Contents


    Executive Summary

    A data breach is a security incident in which sensitive, protected, or confidential data is copied, viewed, stolen, or used by an individual unauthorized to do so. Liability issues include negligence, violation of federal laws, breach of contract, and personal injury. Cyber insurance helps ease the significant costs of a data breach by offering coverage for network security and privacy liability. Data breaches of medical material, financial accounts, and personal data have skyrocketed in the past 5 years. According to Statista, more than 400 million individuals around the world were affected by data breaches in 2022.

    Background

    Around 60% of corporate data is stored in the cloud. As the reliance on online databases to store confidential information grows, data breaches have become more frequent and have gotten more media attention. Data breaches are defined as “the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.”

    Data breaches can be targeted towards companies, healthcare facilities, governments and individuals on any scale. Data breaches of financial institutions and healthcare services are worrisome because consumer’s financial information and personal health information can be exposed.

    Two recent examples show the effects of data breaches:

    Consumer: MOVEit

    In May 2023, the file transfer app MOVEit fell victim to a cyberattack that compromised the data of more than 300 organizations and 18.6 million individuals. The Russia-linked cybercrime group known for operating the “Cl0p” ransomware has taken responsibility for the hack. The group exploited a “zero-day” flaw in MOVEit’s file-transfer software in order to access sensitive data transferred through the app. MOVEit is an approved and accredited file-transfer service that meets regulatory compliance requirements for multiple government agencies and highly regulated industries. These strict accreditation standards made it a widely used service for organizations with sensitive data. As such, some of the world’s largest financial institutions, law firms, insurance providers, healthcare firms, education service providers, and government agencies have been involved in this breach. Two Department of Energy entities were among the “small number” of federal agencies that were impacted. Hackers accessed data including social security numbers, customers’ addresses, online banking usernames and other financial account information. The full extent of the breach hasn’t yet been realized as the number of organizations impacted by ongoing hacks of the MOVEit software continues to grow.

    Medical: Healthcare

    In 2022, more than 52 million people had their private health information exposed in more than 700 breaches. Protected health information (“PHI”), which includes sensitive information like Social Security numbers, medical record data, and date of birth, are highly valued on the black market. The average cost per lost or stolen record is $164, a number that skyrockets to $429 on average for healthcare organizations. 

    In 2015, Anthem Inc. suffered a data breach that exposed approximately 37 million records, affecting around 78.8 million people. Anthem’s cyber insurance policy, led by the American International Group, covers losses up to $100 million. However, given the scale of the breach, costs could have climbed above $100 million. A class action suit was filed and was scheduled to go to trial in July of 2016. As of June 2017, Anthem agreed to settle the litigation for $115 million, the largest settlement for a data breach in history. 

    Insider threats are reportedly the primary cause for 60% of data breaches. A recent study showed that the number of insider security incidents has risen by 47% since 2018. Insiders are typically defined as an individual with legitimate access to company assets who causes harm to the business either intentionally or unintentionally. Furthermore, about 91.5% of cyber-attacks involve some element of human error. These statistics demonstrate the critical need for employees to be well-educated regarding proper security procedures. Additionally, many jurisdictions have passed data breach notification laws that require companies that have been subject to a data breach to inform their customers and take steps to remediate possible injuries.

    Injuries and Damages

    As data breaches can target different entities and include different types of data, injuries can span a wide range. They may include:
    • Emotional distress
    • Identity theft
    • Fraud 
    • Privacy concerns

    The question of whether or not data theft alone is enough to satisfy the injury requirement of Article III of the Constitution was addressed by the Supreme Court in TransUnion LLC v. Ramirez. The court’s landmark decision was immediately recognized as having a significant impact on Article III standing, particularly in class actions, where claimed injuries must not only be concrete and particularized, but also shared class-wide. The court asserted that proof of concrete harm, not just legal injury, is a universal requirement of Article III standing. The court’s majority held that unless an inaccurate file was actually disclosed to a third-party, thus giving rise to a cognizable injury akin to that suffered in a defamation case, its mere existence could not constitute a concrete harm sufficient to support jurisdiction.

    Legislation and Regulation

    As of 2020, all 50 states, the District of Columbia and several U.S. protectorates have enacted legislation “requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information”. Most of these laws include provisions that outline which entities must comply with the law, how to define “personal information”, how a data breach is defined and the requirements for notice when a breach occurs.

    Legislation in various states across the U.S. is being introduced that includes expanded definitions of “personal information,” a shortened time span for businesses to report known data breaches, requirements for businesses to report breaches to the state’s attorney general, and provisions for victims of identity theft and credit freezes. Additionally, federal legislation that regulates data breaches was passed by President Biden in March 2022. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) creates legal protections and provides guidance to companies that operate in critical infrastructure sectors, including a requirement to report cyber incidents within 72 hours.

    National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law

    The NAIC Insurance Data Security Model Law was developed to respond to the increased levels of data breaches among several industries. Based on the model, insurers and companies that are licensed by the department of insurance are required to create and maintain “an information security program, investigate any cybersecurity events and notify the state insurance commissioner of such events.” The NAIC and the federal government have urged all states to adopt the model law. To date, 21 states have adopted the model law.

    General Data Protection Regulation (GDPR)

    The European Union passed the GDPR in 2016, which was a monumental piece of legislation for cyber security and privacy. Although the GDPR primarily applies to online databases operating in the European Union, most companies in the US engage in business with European Union members, meaning that they are also regulated by the GDPR. As of 2018, all organizations are expected to comply with the GDPR. The core components of the GDPR that concern cyber security include:

    • After discovering a data breach, businesses must notify authorities within 72 hours
    • Businesses must conduct compliance assessments
    • Businesses are now liable for personal data processing 
    • Businesses must request permission to process personal data using clear language
    • Enterprises that violate the GDPR can be fined up to 4% of annual global turnover

    Liability and Insurance

    As data breaches can target several entities, liability issues span a wide spectrum. Liability issues can include:
    • Negligence 
    • Violation of state and federal laws 
    • Willful misconduct 
    • Breach of contract
    • Property damage
    The average cost of data breach in the United States has risen to $9.44 million, more than twice the global average of $4.35 million. Consequently, many businesses are seeking protection in the form of cyber insurance. Importantly, there is a difference between “cyber liability insurance” and “data breach insurance” in terms of scope of coverage. Data breach insurance typically provides coverage for first-party losses incurred by the organization that has suffered a loss of data. Cyber liability insurance, on the other hand, provides more robust protection by also including coverage for third-party claims asserted against a company stemming from a network security event or data breach.
    First-party losses typically covered by data breach insurance policies include:
    • Business interruption losses
    • Legal fees
    • Investigating details/causes of breach
    • Costs incurred to notify affected individuals
    A cyber liability insurance policy will typically cover the above-mentioned losses as well as losses to other affected parties and any punitive damages such as regulatory fines.

    COVID-19

    As more than a billion people across the world were forced to stay home during the height of the pandemic, cyber criminals have become more active, exploiting the vulnerabilities of people working from home, attacking medical facilities, and even hacking unemployment claim databases.
    Companies, while trying to make working at home a more efficient process, inadvertently exposed vulnerabilities to data breaches. For example, some companies have removed permission procedures so that employees can complete tasks without advisor approval. This process leaves assets unsecured and makes the companies’ online databases more vulnerable. Additionally, employees working at home use networks that are not as secure, which present risks to employees conducting company business from home on private and personal computers.
    As employees continue to work remotely, the potential for cyberattacks has increased dramatically. In fact, in 2022 there was a 61% jump in phishing attacks. This dramatic shift in the digital landscape demonstrates the critical need for companies to implement proper cybersecurity measures. However, the pandemic has also contributed to the creation of a hard market with significant premium increases for cyber liability insurance, thus making it more difficult for companies to purchase protection. As the risk of cyberattacks have increased, so too have the prices and limitations of cyber liability insurance in an effort to avoid potentially catastrophic losses that could stem from the systemic nature of cyber risk.

    Litigation

    Since the Supreme Court’s ruling in TransUnion LLC v. Ramirez, the landscape of data breach litigation has shifted. Plaintiffs are now attempting to satisfy the new Article III requirements by characterizing the risk of future harms associated with the misuse of personal information as currently felt injuries. Such injuries take the form of claimed emotional distress, therapy costs associated with that claimed distress, or time and money spent canceling a credit card or purportedly mitigating otherwise non-cognizable harms. A number of courts across the country, including the U.S. Court of Appeals for the Third Circuit and the U.S. District Court for the Northern District of New York, have endorsed the view that such alleged harms are permissible under Article III. Authority regarding such claims is mixed, however, and rulings are often dependent on what kind of data was accessed, with credit card information less likely to yield standing than sensitive personal information like social security numbers.

    Data breaches can occur on any system that stores private information, so defendants can span a wide range of industries and class action suits can include thousands of plaintiffs. It is worth noting that many data breaches have been committed not by individuals, but on the orders of foreign governments. In such cases, litigation is focused more on a company’s failure to disclose the breach or properly defend against it than it is on punishing the perpetrator.

    Future Outlook

    Like all cyber security concerns, data breaches are expected to grow in number and severity as hackers stay one step ahead of law enforcement and security providers. At the same time, companies are expected to invest more money into cyber security policies and cyber insurance.

    Apart from company data breaches, some breaches are part of a global race to develop better cyber warfare capabilities. Some governments are believed to be using data breaches to test the boundaries of this new cyber weaponry and are targeting private companies to avoid retaliation. Companies, organizations, and the insurance industry are advised to stay educated and updated on how to manage the risk of data breaches, and how to recover from a breach when it occurs.

