Top Cyber Attacks

Demant
Recovery And Mitigation Costs: $80 million to $95 million

An apparent ransomware attack that hit Danish hearing aid manufacturer Demant at the start of September is
expected to cause one of the most significant cyber-related losses ever, outside the 2017 NotPetya
ransomware outbreak. The financial impact would have been even worse had it not been for a $14.6 million
cyber insurance policy held by Demant.

The “critical incident” forced Demant to shut down its entire internal IT infrastructure, with the impact spanning
from the company’s Polish production and distribution facilities, French cochlear implant production sites, and
Danish amplifier production sites to its Mexican production and service sites, its entire Asia-Pacific network, and
its ERP system.

As a result, Demant was unable for several weeks to supply its products, receive and process orders, and
service end users through clinics in its network.

Norsk Hydro
Recovery And Mitigation Costs: $60 million to $71 million

Oslo, Norway-based aluminum provider Norsk Hydro was struck in March with a large ransomware attack that
started in its U.S.-based facilities then spread, and the company couldn’t stabilize the situation until the
summer.

The ransomware strain was ultimately determined by incident responders to be LockerGoga, which has
wreaked havoc on companies in the industrial and manufacturing space. Norsk Hydro restored its systems
from digital backups rather than pay the ransom demand, and switched to “manual mode” inside several of its
facilities to contain the spread of the ransomware.

Much of the financial impact of the ransomware stemmed from Norsk Hydro being forced to switch off
production lines and resort to manual operations for reporting, billing and invoicing. Norsk Hydro’s Extruded
Solutions business area suffered the most significant operational challenges and financial losses as a
result of the attack, according to a company earnings report.

Baltimore
Recovery And Mitigation Costs: $18.2 million

Baltimore’s computer systems on May 7 were hit by a ransomware strain known as RobbinHood, which
encrypted several critical functions for the city. The damage extended to city employees’ email and voicemail
systems; online payment services for water bills, property taxes and traffic citations; and real-estate
transactions, necessitating the creation of a “manual work around” using paper forms.

City leaders at the time were presented with a demand for roughly $76,000 in exchange for a decryption key,
and were threatened with the destruction of affected data within days if the ransom wasn’t paid. But the city
refused to pay the ransom and instead endeavored to restore the affected systems and data on its own.

As a result, the city experienced the loss or delay of $8.2 million in revenue from sources such as fines,
property taxes and real-estate fees, and expects to spend $10 million on the recovery effort by the end of
2019. Some of the recovery-related costs include $2.8 million for forensic analysis and detection, $1.9 million
for new hardware and software, and $600,000 to deploy new systems and replace hard drives.

22 Texas Towns
Recovery And Mitigation Costs: At Least $12 million

A coordinated ransomware attack hit 22 Texas towns on Aug. 16, using Sodinokibi (REvil) ransomware to lock
the municipalities out of their IT systems after hackers breached the software of a third-party service provider
used to remotely manage their infrastructure. The criminals demanded a ransom of $2.5 million to regain
access to the IT systems, but none of the affected towns were willing to pay.

All of the affected towns had transitioned from assessment to remediation and recovery within a week of the
attack, with more than half resuming normal operations as of Sept. 9, according to the Texas Department of
Information Resources (DIR). The state declined to release the names of the affected cities, with only Keene
and Borger initially indicating they were victims of the attack.

Of the total cost associated with the ransomware, some $3.25 million was expected to be incurred by county
governments, $2.34 million was expected to be incurred by cities and towns, and $1.8 million was expected to
be incurred by educational institutions, according to Cybersecurity Insiders. The remaining $5 million of
anticipated expenses were miscellaneous in nature.

New Orleans
Recovery And Mitigation Costs: At Least $3 million

New Orleans was made aware of a ransomware attack on Dec. 13 after an employee clicked on a link in a
phishing email and provided their credentials, resulting in a large volume of phishing emails showing up in the
city’s system. Those behind the attack are believed to have used Ryuk, a piece of malware first discovered 16
months earlier that is popular with criminal groups in eastern Europe and Russia.

