First Mortgage, LLC
Location: Grand Rapids, Michigan
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
36,840

On 11/25/2017 Member First Mortgage, LLC, experienced an unauthorized access to their internal systems exposing 36840 records, including Social Security numbers as well as names and credit card or financial account information. 

Information Source:
Security Breach Letter
Date Made Public:
January 26, 2018
Company: Pentair Aquatic Eco Systems, Inc.
Location: Apopka, Florida
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
239

Pentair Aquatic Eco Systems, Inc., suffered a hack on 12/19/2017 that resulted in the exposure of 239 records, which included names, credit card or financial account information and debit card numbers.

Information Source:
Security Breach Letter
Date Made Public:
January 25, 2018
Company: The National Registry of Emergency Medical Technicians
Location: Columbus, Ohio
Type of breach:
HACK
Type of organization:
MED
Records Breached:
843

On 11/17/2017 The National Registry of Emergency Medical Technicians suffered a hack affecting 843 records, including first and last names, address information ,and Social Security numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 24, 2018
Company: Gourmesso
Location: , Maine
Type of breach:
CARD
Type of organization:
BSR
Records Breached:
1

Discover Card account information of 1 Maine citizen breached. 

Information Source:
Government Agency
Date Made Public:
January 24, 2018
Company: Gourmesso
Location: , Maine
Type of breach:
UNKN
Type of organization:
BSR
Records Breached:
1

Discover Card account information of 1 Maine citizen breached.

Information Source:
Date Made Public:
January 22, 2018
Company: Tx: Team Rehab, Inc.
Location: Indianapolis, Indiana
Type of breach:
HACK
Type of organization:
MED
Records Breached:
56

Tx:Team suffered a hack on 10/30/2017 that affected 6 records, including SS numbers as well as names and credit card or financial account information.

Information Source:
Security Breach Letter
Date Made Public:
January 22, 2018
Company: The Coca-Cola Company
Location: Atlanta, Georgia
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
2,181

In July, 2017, The Coca-Cola company suffered a phishing attack that resulted in the exposure of 2181 records, which included social security numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 19, 2018
Company: Questar Assessment
Location: Apple Valley, Minnesota
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
52

A data breach at testing vendor Questar Assessment exposed personal information of about 52 students in five New York schools, state Education Commissioner MaryEllen Elia said Thursday.

Questar, headquartered in Apple Valley, Minnesota, reported that someone accessed a small amount of “personally identifiable” information from Dec. 30 to Jan. 2, Elia said. The data included some student names, identification numbers, grade levels and teachers’ names, but not student addresses, Social Security numbers, disability status or test scores.

Information Source:
Media
Date Made Public:
January 19, 2018
Company: OnePlus
Location: Shenzhen, Guangdong
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
40,000

OnePlus has confirmed that up to 40,000 customers have been affected by a credit card breach, in the latest embarrassing misstep for the Chinese handset maker. The news comes several days after OnePlus shut down credit card processing following complaints from customers about fraudulent charges landing on their cards after they bought products through OnePlus’s online store.

OnePlus offered an explanation of what had happened on its website.

“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” the company said. “The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.”

The affected users entered their card information on OnePlus’s store between mid-November and January. Customers who made purchases with a saved card “should not” be affected, OnePlus said. The same goes for ones who paid with PayPal or credit card via PayPal. Affected users will be offered a year of credit monitoring.

Information Source:
Media
Date Made Public:
January 19, 2018
Company: Rosewood Hotel Group
Location: , Maine
Type of breach:
UNKN
Type of organization:
BSR
Records Breached:
8

Guest name and payment card information (cardholder name, payment card number, exp date and security code) for 8 records breached.

Information Source:
Government Agency
Date Made Public:
January 19, 2018
Company: Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc.(Rockville, MD)
Location: Rockville, Maryland
Type of breach:
UNKN
Type of organization:
BSR
Records Breached:
12

Name, address, birthdate, SSN, financial account information & protected health information for 12 Maine citizens breached.

Information Source:
Government Agency
Date Made Public:
January 19, 2018
Company: Mindlance, Inc.
Location: Union, New Jersey
Type of breach:
UNKN
Type of organization:
BSR
Records Breached:
3

Name or other personal identifier information in combination with SSN of 3 records breached. 

Information Source:
Date Made Public:
January 19, 2018
Company: Idaho Transportation Department
Location: , Idaho
Type of breach:
HACK
Type of organization:
GOV
Records Breached:
8

On Jan. 2, 2018, the Idaho Transportation Department's Cyber Security Unit discovered an internal email account was compromised through a phishing attack. The Division of Motor Vehicles employee account was accessible from Nov. 11, 2017 through Dec. 7, 2017. The email account contained personal identifiable and payment card information for eight individuals. 

Information Source:
Security Breach Letter
Date Made Public:
January 19, 2018
Company: Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc.
Location: Rockville, Maryland
Type of breach:
HACK
Type of organization:
NGO
Records Breached:
9,769

On 16/21/2017 Westminster Ingleside suffered a hack that affected 9769 records, including SS numbers, names, and credit card or financial account information. 

Information Source:
Security Breach Letter
Date Made Public:
January 18, 2018
Company: Employer Leasing Company
Location: Powway, California
Type of breach:
UNKN
Type of organization:
BSO
Records Breached:
1

Name or other personal identifier in combination with SSN and Driver's license number or non-driver ID number for one Maine citizen breached.

