Organization Description: Avis is a transportation solutions company specializing in rental cars.
Breach Size: 299,000
Data Exposed: Avis has announced that in August, unknown attackers gained access to personal information belonging to over a quarter of a million customers. The type of information leaked remains undisclosed. Avis is working with cybersecurity experts to investigate the incident and improve their defenses and has notified affected customers of the potential identity theft risks.
Organization Description: The United Services Automobile Association (USAA) is a financial services company insuring military members and their families.
Breach Size: 32,000
Data Exposed: At the end of August, members of USAA were impacted by a breach resulting from a system error during a routine update, which exposed data to an unauthorized party. Affected information included names, addresses, email addresses, dates of birth, Social Security numbers, driver’s license and passport numbers, vehicle identification numbers, loan numbers, health information, and information related to property and casualty insurance policies — all putting customers at risk of personalized phishing attempts and identity fraud. USAA is informing the impacted individuals and investigating the breach.
Organization Description: Slim CD is a payment gateway provider for electronic card payments.
Breach Size: 1.7 million
Data Exposed: This month, Slim CD shared that its computer systems were accessed by an unauthorized third party. The company said that bad actors may have had access to sensitive information for nearly a year between August 2023 and June 2024. Data included users’ full names, addresses, credit card number, and credit card expiration date, increasing the risk of financial fraud attempts. Slim CD is investigating the incident and working to improve its security to avoid further breaches.
Organization Description: 23andMe is a biotechnology and genomics company best known for ancestry and DNA tests.
Lawsuit: 23andMe has agreed to settle a class action lawsuit over a 2023 data breach that impacted 6.4 million customers. The company will distribute $30 million in cash payments to affected customers. 23andMe also promises to implement improved security measures including annual cybersecurity audits, enhanced employee security training, a data breach response plan, and mandatory two-factor authentication. 23andMe must also stop keeping personal data for inactive or deactivated accounts. While the company believes the settlement is reasonable, it denies any claims of wrongdoing or liability over the data breach and related damages.
Organization Description: CrowdStrike is a global cybersecurity technology company.
Lawsuit: In the wake of a faulty update to CrowdStrike’s cybersecurity software, Falcon, that caused more than 8.5 million Windows devices to suddenly crash, Delta Air Lines has announced its intent to sue CrowdStrike. The airline experienced outages that lasted for five days — resulting in a revenue loss of $500 million and leaving airline passengers stranded as thousands of flights were disrupted — and says CrowdStrike provided insufficient support. CrowdStrike has expressed regret over the incident but disputes Delta’s claims, stating that Delta refused to accept free onsite assistance to restore their devices. With approximately $5 billion in total estimated losses caused by the outage across airlines, financial services, and other industries, CrowdStrike is expected to face additional class action lawsuits from impacted parties.
Password spraying is a tactic in which bad actors use one password to try to gain access to a variety of different accounts. Unlike traditional brute force attacks, which focus on cracking one account by attempting many different passwords, password spraying casts a wider net, targeting passwords that are commonly used and easy to guess, such as “123456” or variations on “password.” Strategies to avoid falling victim to password spraying include using long, unique passwords with special characters and enabling multi-factor authentication, which requires a secondary verification step if bad actors do manage to guess the correct password.
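The difference between spraying and a traditional brute force attack shows up clearly in authentication logs. The following is an added example, not part of the original article: the log format, the sample events, and the thresholds are all constructed assumptions. It labels each source address by how its failed logins are distributed across accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (assumed format): "timestamp source_ip username result"
SAMPLE_LOG = """\
2024-09-01T10:00:00 203.0.113.7 alice FAIL
2024-09-01T10:00:20 203.0.113.7 bob FAIL
2024-09-01T10:00:40 203.0.113.7 carol FAIL
2024-09-01T10:01:00 203.0.113.7 dave FAIL
2024-09-01T10:01:20 203.0.113.7 erin OK
2024-09-01T10:02:00 198.51.100.9 frank FAIL
2024-09-01T10:02:05 198.51.100.9 frank FAIL
2024-09-01T10:02:10 198.51.100.9 frank FAIL
2024-09-01T10:02:15 198.51.100.9 frank FAIL
2024-09-01T10:02:20 198.51.100.9 frank FAIL
2024-09-01T10:05:00 192.0.2.44 grace FAIL
2024-09-01T10:05:30 192.0.2.44 grace OK
"""

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            yield (datetime.fromisoformat(parts[0]), *parts[1:])

def classify(log, window=timedelta(minutes=10), min_users=4, max_per_user=2, brute_min=5):
    # Thresholds are illustrative assumptions; tune them to your own login baseline.
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log):
        by_ip[ip].append((ts, user, result))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        verdict = "normal"
        for i, (start, _, _) in enumerate(events):
            fails = defaultdict(int)  # failures per account inside this window
            for ts, user, result in events[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
            worst = max(fails.values(), default=0)
            if len(fails) >= min_users and worst <= max_per_user:
                verdict = "spray"  # many accounts, only a guess or two each
                break
            if worst >= brute_min:
                verdict = "brute_force"  # many guesses against one account
        # A success from a spraying source means a guess worked: reset that account.
        hits = sorted({u for _, u, r in events if r == "OK"}) if verdict == "spray" else []
        verdicts[ip] = (verdict, hits)
    return verdicts
```

Per-account lockout counters alone miss the first source, because no single account there sees more than one failure.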
A keylogger, or keystroke logger, is a type of malicious software that records a person’s keystrokes while typing. The goal is to uncover user credentials like usernames, passwords, credit card numbers, and other sensitive data. Keyloggers can be installed via phishing emails, Trojan horse viruses, or USB drives. Signs of keystroke tracking include a disappearing cursor or lagging in the browser, mouse, or keystrokes. Robust protection against keyloggers should include up-to-date antivirus software and regular malware scans.