The Week in Breach: 10/02/19 – 10/08/19 | CloudSmart IT

This week, hackers make a sport of exploiting online gamers’ data, ransomware prevents patient care, and business leaders lament today’s data landscape.

Dark Web ID Trends:

Top Source Hits: ID Theft Forums
Top Compromise Type: Domain
Top Industry: Finance & Insurance
Top Employee Count: 501+ Employees

United States – Zynga 

https://www.cisomag.com/data-breach-affected-218-million-words-with-friends-gamers/

Exploit: Unauthorized database access
Zynga: Social game development company

Risk to Small Business: 2 = Severe: Hackers gained access to the company’s database, which exposed the personally identifiable information (PII) of millions of customers. The company discovered the breach in September, and they responded by hiring an external investigator to determine the scope and severity of the breach. Unfortunately, by the time they responded, hackers had uploaded user data to various hacker forums.
Individual Risk: 2.428 = Severe: The data breach applies to all users of the platform’s popular Words with Friends gaming app on Android and iOS who registered on or before September 2, 2019. In addition, some users of Draw Something, another mobile game produced by Zynga, were compromised. The exposed information includes names, email addresses, login IDs, hashed passwords, password reset tokens, phone numbers, Facebook IDs, and other Zynga account details. Since this information is already available to bad actors on the Dark Web and will be used to perpetrate additional cybercrimes, those impacted by the breach should carefully monitor their accounts while being especially watchful for other fraudulent communications.

Customers Impacted: 218,000,000
How it Could Affect Your Business: Data security is increasingly top of mind for consumers. For companies operating in a highly competitive marketplace, it can mean the difference between keeping your customers happy while increasing revenue or losing them forever. Therefore, businesses of every size need to meet the moment by understanding their vulnerabilities, embracing best practices for cyber defense, and building a breach response action plan. 


United States – Tomo Drug Testing

https://finance.yahoo.com/news/tomo-drug-testing-provides-notice-210000275.html

Exploit: Unauthorized database access
Tomo Drug Testing: Medical laboratory providing drug and screening services

Risk to Small Business: 1.888 = Severe: An unauthorized user gained access to Tomo’s customer database, which contained a treasure trove of personal data. Upon discovering the access, Tomo hired an external forensic firm to investigate the incident, which confirmed that customer data was either deleted or removed from the database. Although Tomo can’t confirm that hackers downloaded data, they are charged with notifying their customers and regulatory bodies of the incident. This could bring additional expenses and revenue reductions to the drug testing company. Moreover, the company will certainly face additional criticism and scrutiny for its lengthy reporting process and the sensitive nature of the compromised information in question. The breach occurred on July 1, 2019 but wasn’t officially reported until this week.
Individual Risk: 2.142 = Severe: Tomo confirmed that personal data, including names, driver’s license numbers, Social Security numbers, and drug test results could be compromised. The drug testing company has set up a designated helpline, and they encourage those impacted by the breach to acquire a free credit report to identify abnormalities.

Customers Impacted: Unknown
How it Could Affect Your Business: Although Tomo states that data privacy is one of their top concerns, their actions say otherwise. Companies demonstrate their priorities by actively securing their customers’ data and by having a response plan ready in case a breach occurs. Knowing what happens to data after it is stolen and having deliberate channels to communicate this information to your customers are both critical to hastening the recovery process and restoring customer confidence in your brand. 


United States – Zendesk 

https://www.channele2e.com/technology/security/zendesk-chat-data-breach/

Exploit: Unauthorized database access
Zendesk: Customer service software company

Risk to Small Business: 1.888 = Severe: More than three years after the event, Zendesk acknowledged a data breach after a third party notified the customer service software company of unauthorized data access. The breach impacts Support and Chat accounts, and it includes personal data from all categories of Zendesk users, including customers, agents, and end users. The company is resetting all passwords for users that registered before November 1, 2016. However, the platform touts many high-profile companies as clients, which means that the breach could have far-reaching repercussions for all stakeholders involved.
Individual Risk: 2.285 = Severe: The personal details of customers, agents, and end users were compromised in the breach. This includes names, email addresses, phone numbers, passwords, and other technically-oriented data. The company is contacting all customers who could be impacted by the breach, and those affected should reset their Zendesk passwords and any redundant passwords used on other platforms.

Customers Impacted: 10,000
How it Could Affect Your Business: When it comes to protecting customer data, speed and precision are your best friends. Unfortunately, too many companies don’t have the IT capabilities to identify a data breach or to adequately investigate an event after it happens. As a result, customer data can linger virtually indefinitely before protective action can be taken, such as changing passwords or otherwise ensuring data integrity. This incident serves as an important reminder that every business needs to enlist services that help proactively monitor and protect customer data.


Canada – Listowel Wingham Hospital Alliance

https://www.cbc.ca/news/canada/kitchener-waterloo/rural-hospitals-in-southwest-ontario-hit-by-ransomware-attack-1.5301947

Exploit: Ransomware
Listowel Wingham Hospital Alliance: Healthcare partnership between Listowel Memorial Hospital and Wingham and District Hospital

Risk to Small Business: 2 = Severe: The Listowel Wingham Hospital Alliance, which is comprised of two hospitals, was struck by a ransomware attack that significantly curtailed their treatment capabilities. Although the emergency rooms remain open, less urgent patients are enduring long waits or are being transferred to other facilities. In addition, the hospitals are unable to communicate with other healthcare providers until their network is cleared of ransomware-spreading malware. Not only does this put patients’ health at risk, but the recovery expenses and opportunity costs are sure to be immense.

