Industry News: ESG5

Know Your Breach: Desjardins

The target: Desjardins Group, a Quebec-based federation of credit unions.

The take: Personal information for more than 2.7 million individuals and more than 173,000 businesses, potentially including name, date of birth, social insurance number, address, phone number, e-mail address, and ‘details about banking habits’.

The attack vector: Desjardins announced that the breach was not the result of an external cyberattack, but was the result of ‘unauthorized and illegal use of its internal data by an employee who has since been fired.’


Know Your Breach: US CBP

The target: United States Customs and Border Security Protection, the largest federal law enforcement agency of the US Department of Homeland Security.

The take: Photos of the faces and license plates of almost 100,000 travellers who entered and exited the US via a single (unnamed) land border entry port.

The attack vector: A ‘malicious cyberattack’ against federal contractor ‘Perceptics’ led to the images being made available on the dark web, along with other proprietary information.


Know Your Breach: Quest Diagnostics / LabCorp

The target: Quest Diagnostics, the largest blood testing provider in the US, and LabCorp, a leading health care diagnostics company.

The take: Almost 20 million patient records, including names, dates of birth, addresses, phone numbers, dates of service, providers, and balance information, including 200,000 credit card or bank account details.

The attack vector: American Medical Collection Agency, a third-party collections firm, reported that their web billing site had been breached from Aug 1, 2018 through March 30, 2019, resulting in the theft of information held on behalf of the entities for whom they provided collection services.


Know Your Breach: Helse Sør-Øst RHF

The target: Norway’s largest healthcare authority, Health South-East.

The take: Patient records and private health information for almost 3 million people.

The attack vector: Apparently focused on the health service’s relationship with Norway’s armed forces and the ‘Trident Juncture 18’ NATO exercise scheduled for October 2018, cybercriminals exploited legacy systems and substandard security to exfiltrate health data for almost half of Norway’s population. Reports indicate that as of June 2017, more than 1,200 of Health South-East’s endpoints were running the Windows XP operating system (which reached end-of-life in 2014).


Know Your Breach: Instagram

The target: Instagram, a Facebook-owned picture-sharing social network.

The take: 49 million user records, including name, number of followers, location, phone number and e-mail addresses.

The attack vector: An AWS database belonging to social media marketing firm Chtrbox was discovered to be publicly exposed and accessible to anyone with an internet connection.


Know Your Breach: Saks/Lord & Taylor

The target: Saks Fifth Avenue and Lord & Taylor, high-end department stores.

The take: 5 million credit and debit card account numbers.

The attack vector: Attackers appear to have gained complete access to the breached department stores’ networks, and installed card-scraping malware on point-of-sale terminals at all 51 Lord & Taylor and 83 Saks Fifth Avenue locations. The compromise appears to have begun in May of 2017 and was discovered and remediated one year later.


Know Your Breach: Uber

The target: Uber, a ridesharing service.

The take: The personal data of 57 million customers and drivers, including names, e-mail addresses and phone numbers, as well as driver’s license numbers for hundreds of thousands of American drivers.

The attack vector: Attackers gained access to an AWS-hosted server with credentials an Uber engineer left publicly exposed in a GitHub repository.

Uber later came under fire for failing to report the breach at the time that it occurred, and attempting to pay the hackers a $100,000 ransom to delete the stolen data. The handling of the incident resulted in the dismissal of Uber’s Chief Security Officer.


Know Your Breach: Home Depot

The target: Home Depot, an American home improvement retailer.

The take: 53 million e-mail addresses and 56 million credit and debit accounts.

The attack vector: Beginning in April 2014 and lasting several months, attackers used compromised credentials belonging to a third-party vendor to initially breach Home Depot’s network. Once inside, they exploited unpatched Windows vulnerabilities and installed malware on self-checkout registers to skim customer information.


Know Your Breach:

The target: Microsoft’s personal e-mail service,

The take: E-mail accounts under the,, and domains were compromised – while Microsoft has offered that ‘only 6%’ of accounts were compromised, they would not confirm the number of accounts that percentage represents. While they initially denied that the attackers had access to customers’ inboxes beyond contacts, folder names, and subject lines, it was later confirmed that email contents could have been viewed.

The attack vector: Attackers were able to access Microsoft’s infrastructure by compromising the credentials of a customer support representative.


Know Your Breach: Orbitz

The target: Orbitz, a subsidiary of online travel agency Expedia Inc.

The take: Payment card information and personal data such as billing addresses, phone numbers, and emails.

The attack vector: About 880,000 payment cards had been hit by a security breach. The attacker may have accessed personal information that was submitted for certain purchases made during an entire year.