Data Breaches Caused By Third-parties

2019 Data Leaks

Data Leaks for 2019

Date Company  Data Breached Use of 3rd Party 3rd-party Company
November Palo Alto Networks seven current and former employees’ information, including names, dates of birth, and Social Security numbers not disclosed not disclosed
November Facebook and Twitter email addresses, usernames and recent tweets SDK kit One Audience
November The city of Charlottesville not disclosed tax collections not disclosed
November TennCare 44,000 members information pharmacy management vendor Magellan Health System
November Macy’s first and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes, and expiration dates Website Javascript not disclosed
November City of San Angelo not disclosed online water bill payments software company Click2Gov
November Pompano Beach City 4,000 residents’ data online water bill payments software company Click2Gov
November Florida Blue 5 million members’ information managed care company Magellan Health Inc
October UniCredit 400,000 Italian clients’ information not disclosed not disclosed
October NordVPN some of the browsing habits of customers data center provider not disclosed
October Geisinger Health Plan undisclosed number of patients’ information manage radiology benefits Magellan National Imaging Associates
October The Clark County School District 560,000 students’ information learning assessment platform Pearson Clinical Assessment (AIMSweb)
October CenturyLink 2.8 million CenturyLink customer information, including names, addresses, phone numbers, email addresses and CenturyLink account numbers notification platform not disclosed
October GW community members thousands of usernames, passwords and addresses educational technology company Chegg
October Uber, Slack, and FCC 10,000 Zendesk Support and Chat accounts customer service software provider Zendesk
September Ames parking ticket payments 1,498 individuals’ information includes encrypted credit or debit card numbers, first names, last names, addresses and email addresses payment software system Click2Gov
September City of Broken Arrow, Deerfield Beach, Palm Bay, Milton, Bakersfield, Coral Springs, Pocatello, Ames online payment system not disclosed payment software system Click2Gov
September DoorDash 4.9 million consumers, Dashers, and merchants service provider not disclosed
September Malindo Air Malindo’s passengers’ information not disclosed not disclosed
September Yves Rocher 2.5 million Canadian customers’ personal data Consulting services Aliznet
September GitHub And Bitbucket usernames and email addresses associated with GitHub and Bitbucket and IP addresses and user agent strings & organisation name, repository URLs and names, branch names, and repository Analytics company CircleCI
August Mastercard 90,000 customers’ names, addresses, and credit card numbers loyalty program not disclosed
August Cable One 14 Cable One employee accounts may include addresses, Social Security numbers, government-issued identification numbers, financial account numbers, digital signatures or medical and health insurance information not disclosed not disclosed
August Naperville Unit District 203, Indian Prairie Unit District 204, St. Charles Unit District 303 and Geneva Unit District 304 3,700 students information in District 203, 49,000 students information in District 204, 3,206 students information in District 303 and 8,000 students information in District 304 learning assessment platform Pearson Clinical Assessment (AIMSweb)
August DeKalb School District 428, Wilmette Public Schools District 39, The School District of Clayton, Brighton, Brockport, East Irondequoit, Fairport, East Rochester, Greece, Pittsford, Rochester, Spencerport, Victor, Webster and West Irondequoit school districts students’ and teachers’ information (names, surnames, birthdates) learning assessment platform Pearson Clinical Assessment (AIMSweb)
July Shenandoah County Public School, Wallingford School student’s name, date of birth and email address learning assessment platform AIMSweb
July American Esoteric Laboratories, Sunrise Medical Laboratories, CBLPath, Laboratory Medicine Consultants, Austin Pathology Associates, South Texas Dermatopathology, Pathology Solutions, Laboratory of Dermatopathology ADX, Seacoast Pathology, Western Pathology Consultants, Arizona Dermatopathology, Natera 534,500 patients information and 7,400 financial data of AEL, 412,000 patients information with 15,000 financial data of SML, 145,100 patients information with 3,800 financial data of CBLPath, 143,400 patients information with 4,200 financial data of LMC, 44,700 patients information with 1,800 financial data of APA, 14,900 patients information and 1,200 financial data of STD, 12,700 patients information with 600 financial data of PS, 4,000 patients information and 240 financial data of ADX, 9,200 patients information with 800 financial data of SP, 4,200 patients information with 350 financial data of WPC, 6,500 patients information with 500 financial data of AD, unknown number of Natera collections vendor American Medical Collection Agency