    In the News

    2024

    • Data Breach Impacts 800,000 Insurance Customers - Lars Daniel, Forbes (11/02/2024)
      Landmark Admin, a company that provides administrative services to several major U.S. insurance carriers, has recently announced that a cyberattack in May 2024 exposed the personal information of over 800,000 individuals.
    • Disney faces class action lawsuit over employee data breach - Christi Carras, Los Angeles Times (10/04/2024)
      Walt Disney Co. has been hit with a class action lawsuit accusing the Burbank-based entertainment giant of negligence, breach of implied contract and other misconduct in connection with a massive data breach that occurred earlier this year. Plaintiff Scott Margel submitted the complaint on Thursday in Los Angeles County Superior Court against Disney and Disney California Adventure. The 32-page document also accuses the company of violating privacy laws by not doing enough to prevent or notify victims of the extent of the leak.
    • 23andMe agrees to $30 million settlement over data breach that affected 6.9 million users - Mary Walrath-Holdridge, USA Today (09/16/2024)
      Ancestry and genetics-testing company 23andMe has agreed to pay a $30 million settlement after a class-action lawsuit was brought against the company for last year's data breach. The settlement, which is pending a judge's approval, comes after the company confirmed in October that "threat actors" used about 14,000 accounts, approximately 0.1% of the company's user base, to access the ancestry data of 6.9 million connected profiles. Leaked data included users' account information, location, ancestry reports, DNA matches, family names, profile pictures, birthdates and more.
    • LVHN reaches proposed $65M settlement in class-action suit over data breaches of medical records of 134,000 patients - Jim Lockwood, The Times-Tribune (09/12/2024)
      Lehigh Valley Health Network reached a proposed $65 million settlement in a class-action lawsuit over data breaches of medical records of 134,000 patients. While there have been larger class-action lawsuit settlements in terms of total dollars and numbers of plaintiffs in cases throughout the country, the proposed LVHN pact might be the largest class-action settlement per-capita in the nation, said plaintiffs' attorney Patrick Howard, of the Saltz, Mongeluzzi & Bendesky law firm in Horsham.
    • CMS says data breach at contractor could affect more than 946,000 Medicare beneficiaries - Emily Olsen, Healthcare Dive (09/09/2024)
      A data breach at a CMS contractor may have exposed the personal and health information of 946,801 current Medicare beneficiaries, the agency said Friday. Wisconsin Physicians Service Insurance Corporation, which manages Medicare Part A and B claims and related services for the CMS, notified the regulator in July that enrollee data may have been compromised last year due to a vulnerability in its MOVEit file transfer software.
    • Class action filed after Kootenai Health data breach - Kaye Thornbrugh, Coeur d'Alene Press (09/02/2024)
      Kootenai Health allegedly failed to protect the personally identifiable information and personal health information of patients, resulting in a large data breach that put patients at risk of fraud or identity theft, according to a proposed federal class action filed against the hospital.
    • Texas credit union discovers year-old data breach - Gabrielle Saulsbery, Banking Dive (08/29/2024)
      Texas Dow Employees Credit Union was one of several dozen financial institutions affected by last year’s MoveIt cybersecurity breach, the credit union announced Monday. The Lake Jackson, Texas-based credit union’s public acknowledgement adds it to a long list more than a year after the breach, which has affected more than 95 million individuals and 2,700 organizations, according to anti-virus firm Emsisoft’s most recent tally from public disclosures and securities filings.
    • Over 2 mil customer records leaked in breach of Japanese insurers - Japan Today (08/28/2024)
      An estimated 2 to 3 million customer records were leaked in a data breach involving Japan's four leading property and casualty insurers, sources close to the matter said Tuesday. Information leaked from the four firms -- Tokio Marine & Nichido Fire Insurance Co, Sompo Japan Insurance Inc, Mitsui Sumitomo Insurance Co and Aioi Nissay Dowa Insurance Co -- included customer names, insurance policy numbers, insurance types, maturity dates and premium amounts.
    • Privacy group fights European Parliament over ‘massive’ HR data breach - Antoaneta Roussi, Politico (08/22/2024)
      The European Parliament's headache over a major human resources data breach earlier this year just won't fade. Austria-based digital rights group noyb on Thursday said it had filed two complaints against the European Union institution for infringing the bloc's flagship privacy law, the General Data Protection Regulation (GDPR), over a data breach discovered before the summer.
    • 47% of US firms suffered data breach resulting in severe financial loss - Alexei Alexis, CFO Dive (08/20/2024)
      Nearly half (47%) of U.S. businesses have suffered significant revenue loss due to a data security incident, according to a survey by data protection company Arcserve. “For those laser-focused on growing revenue and controlling costs, this revenue downside perspective should be a wake-up call,” according to a report on the findings released Tuesday.
    • Florida-based data firm faces lawsuits after massive data breach - Ron Hurtibise, South Florida Sun Sentinel (08/18/2024)
      Multiple class-action lawsuits have been filed against a Coral Springs, Florida-based data firm following disclosures that a massive data breach might have compromised millions of Americans’ personal information, including Social Security numbers.
    • United Healthcare breach may affect 45% of U.S. population; victims to start getting notices - Richard Craver, Winston-Salem Journal (08/17/2024)
      Victims of a massive data breach involving the United Healthcare Group/Change Healthcare prescription claims systems are this week receiving the first official notice from the groups. UnitedHealth had more than 152 million customers at the time of the Feb. 17-20 data breach, which means about 45% of Americans have been affected.
    • Global Average Cost of a Data Breach Reaches $4.88M in 2023 - R&I Editorial Team, Risk & Insurance (08/07/2024)
      The global average cost of a data breach has risen to $4.88 million, a 10% increase from $4.45 billion the previous year, according to IBM’s annual Cost of a Data Breach Report for 2024.
    • French cybercrimes team called in after Israeli athletes’ data leak - The Straits Times (07/28/2024)
      France’s cybercrime unit is pushing to get private data on several Israeli athletes competing in the Paris Olympic Games removed from social media, police sources said on July 27.
    • There are 1 billion victims of data breaches so far this year. Are you one of them? - Betty Lin-Fisher, USA Today (07/18/2024)
      he number of data breach victims has surpassed 1 billion for the first half of 2024, according to the Identity Theft Resource Center. That's a 409% increase from the same time period last year: 1.07 billion victims compared to 182.65 million in the first half of 2023.
    • AT&T says hackers stole call records of ‘nearly all’ wireless customers - Joseph Menn and Aaron Gregg, The Washington Post (07/12/2024)
      Hackers stole records detailing the phone contacts of almost all AT&T Wireless customers in one of the most serious breaches of sensitive consumer data in recent years, the company disclosed in a securities filing Friday.
    • MOVEit legal liabilities, expenses pile up for Progress Software - Matt Kapko, Cybersecurity Dive (07/10/2024)
      One year after a flurry of zero-day attacks targeted MOVEit customers, the legal liabilities for Progress Software, the company behind the file-transfer service, are still piling up. Progress Software is party to at least 144 class-action lawsuits, which have been consolidated with a subrogation claim from an insurer in the U.S. District Court for the District of Massachusetts, the company said in a Monday filing with the Securities and Exchange Commission.
    • Debt collection agency says data breach affected more than 4 million people - Joe Warminsky, The Record (07/09/2024)
      A data breach discovered in February potentially exposed information on more than 4 million people, debt collection agency Financial Business and Consumer Solutions (FBCS) said in an updated regulatory filing Monday.
    • Close to 10 Billion Passwords Exposed in Possibly the Biggest Leak Ever - Karthik Kashyap, Spiceworks (07/08/2024)
      One of the most significant data leaks in recent history is reported to have occurred on July 4. The leak, dubbed RockYou2024 by the original poster, “ObamaCare”, on a leading hacking forum, compiled 9,948,575,739 unique passwords into plain text. This means close to ten billion passwords were leaked.
    • AMD investigating possible data breach after internal company data put up for sale online - Sead Fadilpašić, Tech Radar (06/19/2024)
      Computing powerhouse AMD is apaprently investigating a data breach after a hacker put a database on a dark web forum, claiming it came from the company. Known leaker IntelBroker posted a short thread on a hacking forum, advertising sensitive employee data for sale.
    • Truist Bank confirms data breach after stolen data appears online - Sead Fadilpašić, Tech Radar (06/14/2024)
      The Sp1d3r cybercrime gang is making quite a name for itself as it is now selling sensitive data on thousands of Truist banking employees. Sp1d3r says they stole information on 65,000 employees, including bank transactions with names, account numbers, balances, and IVR funds transfer source code. The going price is $1 million.
    • Frontier Communications says cyberattack snagged data from 751,000 people - David Jones, Cybersecurity Dive (06/07/2024)
      Frontier Communications, based in Dallas, is a major provider of phone and internet services and calls itself the largest pure-play fiber provider in the U.S. The RansomHub threat group claimed credit for the attack earlier this month, but said it had a larger cache of personal data, according to Brett Callow, threat analyst at Emsisoft. Callow posted screenshots of the allegedly stolen data on the social media platform X, which RansomHub claimed were from the attack.
    • Data breach exposes details of 25,000 current and former BBC employees - Josh Halliday, The Guardian (05/29/2024)
      The BBC has launched an investigation after the details of more than 25,000 current and former employees were exposed in a data breach. The corporation’s pension scheme wrote to members on Wednesday to say their details had been stolen in a data security incident that it was taking “extremely seriously”.
    • First American says personal data of 44K breached in December cyberattack - David Jones, Cybersecurity Dive (05/29/2024)
      First American Financial said about 44,000 people had their personal information breached in a December cyberattack, according to Tuesday filing with the Securities and Exchange Commission. The title insurance firm is in the process of notifying customers, however it did not detail what specific information was breached.
    • Data breach at medical giant Cencora exposes info from multiple drug companies - Sead Fadilpašić, Tech Radar (05/27/2024)
      Almost a dozen pharmaceutical companies, including several major players, have lost sensitive customer data due to a supply chain cyberattack that trickled down from pharma giant Cencora.
    • Kaiser exposed up to 13.4M plan member records to third parties - Susanna Vogel, Healthcare Dive (04/26/2024)
      Kaiser Foundation Health Plan disclosed a data breach impacting 13.4 million current and former plan members to the federal government on Thursday. The health plan said in a statement to Healthcare Dive that it may have unwittingly shared patients’ information with third-party advertisers, including Google, Microsoft and X, the company formerly known as Twitter.
    • AT&T notifies users of data breach and resets millions of passcodes - Matt O'Brien, The Associated Press (03/30/2024)
      AT&T said it has begun notifying millions of customers about the theft of personal data recently discovered online. The telecommunications giant said Saturday that a dataset found on the “dark web” contains information such as Social Security numbers for about 7.6 million current AT&T account holders and 65.4 million former account holders.
    • Health-care hack spreads pain across hospitals and doctors nationwide - Daniel Gilbert, Dan Diamond, Christopher Rowland and Kim Bellware, The Washington Post (03/03/2024)
      The fallout from the hack of a little-known but pivotal health-care company is inflicting pain on hospitals, doctor offices, pharmacies and millions of patients across the nation, with government and industry officials calling it one of the most serious attacks on the health-care system in U.S. history.
    • U-Haul admits thousands of customers had data stolen in breach - Sead Fadilpašić, Tech Radar (02/26/2024)
      U-Haul has confirmed it suffered a data breach which resulted in sensitive customer data being stolen. The company confirmed the news via breach notification emails being sent to affected victims noting the incident happened on December 5, after an unnamed threat actor managed to steal login credentials for the U-Haul Dealer and Team Member system.
    • Health care data breaches hit 1 in 3 Americans last year: Is your data vulnerable? - Ken Alltucker, USA Today (02/18/2024)
      Patients were inundated with spam texts and other annoyances after the massive HCA Healthcare data hack disclosed last July compromised the records of more than 11 million people.
    • Thousands of DoD personnel may have had their private data leaked — US government admits 20,000 could be affected - Sead Fadilpašić, Tech Radar (02/15/2024)
      A year after a cybersecurity incident, the US Department of Defense (DOD) has begun notifying affected individuals about exactly what happened. In February 2023, cybersecurity researcher Anurag Sen discovered a US government email server that sat without a proper password to protect its content - essentially, leaking sensitive information to anyone who knew where to look.
    • Bank of America customer data exposed in IT provider breach - Rajashree Chakravarty and Naomi Eide, Cybersecurity Dive (02/13/2024)
      A November 2023 “cybersecurity event” at Infosys McCamish Systems exposed Bank of America customer data, according to a breach notification letter from the bank’s outside counsel filed with the Office of the Maine Attorney General.
    • Data breach reported at Connecticut College - Katie Langley, NBC Connecticut (02/08/2024)
      Connecticut College has brought in cybersecurity experts to investigate a data security incident that might have compromised files in the college's computer system, including social security numbers.
    • Montefiore Medical Center pays $4.8M after OIG investigation of insider data breach - Dave Muoio, Fierce Healthcare (02/07/2024)
      Montefiore Medical Center has agreed to a $4.75 million settlement over data security failures federal officials uncovered when investigating an employee who had sold patient information to criminals.
    • Mother of all breaches reveals 26 billion records: what we know so far - Vilius Petkauskas, Cyber News (01/29/2024)
      The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak, which contains LinkedIn, Twitter, Weibo, Tencent, and other platforms’ user data, is almost certainly the largest ever discovered.
    • 23andMe unveils more of the truth about massive DNA data breach - Patricia Battle, The Street (01/26/2024)
      Genetic testing company 23andMe is coughing up more of the truth about that major cyberattack last year that breached its system and stole the DNA data of about 6.9 million people.
    • US data compromises surged to record high in 2023 - Matt Kapko, Cybersecurity Dive (01/25/2024)
      The number of data compromises reported in the U.S. last year jumped 78% to a record high of 3,205 incidents, the non-profit organization said Thursday. These compromises ultimately impacted more than 353 million victims, including individuals affected multiple times.
    • Hackers leak data on nearly a million Halara customers - Sead Fadilpašić, Tech Radar (01/12/2024)
      Hackers have leaked sensitive information on almost a million people claimed to be customers of Hong Kong-based activewear firm Halara. A hacker under the alias Sanggiero posted a new thread on a dark net forum, and in a Telegram channel, with the details of the hack.
    • US School Shooter Emergency Plans Exposed in a Highly Sensitive Database Leak - Matt Burgess, Wired (01/11/2024)
      Every year, hundreds of millions of files, personal records, and documents are accidentally exposed online. Owners of dating apps, colossal marketing databases, and even a spy agency have published information to the web by leaving it in unsecured databases. But the regularity with which these leaks happen doesn’t make them any less alarming—especially when the data is from thousands of schools.
    • Fidelity National Financial confirms data of 1.3 million customers exposed in cyberattack - Steve Zurier, SC Media (01/11/2024)
      Fidelity National Financial disclosed in an 8K filing with the Securities and Exchange Commission (SEC) on Dec. 10 that 1.3 million customers had their data exposed in a cyberattack. However, the large real estate services company did not confirm in the filing if it was the victim of a ransomware attack.
    • X: Compromised phone number caused SEC hack that led to false bitcoin post - Clyde Hughes, UPI (01/10/2024)
      Social media platform X said that the Security and Exchange Commission's account was compromised due to a third party gaining access to a related phone number.
    • 23andMe attempts to wipe its hands clean of blame for DNA data breach - Patricia Battle, The Street (01/04/2024)
      After a data breach compromised the DNA data of about 6.9 million users of genetic testing company 23andMe last fall, the company now appears to have shifted the blame for the breach towards the customers who were affected, according to an alleged letter from the company’s lawyers that was sent to victims suing the company for the breach.
    • First American Financial confirms threat actors stole and encrypted data - David Jones, Cybersecurity Dive (01/04/2024)
      First American Financial said the threat actors behind a previously disclosed Dec. 20 cyberattack accessed and stole non-production systems company data, which was later encrypted, according to an amended 8-K filing on Friday with the Securities and Exchange Commission.
    • Xerox discloses a subsidiary’s breach following ransomware claim of data theft - David Jones, Cybersecurity Dive (01/03/2024)
      Xerox on Saturday disclosed a cyber intrusion at its Xerox Business Solutions subsidiary, which resulted in a limited amount of personal data being accessed. Xerox said company personnel detected and contained the attack.