Information Source:
Government Agency
Date Made Public:
January 18, 2018
Company: University of Idaho
Location: , Idaho
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
257

The university detected that one of their accounts was being used to send phishing email. An investigation determined that the employees email messages contained personal information for 257 individuals. Information included names, addresses and social security numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 17, 2018
Company: Ameriprise Financial, Inc.
Location: Minneapolis, Minnesota
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
56

Ameriprise Financial suffered an inadvertent disclosure of 56 records, including SS numbers and names. 

Information Source:
Security Breach Letter
Date Made Public:
January 17, 2018
Company: Valley of the Sun YMCA
Location: Phoenix, Arizona
Type of breach:
HACK
Type of organization:
NGO
Records Breached:
2,649

On 9/21/2017 Valley of the Sun YMCA suffered a system breach (hack) that affected 2649 records, which included names as well as credit card or financial account information.

Information Source:
Security Breach Letter
Date Made Public:
January 16, 2018
Company: Pension Fund o the Christian Church
Location: Indianapolis, Indiana
Type of breach:
UNKN
Type of organization:
NGO
Records Breached:
10

Name or other personal identifier in combination with SSN and  financial account number or credit or debit card number, in combination with the security code, access code, password, or PIN for the account for 10 Maine citizens breached.

Information Source:
Government Agency
Date Made Public:
January 16, 2018
Company: Pension Fund of the Christian Church
Location: , Oregon
Type of breach:
UNKN
Type of organization:
BSO
Records Breached:
20,996
Information Source:
Government Agency
Date Made Public:
January 15, 2018
Company: Jason's Deli - Deli Management, Inc.
Location:
Type of breach:
CARD
Type of organization:
BSR
Records Breached:
2,000,000

On December 22, 2017, Jason’s Deli was notified by payment processors that credit card security personnel had informed it that a large quantity of payment card information had appeared for sale on the “dark web,” and that an analysis of the data indicated that at least a portion of the data may have come from various Jason’s Deli locations. From our initial investigation findings, criminals deployed RAM-scraping malware on a number of our point-of-sales (POS) terminals at various corporate-owned Jason’s Deli restaurants Based on the facts known to Jason’s Deli at this time, the Company believes that the criminals used the malware to obtain payment card information off of the POS terminals beginning on June 8, 2017. Our investigation has determined that approximately 2 million unique payment card numbers may have been impacted in total.

Information Source:
Government Agency
Date Made Public:
January 12, 2018
Company: PharMerica Corporation
Location: , Maine
Type of breach:
UNKN
Type of organization:
MED
Records Breached:
135

Demographic info, medication and clinical info, health insurance info and SSN of 135 Maine Citizens breached..  Some may have had their financial account info impacted as well

Information Source:
Government Agency
Date Made Public:
January 12, 2018
Company: Monticello Central School District
Location: Monticello, New York
Type of breach:
UNKN
Type of organization:
EDU
Records Breached:
2

Name or other personal identifier in combination with SSN for 2 Maine citizens breached.

Information Source:
Government Agency
Date Made Public:
January 12, 2018
Company: Guaranteed Rate, Inc.
Location: Chicago, Illinois
Type of breach:
UNKN
Type of organization:
BSR
Records Breached:
557

Name or other personal identifier in combination with SSN, Driver's license number or non-driver ID number and  financial account number or credit or debit card number, in combination with the security code, access code, password, or PIN for the account for 557 Maine citizens breached.

Information Source:
Government Agency
Date Made Public:
January 12, 2018
Company: Guaranteed Rate, Inc.
Location: Chicago, Illinois
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
187,788

Guaranteed Rate, Inc. suffered a breach on 6/9/2017 until 10/2/2017 affecting 187,788 records, including Social Security numbers, names, driver's license numbers, credit and debit card information and account information, and state ID numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 12, 2018
Company: Onco360 and CareMed Speciality Pharmacy
Location: Louisville, Kentucky
Type of breach:
HACK
Type of organization:
MED
Records Breached:
53,173

Breach affecting 53,173 records was reported on 1/12/2018, including social security numbers, names, and credit card or financial account information. 

Information Source:
Security Breach Letter
Date Made Public:
January 12, 2018
Company: Hallmark Home Mortgage
Location: Columbus, Ohio
Type of breach:
INSD
Type of organization:
BSF
Records Breached:
2,816

Hallmark suffered a breach on 11/17/2017 that affected 2816 records, including SS numbers, Names, Drivers License Numbers, and Credit Card or Financial Account Information.

Information Source:
Security Breach Letter
Date Made Public:
January 12, 2018
Company: Deconess Hospital
Location: Evansville, Indiana
Type of breach:
INSD
Type of organization:
MED
Records Breached:
4

On 12/08/2017, as a result of insider wrong-doing, Deaconess Hospital suffered a breach that resulted in the exposure of 4 records including Social Security numbers.

Information Source:
Security Breach Letter
Date Made Public:
January 11, 2018
Company: Multnomah Athletic Club
Location: Portland, Oregon
Type of breach:
PHYS
Type of organization:
BSR
Records Breached:
250

Multiple shredding bins on the premises were stolen on Dec. 2, 2017. It is possible that one or more of the bins contained name, addresses, social security numbers, passports, drier's license numbers and or bank account information. To date they are not aware of any reports of identity fraud or improper use of PII as a direct result of the incident. 

Information Source:
CSV