“While the number of publicly disclosed data breaches totaled 4,145 globally in 2021, a 5% decline from 2020, the bulk of those breaches occurred in the United States. Disclosed data breaches in the U.S. totaled 2,953, or 71% of the global total, according to Risked Based Security Inc. The number of breaches in the U.S. were also up for the year, increasing 11% from the 2,645 breaches reported in 2020.”

“Digital banking app and tech unicorn Dave.com confirmed today a security breach after a hacker published the details of 7,516,625 users on a public forum. In an email to ZDNet today, Dave said the security breach originated on the network of a former business partner, Waydev, an analytics platform used by engineering teams.”

“Hotel chain Marriott disclosed today a security breach that impacted more than 5.2 million hotel guests who used the company’s loyalty app. According to a breach notification posted on its website , the hotel chain learned of the security breach at the end of February, when it discovered that a hacker had used the login credentials of two employees from one of its franchise properties to access customer information from the app’s backend systems.”

“Credit card and debit card numbers, expiration dates and customers’ names on the cards used at its in-store registers and gas pumps were among the data affected, the company says. The company’s announcement and FAQ doesn’t begin to suggest how the malware got there or who might have been trying to get customers’ payment information, but the company says it has a forensics firm investigating the breach and is working with authorities on a criminal investigation into the matter.”

“Iran has been engaged in a cycle of hack and counterhack in a cyberwar against the United States and Israel. Both sides have targeted each other’s financial and sensitive government institutions through cyberattacks for years. The banks affected — Mellat, Tejarat and Sarmayeh — had all been sanctioned more than a year ago by the United States Treasury, which accused them of having transferred money on behalf of blacklisted entities of Iran’s Islamic Revolutionary Guards Corps, part of the armed forces. The entire Revolutionary Guards organization was designated as a terrorist group by the Trump administration last April.”

“Some Macy’s customer payment data was stolen when its website was hacked last month, the company wrote in a notice. In a letter sent to customers on Thursday, Macy’s informed shoppers about the breach, which the company believes occurred when a third party attached malicious computer code to Macys.com via the “Checkout” and “My Wallet” pages.”

“Equifax ( EFX ) used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia. The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail. “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.”

“A thriving online bazaar selling stolen payment card data has been hacked in a heist that leaked the records for more than 26 million cards, KrebsOnSecurity reported on Tuesday. The 26 million figure isn’t significant only to the legitimate consumers and businesses who own the stolen cards or the financial institutions that issued them. Fortunately for the card owners, the database is now in the hands of affected financial institutions, who can invalidate and replace the cards.”

“Hackers have breached the infrastructure of Volusion, a provider of cloud-hosted online stores, and are delivering malicious code that records and steals payment card details entered by users in online forms. More than 6,500 stores are impacted, but the number could be even higher. In a press release published last month, Volusion claimed it had more than 20,000 customers.”

“The food delivery company said in a blog post Thursday that 4.9 million customers, delivery workers and merchants had their information stolen by hackers. The breach happened on May 4, the company said, but added that customers who joined after April 5, 2018 are not affected by the breach. It’s not clear why it took almost five months for DoorDash to detect the breach.”

“In 2017 and 2018, hackers compromised systems running the Click2Gov self-service bill-payment portal in dozens of cities across the United States, a feat that compromised 300,000 payment cards and generated nearly $2 million of revenue. Now, Click2Gov systems have been hit by a second wave of attacks that’s dumping tens of thousands of records onto the Dark Web, researchers said on Thursday.”

“Mastercard Inc.’s European unit formally notified Belgian and German data-protection regulators of a data lapse concerning a loyalty program, officials said on Friday. The Belgian watchdog said in a statement on Friday that the card company alerted it to a “breach” detected on Aug. 19. It said the episode would have affected a “large number” of people and that “a significant portion” of them would be German customers.”

“A combination of configuration errors and lax oversight by Instagram allowed one of the social network’s vetted advertising partners to misappropriate vast amounts of public user data and create detailed records of users’ physical whereabouts, personal bios, and photos that were intended to vanish after 24 hours. The profiles, which were scraped and stitched together by the San Francisco-based marketing firm Hyp3r, were a clear violation of Instagram’s rules. But it all occurred under Instagram’s nose for the past year by a firm that Instagram had blessed as one of its preferred “Facebook Marketing Partners.”

“Ms. Thompson was allegedly able to find an opening in Capital One’s systems and exploit a weakness in some misconfigured networks, according to a Wall Street Journal analysis of hundreds of Ms. Thompson’s online messages and interviews with people familiar with the investigation. Security professionals for years have warned about that gap, which the messages and interviews suggest she used to trick a system in the cloud to uncover the sensitive credentials she needed to access the vast number of customer records.”

“According to a CoinDesk Japan report on Friday, Bitpoint halted all services including trading, deposit and withdrawal of all crypto assets on Friday morning after it noticed irregular withdrawal from its hot wallet on Thursday. It is not yet clear at this stage which types of assets were lost, the exchange offered trading for five cryptocurrencies: bitcoin, bitcoin cash, ether, litecoin and XRP.”

“Nearly 50% of retail loss prevention professionals are getting bigger budgets to help quell fraud, according to a report released by the National Retail Federation earlier this month. 44.5% of loss prevention professionals surveyed said their budgets for loss prevention efforts are increasing, and 68.2% say they’ll allocate additional resources to stop fraud, most of that in technology. About one in three (28.6%) surveyed professionals say they will add staff resources—and are looking for professionals with analytical, cybersecurity and investigative skills, the NRF says.”

“LabCorp is the latest laboratory testing giant this week to confirm it’s affected by the same third-party data breach. The Burlington, North Carolina-based medical giant said 7.7 million patients had their personal and financial data stolen by hackers, which hit the payment pages of the American Medical Collection Agency, a third-party vendor that processes payments for LabCorp and other companies. The admission comes a day after Quest Diagnostics around 11.9 million patients had their data stolen.”

“Checkers Drive-In Restaurants is notifying guests about a data security issue involving malware at certain Checkers and Rally’s locations in 19 states, according to a news release. The brand said that after becoming aware of the issue, data security experts investigated and coordinated with federal law enforcement, while dispatching third-party security experts to contain and remove the malware, according to the release.”

“The punch cards stuffed in your wallet know next to nothing about you, except maybe how many frozen yogurts you still need to buy to get a free one. But loyalty programs, as they shift from paper and plastic to apps and websites, are increasingly tracking a currency that can be more valuable than how much you spend: personal data. As a result, the programs know things about you that some of your friends may not, like your favorite flavor (mango), when your cravings strike (early afternoon) and how you pay (with your Visa), in addition to billing details and contact information.”