    2023

    • Comcast Faces Lawsuits over Breach of 36M Accounts - D. Howard Kass, MSSP Alert (12/28/2023)
      Comcast already faces at least two class action lawsuits over a massive data breach that exposed nearly 36 million U.S. Xfinity accounts after cyber attackers broke into its systems in mid-October, 2023, by exploiting a vulnerability in Citrix software.
    • Data breach impacts over 1 million Corewell Health patients - Jenna Prestininzi, Detroit Free Press (12/27/2023)
      Over 1 million patients' information is at risk after the latest data breach on Michigan health care facilities. A recent cyberattack on a Corewell Health vendor facility breached the data of over 1 million patients in the state, Attorney General Dana Nessel announced Tuesday.
    • Paramount and CBS owner confirms significant breach affecting data of thousands of users - Sead Fadilpašić, Tech Radar (12/27/2023)
      Cinema and media powerhouse National Amusements has confirmed suffering a breach in which hackers stole sensitive information from thousands of users, putting them at risk of identity theft. The conglomerate has filed a report with the Office of the Maine Attorney General in which it reported suffering a data breach in December 2022. During the incident, the attackers stole sensitive personal information from 82,128 people.
    • Class action: 23 & Me over data breach failed to protect against data breach - Cook County Record (12/26/2023)
      A class action lawsuit filed in Chicago has become one of the latest local class actions amid many cases nationwide accusing genetic screening company 23&Me of not doing enough to protect customer data amid a data breach.
    • Xfinity notifies its customers of data breach linked to software vulnerability - The Associated Press (12/19/2023)
      Hackers accessed Xfinity customers’ personal information by exploiting a vulnerability in software used by the company, the Comcast-owned telecommunications business announced this week.
    • Hackers leak game plans in Insomniac Games breach - Sam Sabin, AXIOS (12/19/2023)
      The Rhysida ransomware gang has leaked a trove of internal documents stolen from Sony's Insomniac Games, including game roadmaps, character art, budgets and details about the highly anticipated Wolverine game release.
    • Major data breach leaks highly sensitive donor records of multiple charities - Craig Hale, Tech Radar (12/13/2023)
      A database of nearly one million records, including information of a donor platform, has been discovered online without password protection. Cybersecurity researcher Jeremiah Fowler is credited with finding more than 948,000 records in a database measuring over 465GB that is believed to belong to DonorView, a software provider for nonprofits.
    • Apple urges governments not to weaken security as it says billions of personal records stolen in data breaches - Andrew Griffin, The Independent (12/07/2023)
      Apple has governments and others to keep the internet secure with encryption as it reveals the huge scope of data breaches in recent years. The total number of data breaches has more than tripled over the last ten years, the company said, with 2.6 billion personal records stolen in the last two years.
    • 23andMe sees personal data on 6.9 million customers stolen by hackers - Jacob Knutson, AXIOS (12/04/2023)
      Hackers stole personal data belonging to 6.9 million people who used services from the genetic testing company 23andMe in October, a company spokesperson confirmed to Axios on Monday.
    • Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say - Frank Bajak and Marc Levy, The Independent (12/03/2023)
      A small western Pennsylvania water authority was just one of multiple organizations breached in the United States by Iran-affiliated hackers who targeted a specific industrial control device because it is Israeli-made, U.S. and Israeli authorities say.
    • Blue Shield of California customer data stolen in cyberattack - Andrea Chang, Los Angeles Times (12/01/2023)
      An unknown number of Blue Shield of California members may have had their personal data, including Social Security numbers, birth dates and treatment information, stolen during a cybersecurity breach this spring.
    • More than 1 million Michiganders affected by Welltok cyberattack - Kristen Jordan Shamus, Detroit Free Press (11/30/2023)
      More than 1 million Michiganders were affected by a cybersecurity breach at Welltok Inc., a software company contracted to provide communication services for Corewell Health's southeastern Michigan properties along with a healthy lifestyle portal for Priority Health, an insurance plan owned by Corewell.
    • All Okta support system customers caught in previously disclosed breach - Matt Kapko, Cybersecurity Dive (11/29/2023)
      The fallout from an Okta breach earlier this fall expanded dramatically this week after the single sign-on provider said an incident it previously determined to affect 1% of its customer support system clients, in fact, compromised them all.
    • 9M health records spilled by transcription firm - Simon Hendery, SC Media (11/16/2023)
      Personal and health information belonging to 9 million Americans was compromised in a cyberattack against medical transcription service provider Perry Johnson & Associates (PJ&A).
    • Digital pharmacy startup Truepill confirms hackers accessed health data for 2.3M users - Heather Landi, Fierce Healthcare (11/15/2023)
      Postmeds, doing business as Truepill, confirmed that hackers accessed the personal data of more than 2.3 million patients. Postmeds, a pharmacy company that fulfills mail-order prescriptions, said in a data breach notice on its website it experienced a cybersecurity incident in late August, and a "bad actor" gained access to a subset of files used for pharmacy management and fulfillment services.
    • Mercer University seeks dismissal of cyber attack data-breach lawsuit - Joe Kovac Jr., The Telegraph (11/07/2023)
      Lawyers for Mercer University have asked a federal judge to dismiss a lawsuit filed by four former students and a past instructor seeking unspecified damages in the wake of a data-security breach pulled off by cybercriminals early this year.
    • Cook County Health Says Information of 1.2 Million Patients Has Potentially Been Compromised - Steve Alder, HIPAA Journal (11/06/2023)
      Cook County Health in Chicago, Illinois has recently confirmed that the protected health information of up to 1.2 million patients has potentially been obtained by an unauthorized individual in a cyberattack on one of its business associates.
    • Stanford says it is investigating after hacker group threatens to release confidential information - Austin Turner, The Mercury News (10/31/2023)
      Stanford University said Monday it was investigating a “cybersecurity incident” after a ransomware group threatened to release confidential information from the university’s Department of Public Safety on the dark web.
    • Colorado Calls for Inquiry Into Delayed Data Breach Reporting - David Migoya, The Gazette (10/31/2023)
      Colorado House Republican leaders on Monday, Oct. 30, called for an investigation into why Colorado's higher education agency allegedly failed to timely report a massive data breach this summer.
    • 2023 toll of data breaches and leaks already tops 2022 - Sam Sabin, Axios (10/13/2023)
      The total number of data breaches and leaks in 2023 so far has already outpaced last year's numbers, according to new data from the Identity Theft Resource Center.
    • Equifax's U.K. Arm Fined Over Data Breach - Margot Patrick, The Wall Street Journal (10/13/2023)
      Equifax’s (EFX) U.K. arm was fined around $13.6 million Friday for failing to protect the data of millions of British customers in a 2017 hack of the credit-reporting company.
    • Sony confirms data breach impacting thousands of workers - Sead Fadilpašić, Tech Radar (10/05/2023)
      Sony has confirmed reports that sensitive data from current and former employees had been stolen by outside forces. In a breach notification letter sent out to affected individuals, Sony said that hackers leveraged a flaw in the MOVEit managed file transfer software to steal sensitive personal information belonging to them, or possibly their family members.
    • The fundraising software company Blackbaud agreed Thursday to pay $49.5 million to settle claims brought by the attorneys general of 49 states and Washington, D.C., related to a 2020 data breach that exposed sensitive information from 13,000 nonprofits. - The Associated Press (10/05/2023)
      The fundraising software company Blackbaud agreed Thursday to pay $49.5 million to settle claims brought by the attorneys general of 49 states and Washington, D.C., related to a 2020 data breach that exposed sensitive information from 13,000 nonprofits.
    • Fort Myers health care billing company faces data breach; notifies patients - Liz Freeman, Naples Daily News (10/03/2023)
      A Fort Myers-based health care billing company faced a data breach that put patients’ personal data in jeopardy of unlawful use. Arietis Health LLC., with offices in Fort Myers, Durham, N.C., and India, has sent notice to patients of the data breach that occurred May 31 and was confirmed July 26 after an investigation, according to a press release.
    • MOVEit breach hit nearly 900 colleges, says National Student Clearinghouse - Natalie Schwartz, Higher Ed Dive (09/27/2023)
      The National Student Clearinghouse said nearly 900 colleges suffered a data breach during the mass hack of the file-sharing tool MOVEit, according to filings last week with the California attorney general’s office.
    • Many firms aren't reporting breaches to the proper authorities - Lewis Maddison, Tech Radar (09/26/2023)
      Research conducted by Keeper Security found that nearly half (48%) of the IT and security leaders it surveyed that have experienced a cybersecurity incident did not report it to the appropriate authorities. What's more, 41% of such attacks were not event reported to leadership within the company itself.
    • J&J, IBM face class-action lawsuit over patient data breach - Angus Liu, Fierce Pharma (09/26/2023)
      J&J and IBM were hit with a proposed class action over a recent data breach at J&J’s patient assistance program, Janssen CarePath, which is managed by IBM.
    • Air Canada reports data breach, employee data affected - Sead Fadilpašić, Tech Radar (09/25/2023)
      Air Canada has suffered a cyberattack in which some employee information was accessed. The news was confirmed by the airline itself, via a press release published on the company’s website, where a statement revealed, "an unauthorized group briefly obtained limited access to an internal Air Canada system related to limited personal information of some employees and certain records."
    • Insurers fear rise in sensitive data theft as cyber crime tops list of the sectors key concerns - PwC (09/11/2023)
      The potential theft of sensitive data, as well as phishing and ransomware attacks pose the greatest global threat to the insurance sector according to new research from PwC and CSFI, the financial services think tank. The findings track the opinions of insurance leaders around the world about what they see as the most significant risks facing the sector over the next two to three years.
    • L.A. Care must pay $1.3M settlement over data breaches that violated HIPAA: HHS - Frank Diamond, Fierce Healthcare (09/11/2023)
      L.A. Care, the country's largest public operated health plan, has reached a $1.3 million settlement with the feds to settle potential Health Insurance Portability and Accountability Act (HIPAA) violations linked to data breaches.
    • Some Eversource customers had personal information stolen in larger data breach - NBC Connecticut (08/31/2023)
      More than 3,000 Eversource customers in Connecticut have had personal information stolen as part of a larger data breach, according to the company. It's part of the cyber attack involving MOVEit, which has affected big companies across the globe. It's the same data breach that has affected some M&T Bank customers in Connecticut.
    • Lawsuit accuses University of Minnesota of not doing enough to prevent data breach - ABC News (08/30/2023)
      A lawsuit filed on behalf of a former student and former employee at the University of Minnesota accuses the university of not doing enough to protect personal information from a recent data breach.
    • Tesla Sues Two Ex-Employees For Data Breach That Affected 75,000 - Dan Mihalascu, Inside EVs (08/22/2023)
      Tesla has filed lawsuits against two unnamed former employees accusing them of a data breach that impacted more than 75,000 people as a result of "insider wrongdoing." According to a notice posted by the office of the Maine Attorney General seen by Bloomberg, a total of 75,735 people were affected by the data breach, including nine residents of Maine. The people appear to be current or former employees of Tesla.
    • Tesla data breach affects over 75K people, starts notifying workers - ET Auto (08/20/2023)
      Elon Musk-run Tesla has started notifying current and former employees whose information was involved in a confidential data breach in May that affected 75,735 people.
    • University of Missouri System data breach impacts thousands, investigation launched - Joey Schneider, Kansas City FOX 4 News (08/16/2023)
      Officials have launched an investigation into a recent University of Missouri System data breach, which has impacted thousands of organizations and led to some personal data being compromised.
    • UMass Chan hit by MOVEit hack - SC Staff, SC Media (08/16/2023)
      Massachusetts' Executive Office of Health and Human Services has disclosed that UMass Chan Medical School was impacted by the widespread breach of the MOVEit Transfer application, compromising data from more than 134,000 individuals who are part of or previously enrolled in some state programs, according to CBS News Boston.
    • Personal data of more than 40K Vermonters may have been compromised - Times Argus (08/11/2023)
      The Vermont Department of Financial Regulation announced Friday that the personal data of roughly 42,000 residents has been compromised. DFR stated in a press release it has been notified about a large-scale data security breach affecting about 38 million consumers nationwide. According to the department, the breach occurred when a ransomware gang infiltrated the file transfer software used by many public and private organizations.
    • MoveIT breach exposes data of 612K Medicare beneficiaries, CMS says - Rebecca Pifer, Cybersecurity Dive (07/31/2023)
      The sensitive personal and health information of approximately 612,000 Medicare beneficiaries was exposed as part of the MoveIT transfer service breaches, according to the CMS.
    • Attorneys in Lehigh Valley Health Network data breach lawsuit battle over protection of data downloaded from dark web - Terrie Morgan-Besecker, The Morning Call (07/29/2023)
      Attorneys for Lehigh Valley Health Network allege lawyers suing the provider over a cyberattack that exposed patients’ personal information to the dark web improperly downloaded the data from a website run by the hackers.
    • Average Data Breach Costs Soar to $4.4M in 2022 - Robert Lemos, Dark Reading (07/27/2023)
      Sixty percent of breaches have resulted in companies recouping the cost of fines, clean-up, and technological improvements by increasing prices, essentially making consumers pay for breaches and companies' lack of preparedness, according to an annual report published on July 27.
    • Chinese hackers breached US ambassador to China’s email account - Sean Lyngaas and Kylie Atwood, CNN (07/21/2023)
      China-based hackers breached the email account of US Ambassador to China Nicholas Burns as part of a recent targeted intelligence-gathering campaign, three US officials familiar with the matter told CNN.
    • On the Brink(er): In Appeal of Closely-Watched Data Breach Class Certification, Eleventh Circuit Vacates in Part and Remands for Further Proceedings - Mark A. Olthoff and Shundra Crumpton Manning, Polsinelli (07/14/2023)
      The Eleventh Circuit’s recent ruling in In re Brinker Data Incident Litigation (“Brinker”) is the first time that a federal circuit court has ruled on a lower court’s grant of class certification in a data breach class action case. The Eleventh Circuit, in a 2-1 split panel decision, vacated in part the District Court’s class certification order finding that two out of three named plaintiffs did not have Article III standing.
    • Data breach exposes personal information of Idaho college students, employees - Gabe Barnard, The Spokesman-Review (07/14/2023)
      A data breach has exposed personal information of students and employees at seven of Idaho’s public colleges, the State Board of Education said Friday. The exposed data includes first and last names, addresses, birthdays and Social Security numbers of employees of Boise State University, the University of Idaho, Idaho State University, Lewis-Clark State College, and three community colleges: the College of Western Idaho, College of Southern Idaho and North Idaho College, according to a news release.
    • Two more lawsuits filed against Scranton cardiology group over data breach - Terrie Morgan-Besecker, The Times-Tribune, Scranton, Pa. (07/11/2023)
      Cybercriminals attempted to access accounts of a Scranton couple who are among clients whose personal information was exposed in a data breach at a Commonwealth Health cardiology group's practice, according to a proposed class-action lawsuit.
    • HCA Healthcare reports data breach potentially impacting 11M patients - Heather Landi, Fierce Healthcare (07/10/2023)
      HCA Healthcare reported Monday that hackers stole personal information including patient names and dates of birth and posted it online. The Nashville, Tennessee-based health system said the information was taken from an external storage location exclusively used to automate the formatting of email messages.
    • Human error may have caused data breach involving more than 5,500 people in P.E.I. - Bill Dicks, CTV Atlantic (07/10/2023)
      More than 5,600 clients of a provincial employment program on Prince Edward Island may have had their personal information compromised after a privacy breach. The head of SkillsPEI says human error was to blame.
    • 1st Source says data compromised in MOVEit data breach - Reuters (07/10/2023)
      Financing firm 1st Source Corp (SRCE.O) said on Monday a third party gained access to data of its commercial and individual clients as part of the security breach involving popular file transfer tool MOVEit reported last month.
    • SEC delays final rule on cyber incident disclosure as industry pushes back - David Jones, CFO Dive (06/16/2023)
      The Securities and Exchange Commission has postponed until October a final rule that would require publicly traded companies to report material cyber breaches and attacks in regulatory filings.
    • 'Global' hack exposed 6 million Louisiana driver's license and other OMV records, state says - James Finn, nola.com (06/16/2023)
      A massive data breach roiling Louisianans' Office of Motor Vehicles exposed at least six million records including driver's license information and other data, officials said Friday. Officials don't currently believe any state agencies besides the OMV were affected, Casey Tingle, director of the Governor's Office of Homeland Security and Emergency Preparedness, told reporters.
    • Exclusive: US government agencies hit in global cyberattack - Sean Lyngaas, CNN (06/15/2023)
      Several US federal government agencies have been hit in a global cyberattack by Russian cybercriminals that exploits a vulnerability in widely used software, according to a top US cybersecurity agency.
    • Lawsuit accuses Harvard Pilgrim of 'negligently failing' to protect members' data following breach - Frank Diamond, Fierce Healthcare (06/15/2023)
      Harvard Pilgrim Health Care and its parent company, Point32Health, have been hit with a class-action lawsuit for allegedly failing to secure the personal information of over 2.5 million people.
    • UPMC contractor detects patient data breach - Stephanie Ritenbaugh, Pittsburgh Tribune-Review (06/13/2023)
      A contractor for UPMC said it discovered a data breach that could have impacted customer and patient information. Tennessee-based Intellihartx LLC said it found that its secure file transfer service provider, Fortra, “experienced a data security incident.” The company undertook an investigation to figure out the scope of the incident. Intellihartx is notifying those potentially affected. It said it so far is unaware of anyone misusing the information.
    • 2023 Data Breach Investigations Report: frequency and cost of social engineering attacks skyrocket - Verizon Business (06/06/2023)
      Verizon Business today released the results of its 16th annual Data Breach Investigations Report (2023 DBIR), which analyzed 16,312 security incidents and 5,199 breaches. Chief among its findings is the soaring cost of ransomware – malicious software (malware) that encrypts an organization’s data and then extorts large sums of money to restore access.
    • Insurance regulators examining Point32Health data breach - Sam Drysdale and Michael P. Norton, State House News Service (05/29/2023)
      State insurance regulators have opened an examination into a cyberattack on one of the state’s largest health insurance providers. The Division of Insurance is monitoring the Point32Health data breach, which may have compromised personal data including addresses, medical history and Social Security numbers of current and former Harvard Pilgrim Health Care policyholders, according to Executive Office of Housing and Economic Development spokesperson Margaret Quackenbush.
    • FBI probing Fox News ‘hack’ linked to leak of unaired Tucker Carlson footage - Graig Graziosi, The Independent (05/27/2023)
      Federal investigators are reportedly probing an alleged hack that compromised Fox News' internal systems, resulting in the release of previously unaired footage featuring its former star host, Tucker Carlson.
    • NYC's Metropolitan Opera sued for massive data breach - Adam Schrader, UPI (05/27/2023)
      New York City's Metropolitan Opera, the largest opera house in the world, is facing a class action lawsuit after a data breach allegedly compromised the personal information for 45,000 employees and patrons.
    • Dutch Watchdog Looking Into Alleged Tesla Data Breach - Riham Alkousaa and Toby Sterling, Reuters (05/25/2023)
      The data protection watchdog for the Netherlands said on Friday it was aware of possible Tesla data protection breaches, but it was too early for further comment. Germany's Handelsblatt reported on Thursday that Elon Musk's Tesla had allegedly failed to adequately protect data from customers, employees and business partners, citing 100 gigabytes of confidential data leaked by a whistleblower.
    • Amazon’s PillPack reports data breach affecting more than 19,000 - Emily Olsen, Healthcare Dive (05/22/2023)
      PillPack, an online pharmacy owned by Amazon, has reported a data breach affecting more than 19,000 customers. The cyberattack exposed users’ email addresses, prescription information and their providers’ contact details. Social Security numbers and credit card information weren’t involved. PillPack said more than 3,600 affected accounts included prescription data.
    • Suspected cyberattack cripples news operations at Philadelphia Inquirer - A.L. Lee, UPI (05/15/2023)
      A suspected cyberattack crippled operations at the Philadelphia Inquirer over the weekend, leaving the newspaper unable to print its regular Sunday edition and leaving staff without a headquarters as a major city election approached.
    • Thousands of US government workers have data leaked online - Sead Fadilpašić, Tech Radar (05/15/2023)
      The US Transportation Department (USDOT) has been hit by a cyberattack that saw data on current and former employees stolen. In a report, Reuters, citing “sources briefed on the matter”, states that the incident affected a total of 237,000 people - 114,000 current USDOT employees, and 123,000 former ones.
    • Discord reveals data breach after worker hack - is your account affected? - Sead Fadilpašić, Tech Radar (05/15/2023)
      Top streaming service Discord has suffered a minor cybersecurity incident in which potentially sensitive and personal user data was exposed. In a letter sent to users seen by BleepingComputer, the company revealed unnamed threat actors managed to compromise an account belonging to a third-party support agent, gaining access to the agent's support ticket queue, which included some personally identifiable information such as user email addresses.
    • Hackers Post Data to Dark Web After Massachusetts Cyber Attack - Melanie Gilbert, Government Technology (05/12/2023)
      The ransomware group Play, which has claimed responsibility for the hacking of Lowell's municipal network on April 24, said Thursday that it released 5 gigabytes of data from that theft and posted it to the dark web.
    • Former Ubiquiti engineer sentenced to six years for stealing company data, attempted extortion - Rob Thuron, Tech Spot (05/12/2023)
      An engineer who worked for wireless networking products provider Ubiquiti has been sentenced to six years in prison for stealing gigabytes of confidential data from the company and demanding $1.9 million for its return.
    • Prosecution of Former Uber Security Chief Carries Warnings for Cyber Leaders - James Rundle, The Wall Street Journal (05/05/2023)
      Joseph Sullivan, the former chief security officer at Uber Technologies, was sentenced to three years’ probation by a federal court in San Francisco, over criminal obstruction charges relating to a 2016 data breach at the ride-hailing giant.
    • Ransom demands, recovery times, payments and breach lawsuits all on the rise - Jessica Davis, SC Media (05/01/2023)
      Healthcare data breach lawsuits were filed last week against 90 Degree Benefits, CommonSpirit, and OneBrooklyn Health. The three legal filings reflect a broader trend of the growing impact of cybercrime and ransomware across all industries, like healthcare.
    • CFPB staffer forwarded data on 250K consumers to personal account - Stephen Neukam, The Hill (04/19/2023)
      A now-former Consumer Financial Protection Bureau (CFPB) employee sent the personal information of over 250,000 individuals to their personal email account, the agency said, calling the privacy breach “completely unacceptable.”
    • Thousands of Iowa Medicaid members affected in national data breach - Michaela Ramm, Des Moines Register (04/17/2023)
      Approximately 20,800 members in Iowa's Medicaid program were affected in a data breach of a third-party vendor hired by the state to help manage the state health insurance program for Iowans who are poor or disabled.
    • Education data breaches hit record high in 2021 - Anna Merod, K-12 Dive (04/10/2023)
      To date, 2021 has marked the biggest year for data breaches in education, impacting 771 institutions and nearly 2.6 million records, Comparitech said. The Illuminate Education data breach affecting at least 605 institutions made up a significant portion of the share.
    • Taiwanese PC Company MSI Falls Victim to Ransomware Attack - Ravie Lakshmanan, The Hacker News (04/08/2023)
      Taiwanese PC company MSI (short for Micro-Star International) officially confirmed it was the victim of a cyber attack on its systems. The company said it "promptly" initiated incident response and recovery measures after detecting "network anomalies." It also said it alerted law enforcement agencies of the matter.
    • Law firm fined $200K by NY AG over 2021 data breach that exposed health care information - News 12 Staff, News 12 Westchester (03/27/2023)
      A law firm has to pay up for a 2021 data breach that compromised New Yorkers' health care information. The state Attorney General's Office says HPMB Law Firm will have to pay the state $200,000. The AG says the firm had poor data security measures that made it vulnerable when a hacker got in through its email server.
    • Latitude Financial cyber-attack worse than first thought with 14m customer records stolen - Jonathan Barrett, The Guardian (03/26/2023)
      Latitude Financial has revealed that 14m customer records – including driver’s licence numbers, passport numbers and financial statements – were stolen from its system in a cyber-attack that was far worse than the company initially reported.
    • Ferrari Hit By Cyberattack Demanding Customer Details - AFP News (03/21/2023)
      Luxury Italian carmaker Ferrari has revealed it was a victim of a cyberattack targeting confidential information about its customers, but said it had refused a ransom demand.
    • FBI Arrests Alleged Mastermind Behind BreachForums, ‘Pompompurin’ - Miklos Zoltan, Privacy Affairs (03/21/2023)
      Last Wednesday, US federal agents arrested New York resident Conor Brian Fitzpatrick, believed to be the mastermind behind the notorious dark web data-breach site BreachForums, known by the alias “Pompompurin.”
    • Maternal and Family Health Services sued over data breach - Terrie Morgan-Besecker, The Time-Tribune, Scranton, Pa. (03/20/2023)
      Maternal & Family Health Services Inc. learned hackers obtained confidential information on more than 460,000 patients, but did not notify affected individuals until nine months after the discovery, according to a proposed federal class action lawsuit.
    • NBA fans are being warned their data might have been hacked - Sead Fadilpašić, Tech Radar (03/20/2023)
      Basketball fans interested in getting regular email updates from the NBA may have had some of their personal data stolen, the body has confirmed. The NBA has sent out a “Notice of cybersecurity incident” to an “unknown number” of fans, BleepingComputer reported.
    • Hitachi Energy confirms data breach after being hit by Clop ransomware - Sead Fadilpašić, Tech Radar (03/20/2023)
      We can now add Hitachi Energy to the increasingly growing list of organizations compromised through the GoAnywhere MFT zero-day vulnerability. The company has published a press release in which it explained the details of the breach: "We recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware(opens in new tab) group that could have resulted in an unauthorized access to employee data in some countries," the company said.
    • Wave of telecom data breaches highlight industry's weaknesses - Sam Sabin, Axios (03/17/2023)
      A recent data breach involving millions of AT&T customers is bringing renewed attention to the fault lines in major telecommunications providers' security programs.
    • CISA says hackers had access to federal agency for months - Sead Fadilpašić, Tech Radar (03/16/2023)
      An unnamed U.S. civilian executive branch has unintentionally been feeding intel to cybercriminals and state-sponsored threat actors for six months, a new report from the country’s law enforcement and intelligence agencies claims.
    • Med tech vendor Zoll has one million sensitive records stolen - Sead Fadilpašić, Tech Radar (03/16/2023)
      Zoll Medical, a company that builds hardware and software for the healthcare industry, filed a report with the Office of the Maine Attorney General earlier this month, in which it detailed the hack that resulted in its data theft.
    • Members of 'ViLE' online group charged by Brooklyn feds with using stolen police credentials for 'doxxing' scheme - John Annese, New York Daily News (03/14/2023)
      A Queens man and his teenage cohort from Rhode Island posed as a cop to access law enforcement data as part of a sick doxxing and extortion scheme, federal prosecutors in Brooklyn said Tuesday.
    • 2,000 assessment records breached in LAUSD cyber attack - Kate Sequeira, Ed Source (02/24/2023)
      About 2,000 assessment records were breached during the September cyber attack on Los Angeles Unified, affecting at least 60 currently enrolled students, the district is now disclosing. Compromised records have primarily affected former district students and include some drivers license numbers and social security numbers.
    • DNA Diagnostics Center Reaches $400K Settlement After Healthcare Data Breach - Sarai Rodriguez, Health IT Security (02/22/2023)
      DNA Diagnostics Center has reached a $400,000 settlement to resolve several violations over a 2021 healthcare data breach. DNA Diagnostics Center is a major private DNA-testing organization providing diagnostic and genetic testing to address questions about health, fertility, and relationships.

