Welcome to this week’s round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Hathway breached, 41.5 million customers’ data compromised
A threat actor using the handle dawnofdevil has claimed responsibility for a December 2023 data breach at Hathway Cable & Datacom Ltd, one of India’s largest Internet service providers. The actor claims to have obtained 41.5 million customers’ records after exploiting a vulnerability in a Laravel-based web application run by Hathway. The compromised data allegedly includes names, email addresses and phone numbers. As with all criminal claims in this round-up, the figures are the attacker’s own and have not been independently confirmed.
Data breached: 41,500,000 records.
LockBit claims responsibility for Capital Health security incident
The LockBit ransomware group has claimed responsibility for an attack on Capital Health, a healthcare provider in Pennington, New Jersey, in November 2023. The group claims to have exfiltrated more than 10 million files. Capital Health operates two hospitals in the New Jersey-Pennsylvania region: Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell.
Data breached: >10 million records.
HealthEC LLC breached, almost 4.5 million individuals affected
HealthEC LLC, a health technology company, has announced that it suffered a data breach in July 2023, in which systems were accessed and files were copied. Information relating to nearly 4.5 million people was compromised, including names, addresses, dates of birth, Social Security numbers, taxpayer identification numbers, medical information, health insurance information, and billing and claims information.
Data breached: 4,452,782 records.
Publicly disclosed data breaches and cyber attacks: full list
This week, we’ve found 71,561,990 records known to be compromised, and 260 organisations suffering a newly disclosed incident. 79 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.
We’ve also found 8 organisations providing a significant update on a previously disclosed incident.
Organisation | Sector | Location | Data breached? | Known records breached
Hathway Cable & Datacom Ltd Source (New) | Telecoms | India | Yes | 41,500,000
Capital Health Source 1; source 2 (Update) | Healthcare | USA | Yes | >10,000,000
HealthEC Source 1; source 2 (Update) | Software | USA | Yes | 4,452,782
Cross Switch S.à.r.l. Source (New) | Software | Luxembourg | Yes | 3,600,000
Consórcio Canopus Source (New) | Professional services | Brazil | Yes | 1,400,000
The Teaching Company (Wondrium by The Great Courses) Source (New) | Education | USA | Yes | 1.3 TB
Gräbener Maschinentechnik GmbH & Co. KG Source 1; source 2 (New) | Manufacturing | Germany | Yes | 1.1 TB
National Automobile Dealers Association Source (New) | Retail | USA | Yes | 1,065,000
Halara Cannabis Source (New) | Manufacturing | USA | Yes | >1,000,000
Proax Technologies Ltd. Source (New) | Manufacturing | Canada | Yes | 855 GB
Thermosash Commercial Limited Source (New) | Construction | New Zealand | Yes | 776,229
Bradford Health Services Source (New) | Healthcare | USA | Yes | 626,837
Electrostim Medical Services, Inc. Source 1; source 2 (New) | Manufacturing | USA | Yes | 542,990
Park Holidays UK Source (New) | Hospitality | UK | Yes | 515 GB
North Kansas City Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | 502,438
NJ Technologies (MyEstatePoint Property Search) Source (New) | Software | India | Yes | >497,000
Gunning & LaFazia, Inc. Source (New) | Legal | USA | Yes | 310,297
Bit24.cash Source (New) | Crypto | Iran | Yes | 230,000
Leonard’s Express Source (New) | Transport | USA | Yes | 182 GB
Edmonds School District Source (New) | Education | USA | Yes | 145,844
NALS Apartment Homes Source (New) | Real estate | USA | Yes | 145 GB
GeoLogics Corporation Source (New) | IT services | USA | Yes | 122.89 GB
Grupo SCA Source (New) | Professional services | Spain | Yes | >100 GB
Meridian Behavioral Healthcare, Inc. Source 1; source 2; source 3; source 4 (Update) | Healthcare | USA | Yes | 98,808
Agro Baggio Máquinas Agrícolas LTDA Source 1; source 2 (New) | Manufacturing | Brazil | Yes | 70 GB
ConsensioHealth, LLC Source (New) | Healthcare | USA | Yes | 60,871
Network180 Source 1; source 2; source 3 (New) | Healthcare | USA | Yes | 59,334
UKG Inc. and New York City Health and Hospitals Source (New) | Software | USA | Yes | 45,966
Southeastern Orthopaedic Specialists Source 1; source 2 (New) | Healthcare | USA | Yes | 35,533
Diablo Valley Oncology & Hematology Medical Group Source (New) | Healthcare | USA | Yes | >30 GB
Swiss Air Force Source (New) | Defence | Switzerland | Yes | 30 GB
Project M.O.R.E., Inc. Source (New) | Non-profit | USA | Yes | 26,390
Housing Authority of the County of San Bernardino Source (New) | Public | USA | Yes | 18,689
Kershaw County School District Source (New) | Education | USA | Yes | 17.5 GB
Fincantieri Marine Group, LLC Source (New) | Manufacturing | USA | Yes | 16,769
Buckley King LPA Source (New) | Legal | USA | Yes | 15,282
Quaker Windows & Doors Source 1; source 2 (Update) | Retail | USA | Yes | 10,988
Senior Scripts Source 1; source 2 (New) | Healthcare | USA | Yes | 10,566
The Foleck Center Source 1; source 2 (New) | Healthcare | USA | Yes | 6,965
