On May 7, a devastating ransomware attack forced the City of Baltimore offline, halting home sales and crippling municipal services.  Last week, Baltimore took its first tentative steps back online, as a small number of city email accounts got restored.

However, the damage was already done.  Just three weeks after the ransomware attack, and Baltimore has already spent nearly $5 million on recovery efforts.  Furthermore, the city’s budget office estimates that the entire recovery effort will cost the city at least $18.2 million.

It’s not just the public sector suffering from malicious cyber attacks.  A recent McAfee study found that 61 percent of IT security professionals experienced a data breach at their current employer.

Meanwhile, Verizon’s 2019 Data Breach Investigations Report found that 70 percent of ransomware attacks last year targeted small businesses.  Even worse, ransomware attacks are already up nearly 200 percent in 2019, and we’ve still got seven months to go.

At the same time, California and other U.S. states are enacting new laws that punish businesses for not adequately protecting against data breaches.  Last month, New Jersey Gov. Phil Murphy approved amendments to the state’s data breach notification law.

On May 25, the European Union’s data breach notification law, known as GDPR, celebrated its first birthday.  Since GDPR went into effect a year ago, the European Data Protection Board recorded:

  • 65,000 data breach notifications
  • 206,326 data breach complaints
  • $63 million in imposed fines

What’s more, Bitglass found that a company’s stock value drops an average of 7.5 percent following a data breach.  Think about those numbers the next time you consider skimping on cyber security.  Now for this week’s data breach news stories from across the country.

U.S. DATA BREACH NEWS (May 19-31, 2019)

Data Breaches cyber securityQC Online: Augustana College alumni demanding answers after data breach

Rock Island, Ilinois-based Augustana College suffered a ransomware attack in February.  Hackers accessed personal data of current and former students, including social security numbers and dates of birth.  Augustana officials have not offered information about the perpetrators of the attack, or about how many people were affected.

Seattle Times: Phishing email leads to Oregon State Hospital data breach

A successful spear-phishing attack on an Oregon State Hospital employee caused a data breach on May 6.  Exposed patient information included names, dates of birth, medical record numbers and more.  

Forbes: Facebook messaging app WhatsApp exposes phones to Israeli spyware

More bad news for Facebook.  A few weeks ago, the company’s “flagship messaging application” admitted to a significant data breach.  This breach allowed spyware created by Israeli company NSO Group to get remotely installed through voice calls.  At the time of the attack, WhatsApp had 1.5 billion users.

Consumer Reports: Nearly 885 million records leaked in First American Financial data breach

Website Krebs on Security first discovered security flaws in the website of this real estate title insurance company.  Those flaws left exposed documents relating to mortgage deals going back to 2003.  Client information including bank account numbers, tax records and Social Security numbers got left on the company’s website without any login or password protection.  

Atlanta Journal-Constitution: Equifax still paying for 2017 data breach

Over two years ago, a cyber attack Equifax exposed the data of 148 million people.  Since then, costs related to the breach have topped $1.25 billion.  On May 22, Moody’s downgraded the Equifax rating outlook to negative.  Moody’s specifically called out cyber security at Equifax “as an issue for its future strength.”

TechCrunch: Stack Overflow confirms hackers breached its systems

One of the 50 most popular sites on the internet, knowledge sharing site Stack Overflow suffered a data breach on May 11.  The investigation is ongoing, but Stack Overflow, which boasts 50 million monthly active users, insists that “customer data is unaffected.”

Becker Hospital Review: Independent Health alerts 7,600 members of data breach

On March 19, an employee at this New York-based insurer emailed personally identifiable information about 7,600 members to a fellow Independent Health member.  This exposed member information such as names, ID numbers and claim numbers.  Becker Hospital Review also recently reported on a Seattle blood bank notifying nearly 1,900 patients of a data breach.

Toledo Blade: Harbor Behavioral Health becomes latest Ohio provider hit with data breach

Mental health provider Harbor Behavioral Health notified clients that “an unauthorized person gained access to an employee’s email account” in early February.  This notification follows April data breach notifications from Rehabilitation Hospital of Northwest Ohio and Columbus Community Hospital.

Tech Crunch: Millions of Instagram influencers had their contact data scraped and exposed

Even more bad news for Facebook, which owns the hugely popular social media app Instagram.  A massive database containing personal information on millions of Instagram users was left exposed by the Mumbai social media marketing firm Chtrbox.

Forbes: Shubert Organization suffers data breach

Employee emails got accessed at the New York-based Shubert Organization, a company that owns 17 Broadway theaters and the ticketing service Telecharge.  The emails contained customer information that included names as well as credit card numbers and expiration dates.  Shubert is offering 24 months of free credit monitoring to affected customers.

MLive: Mercy Health alerts 1,000 patients of data breach

Data security concerns surrounding a private Mercy Health server were discovered on March 25, but the company only started notifying patients on May 24.  Information related to almost 1,000 people, including names, addresses, emails, dates of birth and social security numbers, was “vulnerable to potential access by unauthorized users.”

KGNS-TV News: City of Laredo still recovering from cyber attack

Two weeks after a cyber attack shut down email and internet connections, the City of Laredo continues to recover.  Most city services are getting delivered, although the legal department is still shut down, delaying public information requests and other legal correspondences.

WCYB-TV News: Medical records company settles data breach lawsuit for $900,000

Medical Informatics Engineering, Inc. settled a $900,000 lawsuit with 16 states, led by the state of Indiana.  The suit alleged that MIE violated the Health Insurance Portability and Accountability Act (HIPPA) when hackers breached their network in May 2015.

WTSP-TV News: Checkers and Rally’s restaurant chain announces data breach

The popular fast food drive-in chain found malware on computers at over 100 locations.  These breaches occurred between October 2016 through April 2019, happening at 15 restaurants in Florida, as well as at locations in 19 other states.

Govtech.com: Cyber attack forces system shutdown in Luzerne County

An employee clicking a phishing email likely set off a cyber attack that crippled the courthouse computer network in this Pennsylvania county.  Officials limited the damage by shutting down the system, forcing many county offices to provide paper receipts.

Techradar.com: Flipboard hit by user data breach

Hackers accessed the internal systems of this news aggregation service for nine months before getting noticed.  The hackers entered databases containing user names, passwords, email addresses and more.  In response, Flipboard reset passwords for all 145 million users.

ZDNet: New York non-profit suffers data breach

The non-profit human services agency People, Inc. announced a data breach affecting up to 1,000 clients.  Hackers entered the network through an employee email account, which exposed customer information that included names, addresses, Social Security numbers, medical data and more.