Last week, stories about three concerning data breaches broke. This time, we learned how payment app Venmo’s default public display of transaction data can expose its users, and that robocaller RoboCent leaked the data of voters in its database. We also learned that the medical giant LabCorp was hit with ransomware. Continue reading to see what you need to know about these breaches and how they might impact you.

Venmo requires users to opt in for privacy

What happened?

Last week’s biggest story, about the large financial platform Venmo (owned by PayPal), isn’t technically a data breach in the traditional sense of the term. However, it’s yet another story about a company with terrible privacy controls, and it is worth your attention. When a security researcher published her findings about how Venmo makes all transactions and conversations public by default, the media quickly picked up the story, and over the past few days, we’ve learned just how easily third parties can (and do) abuse this feature. The leaky nature of Venmo’s default privacy settings apparently exposed a total of 207,984,218 transactions in 2017 alone.

Who does the incident impact and what’s being done about it?

Pretty much any Venmo user – even those who’ve only used the app a handful of times – should take a good look at their account’s privacy settings to determine whether or not their account details are public. Dozens of guides have been published in the wake of this story that illustrate how users can make their account private. The company has actually been chided about this issue in the past and was even taken to court over it by the FTC, so after this incident, it’s expected that the company will take steps to redesign its privacy controls and better educate consumers about what transactions are and are not public. While this is not a new story, and many users may have been aware, it’s worth considering the potential impact of transaction data being open and available to anyone for whatever purpose.

RoboCent database leaks registered voter data

What happened?

Security researcher Bob Diachenko discovered that Virginia-based political campaigning company RoboCent left nearly 2,600 files – including spreadsheets with voter records – exposed on a database. The data included a plethora of details on voters, such as political affiliation, full names and addresses, as well as gender, ethnicity and other demographic details. While voter records are a matter of public record in most states, there are usually limitations on who can purchase them. Additionally, the exposure of voter data packaged in this manner has become a growing concern over the past few years. In fact, we’ve covered several stories in the past two years involving voter databases which saw their contents leaked due to the exact same flaw.

Who does the incident impact and what’s being done about it?

Diachenko states that the database was publicly searchable on the Internet with the proper keywords. Additionally, the database appeared in a tool that can easily search leaky databases. As far as the number of voters exposed, the numbers aren’t clear, but the data from the breach is considered to be an aggregation of older data from 2013 to 2016 compiled by other firms like NationBuilder. RoboCent is a small firm with a single individual claiming to be the developer for the company, according to Diachenko. The company’s co-founder has been markedly defensive about the incident and told Newsweek that, “We have no evidence to support that this data has been accessed by any third parties for inappropriate use. The affected data is a very small portion of the full data that is housed by RoboCent. No customer information beyond the name of their campaign was released in the data exposure …” He later stated that the company has started and will continue to “notify the customers whose data was exposed.”

Despite the reassurances, though, if you’re registered to vote in the United States, it might be best to assume your data has been compromised and take appropriate steps to protect yourself – namely freezing your credit to stop financial fraud. If you’re worried about other types of identity theft, then monitoring your public record information, securing your online accounts, reviewing any financial or insurance statements for fraud and using tools like the Social Security Administration’s my Social Security online portal and the Department of Homeland Security’s myE-Verify tool can help too. Given the ubiquity of data breaches, it might make sense to also enlist the help of identity theft protection services, which can monitor the use of your personal information on public records and the dark web.

LabCorp hit with ransomware

What happened?

LabCorp, one of the largest medical diagnostics companies in the nation, stated that it was investigating a security breach that occurred during the weekend of July 14. LabCorp has been sparse with details, and what we do know has mostly come from a filing with the Securities and Exchange Commission on Monday, July 16. The company appears to have been hit with ransomware known as Samsam, purportedly for a ransom worth over $50,000 in Bitcoin. Because the investigation is still ongoing, it’s unclear if this hack affected LabCorp users or clients specifically. The hack has many concerned, though, as the company’s databases contain troves of personal health information, or PHI. The company thus far hasn’t found any evidence of PHI or other sensitive information being stolen, and the infection was contained fairly quickly, with infected machines being removed from LabCorp networks, so there’s hope that the situation won’t get any worse. Once more is known about this story, we’ll be sure to write a follow-up post that details the updates.
