There have been countless third-party cyber breaches over the past few years, but a handful of them stand out, particularly for the number of records exposed.
Exposed Records: 11.9 million patients
Reported June 2019
An unauthorized user gained access to Quest Diagnostics’ sensitive data via a billing collections vendor named American Medical Collection Agency (AMCA). The hacker had access to the information for roughly 7 months – from August 2018 to March 2019. The sensitive data of 11.9 million patients was accessed, ranging from credit card numbers to bank account information and even Social Security numbers.
Following the breach, AMCA lost its four largest clients including Quest Diagnostics and has filed for Chapter 11 protection.
Exposed Records: 150,000,000
Reported February 2018
User names, email addresses, and scrambled passwords were all stolen in the 2018 MyFitnessPal hack (Reuters). The parent company, Under Armour, saw its shares dip by 3% following the news.
With Under Armour’s addition of MyFitnessPal, their already complex digital ecosystem grew, and a vulnerability was introduced through the acquired business unit. Though many third-party data breaches involve vendors, suppliers, or even partners, it’s just as severe when a hack is introduced this way. Regardless of where the weakness was, Under Armour took the financial and reputational hit, much like Hudson’s Bay Company.
“As companies continue to evolve into increasingly interconnected networks, including subsidiaries, affiliates, suppliers and vendors, the importance for ensuring appropriate levels of security at every node is all the more critical.”
-Fred Kneip, CEO and Founder, CyberGRX
MyHeritage Genealogy Site
Exposed Records: 92,000,000
Reported June 2018
A security researcher recently found an archive on a third-party server containing personal details of over 92 million MyHeritage users. The data ranged from hashed passwords to emails but, luckily, did not include payment information or – you guessed it – DNA test results.
MyHeritage reported that it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on separate servers from the one that managed user accounts.
The MyHeritage incident marks the biggest data breach of 2018 and the biggest leak since 2017’s Equifax hack (BleepingComputer).