The Hidden Epidemic of Data Breaches
We all know by now that data breaches can do irreparable damage to your business. However, mental health professionals now believe that data breaches can also cause psychological harm.
This theory gets explored in a recent USA Today article called “Anxiety, Depression and PTSD: The Hidden Epidemic of Data Breaches and Cyber Crimes.” Breach-related stress takes its toll on the millions of Americans whose personal information got exposed and stolen. The breaches caused feelings of powerlessness, disrupted sleep and lower energy levels. But in more severe cases, they could cause depression, anxiety, PTSD, and even suicide.
Here are some data breach statistics from a survey by the nonprofit Identity Theft Resource Center:
- 86% of identity theft victims felt worried, angry and frustrated
- 70% said they could not trust others and also felt unsafe
- 59% reported sadness and depression related to the data exposure
- 57% reported symptoms including aches, pains and cramps
Without further ado, let’s dig into this month’s cyberattack news coverage. We start with a breach that struck close to CNS headquarters in Northern California.
CYBERATTACK NEWS COVERAGE (Feb. 12-March 10, 2020)
Lodi News-Sentinel: Student Data Breached at Two Lodi Schools
Lodi Unified School District (LUSD) recently announced a data breach of Chromebooks used by three staff members. One of the Chromebooks contained PII that included student names, addresses, parent contact information and student medical records. The breach affects staff members and students at Ronald McNair High School and Bear Creek High School in Lodi. Fortunately, it turns out that the teachers’ Chromebooks were on a different network than students’ Chromebooks. However, an investigation found that a student was able to breach and gain access to the teacher network.
Cincinnati.com: Fifth Third Warns Customers of Data Breach
Cincinnati-based financial institution Fifth Third spent much of February warning bank customers about possible misuse of their personal information. The abuse came at the hands of former bank employees, and it dates back to Summer 2018. Exposed PII could include names, Social Security numbers, driver’s license information, mothers’ maiden names, home addresses, phone numbers, dates of birth, bank account numbers and more. Fifth Third is currently working with law enforcement on the investigation. Meanwhile, they will offer one free year of identity protection services and any necessary reimbursements to affected customers.
Associated Press: Puerto Rico Government Loses $2.6M in Phishing Scam
Already dealing with a decade-long recession, the American territory of Puerto Rico recently got taken by hackers for $2.6 million. Following a successful whaling campaign, the Puerto Rico Industrial Development Company sent the money to a fraudulent account on Jan. 17. However, it took them a couple of weeks to realize the error and notify law enforcement. The Puerto Rican government is still waiting for more details about lost or exposed data related to the attack.
Over 10 million hotel guests had their data exposed and published on a hacking forum following a breach at MGM Resorts. Exposed data includes full names, phone numbers, addresses, emails and dates of birth. Until MGM Resorts discovered the breach last summer, hackers accessed a cloud server that contained information on guests. Fortunately, no financial or credit card data got exposed by the leak. MGM Resorts properties include the Bellagio, Aria, MGM Grand, Mandalay Bay, Mirage, New York New York, Luxor and Excalibur.
KATU-TV News: Nine-Year-Old Boy’s Identity Stolen in Data Breach
Most of our cyberattack news coverage focuses on adults, and not on children. However, the Matthews family of Oregon recently discovered that their nine-year-old son fell victim to breach-related identity theft. This unusual circumstance is related to a breach at the Health Share of Oregon. Not only was the child’s data compromised, but hackers used it to open a U.S. Bank credit card account. Luckily, U.S. Bank sent the card to the Matthews residence, and the bank eventually closed the fraudulent account.
Local 21 News: Dozens of Rutter’s Locations Affected by Data Breach
A data breach at the convenience store and gas station chain Rutter’s affected customers at dozens of locations. The Rutter’s chain includes 72 locations in Central Pennsylvania, West Virginia and Maryland. Meanwhile, the breach could affect anyone who shopped at Rutter’s stores between Oct. 2018 and May 2019. In the attack, the installation of malware on the Rutter’s payment processing systems compromised customer payment cards. Exposed information includes card numbers, expiration dates and internal verification codes.
After finding “suspicious activity” on a third-party portal used by employees, Idaho Central Credit Union discovered a data breach last November. ICCU launched an investigation, which found that data exposed in the attack included names, dates of birth, Social Security numbers, financial account information and more.
If that’s not enough, ICCU discovered a second data breach in December, this time related to a compromised employee email account. Breach notification letters started going out on Feb. 6. ICCU plans to offer two years of complimentary identity monitoring and restoration services to affected customers.
Multiple compromised employee email accounts led to a data breach at Maine nonprofit PSL Services. Also known as Peregrine Corp., PSL provides services for people with intellectual disabilities. Personal data exposed in the breach includes names, medical information, home addresses, dates of birth, Social Security numbers and more. PSL Services first learned about the breach on Dec. 17. However, the nonprofit waited two months to release the information at 5 p.m. on the Friday before a holiday weekend.
After a data breach of smart security camera maker Wyze exposed PII on 2.4 million users, lawsuits seemed inevitable. Sure enough, Matthew Schoolfield of Texas became the first plaintiff, and he is seeking class-action status. The lawsuit alleges negligence by Wyze, who claimed that the security incident resulted from “human error.” In the lawsuit, Schoolfield claims that “it is now possible for any individual anywhere in the world to access the live video feeds of every single Wyze camera that was online.”
Fox 5 San Diego: Children’s Hospital Hit by Data Breach
Rady Children’s Hospital in San Diego recently experienced a data breach that affected as many as 2,360 patients. The incident occurred between June 2019 and Jan. 3, 2020. Exposed information did not include Social Security numbers or payment card information, but it did include names, genders, and the kinds of radiology studies ordered. Other compromised PII included dates of birth, medical record numbers and more. Meanwhile, the children’s hospital will notify affected patients and their families about the breach.
The Daily Tribune News: Records Reveal City of Cartersville Paid Ransomware Attackers $380K
After The Daily Tribune News filed an Open Records Request, the City of Cartersville in Georgia admitted it paid off the perpetrators of a May 2019 Ryuk ransomware attack. Cartersville officials released documents showing that the city paid the hackers $380,000 worth of Bitcoins. According to the Cartersville City Manager, the money “came out of our property and casualty insurance line item.” The city regained access to its files 48 hours after making the payment. Meanwhile, the system returned to full operation within the week.
Health IT Security: Walgreens Reports Data Breach
An internal error on the Walgreens app inadvertently exposed private messages to other customers. After discovering the vulnerability on Jan. 15, Walgreens launched an investigation into the incident. The investigation found that some health-related information got breached for a small percentage of customers. Exposed PII includes customer names, prescription numbers, drug names and shipping addresses. Walgreens is the second-largest pharmacy chain in the United States. This incident underlines the privacy concerns of third-party apps, which are not subject to HIPAA regulation.
Denver-based Visser Precision, a parts maker for space and defense contractors, recently got attacked in a ransomware incident. Visser also makes custom parts for the automotive and aeronautics industries. Hackers carried out the attack using DoppelPaymer ransomware, a new kind of file-encrypting malware. After exfiltration, the hackers threaten to publish the data if the ransom does not get paid. The hackers in the Visser attack published the stolen files on the dark web, even making some of them available for download. Meanwhile, some of the exposed companies include Tesla, SpaceX, Boeing and Lockheed Martin.