       

    • Hackers steal Activision games and employee data - Lorenzo Franceschi-Bicchierai, Tech Crunch (02/21/2023)
      Unknown hackers stole internal data from the games giant Activision. On Sunday, the cybersecurity and malware research group vx-underground published screenshots of data purportedly stolen from Activision, including the schedule of planned content to be released for the popular first-person shooter Call of Duty.

       

    • Companies grapple with post-breach disclosure risks - Matt Kapko, Cybersecurity Dive (02/16/2023)
      Post-breach disclosures remain a rarity, despite constant warnings from cyber authorities that they can only help organizations if incidents are brought to their attention. While half of organizations suffered a data breach in 2022, nearly three-quarters of those breached chose not to disclose the information, according to a report released Thursday by Arctic Wolf.

       

    • Sharp notifies nearly 63,000 patients of data breach - Paul Sisson, The San Diego Union-Tribune (02/06/2023)
      Sharp HealthCare, San Diego’s largest health provider, announced Monday that it has begun notifying 62,777 of its patients that some of their personal information was compromised during a hacking attack on the computers that run its website, sharp.com.

       

    • Iran behind hack of French magazine Charlie Hebdo, Microsoft says - Zeba Siddiqui, Reuters (02/03/2023)
      An Iranian government-backed hacking team allegedly stole and leaked private customer data belonging to French satirical magazine Charlie Hebdo, security researchers at Microsoft said on Friday.

       

    • 2022 data breach report: fewer incidents, more victims - Rob Thubron, Tech Spot (01/30/2023)
      The 17th annual Data Breach Report from the Identity Theft Resource Council (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, shows that there were 1,802 data compromises in the US last year, just 60 short of the record 1,862 seen in 2021.

       

    • UCHealth, UCLA Health Report Healthcare Data Breaches - Jill McKeon, Health IT Security (01/27/2023)
      The healthcare data breach at UCHealth stemmed from a third-party vendor, and the UCLA Health breach was tied to the organization’s use of analytics tools.

       

    • Breach hits GoTo, the parent company of LastPass - Matt Kapko, Cybersecurity Dive (01/24/2023)
      GoTo is confronting potentially extensive damage after a threat actor exfiltrated encrypted backups and an encryption key tied to some of the stolen data.

       

    • Entire US "no fly list" leaked online after being left on an unsecured server - Craig Hale, Tech Radar (01/23/2023)
      The entire of the US "No Fly List" has been exposed online by a Swiss hacker who reportedly found three sensitive files stored on an unsecure cloud storage server. One of the files contains the information of more than 1.5 million entries into the list, which covers individuals who have been barred from travelling to or from the US.

       

    • If you use PayPal, your personal data may have been compromised - Monica J. White, Digital Trends (01/20/2023)
      PayPal has recently suffered a massive data breach, and if you were one of the affected users, your details may have been leaked. Given the nature of a PayPal account, the exposed data includes some of the most sensitive information, which could put those users at risk of identity theft.

       

    • T-Mobile Says Hackers Stole Data on About 37 Million Customers in Breach - Will Feuer, The Wall Street Journal (01/20/2023)
      T-Mobile US Inc. said hackers accessed data, including birth dates and billing addresses, for about 37 million of its customers, the second major security lapse at the wireless company in two years.

       

    • PayPal, Inc. Announces Data Breach Following Apparent Credential-Stuffing Attack - Richard Console, Jr., JD Supra (01/19/2023)
      On January 18, 2023, PayPal, Inc. filed notice of a data breach with the Maine Attorney General’s Office after learning that confidential consumer information was compromised following what appears to have been a credential-stuffing attack.
    • Norton LifeLock says thousands of customer accounts breached - Zach Whittaker, Tech Crunch (01/15/2023)
      Thousands of Norton LifeLock customers had their accounts compromised in recent weeks, potentially allowing criminal hackers access to customer password managers, the company revealed in a recent data breach notice.

       

    • Hackers leak sensitive files after attack on San Francisco transit police - Kevin Collier, NBC News (01/10/2023)
      Criminal hackers have posted an enormous trove of sensitive files to the internet from a San Francisco Bay Area transit system’s police department, including specific allegations of child abuse.

       

    • Twitter hacked, 200 million user email addresses leaked, researcher says - Raphael Satter, Reuters (01/05/2023)
      Hackers stole the email addresses of more than 200 million Twitter users and posted them on an online hacking forum, a security researcher said Wednesday.

       

    2022

    • Gemini, Uber data breaches show third-party risk can’t be ignored - Tim Keary, Venture Beat (12/16/2022)
      Third-party risk is one of the most overlooked threats in enterprise security. Research shows that over the past 12 months, 54% of organizations have suffered data breaches through third parties. This week alone, both Uber and cryptocurrency exchange Gemini have been added to that list.

       

    • Events D.C. data published online in apparent ransomware attack - Michael Brice-Saddler and Aaron Schaffer , The Washington Post (12/16/2022)
      Nearly two months after D.C.’s official convention and sports authority said it was the victim of a cyberattack that may have compromised sensitive information about its employees, a ransomware group now appears to have published a tranche of data and documents from the agency on the dark web.

       

    • Information of 360,000 people affected in Ontario vaccine data breach - Canadian Press, The Toronto Sun (12/09/2022)
      The Ontario government says it is notifying about 360,000 people whose personal information was involved in a vaccine database breach more than a year ago.
    • Amnesty Canada Blames China For 'Sophisticated' Hack - AFP - Agence France Presse, Barron's (12/06/2022)
      The Canadian arm of rights group Amnesty International said on Monday it had been hit by what it termed a "sophisticated digital security breach" that it believed was sponsored by China.

       

    • Report Shows California Gun Data Breach Was Unintentional - Adam Beam, Insurance Journal (12/02/2022)
      California’s Department of Justice mistakenly posted the names, addresses and birthdays of nearly 200,000 gun owners on the internet because officials didn’t follow policies or understand how to operate their website, according to an investigation released this week.

       

    • Ontario appeal court limits privacy claim in data breach lawsuits - Howard Solomon, IT World Canada (12/01/2022)
      The ability of victims of data theft in Ontario to sue organizations for failing to protect their information under a fledgling privacy right has been almost eliminated by a ruling of the province’s appeal court.

       

    • Security breach exposes LastPass user data - Patrick Hilsman, UPI (12/01/2022)
      Password management service LastPass announced that a security breach exposed users' personal data. LastPass announced the breach in a tweet on Wednesday that did not clarify what data was exposed but said that customer passwords were not compromised.

       

    • Identities of Thousands of Migrants Seeking Asylum in U.S. Posted in Error - Livia Albeck-Ripka and Miriam Jordan, The New York Times (12/01/2022)
      Immigration and Customs Enforcement mistakenly released the names and other identifying details of 6,252 migrants seeking protection in the United States this week, the agency said Wednesday. The error raised fears for their safety among advocates for asylum seekers.
    • Medibank hackers announce ‘case closed’ and dump huge data file on dark web - Josh Taylor, The Guardian (11/30/2022)
      The cybercriminals behind the Medibank cyber-attack have posted on the dark web what appears to be the remainder of the customer data they took from the health insurer, stating it is “case closed” for the hack.

       

    • Belgian Police Under Fire After Major Ransomware Leak - Phil Muncaster, Info Security (11/28/2022)
      A notorious ransomware group has begun leaking highly sensitive data it stole from Belgian police, in what is being described as one of the biggest breaches of its kind in the country.

       

    • Millions of Twitter users hacked in ‘colossal’ security breach - Anthony Cuthbertson, The Independent (11/28/2022)
      Millions of Twitter accounts have been compromised after a security bug was exploited by hackers. User records of over 5.4 million people were stolen through a vulnerability known as an API (application programming interface) attack, which exposed private phone numbers and email addresses.

       

    • Irish watchdog fines Meta 265M euros in latest privacy case - Kelvin Chan, The Associated Press (11/28/2022)
      Irish regulators slapped Facebook parent Meta with a 265 million-euro ($277 million) fine Monday, the company’s latest punishment for breaching strict European Union data privacy rules.
    • Major Canadian Crypto Exchange Coinsquare Says Client Data Breached - Frederick Munawa, CoinDesk (11/26/2022)
      Coinsquare, one of Canada’s largest cryptocurrency exchanges, may have been breached, but the company claims customer assets are “secure in cold storage and are not at risk.”

       

    • ‘Really poor form’: Medibank yet to contact hundreds of customers with leaked personal data - Josh Taylor, The Guardian (11/16/2022)
      Customers whose personal details – but not medical information – were posted online have been left in the dark by health insurer.

       

    • Medibank data theft: hackers release records they claim are related to mental health and alcohol issues - Australian Associated Press, The Guardian (11/10/2022)
      The hackers allegedly behind the Medibank data theft have released another file of apparently stolen medical records despite being warned the “smartest and toughest” people in Australia are coming after them.