Only about 10 percent of the city’s 450 servers and more than 3,500 laptops had been re-imaged five days
after the attack, with New Orleans focused on getting critical systems up and running in time for the holiday
and Carnival season. No city data was lost in the attack and no demands for payment have been made,
according to Mayor LaToya Cantrell.

Cantrell told WWL-TV that she expected the cost of the attack would exceed the $3 million cyber insurance
policy the city has in place, and that she will seek to increase the policy to $10 million next year. Within a few
days of the attack, Fox News said New Orleans had incurred nearly $1 million in costs, all of which will be
covered by cybersecurity insurance.

Riviera Beach, Fla.
Recovery And Mitigation Costs: $1.5 million

A ransomware attack against Riviera Beach, Fla., began on May 29 after a police department employee
opened an infected email attachment, knocking out the city’s online systems, email, phones and water utility
pump stations. The city was only able to accept utility payments in person or by snail mail, but by the following
week had restored the city’s website and created new email addresses for all employees.

The city on June 4 authorized spending more than $900,000 to buy new computer hardware, moving up
purchases that had been planned for the following year. About a third of the cost associated with investing in
310 desktops and 90 laptops is expected to be borne by the city’s cyber insurance company, according to
Cybersecurity Insiders.

Then in mid-June, the city council unanimously agreed during an emergency meeting to have Riviera Beach’s
insurance carriers pay the hackers roughly $592,000 in bitcoin in hopes of regaining access to data that had
been encrypted in the cyberattack three weeks earlier. Although paying the ransom is not advised by law
enforcement, city officials concluded there was no other way to recover the files.

New Bedford, Mass.
Recovery And Mitigation Costs: Less than $1 million

The city of New Bedford in July was hit with a variant of the Ryuk virus that affected 158 of the city’s 3,532
desktop and laptop computers, encrypting data stored on servers and workstations. The hackers initially asked
for $5.3 million in bitcoin, and New Bedford countered with an offer to pay $400,000.

The attacker rejected New Bedford’s counteroffer outright, so the city went about restoring from backups,
which was relatively easy due to the low number of infected systems and the fact that no critical systems had
been impacted. Attackers hit during the night when most of the city systems were turned off, preventing the
ransomware from spreading through the entirety of the network.

New Bedford’s insurance company has spent “in the hundreds of thousands” on recovering from the
ransomware attack, Mayor Jon Mitchell told The Standard-Times. But the city expects its $1 million
cybersecurity insurance policy with AIG will cover the full cost.

Lake City, Fla.
Recovery And Mitigation Costs: $460,000

A “Triple Threat” Ryuk ransomware attack in June disabled Lake City’s servers and phones, prompting city
leaders to unanimously agree to pay hackers $460,000 in bitcoin to unlock the encrypted files. All but $10,000
of that amount would be picked up by the city’s cyber insurance provider, and city manager Joe Helfenberg
expected the city to make a full recovery in two weeks.

The ransomware affected everything but Lake City’s police and fire departments, which were on a separate
server, and the city had run into trouble attempting to recover backup files that were deleted during the
incident. A prolonged recovery from backups would have exceeded the city’s $1 million cyber insurance
coverage limit, and the city wanted to resume normal services expeditiously.

The initial ransom demand had been for $700,000 in bitcoin, but negotiations led by incident response firm
Coveware managed to knock the payout down by some $240,000. Lake City might have been able to achieve
a majority recovery of its files without paying the ransom, according to a city spokesman, but it would have
cost “three times as much money trying to get there.”

Jackson County, Ga.
Recovery And Mitigation Costs: $400,000

A Ryuk ransomware attack in early March locked nearly all Jackson County, Ga., agencies out of their
systems, forcing many to carry out operations on paper. The attack impacted county law enforcement,
resulting in computer screens at the 911 dispatch center going dark, county jail staff being unable to open cell
doors remotely, and sheriff’s deputies losing the ability to use laptops to look up license plates.