Healix Infusion Therapy, LLC Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 6,026
Lone Peak Physical Therapy Source 1; source 2 (New) | Healthcare | USA | Yes | 5,809
Humana Source 1; source 2 (New) | Insurance | USA | Yes | 2,844
Barrick Gold Corporation Source (New) | Mining | Canada | Yes | 2,761
EAFC Maquisistema Source (New) | Finance | Peru | Yes | 2,746
Woodsville Guaranty Savings Bank Source (New) | Finance | USA | Yes | 2,483
LACERA and State Street Source (New) | Public and finance | USA | Yes | 2,400
Tata Consultancy Services and System for Pension Administration Raksha Source (New) | IT services and defence | India | Yes | “thousands”
Molina Healthcare of Ohio, Inc. Source 1; source 2 (New) | Healthcare | USA | Yes | 1,977
Eyefinity Source 1; source 2 (New) | Software | USA | Yes | 1,353
Los Angeles County Department of Mental Health Source 1; source 2 (New) | Public | USA | Yes | 1,284
Elevate ENT Partners Source (New) | Healthcare | USA | Yes | 1,053
The Middlefield Banking Company Source 1; source 2 (Update) | Finance | USA | Yes | 1,025
Amerigroup Iowa, Inc. Source (New) | Healthcare | USA | Yes | 1,023
First Choice Dental Source 1; source 2 (New) | Healthcare | USA | Yes | 1,000
Qorvo, Inc. Source 1; source 2 (Update) | Manufacturing | USA | Yes | 735
Osteopathic Healing Hands Source (New) | Healthcare | USA | Yes | 707
Marathon Coach, Inc. Source (New) | Manufacturing | USA | Yes | 704
Rally Credit Union Source 1; source 2 (Update) | Finance | USA | Yes | 677
ACME Architectural Hardware Source (New) | Professional services | USA | Yes | 288
Salford City Council Source (New) | Public | UK | Yes | >100
Registro del Patrimonio Cultural Venezolano Source (New) | Public | Venezuela | Yes | 21
Court Services Victoria Source (New) | Legal | Australia | Yes | Unknown
Midwives of Windsor Source (New) | Healthcare | Canada | Yes | Unknown
Salal Sexual Violence Support Centre Source (New) | Non-profit | Canada | Yes | Unknown
London Public Library Source 1; source 2; source 3 (Update) | Public | Canada | Yes | Unknown
CoinsPaid Source (New) | Crypto | Estonia | Yes | Unknown
IPS Securex Pte Ltd Source 1; source 2 (New) | Cyber security | Singapore | Yes | Unknown
Orbit Chain Source 1; source 2 (New) | Blockchain | South Korea | Yes | Unknown
Lutheran World Federation Source (New) | Non-profit | Switzerland | Yes | Unknown
Standard Laboratories Source (New) | Environmental | USA | Yes | Unknown
RKL LLP Source 1; source 2 (New) | Finance | USA | Yes | Unknown
CompleteCare Health Network Source (New) | Healthcare | USA | Yes | Unknown
Cooper Aerobics Source (New) | Healthcare | USA | Yes | Unknown
Essen Health Care Source (New) | Healthcare | USA | Yes | Unknown
Highland Oncology Group Source (New) | Healthcare | USA | Yes | Unknown
Navvis & Company and SSM Health Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown
Hartwell Source 1; source 2 (New) | Insurance | USA | Yes | Unknown
Neste US Source (New) | Manufacturing | USA | Yes | Unknown
The Switch Source 1; source 2 (New) | Media | USA | Yes | Unknown
Gallery Systems, Museum of Fine Arts Boston, Rubin Museum of Art and Crystal Bridges Museum of American Art Source 1; source 2 (New) | Software and non-profit | USA | Yes | Unknown
Gamma Source 1; source 2 (New) | Crypto | Unknown | Yes | Unknown
Radiant Capital Source (New) | Crypto | Unknown | Yes | Unknown
Election Commission (Smart Election Management BD) Source (New) | Public | Bangladesh | Unknown | Unknown
Memorial University of Newfoundland Source (New) | Education | Canada | Unknown | Unknown
Communauté de Communes du Pays Fouesnantais Source (New) | Public | France | Unknown | Unknown
Commune de Saint-Philippe Source (New) | Public | France | Unknown | Unknown
Gobierno de Guatemala Source (New) | Public | Guatemala | Unknown | Unknown
Beirut International Airport Source (New) | Transport | Lebanon | Unknown | Unknown
Ministry of Foreign Affairs Source (New) | Public | Maldives | Unknown | Unknown
Ministry of Tourism Maldives Source (New) | Public | Maldives | Unknown | Unknown
The President’s Office Source (New) | Public | Maldives | Unknown | Unknown
Government of Nepal Source (New) | Public | Nepal | Unknown | Unknown
120 government and 47 other UAE domains Source (New) | Public and unknown | UAE | Unknown | Unknown
Mandiant Source 1; source 2; source 3 (New) | Cyber security | USA | Unknown | Unknown
loanDepot Source (New) | Finance | USA | Unknown | Unknown
City of Beckley, West Virginia Source (New) | Public | USA | Unknown | Unknown
Orange Spain Source (New) | Telecoms | Spain | No | 0
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record (so 1 GB = 1,000 records and 1 TB = 1,000,000 records). We can’t know the exact numbers, because they depend on the types of records included (pictures and medical histories are considerably larger files than names and addresses), so we err on the side of caution with this formula. We believe it underestimates the records breached in most cases, but it is more useful than providing no number at all. Entries marked “Unknown”, or given only as a quoted word such as “thousands”, do not contribute to the weekly total; a leading “>” is treated as a lower bound and the stated number is used.
