List of data breaches and cyber attacks in December 2019 – 627 million records breached

The new year – and new decade – is underway, but before saying goodbye to 2019, we have one more monthly round-up to get to.

December saw 90 disclosed data breaches and cyber attacks, with 627,486,696 records being compromised. That’s about a third of the average monthly total, although the number of incidents has climbed steadily throughout the year.

We are currently working on an infographic summarising the data we’ve collected throughout the year – so look out for that in the coming weeks.

In the meantime, here’s the full list of December’s incidents (breaches involving UK organisations have been highlighted):

Cyber attacks

• UKIP embroiled in email blackmail as High Court refuses computer seizure attempt (143)
• Monash IVF Group warns patients of data theft after phishing attack (unknown)
• BMW and Hyundai hacked by Vietnamese cyber criminals (unknown)
• Hackers break into government system used by the country’s schools (unknown)
• Cyber crooks attack Indian armed forces with phishing scam (unknown)
• FBI investigating after City of Newnan, GA, breached by unauthorised individual (unknown)
• Pensacola, FL, not sure if cyber attack related to shooting at naval air station (unknown)
• Streaming pirate Helix Hosting taken offline by vengeful cyber criminals who threaten to leak users’ info (unknown)
• Cyber attack halts radiation treatment in Oahu cancer centre (unknown)
• Singapore-based retailer Love, Bonito apologises to customers after malware infection (unknown)
• Washington State-based Walla Walla University hit by malware (unknown)
• Canadian healthcare provider LifeLabs discloses cyber attack (15 million)
• Saudi hacker gives students full grades, faces jail and millions in fines (19)
• New Milford, CT, warns residents after email breach (unknown)
• RavnAir flights in Alaska cancelled after cyber attack (260)
• Juniata College, PA, notifies those affected by email breach (unknown)
• Singapore’s Ministry of Defence contractor ST Logistics caught in phishing scam (2,400)
• Chinese government-linked hacking group has been bypassing 2FA in a wave of attacks (unknown)
• Israeli spyware allegedly used to target Pakistani officials’ phones (+24)
• Roosevelt General Hospital, NM, discovers malware on radiology server (unknown)

Ransomware

• Illinois’ Sycamore School District 427 hit by ransomware (3,763)
• Data centre CyrusOne suffers ransomware attack (unknown)
• The Southeastern Minnesota Oral & Maxillofacial Surgery discloses ransomware (80,000)
• More than a hundred dental offices affected by ransomware at Colorado IT provider (unknown)
• NJ-based Hackensack Meridian Health operational again after week-long disruption (unknown)
• New Hampshire’s Sunapee Middle–High School resolute in the face of ransomware (unknown)
• East Greenwich, RI, government systems offline after ransomware attack (unknown)
• Shakespeare Theatre of New Jersey hit by ransomware (unknown)
• Louisiana Community College crippled by ransomware (unknown)
• Galt, CA, government suffers ransomware attack (unknown)
• Yerington Pauite Tribe hit by ransomware attack (unknown)
• Canadian insurance firm Andrew Agencies struck by ransomware (unknown)
• Henry Co., GA, spent $650k restoring its systems after ransomware attack (unknown)
• HMI Institute of Health Sciences hit by ransomware, affecting Singapore Armed Services (98,000)
• Arkansas-based telemarketing company The Heritage Company shut down by cyber attack (unknown)
• San Antonio mental health and substance abuse services provider hit by ransomware (unknown)
• California-based IT services provider Synoptek suffers ransomware attack (unknown)
• Ryuk ransomware takes down US Coast Guard facility (unknown)
• Secret Service investigating data hack at Bonny Eagle schools (unknown)

