2019 data breaches: 4 billion records breached so far
Mega-breaches grab headlines, but hundreds of less familiar data hacks also could increase your risk of identity theft.
Data breaches have run at a record pace in 2019. Consider these statistics for the first half of the year:
- 3,800: The number of publicly disclosed breaches.
- 4.1 billion: The number of records exposed.
- +54%: Increase in number of reported breaches vs. first six months of 2018.
Here’s a look at some of the 2019 data breaches arranged by business sector, including actions you could take help protect your personal information against identity theft.
Cyber threats have evolved, and so have we.
Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.
Try Norton 360 with Lifelock.
Date: March 22 and 23, 2019
Date: March 22 and 23, 2019
Number of records breached: 106 million
Information exposed: The largest category of information accessed during this breach was information that Capital One routinely collects when it receives credit card applications from consumers and small businesses, including names, addresses, ZIP codes, phone numbers, email addresses, birthdates and self-reported income. Also exposed, in some cases, were customer credit scores, credit limits, balances, payment history, and contact information. The hacker behind this breach also accessed about 140,000 Social Security numbers of potential Capital One credit card customers and about 80,000 linked bank account numbers of secured credit card customers. No credit card account numbers or log-in credentials were compromised. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.
Description: This data breach ranks as one of the biggest in history. A hacker named Paige Thompson infiltrated the servers of a third-party cloud computing company contracted for use by Capital One. According to the U.S. Department of Justice, Thompson exploited a misconfigured web application firewall to gain access to the information.
According to Capital One, Thompson completed her hack on March 22 and 23, 2019. She has since been arrested. Overall, the breach affected about 100 million consumers in the United States and about 6 million in Canada.
The data breach has been a costly one. CNN Business reported that Capital One expected to suffer from $100 million to $150 million in costs related to the hack. These costs stem from notifying customers who were affected, providing these customers free credit monitoring, defending itself against legal actions, and upgrading its technology to fix the vulnerability.
What should you do?
- Capital One has notified by mail all individuals whose Social Security numbers or linked bank account numbers were accessed.
- Capital One has offered free credit monitoring and identity protection services to everyone affected, and you should consider taking the company up on this offer.
- Monitor your Capital One accounts for suspicious purchases or activity.
- Monitor your other online accounts, too, for suspicious activity.
- Order free copies of your credit reports from Experian, Equifax, and TransUnion at AnnualCreditReport.com to make sure no one has taken out new accounts in your name.
Date: February 22, 2019
Number of records breached: 100 million
Information exposed: Names, email addresses, passwords, and IP addresses of Evite customers.
Description: Evite reported that in February 2019, an unauthorized party acquired an inactive data storage file holding information about the company's users from 2013 and earlier. According to a security update from Evite, the information exposed could include names, usernames, email addresses, passwords, and, if users provided this information, dates of birth, phone numbers and mailing addresses.
Users affected by this breach don't have to worry about their Social Security numbers, bank account numbers, or credit card numbers. Evite says that its customers' financial and payment data was not affected because the company does not store this information.
What to do:
- First, change your password for your Evite account.
- Change your password for any account on which you used this same password. If you don't, someone could potentially access your other accounts using this now-exposed password.
- Review your other online accounts for suspicious or unfamiliar activity.
Date: May 4, 2019
Number of records breached: 4.9 million people potentially affected
Information exposed: DoorDash said user information accessed included names, email addresses, delivery addresses, phone numbers, and hashed and salted passwords (which can make the passwords indecipherable to third parties). For some users, additional information was exposed. The data breach accessed the last four digits of consumer payment cards for some customers, but not the full credit card information. Drivers and merchants may have had the last four digits of their bank account numbers accessed. Also, the driver’s license numbers of about 100,000 drivers was accessed.
Description: DoorDash, an app-based food-delivery service, on September 26, 2019, disclosed a data breach affecting 4.9 million people who joined prior to April 5, 2018. Delivery workers, restaurants, and customers could be affected. The company said user information was accessed by an unauthorized third party.
