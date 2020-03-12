Company Information Affected

Virgin Media (UK) On March 5th, 2020, Virgin Media disclosed a data breach incident caused by an incorrectly configured marketing database. The company reported that the database was accessed by an unauthorised party on at least one occasion. Information exposed on the database included names, home addresses, email addresses, and phone numbers. Highly sensitive data that could link customers to pornography or explicit websites was also reportedly exposed. 900,000

Multiple healthcare organisations (US) Harris Health System, Kaiser Permanente, Elk Ridge Dentistry, Menaul Clinic, Riverview Health, and Community Mental Health Council reported data breaches that may have exposed personally identifiable information. The data breaches were the result of data sent to wrong recipients, and stolen backups and servers. In the case of Community Mental Health Council, which has been closed since 2012, physical medical records of its former patients were found in an alley in Chicago. Potentially exposed data includes names, dates of birth, addresses, telephone numbers, health insurance information, Social Security numbers, and more. 8,701

Leadhunter (US) On January 30th, 2020, researchers at Security Discovery found an Elasticsearch instance that had been indexed by search engines. In total 110,378,874 records were exposed. The documents could be accessed by anyone with a web browser and were available for more than a month until the data was deleted by an unknown party on March 4th, 2020. The exposed data included addresses, names, emails, phone numbers and more. Unknown

Unknown Researchers at Comparitech identified an online database containing 201,162,598 records relating to personal and demographic data about properties and residents. The owner of the database has not been determined. Personal information includes names, addresses, email addresses, income, credit rating, and more. Other exposed information includes property types, market values, previous owners, tax assessment information, and more. The researchers do not know if any unauthorised parties accessed the data prior to the server being taken offline on March 4th, 2020. Unknown

Trident Crypto Fund (Malta) Ashot Oganesyan of DeviceLock told Russian news site IZ that hackers had stolen and published the usernames and passwords of 266,000 Trident Crypto Fund customers. Exposed data, which was uploaded to file sharing websites on February 20th, 2020, included email addresses, IP addresses, encrypted passwords, and more. Oganesyan also reported that hackers decrypted and published nearly 120,000 of the stolen passwords on March 3rd, 2020. 266,000

Multiple banks (South East Asia) Researchers at Technisanct have discovered 319,669 stolen card details, including CVV numbers, expiry dates and in some cases PIN numbers, for sale on dark web forums. The data was stolen from banks in Singapore, Malaysia, Indonesia, Thailand, Philippines, and Vietnam. The researchers found these card details whilst analysing a random data sample set and note that there may be even more stolen details for sale. 319,669

AnimeGame The gaming site AnimeGame suffered a data breach in February 2020. The data breach exposed email addresses, usernames, and passwords stored as salted MD5 hashes. The data has since been shared on hacking forums. 1,400,000

Foodmandu (Nepal) The food delivery service was targeted in a cyberattack on March 7th, 2020, which resulted in an unauthorised individual gaining access to the company’s customer data. According to Foodmandu, a vulnerability in its web applications has since been fixed. An individual going by the name of ‘Mr. Mugger’ on Twitter posted a link to data belonging to 50,000 customers and claims to have stolen data of 150,000 individuals. The stolen data includes names, mailing addresses, email addresses, and phone numbers. 150,000

Koodoo Mobile (Canada) Koodo Mobile has begun to notify customers about a data breach incident that occurred on February 13th, 2020. The breach was caused by an unauthorised party who accessed the company’s system by using compromised credentials. The stolen data, which covered the period from August to September 2017, included mobility account numbers and telephone numbers. The company warned that this data was being sold on the dark web. This was confirmed by security researchers at KELA who saw the information for sale on various dark web sites, with one marketplace offering over 21,000 Koodo accounts. Unknown

Multiple companies and organisations Researchers at Netskope found many organisations accidentally exposing sensitive data by using common misconfigurations in Google Groups. Exposed data included employee resumes, offer letters, salary details, employee background verification documents, travel itineraries and documents, bank statements, passports and more. In one case, an organisation exposed an email list for password resets, which allowed anyone to view user passwords. Unknown

Orsegups Participações (Brazil) ZDNet and The Hack investigated a configuration failure on an S3 bucket that exposed 25GB of data belonging to Orsegups Participações. The exposed data included tax documents which revealed contractual information, payments, employee social security documents, client names, addresses, Social Security Numbers, and more. Orsegups was notified of the issue on January 31st, 2020, but failed to close the database for several weeks. The company stated that the bucket contained ‘legacy files from a portal that had already been disabled in 2017.’ Unknown

WhisperText LLC (US) A public database with no password protection belonging to Whisper was discovered online. The database contained nearly 900 million Whisper app user records, dating back to the app’s release in 2012. Exposed data included the users’ ‘whispers’, or confessions, that could be tied to their age, location coordinates, ethnicity, gender, hometown, nickname, and more. No real names were exposed. According to Matthew Porter and Dan Ehrlich, who discovered the database, they could also access any user’s account and see the messages a user had responded to, as well as their last login. The company has since removed access to the database. Unknown

Melbourne Polytechnic (Australia) Melbourne Polytechnic disclosed a data breach that occurred between September and December 2018, during which time a total of 55,000 files containing personal, health and financial data were accessed. The school was first made aware of the breach in October 2019. The majority of individuals only had their usernames, passwords and email addresses accessed by an unauthorised individual. However, in some cases passports, drivers’ licences, credit or debit card information, superannuation accounts, tax file numbers, and Medicare details were also compromised. 90,000

Entercom (US) Whilst investigating a cyberattack that took place in September 2019, Entercom discovered a data breach had occurred on August 4th, 2019 on its third-party cloud hosting services. An unauthorised individual gained access to the company’s backup storage for about three hours, during which time information related to Radio[.]com users was accessed. This included names, usernames, and passwords. Unknown

Ministry of Health, Wellness, and Sport (Netherlands) Officials from the Dutch Ministry of Health, Wellness, and Sport revealed that they lost two external hard disks that contained the detail of more than 6.9 million organ donors. The disks, which had last been used in 2016, contained electronic copies of donor forms filed with the Dutch Donor Register. The data was collected between February 1998 and June 2010. The exposed information includes full names, genders, signatures, organ donation choices, and more. 6,900,000

Comcast (US) Comcast accidentally exposed the names, phone numbers and addresses of nearly 200,000 customers that paid to have their personal details delisted. The error occurred after the data was made available on Comcast’s directory Ecolisting, which was then picked up by third-party directories. 20,0000