January 31, 2024

Major Data Breaches and Hacking News in January 2024

Data Breaches 

VF Corporation

Organization description: VF Corporation is the parent company of popular outdoor and activity-based apparel brands like Vans, Timberland, The North Face, Dickies, and Supreme.

Breach size: 35.5 million individuals

Data exposed: Not yet disclosed.

VF Corporation, a renowned clothing conglomerate, suffered a December data breach exposing the personal data of 35.5 million customers, including popular brands like North Face and Vans. The nature of stolen data remains unclear. Discovered on Dec 13, during the lead-up to a busy holiday shopping season, the cyber incident led to disruptions, system shutdowns, and impacted operations. While the company restored IT systems and ousted attackers by Dec 15, it's still dealing with minor residual impacts. VF assures no evidence of stolen passwords or sensitive information like Social Security and credit card details. However, ongoing investigations suggest that customer names, addresses, demographics, and purchase information might be at risk.


loanDepot

Organization description: loanDepot is a non-bank mortgage lender that offers consumer credit products like mortgage loans, personal loans, and related credit and real estate services.

Breach size: 16.6 million individuals

Data exposed: Not yet disclosed, but may contain names, addresses, Social Security numbers, and loan numbers.

LoanDepot, a major U.S. mortgage lender, faced a ransomware attack and revealed that approximately 16.6 million people had their personal information compromised. The attack, discovered on January 6, prompted system shutdowns and affected services, causing delays in payment history and portal outages. While the company is restoring systems, affected individuals will receive free credit monitoring and identity protection. With sensitive financial data at risk, vigilance is crucial as these breaches often lead to phishing attempts and identity theft. LoanDepot is taking steps to address the situation and support those impacted by this unfortunate incident.


HealthEC LLC

Organization description: HealthEC provides management solutions for healthcare organizations to improve data integration, analytics, care coordination, patient engagement, compliance, and reporting.

Breach size: 4.5 million individuals

Data exposed: HealthEC LLC, a health management solutions provider, experienced a data breach affecting around 4.5 million individuals who received care through their platform. The breach occurred between July 14 and 23 of 2023, leading to unauthorized access to some systems. As a precaution, individuals are advised to monitor accounts, review benefit statements, and check credit reports for unusual activities. Promptly report any suspicious activity to relevant parties. The breach impacted seventeen (17) healthcare service providers, including Corewell Health, HonorHealth, Beaumont ACO, and others. For those affected, it's crucial to stay vigilant and take necessary precautions against potential identity theft and fraud. 

Fidelity National Financial

Organization description: Fidelity National Financial (not to be confused with Fidelity Investments) is a provider of title insurance and transaction services for the real estate and mortgage industries in the United States.  

Breach size: Over 1.3 million individuals

Data exposed: Names, addresses, Social Security numbers, and loan numbers. 

In November of 2023, Fidelity National Financial (FNF), a real estate services company, faced a week-long system outage likely due to a ransomware attack, with ALPHV/BlackCat claiming responsibility. Ransomware groups often steal data for added leverage, and that appears to have been the aim in this breach. While ALPHV's leak site listing was removed, indicating potential ransom payment or law enforcement action, the gang reappeared in December. FNF, in a Form 8-K, notified state authorities and approximately 1.3 million potentially affected consumers. The company is offering credit monitoring and identity theft services, but the specific type of stolen data remains undisclosed.

Orrick, Herrington, Sutcliffe

Organization description: Orrick, Herrington, & Sutcliffe is a global law firm offering commercial counseling on transaction, litigation, and compliance in the technology, energy, and finance sectors.

Breach size: Over 600,000

Data exposed: Names, dates of birth, addresses, email addresses, and government-issued identification numbers like Social Security numbers, passport, driver’s license, and Tax Identification Numbers.

Orrick, Herrington, and Sutcliffe, a San Francisco-based law firm, faced a data breach in March 2023, impacting 637,620 individuals. The breach exposed sensitive health information, including names, addresses, dates of birth, and government-issued ID numbers, with additional compromises like medical treatment details, insurance claims, and financial information. Orrick promptly notified affected individuals and offered two-year identity monitoring services. The incident also implicated data related to other companies Orrick provided legal counsel to, such as EyeMed Vision Care and Delta Dental. The law firm, currently settling a class-action lawsuit, assures ongoing focus on protecting client information.

San Bernardino Housing Authority

Organization description: The San Bernardino Housing Authority provides housing resources like rental assistance to low-income families. 

Breach size: 19,000

Data exposed: Names and Social Security numbers; complete information has not yet been disclosed.

The San Bernardino County Housing Authority revealed a June cyberattack compromising data of nearly 19,000 individuals, including names and Social Security numbers. Discovered on December 26, the breach occurred through unauthorized access to an employee email account, triggering immediate password resets and forensic investigation. Limited information may have been accessed. Notices were sent to regulators, offering the affected individuals one year of free credit monitoring. The housing authority, serving seniors, individuals with disabilities, veterans, and children, has operated for over 80 years. This incident follows a series of housing authority cyberattacks, emphasizing the escalating threat to such organizations and the imperative need for robust cybersecurity measures. 

Hacking News

26 Billion (with a “B”) Records Exposed in the “Mother of All Breaches”  

2024 started with a bang in the cybersecurity world when security researchers discovered a database containing no less than 26 billion leaked data records, totaling 12 terabytes. To give you an idea of how large that is, it’s estimated that the average reader would need 5,623 years to read one terabyte of text. The owner of this treasure trove of data found in the depths of the dark web is unlikely to be identified.

The research team believes that the database was likely compiled by a data broker over time through various cyberattacks. On the bright side, most of the data seems to be aggregated from previously known data breaches with many duplicate records. However, the inclusion of usernames paired with passwords raises significant concern about a surge in credential stuffing attacks over the next few weeks.

Credential stuffing is a tactic commonly used by hackers to access personal and financial accounts. The bad actors count on people recycling passwords or using similar combinations of words and numbers in their passwords to quickly break into accounts.

Several well-known companies and their users’ information were included in the breach, including Twitter/X, LinkedIn, Adobe, Canva, Snapchat, Venmo, MyFitnessPal, and Chinese technology and social media behemoth, Tencent.

Cybersecurity experts suggest that anyone who may have been affected should give each account a new, unique password. If you’re using the same password for multiple accounts and one was compromised by this “mother of all breaches,” update it as soon as possible and enable two-factor authentication whenever available.

Hackers Want All Your Data, Even Your Genotype

Genetic testing provider 23andMe recently confirmed a significant data breach that compromised the privacy of millions of its customers. The breach, resulting from a prolonged credential stuffing attack, went undetected for an alarming five months, spanning from April 29 to September 27. 

According to reports, the stolen information encompasses health reports and raw genotype data of approximately 6.9 million individuals out of the existing 14 million customers. The severity of the incident was further underscored as some of the stolen data made its way onto notorious hacking forums like BreachForums and the unofficial 23andMe subreddit. 

23andMe revealed that the threat actors not only downloaded or accessed uninterrupted raw genotype data but also potentially accessed other sensitive information stored in customer accounts. This includes health-predisposition reports, wellness reports, carrier status reports, self-reported health conditions, and account settings. 

Customers who utilized 23andMe's DNA Relatives feature faced additional risks, as the attackers may have scraped their DNA Relatives and Family Tree profile information. This includes ancestry reports, matching DNA segments, self-reported locations (city/zip code), ancestor birth locations, family names, profile pictures, birth years, and other details included in the profile's "Introduce yourself" section. 

In response to the breach, 23andMe took immediate action, requiring all customers to reset their passwords as of October 10. Subsequently, since November 6, the company mandated two-factor authentication for all new and existing customers during login to fortify defenses against future credential-stuffing attempts.  

However, the aftermath of the incident extends beyond immediate security measures. The breach prompted multiple lawsuits against 23andMe, leading the company to update its Terms of Use on November 30, 2023. The revised terms include provisions making it more challenging for customers to join class-action lawsuits against the company, stating that disputes must be brought forward on an individual basis. 

Despite the legal challenges, 23andMe contends that these changes were implemented to streamline the arbitration process, making it more efficient and comprehensible for its customers. 

As users of genetic testing services, it is crucial to stay informed about the evolving landscape of cybersecurity threats and take proactive steps to secure personal genetic data. The incident serves as a stark reminder of the need for robust security practices and ongoing vigilance in the face of sophisticated cyber threats.
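For defenders, here is how the credential stuffing described above (and the kind of activity that went unnoticed at 23andMe for five months) can show up in login logs. This is an added example, not part of the original article: the log format, IP addresses, usernames, and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): "<time> <source IP> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-22T10:00:01 198.51.100.7 alice FAIL
2024-01-22T10:00:02 198.51.100.7 bob FAIL
2024-01-22T10:00:03 198.51.100.7 carol FAIL
2024-01-22T10:00:04 203.0.113.20 grace FAIL
2024-01-22T10:00:05 198.51.100.7 dave FAIL
2024-01-22T10:00:06 198.51.100.7 frank FAIL
2024-01-22T10:00:07 198.51.100.7 erin OK
2024-01-22T10:00:20 203.0.113.20 grace OK
2024-01-22T10:01:00 192.0.2.50 heidi OK
2024-01-22T10:01:05 192.0.2.50 ivan OK
2024-01-22T10:01:09 192.0.2.50 judy OK
2024-01-22T10:01:12 192.0.2.50 mallory OK
2024-01-22T10:01:30 192.0.2.50 niaj OK
"""

WINDOW = timedelta(minutes=5)   # sliding window kept per source IP (assumed)
MIN_USERS = 5                   # distinct usernames tried from one source (assumed)
MIN_FAIL_RATIO = 0.8            # reused breach credentials mostly fail (assumed)

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log_text):
    """Map each flagged source IP to the accounts it logged in to successfully."""
    events = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    windows, flagged = defaultdict(deque), set()
    for ts, ip, user, ok in events:
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:      # drop events older than the window
            win.popleft()
        users = {u for _, u, _ in win}
        fail_ratio = sum(not o for _, _, o in win) / len(win)
        # Many different accounts failing from one source is the stuffing signature;
        # one user mistyping (grace) or a busy shared office IP (192.0.2.50) is not.
        if len(users) >= MIN_USERS and fail_ratio >= MIN_FAIL_RATIO:
            flagged.add(ip)
    # Any success from a flagged source is a likely takeover: force a password reset.
    return {ip: sorted({u for _, i, u, ok in events if i == ip and ok})
            for ip in sorted(flagged)}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A per-source threshold like this misses attempts spread thinly across many IP addresses or over long periods, which is why mandatory two-factor authentication, the step 23andMe took, remains the stronger control.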