       

    • Medibank refuses to pay cyber ransom in hack affecting 9.7M customers - Clyde Hughes, UPI (11/07/2022)
      Medibank, one of Australia's largest health insurers, said on Monday it will not pay a ransom to hackers who allegedly gained access to information belonging to millions of its customers recently. The company said it cannot "trust criminals" attempting to shield the stolen information that was hacked. Medibank said last month it appeared hackers had breached its computer system to gain data on more than five million current customers and more former customers.

       

    • AstraZeneca password lapse exposed patient data - Zack Whittaker, Tech Crunch (11/03/2022)
      Pharmaceutical giant AstraZeneca has blamed “user error” for leaving a list of credentials online for more than a year that exposed access to sensitive patient data.

       

    • Crime group hijacks hundreds of US news websites to push malware - Carly Page, Tech Crunch (11/03/2022)
      A cybercriminal group has compromised a media content provider to deploy malware on the websites of hundreds of news outlets in the U.S., according to cybersecurity company Proofpoint.

       

    • New phishing campaign lures victims with new Elon Musk Twitter verification rules - Sead Fadilpašić, Tech Radar (11/03/2022)
      Elon Musk's purchase of Twitter is being used by scammers as a lure to steal login credentials from “famous or well-known” persons, or those believing to fit the category.

       

    • Hackers Stole Source Code, Personal Data From Dropbox Following Phishing Attack - Eduard Kovacs, Security Week (11/02/2022)
      Dropbox revealed on November 1 that it recently suffered a data breach where malicious actors gained access to some source code and personal information belonging to employees and customers. The file hosting giant said it learned about the breach on October 14, after being alerted by GitHub.

       

    • WakeMed faces class action lawsuit for alleged Meta Pixel data breach - Ashley Anderson, Gilat Melamed, CBS 17 (11/02/2022)
      WakeMed is on the receiving end of a class action lawsuit seeking a trial by jury for an alleged data breach. The 33-page lawsuit filed this week claims that the information of nearly half a million patients was shared with Facebook, now known as Meta.
    • UK politicians demand probe into Liz Truss phone hack claim - Associated Press, Associated Press (10/30/2022)
      The British government insisted Sunday it has robust cybersecurity for government officials, after a newspaper reported that former Prime Minister Liz Truss’ phone was hacked while she was U.K. foreign minister.

       

    • Bed Bath & Beyond reviewing possible data breach - Reuters, Reuters (10/28/2022)
      Bed Bath & Beyond Inc said on Friday a third party had this month improperly accessed its data through a phishing scam by accessing the hard drive and certain shared drives of one of its employees.

       

    • Data breach victims sue Rhode Island transit agency, insurer - The Associated Press, The Associated Press (10/25/2022)
      Two people whose personal information was compromised in a data breach at Rhode Island’s public bus service that affected about 22,000 people sued the agency and a health insurer on Tuesday seeking monetary damages and answers.

       

    • FTC brings action against CEO of alcohol delivery company over data breach - Cat Zakrzewski, The Washington Post (10/24/2022)
      The Federal Trade Commission plans to take the rare step of bringing individual sanctions against the CEO of alcohol delivery company Drizly for data privacy abuses, following allegations that the company’s security failures under his watch exposed the personal information of about 2.5 million customers.

       

    • Medibank hack started with theft of company credentials, investigation suggests - Josh Taylor, The Guardian (10/24/2022)
      The Medibank hack began with the theft of the credentials of someone who had high-level access within the organisation, which were then sold on a Russian-language cybercrime forum, according to a source close to the company investigation.

       

    • Hackers steal 50GB data, thousands of emails from Iranian nuclear facilities - Sead Fadilpašić, Tech Radar (10/24/2022)
      The Iranian Atomic Energy Agency has suffered a data breach that reportedly saw thousands of emails leaked - however both the agency, and the group apparently behind the attack, have their own versions of events.

       

    • $228 Million Privacy Ruling Against Rail Giant Is ‘Wake-Up Call’ for Third-Party Risk - David Uberti, The Wall Street Journal (10/21/2022)
      Companies have paid out eye-popping sums in recent years to settle claims they violated Illinois’s biometric privacy law. Last week, a historic legal judgment against BNSF Railway Co. highlighted that data lapses by third-party contractors also don’t come cheap.

       

    • Advocate Aurora Health discloses data breach, 3 million could be affected - Ron Southwick, Chief Healthcare Executive (10/21/2022)
      The Advocate Aurora Health system says the system has suffered a breach affecting patient information. Advocate Aurora, one of America’s largest non-profit health systems, said in a statement that some information has been transmitted to other companies due to tracking technologies from Facebook and Google. These online tools, called pixels, track patient trends and preferences on Advocate Aurora's websites. Many hospitals, and many businesses, use pixels on their websites.

       

    • Australia's No. 1 health insurer says hacker stole patient details - Byron Kaye, Reuters (10/20/2022)
      Australia's biggest health insurer said on Thursday a criminal had apparently stolen customers' medical information as part of a massive breach of data, fuelling concern about a wave of high-profile cyber attacks.

       

    • New Mexico Licensing Department subject of cyber attack - The Associated Press, The Associated Press (10/13/2022)
      The New Mexico agency that oversees professional licenses for thousands of businesses across the state has been the target of a cyber attack. Officials said Thursday there is evidence of unauthorized access of the Regulation and Licensing Department and that some organizations and individuals had their records compromised.
    • Major U.S. Airport Websites Hit With Suspected Russian Cyberattacks - Madeline Halpert, Forbes (10/11/2022)
      A pro-Russian hacking group claimed credit for cyberattacks hitting more than a dozen U.S. airports’ websites Monday morning, according to multiple outlets, temporarily rendering parts of the sites inaccessible to the public, though the hacking did not result in any operational disruptions.

       

    • Second Australia-based Singtel Subsidiary Hacked - AFP News, AFP News (10/10/2022)
      Hackers have attacked a second subsidiary of Singapore Telecommunications Ltd (Singtel), the company said Monday, but analysts said it appeared the Southeast Asian telecom giant was not being specifically targeted.

       

    • Info expected to emerge slowly in hospital chain cyberattack - Kathleen Fody and Kimberlee Kruesi, The Associated Press (10/07/2022)
      Details of an apparent cyberattack on one of the largest health systems in the U.S. were slow to emerge as security experts on Friday warned that it often takes time to assess the full impact on patients and hospitals. Earlier this week, CommonSpirit Health confirmed it experienced an “IT security issue” but it has yet to answer detailed questions about the incident, including how many of its 1,000 care sites that serve 20 million Americans may have been affected. The health system giant, which is the second largest nonprofit health system in America, has 140 hospitals in 21 states.

       

    • Binance Blockchain Hit by $570 Million Hack, Exposing Crypto Vulnerabilities - Ephrat Livni, The New York Times (10/07/2022)
      Binance, the world’s biggest cryptocurrency exchange, confirmed on Friday that $570 million had been stolen in a hack of a blockchain it runs that serves as a bridge for asset transfers between networks. The attack on the Binance Smart Chain network highlighted weaknesses in decentralized finance, or DeFi, where transactions are controlled by code.

       

    • Log4Shell Among Chinese Hackers' Fave Vulns, Say Feds - Prajeet Nair, Bank Info Security (10/07/2022)
      A roundup by the FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency of the 20 most actively exploited vulnerabilities favored by Beijing's coterie of state-sponsored threat actors over the past two years puts CVE-2021-44228 - better known as Log4Shell - smack at the top.

       

    • Former Uber security chief guilty of data breach coverup - The Associated Press, The Associated Press (10/06/2022)
      The former chief security officer for Uber was convicted Wednesday of trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

       

    • Hamden mayor estimates $500,000 cost to address spring cyberattack - Meghan Friedmann, New Haven Register (10/05/2022)
      A May 26 cybersecurity event that compromised the town’s information technology system and affected government email for weeks is expected to cost the town roughly $500,000.

       

    • No prison for Seattle hacker behind Capital One $250M data breach - Renata Geraldo, The Seattle Times (10/05/2022)
      The former Amazon engineer whose 2019 hack compromised 100 million credit card users’ accounts won’t spend any additional time in jail. Convicted in June on seven hacking-related charges, Seattle resident Paige Thompson was sentenced Tuesday to time served and five years of probation for violating an anti-hacking law known as the Computer Fraud and Abuse Act.

       

    • Arizona announces $85M settlement with Google over user data - The Associated Press, The Associated Press (10/04/2022)
      Arizona Attorney General Mark Brnovich said Tuesday that his office had reached an $85 million settlement with Google to resolve a lawsuit that accused the tech company of “surreptitiously” obtaining user data to sell advertisements.
    • More Microsoft Exchange zero-days exploited in the wild - Sead Fadilpašić, TechRadar (10/03/2022)
      Two more zero-day vulnerabilities found in different versions of Microsoft Exchange Server are being exploited in the wild, the company has confirmed. According to recent customer guidance that Microsoft released for reported zero days, a server-side request forgery (SSRF) flaw, and remote code execution (RCE) flaw, were identified as being used by threat actors. The vulnerabilities were present in Microsoft Exchange Server 2013, 2016, and 2019 endpoints.
    • Hackers release data after LAUSD refuses to pay ransom - Howard Blume, Los Angeles Times (10/02/2022)
      Hackers released data from Los Angeles Unified School District on Saturday, a day after Supt. Alberto Carvalho said he would not negotiate with or pay a ransom to the criminal syndicate.

       

    • Suspected Chinese hackers tampered with widely used customer chat program, researchers say - Raphael Satter and Christopher Bing, Reuters (09/30/2022)
      Suspected Chinese hackers tampered with widely used software distributed by a small Canadian customer service company, another example of a "supply chain compromise" made infamous by the hack on U.S. networking company SolarWinds.
    • Montefiore flash drive containing patient information stolen in 6th data breach in 2 years - Aliya Schneider, The Bronx Times (09/28/2022)
      A Montefiore Medical Center research coordinator’s USB storage device was stolen, exposing personal information about more than 1,300 patients in the medical center’s second data breach this year and sixth since September 2020, impacting the privacy of 12,451 patients.

       

    • Media company hacked, racist push notifications sent to Apple iPhones - Joseph Menn, The Washington Post (09/27/2022)
      Hackers breached internal systems at Fast Company magazine Tuesday evening, defacing the company’s main news site and sending racist push notifications through Apple News to iPhone users.

       

    • Optus faces potential class action and pledges free credit monitoring to data-breach customers - Josh Taylor, The Guardian (09/26/2022)
      Optus has agreed to provide free credit monitoring to the millions of customers caught up in its massive data breach, as the home affairs minister flags changes to law to potentially fine companies millions for similar breaches.

       

    • Class Action Suit Moves Forward Against Robinhood Over Halting Meme Stock Trading - Derek Saul, Forbes (08/11/2022)
      A federal judge ruled Thursday that Robinhood must defend itself in court against a class action lawsuit related to the online brokerage’s January 2021 decision to halt trading in exploding “meme stocks” like AMC and GameStop, several outlets reported Thursday, though Robinhood vows to “vigorously defend” itself in the case.

       

    • Average cost of data breaches hits record high of $4.35 million: IBM - Shweta Sharma, CSO Online (08/01/2022)
      The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organizations raised product and services prices due to the breaches.

       

    • Uber admits covering up data breach involving 57 million users - Ians, Business Insider (07/26/2022)
      Uber has admitted that it covered up a massive data breach in 2016 that exposed data pertaining to approximately 57 million users and 600,000 drivers' license numbers.

       

    • T-Mobile agrees to pay customers $350 million in settlement over massive data breach - Brian Fung, CNN (07/25/2022)
      T-Mobile has agreed to pay $350 million to settle multiple class-action suits stemming from a data breach disclosed last year affecting tens of millions of people.
    • Tenet Healthcare faces lawsuit after data breach affects 1.2 million patients - Catherine Marfin, The Dallas Morning News (07/13/2022)
      A Texas man has filed a class-action lawsuit against Dallas-based Tenet Healthcare and its affiliate Baptist Health System after the companies experienced a data breach this year that affected more than a million patients.

       

    • California’s Concealed Weapons Breach Worse than First Reported - Gregory Yee, Los Angeles Times, Government Technology (06/30/2022)
      Initial reports of the exposure of personal information about concealed handguns permits was more expansive than initially thought. California Department of Justice officials now say several other data sets were exposed.

       

    • https://www.reuters.com/world/us/new-york-city-sues-five-companies-over-ghost-gun-sales-2022-06-29/ - Kurt Chirbas & Chantal Da Silva, NBC News (06/29/2022)
      The names, addresses and license types of all concealed carry permit holders in California were exposed after the state Justice Department suffered a data breach, authorities said Tuesday.

       

    • Data breach at health care organization may affect 2 million - Mark Pratt, The Associated Press (06/08/2022)
      A digital attack on a Massachusetts-based health care organization may have compromised the personal information of as many as 2 million people, officials said.

       

    • NYC Education Dept. bans widely-used online gradebook after security breach - Michael Elsen-Rooney, The New York Daily News (05/31/2022)
      The New York City Education Department is barring city public schools from continuing to contract with the company behind a widely-used online gradebook after the program suffered a major data breach that exposed the personal data of more than 800,000 students.

       

    • Breach exposed data of half-million Chicago students, staff - The Associated Press, The Associated Press (05/21/2022)
      The personal information of more than half a million Chicago Public Schools students and staff was compromised in a ransomware attack last December, but the vendor didn’t report it to the district until last month, officials said.

       

    • Texas data breach exposes personal information of 1.8 million people - Jonathan Greig, The Record (05/18/2022)
      The Texas Department of Insurance (TDI) released more information on Wednesday about a data breach discovered in January that exposed sensitive information from more than 1.8 million Texans.

       

    • California Bar Risks Lawyer Suits After Data Breach Notices - Jake Holland, Bloomberg Law (05/10/2022)
      The State Bar of California’s plan to notify attorneys whose names were exposed in a data breach of disciplinary records may spur litigation from lawyers who feel their reputations have been tarnished.

       

    • Elephant Insurance Reports Data Breach - Insurance Journal, Insurance Journal (05/10/2022)
      Virginia-based direct-to-consumer personal lines insurer Elephant Insurance reports that it experienced a cyber incident beginning in late March and as of April 25 its review had been able to identify consumers whose data may have been viewed or copied from its network.

       

    • Wawa wants a refund, says Mastercard owes $32 million for data breach penalties - Joseph N. DiStefano, The Philadelphia Inquirer (04/20/2022)
      Wawa, the Delaware County-based convenience store and gas station chain, paid $10.7 million last year linked to a 2019 breach of its customer payment security systems.

       

    • Big Coral Gables mortgage servicer hit by data breach, exposing clients’ personal information - Andres Viglucci, The Miami Herald (04/13/2022)
      One of the country’s largest mortgage servicers, a company based in Coral Gables, has reported what appears to be a significant data breach to customers three months after discovering it, prompting two separate federal lawsuits.

       

    • Over 8 million Cash App users possibly affected by data breach from a former employee - Jordan Mendoza, USA Today (04/06/2022)
      Over 8 million users of the mobile payment app Cash App could be affected by a data breach after a former employee of the company downloaded reports containing the personal information of U.S. users.

       

    • NYC officials call for investigation after data of 820,000 students compromised in hack - Jonathan Greig, The Record (03/28/2022)
      New York City’s mayor and several education officials said they are outraged after a digital education platform used by dozens of city schools disclosed that hackers gained access to the personal information of 820,000 current and former students during a January breach.

