July 8, 2019

Monthly Breach Report: July 2019 Edition


With every passing year, data breach threats are growing at a robust pace and showing no signs of slowing down. Moreover, these threats are not just regarding the overall number of data breach incidents but also their cost, giving sleepless nights to people from the technology side of an enterprise as well as C-level executives.

Trends show a notable surge in hacked and breached data from sources commonly used in the workplace. Unprotected data and weak cybersecurity practices are some of the reasons why businesses have become soft targets of data breaches.

Here are some of the most prominent data breaches that just emerged last month.

Quest Diagnostics

Last month, US-based clinical laboratory Quest Diagnostics became a target of a data breach that approximately impacted 12 million of its consumers’ personal, financial, and medical data. It was impacted when one of its vendor’s system was accessed by an unauthorized entity.

AMCA, one of the billing collections vendor of Quest Diagnostics, encountered this issue between August 1, 2018, and March 30, 2019. Reports suggest that the breached information included credit card numbers, bank account information, and Social Security numbers.

In a filing with securities regulator, Quest announced that the medical data of customers was compromised in this breach. But the vendor didn’t have the actual lab results of the affected patients, which signifies that the data was not affected.

The diagnostics lab, which has operations spread across 2,200 locations in the US, has collaborated with forensic experts to take stock of the situation with interest to control similar incidents from happening in the future.

CNN Business


Soon after Quest Diagnostics witnessed a data breach, US-based global life sciences enterprise LabCorp encountered a data hack as well. The mishap happened at Quest Diagnostics’ billings collection firm affecting the personal data of 7.7-million customers.

LabCorp further revealed that third-party collections enterprise AMCA witnessed an unauthorized activity between August 2018 and March 30, 2019. The affected information included first and last name, date of birth, address, phone, date of service, provider, balance information, and credit card or bank account information that was shared by the customers.

AMCA has decided to notify only those customers whose information was included and to offer credit monitoring and identity protection services for a period of two years.

Also, a third-party external forensics team has been hired to probe the attack in detail and adopt measures to increase their systems’ security.

USA Today

Mermaids Transgender Charity

Mermaids Transgender Charity issued an apology after it was hit by a data breach causing some of its email database to leak online. Reported by Sunday Times, the data leak made information of more than 1,000 pages of confidential emails sent between 2016 and 2017 available online. The affected data comprised details—such as names, addresses, telephone numbers—of the people Mermaids Transgender Charity was planning to help.

When Mermaids UK was informed about the incident, they removed the content immediately and issued a clarification that there was no evidence of any misuse of the leaked data. They also stated that they have the necessary resources and support to contain such incidents from occurring in the future.

With the European GDPR already in effect, the charity has informed the stakeholders, Charity Commission, as well as families impacted by the breach.


AIA Singapore

Personal Data Protection Commission (PDPC) recently slapped a hefty penalty worth SG$10,000 on AIA Singapore. The fine was imposed when the insurance player mistakenly shared 245 letters meant for various customers sent to just two customers. Generated between December 22-27, 2017, the letters included 237 integrated shield plan premium notice letters, four integrated shield plan premium notice reminder letters, three change-of-payroll letters, and one modified terms-of-coverage letter. One of the customers received 179 letters and the other one got the remaining 66.

AIA learned about the incident when one of the customers, who received these confidential letters, pointed out the mistake on a social media post. While AIA has taken complete responsibility for this mishap and resorted to remedial steps, the insurance player also announced the implementation of new software to resolve the error in the system.

A statement from PDPC claimed that AIA Singapore has breached section 24 of the Personal Data Protection Act 2012 (PDPA). During March this year, AIA Singapore faced a similar incident when its web portals became publicly accessible. That included data of about 200 existing agents, previous agents, and their family members.

Marketing Magazine


Partners and customers of EatStreet became the victims of a data breach when their data comprising payment card information was exposed.

EatStreet learned about the incident in May 2019 with a post which informed the diners, delivery, and restaurant partners about this leak. It was on May 3 when a third party attacked the firm’s network. Although EatStreet was able to shut down access, it couldn’t control data misuse.

So far, no information has been shared by the business about the exact count of impacted customers or partner businesses. The US-based company, with operations spread across 38 states and the District of Columbia, has strengthened its system security by updating and making necessary changes to coding practices, initiating multi-factor authentication and rotating credential keys.


Desjardins Credit Union

One of the ex-employees of Canada’s largest credit union intentionally exposed the personal data of about 2.9 million credit union members.

According to a statement issued by Desjardins, Laval police informed the Quebec-based institution last month when personal data from 2.7 million individual clients and 173,000 business members was leaked online. The company further went on to say that the former employee responsible for this incident had been fired, possibly triggering him to take this extreme step.

Considered as one of Canada’s largest data hacks, Desjardins has beefed up security and initiated an internal probe to determine the reason for this incident. The banking major clarified that the impacted data includes names, birthdates, social insurance numbers, email addresses, phone numbers, street addresses, and details on banking habits. Also, as this intrusion wasn’t a cyber attack, other key details like passwords, security questions, and personal identification numbers were not impacted.

The News

Oregon Department of Human Services (DHS)

More than 645,000 Oregonians who signed up for the benefits with the state’s Department of Human Services (DHS) became the victim of a phishing attack. This incident occurred when phishing emails were used to fool nine DHS employees.

Oregon DHS stated that the phishing attack took place about January 8, 2019. Soon after, the hackers were able to access the email accounts of the affected employees. It took 20 days for the DHS staff to secure the impacted email accounts after the hackers first got in. The incident allowed access to more than 2 million emails.

It is still unclear whether any of the user data was downloaded and misused. The state department initiated informing the affected individuals this month, although the incident was made public in March this year. DHS has decided to send out an email with necessary details about the incident and instructions on a free program that offers one year of identity theft monitoring and recovery services.

Oregon Live

Graceland University, Oregon State University, Missouri Southern State

Data leaks have become rampant in the education industry and a series of US universities were hit by them last month. The three hubs of higher learning, Graceland University, Oregon State University, and Missouri Southern State University, stated that their data mishaps leaked personally identifiable information of not just their working staff but also of students.

The students’ data that was compromised included their full name, date of birth, address, Social Security number, telephone number, email address, parents/children, salary, and financial aid details for enrollment.

The universities have notified the impacted individuals and also shared that there has been no malicious use of the personal data so far.

Reports suggest that Oregon State University had 636 student records and family information that were affected. Meanwhile, Graceland University clarified intruders gained access to the individual accounts on March 29, 2019, from April 1-30, and from April 12-May 1, 2019.

Also, Missouri Southern State University (MSSU) informed the Office of the Vermont Attorney General about the cyber-espionage as a consequence of phishing email that occurred on January 9, 2019.

Bleeping Computer

Keep your business out of data breach headlines. Find out how with a free demo now.

Share on social media
  • Apr'24 Breach Report-01
    PKWARE April 17, 2024
  • Data Retention: Aligning Data Protection Strategies with Compliance Requirements
    Ben Meyers March 13, 2024
  • Data Breach Report: March 2024
    PKWARE March 8, 2024
  • PCI DSS 4.0 Compliance: Safeguarding the Future of Payment Security
    PKWARE February 22, 2024