It was a big month for data breaches, with a confirmed 1,341,147,383 records being exposed in 87 incidents.
However, almost all of those came from one leaked database, the origin of which is unclear.
Here is a full list of data breaches in November – as always, those affecting the UK are listed in bold.
Cyber attacks
- Peer-to-peer lender company LendingCrowd reports security incident (unknown)
- Labour Party hit by “sophisticated” cyber attack (unknown)
- Another cyber attack on Labour Party as election nears (unknown)
- James Fisher and Sons says no data was lost in cyber attack (unknown)
- Perth Anaesthetic Group breached as hackers break into database (unknown)
- NordVPN users’ passwords exposed in mass credential-stuffing attacks (2,000)
- Brooklyn Hospital Center couldn’t recover data after malware attack (unknown)
- Indian startup Vedantu confirms breach of customer details (687,000)
- Four employees at Maine-based InterMed P.A fall for phishing scam (33,000)
- Dental Delta of Arizona discloses data breach caused by phishing attack (unknown)
- Connecticut’s Starling Physicians warns patients after phishing scam (unknown)
- University of North Carolina-Chapel Hill School of Medicine notifying patients after 2018 phishing incident (3,716)
- Online forum of cyber security firm ZoneAlarm hacked (unknown)
- California’s Solara Medical Supplies notifies authorities after phishing attack (114,007)
- TX-based Choice Cancer notifies patients about May security incident (unknown)
- Alabama-based CAH Holdings issues vague notice after company email account breached (unknown)
- Australian drug rehab centre Adele House exposes patient data after giving resident access (>200)
- Dublin-based Liver Wellness tells patients that a hacker accessed its email systems (unknown)
- Activist leaks files from Sayari after it demoed its software with US Immigration and Customs Enforcement (unknown)
- France’s Rouen University Hospital-Charles Nicolle says 6,000 computers affected by malware infection (unknown)
- T-Mobile’s US customers affected by cyber attack (1.1 million)
- Florida Blue members’ personal information at risk following Magellan Health NIA breach (55,000)
- Select Health says patients affected after employee email accounts were compromised (unknown)
- South Korean cryptocurrency exchange Upbit ransacked, crooks steal $48.7M (unknown)
- US-based Ivy Rehab Physical Therapy tells customers their data has been compromised (unknown)
- New Mexico’s Youth Development, Inc. breached in suspected phishing attack (unknown)
- 12-year-old Florida student faces felony charge after hacking school computer to avoid doing schoolwork (unknown)
- OnePlus confirms second data breach in two years (unknown)
- Thousands of Disney+ fans say they’ve been hacked after signing up to new streaming service (>2,000)
Ransomware
- NM-based Las Cruces Public School computers still offline after ransomware (24,710)
- Two major Spanish companies have been hit by ransomware:
  - IT consultancy Everis (unknown)
  - Radio network Cadena SER (unknown)
- Watertown, CT, school system hit by ransomware (2,765)
- Ransomware at Lincoln County School District, Mississippi, shuts down systems (3,197)
- Hosting provider SmarterASP.NET hit by ransomware attack (440,000)
- Mexico’s Pemex Oil suffers ransomware attack, $4.9M demanded (unknown)
- Texas’s Port Neches-Groves Independent School District hit by ransomware (5,131)
- Louisiana state government’s IT systems hit by ransomware (unknown)
- US-based National Veterinary Associates crippled as 400 facilities hit with ransomware (unknown)
- Missouri-based Saint Francis Healthcare says not all records recovered after ransomware (unknown)
- Louisiana Office of Motor Vehicles closed for multiple days after ransomware attack (unknown)
- Massachusetts’ Chicopee Public School district computers, servers hit with ransomware (7,677)
- New York’s Sag Harbor School District affected by ransomware attack (unknown)
- WI-based Virtual Care Provider held to ambitious $14M ransom (unknown)
- US-based security company Allied Universal raided after failing to act on ransomware attack (unknown)
- New Jersey’s Livingston Public Schools ransomware infection delays classes (unknown)