       

    • Revealed: Credit Suisse leak unmasks criminals, fraudsters and corrupt politicians - Doug Chayka, The Guardian (02/20/2022)
      A massive leak from one of the world’s biggest private banks, Credit Suisse, has exposed the hidden wealth of clients involved in torture, drug trafficking, money laundering, corruption and other serious crimes.

       

    • Ransomware gang says it has hacked 49ers football team - Alan Suderman, The Associated Press (02/13/2022)
      The San Francisco 49ers have been hit by a ransomware attack, with cyber criminals claiming they stole some of the football team’s financial data.

       

    • New Mexico health insurance company sued over data breach - Phaedra Haywood, The Shanta Fe New Mexican, Yahoo Finance (02/06/2022)
      Three state residents who have filed a lawsuit against insurance firm True Health New Mexico over what they call a "targeted cyberattack" are seeking to have their complaint declared a class action, representing about 63,000 patients whose personal information might have been stolen.

       

    • Goodwill claims it was hit by data breach - Sead Fadilpašić, Tech Radar (01/17/2022)
      American nonprofit Goodwill has suffered a data breach that is affecting the users of its ShopGoodwill.com e-commerce auction platform.

       

    • Morgan Stanley to pay $60 mln to resolve data security lawsuit - Jonathan Stempel, Reuters (01/03/2022)
      Morgan Stanley (MS.N) agreed to pay $60 million to settle a lawsuit by customers who said the Wall Street bank exposed their personal data when it twice failed to properly retire some of its older information technology.

       

    2021

    2020

    2019

    • Amazon and Ring’s ‘defective design’ lets hackers access your cameras, CA lawsuit says - Summer Lin, The Sacramento Bee (12/27/2019)
      Amazon and Ring, the home security company owned by Amazon, will soon have to answer for their hacking incidents, according to a new lawsuit brought against the companies.
    • Wawa discloses 9-month data breach affecting "potentially all" locations - Victoria Albert, CBS News (12/20/2019)
      The popular East Coast convenience store chain Wawa announced Thursday that it experienced a malware attack spanning more than nine months earlier this year. Customers' credit and debit card numbers, expiration dates, and cardholder names were potentially exposed in the breach, which impacted "potentially all" of the chain's hundreds of locations.
    • Iran Banks Burned, Then Customer Accounts Were Exposed Online - Farnaz Fassihi & Ronen Bergman, The New York Times (12/10/2019)
      After demonstrators in Iran set fire to hundreds of bank branches last month in antigovernment protests, the authorities dealt with another less visible banking threat that is only now coming to fuller light: a security breach that exposed the information of millions of Iranian customer accounts.
    • Target sues insurer for up to $74 million in 2013 data breach costs - Kavita Kumar, Chicago Tribune (11/20/2019)
      Minneapolis Target is suing its longtime insurance company for denying claims to reimburse Target for tens of millions of dollars it has paid out for new payment cards as part of settlements over the retailer's 2013 data breach.
    • Thousands of Disney Plus accounts were hacked and sold online for as little as $3 - Taylor Telford, The Washington Post (11/19/2019)
      For sale: Disney Plus account, barely used.

      Within hours of the streaming service’s bumpy rollout last week, hackers commandeered user accounts: locking out owners, changing log-in credentials and, in many cases, selling them for as little as $3 apiece, a ZDNet investigation revealed.
    • California DMV data breach exposed thousands of drivers' information, agency says - Allen Kim, CNN (11/06/2019)
      A data breach at the California Department of Motor Vehicles may have exposed some drivers' Social Security number information to seven government entities, according to the DMV.
    • Sens. Warren and Wyden urge FTC to investigate Amazon’s role in Capital One hack - William Feuer, CNBC (10/24/2019)
      Two lawmakers want to know about Amazon’s role in the Capital One hack that exposed data of 100 million individuals.
    • Yahoo data breach settlement 2019: How to get up to $358 or free credit monitoring - Kelly Tyko, USA Today (10/14/2019)
      Yahoo users can now file a claim for a piece of the $117.5 million class-action settlement related to massive data breaches.
    • Dutch Prostitution Site Hookers.nl Hacked—250,000 Users’ Data Leaked - Thomas Brewster, Forbes (10/10/2019)
      Hackers have obtained the data and personal details of around 250,000 users of the Dutch sex-work forum Hookers.nl.
    • Twitter under fire for profiting from millions of UK users' data sold to advertisers - Natasha Bernal, The Telegraph UK (10/09/2019)
      Twitter has been accused of unfairly profiteering from the personal data of up to 14.1 million people in the UK after it used their email addresses to sell targeted advertising without their knowledge.
    • British Airways: Half a million scammed passengers given green light to sue airline - Aimee Robinson, Express Co. UK (10/05/2019)
      HALF A million British Airways passengers have been given the go ahead to press legal action against the airline after their data was breached as part of an elaborate scam. A recent investigation by the Information Commissioners Office (ICO) found that names, including payment data and addresses, of approximately 500,000 passengers were taken. What options do affected passengers have now?
    • Turkey fines Facebook $282,000 over privacy breach - Reuters (10/03/2019)
      Turkish authorities have fined Facebook Inc (FB.O) 1.6 million lira ($282,000) for violation of data protection laws which affected nearly 300,000 people, the Personal Data Protection Board (KVKK) said on Thursday.
    • More than 200 million Words with Friends users had data stolen in breach - Susan Gonzalez, ABC News (10/02/2019)
      A breach in September exposed the data of about 218 million Words with Friends users, according to multiple reports.
    • DoorDash data breach affects personal info of 4.9 million customers, merchants - CBC News (09/27/2019)
      Online food delivery service DoorDash says it's the victim of a data breach in which the personal information of 4.9 million people was stolen, including names, email addresses, delivery addresses, phone numbers, and partial banking and credit card details.
    • Malaysia's Malindo Air confirms passenger data breach - Liz Lee, Stanley Widianto, Reuters (09/18/2019)
      Malaysia’s Malindo Air, a subsidiary of Indonesia’s Lion Group, said on Wednesday it was investigating a data breach involving the personal details of its passengers.
    • Financial asset firm PCI ordered to pay $1.5 million for poor cybersecurity practices - Charlie Osborne, Zero Day (09/17/2019)
      Phillip Capital Inc. (PCI) has been fined $1.5 million by the US Commodity Futures Trading Commission (CFTC) for "allowing" a data breach to occur and failing to alert its customers in a reasonable timeframe.
    • Ecuador Investigates Data Breach of Up to 20 Million People - Palko Karasz, Anatoly Kurmanaev, The New York Time (09/17/2019)
      Ecuador has begun an investigation into a sprawling data breach in which the personal data of up to 20 million people, more than the country’s population, was made available online.
    • Lawyers accuse BA of 'swerving responsibility' for data breach after time limit is imposed for compensation claims - Victoria Ward, The Telegraph (09/12/2019)
      British Airways has been accused of "swerving responsibility" for a massive data breach by trying to limit compensation payouts for victims, lawyers claim.
    • Ransomware attack locks out New Bedford city data - Insurance Journal (09/09/2019)
      A Massachusetts mayor says hackers demanded $5.3 million from his city in a ransomware attack this summer.
    • Hackers stole $1.66M from German bank by cloning EVM cards - ATM Markertplacce (09/06/2019)
      EVM (chip and pin technology) was supposed to help make credit and debit cards safe from fraud, but that is not always the case.

      ZDnet first reported that cyber criminals have stolen more than1.5 million euros ($1.66 million) from the German bank Oldenburgische Landesbank by cloning customer debit cards. The cards were protected by EMV technology.
    • Facebook to face fresh EU privacy concerns after company admits new data breach - Hasan Chowdhury, The Telegraph (08/27/2019)
      Facebook could come under fresh scrutiny over privacy concerns after the company admitted that audio clips sent by some users in Europe had been collected and transcribed without their consent.
    • New York Expands The Data Breach Umbrella: More Cybersecurity Incidents Will Require Breach Compliance From Businesses Who Possess Private Information For New York Residents - Jeffrey Csercsevits, Fisher Phillips, JD Supra (08/24/2019)
      On July 25, 2019, New York Governor Anthony Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The Act creates additional protections for the residents of New York and their private information. It also endeavors to improve cybersecurity measures for those who possess private information about New York residents.
    • Massachusetts General Hospital privacy breach exposed 10,000 patients' records, genetic information - Heather Landi, Fierce Healthcare (08/23/2019)
      Nearly 10,000 patients involved in research studies were impacted by a third-party privacy breach that may have exposed their medical diagnoses, test results and genetic information at Massachusetts General Hospital (MGH).
    • MasterCard says it's investigating a data breach of German loyalty program - Steve Goldstein, Market Watch (08/22/2019)
      MasterCard MA, +0.96% said it was investigating a data breach of a loyalty program in Germany which led to a leak of personal information, The Wall Street Journal reported. The loyalty program has been shut down, and on Wednesday, the company became aware of another file with user data, the report said. The loyalty program was operated by a third-party service provider and doesn't affect the company's payments systems, according to the report.
    • Georgia Supreme Court: Are data breach victims entitled to damages? - Bill Rankin, Herald Mail Media (08/20/2019)
      ATLANTA — In the spring of 2016, a cyber thief calling himself the “Dark Overlord” hacked into the databases of a Clarke County medical clinic and emerged with the personal information of an estimated 200,000 patients.

      The Athens Orthopedic Clinic refused to pay the hacker’s ransom and advised current and former patients to set up anti-fraud protections. Now a lawsuit filed by three of those patients — demanding that the clinic pay damages — could set a precedent in Georgia, where reports of data breaches have been soaring.
    • Ransomware Attack Hits 22 Texas Towns, Authorities Say - Manny fernandez, The New York Times (08/20/2019)
      HOUSTON — Computer systems in 22 small Texas towns have been hacked, seized and held for ransom in a widespread, coordinated cyberattack that has sent state emergency-management officials scrambling and prompted a federal investigation, the authorities said.
    • Ellensburg loses $185k to fraud email - Action News Staff, Komo News (08/19/2019)
      ELLENSBURG, Wash. - The City of Ellensburg says they are victims of electronic theft after a fraudulent transfer was made in the amount of $185, 897.
    • Possible data breach may have affected more than 15,000 current, former Kern County employees - John Cox, The Bakersfield Californian (08/06/2019)
      A suspected data breach may have compromised the personal information of as many as 15,298 current and former County of Kern employees and their dependents, a government spokeswoman said by email Tuesday.
    • Marriott Takes $126 Million Charge Related to Data Breach - Maria Armental, The Wall Street Journal (08/05/2019)
      Marriott International Inc. said Monday it booked a $126 million charge in the latest quarter tied to a massive data breach disclosed last year and lowered financial projections for the year.
    • Facebook's 'like' button puts businesses at risk of breaching data privacy laws, warns top EU court - Natasha Bernal, The Telegraph (07/29/2019)
      Companies that feature Facebook's "Like" button on their websites must warn users that their personal data is being sent to the social media giant, Europe's top court has ruled.
    • IBM Study Shows Data Breach Costs on the Rise; Financial Impact Felt for Years - Staff, IBM News Room (07/23/2019)
      Security today announced the results of its annual study examining the financial impact of data breaches on organizations
    • Equifax Is Said to Be Close to Reaching Deal in Huge ’17 Data Breach - Stacy Cowley & Peter Eavis, The New York Times (07/19/2019)
      The credit bureau Equifax is expected to pay around $650 million to settle federal and state investigations and consumer claims relating to a data breach that exposed sensitive information belonging to at least 145 million people, according to two people familiar with the settlement discussions.
    • Personal Details of 'Practically the Whole Adult Population' of Entire Country Stolen - Andrew Griffin, The Independent (07/17/2019)
      The personal details of almost every adult in Bulgaria have been leaked as part of a huge cyber attack.
    • Premera Blue Cross to pay $10 million to 30 states, including New Jersey, after data breach - Christian Hetrick, The Philadelphia Inquirer (07/16/2019)
      Premera Blue Cross Blue Shield, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states
    • Hacker hits LA County Health, putting data of 14,600 at risk - Joseph Goedert, HealtData Management (07/11/2019)
      A data breach at the Los Angeles County Department of Health Services has affected about 14,600 individuals after a hacker infiltrated a business associate working in the department.
    • Marriott Faces $124 Million Fine Over Starwood Data Breach - Parmy Olson, The Wall Street Journal (07/09/2019)
      Marriott International Inc. faces a potential £99.2 million ($123.6 million) fine from the U.K.’s privacy watchdog over a consumer-data breach, as the regulator raises pressure on businesses to comply with Europe’s data-protection rules.
    • British Airways faces record £183m fine for data breach - Rory Cellan-Jones, BBC (07/08/2019)
      British Airways is facing a record fine of £183m for last year's breach of its security systems.
    • Border Agency’s Images of Travelers Stolen in Hack - Zolan Kanno-Youngs & David E. Sanger, The New York Times (06/10/2019)
      Tens of thousands of images of travelers and license plates stored by the Customs and Border Protection agency have been stolen in a digital breach, officials said Monday, prompting renewed questions about how the federal government secures and shares personal data.
    • Premera agrees to $74M settlement for 2014 data breach - Greg Slabodkin, HealthData Management (06/05/2019)
      Five years after hackers accessed the personal information of 10.6 million individuals, parties to a consolidated class action lawsuit have reached one of the largest healthcare data breach settlements.
    • LabCorp discloses data breach affecting 7.7 million customers - Rachel Siegel, The Washington Post (06/05/2019)
      LabCorp, a medical testing company, said 7.7 million customers had their personal and financial data exposed through a breach at a third-party billing collections company.
    • Dark Web: Hackers Sell Doctors' Identities for $500 in Disturbing New Trend - Anthony Cuthbertson, The Independent (06/05/2019)
      The identities of doctors are selling on the dark web for $500, new research reveals.
    • Data for nearly 12 million Quest Diagnostics patients may have been exposed - Irina Ivanova, CBS News (06/03/2019)
      Quest Diagnostics, the world's largest blood-testing company, said Monday that nearly 12 million patients may have had personal information exposed in a data breach. The information includes financial data, Social Security numbers and medical records, though the company said laboratory test results were not exposed.
    • Australian National University hit by huge data breach - Lisa Martin, The Guardian (06/03/2019)
      The Australian National University is in damage control after discovering a major data breach a fortnight ago in which a “significant” amount of staff and student information was accessed by a “sophisticated operator”.
    • Checkers announces data breach impacting 4 Ohio Rally's locations - Staff, WKYC3 (05/30/2019)
      Fast food chain Checkers on Wednesday announced a data breach that may have compromised customers' data at some Checkers and Rally's locations.
    • Hack Brief: 885 Million Sensitive Financial Records Exposed Online - Lily Hay Newman, Wired (05/24/2019)
      After a solid decade of nonstop corporate data breaches and exposures, you'd think large organizations would have at least fixed the most basic and obviously damaging types of data mishandling. But there's clearly still a long way to go.
    • Healthcare breach of 1.5M records made worse by notifications sent to wrong addresses - Heather Landi, Fierce Healthcare (05/23/2019)
      Inmediata Health Group, a healthcare clearinghouse, notified patients last month that at least 1.56 million people had their personal health data potentially exposed due to a misconfigured website.
    • Lawsuit: Hackers stole $515,000, Fort Worth employee data compromised in security breach - Deanna Boyd, The Fort Worth Star-Telegram (05/16/2019)
      Hackers stole more than $515,000 from the city of Fort Worth and employees with criminal convictions were allowed access to a confidential FBI criminal database, according to a lawsuit filed Wednesday by a former IT manager against the city.
    • Uniqlo Says 460,000 Online Accounts Accessed in Japan Hack - Lisa Du, Bloomberg (05/13/2019)
      Fast Retailing Co., Asia’s largest retailer, said hackers may have gained access to the personal information of about half a million users of its Uniqlo and GU brand e-commerce portals.
    • Norsk Hydro Cyber Attack Cost It Nearly $52M in First Quarter - Terje Solsvik & Izabela Niemiec, Insurance Journal (04/30/2019)
      Norsk Hydro said the March cyber attack that paralyzed its computer networks would cost the aluminum maker up to 450 million Norwegian crowns ($52 million) in the first quarter.
    • World's biggest data breach is just the tip of the iceberg – Dark Web dangers are growing - Itay Yanovski, The Telegraph (04/08/2019)

      The 773 million records recently posted on a hacking forum, now known as "Collection #1", are merely the tip of a vast iceberg of stolen data now available to organised cyber criminals, hostile governments and terrorists.

