Security News Survey – June 21, 2019

A look at a new U.S. data breach study, an update from Oregon DHS, another Gnosticplayers hack, and a massive employee-led data leak.

We see new data breaches pop up every week across the United States, but have you ever wondered which state is taking the top spot for its data breach troubles? A new study published this week sheds light on that exact question. Let’s take a look.

New data reveals California most afflicted by data breaches
Some interesting new security breach data has been published by consumer group Comparitech. The company looked at the number of data breaches by state between 2008 and 2019 based on data collected by the Identity Theft Resource Center and Privacy Rights Clearinghouse and found that California tops the list of most data breaches and records exposed.

The state suffered 1,493 breaches affecting around 5.6 billion records during the 11-year period. New York came in second, although it suffered fewer than half as many breaches as California (729 data breaches). The top five were rounded out by Texas (661), Florida (523), and Massachusetts (362). The fact that California leads other states in data breaches may be due to the sheer volume of companies within the state, many of which are tech and internet companies that are frequently targeted. Regardless of the cause, California certainly has a mountain to climb in terms of curbing data breaches in the state.

The report also found that every lost or stolen record cost an average of $148, totaling around $1.6 trillion since 2008. The most records were exposed in 2016 (4.6 billion), and the most data breaches occurred in 2017 (1,683) thus far.

If you’re interested in taking a closer look at Comparitech’s data, check out their online spreadsheet that details every reported data breach by state.

Oregon DHS begins notification of clients impacted by January data breach
In March, we briefly discussed the Oregon Department of Human Services (DHS) data breach that impacted personal health information (PHI) of hundreds of thousands of people who were enrolled in the department’s welfare and children services program. This week, the total of impacted clients was confirmed to be 645,000—almost double the figure that was initially reported—and the department is now in the process of notifying these individuals. The breach occurred after nine employees fell victim to a phishing scam that gave the attacker access to their email accounts. The department has been investigating the incident with the help of outside security experts. The Oregon DHS Enterprise Security Office Cyber Security team shut down the accounts as soon as malicious activity was discovered, but it appears around 2 million emails had already been affected. The department is offering impacted individuals 12 months of identity theft monitoring and recovery services.

EatStreet suffers hack at hands of Gnosticplayers
Online food ordering service EatStreet disclosed a data breach this week that occurred after a hacker infiltrated a company database and stole customer and partner information. ZDNet has reported that the hacker behind the breach is Gnosticplayers, the same hacker who has recently wreaked havoc by breaching several big consumer brands like Canva, Under Armour, Evite, and more. According to EatStreet, the hacker appeared to have access to the database between May 3rd and May 17th, at which point the intrusion was detected and terminated. Compromised customer information includes names, credit card details, billing addresses, and more. Compromised partner information includes names, contact information, bank accounts, and routing numbers.

Employee leaks information of 2.9 million Desjardins members
On Thursday, it was revealed that data belonging to 2.9 million members of Desjardins, the largest federation of credit unions in North America, has been shared with third parties. Affected information includes names, contact information, dates of birth, social insurance numbers, and more, but, according to Desjardins, no passwords or security information were exposed. According to reports, law enforcement authorities alerted the Quebec-based cooperative to the breach on June 14. Desjardins has publicly confirmed that the breach occurred when an employee improperly accessed and shared the information. The employee has since been fired, and the company says it will offer impacted members credit monitoring and identity theft insurance for one year.