Data Breach Reports
DATA BREACH REPORTS
June 30, 2018

CONTENTS
Information & Background on ITRC
Methodology
ITRC Breach Stats Report Summary
ITRC Breach Stats Report
ITRC Breach Report

’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of records exposed in the cumulative annual total.

There are currently two ITRC breach reports which are updated and posted online on a weekly basis. The ITRC Breach Report presents detailed information about data exposure events along with running totals for a specific year. Breaches are broken down into five categories, as follows: business, banking/credit/financial, educational, Government/Military and medical/healthcare. The ITRC Breach Stats Report provides a summary of this information by category. Other more detailed reports may be generated on a quarterly basis or as dictated by trends.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of additional subcategories by what happened and what information (data) was exposed. What they all have in common is they usually contain personal identifying information (PII) in a format easily read by thieves, in other words, not encrypted.

The ITRC currently tracks seven categories of data loss methods: Insider Theft, Hacking (which includes Spearphishing, Ransomware and Skimming), Data on the Move, Employee error/Negligence/Improper disposal/Lost, Accidental web/Internet Exposure, Physical Theft and Unauthorized Access. (Please note that Accidental email, previously included with Accidental web/Internet Exposure, has been recategorized under the Employee error/Negligence/Improper disposal/Lost category.)
Subcontractor/Third Party/BA is included here but is combined with one of the above. In these, as well as some other breaches, there may be more than one category checked.

The ITRC breach list also tracks types of information compromised:
- Social Security number
- Credit/Debit Card number
- Protected Health Information (PHI)
- DMV Records
- Financial Accounts
- Email/Password/User Name

“” has been replaced with “Unknown”, recognizing the number of records may have been reported to some other entity (i.e. government or law enforcement) but is not provided in the information available to the ITRC.

Breach categories:

Business: This category encompasses retail, services, hospitality and tourism, professional, trade, transportation, utilities, payment processors and other entities not included in the other four sectors. It also includes nonprofit organizations, industry associations, nongovernment social service providers, as well as life insurance companies and insurance brokers (nonmedical).

Educational: Any public or private educational facility, from preschool through university level. This category does not include scholarship providers, after school entities, or tutoring organizations.

Medical/Healthcare: Any medical covered entity (CE) or business associate (BA), as defined by HIPAA, in the healthcare industry. Also includes healthcare facilities and organizations which may be attached to schools and universities, and may include pharmaceutical manufacturers. Insurance companies may vary by industry – medical and long term insurance providers will be classified as medical/healthcare. (Included on hhs.gov list)

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Government/Military: Any city, county, state, national or military entity; or a department within one of these entities. In the event that a medical facility is also a government or military entity, it will be listed under Government/Military. Entities such as Veteran Association Medical Centers (VAMC) will be included in this sector.

Banking/Credit/Financial: This sector includes entities such as banks, credit unions, credit card companies, mortgage and loan brokers, financial services, investment firms and trust companies, payday lenders and pension funds (savings plans).

Identity Theft Resource Center
2018 - Data Breach Category Summary
How is this report produced? What are the rules? See below for details.
Report Date: 7/2/2018

Totals for Category: Banking/Credit/Financial
# of Breaches: 84    # of Records: 1,705,354    % of Breaches: 12.6%    % of Records: 7.6%

Totals for Category: Business
# of Breaches: 309    # of Records: 15,213,588    % of Breaches: 46.3%    % of Records: 67.9%

Totals for Category: Educational
# of Breaches: 45    # of Records: 642,270    % of Breaches: 6.7%    % of Records: 2.9%

Totals for Category: Government/Military
# of Breaches: 49    # of Records: 1,598,501    % of Breaches: 7.3%    % of Records: 7.1%

Totals for Category: Medical/Healthcare
# of Breaches: 181    # of Records: 3,248,545    % of Breaches: 27.1%    % of Records: 14.5%

Totals for All Categories:
# of Breaches: 668    # of Records: 22,408,258    % of Breaches: 100.0%    % of Records: 100.0%

2018 Breaches Identified by the ITRC as of: 7/2/2018
Total Breaches: 668
Records Exposed: 22,408,258

The Identity Theft Resource Center breach database is updated daily and published to our website weekly. A US-based breach, as identified by our current process, is considered public when one of these occurs:
1) Published by a credible source (sources include Offices of the Attorney General, and established media – TV news, radio, newspapers)
2) A letter notifying a potential victim has been received

ITRC will provide attribution of the source and include the relevant data to the extent that has been made public in our findings.
If the number of records is not made publicly available, ITRC will note that in the report as “unknown” indicating we do not have the specifics of the actual number impacted. Identity Theft Resource Center reserves the right to make an educated estimate to the potential of impact based on our knowledge and understanding of the specifics of the policies of the reporting entity.

The ITRC would like to thank CyberScout for its financial support of the ITRC Breach Report, ITRC Breach Stats Report and all supplemental breach reports.

Copyright 2018 Identity Theft Resource Center

Identity Theft Resource Center
2018 Breach List: Breaches: 668 Exposed: 22,408,258
How is this report produced? What are the rules? See last page of report for details.
Report Date: 7/2/2018

ITRC Breach ID: ITRC20180702-14
Company or Agency: Palo Alto Unified School District
State: CA
Published Date: 2/14/2018
Breach Type: Electronic
Breach Category: Educational
Records Exposed?: Yes - Published #
Records Reported: 353

Regrettably, we are writing to inform you that during an audit of our information storage practices on January 18, 2018, the District learned that an employee was storing confidential parent information on his laptop. (Type of information exposed per NY AG's office)

Attribution 1
Publication: NY AG's office
Author:
Article Title: Palo Alto Unified School District
Article URL: Per FOIL NY AG's office

ITRC Breach ID: ITRC20180702-13
Company or Agency: Jay Zabel & Associates, LTD
State: IL
Published Date: 2/5/2018
Breach Type: Electronic
Breach Category: Business
Records Exposed?: Yes - Published #
Records Reported: 191

Attribution 1
Publication: NY AG's office
Author:
Article Title: Jay Zabel & Associates, LTD
Article URL: Per FOIL NY AG's office

ITRC Breach ID: ITRC20180702-12
Company or Agency: Metropolitan Life Insurance Company
State: NY
Published Date: 2/1/2018
Breach Type: Electronic
Breach Category: Business
Records Exposed?: Yes - Published #
Records Reported: 335

After investigation, including communications with the policyholder and the policyholder’s agent, we concluded that an unauthorized individual possessing the agent’s account credentials (obtained from a source other than MetLife) had contacted MetLife in November 2017, posing as the agent and using the agent’s credentials, to obtain a copy of the policyholder’s MetLife policy application. This document included the policyholder’s name, address, date of birth and Social Security number.

Attribution 1
Publication: NY AG's office
Author:
Article Title: Metropolitan Life Insurance Company
Article URL: Per FOIL NY AG's office