Cyber Security Is Not a Game of Lock & Key: Worst Data Breaches So Far of 2020

Who doesn’t use Facebook? This social networking platform is known for connecting millions of people around the globe while they interact and socialize with each other.

Right from sharing photographs to liking them, this App won millions of hearts in its initial days. Facebook made it easier for users to connect with long-distance relatives and friends as if they never left in the first place.

To make our user experience better and smoother, Facebook gathers our personal information which is synced to our accounts. What if one day you came to know that all your data has been compromised? What if all your photos, videos, and contact details have been laundered by some unauthentic source? This is exactly what happened back in 2018 when Cambridge Analytica captured Facebook using its API login method.

“Security used to be an inconvenience sometimes, but now it’s a necessity all the time.” - Martina Navratilova

Over 7.9 billion data breach cases occurred in 2020, which is about 33% more than the same in 2019. Though hackers are usually responsible for exposing and uncovering personal data, a data breach may also occur due to human errors.

Improper handling of Personally Identifiable Information, or PII, caused major breaches like in the case of the Equifax breach and Facebook data leaks. To punish such irresponsible and improper work, the Federal Trade Commission has often imposed hefty fines and penalties on these organizations.

Besides the spread of the deadly coronavirus, 2020 has also seen a steady increase in the number of data breaches and exposures that have put customers at risk. The first quarter’s records show an increase in data exposure-related cases by about 273% as compared to last year.

Most of the breaches occur due to faults and errors in the Application Testing Services and that can put customers at risk, even identity thefts. So, what were these breaches?

Calm your nerves as we drive you through the worst data breaches of 2020 so far. These breaches have not only stirred the cybersecurity realm but left the Cybersecurity department questioning its security module. Let’s learn about them here...

January 2020 - The Start

“I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our image.” - Stephen Hawking

★ Laundry’s: January 2

The widespread restaurant conglomerate Laundry’s made announcements regarding a point-of-sale malware attack, which put customer’s payment card details at risk. This is the second time the company has faced a data breach since 2015.

Among the Personally Identifiable Information (PII) collected are credit and debit card numbers, expiration dates, verification codes, and cardholder names.

★ Peekaboo Moments: January 14

An unsecured database on an Elasticsearch server linking to Peekaboo Moments was left exposed to data breach incidents. Peekaboo Moment is an app where parents post images and videos of their children.

The affected data connect email address, geographic location detail, device data, and backlinks to images and videos submitted by parents. The company has not revealed the number of impacted customers. This app which debuted in 2012, has over a million downloads.

★ Hanna Andersson: January 20

Children’s clothing retailer Hanna Andersson has been a victim of a data breach over the payment information of several customers. The exact number of customers affected has not been disclosed to the public. This is a Magecart attack, where the hackers installed malicious software in Point-of-Sale (POS) systems to skim credit card information.

The data explored connected names of clients, their delivery addresses, billing addresses, payment card numbers, CVV codes, and termination dates, which were shaved and put on sales on the dark web. Only customers who made online purchases between September 16, 2019, to November 11, 2019, have been affected.

★ Microsoft: January 22

A customer support database that held over 280 million Microsoft customer records was left unprotected on the web.

Email addresses, IP addresses, and support case details were exposed due to the unprotected database. Microsoft assured that the database did not include any other personal information.

★ Marijuana Dispensaries: January 23

The marijuana dispensaries follow the THSuite point-of-sale system. After the database was left unprotected, over 85,000 medical marijuana patients and recreational users had their data exposed.

Names, BOD, Ph. no. emails, venue address, patient names and health id, cannabis different and the bulk capacity purchased, number of transaction pay detail, received payment dates, and photographs of examining government and employee IDs were available to the hackers due to the data breach.

February 2020: It Is Growing Cold

“We’re all going to have to change how we think about data protection.” - Elizabeth Denham

★ Estee Lauder: February 11

Makeup Company Estee Lauder had an unsecured database, which revealed and exposed customer data of 440 million customers.

Though no financial information was impacted, customer’s email addresses, IP addresses, ports, pathways, and storage information were disclosed in the database.

★ Fifth Third Bank: February 11

Fifth Third Bank is a financial institution with over 1150 branches, spread in 10 states. They blame a former employee for a data breach, which exposed customers’ names.

Social Security number, driver’s license information, mother’s maiden name, address, phone number, date of birth, and account numbers. The number of affected employees and banking clients have not been disclosed.

