The Week in Cyber Security and Data Privacy: 11 – 18 December 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

We’re also introducing two new categories this week: ‘AI’ and ‘Key dates’.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Mr. Cooper reveals 14,690,284 people affected in October breach

The largest mortgage provider in the US, Nationstar Mortgage LLC, operating under the name Mr. Cooper, says its investigation into an October cyber attack has uncovered evidence of customer data being compromised.

According to its breach notification, Mr. Cooper detected suspicious activity on its network on 31 October. An investigation determined that personal data, including names, addresses, phone numbers, Social Security numbers, dates of birth and bank account numbers, belonging to nearly 15 million people was obtained by an unauthorised party between 30 October and 1 November.

Data breached: personal data belonging to 14,690,284 individuals.

8 TB of data exfiltrated from Advantage Group International

Following an outage affecting its leak site (see the ‘Enforcement’ section below), the ALPHV/BlackCat ransomware group is listing only a single incident: a data breach affecting the business management consultant Advantage Group International. ALPHV claims to have 8 TB of data, including data sets from Coca-Cola, Procter & Gamble, and Pepsi.

Data breached: 8 TB.

Delta Dental of California suffers breach affecting 6,928,932 people due to MOVEit vulnerability

Delta Dental of California, which provides dental benefits to people, was a user of Progress Software’s popular file transfer software application MOVEit Transfer. When the Russian Cl0p gang exploited a zero-day SQL injection vulnerability in MOVEit Transfer in May 2023, Delta Dental was one of hundreds of organisations whose data was compromised.

According to Delta Dental’s breach notification, affected personal data included addresses, Social Security numbers, driver’s license numbers or other state identification numbers, passport numbers, financial account information, tax identification numbers, individual health insurance policy numbers and health information. The data belonged to nearly 7 million individuals.

Data breached: personal data belonging to 6,928,932 individuals.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 49,172,276 records known to be compromised, and 239 organisations suffering a newly disclosed incident. 144 of them are known to have had data exfiltrated or exposed. Only 4 definitely haven’t had data breached.

We’ve also found 13 organisations providing a significant update on a previously disclosed incident.