As a result, guards had to go into cell blocks to open doors and escort inmates to family visits, which increased
the risk to guards, according to county Sheriff Janis Mangum. And emergency dispatchers had to take notes
by hand and rely on printed maps of the county and paper logs to keep track of emergency responders in the
field, according to county E-911 director LouAnn David.

County Manager Kevin Poe made the decision to pay the $400,000 ransom after speaking with cybersecurity
consultants, who advised that rebuilding networks from scratch could be a long and costly process. After
paying, hackers sent Jackson County a decryption key that allowed county employees back into their
computer systems, although dispatchers were without computers for two weeks.

Albany, N.Y.
Recovery And Mitigation Costs: $300,000

Albany IT systems were infiltrated on March 30, with hackers demanding payment in cryptocurrency to recover
the files they had encrypted. City officials immediately shut down the affected systems and didn’t have to worry
about the hackers constantly changing ransom demands since Albany had backups of its critical servers,
according to Administrative Services Commissioner Rachel McEneny.

Having daily backups of those mission-critical systems meant that Albany never lost the ability to pay its
employees and was able to get its treasury office up and running just two calendar days after the attack,
McEneny said. Restoring all the city’s systems took two or three months and was done by Albany’s in-house
IT department, with some legacy systems not rebuilt because they were obsolete, she said.

Still, the city took $300,000 out of its contingency fund to purchase firewall insurance, upgrade user security
software, address destroyed servers, and firm up the city’s systems, McEneny told the Times Union. Specifically,
NewsChannel 13 said that $85,000 had been spent on professional services, $54,000 on hardware and
software investments, and $23,000 on credit monitoring services.

These are the worst hacks, cyberattacks, and data breaches of 2019

JANUARY:
● Ministry of Health HIV registry: In Singapore, the Ministry of Health admitted to a data breach
exposing the confidential and highly sensitive records of over 14,000 individuals diagnosed with HIV.
This information was then leaked online.
● Apple FaceTime: A Fortnite player found a bug in Apple iOS that allowed a caller to eavesdrop on an
iPhone's surroundings by placing a FaceTime call that was never answered. It may have also been possible to
view live video from the device.
● Oklahoma Department of Securities: A server belonging to the Oklahoma Department of Securities
containing terabytes of confidential government data, including FBI investigation records and sensitive
government files, was exposed to the internet and was found through the Shodan search engine.
● Del Rio ransomware: The City of Del Rio, in Texas, was forced to go back to pen-and-paper systems
after City Hall servers were rendered useless by a ransomware infection.
● Town of Salem: Town of Salem developer BlankMediaGames said the personal details of 7.6 million
users were stolen. Multiple backdoors were removed from company systems.

FEBRUARY:
● Cabrini Hospital: A ransomware infection locked up 15,000 patient files, with operators demanding
payment in return for a decryption key.
● VFEmail: Privacy email provider VFEmail suffered a catastrophic cyberattack in which a hacker
destroyed data on its main and backup systems. At the time, rumors surfaced of the provider shutting
down due to the damage, but VFEmail is currently in recovery.
● UConn: Unauthorized access to employee email accounts compromised the data of roughly 326,000
patients. The data leak may have included Social Security numbers.
● The wrong tax forms: In a blunder of ridiculous proportions, the State of Ohio sent 9,000 tax forms,
inaccurate and containing the wrong PII, to the wrong people.
● UW Medicine: UW Medicine revealed the existence of an open database, available to anyone with a
browser, that had been leaking patient data and PII since December 2018. Close to one million
individuals were embroiled in the security lapse.
● Medical advice calls: In Sweden, recordings of roughly 2.7 million calls made to a Swedish national
health service hotline were stored in an open server. Some phone numbers, connected to the
recordings, were also available.
● 620 million accounts: 620 million accounts harvested from 16 websites owned by companies including
Dubsmash, Armor Games, 500px, Whitepages, and ShareThis were put up for sale on the Dark Web.
● Tax documents lost: Approximately 42,000 students from Salt Lake Community College were told their
tax information was lost after a USB drive containing this sensitive data fell out of an envelope.

