Welcome to this week’s round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Massive data breach potentially exposes entire Brazilian population
Researchers have discovered a publicly accessible Elasticsearch instance containing the private data of hundreds of millions of Brazilians, including full names, dates of birth, sex and Cadastro de Pessoas Físicas numbers – the 11-digit number that identifies individual taxpayers. The data is no longer publicly available.
Data breached: >223,000,000 records.
Al Mujtama Pharmacy allegedly breached, more than 7 million records affected
More than 7 million data records belonging to the Saudi pharmacy Al Mujtama have reportedly been published on an underground forum. The 3.3 GB database includes names, email addresses, phone numbers and passwords.
Data breached: >7,000,000 records.
Vauxhall Motors database with 5.5 million records leaked
Attackers have published a sample of data allegedly exfiltrated from Vauxhall Motors following a data breach affecting 5.5 million call logs between employees and customers. Compromised data includes user IDs, call dates and phone numbers.
Data breached: 5,500,000 records.
Publicly disclosed data breaches and cyber attacks: full list
This week, we’ve found 249,142,212 records known to be compromised, and 108 organisations suffering a newly disclosed incident. Of those, 94 are known to have had data breached, and only 4 definitely haven’t had data breached.
We’ve also found 16 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known records breached |
|---|---|---|---|---|
| Unknown Brazilian organisation Source (New) | Unknown | Brazil | Yes | >223,000,000 |
| Al Mujtama Pharmacy Source (New) | Manufacturing | Saudi Arabia | Yes | >7,000,000 |
| Vauxhall Motors Ltd Source (New) | Manufacturing | UK | Yes | 5,500,000 |
| Raptor Technologies, LLC Source (New) | IT services | USA | Yes | 4,024,001 |
| Hathway Cable & Datacom Ltd Source 1; source 2 (Update) | Telecoms | India | Yes | Almost 4,000,000 |
| NASCO Source 1; source 2 (Update) | Insurance | USA | Yes | 1,696,867 |
| Ministry of Foreign Affairs Source (New) | Public | Saudi Arabia | Yes | >1,400,000 |
| Fidelity National Financial Source 1; source 2 (Update) | Finance | USA | Yes | 1,300,000 |
| Halara Source (Update) | Retail | USA | Yes | 941,910 |
| Indian Railways Institute of Mechanical and Electrical Engineering Source (New) | Education | India | Yes | 908,626 |
| Hi-Cone Source (New) | Manufacturing | USA | Yes | 650 GB |
| Ursel Phillips Fellows Hopkinson LLP Source (New) | Legal | Canada | Yes | 365 GB |
| Infiniti Mall Source (New) | Retail | India | Yes | 280,000 |
| Malabar Gold & Diamonds Source (New) | Retail | India | Yes | 270 GB |
| Health Alliance Hospital Mary’s Avenue Campus Source 1; source 2 (New) | Healthcare | USA | Yes | 264,197 |
| Singing River Health System Source (New) | Healthcare | USA | Yes | 252,890 |
| The Harris Center for Mental Health and IDD Source 1; source 2 (New) | Healthcare | USA | Yes | 238,463 |
| Eckell Sparks Source (New) | Legal | USA | Yes | 175 GB |
| Bogart Source (New) | Retail | France | Yes | 152 GB |
| Acutis Diagnostics Source 1; source 2 (New) | Healthcare | USA | Yes | 137 GB |
| Independent Living Systems, LLC Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 123,651 |
| R. Robertson Insurance Brokers Ltd Source (New) | Insurance | Canada | Yes | 120 GB |