Individual Risk: No personal information was compromised in the breach.

Customers Impacted: Unknown
How it Could Affect Your Business: There are no inexpensive ways to respond to a ransomware attack, which raises the importance of strong cybersecurity standards that can defend against these attacks. As the cost of a ransomware attack continues to rise, every business needs to be aware of the urgent need to secure their IT infrastructure against this incredibly frustrating and unfortunately expensive cybersecurity threat. 


Canada – The National Basketball Association 

https://www.narcity.com/sports/ca/nba-canada-data-breach-reported-one-month-after-the-incident

Exploit: Unauthorized database access
The National Basketball Association: Men’s professional basketball league in North America

Risk to Small Business: 2.111 = Severe: An unauthorized user accessed a server managed by the NBA for its Canadian business efforts. The league quickly identified the intrusion and took the server offline, began an investigation, and hired cybersecurity experts to make further recommendations. However, these measures can’t retroactively restore users’ data integrity, nor will they negate the reputational damage that always accompanies a privacy breach.
Individual Risk: 2.428 = Severe: The exposed user data includes names, addresses, email addresses, phone numbers, and other account-related information. Although the breach is limited to those who recently entered an online contest in Canada, this information is especially sensitive, and those impacted by the breach should take every precaution to ensure the long-term integrity of their credentials.

Customers Impacted: Unknown
How it Could Affect Your Business: Digital platforms can be a great way to engage customers, but when data integrity is compromised, these initiatives can quickly become a liability. Therefore, cybersecurity needs to be the bedrock of any online engagement to ensure that such marketing efforts meet customers where they are secure, as opposed to manifesting into self-inflicted wounds on your company’s reputation and customer engagement. 


United Kingdom – EA Sports 

https://www.infosecurity-magazine.com/news/ea-games-leaks-personal-data/

Exploit: Accidental sharing
EA Sports: Developer and publisher of sports video games

Risk to Small Business: 2 = Severe: EA Sports inadvertently leaked the personal data of 1,600 gamers who participated in a competition on the company’s website. The breach is related to the company’s FIFA 20 Global Series competition. Aside from becoming a PR nightmare for EA Sports on social media, the leak occurred just hours after the company’s announcement of new security features and promotional events related to the UK’s National Cyber Security Month. The web form was removed after thirty minutes, and the competition was temporarily cancelled.
Individual Risk: 2.142 = Severe: The leaked data includes email addresses, account ID numbers, usernames, and dates of birth. Those impacted by the breach should monitor their accounts for suspicious or unusual activity.

Customers Impacted: 1,600
How it Could Affect Your Business: Even relatively small data breaches can have a sizable impact on a company’s reputation and future earnings potential. Even apart from the bad press and media scrutiny that often accompanies a breach, customers are quick to take to social media to voice their concerns. Taken together, a data breach can quickly escalate into a PR disaster. To protect your brand’s reputation, prioritize customer data security. 


Australia – West Gippsland Hospital

https://www.theage.com.au/national/victoria/surgeries-delayed-and-patient-security-fears-after-cyber-attack-on-victorian-hospitals-20191001-p52wp1.html

Exploit: Ransomware
West Gippsland Hospital: Regional emergency hospital

Risk to Small Business: 2.111 = Severe: A ransomware attack has significantly impacted the healthcare provider’s ability to conduct business and treat patients. West Gippsland Hospital expects their book and record keeping system to be unavailable for two weeks. In response, the hospital had to disconnect and isolate its computer network to prevent the malware’s spread. Emergency and surgery centers remain operational, but some patient procedures were cancelled, and others were delayed until full operations can be restored. The ransomware attack was one of seven reported at healthcare providers around Australia.

Individual Risk: No personal information was compromised in the breach.

Customers Impacted: Unknown
How it Could Affect Your Business: Ransomware attacks are on the rise, and healthcare providers are a top target. However, regardless of industry, every organization needs to examine the delivery pathways for ransomware. Since there is no advantageous or affordable response once a ransomware attack occurs, these critical defensive maneuvers are a bottom-line issue for every company in 2019.


New Zealand – Tu Ora Compass Health 

https://www.stuff.co.nz/dominion-post/news/116318497/up-to-1-million-new-zealand-patients-data-breached-in-criminal-cyber-hack

Exploit: Unauthorized database access
Tu Ora Compass Health: Primary health organization

Risk to Small Business: 1.666 = Severe: Tu Ora Compass Health recently acknowledged a data breach that compromised the personal information of up to a million people. The breach was extensive, and hackers likely had access to the healthcare provider’s system since 2016. The organization discovered the breach after its website was defaced in August, and their slow response time made an already difficult situation even more damaging. Now, the organization will face public backlash, regulatory scrutiny, and high recovery costs.
Individual Risk: 2.428 = Severe: Tu Ora Compass Health’s data breach included a wide range of patient data, including names, ages, ethnicities, and addresses. In addition, hackers had access to patients’ smoking history, alcohol intake levels, immunization records, diabetes information, and other highly personal data points. Administrators believe this data was harvested to perpetrate identity theft, so those impacted by the breach should enroll in identity monitoring services to ensure that their information isn’t leveraged for nefarious reasons.

Customers Impacted: 1,000,000
How it Could Affect Your Business: Companies operating in highly regulated industries like healthcare have to be especially vigilant about their cybersecurity stance. Patients’ personal data must be protected at all costs, and when a breach occurs, it should not take three years to discover. Deploying proper defenses is much more affordable and advantageous than considering data breaches an inevitability and leaving it up to chance.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

 