List of data breaches and cyber attacks in March 2020 – 832 million records breached

With organisations across the globe turned upside down by the COVID-19 pandemic, there has never been a worse time to suffer a data breach or cyber attack.

And the bad news is that unsettled employees, many of whom are being asked to work from home, and depleted workforces mean there is an increased chance of an incident occurring.

Thankfully, we’ve only found 67 incidents this month, with a total of 832,486,418 affected records – which is only slightly higher than last month’s figures.

However, it bears reminding that most breaches take 100 days or more to be discovered, so we could be seeing the effects of the coronavirus for months after our everyday lives get back to normal.

As always, incidents affecting UK organisations are listed in bold, and you can find more information on the most notable breaches by subscribing to our Weekly Round-up.

Cyber attacks

• Tesco issues customers new cards after credential-stuffing attack (600,000)
• Boots says its Advantage Card database was hit by hackers (150,000)
• Wellington-based Hutt Valley High School comes under attack from cyber criminals (unknown)
• Princess Cruises and Holland America Line caught out by phishing scam (unknown)
• T-Mobile notifies customers of cyber attack on third party (unknown)
• Australia’s Defence Force Recruiting systems were taken offline after security breach (unknown)
• University of Kentucky and UK HealthCare hit by ‘most substantial cyber attack ever in university history’ (unknown)
• European electricity association says criminal hackers infiltrated its systems (unknown)
• Victoria, Australia, school says former student gained unauthorised access to sensitive data (90,000)
• Oklahoma’s Jay Public School District recovering from cyber attack (unknown)
• Czech hospital bit by cyber attack as it battles to contain COVID-19 (unknown)
• South African utility provider Eskom is still feeling effects of a cyber security incident (unknown)
• Wichita State University notifies students and staff of a security incident (1,762)
• Koodo Mobile says customer data was hacked and is being sold on the dark web (unknown)
• Tandem Diabetes Care notifies patients of phishing incident (unknown)
• Oregon Department of Human Services employee hit by phishing email (unknown)
• University of Utah Health notifies patients of phishing attacks that began in January (unknown)
• Cyber attack on Indian property PropTiger exposes customers’ data online (2,156,921)
• Thousands of sites offline after dark web hosting provider hacked (unknown)
• Staff at Teaching Council hit by phishing email (9,735)
• Hacker group has been infiltrating DrayTek enterprise routers to spy on corporate networks (unknown)

Ransomware

• London-based clinical pharmacology testing firm recovers swiftly from Maze ransomware (unknown)
• Minnesota-based Community Development Bank struck by ransomware (unknown)
• Prince Edward Island notifies patients of ransomware attack (unknown)
• Canada’s Simon Fraser University notifies students, alumni and staff of ransomware attack (unknown)
• Legal services giant Epiq Global offline after ransomware attack (unknown)
• Four Queens Hotel and Casino and Binion’s Casino machines out of action in suspected ransomware attack (unknown)
• Spartanburg School District 1 hit with ransomware (5,082)
• Fort Worth ISD becomes the latest Texas city hit by ransomware (unknown)
• Perth-based multinational stops trading amid $30m ransomware demand (unknown)
• Illinois public health agency hit by ransomware amid coronavirus outbreak (unknown)
• Randleman Eye Center says some files were encrypted in cyber attack (unknown)
• Durham, NC, targeted by Ryuk ransomware (unknown)
• Urgent care walk-ins in Texas and Florida locked down after suspected ransomware attack (unknown)
• Houlton, ME, police department hit by ransomware again (unknown)
• Finastra shuts down key systems in suspected ransomware attack (unknown)
• Police investigate ransomware incident at Jamaica National Group (unknown)
• Ohio-based LTI Power Systems targeted by ransomware (unknown)
• South Carolina’s Bluffton Township Fire District systems attacks with ransomware (unknown)
• Medical and military contractor Kimchuk hit by ransomware (unknown)

Data breaches

• Nursing home probed after leaving disabled patients’ data on street (36)
• Virgin Media database was left publicly available for 10 months (900,000)
• Australia’s Alinta Energy accused of putting customers’ sensitive information at risk (unknown)
• Detectives investigate data breach at Jefferson Co. School District (+24)
• US property and demographics database leaked onto the web (201,162,598)
• Malta-based Trident Crypto Fund leaks customer data online (266,000)
• Millions of Brazilians’ data leaked after being stored in unprotected database (81.5 million)
• Anonymous secret-sharing app Whisper exposed sensitive personal data (unknown)
• Dutch government loses two external hard drive containing personal data (6.9 million)
• Northeast Radiology notifies patients after database leaked online (unknown)
• Illinois’ College of DuPage says data breach could affect current and former employees (1,755)
• Rogers notifies patients of data breach after leaving database exposed online (unknown)
• Names of Montenegrin coronavirus patients published on social media (2)
• Chinese microblogging site Weibo confirms that user records were leaked (538 million)
• India-based electronics retailer Vijay Sales made to pay for misconfigured database (unknown)
• Golden Valley Health Centers notifies patients of security incident (unknown)
• Toronto government leaks personal data of elderly and vulnerable (7,227)

Financial information

• Hackers hit NutriBullet with credit card-stealing malware (unknown)
• Financial companies embroiled in massive data leak after failing to encrypt info (500,000)
• Asian credit card details dumped online in massive breach (235,263)

Malicious insiders and miscellaneous incidents

• West Suffolk Hospital apologises after dog walker finds medical records in nature reserve (12)
• Henry Mayo Newhall Hospital fires employees for snooping on medical records (1)

In other news…

• Cathay Pacific Airways fined £500,000 for failing to secure customer data
• Settlement reached in lawsuit over 2016 hack of Quest Diagnostics
• Former Homeland Security Acting Inspector General indicted for stealing personnel information
• Sunshine Behavioral Health Group faces lawsuit after CCPA violation
• NHS suspends cyber security checks amid coronavirus concerns