| Team Liquid (Liquipedia) Source (New) | Leisure | Netherlands | Yes | 118,989 |
| SPRIM Source (New) | Healthcare | Spain | Yes | 113,000 |
| Inspiring Vacations Source (New) | Leisure | Australia | Yes | 112,605 |
| Shibley Righton LLP Source (New) | Legal | Canada | Yes | 92 GB |
| Cooper Aerobics Source 1; source 2 (Update) | Healthcare | USA | Yes | 89,399 |
| HMG Healthcare Source 1; source 2; source 3 (New) | Healthcare | USA | Yes | 80,000 |
| Senior PsychCare Source (New) | Healthcare | USA | Yes | 65,193 |
| Arrowhead Regional Computing Consortium Source (New) | Finance | USA | Yes | 65,010 |
| Asbury Automotive Group Source 1; source 2 (New) | Manufacturing | USA | Yes | 62 GB |
| Milliman, Inc. Source 1; source 2 (Update) | Professional services | USA | Yes | 56,457 |
| Highlands Oncology Group Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 55,297 |
| Charm Sciences, Inc. Source (New) | Manufacturing | USA | Yes | 42 GB |
| Auto-Motion Shade Inc. Source (New) | Transport | Canada | Yes | 38 GB |
| U.S. Drug Mart Source 1; source 2 (Update) | Healthcare | USA | Yes | 36,749 |
| Elliott Group Source (New) | Manufacturing | USA | Yes | 31.5 GB |
| Dedicated Transportation Solutions Source (New) | Transport | USA | Yes | 34 GB |
| Burr & Forman LLP Source (New) | Legal | USA | Yes | 19,893 |
| Academy Mortgage Corporation Source 1; source 2 (Update) | Finance | USA | Yes | 18,290 |
| EvolvE Cryo + Wellness Source (New) | Healthcare | USA | Yes | 14,000 |
| Premium Mortgage Corporation Source (New) | Finance | USA | Yes | 10,835 |
| Tarrytown Expocare Pharmacy Source 1; source 2 (Update) | Healthcare | USA | Yes | 10,708 |
| Centennial Bank Source (New) | Finance | USA | Yes | 10,008 |
| Intercity Investments, Inc. Source (New) | Real estate | USA | Yes | 10 GB |
| Unitex Source (New) | Manufacturing | USA | Yes | 9.5 GB |
| CBIZ KA Source 1; source 2 (Update) | Healthcare | USA | Yes | 9,129 |
| BMW Montréal Centre Source (New) | Retail | Canada | Yes | 9,000 |
| Sharp Health Plan Source (New) | Insurance | USA | Yes | 8,200 |
| Nautic Partners LLC Source (New) | Finance | USA | Yes | 7,870 |
| Carnegie Mellon University Source (New) | Education | USA | Yes | 7,343 |
| Indian government (tax officers) Source (New) | Public | India | Yes | >7,000 |
| Tameside Metropolitan Borough Council Source (New) | Public | UK | Yes | 6,345 |
| HairClub Source (New) | Retail | USA | Yes | 4,334 |
| Alexandria University Source (New) | Education | Egypt | Yes | 3.03 GB |
| Rebekah Children’s Services Source (New) | Non-profit | USA | Yes | 2,805 |
| Butte School District Source 1; source 2 (Update) | Education | USA | Yes | 2,658 |
| Dignity Health Nevada St. Rose Dominican Hospital Source (New) | Healthcare | USA | Yes | 2,652 |
| DentalXChange Source 1; source 2 (New) | Software | USA | Yes | 2,574 |
| Walker County, Texas Source (New) | Public | USA | Yes | 2,420 |
| Cambridge Labour Party Source (New) | Public | UK | Yes | 1,942 |
| Hi-Crush Source 1; source 2 (New) | Energy | USA | Yes | 1,902 |
| Villager Construction, Inc. Source (New) | Construction | USA | Yes | 1,380 |
| One Stop Financial Services Source (New) | Finance | USA | Yes | 1,179 |
| Tampa Bay Surgical Group Source (New) | Healthcare | USA | Yes | 1,107 |
| Essen Health Care Source 1; source 2 (Update) | Healthcare | USA | Yes | 1,104 |
| Whitley Penn Source (New) | Finance | USA | Yes | 605 |
| Music Institute of Chicago Source (New) | Non-profit | USA | Yes | 605 |
