Welcome to this week’s round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks
Attack on 22 Danish critical infrastructure companies
Date of breach: 11 May 2023
Breached organisation: 22 companies
Incident details: According to a SektorCERT report, a coordinated attack exploited vulnerabilities in the Zyxel firewall products used by Denmark’s critical infrastructure, resulting in 22 companies in the energy sector being compromised.
Records breached: Unknown
Otsego Memorial Hospital suffers security breach, shuts down systems
Date of breach: October (exact date unknown)
Breached organisation: Otsego Memorial Hospital in Gaylord, Michigan
Incident details: Munson Healthcare’s chief marketing and communications officer, Megan Brown, has confirmed that there was a cyber breach at Otsego Memorial Hospital last month. No other Munson facilities in Michigan were known to have been affected. An investigation is underway.
Records breached: Unknown
Hunters International claims responsibility for cyber attack on Homeland, Inc.
Date of breach: 26 October 2023
Breached organisation: Homeland, Inc., a property management company in Kentucky
Incident details: The ransomware group Hunters International has added Homeland, Inc. to its leak site. According to databreaches.net, the group exfiltrated tenant information, service management information, financial data, business data, property data, employee data and sensitive business information. Sample data posted on the Hunters site contains “tenants’ personal information including, depending on the form involved, date of birth, address, annual income, and other details concerning their rent”.
Records breached: 204.1GB of data in 183,793 files
Beaverton School District warns parents of student data breach
Date of breach: October 2023
Breached organisation: Beaverton School District, Oregon
Incident details: One of Oregon’s largest school districts has warned parents that a data breach has affected students’ information. According to OPB, the district didn’t provide details, but said that “our student credentials may have been compromised as part of a security incident”.
Records breached: Unknown
ALPHV/BlackCat attacks MeridianLink then reports it to the SEC
Date of breach: 7 November
Breached organisation: MeridianLink
Incident details: The ALPHV/BlackCat ransomware group has added the software company MeridianLink to its leak site, having exfiltrated data without encrypting company systems. However, in a very unusual move, ALPHV has also reported its victim to the US SEC (Securities and Exchange Commission) for failing to comply with the new SEC cybersecurity disclosure rules – even though the rules in question do not come into force until December. (For more information about the SEC cyber security disclosure rules, register for our free webinar on 30 November.)
Records breached: Unknown
Another victim of the MOVEit breach notifies potentially affected individuals
Date of breach: 30 May 2023
Breached organisation: CMS (the Centers for Medicare & Medicaid Services), the federal agency that manages the Medicare program
Incident details: CMS and its contractor Maximus Federal Services, Inc. have notified 330,000 people that their personal data might have been compromised as part of the MOVEit Transfer data breach.
Records breached: 330,000 individuals
West Central District Health Department, Nebraska investigates data breach
Date of breach: 18 – 23 May 2023
Breached organisation: WCDHD (West Central District Health Department), Nebraska
Incident details: According to a notice which is downloadable from its website, WCDHD recently discovered unusual activity on its network. An investigation found that there was unauthorised access to its network between 18 and 23 May 2023. Compromised personal data included names, Social Security numbers, driver’s licence/state ID numbers or financial account numbers.
Records breached: Unknown
Email error exposes Nebraska patients’ email addresses
Date of breach: 22 September 2023
Breached organisation: Rock Valley Physical Therapy, Nebraska
Incident details: An employee of Rock Valley Physical Therapy emailed an undisclosed number of Rock Valley patients about health insurance, mistakenly adding their email addresses to the Cc rather than Bcc field, thereby making them visible to all recipients.
Records breached: Unknown
Misconfigured NTMC database exposed personal information
Date of breach: November 2023
Breached organisation: The NTMC (National Telecommunication Monitoring Centre), Bangladesh
Incident details: According to Wired, the NTMC, an intelligence agency in Bangladesh that monitors people’s mobile phone and email activity, published personal data on an unsecured database, which has been exfiltrated by anonymous attackers. The database contained names, professions, blood groups, parents’ names, phone numbers, the length of calls, vehicle registrations, passport details and fingerprint photos.
Records breached: Unknown
Systems East, Inc. discloses data breach affecting 209,328 customers’ payment card data
Date of breach: 25 August
Breached organisation: SEI (Systems East, Inc.)
Incident details: SEI, an online payment service provider, has notified customers that its systems have been accessed by an unknown individual who copied an encrypted database. According to its disclosure to the Maine Attorney General, the database contained names and payment card information. It is not known whether the individual can decrypt the database.
