Here’s your weekly #databreach news roundup:

Insulet, Zacks Investment Research, Network of knockoff apparel stores, FanDuel, and Lutheran Social Services of Illinois (LSSI).



Insulet

Mass.-based medical device company Insulet issued a notice of a data breach that may have compromised the protected health information of 29,000 users of its recently recalled Omnipod DASH Insulin Management System.

In November, the FDA posted a notice about a Class I recall of Insulet’s Omnipod DASH Insulin Management System Personal Diabetes Manager, following complaints about the battery, including swelling, fluid leaking and extreme overheating that may create a fire hazard. 

The company issued a voluntary device recall one month prior and notified users via an Urgent Medical Device Correction email.

In December, Insulet sent a follow-up letter requesting that users acknowledge they had received a medical device correction letter. The follow-up included a link to a unique webpage that inadvertently exposed IP addresses, and whether customers used the DASH system and PDM, to website performance and marketing partners.

Zacks Investment Research

Hackers breached Zacks Investment Research (Zacks) last year and gained access to personal and sensitive information belonging to 820,000 customers.

Founded in 1978, the company helps investors with stock buying decisions by using advanced financial data analytics algorithms.

Zacks discovered at the end of last year that some customer records had been accessed without authorization. An internal investigation into the incident determined that a threat actor gained access to the network sometime between November 2021 and August 2022.

It is unclear if any data was stolen but the information exposed during the breach includes full names, addresses, phone numbers, email addresses, and user passwords for the Zacks.com website.

Network of knockoff apparel stores

If you recently made a purchase from an overseas online store selling knockoff clothes and goods, there’s a chance your credit card number and personal information were exposed.

Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholders’ information had been spilling onto the open web. At the time it was pulled offline on Tuesday, the database had about 330,000 credit card numbers, cardholder names, and full billing addresses — and was growing in real time as customers placed new orders. The data contained all the information that a criminal would need to make fraudulent transactions and purchases using a cardholder’s information.

The credit card numbers belong to customers who made purchases through a network of near-identical online stores claiming to sell designer goods and apparel. But the stores had the same security problem in common: Any time a customer made a purchase, their credit card data and billing information was saved in a database, which was left exposed to the internet without a password. Anyone who knew the IP address of the database could access reams of unencrypted financial data.



FanDuel

The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails.

On January 13th, MailChimp confirmed they suffered a breach after hackers stole an employee’s credentials using a social engineering attack.

Using these credentials, the threat actors accessed an internal MailChimp customer support and administration tool to steal the “audience data” for 133 customers.

This audience data is different for each MailChimp customer but commonly contains the email addresses and names of customers, or potential customers, that are used to send marketing emails.

Last Thursday, FanDuel emailed customers to warn them that the threat actors acquired their names and email addresses during the MailChimp breach.

Lutheran Social Services of Illinois (LSSI)

Lutheran Social Services of Illinois (LSSI) notified more than 184,000 individuals of a healthcare data breach recently, according to a breach notice provided to the Maine Attorney General’s Office. On January 27, 2022, LSSI discovered that it had fallen victim to a ransomware attack.

Despite discovering the incident in January, LSSI did not complete its data review until December 28, 2022. By that time, the social services provider had determined that the unauthorized party accessed files containing certain sensitive information that was maintained on the impacted systems.

The affected data included names, Social Security numbers, dates of birth, financial information, biometric information, driver’s license numbers, health insurance information, and medical diagnosis and treatment information.