MARCH:
● Tornado sirens: Ahead of a major storm, two Texan cities were forced to pull tornado warning systems
offline after a threat actor compromised them and set off over 30 false alarms.
● Hacked ASUS software: A campaign called Operation ShadowHammer targeted the ASUS Live Update
Utility to compromise thousands of PCs.
● Facebook, Facebook Lite and Instagram: Hundreds of millions of users may have been impacted by
shoddy password storage management by Facebook, in which account credentials were stored in
plaintext.
● Legal documents: 250,000 legal documents, some marked "not designated for publication," were
stored on an open database exposed online for at least two weeks.
● Student admissions files: A hacker allegedly compromised admissions databases belonging to three
colleges, offering the chance for impacted students to buy their admissions file for one Bitcoin.
● FEMA: FEMA accidentally exposed the PII and financial information of 2.3 million disaster victims,
including survivors of Hurricanes Harvey and Irma.
● Vengeance: A sacked IT admin torched 23 servers belonging to his ex-employer.

APRIL:
● Inmediata Health Group: Inmediata Health Group began notifying patients of a security incident in
which the personal and medical data of clients may have been exposed. The issue was caused by a
website misconfiguration that allowed internal webpages to be indexed by public search engines. It is
believed up to 1.5 million individuals may have been affected.
● Facebook records: 540 million Facebook-related records, collected by two third-party companies, were
found exposed and open to the world on AWS servers. Names, IDs, some passwords, likes, photos,
groups joined, and more were leaked.
● Georgia Tech: A web application with wide-open access compromised the security of 1.3 million records
belonging to current and former Georgia Institute of Technology employees and students.
● Toyota: Japanese automaker Toyota revealed a data breach in April that took place at sales subsidiaries
and dealerships. "Unauthorized access" to systems may have exposed client data.
● Facebook, in plaintext: Facebook admitted to storing the passwords of millions of Instagram users in
plaintext.
● Evite: Evite admitted to a data breach in which user data was sold as part of a wider dump on the Dark
Web.
● Pregnant women: A leaky server belonging to an Indian government healthcare agency exposed over
12.5 million records relating to pregnant women.
● Docker: Docker warned that a threat actor obtained access to a database containing sensitive data
belonging to 190,000 user accounts.

MAY:
● Canva: Australian tech unicorn Canva was targeted by the GnosticPlayers, which claimed to have stolen
records belonging to 139 million users including names and email addresses in order to flog the data on
the Dark Web.
● First American Financial Corp.: Real estate giant FAFC leaked hundreds of millions of insurance
documents dating back to 2003. Bank account numbers, statements, mortgage and tax records, and
more were openly available on the internet.
● Major hotel chains: 85GB of hotel security logs belonging to major hotel chains were exposed online
due to a third-party management provider.
● Burger King: Close to 40,000 customer records for Kool King Shop, specifically designed for kids, were
left open for the world to see through a leaky database.
● Git repositories: A hacker wiped GitHub repositories and demanded a ransom. Source code was
removed and a threat was made to release everything to the public.
● Lunchtime: Rivalry between two Bay Area school lunch companies eventually spilled out into
cyberwarfare, with an executive from one firm being arrested for allegedly hacking the other's website
and illegally obtaining student data.

JUNE:
● American Medical Collection Agency (AMCA): Unauthorized access to a database led to the
exposure of medical data belonging to roughly 20 million individuals. The information leak also impacted
other companies including LabCorp and Quest Diagnostics.
● Smartphone backdoors: Four entry-level smartphone models were found to be pre-loaded with
backdoor malware.
● Tech Data Corp.: The Fortune 500 company owned an open database containing 264GB of data
relating to client servers, invoices, SAP integrations, and plain-text passwords.