July Clinical Pathology Laboratories 2.2 million patients information and 34,500 financial information collections vendor American Medical Collection Agency
June Westpac Bank Up to 100,000 Australians’ personal information payments platform PayID
June Komodo Komodo hacked its own customers and, without their authorisation, transferred nearly 8 million KMD and 96 Bitcoins from their cryptocurrency wallets to a new address owned by the company to protect its customers’ funds. JavaScript library not disclosed
June Opko Health 422,600 patients information collections vendor American Medical Collection Agency
June Quest Diagnostics, Laboratory Corporation of America (LabCorp) 12 million patients of Quest Diagnostics, 7.7 million Laboratory Corporation of America (LabCorp) patients information collections vendor American Medical Collection Agency
May U.S. Customs and Border Protection 100,000 traveller photos and licence plate images not disclosed not disclosed
May VAG, Ericsson, Leica, MAN, Toshiba, UniCredit, and British Telecom (BT) 312,570 files in 51,025 folders, over 516 Gb of data financial and private information on all clients IT Company CITYCOMP
May Instagram personal information including contact details social media marketing firm Chtrbox
May Truecaller 140 million user names, phone numbers and email addresses not disclosed not disclosed
May Bank, Axis, ICICI, IndusInd, RBL 50,000 credit card holders information data management company not disclosed
May Webstorage users not disclosed to storage ASUS Webstorage
May 4,600 websites not disclosed analytics service and open-source project Picreel and Alpaca Forms
May UNIQLO 460,000 online store accounts not disclosed not disclosed
May Forbes credit card information to build website not disclosed
April Freedom Mobile 15,000 customers information service provider for customer support processes Apptium Technologies
April 176 colleges and universities 201 online stores including payment card information e-commerce platform PrismRBS
April Facebook 540 million records, including account names, Facebook ID, and user activity to develop app Cultura Colectiva
March The Bank of Queensland customer names, contact information (including phone numbers and email addresses) and other details related to property evaluations fund management company and provider of property valuations LandMark White Limited
March Healthcare institutions including Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, and others the personal and medical information of hundreds of thousands of people may have been compromised contractor that provides mailing and other services for hospitals and healthcare companies Wolverine Solutions Group
March Rush System for Health patient names, addresses, Social Security numbers, birth dates and health insurance information for 45,000 patients was exposed claim processing MiraMed
February Equifax, Experian and TransUnion personal information including Social Security numbers, names, dates of birth and home addresses may have been stolen employee and background screening software Image-I-Nation Technologies
February Huddle House credit card payment information since Aug. 2017 Point-of-sale systems not disclosed
February China Railway millions of train passengers’ information Ticketing not disclosed
February Houzz user names, salted and hashed passwords, IP addresses and, for users who logged into Houzz using Facebook, their Facebook IDs not disclosed not disclosed
January LocalBitcoins theft of almost 8 bitcoins ($28,200) from five of the victims Forum software not disclosed
January Ascension 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the US OCR Services OpticsML
January Highmark BCBS, Aetna, Emblem Health, Humana, and UnitedHealth 650 consumer data Online payroll, benefits, tax compliance & HR services BenefitMall
January all sites that use PHP PEAR and downloaded PHP PEAR package manager from its official website in past 6 months the extent is unknown open-source library PHP PEAR
January 141 airlines that partner with Amadeus flight information of passengers online flight booking system Amadeus
January e-commerce sites that partner with Adverline credit card information of visitors Javascript for advertising Adverline
January Hanover County credit card information of citizens online parking ticket payment system Click2Gov
January City of Saint John, NB credit card information of 6,000 people online parking ticket payment system Click2Gov
January Humana name, address, date of birth, partial info of the SSN, and some info about policy type of unknown number of customers Bankers Life LCP Corp.

