OVER 30 BILLION PERSONAL DATA RECORDS LEAKED OVER RECENT YEARS

This is a special digest prepared by InfoWatch Analytics Center in recognition of International Data Privacy Day. This unusual holiday has been celebrated every year on January 28 ever since it was initiated on April 26, 2006, by the Committee of Ministers of the Council of Europe to commemorate the signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on January 28, 1981.

Data Privacy Day aims to raise awareness of privacy and promote best practices for the protection, storage, processing, and transfer of personal data.

Over the 12 years since the first Data Privacy Day, InfoWatch has recorded 14,300 confidential information leaks from businesses and government agencies, with more than 11,000 breaches (78%) compromising personal data, such as names, mailing and e-mail addresses, passport details, information about education, income, health, political and religious views, nationality, and biometric data.

Despite the efforts taken by regulatory authorities, businesses, and public organizations, an avalanche of breaches is still impossible to stop in the era of global digitalization. Over 30 billion personal data records have been leaked since 2007, with 20+ billion stolen over the last two years alone.

Even a small data leak can hit an organization hard, leading to adverse effects such as a falling stock price, dented investor confidence, and a weakened market position. Furthermore, companies can become subject to sanctions by regulatory authorities, including large penalties, mandatory audits, and demands for cybersecurity infrastructure upgrades, as well as class actions by persons whose data were compromised.

Depending on the type and volume of compromised personal information, data subjects may also suffer heavily from data breaches. For example, if a dishonest advertiser finds out your e-mail address, you will most likely face only some junk mail. However, should a criminal obtain a large volume of your personal information, you may easily become a victim of fraud, with your credentials being used for forgery or credit fraud.

Largest Personal Data Leaks from Organizations

  1. In October 2017, Yahoo admitted that a previously disclosed attack that had occurred in 2013 had affected all three billion of Yahoo’s user accounts rather than the one billion accounts reported initially. Digital thieves made off with names, dates of birth, phone numbers and passwords of users.
  2. As part of a huge personal data leak discovered in China in 2017, DU Caller, an app developed by Baidu’s subsidiary DU Group, was found to be automatically gathering sensitive information and uploading it to a public directory. A search function on the app allowed users to find contacts of 2 billion affected people by simply entering a name.
  3. In March 2017, MacKeeper security researcher Chris Vickery discovered a publicly exposed database online containing nearly 1.4 billion e-mail accounts tied to real names, IP addresses and often physical addresses. The leak was caused by spamming group River City Media (RCM) that forgot to password-protect their backups.
  4. In early 2018, anonymous sellers, over WhatsApp, offered unrestricted access to details of any of the more than 1 billion Aadhaar unique numbers submitted to the UIDAI (Unique Identification Authority of India). The hackers seem to have gained access to the website of the Government of Rajasthan state and stolen personal data of 1.2 billion people to then sell a complete database for as little as $8.

Data of 100,000+ Alaskan households that applied for public assistance breached

More than 100,000 households that had applied for public assistance services from the Alaskan State Department of Health and Social Services (DHSS) had their data breached last spring, the applicants just learned.

The impact of a Zeus/Zbot Trojan virus attack discovered in late April was initially thought to affect only about 500 Alaskans, but further investigation discovered the breach to be far worse and likely the work of Russian attackers.

The infected computer showed that it had interacted with Russia-based IP addresses, compromising names, social security numbers, birth dates, addresses, health information, benefit information and income.

Last June DHSS went public about the suspected breach of HIPAA and APIPA information, and alerted those whose data was taken from the Division of Public Assistance (DPA). Those affected now are thought to be DPA applicants of such programs as Medicaid, SNAP, senior benefits, and disabilities related to Medicaid and adult public assistance, including PII of multiple members in each household.

The households impacted by the hack received letters from DHSS, which told the recipients steps had been taken to prevent such an attack, “but unfortunately there are some viruses we just aren’t able to be prepared for,” Shawnda O’Brien, director of the Division of Public Assistance, was quoted in a published report.

The DHSS letter reads: “We are working very hard in conjunction with the State of Alaska, Office of Information Technology and the FBI to further fortify and secure the statewide area network to protect against hackers penetrating our systems.”

Oklahoma Government Leaks 3TB of Sensitive Data

Millions of sensitive files dating back decades have been exposed after 3TB of data on a storage server was left publicly exposed by the Oklahoma Securities Commission.

Researchers at UpGuard made the discovery on December 7 last year and it was fixed a day later by the commission, part of the state’s Department of Securities which regulates and administers the trading securities sector.

It was first registered as publicly accessible by Shodan a week earlier.

“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” explained the security vendor.

“The website for the Securities Commission has an UpGuard Cyber Risk score of 171 out of 950, indicating severe risk of breach. Among the issues lowering the website’s score is the use of the web server IIS 6.0, which reached end of life in July 2015, meaning no updates to address any newly discovered vulnerabilities have been released in the last three and a half years.”

The data, which dated back to 1986 and included email back-ups and virtual images, covered a broad sweep of different areas.

These included personal information such as the Social Security numbers of 10,000 brokers, and highly sensitive life insurance information on terminally ill AIDS patients.

Also exposed were system credentials which could allow an attacker to hijack Department of Securities workstations, third-party security filings, and accounts with Thawte, Symantec Protection Suite, Tivoli and others.

The leaked data also included “spreadsheets documenting the timeline for investigations by the FBI and people they interviewed,” potentially putting witnesses at risk.

“We need to stop making it so easy for hackers and bad actors who are simply using tools that have been around for years,” argued Suzanne Spaulding, Nozomi Networks adviser and former DHS under secretary.

“Hackers use a tool called Shodan that allows anyone to scan the internet, looking for devices and computers, connected to the internet, but not protected.”