AI
FTC accepting submissions for Voice Cloning Challenge
The US Federal Trade Commission has begun accepting submissions for its Voice Cloning Challenge, which aims to develop ideas to mitigate the risk of AI-enabled voice cloning for fraud. The FTC will accept submissions until 12 January.
NIST identifies “adversarial machine learning” threats
New guidance from NIST offers approaches to mitigate AI malfunctions caused by exposure to untrustworthy data. The publication, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2 E2023), classifies attacks on predictive and generative AI systems by the attacker’s goals and capabilities (evasion, poisoning, privacy and abuse attacks) and surveys current mitigations and their limitations. It is part of NIST’s broader effort to support the development of trustworthy AI.
OpenAI moves European HQ to Dublin
OpenAI is moving its main establishment in Europe to Dublin, listing its Irish office as its data controller for the EEA and Switzerland under the EU GDPR. This means the Irish Data Protection Commission will be OpenAI’s lead supervisor in the EU. The new Europe terms of use will apply from 15 February.
Enforcement
19 people charged after cyber crime investigation into xDedic Marketplace
An investigation into the xDedic Marketplace, a dark web site that sold access to compromised servers and stolen personal data to criminals until it was seized by US law enforcement and international partners in 2019, has resulted in 19 people being charged.
Man charged for alleged business email compromise scheme
Olusegun Samson Adejorin of Nigeria has been charged with wire fraud, aggravated identity theft and unauthorised access to a protected computer in relation to a $7.5 million scheme to defraud two charitable organisations by impersonating employees and accessing their email accounts.
BreachForums admin violates release conditions by using VPN
Conor Brian Fitzpatrick, aka Pompompurin, the former admin of the now-defunct BreachForums website, which cyber criminals used to exchange stolen data, has violated the conditions of his release by using a computer and VPN (virtual private network) without enabling the court-prescribed monitoring software. Fitzpatrick was arrested in March 2023.
Other news
Turkish cyber espionage campaign targets Netherlands
The cyber security company Hunt & Hackett has detected a campaign of cyber attacks targeting victims in the Netherlands and originating in Turkey. The perpetrators, known as Sea Turtle, Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf, are known to target organisations in Europe and the Middle East, especially governmental bodies, telecoms organisations, ISPs, IT service providers, and media and entertainment organisations.
noyb files complaint with Austrian data protection authority against creditors’ association
The privacy rights campaign group noyb has filed a complaint against the creditors’ association KSV1870 for charging data subjects to access their personal data, in contravention of Article 15 of the EU GDPR. KSV’s website urges people to buy an ‘InfoPass’ rather than providing individuals with a free copy of their data.
European Central Bank to test banks’ resilience to cyber attacks
The European Central Bank will conduct stress tests on banks in Europe to determine their cyber resilience. 109 banks must undertake vulnerability assessments and evaluate their incident response measures by mid-2024.
Key dates
10 January 2024 – ICO consultation on AI guidance and toolkits closes
An Information Commissioner’s Office consultation on the AI guidance and toolkits available to organisations closes on 10 January. The research, conducted by IFF Research, seeks the views of data protection officers and AI engineers.
17 January – first batch of DORA technical standards due to be submitted
Three European supervisory authorities – the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority) and ESMA (European Securities and Markets Authority) – are currently developing DORA policy products for compliance with the EU Digital Operational Resilience Act. The first batch – a set of four technical standards (regulatory technical standards and an implementing technical standard) covering Articles 15, 16(3), 18(3), 28(9) and 28(10) – is due to be submitted to the European Commission by 17 January 2024.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
The post The Week in Cyber Security and Data Privacy: 1 – 7 January 2024 appeared first on IT Governance UK Blog.