Data breaches

• Brechin High School leaks health conditions of students in assembly slideshow (52)
• Fashion rental company HURR Collective notifies users of security incident (400)
• Government publishes home address of Elton John and other New Year’s Honest list recipient on Cabinet Office website (1,000)
• SMS provider TrueDialog leaks unencrypted records online (+20 million)
• New Zealand police investigating after potential breach in gun buy-back scheme (+70,000)
• Choice Hotels discovers breach that occurred under a specific set of circumstances (88,000)
• New Mexico-based Presbyterian Health says May breach was bigger than initially thought (96,000)
• Sprint contractor left phone bills on the Internet by mistake (261,300)
• Japan’s Kanagawa Prefecture says nine HDDs with personal data were auctioned off (unknown)
• HackerOne pays $20,000 bounty for identification of bug on its platform (unknown)
• Katy Independent School District says staff info was ‘inadvertently’ released (unknown)
• Bug in Indian mobile network provider Airtel exposes users’ information (300 million)
• Marketing firm iPR Software leaks personal details and passwords of its users (512,000)
• Months-long privacy breach at Zuckerberg San Francisco General Hospital (1,174)
• Spartan Technology employee uploaded South Carolina residents’ info onto public database (5.2 million)
• Washington DC consultancy firm IMGE accidentally doxxed Boeing employees (6,000)
• Honda North America responds quickly after data breach is revealed (1 million)
• China Citizen Watch finally secures 150 TB of leaking data (unknown)
• SonyLIV fixes leaky Elasticsearch in record time (unknown)
• Ring camera leak exposed customers’ personal information (3,672)
• Facebook exposed users’ names, phone numbers and profiles, researcher says (267 million)
• Healthcare startup denies leaking patients’ medical images (unknown)
• Vistaprint Logomaker files publicly accessible due to insecure Amazon S3 bucket (unknown)
• Belgian-based Allianz Partners says strongbox containing sensitive data was stolen (160,000)
• IoT provider Wyze confirms server leak (2.4 million)

Financial information

• Massachusetts-based Smith & Wesson store hit by malware infection (unknown)
• Fort Worth Water Department say customers may have had their info stolen (3,000)
• Colorado’s Sunrise Community Health notifies patients of hack (unknown)
• Cucamonga Valley Water District, CA, the latest Click2Gov victim (unknown)
• Leesport, PA, residents warned that local tax collector was hacked (unknown)
• Wisconsin-based Cheyenne Regional Medical Center notifies patients of payroll hack (unknown)
• Waco, TX, discloses Click2Gov breach (2,500)
• Thief stole banking info from Facebook employees after hard drives were left in a car (29,000)
• Iranians’ debit card info exposed as the nation’s banks fall victim to cyber warfare (15 million)
• Odessa, TX, notifies residents of Click2Gov breach (unknown)
• Rooster Teeth Productions breach allowed hackers to steal credit card data (unknown)
• Sugarland, TX, becomes third Texas city to disclose Click2Gov breach this month (unknown)
• Web skimmers suspected as Turkish payment card details put up for sale (455,000)
• Residents of Marietta, GA, the latest affected by Click2Gov breach (8,800)
• US convenience store chain Wawa discloses malware attack on payment systems (unknown)
• Aurora Water, CO, announced data breach involving Click2Gov payment system (unknown)

Malicious insiders and miscellaneous incidents

• NHS radiographer faces used female patient info to hound them for dates (+200)
• Nebraska Medical Center says employee gained unauthorised access to sensitive info (unknown)
• Former Rhode Island court clerk charged with illegally accessing records (unknown)
• NYC Health & Hospitals Corp. investigating employee who sold health records to law firms (unknown)
• The Canada Revenue Agency lost tax information in truck accident (unknown)
• Canadian telecoms company Shaw notifies customers after computer containing sensitive information is breached (unknown)
• ‘Curious’ employee at the North Ottawa Community Health System improperly accessed patient files (4,013)
• Former employees at Arizona-based Freedom Financial Network accused of theft, computer tampering (unknown)
• Former employee at Lurie Children’s Hospital of Chicago wrongfully accessed patient data (unknown)

In other news…

• A former Dorset County Council Social Services Support Officer has been prosecuted for data theft
• The NHS lost hundreds of thousands of letters between 2011 and 2016
• Malicious insider behind Jet2 cyber attack sentenced to 10 months in prison
• Dutch politician faces three years in prison for hacking Cloud account and leaking nudes
• Victims of 2018 Ticketmaster Ireland breach are filing lawsuits