October 14, 2019

Monthly Breach Report: October 2019 Edition


Data breaches have become the biggest curses of the internet age. While they are a nightmare for consumers, it impacts organizations as well.

Here are the biggest data breaches from last month to hit news headlines.


A massive data breach marred about 4.9 million DoorDash users when a hacker stole the data of customers, delivery workers, and merchants. The San Francisco-based startup observed unusual activity early last month, and upon further investigation discovered “an unauthorized third party” had accessed their user data earlier this year.

The breach occurred on May 4 when a third party accessed DoorDash user data without permission.

The compromised data included key details like names, email addresses, delivery addresses, phone numbers, order histories, and passwords, and in some cases, the last four digits of the payment cards and last four digits of their bank account numbers. The breach also affected driver’s license information of approximately 100,000 delivery workers who work for DoorDash.

In an official statement, DoorDash clarified that the data of users who joined on or before April 5, 2018, were not leaked in this incident. To lower the impact of the data mishap, DoorDash has blocked the unauthorized user’s access, ramped up security measures, and collaborated with external expertise.

The Verge


Social networking giant Instagram incurred a security loophole, resulting in a data leak allowing access to account details like users’ real names and complete phone numbers. ZHacker13, an Israeli hacker, identified this security flaw. In August, Facebook, Instagram’s parent company, confirmed the presence of a bug that may have led to the breach.

Last month, Facebook discovered the leak when an online database listed the phone and account information for 419 million users. Facebook went on to clarify that it was a third-party breach as the storage location of the data didn’t belong to their servers.

While a data leak makes an organization vulnerable to security threats, for Instagram, the size of the mishap was small because it didn’t share any payment information.

Although Instagram has applied security measures to bridge the gap, the social networking giant has now fallen victim to two massive data breaches leaking millions of users’ data.


Malindo Air

Malaysia’s Malindo Air and its Indonesian parent enterprise Lion Air encountered a data breach that leaked approximately 35 million customers’ passport details, home addresses, and phone numbers. Malindo Air CEO Chandran Rama Muthy confirmed the incident had occurred and informed the press that an independent cybersecurity firm was being hired to undertake a complete forensic analysis of the breach.

The airline has clarified that payment details of clients were not hit by the breach and that an auto-reset for all customer passwords was enforced as a precautionary step. While notifying authorities like CyberSecurity Malaysia about the incident, Malindo Air has taken steps to ensure that the breach doesn’t compromise customers’ information with regard to the Malaysian Personal Data Protection Act 2010.

South China Morning Post


Last month, Ecuador was the victim of a humungous national data breach, which leaked information of approximately 20 million people—more than the country’s population. Currently, Ecuador has a population of about 17 million. According to Ecuador’s State Attorney General’s Office, deceased citizens were the extra few million individuals hit by the breach.

News report suggests the breach affected 6.7 million minors. The personal data leaked encompassed full names, dates of birth, national identity card numbers, tax identification numbers, employment information, the names of family members, and financial information (such as bank customers’ account status, balance, and credit type). VpnMentor reported the breach occurred on a server managed by Ecuadorian consulting and analytics company Novaestrat.

Soon after identifying the mishap, Ecuador took immediate measures to control its impact. Investigations are underway, and the telecommunications ministry claims the leak wasn’t a cyberattack on the government data files and that Novaestrat may have taken help from former civil servants to gain authorized data access.



Online coding boot-camp enterprise Thinkful acknowledged that a third party gained unauthorized access to employee account credentials. After finding out about the security breach, the organization informed the users, beefed up their security measures, and initiated a thorough probe.

Thinkful announced that data theft doesn’t grant the hackers access to users’ personal data such as financial information, Social Security numbers, or government-issued IDs. To curtail the effect of the attack, the enterprise updated credentials and prompted users to reset their passwords.

This news of data theft comes right after Chegg confirmed the acquisition of Thinkful last month. In a similar incident, Chegg encountered a security breach after which they decided to reset their customers’ passwords.


Metro Mobility

Over 15,000 customers of Metro Mobility became the target of a data breach last month when the Twin Cities transit service for individuals with disabilities exposed their personal data.

Metro Mobility alerted customers about the data theft, stating an unauthorized individual gained access to an employee’s email account compromising personal ride information between June 13 and August 14, 2019.

The notice, sent by Metro Mobility, mentioned the hacker may have had access to individual rider names, pickup and drop-off addresses, times of rides, and special instructions for Metro Mobility drivers, but Social Security numbers and personal financial data were not compromised.

Metro Mobility, which offers shared rides to those who are unable to use regular fixed-route buses because of a disability or health condition, reported the breach to the St. Paul Police Department.

Star Tribune


Personal data of approximately 50,000 Get app users, including students involved in University communities and clubs, was available online in Australia last month.

A Reddit user discovered the security lapse when other users’ information (name, email, date of birth, Facebook ID, and phone numbers) became available for access using the company’s search function, API. The breach allowed data requests without special tokens.

Reports suggest that Get implemented initiatives to prevent such incidents from happening again in the future while analyzing the API call to evaluate the level of compromised data.

Get is an app built for university societies and clubs to support payments for events and merchandise. With a presence in four countries, currently, the platform has 159,000 active student users.

The Guardian


Pet platform Animates issued an apology and informed its customers that a data breach had affected their operations. Soon after realizing that an entity gained unauthorized access to Animates’ web platform, the pet retailer notified and requested customers to maintain a strict vigil on their bank accounts.

Reports suggest debit card and credit card data were the target area of this breach, affecting around 2,700 customers and forcing Animates to shut down their web platform. Animates has initiated a detailed probe into measuring potential vulnerabilities and will be unveiling a new web platform to ensure data security.

Animates has informed privacy and legal bodies about this data mishap and clarified that clients who opted for online purchases using Laybuy or PayPal or purchases made in physical stores were safe from the leak.


Verlo Mattress Factory

Milwaukee-based mattress company Verlo Mattress was made aware of a data leak when a security researcher found 387,000 customer records from the mattress enterprise online in a non-password protected database. On September 5, it came to light that Verlo Mattress’ client records with names, phone numbers, emails, home addresses, and billing addresses were available online in a database labelled “Customers.”

The leaked database allowed access to view, edit, download, and delete without any control.

Marcus Investments owns Verlo Mattress with 36 locations across the US.

Threat Post


Keep your business out of data breach headlines with the help of PK Protect. Learn more by requesting a demo now.

Share on social media
  • Apr'24 Breach Report-01
    PKWARE April 17, 2024
  • Data Retention: Aligning Data Protection Strategies with Compliance Requirements
    Ben Meyers March 13, 2024
  • Data Breach Report: March 2024
    PKWARE March 8, 2024
  • PCI DSS 4.0 Compliance: Safeguarding the Future of Payment Security
    PKWARE February 22, 2024