★ Health Share of Oregon: February 13

A GridWorks IC employee’s laptop was stolen, which exposed the personal and medical information of 654,000 members.GridWorks IC is a third-party vendor of the Health Share of Oregon.

This breach exposed sensitive personal information including names, addresses, phone numbers, and dates of birth, Social Security numbers, and Medicaid ID numbers.

★ MGM Resorts: February 20

The personal information of over 10.6 million guests, who stayed at the MGM Resorts, has been posted on a hacking forum. The data posted had sensitive information like names, home addresses, phone numbers, emails, and dates of birth of former hotel guests.

July 15, 2020: After meticulous investigation and probing, it was found that 142 million personal records from former guests at the MGM Resorts were up for sale on the Dark Web. This meant that the previous speculations were nowhere near the actual size and intensity of the breach.

★ PhotoSquared: February 20

An unsecured database of the photography app, PhotoSquared has exposed the personal information of over a hundred thousand people, who downloaded the app. The unsecured database had risked not only photos, but also user’s names, addresses, order receipts, and shipping labels.

★ Slickwraps: February 24

Slickwraps, which is an online tech customization store, and offers software development solutions, reported an incident due to an unsecured database. The unprotected database revealed information belonging to 850,000 customers. The disclosed information includes names of customers, their physical addresses, phone numbers, and purchase history.

March 2020: One of Those March Days

“Privacy – like eating and breathing – is one of life’s basic requirements.” - Katherine Neville

★ Walgreens: March 2

Walgreens, the second-largest pharmacy chain in the United States faced an error within its mobile app’s messaging feature which required a prompt software development solution.

This error exposed messages within the app, along with names, prescription numbers and drug names, store numbers, and shipping addresses of the users. The application has more than 10 million downloads, and the specific number of influenced clients has not been revealed.

★ Carnival Cruise Lines: March 4

Hackers accessed a Carnival Corporation employee’s work email to get sensitive information regarding employees and customers. The information was accessed from the Princess Cruises and the Holland America Line under Carnival Cruises management.

The leaked information includes names, addresses, Social Security numbers, government identification numbers, such as passport number or driver’s license number, credit card and financial account information, and health-related information.

★ J-Crew: March 4

Apparel Retailer J-Crew became victim to a credential stuffing attack, letting hackers’ access customer accounts. By making use of exposed login details, hackers were able to gain access to different accounts.

They accessed the accounts to obtain information like the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers, shipping confirmation numbers, and shipment status.

★ T-Mobile: March 5

A malicious attack by third-party vendors allowed hackers to access customers’ sensitive information through T-Mobile employee email accounts.

The data accessed by hackers include names and addresses, Social Security numbers, financial account information, and government identification numbers, along with phone numbers, billing and account information, and rate plans and features.

★ Whisper: March 11

Whisper is an app, where users can share their secrets anonymously with other users. It has left user data exposed in an unsecured database.

Though the data heap does not have real names of users, it includes nicknames, ages, ethnicities, genders, and location data of over 900 million users.

★ TrueFire: March 18

TrueFire, the online guitar lessons website, notified users regarding a hack, which gave the attackers access to names, addresses, payment card account numbers, card expiration dates, and security codes for the past six months.

TrueFire, which has millions of users worldwide, could not specify the number of victims.

★ Unnamed U.K-Based Security Firm: March 19

Upon investigations, researchers found an unprotected database on Elasticsearch, which contained over 5 billion individual records.

This database was managed by an U.K-based security firm, which remains unnamed, and it has been taken offline, as confirmed by the researcher who found it.

This database contained data and records belonging to Adobe, Twitter, Tumbler, and LinkedIn, among many others that had previously been breached. It includes leak dates, passwords, email addresses, email domains, and companies that were the source of the original leaks.

★ General Electric: March 24

General Electric, the conglomerate of tech companies, announced that a third-party vendor has been victim to a data breach. This breach has exposed personally identifiable information of over 280,000 current and former employees.

The breach originated at Canon Business Process Services, and it exposed names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, and dates of birth of the employees.

★ Marriot International: March 31

Marriot International exposed the information of 5.2 million guests when hackers used the login credentials of two employees from a third-party app used to provide guest services.