    • Toyota data breach shows cybersecurity 'no longer a human-scale problem' - Lucy Ingham, Verdict (04/01/2019)

      The Toyota data breach announced by the Japanese car maker on Friday highlights the need for cybersecurity capabilities beyond those possible by humans alone, cybersecurity experts have said.

      The breach - the second reported by the company in just five weeks - saw hackers gain access to Toyota's IT systems containing the sales information of up to 3.1 million customers.

      The car marker is currently in the process of determining exactly what information was accessed and how many customers have been directly affected.

      For cybersecurity experts, the latest Toyota data breach underscores the importance of continuous vigilance by major companies.

      "While Toyota indicates they are now performing an audit of their systems, this attack and Toyota's response highlight a need for continuous monitoring beyond reviews performed following an incident or as part of an annual review process," said Tim Mackey, senior technical evangelist at Synopsys.

    • Equifax says US regulators seek damages related to 2017 breach - Reuters (02/22/2019)
      Credit reporting company Equifax Inc said it was informed by several U.S. regulators that they intend to seek damages from the company related to the cybersecurity breach of 2017 that exposed personal information of nearly 145 million people. . . . The company has received legal notices from the Federal Trade Commission, Consumer Financial Protection Bureau and the New York Department of Financial Services, it said in a filing on Thursday. . . . The United States Securities and Exchange commission had also issued a subpoena on May 14, 2018, regarding disclosure issues relating to the data breach, while the Office of the Privacy Commissioner of Canada has informed Equifax it intends to “make certain findings and recommendation” related to the incident. . . . The company has been named in 19 class action lawsuits in courts across the country, it said, and has spent hundreds of millions of dollars since disclosing the breach. . . . Regulators in the UK and Australia have also fined the company for the breach that saw personal information such as Social Security numbers, birth dates and addresses of millions of people being stolen by hackers.
    • Large breach of mortgage borrowers’ data raises new concerns, questions - Kenneth R. Harney, Washington Post (02/06/2019)
      A large breach of mortgage data that has exposed the personal financial information of tens of thousands of borrowers raises key consumer questions: What happens to all those disclosures we make after we apply for and obtain a home loan — our tax returns, Social Security numbers, credit card accounts, bank account numbers and detailed summaries of our assets? . . . Where does it all go after the closing? If your mortgage or servicing rights subsequently are sold and resold to other companies, what happens to all that intimate information? Does it stay securely padlocked away somewhere, far out of the reach of criminals? . . . You would hope so, but consider this — 54,000 mortgage borrowers recently had their financial data exposed to identity thieves trolling on the Internet. Borrowers had no hint that they were vulnerable, and many may still not know that a breach occurred.

    2018

    • Marriot Cyber Attack: Hotel Data Breach That Hit 500 Million Guests Linked to Chinese Spy Agency, Nicole Perlroth, Glenn Thrush, Alan Rappeport - Nicole Perlroth, Glenn Thrush, Alan Rappeport, The Independent (12/12/2018)
      The cyberattack on the Marriott hotel chain that collected personal details of roughly 500 million guests was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation. . . . They said the hackers are suspected of working on behalf of the Ministry of State Security, the country’s Communist-controlled civilian spy agency. The discovery comes as the Trump administration is planning actions targeting China’s trade, cyber and economic policies, perhaps within days. . . . Those moves include charges against Chinese hackers working for the intelligence services and the military, according to four government officials who spoke on the condition of anonymity. The Trump administration also plans to declassify intelligence reports to reveal Chinese efforts dating to at least 2014 to build a database containing names of executives and US government officials with security clearances.
    • Congressional committee slams Equifax in report on data breach - LAURA HAUTALA, CNET (12/10/2018)
      Equifax didn't take steps to prevent a massive data breach in 2017 that allowed hackers to steal the personal information of 147.7 million Americansfrom its servers. It wasn't ready to handle the aftermath, either. . . . That's the takeaway from a House Oversight Committee report (PDF), released Monday, which calls the breach "entirely preventable."
    • Alabama Becomes 50th State to Enact Data Breach Notification Law - National Law Review (04/03/2018)
      Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.
    • Data firm tied to Trump campaign harvested data from millions of Facebook users: report - William Watts, Marketwatch (03/17/2018)
      A data firm hired to support President Donald Trump’s 2016 election campaign harvested private information from 50 million Facebook users without their permission, the New York Times and the Observer of London reported Saturday. . . . The newspapers, citing former employees of Cambridge Analytica, associates of the firm, and documents, described the harvesting effort as the largest data breach in Facebook’s history. . . . The New York Times said Cambridge Analytica was able to exploit the social media activity of a swath of the American electorate, developing techniques that was central to its work for the Trump campaign in 2016.
    • Yahoo loses its bid to reject data breach lawsuit - Jon Fingas, Engadget (03/12/2018)
      Yahoo (and by extension, its parent/Engadget owner Verizon) now has no choice but to face the majority of claims in a US lawsuit over the internet giant's multiple data breaches. California Judge Lucy Koh (of Apple-versus-Samsung fame) has denied Verizon's bid to dismiss numerous claims in the suit, including breach of contract and negligence. The plaintiffs' claims demonstrated that they would have "behaved differently" if they'd known about Yahoo's email security woes, Judge Koh said, and that Yahoo's attempts to limit liability were "unconscionable" given how much it knew about its security problems and how little it did. . . . The judge had previously shot down attempts by Yahoo and Verizon to dismiss unfair competition claims. In attempting to take down most of the claims, Yahoo had maintained that the lawsuit was based on "20/20 hindsight" and didn't change that the company had been continuously fighting security threats. . . . This ruling could put Yahoo and Verizon on the hook for a tremendous sum if the lawsuit is successful. It eventually became clear that all of Yahoo's 3 billion users circa 2013 were affected by the first big breach, and that's not including the people affected by the two other breaches between then and 2016. Only a fraction of those users are American, but that could still lead to a costly payout.

    2017

    • NAIC Passes Insurance Data Security Model Law - NAIC (10/24/2017)
      The National Association of Insurance Commissioners adopted the Insurance Data Security Model Law today during a joint meeting of the Executive (EX) Committee and Plenary. . . . The model law, adopted during National Cybersecurity Awareness Month, creates rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach. This includes maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event
    • Before the breach, Equifax sought to limit exposure to lawsuits - Renae Merle and Hamza Shaban, Washington Post (09/19/2017)

      Before Equifax discovered a massive computer breach that exposed sensitive information about millions of Americans, the company lobbied Congress on legislation to limit how much it could be forced to pay if sued by consumers, and it pressed lawmakers to roll back the powers of its regulators. . . . Since at least 2015, the credit reporting agency has repeatedly lobbied lawmakers on issues related to “data security and breach notification,” according to federal disclosure forms. Those issues are likely to take center stage now as the company deals with the outcry over its decision to wait six weeks before notifying the public about a cybersecurity attack that exposed the Social Security numbers, driver’s license information and other personal data of 143million people.

    • FTC confirms it's investigating Equifax data breach — a highly unusual comment - Brian Fung, Washington Post (09/14/2017)

      The Federal Trade Commission said Thursday it is investigating the massive data breach at credit reporting firm Equifax, adding America’s top consumer watchdog to the chorus of federal lawmakers and regulators expressing alarm over the unauthorized access of 143 million Americans’ personal data. . . The FTC’s disclosure of an ongoing probe is highly unusual, underscoring the enormous stakes involved in the incident affecting what amounts to half the country.

    • Before its massive data breach, Equifax fought to kill a rule allowing victims to sue - Michael Hiltzik, Daily Mail (09/11/2017)

      The data collection and monitoring firm Equifax has been properly flayed for the massive data breach it disclosed last week, as well as for its weak and dishonest response to the breach. . . . The firm has rectified some of the flaws in its response to the breach, which exposed the personal data of 143 million American consumers to hackers. But it hasn’t backed off from another action that would undermine consumers’ ability to hold the entire consumer monitoring industry accountable for such breaches: A concerted campaign to repeal a federal regulation upholding consumers’ rights to sue. . . . The regulation, issued by the Consumer Financial Protection Bureau on July 10 and scheduled to go into effect in mid-January, came under attack by Republicans in Congress “before the ink was even dry,” says Amanda Werner of Americans for Financial Reform, which is fighting to retain the rule. Under its provisions, financial firms would be prohibited from saddling consumers with arbitration clauses that prevent the consumers from filing or joining class-action lawsuits against the firms.

    • Giant Equifax data breach: 143 million people could be affected - Sara Ashley O'Brien, CNN (09/08/2017)

      Cyber criminals have accessed sensitive information -- including names, social security numbers, birth dates, addresses, and the numbers of some driver's licenses. . . . Additionally, Equifax said that credit card numbers for about 209,000 U.S. customers were exposed, as was "personal identifying information" on roughly 182,000 U.S. customers involved in credit report disputes. Residents in the U.K. and Canada were also impacted.

    • How hacked computer code allegedly helped a biker gang steal 150 Jeeps - Hamza Shaban, The Washington Post (06/01/2017)
      In a cross-border auto heist that resembles a scrapped plot from the “Fast and the Furious” franchise, nine members of a Tijuana-based biker club have been charged with stealing 150 Jeep Wranglers using stolen computer code and key designs, the Justice Department announced earlier this week.
    • Russian 'Fancy Bear' Hackers Tainted Their Huge Leaks With Fake Data - Thomas Fox-Brewster, Forbes (05/26/2017)
      The first evidence that the hacker crew responsible for the breach of the Democratic National Committee (DNC) snuck false information into their leaks has been uncovered by a group of researchers. The hackers, a group called Fancy Bear that U.S. intelligence and law enforcement claim to be sponsored by Russia's intelligence unit, the GRU, planted the information inside a leak of emails belonging to a journalist and critic of the Putin regime, according to a report from Citizen Lab, a University of Toronto-based organization. That formed part of a massive hacking campaign attempting to steal Google passwords from 218 targets across 39 countries, including former American defense officials. Though Citizen Lab couldn't definitively tie Fancy Bear to those "tainted leaks," Forbes separately obtained evidence that indicated the group was responsible.
    • Chipotle data breach affected locations nationwide - Jonathan Maze, Nation's Restaurant News (05/26/2017)
      A short-lived data breach this spring affected Chipotle Mexican Grill Inc. restaurants nationwide, the company said on Friday. The breach also affected Pizzeria Locale, the company said. Cards used at the locations between March 24 and April 18 were impacted. Chipotle initially reported the breach in April. "Most, but not all locations may have been involved," company spokesman Chris Arnold said in an email. And he said the locations were affected for "varying amounts of time." The company has set up a website with details on the breach and information for consumers. That site also includes a list of affected restaurants, which are located in all 48 contiguous U.S. states. Chipotle has also published information for Pizzeria Locale customers.
    • Target to Pay $18.5 Million to Settle Massive 2013 Data Breach - Nicole Hong, The Wall Street Journal (05/23/2017)
      Target Corp. on Tuesday agreed to pay $18.5 million to resolve an investigation by state prosecutors into its massive 2013 hack, a deal that represents the largest multistate data breach settlement in history. The investigation, led by the attorney generals in Connecticut and Illinois, focused on allegations that more than 40 million customers had their credit or debit card information compromised in 2013 after Target failed to provide reasonable data security. The money will go to 47 states and the District of Columbia, with California receiving the largest share of more than $1.4 million.
    • Gannett Reports Data Breach Compromising Employee Information - Lukas I. Alpert, The Wall Street Journal (05/02/2017)
      Gannett Co. suffered a data breach that may have exposed banking details, Social Security numbers and other personal employee information to hackers, the company said in a letter to staffers.
    • Lifespan notifies 20,000 patients of data breach - Lynn Arditi, The Providence Journal (04/22/2017)
      Lifespan, the state’s largest health-care network, has notified about 20,000 patients of the theft of an employee’s laptop containing patient information.
    • Holiday Inn, Crowne Plaza locations among over 1,000 hotels hit by major data breach - Karen Robinson-Jacobs, The Dallas News (04/20/2017)
      A data breach involving InterContinental Hotels Group, which owns brands such as Holiday Inn and Kimpton,  has proved to be significantly larger than earlier reported.
    • Wonga data breach could affect nearly 250,000 UK customers - Hilary Osborne, The Guardian (04/09/2017)
      More than a quarter of a million customers of payday loan firm Wonga are being warned that their personal data may have been stolen in a data breach at the firm. The online lender said it was "urgently investigating illegal and unauthorised access" to the personal data of some of its customers in the UK and Poland. It is understood that the breach could affect up to 270,000 current and former customers, including 245,000 in the UK. The company would not disclose where it had taken place. The lender, which offers loans at interest rates starting at 1,286% a year, became aware of a problem last week but did not realise until Friday that data could be accessed externally. It alerted the authorities and started to contact borrowers on Saturday to make them aware of the problem, and give details of a dedicated customer services phone line for those affected.
    • Report: GameStop investigating serious breach compromising credit card info - Owen S. Good, Polygon (04/08/2017)

      GameStop is investigating the possibility hackers may have stolen credit card and customer information from its website, the retail giant acknowledged yesterday to Brian Krebs, a journalist specializing in computer security. The Grapevine, Texas-based company acknowledged that it had been alerted to a claim of payment card data, stolen from GameStop.com, being offered for sale on a black market website.

    • IRS Data on Up to 100,000 Taxpayers Compromised in Breach of College Financial-Aid Tool - Richard Rubin & Douglas Belkin, The Wall Street Journal (04/07/2017)
      Personal information for up to 100,000 taxpayers may have been compromised in a security breach of a critical online tool used to fill out student loan applications, Internal Revenue Service Commissioner John Koskinen said Thursday. The IRS is beginning to notify people potentially affected by the breach, Mr. Koskinen said during a Senate Finance Committee hearing.
    • Data Breach Risks for 401(k) and Retirement Plans - John A. Vogt, Richard DeNatale, Travis DeHaven, & Todd S. McClelland, Jones Day (04/03/2017)
      There has been a recent spike in attacks on 401(k) and retirement plans by cyber criminals.
    • Third Circuit Moves Toward a Broader View of Standing in FCRA Data-Breach Class Action - Nicholas Ranjan, et al., K&L Gates (01/30/2017)
      Recently, the Third Circuit widened the gates for certain data-breach plaintiffs, holding that alleged violations of the Fair Credit Reporting Act (“FCRA”) constitute injuries-in-fact sufficient for Article III standing…In re Horizon appears to have shifted the Third Circuit’s prevailing analysis of injuries for standing, at least in the FCRA context and potentially in the context of other federal statutory violations. This decision seems to narrow the lack-of-standing defense in that type of data-breach case, and potentially in others, when the claims involved arise from certain statutory rights, which may allow more lawsuits past the motion-to-dismiss stage.

