Leaky databases and servers seemed to be the overriding theme for September, with phishing scams taking a close second. Phishing attacks hit five healthcare providers, while discovered data leaks were associated with Facebook, a mattress company, and the entire nation of Ecuador. As always, our Month in Hacks roundup emphasizes the importance of internet security across the board (and the planet).
Phishing attacks are still successfully baiting individuals, this time hooking employees from five different healthcare providers. The five providers reported potential patient data breaches in early September, although the workers fell prey to the phishing attacks earlier in the year. Several University of Cincinnati Health employees were victimized in July, with attacks that potentially compromised patient data stored in email accounts. The attack on East Central Indiana School Trust, a self-funded insurance trust, involved one employee, leaving the personal data of the trust's more than 3,000 members at risk in May. A phishing attack that lasted a full week hit New Mexico's Artesia General Hospital in June, potentially compromising data of nearly 14,000 patients. Hackers gained access to several employee email accounts at Conway Regional Medical Center in Arkansas, giving them access to patient personal and health information stored in the accounts. Three employees at Carle Foundation Hospital in Illinois also fell victim to phishing scams in a three-week June attack. The attack gave hackers access to data related to more than 1,600 patients.
An online stash of hundreds of millions of phone numbers associated with Facebook accounts was discovered this month, all stored on a server accessible to anyone who found it. The server was not password-protected, and it contained more than 400 million records of Facebook users in the U.S., the U.K., Vietnam, and beyond. The individual records each had a user's Facebook ID and phone number listed with the account. Some records also contained the user name, along with the user's country and gender. Not only are users at risk for spam calls, but phone numbers can also be used to force-reset passwords on internet accounts associated with the number. A Facebook spokesperson said the data set is old and appears to have been scraped prior to Facebook making changes that eliminated the ability to find people by using their phone numbers.
The personal information of more than 20 million Ecuador citizens was leaked by an unprotected server, with information that included names, phone numbers, national identity cards and dates of birth. While the server was hosted in Florida, it was run by the Ecuadorian data company Novaestrat. The data appeared to have been obtained from both government and private sources, such as a bank, automotive association and government registries. Ecuadorian authorities rapidly raided the Novaestrat legal rep's home, and they're following up with a criminal investigation into the company. Ecuador residents learned of the breach Sept. 16. The compromised data included info on adults as well as their children.
An unprotected online database was to blame for leaking records of more than 380,000 customers of Milwaukee's Verlo Mattress. The database had no password protection, exposing the customer data to anyone who found it online. Data included names, emails, home and billing addresses, and phone numbers. Additional data in the files contained login credentials for internal users, along with information that would allow potential hackers to dive deeper into the network. Verlo Mattress did not respond to requests for comment from the cyber security researcher who discovered the leak, although access to the data was limited after the initial request for comment was sent.