Names, mailing addresses, email addresses, phone numbers, loyalty account numbers, and points balances, company, genders, birth dates, linked airline loyalty programs and numbers, room preferences, and language preferences of the hotel guests.

A similar incident occurred with Marriott hotels back in 2018, which leaked the personal information of 500 million guests.

April 2020: The Month Where the World Says Go

“You know something is wrong when the government declares opening someone else’s mail is a felony but your internet activity is fair game for data collecting.” - E.A. Bucchianeri

★ Key Ring: April 6

Key Ring, the digital wallet app was responsible for leaving data of 14 million customers in an unsecured database. This app, which allows users to easily upload and store scans and photos of membership and loyalty cards to a digital folder in their mobile device, but all that data at risk.

Among other sensitive information which has been exposed includes:

• Names
• Full credit card details (including CVV numbers)
• Email address
• Birthdate
• Address
• Membership ID Numbers
• Retail Club
• Loyalty Card Memberships
• Government IDs
• Gift Cards
• Medical Insurance Cards
• Medical Marijuana IDs
• IP address and encrypted passwords.

★ San Francisco International Airport (SFO): April 13

Hackers injected malicious code into the two websites hosted by the San Francisco International Airport (SFO), SFOConnect.com, and SFOConstruction.com, aiming to collect user’s login credentials.

Every time users logged in to the infected websites, the malware stored the credentials to be misused by the hackers.

★ Zoom: April 14

Zoom Teleconferences was hit by a cyber-attack, and the user credentials of over 500,000 accounts were found for sale on the dark web and hacker forum for as low as $.02.

The data was collected through credential snuffling attacks, and the collected data comprised email addresses, passwords, and personal meeting URLs, and host keys.

★ Quidd: April 14

A hack collected around 4 million records belonging to the online marketplace Quidd and was put on sale on the dark web forum for free.

Once these data were accessible, the details and credentials were hashed for safety, but cybercriminals are unlashing them to sell them again.

★ Beaumont Health: April 20

A malicious actor compromised employee emails through a phishing attack and accessed the personal and medical information of over 112,000 employees and patients of Beaumont Health.

The records included names, birth dates, Social Security numbers, driver’s license numbers, medical condition data, and bank account data.

★ Facebook: April 21

Facebook profiles, belonging to over 267 million Facebook users have been posted for sale on the Dark Web, for a sum of $600.

Reports blame the December data breach to have caused this wreck, allowing hackers to access data and list it on the Dark Web. Researchers claim that this time, the data contained more than the one originally exposed, including additional PII, and email addresses.

★ Paay: April 22

Paay, a card payment processor startup, was irresponsible enough to leave a database containing 2.5 million card transaction records accessible online without password protection.

These transactions belonging to about 20 merchants gave anyone access to credit card numbers, expiry date, and the amount spent in plaintext.

★ Nintendo: April 27

Hackers performed a credential stuffing attack using previously exposed user IDs and passwords of Nintendo to access over 160,000 player accounts.

The hackers can misuse these accounts to purchase digital items using stored cards as well as view personal information including name, date of birth, gender, country/region, and email address.

★ Ambry Genetics: April 28

Ambry Genetics is a genetic testing laboratory based in the US. They made announcements regarding unauthorized access to the personal and medical information of around 233, 00 medical patients by a third party through an employee email.

The third-party had access to customer names, and also information related to customers’ use of the genetic laboratory’s services and medical information. The Social Security numbers of some of the patients were also accessed.

May 2020: All Things Seem Possible in May

“As cybersecurity leaders, we have to create our message of influence because security is a culture and you need the business to take place and be part of that security culture.” - Britney Hommertzheim

★ GoDaddy: May 4

The popular web hosting site, GoDaddy notified its customers regarding unauthorized third-party access to login credentials.

This exposed around 19 million users and exposed the username and passwords of around 24,000 users. The company took necessary and prompt action to prevent further damage.

★ Fresenius Group: May 5

Global healthcare company Fresenius Group faced a ransomware attack, which impacted the company’s operations worldwide. Fresenius Group, which also occurred to be the huge dialysis accessories worker interest that its system had been attacked by a virus.

A source confirmed the situation and added that the hacker held the healthcare’s IT systems and data hostage as ransom, in exchange for payment in Bitcoin.

★ U.S. Marshals: May 13

A hacker exploited a server vulnerability to gain access to the personal information of 387,000 former and current inmates.

