The latest Private Data breaches from our GDPR Services
– Week 37, 2019 –
This is a curated list of last week’s latest news from our GDPR Services. Be informed about the latest Private Data breaches, identified and reported publicly during Week 37, 2019.
As these Private Data breaches have a severe negative impact on any business and highly serious legal consequences, consider these GDPR Service packages: on-demand GDPR COMPLIANCE or a recurrent monthly service of GDPR COMPLIANCE ADD-ON together with your dedicated data protection OFFICER package.
- NZ Transport Agency admits data breach after lax security
- The New Zealand Transport Agency has admitted to a technology botch-up leaving what was meant to be a highly secure data key wide open. “The Transport Agency can confirm the Google API was incorrectly left open as part of the Traffic Watcher pre-production set up,” NZTA said in a statement. The key is a unique code used to access data from Google’s application programming interface (API), in this case through 2018 and in early 2019. It was used to build Traffic Watcher, an online tool for transport operations centres, maintenance contractors and the police. NZTA denies the bungle cost taxpayers but admits it did not keep track of such expenses.
- 320,000 patient files at risk from ransomware in a Utah attack
- Now, as many as 320,000 patients will be notified by Premier Family, a large organization with 10 locations around Pleasant Grove, Utah, that their protected health information may have been put at risk. “Even though our investigation has found no reason to believe patient information was accessed or taken, we are very concerned that this event even occurred and have taken steps to further enhance the security of our systems,” says Robert Edwards, chief administrator. Premier Family Medicine was attacked with ransomware in July, preventing access to a number of information systems and the data within.
- New Mexico hospital alerts 14,000 patients of data breach
- Artesia (N.M.) General Hospital has notified 13,905 patients of a recent security incident that may have exposed patient information. Artesia General Hospital discovered that between June 11-18 an unauthorized third party had gained access to an employee’s email account. The hacker began sending unauthorized emails from the employee’s account. The hospital is unaware if the hacker viewed or downloaded any patient information that was stored in the email account. Artesia General Hospital said there has been no evidence that patient data has been misused. Patient data that may have been exposed included names, dates of birth, medical record or account numbers, health insurance information and limited treatment and/or clinical information. In some instances, patients’ Social Security numbers were also stored in the compromised email account.
- 198 Million Car-Buyer Records Exposed Online for All to See
- Over 198 million records containing information on prospective car buyers, including loan and finance data, vehicle information and IP addresses for website visitors, have been found exposed on the internet for anyone to see. The non-password-protected Elasticsearch database belonged to Dealer Leads, which is a company that gathers information on prospective buyers via a network of SEO-optimized, targeted websites. According to Jeremiah Fowler, senior security researcher at Security Discovery, the websites all provide car-buying research information and classified ads for visitors. They collect this info and send it on to franchise and independent car dealerships to be used as sales leads. The exposed database in total contained 413GB of data. An ElasticSearch DB belonging to Dealer Leads exposed a raft of information collected by “research” websites aimed at prospective car buyers.
Discover more trending and viral stories from our GDPR Service. The remaining Private Data breaches that made news headlines: UNICEF, Garmin, Monster.com, CircleCI, Pearson. All of this news related to GDPR Services happened in Week 37, 2019 alone.
- Garmin SA Shopping Portal Breach Leads to Theft of Payment Data
- Garmin Southern Africa (Garmin SA) disclosed today in a series of notifications sent to its customers that payment and sensitive personal information were stolen from orders placed on the shop.garmin.co.za shopping portal. Garmin SA was previously a Garmin distributor named Garmin Distribution Africa (GDA) before being acquired by Garmin, a global leader in satellite navigation, in September 2011. Payment info including CVV codes stolen.
- UNICEF data leak reveals personal info of 8,000 online learners
- BRUSSELS — The United Nations children’s agency, UNICEF, has inadvertently leaked personal information belonging to thousands of users of its online learning portal Agora. On Aug. 26, an email containing personal details of 8,253 users enrolled in courses on immunization went out to nearly 20,000 Agora users. The website offers free training courses to UNICEF staff and members of the public on issues such as child rights, humanitarian action, research, and data.
- Monster.com says a third party exposed user data but didn’t tell anyone
- The server contained résumés and CVs for job applicants spanning 2014 and 2017, many of which included private information like phone numbers and home addresses, but also email addresses and a person’s prior work experience. It’s not known exactly how many files were exposed, but thousands of résumés were found in a single folder dated May 2017. Other files found on the exposed server included immigration documentation for work, which Monster does not collect. An exposed web server storing résumés of job seekers — including from recruitment site Monster — has been found online.
- Monster Defends Data Leak Response
- Reports emerged late last week that résumés and other documents belonging to an undisclosed number of job-seekers were found unprotected on the internet by a security researcher: the latest in a long line of privacy snafus. However, although some were identified as having been posted to Monster, the jobs site clarified that the issue was actually the fault of one of its customers. “We alerted the customer and the customer immediately resolved the issue,” said the firm’s chief privacy officer, Michael Jones, in a statement sent to Infosecurity. “As a result of this incident, we have terminated the customer’s contract.” He went on to explain why Monster should not be held responsible for the incident. Sensitive personal data uploaded to a popular recruitment site has been found exposed on an unsecured web server after a third-party client failed to keep it secure.
- CircleCI Customer Data Exposed Through Third-Party Vendor
- CircleCI, a San Francisco-based company that specializes in continuous integration and delivery solutions, on Thursday informed customers that some of their information may have been exposed through a third-party analytics vendor. The DevOps firm said it became aware on August 31 that an attacker had gained access to some user data in its vendor account. An investigation is ongoing, but so far it appears that the incident impacts customers who accessed the CircleCI platform between June 30, 2019, and August 31, 2019.
- Pearson, a British-owned education publishing company, is at the center of a lawsuit filed by an Illinois woman and her daughter over the handling of a data breach involving student personal information.
- An Illinois woman and her daughter filed a lawsuit Thursday against education publishing giant Pearson, accusing the British-owned company of negligently handling student data and causing a data breach that compromised the personal information of nearly one million students in 13 states, including tens of thousands in the Chicago area. The suit alleges the company concealed the breach from students and parents for more than four months. Pearson, headquartered in London but operating in all 50 states, is one of the largest publishers in the world, providing educational tools to schools. Lawsuit Alleges Publisher Breach Affected 1M Students