Three’s not so charming: Fashion Nexus, UnityPoint and Yale reveal data breaches
Three’s no charm today for customers using sites developed by U.K. web developer Fashion Nexus Ltd., patients at UnityPoint Health and students at Yale University — all affected by data breaches.
Starting with Fashion Nexus, which operates sites such as Elle Belle Attire, AX Paris and Traffic People on behalf of clients, about 1 million customer records were found exposed online by white-hat hacker Taylor Ralston.
The number of records is in some dispute. Graham Cluley, who first reported the data breach, pegged the number at 1.3 million. The company itself claimed it’s 642,000. But what’s not in dispute is that the data consisted of customer names, dates of birth, email addresses, phone numbers and hashed passwords.
Scott Schneider, chief revenue officer at CyberGRX Inc., told SiliconANGLE that the Fashion Nexus breach demonstrates the “powerful ripple effect” when a solution provider is compromised in an industry where retailers’ and vendors’ digital ecosystems have become increasingly intertwined.
“A single vulnerability at an e-commerce company’s network led to sensitive data for over a million customers across multiple retailers,” Schneider said. “When customers find out their data was exposed, it’s the retailers they will blame. As digital ecosystems grow increasingly interconnected, it’s critical that retailers understand and manage their own cyber risk and make decisions based upon the security postures of the third parties with access to their networks.”
UnityPoint Health, which was previously in the news back in 2016 when it was disclosed that an employee had been stealing patient information over the course of about seven years, has been outright hacked this time around via a phishing attack.
The hack, which occurred between March 14 and April 3, saw 1.4 million records stolen covering a wide variety of information: names, addresses, dates of birth, medical record numbers, medical information, treatment and surgical information, diagnoses, lab results, medications, providers, dates of service and insurance information.
Derek Lin, chief data scientist at Exabeam Inc., noted that many network attack vectors start with a link to a phishing URL.
“A carefully crafted email containing the malicious link is sent to an unsuspecting employee,” Lin explained. “As soon as it’s clicked, the cycle of information loss and damage begins. Any company that houses sensitive data — especially electronic healthcare records — should aim to nip this problem early on by identifying and alerting on these malicious links.”
Yale delivered the third of the data breaches, disclosing that its systems had been compromised 10 years ago.
The data intrusion is said to have taken place between 2008 and 2009, with records of 119,000 students and faculty members stolen. ZDNet reports that the hackers were able to exfiltrate names, Social Security numbers and in most cases dates of birth. Some victims also had the details of their Yale email addresses and physical addresses stolen.
Anurag Kahol, chief technology officer at Bitglass Inc., said that Yale is just one of many organizations breached long ago that failed to take immediate action.
“Unfortunately, countless more of these incidents have yet to be discovered,” he said. “While Yale hasn’t disclosed much information around how the breach occurred, this event highlights the need for proactive security that is constantly, vigilantly monitoring data. As the era of the cloud marches onward, hackers will become more and more capable of stealing massive amounts of data in the blink of an eye, so for unsuspecting organizations that lack adequate protections, the threat of data leakage will only increase.”