Organisation name Sector Location Data exfiltrated? Known records breached
Nationstar Mortgage LLC (Mr. Cooper)
Source 1; source 2
(Update)
Finance USA Yes 14,690,284
Advantage Group International
Source
(New)
Professional services Canada Yes 8 TB
Delta Dental of California
Source
(New)
Healthcare USA Yes 6,928,932
KFC China
Source
(New)
Hospitality China Yes 3,780,000
Instituto Universitario de Tecnología de Administración Industrial
Source
(New)
Education Venezuela Yes 1,760,785
Azienda USL di Modena
Source 1; source 2
(New)
Healthcare Italy Yes 1,202,175
Independent Recovery Resources, Inc.
Source
(New)
Finance USA Yes 1.1 TB
Greenbox Loans, Inc.
Source
(New)
Finance USA Yes 1 TB
GokuMarket (ByteX)
Source
(New)
Crypto Canada Unknown >1,000,000
DonorView
Source 1; source 2
(New)
Software USA Unknown 948,029
CTS, Talbots Law and Fenwick Elliott LLP
Source 1; source 2
(Update)
IT services and legal UK Yes 945 GB
Shorts Chartered Accountants
Source
(New)
Finance UK Yes 597.67 GB
Alexander Dennis
Source
(New)
Manufacturing UK Yes 507 GB
CMS Spain
Source 1; source 2
(New)
Legal Spain Yes >500 GB
West Virginia University Health System
Source
(New)
Healthcare USA Yes 495,331
Dameron Hospital
Source 1; source 2
(Update)
Healthcare USA Yes >480 GB
World Emblem
Source
(New)
Manufacturing USA Yes 417.12 GB
Coca-Cola Singapore
Source
(New)
Manufacturing Singapore Yes 413.92 GB
City of Defiance
Source
(New)
Public USA Yes >390 GB
Dafiti Argentina
Source
(New)
Retail Argentina Yes 321.63 GB
Goa Natural Gas Pvt.Ltd.
Source
(New)
Energy India Yes 280,000
National Student Clearinghouse
Source 1; source 2
(Update)
Non-profit USA Yes 271,496
PCTEL
Source
(New)
Telecoms USA Yes 267.45 GB
Greater Buffalo United Accountable Healthcare Network
Source
(New)
Healthcare USA Yes 235.66 GB
Dubai Taxi Company
Source
(New)
Transport UAE Unknown >219,952
Rodo Limited
Source
(New)
Retail UK Yes 201 GB
Altezze
Source
(New)
Manufacturing Mexico Yes 200 GB
AGL Welding Supply Co., Inc.
Source
(New)
Manufacturing USA Yes 171.54 GB
Gaido & Fintzen
Source
(New)
Legal USA Yes 170 GB
TGLT
Source
(New)
Construction Argentina Yes 158.78 GB
Harrisburg Medical Center
Source
(New)
Healthcare USA Yes 147,826
InstantResume
Source
(New)
Software USA Yes >142,000
Decina
Source
(New)
Manufacturing Australia Yes 108.98 GB
Asper Biogene
Source
(New)
Manufacturing Estonia Yes 100,000
St. Kitts and Nevis Customs and Excise Department
Source
(New)
Public Saint Kitts and Nevis Yes <100 GB
Regional Family Medicine
Source
(New)
Healthcare USA Yes 80,166
Greater Cincinnati Behavioral Health Services
Source
(New)
Healthcare USA Yes 72.4 GB
SmartWAVE Technologies
Source
(New)
Telecoms USA Yes 65 GB
Cooper Research Technology
Source
(New)
Engineering UK Yes 64.72 GB
Heart of Texas Behavioral Health Network
Source 1; source 2
(New)
Healthcare USA Yes 63,776
Grupo Televisa
Source
(New)
Telecoms Mexico Yes >60,000
The Teaching Company (Wondrium by The Great Courses)
Source
(New)
Education USA Yes 60 GB
Lunacon Construction Group, Corp.
Source
(New)
Construction USA Yes 50.93 GB
Crace Medical Centre
Source
(New)
Healthcare Australia Yes 30 GB
Kitahiroshima Fukushikai Social Welfare Council
Source
(New)
Public Japan Yes 30 GB
Warrior Met Coal
Source
(New)
Energy USA Yes 19,794
Coos Health & Wellness
Source
(New)
Healthcare USA Yes 14,040
MSD Information Technology
Source
(New)
IT services Australia Yes 47 GB
Goiasa
Source
(New)
Energy Brazil Yes 47 GB
PTSolutions and Berkshire eSupply
