September 7, 2019

Monthly Breach Report: September 2019 Edition


Data hacks have become an unfortunate reality happening all over the world. Despite the advances made by security experts, the breaches of last month show that organizations must do better when it comes to data security.

Here are some of the top trending breaches to hit news headlines last month.

NPP Australia

A fresh data breach involving records from PayID, a function of the New Payments Platform (NPP), has put thousands of Australian bank customers at risk. Within two months, PayID suffered its second breach this year. In the earlier incident, Westpac became the target of a breach that affected PayID’s address lookup functionality. PayID acts as an online lookup service that allows users to create their own numbers and register them with their banks. Users share their PayID when they make and receive payments instead of sharing their BSB code and account number.

Official reports divulged that hackers broke into the NPP database to access the personal banking details of tens of thousands of Australians—customer names, phone numbers, BSB and account numbers linked to PayID—to scam millions of dollars. According to NPP Australia, this activity impacted the clients of Australia’s four major banking institutions: the Commonwealth Bank, National Australia Bank, ANZ, and Westpac.

Termed the second major attack on the payment management system in recent times, the hack originated from one of the NPP banks secured by Australia-based payments provider Cuscal Limited. The breach happened due to customer-side technical issues.

As cybersecurity is of prime importance to NPP Australia, the payments platform immediately informed the impacted banks so that they could take action, including issuing customer notifications and performing due diligence. Cuscal notified both the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) about the mishap.


Massachusetts General Hospital

A third-party privacy breach at Massachusetts General Hospital (MGH) hit approximately 10,000 research participants, exposing their test results, medical diagnoses, and genetic details. The leaked data includes first and last names, demographic data, date of birth, medical record number, genetic data, medical histories, etc. MGH has clarified that Social Security numbers and financial data were not impacted by this incident.

A detailed third-party forensic investigation revealed that an unauthorized entity accessed MGH databases used by certain neurology researchers between June 10 and 16. Apart from contacting federal law enforcement, the Boston-based hospital continues to review and strengthen processes for its research programs.

Cybersecurity strategists believe that medical data is of great value to hackers because it can later be used to commit various types of identity theft, blackmail patients, and carry out impersonation attacks.

Security Magazine

Arizona State University

Last month, Arizona State University became the target of a data mishap when it mistakenly revealed the email addresses of about 4,000 students.

The Tempe-based public research university notified the students in mid-July about the incident, in which a University office sent bulk emails about health insurance coverage without hiding the identities of the recipients. The notification included details related to assistance resources provided to the students, faculty, and staff.

Reports suggest that a few of the email addresses displayed the names of the recipients. Under the Health Insurance Portability and Accountability Act (HIPAA), this incident is a data breach. Apart from the email addresses, the leak did not compromise other protected health information (PHI).

The University stated that it was able to restrict the release of data by deleting over 2,540 of the messages from ASU email inboxes, while over 1,130 of those emails were not read. ASU announced that it took measures to strengthen data protection by formulating more stringent review and approval levels for mass email distributions.

Becker's Hospital Review


Educational software maker Pearson fell prey to a data breach that impacted the accounts of over 13,000 students, mainly affecting school and university AimsWeb accounts in the US. A statement issued by the London-based enterprise said that the affected accounts stored details like first and last names, email addresses, and dates of birth. On July 31, Pearson started notifying the school districts about the hacking incident.

So far, Pearson has no proof of data misuse of compromised Social Security numbers or financial information. As a precautionary measure, the British publishing house will offer complimentary credit monitoring services.

Pearson is currently one of the most prominent publishers of print and digital textbooks in the UK.

Fast Company


Detroit-based ecommerce platform StockX encountered a data hack that exposed sensitive data of over 6.8 million users globally. The breached data included customer name, email address, shipping address, username, hashed passwords, and purchase history. On August 1, the fashion and sneaker marketplace sent users a password reset email, describing it as a “system update.” While many users claimed that the email appeared suspicious, the organization called it a planned activity.

According to a statement issued by StockX CEO Scott Cutler, in late July the organization learned about the suspicious activity involving customer information, after which the company initiated a comprehensive forensic investigation.

This breach has put the US-based organization in a tight spot as it faces the danger of incurring a hefty fine (up to 4 percent of annual revenue) and other damages under the GDPR.

Besides offering one year of fraud protection to its users, StockX will also offer CyberScan monitoring, ID theft recovery services, a $1,000,000 insurance reimbursement policy, and 12 months of free credit monitoring.

TechCrunch

State Farm

US-based insurance company State Farm fell victim to a credential stuffing attack, in which attackers take advantage of users who use the same passwords across different online accounts. In a credential stuffing attack, the attackers buy or take stolen user names and passwords from past data hack incidents to access victims’ accounts. The insurance giant sent a “Notice of Data Breach” email advising users to reset the passwords of their State Farm online accounts as a priority.

Although the exact count of customer accounts the attackers accessed is unclear, the property and casualty insurance provider services approximately 83 million policies and accounts in the US.

Insurance Business
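The credential stuffing pattern described in the State Farm item can be separated from ordinary login failures in authentication logs. The following is an added example, not part of the original report or any State Farm tooling; the log layout, thresholds, and function name are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # One source trying many accounts once each with leaked pairs
    [("203.0.113.7", f"user{i}", False) for i in range(7)]
    + [("203.0.113.7", "dana", True)]
    # One source guessing many passwords for a single account
    + [("198.51.100.20", "alice", False)] * 10
    # Shared office gateway: many accounts, all logins succeed
    + [("192.0.2.10", f"staff{i}", True) for i in range(6)]
)


def find_stuffing_sources(events, min_users=5, max_attempts_per_user=2,
                          min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts, few times each,
    and mostly fail: the signature of replayed breach credentials."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for ip, user, ok in events:
        by_ip[ip][user].append(ok)

    flagged = {}
    for ip, users in by_ip.items():
        attempts = sum(len(results) for results in users.values())
        failures = sum(results.count(False) for results in users.values())
        if len(users) < min_users:
            continue  # too few accounts: normal user or single-account guessing
        if attempts / len(users) > max_attempts_per_user:
            continue  # many tries per account is password guessing, not reuse
        if failures / attempts < min_fail_ratio:
            continue  # mostly successful: likely a shared gateway
        # Accounts that logged in from a flagged source reused a leaked
        # password and are the ones that need a forced reset.
        reset = sorted(u for u, results in users.items() if True in results)
        flagged[ip] = {"users_tried": len(users), "failures": failures,
                       "needs_reset": reset}
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```
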


Eighteen months after a data breach hit Astro Malaysia Holdings, which impacted 60,000 of its customers, the business suffered another one last month that exposed the customers’ MyKad data. The affected data included name, identity card number, date of birth, gender, race, and address. According to the media group, the breach had a low to moderate impact as it affected less than 0.2 percent of the customers and didn’t disclose their financial details.

Astro has informed the Malaysian Communications and Multimedia Commission (MCMC), the Department of Personal Data Protection and the police about the data mishap.

In June last year, the earlier breach compromised Astro IPTV (Internet Protocol TV) customers’ details (names, installation addresses, IC numbers, mobile numbers, equipment and portal ID numbers, and information on the subscribed package), which were sold online at 45 sen per record.

The Star


MoviePass, the US-based movie ticket subscription service, reported a security lapse that exposed customers’ records online, including credit card details. The breach occurred because a critical server was not password protected. An official statement from MoviePass confirmed that soon after discovering the security lapse, the company ramped up the security of impacted systems.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, identified the exposed database comprising about 161 million records. It further came to light that some of these records included sensitive user information, such as MoviePass customer card numbers, and details related to the service’s daily operations.

The MoviePass customer cards are like normal debit cards issued by Mastercard. They store a cash balance which the users can use to watch movies.

TechCrunch

Focus Brands Inc.

Atlanta-based restaurant franchising group Focus Brands Inc. announced that it suffered a data breach at the corporate and franchised locations for Moe’s Southwest Grill, McAlister’s Deli, and Schlotzsky’s.

The company further revealed that unauthorized computer activity came to light on the payment processing computers at different locations for three of its brands. After learning of the breach, Focus Brands initiated an investigation with the help of a cybersecurity firm, with emphasis on transactions that occurred from April 2019 into July 2019.

Focus Brands, which also owns Auntie Anne’s, Carvel, Cinnabon, and Jamba Juice, has already notified payment card networks and law enforcement about the mishap.



vpnMentor’s research team confirmed that adult website Luscious leaked the personal information of 1.195 million users from France, Germany, Russia, Brazil, Italy, Canada, and Poland without their knowledge. The disclosed data mainly comprises usernames, country, gender, email addresses, user activity logs, and some of the users’ full names. While the breach was detected on August 15, the adult web platform fixed the issue on August 19.

According to vpnMentor, the leak impacted 800,000 genuine accounts and actively used emails. This breach has also affected 20 percent of the accounts that used fake email addresses.

This hack could come as a serious blow for government agencies and departments since many users joined the Luscious platform using their government email addresses.

IT Pro