JULY:
● Equifax: Equifax settled with regulators for $700 million over the 2017 theft of records belonging to 146
million customers. A $300 million fund was set up for customers to claim up to $125 in compensation
-- together with an additional $150 million -- or free credit monitoring was on offer. Less than a week
later, the FTC practically begged consumers to take up the credit monitoring offer instead, as too many
cash claims would reduce the amount paid out to each claimant.
● Capital One: Capital One disclosed a data breach impacting 100 million US citizens and 6 million
individuals in Canada. A configuration vulnerability in a database was responsible for the exposure of PII
from 2005 to 2019.
● Los Angeles police department: The Los Angeles Personnel Department was subject to a data breach
after a hacker claimed to have stolen the PII of 2,500 serving LAPD officers, trainees, and recruits, and
data belonging to roughly 17,500 Candidate Applicant program enrollees.
● Facebook: Facebook settled with the FTC for a record $5 billion to settle lawsuits launched following the
Cambridge Analytica privacy scandal.
● Banks: Bangladesh, India, Sri Lanka, and Kyrgyzstan banks were hit in quick succession by 'Silence'
hackers, allegedly stealing millions of dollars in the process.
● Dominion National: Virginia-based health insurer and services company Dominion National revealed a
10-year-long data breach caused by an unsecured server. The records of 2.9 million members may have
been compromised.

AUGUST:
● Choice Hotels: An unsecured database containing roughly 700,000 customer records was accessed by
an unknown threat actor and a ransom note placed on the server, demanding Bitcoin in return for the
stolen data.
● Biometric database leak: A biometrics database used by the UK Metropolitan Police, banks, and
enterprise companies leaked millions of records.
● SIM-swapper jailed: A British teenager was sentenced to 20 months behind bars for offering data theft
and SIM-swapping services as a hacker-for-hire.
● 3Fun: A mobile application used to find willing participants for threesomes was found by researchers to be
a "privacy trainwreck" that could be manipulated to home in on the specific locations of individuals.
The app claims to cater to 1.5 million active users.
● Major dating apps: Three dating applications, Grindr, Romeo, and Recon, were also found to contain
security flaws that led to the exposure of a user's location.
● Asurion: Asurion Insurance bowed to hacker demands and forked out $300,000 to an attacker who
claimed he had stolen roughly 1TB of private information belonging to thousands of employees and over
a million customers.
● Cybercrime in space: A NASA astronaut was accused of monitoring her estranged spouse from space
including accessing a bank account allegedly without permission.

SEPTEMBER:
● DK-LOK: An unsecured AWS database belonging to South Korean industrial manufacturer DK-LOK
exposed confidential emails and communication between the company and its clients. Efforts by
researchers and ZDNet to have the leak closed via email were sent to the trash bin, an activity viewable
due to the open bucket.
● Ecuador: Another open, misconfigured database leaked the personal data of Ecuador's citizens. It is
believed most of the country's citizens -- in total, roughly 20 million -- were impacted.
● DoorDash: Close to five million customers of DoorDash were embroiled in a data leak. An unauthorized
third party accessed the PII of customers, drivers, and merchants. Approximately 100,000 driver licenses
were also stolen and the last four digits of payment cards were exposed.

OCTOBER:
● Yahoo: Yahoo launched a compensation fund for those who owned a Yahoo account between 2012 and
2016. Between these dates, hackers were able to access every Yahoo account in existence and steal
names, email addresses, telephone numbers, dates of birth, passwords, and security question answers.
● UniCredit: Italian bank UniCredit said a single, compromised file dating back to 2015 exposed three
million customer records, including their names, telephone numbers, email addresses, and cities of
residence.
● Tū Ora Compass Health: Tū Ora Compass Health, a primary healthcare organization in New Zealand,
revealed the leak of personal data belonging to one million people, potentially including names, dates of
birth, ethnicity, and addresses. The PHO isn't sure if data was stolen but said it was "assuming the
worst."
● Adobe: Adobe left the details of 7.5 million Adobe Creative Cloud customers on an unsecured database
exposed online without authentication credentials being required for access.
● 20 million Russians: Over 20 million tax records belonging to Russian citizens were contained in an
open database, available online. Information leaked spanned 2009 to 2016.
● Avast: Avast said an internal security breach, caused by compromised employee credentials, aimed to
insert malware into CCleaner.
● Nikkei: A Nikkei employee was scammed by threat actors into transferring $29 million to a bank account.
The hackers pretended to be a management executive.