- Southern First Nations Network of Care, a California-based child welfare authority, hit by ransomware (unknown)
- Nebraska’s Great Plains Health infected with ransomware (unknown)
- NYPD pulls its fingerprint database offline after ransomware spreads through connected computers (unknown)
- Marriott notifies California Attorney General’s Office of a third-party incident (unknown)
- Spanish security company Prosegur says it’s been hit by ransomware (unknown)
Data breaches
- Three UK once again lets people see customers’ account data (unknown)
- University of Hertfordshire investigating after classic email gaffe (unknown)
- Sex workers data exposed after VTS Media leaves camgirl website database unprotected (unknown)
- Facebook accidentally shared private group data with partners (unknown)
- California DMV mistakenly gave federal agencies access to Social Security info (3,200)
- Hacker dumps database of infamous IronMarch neo-Nazi forum (3,548)
- Newfoundland and Labrador Medical Care Plan have just noticed missing binder containing patient data (3,300)
- Hurricane Dorian to blame for missing patient files at Bahamas’ Rand Memorial Hospital (unknown)
- US-based retailer Orvis.com leaked hundreds of internal passwords (>200)
- Prank call service users on the wrong end of the joke after data breach (138 million)
- Personnel data from a Dutch fruit wholesaler ended up in criminal file of cocaine investigation (unknown)
- US-based Sunshine Behavioral Health leaves patient files exposed online (90,000)
- BT Security commits Cc/Bcc gaffe in email to information security pros (150)
- Queer Chart, a startup for Stanford’s queer community, exposes user data (unknown)
- Chinese credit rating firm Kaola accused of data breach (unknown)
- WeWork developers exposed contracts and customer data on GitHub (unknown)
- People Data Labs and OxyData.io implicated in massive data breach (1.2 billion)
- French hotel giant Gekko Group leaks 1 TB of client data (unknown)
- Singapore Accountancy Commission accidentally shared sensitive data by email (6,541)
Financial information
- Nikkei worker tricked into transferring millions into scammer’s bank account (unknown)
- Gaping ‘hole’ in Qualcomm’s Secure World mobile vault leaked sensitive data (unknown)
- San Angelo, TX, government latest to investigate Click2Gov breach (unknown)
- College Station, TX, warns customers about Click2Gov breach (unknown)
- Macy’s breached as customer payment data stolen (unknown)
- Dothan, Alabama, the latest to report Click2Gov breach (unknown)
- Church’s Chicken restaurant chain probes data security breach at company-owned sites (unknown)
- US Virgin Islands and Power Authority is the latest victim of Click2Gov breach (unknown)
- Norman, Oklahoma, temporarily suspends utility payment portal after Click2Gov breach (unknown)
Malicious insiders and miscellaneous incidents
- The Guidance Center notifies patients after discovering insider wrongdoing (1,235)
- Staffer for Democratic presidential campaign resigns after abusing access rights (unknown)
- Trend Micro employee sold data that fuelled targeted scams (120,000)
- New Zealand’s Financial Markets Authority investigating third-party security incidents (unknown)
- Main Street Clinical Associates hit by looters after an explosion forced employees to evacuate premises (unknown)
- Mount Dora, FL, medical company caught an employee trying to sell patient info (2)
- Las Cruces Public Schools emails employees with Social Security numbers of vendors (unknown)
- Google sacks four employees, accusing them of data security violations (unknown)
- Pennsylvania-based UPMC Susquehanna says an employee spied on colleague’s file (1)
- NSW Labour party HQ reported for possible data breach (unknown)
- Washington University School of Medicine notifies patient of HIPAA breach (unknown)
In other news…
- The ICO quietly urged court to side with Morrisons in employee data breach case
- UK public sector IT chiefs shrug off breach threats, saying the data isn’t important
- Report: organisations that suffer a data breach will underperform in stock market
- Vigilante hacker Phineas Fisher offers $100,000 bounty to hack banks and oil companies
- Port Neches-Groves ISD recovers from ransomware attack, but only after paying hackers
Brilliant compilation of incidents