While it is likely that the breach activity of 2018 won’t reach the level of 2017, a look back at the first nine months suggests that 2018 is on pace to be another significant year for breaches, according to Risk Based Security.
The 2018 Q3 Data Breach QuickView Report found that 3,676 data compromise events were disclosed between 1 January and 30 September, exposing 3.6 billion records. However high those numbers might seem, and despite the consistent pace at which disclosures are reported, 2018 is not expected to see the record number of breaches reported in 2017.
Bankers Life is notifying more than 566,000 individuals, including Medicare supplemental insurance policyholders, that their personal information was exposed in a hacking incident. Employee credentials were compromised, enabling unauthorized third parties to gain access to certain company websites containing personal data on policyholders and applicants, the insurer says.
The incident, which was reported by Bankers Life’s parent company, CNO Financial Group, to the Department of Health and Human Services as an “unauthorized access/disclosure” breach, is the fifth largest incident added to the HIPAA Breach Reporting Tool website so far this year. Commonly called the “wall of shame,” the HHS website lists health data breaches impacting 500 or more individuals.
Pakistan says the nation’s banks have not been hacked, but adds that they are taking defensive steps after nearly 20,000 payment card details appeared for sale online. The State Bank of Pakistan says banks are implementing restrictions on international transactions.
The State Bank of Pakistan did note that one bank was reportedly compromised on Oct. 27, but says that a data breach did not occur. It did not provide further details. Instead, card details may have been harvested from ATMs or merchant point-of-sale machines in skimming attacks.
International banking giant HSBC has reported that it was breached in October, as a result of a credential-stuffing attack.
In a notice [PDF] filed with the state of California, the bank said that it became aware of some online accounts being accessed by unauthorized users between October 4 and 14. The hack affected a segment of the bank’s U.S. customers — less than 1 percent of its U.S. client base, it told the BBC, though exact numbers have not been released.
The incident exposed names, addresses and dates of birth, along with banking-specific information like account numbers and balances, statement and transaction histories, and payee account numbers.
Read more about the HSBC data breach on Threatpost.
Thousands of sensitive documents pertaining to nuclear power plants, prisons and tram networks have been stolen from the servers of a French company in a cyberattack, German and French media have reported. The data illegally accessed from the French company Ingerop back in June amounted to more than 65 gigabytes, according to reports by German public broadcaster NDR, the daily Süddeutsche Zeitung and French newspaper Le Monde.
A spokeswoman from Ingerop said more than 11,000 files from a dozen projects were obtained. They were said to include plans showing the planned locations of video cameras for a French high-security prison, documents about a planned nuclear-waste dump in northeastern France and personal information on more than a thousand Ingerop workers.
Hackers have published what they claim are private messages from at least 81,000 Facebook accounts – and they say the trove contains a fraction of the details they have from a larger cadre of 120 million accounts. In an English-language Dark Web advertisement (now taken down), the perpetrators offered the messages for 10 cents per account.
The BBC Russian Service investigated the supposed heist along with cybersecurity firm Digital Shadows. The team found that within the 81,000 Facebook users in the sample posting, those in the Ukraine and Russia are the main targets (although some others were also impacted). The BBC found evidence that the leaked portion of the archive is real.
Read more about the new Facebook data breach on Threatpost.
The Radisson Hotel Group has experienced a data breach impacting members of the firm’s loyalty and rewards scheme. The chain accounts for over 1,400 hotels in over 70 countries and includes the Park Plaza brand, Country Inn & Suites, Park Inn, and Radisson Collection.
Radisson Rewards members were directly informed on October 30 and 31 that a security incident was discovered on the first of the month which may have involved the leak of personal information. A “security incident” which impacted a “small percentage of Radisson Rewards members” took place weeks before, on September 11. The hotel chain says that no financial data or passwords were involved in the breach.
Read more about the Radisson Hotel Group data breach on ZDNet.
FIFA officials are bracing for new damaging leaks to be published this week after soccer’s governing body fell victim to a phishing attack. FIFA President Gianni Infantino admitted to the new hack while talking to the press after a FIFA Council meeting last week in Kigali, Rwanda.
He said that both FIFA, soccer’s global governing entity, and UEFA, Europe’s soccer body, had received hundreds of questions from journalists about subjects only recorded in FIFA confidential documents. Officials believe that someone at FIFA fell victim to a phishing attack this March, the New York Times reported on Tuesday.
Austral, a top Australian defence firm with major US Navy contracts, has admitted its personnel files were breached and that it was the subject of an extortion attempt. The firm said its “data management system” had been infiltrated by an “unknown offender”.
In a statement, the company claimed that there was “no evidence to date” that “information affecting national security nor the commercial operations of the company have been stolen”. However, it said staff email addresses and mobile phone numbers were accessed and the offender purported to offer materials for sale on the internet and “engage in extortion”. “The company has not and will not respond to extortion attempts.”
If data breaches were a film genre, third-party cyber-risk would be the talk of producers and casting agents; it’s where the money is. Third-party breach scenarios dominate the headlines. The scares are all different — compromised health records, weapons designs, or automakers’ trade secrets — but the plot is the same: leaked and stolen files via compromised contractors, supply chains, or business partners.
The ephemeral specter of third-party cyber-risk haunts the C-suite. Leaders complain they can spend untold sums and time ratcheting down their company’s internal security measures only to see their data and reputation suffer the consequences of errors and carelessness at other companies.
Read about how to confront third-party risks on DarkReading.