Source 1; source 2
(New)
Manufacturing USA Yes 33,570
Nexiga GmbH
Source
(New)
Professional services Germany Yes 30 GB
Seven Seas Group
Source
(New)
Transport UAE Yes 26.52 GB
Total Club Apps
Source
(New)
Software Colombia Yes 21,000
Grayhill
Source
(New)
Manufacturing USA Yes 19.71 GB
Novolog Group
Source 1; source 2
(Update)
Healthcare Israel Yes 15 GB
Studio MF
Source
(New)
Professional services Italy Yes 10 GB
Plug Power
Source
(New)
Manufacturing USA Yes 8,323
AMCP Payments Intermediate Company LLC (Talus Pay)
Source
(New)
Finance USA Yes 7,292
CareTree
Source 1; source 2
(Update)
Software USA Yes 5,474
Jacmar Companies, LLC
Source
(New)
Hospitality USA Yes 4,863
LEEDARSON IoT Technology Inc.
Source
(New)
Manufacturing China Yes 3.53 GB
NATO
Source
(New)
Public Belgium Yes 3,242
Stadt Baden
Source
(New)
Public Switzerland Yes 3.15 GB
Aeronautical Radio of Thailand
Source
(New)
Transport Thailand Yes 3,021
Florida Water Products
Source 1; source 2
(Update)
Retail USA Yes 2,946
Atlas Technical Consultants, Inc.
Source
(New)
Environmental USA Yes 2,148
Alcaldía Mayor de Tunja
Source
(New)
Public Colombia Yes 2 GB
National Electric Coil
Source 1; source 2; source 3
(New)
Manufacturing USA Yes 1,750
Wianno Club
Source
(New)
Hospitality USA Yes 1,731
Iscar Metals
Source
(New)
Manufacturing USA Yes 1,359
Butler Bros.
Source
(New)
Retail USA Yes 1,268
Lipsey Communications, LLC (Paycom Payroll, LLC)
Source 1; source 2
(New)
Telecoms USA Yes 1,202
Yorkshire Wellness Group, Corp.
Source 1; source 2
(New)
Healthcare USA Yes 1,000
Ayuntamiento de Villamayor
Source
(New)
Public Spain Yes 1,000
Pinnacle Bank Texas
Source
(New)
Finance USA Yes 809
Tool-Flo
Source
(New)
Manufacturing USA Yes 660
American Meteorological Society
Source
(New)
Non-profit USA Yes 557
City of Hope
Source
(New)
Healthcare USA Yes 501
Lucifer Lighting Company
Source 1; source 2
(New)
Manufacturing USA Yes 331
R. David Wheeler, CPA P.C.
Source
(New)
Finance USA Yes 325
Precision Cutting Tools
Source
(New)
Manufacturing USA Yes 256
Marjorie E. Wolasky P.A.
Source
(New)
Legal USA Yes 124
KV Federal Credit Union
Source
(New)
Finance USA Yes 97
Ortu Gable Hall School
Source
(New)
Education UK Unknown 69
Buffalo City Metropolitan Municipality
Source
(New)
Public South Africa Yes >57
ISC Consulting Engineers
Source
(New)
Engineering Denmark Yes Unknown
BioMatrix Specialty Pharmacy
Source
(New)
Healthcare USA Yes Unknown
Kohl Wholesale
Source
(New)
Retail USA Yes Unknown
DSG US
Source
(New)
Software USA Yes Unknown
Share & Haris LLC
Source
(New)
Finance USA Yes Unknown
Woodruff Enterprises
Source
(New)
Transport USA Yes Unknown
Airtech Equipment Pte Ltd
Source
(New)
Manufacturing Singapore Yes Unknown
Ahmedabad University
Source
(New)
Education India Yes Unknown
Tradewinds International Insurance Brokers
Source
(New)
Insurance Malaysia Yes Unknown
Hebeler LLC
Source
(New)
Manufacturing USA Yes Unknown
Spaulding Clinical
Source
(New)
Healthcare USA Yes Unknown
Rieser Aufzugbau GmbH
Source
(New)
Construction Germany Yes Unknown
Philips Global
Source
(New)
Manufacturing USA Yes Unknown
Bemes, Inc.
Source
(New)
Manufacturing USA Yes Unknown
Pagano & Company
Source
(New)
Finance USA Yes Unknown
Spirit Leatherworks
Source
(New)
Retail USA Yes Unknown
Commonwealth Capital Pte Ltd
Source
(New)
Finance Singapore Yes Unknown
Chaney, Couch, Callaway, Carter & Associates Family Dentistry
Source
(New)
Healthcare USA Yes Unknown
Grand Rapids Women’s Health
Source
(New)