This information included names, dates of birth, social security numbers, and home addresses of the inmates.

★ Magellan Health: May 13

Patients of Fortune 500 healthcare company, Magellan Health, were alerted of a phishing scam and ransomware attack that had affected them.

The threat actors held names, contact information, employee ID numbers, W-2 or 1099 information, including Social Security numbers or taxpayer-identification numbers, as well as login credentials and passwords for employees as ransom.

★ Home Chef: May 20

After a data breach incident, information of about 8 million users of the home meal delivery service, Home Chef, were found for sale on the Dark Web.

The data for sale was found to contain names, email addresses, phone numbers, addresses, scrambled passwords, and the last four digits of credit card numbers of the users.

★ Wishbone: May 20

A data breach exposed over 40 million user data of the mobile app, Wishbone.

Their data was found for sale on the Dark Web, containing their usernames, emails, phone numbers, location information, and hashed passwords.

★ Mathway: May 24

Mathway, the popular calculator app faced a security incident, and over 25 million user data was found for sale on the Dark Web.

The breached data also included “back-end system data,” that runs behind the scenes on a server, powering the application for the end-user but is invisible to the user.

June 2020: When Half the Year Is Gone

“As we’ve come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided.” - Art Wittmann

★ Amtrak: June 2

The passenger railroad service, Amtrak notified its customers regarding unauthorized third-party access to their database, which exposed several Amtrak Guest Rewards accounts.

The company assured that hackers only accessed usernames, passwords, and some personal data, but Social Security Numbers and financial data was safe.

★ Claire’s: June 15

Claire’s, the famous jewelry and accessories retailer, suffered a magic art attack, which exposed payment information of an unknown number of customers.

The retailer, which operates from 3500 locations worldwide, and on an e-commerce platform, said that the breach only affected online sales.

★ Cognizant: June 17

IT managed Service Company Cognizant announced to its users that a ransomware attack in April 2020 accessed and stole user’s information.

The threat actors had stolen information, which included names, Social Security numbers, tax identification numbers, financial account information, driver’s licenses, and passport information.

★ BlueLeaks: June 22

Hackers and threat actors have leaked over 296GB of data from the US law enforcement agencies and fusion centers and posted the files online on a searchable portal titled BlueLeaks.

The leaked data has over a million files, which include scanned documents, videos, emails, audio files, and personal information, such as names, bank account numbers, and phone numbers.

★ Twitter: June 23

Twitter faced a security lapse that left the account information of their business users exposed. The impacted business accounts suffered heavily as their email addresses, phone numbers, and the last four digits of their credit card number were impacted. The number of accounts at risk, has, however, not been disclosed.

July 2020: The Month to Excel Breach

“Cybercrime is the greatest threat to every company in the world.” - Ginni Romney

★ Clubillion: July 7

Clubillion, a popular casino gambling company suffered a data leak, which exposed the PII of millions of users worldwide.

While it was functioning without any issue, the database recorded up to 200 million records daily, including users’ IP addresses, email addresses, amounts won, and private messages within the app. Most of the app’s users are from the United States.

★ Polk County: July 16

An employee at Florida’s Polk County Tax Collector fell victim to a phishing attack, exposing the driver’s license numbers and Social Security numbers of over 450,000 residents.

★ Ancestry.com: July 20

Sensitive data belonging to 60,000 customers were exposed by Ancestry.com due to an unsecured server.

This leak of family history search Java Web development Company included data like email addresses, geolocation data, IP addresses, system user IDs, support messages, and technical details.

★ Dave Mobile Banking: July 26

Dave, the digital banking app, was a victim of a third-party breach. This breach put over 7.5 million users at risk.

The customer data revealed include names, phone numbers, emails, birth dates, home addresses, and encrypted Social Security numbers. Fortunately, financial information had not been exposed.

★ Drizly: July 28

Drizly, the online alcohol delivery startup notified customers regarding a hack. The hacker accessed account details of 2.5 million Drizly customers, including their email addresses, dates of birth, and hashed passwords.

★ Promo: July 28

A third-party data breach has exposed the personal and account information of 22 million customers of the video creation platform, Promo.com.

The data exposed by the hack includes phone numbers, emails, birth dates, home addresses, and encrypted Social Security numbers.

★ Avon: July 28

An unsecured database at cosmetic company Avon exposed the Personally Identifiable Information (PII) of 19 million customers and potential employees, including names, phone numbers, dates of birth, email and home addresses, and GPS coordinates, as well as other technical information.