2018 Data Leaks

Data Leaks for 2018

Date Company  Data Breached Use of 3rd Party 3rd-party Company
December Managed Health Services of Indiana 31,000 Patient Records Transportation LCP Corp.
December BevMo credit card data of nearly 15,000 customers online payment system NCR Corp.
December City of Saint John 6,000 citizens’ payment information online payment system Click2Gov
December Redwood Eye Center 16,000 patients’ health information including names, birth dates, insurance information and addresses application-hosting service provider IT Lighthouse
December Baylor Scott & White Medical Center – Frisco approximately 47,000 patients or guarantors whose payment information, including partial credit card information credit card processing system not disclosed
December Taobao, Tmall, Alipay, Baidu Cloud, 163 email service, and JD.com account and password data of almost 50,000 users Programming software Easy Programming Language
November Marriott personal information of as many as 500 million guests Hotels (acquired) Starwood
November The Australian Defence Department unknown amount of data exposed small and mid-tier suppliers not disclosed
November BitPay users of CoPay mobile cryptocoin wallet were targeted for cryptocoin theft, but none stolen JavaScript Library Right9ctrl
November Atrium Health 2.65 M patient records including names, addresses, dates of birth, invoice numbers, account balances, dates of service, insurance policy information and Social Security numbers billing services AccuDoc Solutions Inc.
November City of York Council potentially almost 6,000 individuals’ personal info including name, address, postcode, email, phone, and encrypted password mobile app for One Planet York program Appware
November Nordstrom personal info of employees including names, SSNs and dates of birth, checking account and routing numbers, salaries, etc. management of direct deposits of wages Not Disclosed
November City of Bakersfield 2,400 user accounts with payment information Online Payment Click2Gov
November El Centro Regional Medical Center Social Security numbers of thousands of individuals who applied for a job online employment application services Jobscience, Inc.
November Huntsville Hospital in Alabama Social Security numbers of thousands of individuals who applied for a job online employment application services Jobscience, Inc.
November Ontario Cannabis Store names and addresses of 4500 consumers Online tracking tool Canada Post
November gate.io (cryptocurrency exchange) potential theft of BTC from customers Web Analytics StatCounter
October VestaCP managed to launch DDoS attacks not disclosed not disclosed
October Department of Defense (Pentagon) personal and payment card info of 30K employees and service members Maintenance of travel records not disclosed
October The Indio Water Authority unknown amount of customers’ names and credit card numbers Online Payment Click2Gov
October A few e-commerce sites customers of Shopper Approved unknown amount of payment card info (still in investigation) 3rd-party Javascript for customer rating Shopper Approved
October Many major companies including Amazon, Apple, etc. Unknown amount of data Microchip in servers and online portal for software update Supermicro
September All Platforms that use Facebook Login Accounts of more than 50 million users compromised Social Media Connection Facebook
September The Conservative Party (UK) Sensitive information about MPs, journalists and conference attendees, including personal mobile numbers Conference App CrowdComms
September Perth Mint Names, addresses, passport and bank account of 3200 customers Online depository Not disclosed
September British Airways Financial and personal details of 380,000 customers Website Javascript Still in investigation
September Foosackly Unauthorized access to 165K customers’ payment card information Cash register system Not disclosed
September University of Louisville Names, employee IDs, physician’s name of hundreds of employees and retirees Fitness vendor Health Fitness Corp
September e-commerce sites of Feedify payment card data from customers of hundreds of e-commerce websites may have been stolen due to the compromise of the cloud service firm Feedify Cloud service provider Feedify
September The Washoe County School District Teachers’ emails, usernames and passwords were exposed Instructional tool Edmodo
September Blue Cross Blue Shield of Rhode Island Names, their BCBSRI ID numbers, service providers, types of service provided and costs of claims for 1.5K customers Responsible for sending members’ benefits explanations Not disclosed
September Wegmans cost the grocery chain over $900,000 Seafood supplier Invermar
August 150 businesses including those in transport, local government and large franchise chains like Piggly Wiggly, KFC, and Hampton Inn. 7GB cache of data exposed with medical information for employees of 181 business locations and social security numbers for nearly 3000 individuals Back-up pharmacy services MedCall Healthcare Advisers
August Mention Data at risk of exposure includes names and email addresses, account profile info (plan value, # of alerts and mentions) Marketing Not disclosed
August A (probably) Mexican government health agency The personal data of 2M patients was left exposed online Telemedicine company Hova Health
August GoDaddy Sensitive data on 31,000 GoDaddy servers exposed online Cloud data storage Amazon S3 Bucket
August South Korean Organizations Unknown amount of data Remote support Remote support solution provider
August Air Canada Profile data, including names, email addresses and phone numbers, passport info, NEXUS numbers, dates of birth, etc. Mobile app Not disclosed
August Fiserv-affiliated financial institutions Customer’s email address, phone number and full bank account number and alert details Website providers Fiserv
June TicketMaster 40K UK citizens’ info Website application Inbenta
June Reddit Access data: email addresses of current Reddit users and a 2007 database SMS login system Not disclosed
June Monzo, Adidas, TicketMaster, Harvey Norman, Fortnum & Mason, Research4Me Passwords, usernames, contact info of millions Online Survey Tool Typeform
June More than a dozen US cities Over 10K individuals’ names, credit card numbers, card expiration dates and security codes Online payment system Click2Gov
June Whitbread (Costa Coffee, Premier Inn) Any data submitted in the course of recruitment Online recruitment services PageUp
June Klook Personal data and credit card info of undisclosed number of customers Web-based analytics tool SOCIAPlus
June UC San Diego Health Personal information of hundreds of patients Transcription services Nuance Communications
June The Central Bank of the Bahamas No indication that any personal information has been accessed or viewed Website hosting Not disclosed
May Some Fortune 500 firms 5.6K customer info (PII) Domain registration, agent for service of process for clients Corporation Service Company
May Universal Music Group Internal FTP credentials, AWS Secret Keys/Passwords, the internal and SQL root password Cloud data storage contractor Agilisium
May Chili’s Grill & Bar Credit card data belonging to an undisclosed number of customers Point-of-sale system Not disclosed
April BestBuy, Sears, Kmart, Delta Hundreds of thousands of customer data (per company) Online chat application Not disclosed
February Orlando Orthopaedic Center 19K patients’ records Transcription services Not disclosed
February Applebee’s Credit card information from unknowing diners at more than 160 Applebee’s restaurants Point-of-sale system Not disclosed
January Western Union Undisclosed # of customers’ contact info, bank names, WU internal ID numbers, transaction amounts, times and ID numbers Cloud-based or off-site backup storage provider Not disclosed
January Reddit No access to Reddit’s systems or to any Redditors’ email accounts Third-party software vendor to send account emails (e.g., reset password e-mails) Mailgun