Healthcare USA Yes Unknown
Pronat Industries
Source
(New)
Manufacturing Israel Yes Unknown
Austen Consultants
Source
(New)
IT services USA Yes Unknown
Catholic Charities of the Archdiocese of Miami, Inc.
Source
(New)
Charity USA Yes Unknown
E. & J. Gallo Winery
Source
(New)
Manufacturing USA Yes Unknown
Mortgage Contracting Services, LLC
Source
(New)
Finance USA Yes Unknown
King Aerospace
Source
(New)
Manufacturing USA Yes Unknown
Insomniac Games (Sony)
Source 1; source 2
(New)
Software USA Yes Unknown
CHI St. Alexius Health
Source
(New)
Healthcare USA Yes Unknown
GlobalSpec
Source
(New)
Engineering USA Yes Unknown
Bayonne Board of Education
Source
(New)
Education USA Yes Unknown
Grupo José Alves
Source
(New)
Manufacturing Brazil Yes Unknown
ATCO Products
Source
(New)
Manufacturing USA Yes Unknown
Keenan & Associates
Source 1; source 2
(New)
Insurance USA Yes Unknown
Petrotec Qatar
Source
(New)
Energy Qatar Yes Unknown
Memorial Sloan Kettering Cancer Center
Source
(New)
Healthcare USA Yes Unknown
Restek Corporation
Source 1; source 2
(New)
Manufacturing USA Yes Unknown
CVC Holding Corp
Source 1; source 2
(New)
Construction USA Yes Unknown
Zai Lab
Source
(New)
Manufacturing China Yes Unknown
IGT Testing Systems
Source
(New)
Manufacturing Netherlands Yes Unknown
William Jackson Food Group
Source
(New)
Manufacturing UK Yes Unknown
Tulane University
Source
(New)
Education USA Yes Unknown
Carolina Beverage Group, LLC
Source
(New)
Manufacturing USA Yes Unknown
Goldwind
Source
(New)
Manufacturing China Yes Unknown
Converze Media Group
Source
(New)
Professional services USA Yes Unknown
Hyman Hayes Associates
Source
(New)
Construction USA Yes Unknown
CACG
Source
(New)
Environmental France Yes Unknown
MongoDB
Source
(New)
Software USA Yes Unknown
SenateSHJ and its third-party IT provider
Source
(New)
Professional services and IT services New Zealand and unknown Yes Unknown
New York School of Interior Design
Source
(New)
Education USA Yes Unknown
Insidesource
Source
(New)
Retail USA Yes Unknown
TaxPlus
Source 1; source 2
(New)
Finance USA Yes Unknown
AGY
Source
(New)
Manufacturing USA Yes Unknown
TRISTAR Insurance Group
Source 1; source 2
(New)
Insurance USA Yes Unknown
The Greenbrier Sporting Club
Source
(New)
Leisure USA Yes Unknown
Mitrani, Caballero & Ruiz Moreno
Source
(New)
Legal Argentina Yes Unknown
Reus Mobilitat i Serveis (Amersam)
Source
(New)
Transport Spain Yes Unknown
Dillard Door & Security Inc.
Source
(New)
Manufacturing USA Yes Unknown
SBK Real Estate
Source
(New)
Real estate UAE Yes Unknown
Tim Davies Landscaping
Source
(New)
Professional services Australia Yes Unknown
Soethoudt Metaalbewerking
Source
(New)
Manufacturing Netherlands Yes Unknown
VAC-U-MAX
Source
(New)
Manufacturing USA Yes Unknown
Hawkins Sales
Source
(New)
Manufacturing USA Yes Unknown
Groupe PROMOBE
Source
(New)
Real estate Luxembourg Yes Unknown
VF Corporation
Source
(New)
Retail USA Yes Unknown
Petersen Health Care
Source
(New)
Healthcare USA Yes Unknown
Tri-City Medical Center
Source 1; source 2
(Update)
Healthcare USA Yes Unknown
Zap Group and Semicom
Source 1; source 2
(Update)
IT services and retail Israel Yes Unknown
Bayer Heritage Federal Credit Union
Source 1; source 2
(Update)
Finance USA Yes Unknown
Battle.net (Blizzard Entertainment)
Source
(New)
Software USA Unknown Unknown
Newfound Area School District
Source
(New)
Education USA Unknown Unknown
Dubai Airports and Abu Dhabi Airports
Source 1; source 2
(New)
Transport UAE Unknown Unknown