August 2020: Final Moments of Fun before the Freeze

“It’s funny to us as we’re so used to worms and viruses being bad news rather than making the world a better place.” - Graham Cluley

★ Instagram, TikTok & YouTube: August 20

Defunct social media data broker, Deep Social had an unsecured database containing over 235 million Instagram, TikTok, and YouTube user profiles.

This leak exposed names, ages, genders, profile photos, account descriptions, statistics about follower engagement and demographic such as the number of likes, followers, follower growth rate, engagement rate, audience demographic (gender, age, and location), and whether the profile belongs to a business or has advertisements.

★ Freepik: August 21

The image database, Freepik notified its 8.3 million strong user base, that their account login information had been exposed through malware on their site.

The injected malware collected the email addresses of all users and hashed the passwords of 3.77 million users.

★ Dynasplinyt Systems: August 26

An encryption attack held Dynasplit Systems at a deadlock. This attack on all their business devices exposed the personal and medical information of 103,000 patients.

Besides, their names, addresses, dates of birth, and Social Security Numbers were also exposed.

★ Utah Pathology Services: August 31

While trying to redirect funds from Utah Pathological Services, an unauthorized hacker stumbled upon an employee’s email account. It contained sensitive information about 112,000 medical patients.

The hacker accessed this data, which included patient names, gender, date of birth, mailing address, phone number, email address, health insurance information, internal record numbers, diagnostic information, and a small number of Social Security numbers.

September 2020: The Month to Remember

“At the end of the day, the goals are simple: safety and security.” - Jodi Rell

★ Telmate: September 5

Telmate, the prison phone service used in the United States, have had their personal information in an unsecured database. The information of over 1 million inmates and their contacts have been exposed.

This data included names, gender, offense, religion, facility location, relationship status, medication history, emails, physical and IP addresses, phone numbers, and driver’s license details.

★ Imperium Health: September 7

The Health information of 140,000 medical patients of Imperium Health Management was exposed after it was a victim of a phishing attack.

This attack exposed information like patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information.

★ NorthShore University HealthSystem: September 9

A third-party breach exposed the health information of 348,000 medical patients under NorthShore University HealthSystem, the Chicago based healthcare system.

The data breach risked patients as their names, dates of birth, addresses, phone numbers, e-mails, admission and discharge dates, locations of services, and physician names and specialties had been exposed.

★ Razer: September 10

Researchers have found an online database containing customer information of 100,000 gamers, who made purchases with game tech company Razer.

This database contained information like the names, email addresses, phone numbers, customer internal IDs, order numbers, order details, and billing and shipping addresses.

★ Staples: September 14

Many customers who purchase from Staples, the office retail giant, received emails alerting them that a data breach had caused their information to get exposed.

The data, which has been breached, included information like customer names, addresses, email addresses, phone numbers, last four credit card digits, and order details.

★ Children’s Hospitals & Clinics of Minnesota: September 16

Children’s Hospitals and Clinics of Minnesota notified the patients regarding a third-party breach, which had exposed over 160,000 patient records.

The patient data revealed due to the breach includes information like their names, addresses, phone numbers, ages, dates of birth, genders, medical record numbers, dates of treatment, locations of treatment, names of doctors, and health insurance status.

★ Activision: September 21

Credential stuffing attacks were aimed at over 500.000 gamer accounts of video game publisher Activision. Reports say that login data, particularly emails and passwords were published online.

Hackers could access the Call of Duty accounts, but the rightful owners were kicked out in the process.

★ Town Sports: September 24

Fitness chain, Town Sports, which has 185 clubs under brands like New York Sports Clubs, Philadelphia Sports Clubs, Boston Sports Clubs, and Washington Sports Clubs maintained an unsecured online database, containing records of 600,000 gym members.

The database, which was exposed, contained data including customer names, postal addresses, email addresses, phone numbers, check-in data, gym location, notes on customer accounts, last four digits of credit card, credit card expiration date, and billing history.

★ Warner Music Group: September 29

In a recent legal filing, it was discovered that entertainment and record label conglomerate, Warner Music Group has been the victim of a three-month-long magecart attack. This exposed several customer’s personal and financial data.

Warner Music’s e-commerce website, which is hosted and supported by a third-party, was the target of hackers.