2017 Data Leaks

Data Leaks for 2017

Date Company  Data Breached Use of 3rd Party 3rd-party Company
November Forever 21 Credit card data belonging to an undisclosed number of customers Point-of-sale system Not disclosed
October Domino’s Australia Thousands of customer names and e-mails Management of an online rating system A former supplier
October Hyatt Hotels Credit card data belonging to an undisclosed number of customers at 41 hotels Point-of-sale system Not disclosed
October Uber Confidential information of 57M Uber users (names, driver licence #, etc) Coding site used by Uber engineers GitHub
September Samsung, Sony, Asus, Intel, VMWare, O2, Singtel, Gauselmann, Dyn, Chunghwa and Fujitsu, and many others Unknown Computer cleaner/ad removal tool CCleaner
July Equifax Personal info (SSNs, names, addresses) of 143M consumers 3rd party tool to build web applications Not disclosed
July Verizon 14M customer data including account and personal info Providing customer service analytics NICE Systems
July Hard Rock Hotels & Casinos Credit card data belonging to an undisclosed number of customers at 11 hotels Travel services (reservation) Sabre Corp. (SynXis)
July Hundreds of Large Companies around the World Unknown Server management software NetSarang
June Republican National Committee Personal info of 200M voters Marketing Deep Root
June Many Ukrainian companies and several global corporations were also infected – including shipping giant Maersk, advertising firm WPP, pharmaceutical outfit Merck, and FedEx’s TNT Express division. Unknown (loss of hundreds of millions of dollars to ransomware) Accounting software MeDoc
May Bronx-Lebanon Hospital Center in New York City Tens of thousands (possibly up to millions) of patient records Management of record backups iHealth Innovations
May Companies with Mac-user employees who use Handbrake tool Unknown Open source video transcoder Handbrake
March Brand New Day 14K patient info A vendor system used by a contracted provider Not disclosed
March Four major telecommunications providers, 10+ western military organizations, 24+ Fortune 500 companies, 5 major defense contractors, 36+ major IT product manufacturers or solutions providers, 24+ western government organizations, 24+ banks and financial institutions, 45+ higher educational institutions. Unknown Network Logs and Event-monitoring Tool Altair Technologies
February New Jersey Diamond Institute for Fertility and Menopause 14K patients’ sensitive info (name, address, SSNs, birth dates, medical info) Server containing its electronic health records database Not disclosed

2015 Data Leaks

Data Leaks for 2015

Date Company  Data Breached Use of 3rd Party 3rd-party Company
September T-Mobile 15M customer records (SSNs, birth dates, driver licence #, etc) Customer credit assessment Experian
September Sam’s Club, Costco, CVS, RiteAid, Walmart Canada, Tesco Customers’ credit card and personal info Online photo order and print PNI Digital Media

2014 Data Leaks

Data Leaks for 2014

Date Company  Data Breached Use of 3rd Party 3rd-party Company
October JPMorgan Chase & Co Contact info for 76M households and 7M small businesses Management of its Corporate Challenge Race Registration Not disclosed
July Lowe’s Current and former drivers’ records (SSNs, birth dates, driver licence #, etc) Online database to store driver info SafetyFirst – E-Driver File
April Boston Medical Records about 15K patients posted without authentication Transcription services MDF Transcription Services

2013 Data Leaks

Data Leaks for 2013

Date Company  Data Breached Use of 3rd Party 3rd-Party Company
November Target Data of 70M customers and 40M credit/debit cards Heating, ventilation, and air conditioning (HVAC) Fazio Mechanical Services
July RT Jones Capital Personal Info of 100K individuals and 1000s of clients Web server hosting Not disclosed