President of the Republic of Bulgaria, Council of Ministers of the Republic of Bulgaria, and National Customs Agency
Source
(New)
Public Bulgaria Unknown Unknown
DSK Bank, Bulgarian National Bank, ProCredit Bank Bulgaria, and First Investment Bank
Source
(New)
Finance Bulgaria Unknown Unknown
ONE FOR ISRAEL
Source
(New)
Religious Israel Unknown Unknown
The Official Portal of the UAE Government
Source
(New)
Public Israel Unknown Unknown
Zara
Source
(New)
Retail Spain Unknown Unknown
Israel Defense Forces
Source
(New)
Defence Israel Unknown Unknown
About two dozen US critical infrastructure organisations, as well as several non-US entities
Source 1; source 2
(New)
Include utilities, transport and energy USA and unknown Unknown Unknown
Bezirk March
Source
(New)
Public Switzerland Unknown Unknown
London Public Library
Source 1; source 2
(New)
Public Canada Unknown Unknown
Federal Tax Service of Russia
Source
(New)
Public Russia Unknown Unknown
Ledger
Source 1; source 2
(New)
Crypto France Unknown Unknown
Kraft Heinz
Source 1; source 2
(New)
Manufacturing USA Unknown Unknown
Västtrafik, Norrtåg, Port of Oskarshamn and Port of Helsingborg
Source 1; source 2
(New)
Transport Sweden Unknown Unknown
Avanza Bank and Länsförsäkringar Bank
Source
(New)
Finance Sweden Unknown Unknown
Indian Department of Justice; High Court of Punjab and Haryana, Chandigarh; Department of Police, Uttar Pradesh; Office of the Controller General of Patents, Designs & Trade Marks; and Employees’ State Insurance Corporation
Source
(New)
Public, legal and insurance India Unknown Unknown
Abu Ali Express
Source
(New)
Media Israel Unknown Unknown
Emirates News Agency (WAM)
Source 1; source 2
(New)
Media UAE Unknown Unknown
UAE Pass
Source
(New)
Software UAE Unknown Unknown
UAE Ministry of Climate Change and Environment
Source
(New)
Public UAE Unknown Unknown
Discord
Source
(New)
Software USA Unknown Unknown
Rocket League (Psyonix)
Source
(New)
Software USA Unknown Unknown
Raiffeisenbank CZ, Sberbank CZ, Buřinka and Trinity Bank
Source
(New)
Finance Czech Republic Unknown Unknown
Bundesverfassungsgericht, Bundesgerichtshof, Bundeswehr and Bundespolizei
Source
(New)
Legal, defence and public Germany Unknown Unknown
Ruter AS
Source
(New)
Transport Norway Unknown Unknown
Swift card
Source
(New)
Finance UK Unknown Unknown
European Bank for Reconstruction and Development
Source
(New)
Finance UK Unknown Unknown
European Economic and Social Committee
Source
(New)
Finance Belgium Unknown Unknown
The Belgian Monarchy, premier.be, Chamber of Representatives and City of Brussels
Source
(New)
Public Belgium Unknown Unknown
Brussels Intercommunal Transport Company
Source
(New)
Transport Belgium Unknown Unknown
Ukrinmash
Source
(New)
Defence Ukraine Unknown Unknown
Prosecutor General of Ukraine and Security Service of Ukraine
Source 1; source 2
(New)
Legal and public Ukraine Unknown Unknown
Ukraine Energy Support Fund and Zhytomyr-oblenergo
Source
(New)
Energy Ukraine Unknown Unknown
Zaporizhstal and Velta
Source
(New)
Manufacturing Ukraine Unknown Unknown
The National Securities and Stock Market Commission of Ukraine, Akordbank and UnexBank
Source
(New)
Finance Ukraine Unknown Unknown
Severn Valley Medical Practice
Source
(New)
Healthcare UK No Unknown
Kyivstar
Source 1; source 2
(New)
Telecoms Ukraine No 0
UAE set-top box provider
Source
(New)
Manufacturing UAE No 0
Central Bank of Lesotho
Source 1; source 2
(New)
Finance Lesotho No 0
Newsquest
Source
(New)
Media UK No 0