They captured customer data, such as their names, email addresses, telephone numbers, billing addresses, shipping addresses, and payment card details such as card numbers, CVC/CVV, and expiration dates.

October 2020: Fall Is Here

“If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders.” - Dan Farmer

★ Blackbaud: October 6

Blackbaud, which is a cloud-based fundraising database management vendor for non-profits and educational institutions has become a victim of a ransomware attack, which began in February 2020, but unfortunately remained undetected till May 2020.

Though the company paid the ransom and received confirmation of the destruction of the data, the attackers copied sensitive information of over 6 million donors, potential donors, patients, and community group connecting names, email address, Ph. no., BOD, genders, providers names, which dates services start, visited department detail and philanthropic providing past detail.

September records show that the security issue was more severe than originally reported. Hackers gained access to unencrypted data including Social Security numbers, financial accounts, and payment information. Clients affected have disclosed the hefty amounts they lost due to the ransomware attack.

★ Chowbus: October 6

Chowbus sent an email to its customers with a link to access the personal data and account information of about 800,000 customers.

The customer data includes names, phone numbers, and mailing and email addresses.

★ Barnes & Noble: October 15

Popular bookseller, Barnes & Noble was hit by a cyberattack, causing exposure of customer information and disrupted the services on their Nook e-reader.

The data leak allowed hackers to access billing and shipping addresses, telephone numbers, and email addresses. The number of customers who were affected, has, however, not been disclosed.

★ Dickey’s BBQ: October 16

Over 3 million customers have been affected by the year-long Point-of-Sale system breach at popular Dickey’s BBQ. Hackers have posted the stolen card details for sale on the Dark Web, for $17 a card.

★ Broadvoice: October 20

Comparittech security researchers found an unsecured database with over 350 million customer data, along with call transcripts belonging to Broadvoice, a cloud-based communication company.

The exposed data enclosed personal details like caller names, caller identification number, phone number, and location along with voicemail transcripts.

★ Pfizer: October 20

A data leak at the pharmaceutical corporation Pfizer exposed the personal and medical information of hundreds of medical patients partaking cancer drugs. This leak was caused by a misconfiguration in the Google Cloud database.

The leak contained personal and sensitive information like patient names, phone numbers, home addresses, email addresses, customer support messages, health data, medical status, phone call transcripts, and prescription information.

★ Fragomen, Del Rey, Bernsen & Loewy: October 27

Fragomen, Del Rey, Bernsen & Loewy, the immigration law firm responsible for representing Google announced a security incident, which has exposed the personal information of current and former Google employees.

A 3rd party boosted unauthorized approach to many employees Form I9’s, holding full detail, BOD, Ph. no., another security platform, passport no., and email id. 

November 2020: A Delightful Menance in the Air

“A good programmer is someone who always looks both ways before crossing a one-way street.” - Doug Linder

★ JM Bullion: November 3

Hackers embedded malware into the online bullion dealer, JM Bullion’s shopping portal to capture the personal and banking card information of customers. This skimming took place from February to July 2020.

The malicious code allowed hackers to collect customer names, addresses, and payment card details including account numbers, card expiration dates, and security codes.

★ Mashable.com: November 5

Hackers leaked a database belonging to the online media company Mashable.com. It contained staff, users, and subscriber data including names, email addresses, country, gender, job description, online behavior related details, date of registration, IP addresses, social media profile links, and authentication tokens.

★ Expedia, Hotels.com & Booking.com: November 6

The famous hotel reservation platform, Prestige Software, suffered from a data leak owing to an unsecured database. The leaked data belonged to over 10 million hotel guests worldwide and dated back to 2013.

Data leaked shows that all the reservations were made through travel companies like Expedia, Hotels.com, Booking.com, Agoda, Amadeus, Hotelbeds, Omnibees, Sabre, and others.

The leaked information includes names, email addresses, national ID numbers, phone numbers of hotel guests, and reservation details such as reservation number, dates of a stay, the price paid per night.

The payment details of several customers have been leaked too, which includes the card number, cardholder’s name, CVV, and expiration date, and total cost of hotel reservations.

Phew, those are some numbers eh? While December is yet to come, we wonder how many more breaches are waiting for us. However, we can only wait and ponder until another breach strikes to make the headlines. Till then, we can only sit, wait, and hope not to come across any more breaches, or do we? One may never know.