    2016

    • EU police agency blames human error for data security breach - Mike Corder , The Washington Post (11/30/2016)
      European Union police agency Europol on Wednesday blamed human error for a breach of its data security rules by a former staff member that reportedly led to dossiers containing information about terrorism investigations becoming visible online. Dutch investigative television show Zembla reported that a Europol staffer — in a breach of the agency’s tight security rules — took dossiers home and copied them to a backup drive that was linked to the internet. The breach could undermine faith in the organization among EU member states that share highly sensitive intelligence with Europol as a way of boosting continent wide investigations into terrorism and organized crime.
    • FriendFinder Investigates Report of Breached Accounts - Robert McMillan, The Wall Street Journal (11/14/2016)
      FriendFinder Networks Inc. is investigating reports that data from more than 412 million user accounts was stolen from five of the company’s online-dating, sex-chat and pornography sites.The stolen data includes 20 years of customer email addresses and passwords, according to LeakedSource.com, an anonymously run website that sells access to stolen records. Many of the stolen records are from accounts that are no longer active, LeakedSource said. Others may be duplicates or created by automated programs known as “bots.”… A spokesman for FriendFinder Networks couldn’t confirm LeakedSource’s claims, but said via email the company is investigating several reports “regarding potential security vulnerabilities.” The company is “in the process of notifying affected users to provide them with information and guidance on how they can protect themselves,” the spokesman said.
    • Yahoo Employees Knew in 2014 About State-Sponsored Hacker Attack - Vindu Goel, The New York Times (11/09/2016)
      Yahoo employees knew in 2014 that a hacker backed by a foreign government had broken into its network, the company said in a securities filing on Wednesday. But Yahoo did not say whether the attack that year — which led to the theft of data like names, birth dates and encrypted passwords for more than 500 million accounts — was disclosed to senior management at the time. The timeline of who knew what about the attack and when has become central to the company’s plan to sell its internet operations to Verizon Communications for $4.8 billion.
    • U.S. Bank Regulator Notifies Congress of Major Data Security Breach - Donna Borak, The Wall Street Journal (10/28/2016)
      A U.S. bank regulator on Friday disclosed a data breach involving a former agency employee’s unauthorized removal of more than 10,000 records. The cybersecurity breach at the Office of the Comptroller of the Currency was detected in September while the agency was undertaking a retrospective two-year review of employees downloading information in an effort to help minimize cyberthreats. The breach, flagged to Congress and three other government agencies including the Department of Homeland Security, occurred in November 2015 when a former employee downloaded a large number of files onto two thumb drives before retiring from the agency. The OCC said data on the thumb drives were encrypted and there is no evidence that data taken by the employee were “disclosed” or “misused.”
    • Sixth Circuit denies rehearing in Nationwide data breach class actions - Jessica Karmasek, Legal NewsLine (10/25/2016)
      A federal appellate court has denied Nationwide Insurance’s request for a rehearing after deciding last month to side with plaintiffs in two consolidated class action lawsuits brought against the company over a 2012 data breach. The U.S. Court of Appeals for the Sixth Circuit, in an Oct. 12 order, denied Nationwide’s motion for rehearing en banc, or a rehearing by the full court. “The original panel has reviewed the petition for rehearing and concludes that the issues raised in the petition were fully considered upon the original submission and decision of the cases. The petition then was circulated to the full court,” the single-page order states.
    • Verizon Puts Yahoo on Notice After Data Breach - Thomas Gryta and Deepa Seetharaman , The Wall Street Journal (10/13/2016)
      Verizon Communications Inc. signaled it may demand to renegotiate its $4.8 billion deal for Yahoo Inc. following the internet company’s recent disclosure of a data breach that affected more than 500 million accounts. At a meeting in Verizon’s Washington offices on Thursday, General Counsel Craig Silliman said it was “reasonable” to believe that the breach represented a material event that could allow it to change the terms of the takeover. He said it was up to Yahoo to prove the full impact of the data leak and prove it wasn’t material. “If they believe that it’s not, then they’ll need to show us that,” said Mr. Silliman, who has been leading Verizon’s review of the situation.
    • Cybersecurity Whistleblowing Is Murkier Than You May Think - Renee Phillips and Shea Leitch , Corporate Counsel (10/10/2016)
      How can your breach turn into a securities law violation? The answer may be "via whistleblower." More and more, corporate employees are reporting cybersecurity vulnerabilities to the U.S. Securities and Exchange Commission after not receiving satisfactory responses from managers about issues they raise. Companies with a strong internal reporting protocol may believe that they need not worry about missing a valid internal report. But organizations should not be so sure. Cyber whistleblowers may present themselves in ways that are virtually unrecognizable from a traditional whistleblower perspective. Recognizing a potential cyber whistleblower may require companies to appreciate nuances previously unanticipated by most internal reporting schemes.
    • Calls for Federal Breach Notification Law Continue After Yahoo Data Breach - The National Law Review (10/05/2016)
      Data breach prevention and response are again at the forefront of the public consciousness with the recent news of a massive data breach by Yahoo. The call for federal breach notification legislation was revived by the FTC on September 27, 2016, five days after the Yahoo breach was announced. During testimony before the U.S. Senate Committee on Commerce, Science and Transportation, the FTC reiterated “its longstanding, bipartisan call for federal legislation that would (1) strengthen its existing data security authority and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach.” Just twelve days prior, John Carlin, assistant attorney general for national security at the Department of Justice, called for a unified federal breach notification law, referring to the existing spread of 47 state laws as “ridiculous.”
    • Cyberattacks on personal health records growing ‘exponentially’ - Joe Davidson , The Washington Post (09/28/2016)
      In 2015, 113 million electronic health records were breached, a major leap over the 12.5 million the year before. In 2009, the number was less than 135,000. The number of reported hacks and breaches affecting records of at least 500 individuals rose from none in 2009 to 56 last year, almost double from 2014. “The magnitude of the threat against health care information has grown exponentially,” GAO said, citing a 2015 study by the KPMG accounting firm. Electronic health records are not just convenient. They also provide a cost-efficient, valuable service in our fragmented health-care system. Modern technology allows different providers, say a primary care doc and a specialist, to share information about the same patient. Without that, care can suffer and health-care spending can grow unnecessarily. “Lack of care coordination can lead to inappropriate or duplicative tests and procedures that can increase health risks to patients and poorer patient outcomes,” GAO said. It previously reported that fragmentation can increase health care costs by $148 billion to $226 billion per year. But electronic health records come with a cost. As cyberthieves become bolder, more creative and more successful, the risks to our personal information increases. That includes everything from Social Security numbers to medical conditions.
    • Donald Trump’s Hotel Chain to Pay Penalty Over Data Breaches - Steve Eder, The New York Times (09/24/2016)
      Donald J. Trump’s hotel chain agreed to pay a $50,000 penalty and revamp its data security policies after a couple of breaches exposed 70,000 credit card numbers and other personal information of its customers. Attorney General Eric T. Schneiderman of New York, who announced the settlement on Friday, said in a news release that banks tracing fraudulent card use last year determined that the cards had last been legally used at Trump hotels, indicating the security breach had happened there. Further investigation found malware at several Trump hotels and that an attacker in 2014 had gained unauthorized access to steal sensitive information… The high-end hotel chain, which includes the Trump Soho and Trump International in New York and properties in Chicago, Las Vegas and Waikiki, Hawaii, knew about the initial infiltration as early as June 2015, but did not warn customers for nearly four months, which the attorney general’s office said violated state laws requiring expedient notification.
    • Dropbox hack leads to leaking of 68m user passwords on the internet - Samuel Gibbs, The Guardian (08/31/2016)
      Popular cloud storage firm Dropbox has been hacked, with over 68m users’ email addresses and passwords leaking on to the internet. The attack took place during 2012. At the time Dropbox reported a collection of user’s email addresses had been stolen. It did not report that passwords had been stolen as well. The dump of passwords came to light when the database was picked up by security notification service Leakbase, which sent it to Motherboard...Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts.

    2015

    2014

    • FCC fines 2 phone companies $10 million over data breach - AP, Portland Press Herald (10/25/2014)
      TerraCom Inc. and YourTel America, which are jointly owned, complied [with orders to collect information such as Social Security numbers on Lifeline consumers], but were so careless with the files that a reporter stumbled upon them during a simple Google search, according to the Federal Communications Commission.
    • How Not to Handle a Data Breach - Penny Crosman, American Banker (10/07/2014)
      There's almost no good way to tell bank customers that their personal data has been stolen. But some banks do a particularly bad job of communicating during a security incident.
    • Sales Drop as Corporate Data Breaches Rise According to New Study from Identity Finder - PR Newswire (04/29/2014)
      Consumers avoid doing business with a breached organization at an alarming rate, according to a new study conducted by Javelin Strategy & Research and commissioned by sensitive data management solution provider, Identity Finder.
    • After Data Breach, Target Plans to Issue More Secure Chip-and-PIN Cards - Elizabeth A. Harris, New York Times (04/29/2014)
      Still pushing to right itself after an enormous data breach by cybercriminals, Target announced on Tuesday that it would switch its debit and credit cards over to a more secure technology by early next year, most likely making it the first major retailer in the country to do so.
    • UK Firms Increasingly Hit by Data Theft, but Aren’t Reporting It - Amir Mizroch, Wall Street Journal (04/29/2014)
      A survey released Tuesday has found that almost half of all large organizations in the UK  have lost or had confidential data stolen over the past year, but that only 30% of breaches ever make it to the media, showing that the majority of companies do not report the breaches that they’re aware of.
    • Federal Court Refuses To Dismiss FTC Data Security Authority - Kenneth K. Dort, Ronald A. Sarachan, Peter A. Blenkinsop, Zoë K. Wilhelm, National Law Review (04/28/2014)

       On April 7, 2014, in a landmark decision with broad implications for American businesses, the U.S. District Court for the District of New Jersey upheld the U.S. Federal Trade Commission’s authority to regulate data security practices under the unfairness provision of the Federal Trade Commission Act (FTC Act).

    • UPMC data breach could be part of a national scheme - Deborah M. Todd, Pittsburgh Post-Gazette (04/18/2014)
      UPMC confirmed Thursday that a data breach thought to only affect a few dozen employees when announced in February has actually revealed the personal information of approximately 27,000 employees.
    • N.Y. Court: Zurich Not Obligated to Defend Sony Units in Data Breach Litigation - Young Ha, Insurance Journa (03/17/2014)
      A New York trial court recently ruled in a commercial general liability (CGL) policy coverage case that Zurich American Insurance Co. has no duty to defend Sony Corp. of America and Sony Computer Entertainment America in litigation stemming from the April 2011 hacking of Sony Corp.’s PlayStation online services.

    Additional Items

    By far and away the most well rounded and useful Cat-focused industry conference out there. Perfect for all levels within the industry. From the conference content, the presenters and the attendees, this conference is a can’t miss for those interested in expanding their knowledge and learning more about cat related insurance and reinsurance modeling topics Nick DiMuzio, Everest

    "Fantastic, enriching conference - brilliantly planned and run, illuminating talks and excellent opportunities for networking across multiple areas of catastrophic risk.” Gary Ackerman, University at Albany

    “From a treaty underwriter's point of view, RAA presented relevant topics related to today's macro events. Scientific presentations provided insight that I can incorporate in underwriting and share with my clients.” Eric B. Silberman, Munich Re

    "Great conference with some of the biggest names in the business presenting their work. What more could you ask for?” Ron Nash, Nash Consulting

    “A perfect introduction to the world of reinsurance. Relevant topics, great speakers and the opportunity to network with industry peers makes this a must go event.”
    Tom Barrett, Everest Re

    Demystifying Reinsurance was an excellent tool to clearly understand and break down the basics. Very good class and recommend it for beginners and even as a refresher course for the intermediate student.”
    Chenessia West, TransRe

    “Re Basics is the ideal opportunity whether an industry professional or student of insurance to understand the in and outs of reinsurance while being able to network with persons spread across the whole industry.”
    Darius Zuill, Bermuda Monetary Authority

    “This has been the best reinsurance seminar that I have been to! Whether a reinsurance seasoned vet or new to the field, this is an engaging seminar that addressed specific issues of the reinsurance market.”
    Michelle Thimm, Church Mutual Insurance 

    “Re Underwriting provided a comprehensive and interesting overview of underwriting in the current market with a major (and interesting) focus on trends. Very useful for underwriting and non-underwriting alike.”
    DeVika Bourne, PartnerRe

    “Very informative experience, and a great way to keep up to date on current underwriting events and trends.”
    Steven Whalen, Aspen Re

    “Time well spent in learning the updated underwriting business and networking!”
    Christine Chen,  Everest Re 

    “The panels and presentations were thought provoking and fascinating as numerous topics were covered affecting the industry. I’m leaving the conference with a greater insight of the future market.”
    Brittany de Frias, AXIS Capital 

     

    “RAA Re Finance was the first RAA seminar I attended, and I was thoroughly impressed with the speakers and content. I learned a great deal from the presentations and intend to bring some new ideas back to my company and share with the team!”
    Taylor Robinson, ICW Group

    “Fantastic slate of instructors who thoughtfully walked us through financial reporting and other aspects of reinsurance finance. They used terminology that non finance people (lawyers) could understand. Really great program.”
    Steven Bazil, The Bazil Group

    “If you are in Reinsurance Accounting/Finance, you need to take this course to help you with your job.”
    Frank Borawski, Markel  

    “The speakers were excellent! There is something to be said about a person, and in this case a group of people, who can take time away from their busy schedules and explain to everyone something they feel passionate about in a manner that's understandable. My only complaint is that I wish we had more time with them.”
    Jessica Mieles, Sompo International

    “The RAA ReContracts is the most comprehensive reinsurance contract wording training available in the U.S. market.”
    David Kragseth, Guy Carpenter   

    “The course was very helpful in addressing different viewpoints and important things to consider in contract design and review.”
    Andy Martin, AmericanAg 

    “The RAA contract course was very informative and interesting. It covered a wide range of Reinsurance Contracts Types. In my Reinsurance Career, I have had the opportunity to work on a limited type of contracts, so I learned a lot.”
    Vivian Castro, Arch Insurance Company 

    “The RAA Contracts course provides the opportunity to engage with relevant topics, taught by industry experts, in both seminar and small group environments. The course material and industry experts provide an understanding on a wide range of subjects.” 
    Kevin English, LMRe

    “Participation in Re Claims should be mandatory for all P&C reinsurance underwriters. It’s truly an eye-opener, providing an in-depth look from a claims manager’s perspective on what happens to the business that we underwrite. There are lots of do’s and don’ts to pay attention to. Re Claims answers all the hard questions."  Michael Delacruz, China Re P&C

    “I absolutely love this program. I learned so many new things. Reinsurance from the industry’s top executives, interactive activities, interesting panels, and innovating presentations makes for an intriguing few days. Well worth the time and money.” Chenessia West, TransRe

    “As a reinsurance attorney I find Re Claims highly valuable to stay abreast of emerging issues. Also, being walked through practical case studies is extremely helpful in creating a thorough understanding of how contracts work.” Steven Bazil, The Bazil Group

    Become a Re Scholar!

    The Re Ed Institute's Re Scholar Program seeks to recognize those who achieve a high standard of reinsurance education by completing the Re Scholar curriculum. Learn More.


    Become a Re Ed Sponsor

    The RAA’s Reinsurance Education Institute programs attract professionals from the world’s leading insurance/reinsurance companies, brokers, law firms and consulting firms. Interested in sponsoring? Contact Carolyn Fahey.