Note: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.


AI

Panel discussion on AI and privacy in healthcare

At a recent panel discussion hosted by Georgetown University and the World Bank, experts discussed the opportunities and challenges of using AI in healthcare. One of the major issues the panel focused on was the use of patient data to teach AI models.

Japan and ASEAN to cooperate on cyber security and AI

Following a summit to mark the 50th anniversary of relations between Japan and the Association of Southeast Asian Nations, the two sides will work together on cyber security and managing AI. A draft implementation plan will set out steps towards three goals: interpersonal exchanges; co-creation of the economy and society; and peace and stability.

EU to invest over €760 million in Digital Europe Programme (DIGITAL)

The European Commission has adopted the amendment of the Digital Europe work programmes for 2024, assigning €762.7 million in funding for digital solutions. The amended main work programme will focus on projects that use digital technologies such as data, Cloud and advanced digital skills. New actions will support the implementation of the AI Act and the development of a European AI ecosystem.


Enforcement

ALPHV/BlackCat ransomware site outage

The ALPHV/BlackCat ransomware-as-a-service group, which has often featured in the news in recent years for its numerous high-profile attacks, has suffered online disruption to its leak site and payment infrastructure.

The cyber intelligence company RedSense claimed that ALPHV’s site was “taken down by law enforcement”, although Infosecurity Magazine reports that the group has blamed the outage on “unspecified ‘hosting’ issues”. Whatever the cause, the site is missing its database of previous data breaches and currently lists only one: Advantage Group International (see above).

Russian ransomware banker arrested in Paris

French authorities have arrested a 40-year-old Russian national suspected of laundering money for the Hive ransomware-as-a-service group, which was dismantled in January. Police seized more than €570,000 worth of cryptocurrency as part of their search of his home in Cyprus.

Man sentenced to two years in prison for damaging former employer’s network

A former Cloud engineer for a San Francisco bank has been sentenced to 24 months in prison for accessing the bank’s network after he was sacked and causing over $220,000 worth of damage. Miklos Daniel Brody “deleted the bank’s code repositories, ran a malicious script to delete logs, left taunts within the bank’s code for former colleagues, and impersonated other bank employees by opening sessions in their names” as well as emailing himself proprietary code.


Other news

UK cultural institutions advised on reducing cyber risks

The NCSC (National Cyber Security Centre) and the DCMS (Department for Culture, Media & Sport) held talks with representatives of the UK’s cultural sector about protecting institutions’ digital collections from ransomware and other cyber attacks.

CISA issues update on school cyber security challenges

The US Department of Education and CISA (US Cybersecurity and Infrastructure Agency) have published a brief about how to meet the cyber security challenges facing the K-12 sector (education from kindergarten to 12th grade). ‘K-12 Digital Infrastructure Brief: Defensible and Resilient’ urges school vendors and suppliers to implement secure-by-design principles that make robust security settings the default.

China publishes draft data security response plan

China’s Ministry of Industry and Information Technology has published a draft plan setting out how local governments and organisations should respond to cyber security incidents. According to Reuters, the plan proposes a four-tier classification system based on an attack’s impact on “national security, a company’s online and information network, or the running of the economy”.


Key dates

15 December 2023 – SEC cyber security rules, Forms 10-K and 20-F

Deadline for all registrants, including smaller reporting companies, to start providing cyber security risk management, strategy and governance disclosures in Forms 10-K and 20-F.

18 December 2023 – SEC cyber security rules, Forms 8-K and 6-K

Deadline for registrants that aren’t smaller reporting companies to start disclosing material cyber security incidents in Forms 8-K and 6-K.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


The post The Week in Cyber Security and Data Privacy: 11 – 18 December 2023 appeared first on IT Governance UK Blog.