Records breached: 209,328 individuals
City of Long Beach announces network security incident
Date of breach: 14 November
Breached organisation: City of Long Beach
Incident details: In a statement published on 15 November, the City of Long Beach said that it had been subject to “a network security incident” that forced it to take its systems offline.
Records breached: Unknown
NoEscape gang threatens PruittHealth Network, launches DDoS attack
Date of breach: 13 November
Breached organisation: PruittHealth
Incident details: The NoEscape ransomware gang attacked PruittHealth on 13 November, exfiltrating 1.5TB of data and threatening to publish it unless a negotiator from PruittHealth makes contact. With three days until the deadline, DataBreaches.net reports that NoEscape has hit PruittHealth with a DDoS (distributed denial-of-service) attack. PruittHealth has not commented.
Records breached: 1.5TB
Former NHS secretary found guilty of illegally accessing medical records
Date of breach: Between March and June 2019
Breached organisation: Worcestershire Acute Hospitals NHS Trust
Incident details: Loretta Alborghetti, a medical secretary at the Ophthalmology department of Worcestershire Acute Hospitals NHS Trust, illegally accessed 156 patient records over 1,800 times between March and June 2019. The ICO (Information Commissioner’s Office) reports that Ms Alborghetti appeared before Worcester Magistrates’ Court on 15 November 2023, where “she pleaded guilty to unlawfully obtaining personal data in breach of Section 170 of the Data Protection Act 2018 and was ordered to pay a total of £648”.
Records breached: 156 patients’ records
Canadian Government announces third-party data breach affecting users of relocation services
Date of breach: Some time before 19 October 2023
Breached organisation: Brookfield Global Relocation Services and SIRVA Worldwide Relocation & Moving Services
Incident details: The Canadian government has warned current and former public service employees, as well as members of the Royal Canadian Mounted Police and the Canadian Armed Forces, that they might have been affected by a data breach at two contractors who provided relocation support to government employees. It warns that “preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999 and may include any personal and financial information that employees provided to the companies”. DataBreaches.net reports that LockBit added SIRVA to its leak site on 6 October, saying it had over 1.5TB of data.
Records breached: 1.5TB of documents
Poloniex identifies hacker and offers $10M reward for stolen funds
Date of breach: 10 November 2023
Breached organisation: Poloniex
Incident details: The Poloniex cryptocurrency exchange was hacked on 10 November, resulting in the loss of $120 million in cryptocurrency. According to cryptoslate.com, it has now identified the person responsible for stealing the funds and is offering a $10 million reward for their return.
Records breached: Cryptocurrency stolen
Samsung UK discloses year-long data breach
Date of breach: 1 June 2019 – 30 June 2020, discovered 13 November 2023
Breached organisation: Samsung
Incident details: The security consultant and creator of haveibeenpwned.com Troy Hunt has shared an email to Samsung’s UK customers, disclosing a year-long data breach. According to the email, Samsung determined on 13 November 2023 that “an unauthorised individual exploited a vulnerability in a third-party business operation we use, and that some personal information of certain customers who made purchases on SEUK’s eCommerce site between July 1, 2020 and June 30, 2020, was affected”. Compromised data “may have included” names, phone numbers, addresses and email addresses.
Records breached: Unknown
Booking.com confirms phishing attack
Date of breach:
Breached organisation: Booking.com
Incident details: According to JD Supra, Booking.com confirmed in a “limited statement” on 12 November that it was investigating an incident that has been widely reported in the information security press since 14 September, when Perception Point researchers reported that they’d observed a number of phishing campaigns targeting hotels and travel agencies. These attacks enabled the attackers to access customer data, which they then used in further phishing campaigns, sent via official Booking.com channels. Read more in our Catches of the Month blog.
Records breached: Unknown
Enforcement
Europol and Eurojust take down phishing gang
An international operation between the Czech and Ukrainian police, with the support of Europol and Eurojust, has disrupted a phishing operation thought to have defrauded victims of tens of millions of euros across Europe – and beyond. Read more in our Catches of the Month blog.
Other news
Royal Mail ransomware recovery to cost £10 million
Recovering from the LockBit ransomware attack earlier this year will cost the Royal Mail £10 million.
Rackspace ransomware recovery has cost $11 million so far
Rackspace has told the SEC that recovering from a ransomware attack last December has cost it $11 million in remediation so far – although half of that amount has been covered by insurance.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.
In the meantime, if you missed it, check out last week’s round-up.
The post The Week in Cyber Security and Data Privacy: 13 – 19 November 2023 appeared first on IT Governance UK Blog.