NOVEMBER:
● OnePlus: A vulnerability in the smartphone vendor's website paved the way for attackers to obtain
access to records of past customer orders, including names, telephone numbers, email addresses, and
shipping details.
● Facebook: The social networking giant revealed a privacy breach in which roughly 100 developers were
given access to profile data they shouldn't have.
● Trend Micro: A rogue employee of the cybersecurity firm stole personal information belonging to support
customers, including names, email addresses, support ticket numbers, and some telephone numbers,
later selling this information on to scammers.
● PayMyTab: An open AWS database belonging to the mobile payment service was found by researchers,
exposing customer names, email addresses, telephone numbers, order details, restaurant visit records,
and the last four digits of payment cards.
● T-Mobile: T-Mobile revealed a data breach impacting prepaid service customers. Unauthorized access
exposed names, billing addresses, phone numbers, account numbers, and plans.
● UK Labour Party: The UK Labour Party was subject to multiple distributed denial-of-service (DDoS)
attacks flooding both the party's website and campaign tools.
● Macy's: US retailer Macy's revealed a week-long Magecart attack impacting e-commerce customers. It
is not known how many customers were impacted, but the card-skimming code found in the firm's
payment portal and wallet service stole payment card details.
● Disney+: Only hours after the service launched, the Disney+ content streaming service was
compromised and underground traders began offering accounts on hacking forums.
● 1.2 million records leaked: An unsecured database was found by researchers that contained 1.2
million records of individuals including their email addresses, employers, locations, job titles, names,
phone numbers, and social media profiles.

DECEMBER:
● Politician by day, hacker by night: On Christmas Eve, a Dutch politician will be sentenced for being part
of the "fappening" movement in 2014. The politician is accused of compromising the iCloud accounts of
roughly 100 women and leaking explicit photos and videos online.
● Mixcloud: Data belonging to approximately 21 million Mixcloud users went up for sale on the Dark Web.
● New Zealand's gun buyback: New Zealand's gun buyback scheme, launched following mass shootings
in Christchurch, was subject to a data breach caused by human error at SAP. SAP developed a custom
platform for licensees to register their weapons before turning them in.
● Nebraska Medical Center: An insider managed to access a database without permission that contained
patient data including names, addresses, dates of birth, social security numbers, and test results. The
employee was immediately fired.
● Reveton: A 25-year-old computer science student was issued a demand for restitution amounting to
£270,000 -- and a Rolex -- following the award of a six-year jail term for distributing Reveton ransomware.
If he fails to pay up, he will spend longer behind bars.
● New Orleans: The city of New Orleans grappled with a cyberattack, forcing officials to shut down
computer systems and disconnect from Wi-Fi. Ransomware was to blame.
● RSA certificates: Researchers found that IoT devices with poor entropy were contributing to a massive
problem for RSA key security: keys generated with too little randomness share prime factors, so one in
every 172 active keys could be broken.
● Epilepsy Foundation: The Epilepsy Foundation filed criminal complaints against Twitter users uploading
seizure-inducing videos to YouTube in response to tweets and hashtags.
● LifeLabs: LifeLabs paid hackers to recover the data of 15 million account holders. In addition, 85,000 lab
result records were compromised.
● Stand in line: Over 38,000 students and staff members at Justus Liebig University (JLU), in Germany,
were asked to queue to receive a new password following a malware infection.
● Unroll.me: The FTC settled a case with email cleanup service Unroll.me. The agency alleged that
Unroll.me was not transparent in how user data was accessed, stored, and sold on to third-party services.
● Insider trading: A former Palo Alto Networks IT administrator was charged by US law enforcement for
allegedly running an insider trading ring, using his privileges and credentials to tip off others to likely
changes in the stock market.
● The Dark Overlord: A member of "The Dark Overlord" hacking group was extradited to the United States.
● Extreme cyberstalking: A man from Florida was sentenced to over five years in prison for cyberstalking
and threatening a former high school classmate.