Welcome to this week’s round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
More than 59 million patients’ medical and personal data exposed via DICOM servers
Security weaknesses in DICOM (Digital Imaging and Communications in Medicine), the international standard for storing and exchanging medical images for more than 30 years, have led to the exposure of more than 59 million patients’ personal and medical records.
Researchers at the German cyber security company Aplite found 3,806 DICOM servers in 111 countries reachable from the Internet. Fewer than 1% of them enforce effective authorisation, so the imaging studies they hold, and the patient identifiers carried in each image’s header, can be retrieved without credentials.
Data breached: more than 59 million data records.
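The quickest way to find out whether one of your own DICOM endpoints is among the permissive ones is to request an association from an AE title the server has never seen and look at the reply. The script below is an added example, not code from the post or from Aplite: it encodes an A-ASSOCIATE-RQ as defined in DICOM PS3.8, sends it with an arbitrary calling AE title, and classifies the A-ASSOCIATE-AC or A-ASSOCIATE-RJ that comes back. An AC means the server accepts associations from anyone who can reach the port; an RJ with reason “calling AE title not recognised” means only an AE-title whitelist is in place, which is filtering, not authentication. The host, port, AE titles and implementation UID are assumptions, and the sample replies used offline are constructed here. Only point the live probe at systems you are authorised to test.

```python
# Added example (not from the IT Governance post or Aplite). Builds a DICOM
# A-ASSOCIATE-RQ, sends it, and classifies the reply. AE titles, host/port and
# the implementation UID are placeholders; the sample replies are constructed.
import socket
import struct

APP_CONTEXT = "1.2.840.10008.3.1.1.1"     # DICOM Application Context Name
VERIFICATION_SOP = "1.2.840.10008.1.1"    # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"      # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = "1.2.3.4.5.6.7.8"        # placeholder, not a registered implementation UID
PDU_ASSOC_RQ, PDU_ASSOC_AC, PDU_ASSOC_RJ = 0x01, 0x02, 0x03
PDU_RELEASE_RQ, PDU_ABORT = 0x05, 0x07


def _item(item_type: int, payload: bytes) -> bytes:
    """UL item or sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _assoc_pdu(pdu_type: int, called_ae: str, calling_ae: str, items: bytes) -> bytes:
    """Fixed part shared by RQ and AC: version 1, reserved, two 16-byte space-padded AE titles, 32 reserved bytes."""
    called = called_ae.encode("ascii")[:16].ljust(16)
    calling = calling_ae.encode("ascii")[:16].ljust(16)
    body = struct.pack(">H", 1) + b"\x00\x00" + called + calling + b"\x00" * 32 + items
    return struct.pack(">BBI", pdu_type, 0, len(body)) + body


def build_associate_rq(called_ae: str, calling_ae: str, max_pdu: int = 16384) -> bytes:
    """A-ASSOCIATE-RQ proposing the Verification SOP class in presentation context 1."""
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])
                     + _item(0x30, VERIFICATION_SOP.encode("ascii"))
                     + _item(0x40, IMPLICIT_VR_LE.encode("ascii")))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu))
                      + _item(0x52, IMPL_CLASS_UID.encode("ascii"))
                      + _item(0x55, b"PROBE_0.1"))
    return _assoc_pdu(PDU_ASSOC_RQ, called_ae, calling_ae,
                      _item(0x10, APP_CONTEXT.encode("ascii")) + pres_ctx + user_info)


def build_sample_ac(called_ae: str, calling_ae: str, pc_result: int = 0) -> bytes:
    """Constructed A-ASSOCIATE-AC, as a permissive server would answer (offline fixture)."""
    pres_ctx = _item(0x21, bytes([1, 0, pc_result, 0]) + _item(0x40, IMPLICIT_VR_LE.encode("ascii")))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384)))
    return _assoc_pdu(PDU_ASSOC_AC, called_ae, calling_ae,
                      _item(0x10, APP_CONTEXT.encode("ascii")) + pres_ctx + user_info)


# Constructed A-ASSOCIATE-RJ: result 1 (permanent), source 1 (service user),
# reason 3 (calling AE title not recognised), i.e. what an AE-title whitelist returns.
SAMPLE_RJ = struct.pack(">BBI", PDU_ASSOC_RJ, 0, 4) + bytes([0, 1, 1, 3])


def _iter_items(buf: bytes):
    """Walk the variable items of an association PDU."""
    off = 0
    while off + 4 <= len(buf):
        item_type, _, length = struct.unpack(">BBH", buf[off:off + 4])
        yield item_type, buf[off + 4:off + 4 + length]
        off += 4 + length


def classify_reply(pdu: bytes) -> dict:
    """Decode the first PDU returned after an A-ASSOCIATE-RQ."""
    if len(pdu) < 6:
        return {"result": "no-reply"}
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type == PDU_ASSOC_AC:
        # Variable items start at offset 74; 0x21 items carry the per-context result (0 = accepted).
        accepted = [{"id": p[0], "accepted": p[2] == 0}
                    for t, p in _iter_items(pdu[74:6 + length]) if t == 0x21 and len(p) >= 3]
        return {"result": "accepted", "called_ae": pdu[10:26].decode("ascii", "replace").strip(),
                "calling_ae": pdu[26:42].decode("ascii", "replace").strip(),
                "accepted_contexts": accepted}
    if pdu_type == PDU_ASSOC_RJ and length >= 4:
        _, result, source, reason = struct.unpack(">BBBB", pdu[6:10])
        return {"result": "rejected", "permanent": result == 1, "source": source, "reason": reason}
    if pdu_type == PDU_ABORT:
        return {"result": "aborted"}
    return {"result": "unexpected-pdu-0x%02x" % pdu_type}


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "UNREGISTERED", timeout: float = 5.0) -> dict:
    """Live check (network I/O): run only against a server you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        head = sock.recv(6)
        if len(head) < 6:
            return {"result": "no-reply"}
        length, body = struct.unpack(">I", head[2:6])[0], b""
        while len(body) < length:
            chunk = sock.recv(length - len(body))
            if not chunk:
                break
            body += chunk
        if head[0] == PDU_ASSOC_AC:  # release the association we were granted
            sock.sendall(struct.pack(">BBI", PDU_RELEASE_RQ, 0, 4) + b"\x00" * 4)
    return classify_reply(head + body)


if __name__ == "__main__":
    # Offline demonstration on the constructed replies; for a live check call
    # probe("pacs.example.internal", 11112) against a system you own.
    for reply in (build_sample_ac("ANY-SCP", "UNREGISTERED"), SAMPLE_RJ):
        print(classify_reply(reply))
```

An “accepted” result for an unregistered calling AE title is the condition Aplite counted as lacking authorisation. Even a “rejected” result only shows that AE-title filtering is on; AE titles are sent in clear text and are trivially guessed or copied from a legitimate modality, so the durable fixes are to keep the port off the Internet and to require DICOM over TLS with client certificates (or the User Identity negotiation sub-item) at the gateway.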
Akumin Inc. suffers second ransomware attack in months
Having been hit by a BlackSuit ransomware attack in October, which forced it to postpone procedures and appointments, Akumin Inc. has suffered a second attack within months, this time claimed by the BianLian ransomware group.
BianLian claims to have exfiltrated 5 TB of data, comprising millions of sensitive documents. According to the group’s leak-site listing, the compromised information includes patients’ personal data, health and medical records, financial data, internal emails and software source code; as with any leak-site claim, the volume and contents are unverified until the victim confirms them.
Data breached: 5 TB.
BianLian group claims to have hacked AMCO Proteins
The BianLian ransomware group has added AMCO Proteins to its list of victims, claiming to have exfiltrated 4 TB of data, including personal data; accounting, budget and financial data; employee data; operational and business files; email and message archives; and more.
Data breached: 4 TB.
Publicly disclosed data breaches and cyber attacks: full list
This week, we’ve found 83,463,951 records known to be compromised, and 210 organisations suffering a newly disclosed incident. 138 of them are known to have had data exfiltrated or exposed. Only 3 definitely haven’t had data breached.
We’ve also found 6 organisations providing a significant update on a previously disclosed incident.
| Organisation name | Sector | Location | Data exfiltrated? | Known records breached |
|---|---|---|---|---|
| Up to 3,806 organisations with DICOM (Digital Imaging and Communications in Medicine) servers Source (New) | Healthcare | Unknown | Unknown | >59 million |
| Akumin Source (New) | Healthcare | USA | Yes | 5 TB |
| AMCO Proteins Source (New) | Manufacturing | USA | Yes | 4 TB |
| Norton Healthcare Source (New) | Healthcare | USA | Yes | 2.5 million |
| LivaNova Source 1; source 2 (New) | Manufacturing | UK | Yes | 2.2 TB |
| Concertus Design and Property Consultants Limited Source 1; source 2 (New) | Professional services | UK | Yes | 1.9 TB |
| Accu Reference Medical Lab Source (New) | Healthcare | USA | Yes | >1.2 TB |
| Acero Engineering, Inc. Source (New) | Manufacturing | Canada | Yes | 1.2 TB |
| At least two South Korean defence companies and three other South Korean companies Source (New) | Defence and unknown | South Korea | Yes | 1.2 TB |
| Elixir RX Solutions, OrthoNebraska and OSF HealthCare System Source (New) | Healthcare | USA | Yes | 931,316 |
| SML Group Ltd Source (New) | Engineering | UK | Yes | 830 GB |
| Travian Games Source (New) | Technology | Germany | Yes | 560 GB (790,567 files) |
| CMS Communications Source (New) | Telecoms | USA | Yes | >500 GB |
| UF Resources Source (New) | Finance | USA | Yes | 500 GB |
| Denave Source (New) | Professional services | India | Yes | 300 GB |
| Clatskanie PUD Source (New) | Utilities | USA | Yes | >200 GB |
| Great Lakes Technologies Source (New) | Manufacturing | USA | Yes | 200 GB |
| Americold Logistics, LLC. Source (New) | Transport | USA | Yes | 129,611 |
| Tcman Source (New) | Manufacturing | Spain | Yes | 108 GB (179 files) |
| Compass Group Italia Source (New) | Hospitality | Italy | Yes | 107 GB |
| Pan-American Life Insurance Group, Inc. Source (New) | Insurance | USA | Yes | 105,387 |
| Carter’s / Oshkosh Israel Source (New) | Retail | Israel | Yes | >100,000 |
| SodaStream Source (New) | Manufacturing | Israel | Yes | >100,000 |
| Amsellem & Weitz Source (New) | Legal | Israel | Yes | 100 GB |
| Stanley Steemer International, Inc. Source (Update) | Professional services | USA | Yes | 67,921 |
| Worldwide Australian Labradoodle Association Source (New) | Non-profit | USA | Unknown | >56,000 |
| Tryax Realty Management, Inc. Source (New) | Real estate | USA | Yes | >50 GB |
| HMW Special Utility District Source 1; source 2 (New) | Utilities | USA | Yes | >50 GB |
| University Hospital Southampton Source (New) | Healthcare | UK | Unknown | 42,000 |
| Florida Community Care Source (New) | Insurance | USA | Yes | 30,891 |
| Red Roof Inn Source (New) | Hospitality | USA | Yes | 27,327 |
| Addenbrooke’s Hospital – The Rosie Hospital Source 1; source 2 (New) | Healthcare | UK | Unknown | 22,073 |
| Sweetwater Union High School District Source (Update) | Education | USA | Yes | >22,000 |
| Independent Living Systems, LLC Source (New) | Healthcare | USA | Yes | 19,419 |
| Hi-School Pharmacy Source (New) | Healthcare | USA | Yes | 17,676 |
| Financial Risk Mitigation, Inc. Source (New) | Professional services | USA | Yes | 10,799 |
| Blue Waters Products Limited Source (New) | Manufacturing | Trinidad and Tobago | Yes | >10 GB |
| Getrix Source (New) | Technology | Italy | Yes | 10 GB |
| Nida Corporation Source (New) | Manufacturing | USA | Yes | 10 GB |
| Kirkwood Bank & Trust Source (New) | Finance | USA | Yes | 8,719 |
| Baird Insurance Services, Inc. and Robert W. Baird & Co. Incorporated Source (Update) | Insurance | USA | Yes | 7,361 |
| Advantis Global, Inc. Source (New) | Professional services | USA | Yes | 5,666 |
| United Home Loans, Inc. Source (New) | Finance | USA | Yes | 5,324 |
| STI Holdings, Inc. Source (New) | Manufacturing | USA | Yes | 4,294 |
| Pinnacle Bank (Nebraska) Source (New) | Finance | USA | Yes | 2,726 |
| Fedway Associates, Inc. Source (New) | Retail | USA | Yes | 2,469 |
| Three GreatStar Industrial Co. Ltd. subsidiaries: Arrow Fastener Co., LLC, Prime-Line Products and Shop-Vac USA, LLC Source (New) | Manufacturing | USA | Yes | Thousands of administrative documents, budgets, sales invoices, salary information and company secrets; dozens of NDAs; over 100 distributor agreements; and some passports |
| Bell Flavors & Fragrances Source (New) | Manufacturing | USA | Yes | 1,768 |
| Simoniz USA, Inc. Source (New) | Manufacturing | USA | Yes | 1,570 |
| Spectris, Inc. Source (New) | Manufacturing | USA | Yes | 1,237 |
| Leggett & Platt Incorporated Employee Benefit Fund Source (New) | Healthcare | USA | Yes | 1,200 |
| Central Bank (Storm Lake, IA) Source (New) | Finance | USA | Yes | 792 |
| Senior Flexonics Pathway Source (New) | Manufacturing | USA | Yes | 611 |
| Aiphone Corporation Source (New) | Manufacturing | USA | Yes | 553 |
| Washington National Insurance Company Source (New) | Insurance | USA | Unknown | 424 |
| Addenbrooke’s Hospital – cancer patients on clinical trials Source 1; source 2 (New) | Healthcare | UK | Unknown | 373 |
| AvidXchange, Inc. Source (New) | Technology | USA | Yes | 204 |
| Ho Chi Minh City Energy Company Source (New) | Energy | Vietnam | Yes | 84 |
| Austal USA Source 1; source 2 (New) | Manufacturing | USA | Yes | 43 |
| Income Tax Department of India Source (New) | Public | India | Yes | 1 |
| Gloucestershire County Council Source (New) | Public | UK | Unknown | 1 |
| Daiho Industrial Co., Ltd. Source (New) | Manufacturing | Japan | Yes | Unknown |
| Midland Industries Source (New) | Retail | USA | Yes | Unknown |
| Rosen’s Diversified, Inc. Source (New) | Agriculture | USA | Yes | Unknown |
| Precision Technologies Group – Holroyd Source (New) | Engineering | UK | Yes | Unknown |
| A.G. Consulting Engineering, PC Source (New) | Engineering | USA | Yes | Unknown |
| Planbox Source (New) | Technology | Canada | Yes | Unknown |
| GVM, Inc Source (New) | Manufacturing | USA | Yes | Unknown |
| Bowden Barlow Law, P.A. Source (New) | Legal | USA | Yes | Unknown |
| University of Wollongong Source (New) | Education | Australia | Yes | Unknown |
| Midgaard Source (New) | Retail | Sweden | Yes | Unknown |
| RESERVED Israel Source (New) | Retail | Israel | Yes | Unknown |
| Back2School Project Source (New) | Non-profit | Israel | Yes | Unknown |
| Israel’s Ministry of Health Source (New) | Public | Israel | Yes | Unknown |
| SEACRET Australia Source (New) | Retail | Australia | Yes | Unknown |
| Camel Grinding Wheels Source (New) | Manufacturing | Israel | Yes | Unknown |
| Taylor University Source (New) | Education | USA | Yes | Unknown |
| Gunster Source (New) | Legal | USA | Yes | Unknown |
| Jersey College Source (New) | Education | USA | Yes | Unknown |
| CBIZ KA and Prime Healthcare – specifically, Saint Michael’s Medical Center, Roxborough Memorial Hospital, Garden City Hospital, Landmark Medical Center, Lower Bucks Hospital, Saint Clare’s Hospital, Lake Huron Medical Center, St. Mary’s General Hospital and Suburban Community Hospital Source 1; source 2 (New) | Professional services and healthcare | USA | Yes | Unknown |
| Department for Child Protection, South Australia Source (New) | Public | Australia | Yes | Unknown |
| ALDO Shoes franchise partner Source 1; source 2 (New) | Retail | Canada | Yes | Unknown |
| La Prensa Source (New) | Media | Nicaragua | Yes | Unknown |
| Visán Source (New) | Manufacturing | Spain | Yes | Unknown |
| Campbell County School District Source (New) | Education | USA | Yes | Unknown |
| Deutsche Energie-Agentur GmbH Source (New) | Energy | Germany | Yes | Unknown |
| Flexible Packaging Solutions Source (New) | Manufacturing | Netherlands | Yes | Unknown |
| Aqualectra Utility Source (New) | Utilities | Curaçao | Yes | Unknown |
| Sagent Source (New) | Technology | USA | Yes | Unknown |
| FPZ Source (New) | Manufacturing | Italy | Yes | Unknown |
| LABELIANS Source (New) | Retail | France | Yes | Unknown |
| Polyclinique du Cotentin Source (New) | Healthcare | France | Yes | Unknown |
| TraCS Florida Source (New) | Technology | USA | Yes | Unknown |
| Restar Holdings Corporation Source (New) | Manufacturing | Japan | Yes | Unknown |
| Greater Richmond Transit Company Source 1; source 2 (New) | Transport | USA | Yes | Unknown |
| Omega Interventional Pain Clinic Source (New) | Healthcare | USA | Yes | Unknown |
| Kuriyama of America, Inc. Source (New) | Manufacturing | USA | Yes | Unknown |
| Payne Hicks Beach LLP Source (New) | Legal | UK | Yes | Unknown |
| Vitro Plus Source (New) | Agriculture | Netherlands | Yes | Unknown |
| Becker Furniture Source (New) | Manufacturing | USA | Yes | Unknown |
| Capespan Source (New) | Transport | South Africa | Yes | Unknown |
| Burton Wire & Cable Source (New) | Manufacturing | USA | Yes | Unknown |
| Graphic Solutions Group Source (New) | Professional services | USA | Yes | Unknown |
| GreenWaste Source (New) | Environmental | USA | Yes | Unknown |
| Silvent North America Source (New) | Manufacturing | USA | Yes | Unknown |
| California Innovations Source (New) | Manufacturing | Canada | Yes | Unknown |
| Phibro LLC Source (New) | Energy | USA | Yes | Unknown |
| AJO Source (New) | Finance | USA | Yes | Unknown |
| Ridge Vineyards Source (New) | Manufacturing | USA | Yes | Unknown |
| PLS Logistics Services Source (New) | Transport | USA | Yes | Unknown |
| Intrepid Museum Source (New) | Non-profit | USA | Yes | Unknown |
| SMRT Architects & Engineers Source (New) | Manufacturing | USA | Yes | Unknown |
| Golfzon Source (New) | Retail | South Korea | Yes | Unknown |
| Postworks Source (New) | Media | USA | Yes | Unknown |
| Yan Chai Hospital Law Chan Chor Si College Source (New) | Education | Hong Kong | Yes | Unknown |
| Université de Sherbrooke Source (New) | Education | Canada | Yes | Unknown |
| HopTo Source (New) | Transport | USA | Yes | Unknown |
| Bridgers & Paxton Source (New) | Manufacturing | USA | Yes | Unknown |
| SigniFlow Source (New) | Technology | UK | Yes | Unknown |
| Citizens Bank of West Virginia Source (New) | Finance | USA | Yes | Unknown |
| Direct Radiology Source (New) | Healthcare | USA | Yes | Unknown |
| Policía Nacional del Perú Source (New) | Public | Peru | Yes | Unknown |
| Qatar Racing and Equestrian Club Source (New) | Leisure | Qatar | Yes | Unknown |
| Osem, H&O Israel and Hagarin Source 1; source 2 (Update) | Manufacturing and retail | Israel | Yes | Unknown |
| Rheinmetall AG Source (New) | Manufacturing | Germany | Unknown | Unknown |
| Verkehrsverbund Großraum Nürnberg Source (New) | Transport | Germany | Unknown | Unknown |
| annalena-baerbock.de Source (New) | Public | Germany | Unknown | Unknown |
| Bayerische Landesbank Source (New) | Finance | Germany | Unknown | Unknown |
| Münchner Verkehrsgesellschaft Source (New) | Transport | Germany | Unknown | Unknown |
| Berlin.de Source (New) | Public | Germany | Unknown | Unknown |
| Bundeswehr Source (New) | Defence | Germany | Unknown | Unknown |
| Nissan, Nissan Financial Services, Mitsubishi Motors Financial Services, Renault Financial Services, Skyline Car Finance, RAM Truck Finance, and LDV Financial Services Source 1; source 2 (New) | Manufacturing and finance | Australia and New Zealand | Unknown | Unknown |
| Government, aerospace technology, higher education, finance, manufacturing and technology sector targets in Europe and North America Source (New) | Public, manufacturing, education, finance and technology | Europe and North America | Unknown | Unknown |
| Hugging Face, Meta, Google, Microsoft and VMware Source (New) | Technology | USA | Unknown | Unknown |
| US Department of Health and Human Services Source (New) | Public | USA | Unknown | Unknown |
| Hinsdale School District Source (New) | Education | USA | Unknown | Unknown |
| Fred Hutch Cancer Center Source (New) | Healthcare | USA | Unknown | Unknown |
| National Police of Ukraine Source (New) | Public | Ukraine | Unknown | Unknown |
| London City Airport Source 1; source 2 (New) | Transport | UK | Unknown | Unknown |
| Finnish National Cyber Security Centre Source (New) | Security | Finland | Unknown | Unknown |
| Saimaan Saaristo- ja Veneilypalvelut Oy Source (New) | Cruise agency | Finland | Unknown | Unknown |
| Finnish Transport Infrastructure Agency Source (New) | Public | Finland | Unknown | Unknown |
| Traficom Source (New) | Public | Finland | Unknown | Unknown |
| Government of Yucatán Source 1; source 2 (New) | Public | Mexico | Unknown | Unknown |
| DEPA Commercial S.A. Source (New) | Energy | Greece | Unknown | Unknown |
| Coral Gas Source (New) | Energy | Greece | Unknown | Unknown |
| Elin Source (New) | Energy | Greece | Unknown | Unknown |
| Warsaw Metro, Strona główna, Raiffeisen Bank, Plus Bank, Bank Pekao, Narodowy Bank Polski, KGHM Polska Miedź, Polskie Radio 24, ePUAP, Senate of the Republic of Poland, Marshal Office of the Lubelskie Voivodeship and Supreme Court of Poland Source 1; source 2; source 3 (New) | Transport, finance, mining, media, technology, public and legal | Poland | Unknown | Unknown |
| Senate of the Czech Republic, Ministry of the Interior of the Czech Republic, Financial Administration of the Czech Republic, Police of the Czech Republic, Prague public transport company, Prague Airport, Prague Stock Exchange, CzechTrade and MONETA Money Bank Source 1; source 2 (New) | Public, transport and finance | Czech Republic | Unknown | Unknown |
| Sky Arabia News and The Economist Source (New) | Media | UAE and UK | Unknown | Unknown |
| ELTA Hellenic Post SA Source (New) | Transport | Greece | Unknown | Unknown |
| East Cambridgeshire District Council, Leicestershire County Council, Liverpool City Council and West Yorkshire Metro Source (New) | Public and transport | UK | Unknown | Unknown |
| BERMAD Source (New) | Manufacturing | Israel | Unknown | Unknown |
| Zhytomyr College of Pharmacy Source (New) | Education | Ukraine | Unknown | Unknown |
| Adobe and a federal agency Source (New) | Technology and public | USA | No | 0 |
| Groveport Madison Schools Source 1; source 2 (New) | Education | USA | No | 0 |
Note: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Enforcement
ECJ ruling makes it easier for data protection authorities to impose GDPR fines
The European Court of Justice has issued a judgment in two GDPR (General Data Protection Regulation) enforcement cases, referred from Lithuania and Germany, with implications for all data protection authorities. According to the decision, fines can be issued to data controllers when GDPR infringements are “committed wrongfully, that is to say, intentionally or negligently”, and an authority does not need to attribute the infringement to an identified individual within the organisation before fining the legal person.
UK Information Commissioner warns about data privacy when using AI
On 6 December, the UK Information Commissioner, John Edwards, told techUK’s Digital Ethics Summit 2023 that developers must embed privacy in their products to maintain consumer trust.
In his keynote address, he said: “Privacy and AI go hand in hand – there is no either/or here. You cannot expect to utilise AI in your products or services without considering privacy, data protection and how you will safeguard people’s rights. There are no excuses for not ensuring that people’s personal information is protected if you are using AI systems, products or services.”
US OCR imposes HIPAA penalty in phishing attack case
The US Department of Health and Human Services’ Office for Civil Rights has imposed its first financial penalty under HIPAA (the Health Insurance Portability and Accountability Act) for violations of the Act’s Security Rule arising from a phishing attack. An attacker gained access to Lafourche Medical Group’s Microsoft 365 environment after a phishing email that impersonated one of the medical group’s owners; the protected health information of up to 34,862 people was compromised.
Other news
US GAO finds federal agencies need to improve incident response capabilities
A new study by the US Government Accountability Office has found that, while federal agencies have improved their ability to detect, analyse and handle incidents such as ransomware attacks and data breaches, some agencies have still not met the federal event logging requirements set out in OMB Memorandum M-21-31, leaving gaps in the log data incident responders depend on.
AFP calls for Australians to report ransomware attacks
The Australian Federal Police is renewing its call for victims of ransomware to report incidents as soon as possible, fearing that some organisations and people are not involving law enforcement in their response to attacks.
CISA and ENISA sign working arrangement to enhance cooperation
The US’s CISA (Cybersecurity and Infrastructure Security Agency) and ENISA (European Union Agency for Cybersecurity) have signed a working arrangement relating to capacity building, the exchange of best practices and boosting situational awareness. The arrangement builds on current cooperation to improve cyber resilience.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
The post The Week in Cyber Security and Data Privacy: 4 – 10 December 2023 appeared first on IT Governance UK Blog.