What to do:
- Reset your password on your account. In general, it’s a good idea to create unique, strong passwords on all your accounts. If you used your DoorDash password for any of your other accounts, be sure to update those login credentials, as well.
- Monitor your payment card statements. Although the DoorDash breach didn’t expose full bank card numbers, it’s always a good idea to check your statements for suspicious or unfamiliar charges.
American Medical Collection Agency
Date: August 1, 2018, to March 30, 2019
Number of records breached: More than 20 million
Information exposed: Social Security numbers, dates of birth, payment card data, and credit card information.
Description: American Medical Collection Agency collects overdue payments for medical labs such as Quest Diagnostics, Laboratory Corporation of America, CareCentrix, and Conduent. A long-running data breach exposed the records of these labs' customers, including such sensitive information as Social Security numbers and bank account information.
Cybersecurity firm Gemini Advisory on February 28 discovered this information on the dark web. The firm's analysis determined that the information was probably stolen from the online portal of American Medical Collection Agency.
American Medical Collection Agency has since filed for bankruptcy protection, a move it took in June 2019. The company cited IT costs, possible lawsuits, and the loss of business from its biggest medical laboratory customers in its bankruptcy filing.
What to do:
- Monitor your credit card and bank accounts for suspicious activity.
- Change the passwords at your online banks. Do the same for the web portals of your bank and credit card providers.
- Sign up for a credit-monitoring service.
- Consider freezing your credit at the national credit bureaus of Experian, Equifax and TransUnion at AnnualCreditReport.com.
Date: From November 8 through December 28, 2018. Zoll discovered the breach on January 24, 2019.
Number of records breached: 277,319
Information exposed: Patient names, addresses, birth dates, Social Security numbers, some medical information may have been among the information exposed.
Description: Zoll Medical, based in Chelmsford, Massachusetts, manufactures medical devices and software. It also relies on a third-party provider to archive its old email messages, including messages that include personal information such as the Social Security numbers, birth dates and addresses of patients. During a server migration in late 2018, some of the information in those emails was exposed, Zoll said. The manufacturer, in a statement, said that the information was exposed during a period that lasted from November 8 through December 28, 2018.
According to published reports, Zoll would not say whether the records were exposed because of a hacker or if the exposure happened because of a mistake by the third-party servicer.
In a statement regarding the data breach, Zoll said that the vendor has since secured the exposed information. Zoll also said it is not aware of any fraud or identity theft to any individual as a result of the exposure.
What should you do?
- Zoll is offering free credit and identity monitoring services to impacted patients for a year. If the company contacts you, take it up on its offer.
- If you are worried that your information has been exposed, contact Zoll at 1-833-231-3358, the number set up by the company to deal with the breach.
- Order free copies of your credit reports from Experian, Equifax and TransUnion at AnnualCreditReport.com to make sure no one has taken out new accounts in your name.
Date: December 14, 2018, to March 22, 2019
Number of records breached: 1.3 million
Information exposed: Names, addresses, Social Security numbers and birth dates.
Description: Starting in December 2018, an unknown outside entity accessed a central database maintained by Georgia Tech University. The database contained the names, addresses, Social Security numbers, and birth dates of current and former students, faculty members, and staffers at the school. Georgia Tech said the information of 1.3 million people might have been exposed in the breach.
Georgia Tech says it is notifying 1.265 million people and offering credit monitoring and identity theft protection services to those whose Social Security numbers were exposed. The university has also established a dedicated call center for individuals who have questions about the breach.
What to do:
- Georgia Tech recommends that university students, faculty, and staff actively monitor their credit reports, credit card statements, and bank statements for unauthorized activity.
- If the university did offer you free credit monitoring and identity theft protection, consider taking it up on the offer. These services could help you determine if someone is using your information to make unauthorized purchases or opening accounts or loans in your name.
Federal Emergency Management Agency (FEMA)
Date: The Office of the Inspector General issued its findings on March 15, 2019
Number of records exposed: 2.3 million
Information exposed: Street addresses, financial institution names, electronic funds transfer numbers, and bank transit numbers of survivors of hurricanes Harvey, Irma, and Maria, and the California wildfires.
Description: Not all data breaches are the result of hackers. Sometimes errors on the parts of government agencies or private companies can expose the personal information of people. That is the case of 2.3 million records that were unnecessarily exposed by the Federal Emergency Management Agency, better known as FEMA.
According to the Office of the Inspector General, in March FEMA released sensitive personally identifiable information of the survivors of several natural disasters: hurricanes Harvey, Irma, and Maria, and the California wildfires. The information should not have been released, the Office of the Inspector General said, saying that FEMA violated the Privacy Act of 1974 in doing so.
According to the Office's complaint, FEMA released unnecessary personal information to a contractor that runs a program designed to help survivors find temporary lodging at hotels. The office says that FEMA gave the contractor information from more than 20 unnecessary data fields, including the names of applicants' financial institutions, electronic funds transfer numbers, and bank transit numbers.
The Office of the Inspector General said that by releasing this information, FEMA put the survivors of these disasters at increased risk of identity theft and fraud.
What to do:
- If your information was exposed, monitor your bank accounts for suspicious or unfamiliar activity.
- Freeze your credit at the three national credit bureaus of Equifax, TransUnion and Experian. You can do this online and the process is free.
- Office of Inspector General
Palm Bay, Florida
Date: August 29, 2019
Number of records breached: Up to 8,500.
Information exposed: The billing information of up to 8,500 Palm Bay residents who pay their utility bills through the city's online portal.
Description: A third-party company that operates the payment portal Click2Gov told the city of Palm Bay that it found evidence of malware that may have compromised the billing information of thousands of the city's utility customers.
The good news is that the billing information contained on Click2Gov is encrypted. This means that if someone attempted to access the exposed information, they would be unable to do so without the unique decryption key to unlock and decipher it. This adds an extra layer of protection for Palm Bay customers.
According to news channel WFTV, the city of Palm Bay has since moved the billing information to a new server and removed any malware from the system.
What you should do
- Monitor your credit card statements and bank accounts for any suspicious activity. Make sure you recognize all the charges, withdrawals and payments associated with your accounts. If you see unfamiliar activity, call your bank or credit card provider.
- Freeze your credit with the national credit bureaus of Experian, Equifax and TransUnion, something you can do online at each of these bureaus. Doing so can help prevent criminals from opening new accounts in your name.
- Change your passwords. It’s always a good idea after your information might have been exposed to change the passwords of your credit and bank accounts and any other sensitive sites where you use the same passwords.
BioStar 2, a Suprema-based security platform.
Date discovered: August 5, 2019.
Number of records breached: 28 million records of over 1 million people worldwide.
Information exposed: Fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, personal details of staff.
Description: Security researchers with Vpnmentor discovered the unencrypted database belonging to Suprema, a global biometrics, security and identity company. Thousands of companies use BioStar 2, Suprema’s web-based security platform, which is a biometrics lock system. It uses fingerprints and facial recognition to give a company’s employees access to buildings, offices, and other facilities. Security researchers say BioStar’s database was unprotected, meaning someone could access the information and potentially steal it.
What to do:
- There’s not much you can do to prevent an accidental exposure or intentional breach of your personal information, though you can take steps to limit who collects your biometric data.
- If an employer or any other business or organization asks to collect your biometric data, check to see if you can supply an alternate form of identification.
Victim of a data breach? LifeLock monitors for identity theft and threats.
Norton joined forces with LifeLock, we offer a comprehensive digital safety solution that helps protect your devices, connections and identity.
Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Copyright © 2020 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.