| Marvel Consultants Source (New) | Professional services | USA | Yes | 593 |
| Dallas County Source 1; source 2 (New) | Public | USA | Yes | 501 |
| Mount Carmel Care Center Source 1; source 2 (New) | Healthcare | USA | Yes | 501 |
| Waterford Country School Source 1; source 2 (New) | Education | USA | Yes | 500 |
| Toyota Financial Services Source 1; source 2 (Update) | Finance | USA | Yes | 490 |
| American Meat Companies Source (New) | Manufacturing | USA | Yes | 367 |
| TBM Consulting Group Source (New) | Professional services | USA | Yes | 298 |
| Capital Formation Group, Inc. Source (New) | Finance | USA | Yes | 274 |
| Coastal Plains Source 1; source 2 (Update) | Healthcare | USA | Yes | 250 |
| Golf & Ski Warehouse Source (New) | Retail | USA | Yes | 122 |
| Parliament of Albania Source 1; source 2 (Update) | Public | Albania | Yes | Unknown |
| Hal Leonard Australia Source (New) | Retail | Australia | Yes | Unknown |
| Molnár & Partners Source (New) | Finance | Hungary | Yes | Unknown |
| Alkem Laboratories Ltd. Source (New) | Manufacturing | India | Yes | Unknown |
| PT Kereta Api Indonesia Source (New) | Transport | Indonesia | Yes | Unknown |
| Blowtherm Spa Source (New) | Manufacturing | Italy | Yes | Unknown |
| Tigo Business Paraguay Source (New) | Telecoms | Paraguay | Yes | Unknown |
| Ministry of Industry and Mineral Resources Source (New) | Public | Saudi Arabia | Yes | Unknown |
| Carrefour Servicios Financieros Source (New) | Finance | Spain | Yes | Unknown |
| Sudan University of Science and Technology Source (New) | Education | Sudan | Yes | Unknown |
| Tura Scandinavia AB Source 1; source 2 (New) | Manufacturing | Sweden | Yes | Unknown |
| Erbilbil Bilgisayar Source (New) | Software | Turkey | Yes | Unknown |
| M9com Source 1; source 2 (New) | Telecoms | Russia | Yes | Unknown |
| North Alabama Chapter of the Information System Security Association Source (New) | Cyber security | USA | Yes | Unknown |
| Arlington Public Schools Source (New) | Education | USA | Yes | Unknown |
| Equitrans Midstream Corporation Source 1; source 2 (New) | Energy | USA | Yes | Unknown |
| CFD Investments Source (New) | Finance | USA | Yes | Unknown |
| Keating Consulting Group Source (New) | Finance | USA | Yes | Unknown |
| Oregon Pacific Bank Source (New) | Finance | USA | Yes | Unknown |
| Allied Wound Care Specialist Source (New) | Healthcare | USA | Yes | Unknown |
| CellNetix Pathology and Laboratories Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| CINQCARE Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Morgan Pilate LLC Source (New) | Legal | USA | Yes | Unknown |
| Indigo Sky Casino Source (New) | Leisure | USA | Yes | Unknown |
| Amenitek Inc. Source (New) | Manufacturing | USA | Yes | Unknown |
| Corinth Coca-Cola Bottling Group Source (New) | Manufacturing | USA | Yes | Unknown |
| Framework Source (New) | Manufacturing | USA | Yes | Unknown |
| Lee Spring Source (New) | Manufacturing | USA | Yes | Unknown |
| Water for People Source 1; source 2 (New) | Non-profit | USA | Yes | Unknown |
| Carta Source (New) | Software | USA | Yes | Unknown |
| Resend Source (New) | Software | USA | Yes | Unknown |
| Medjet Source 1; source 2 (New) | Transport | USA | Yes | Unknown |
| Toronto Zoo Source (New) | Non-profit | Canada | Unknown | Unknown |
| IT service provider of many Handwerkskammern (Chambers of Craft) Source 1; source 2 (New) | IT services and non-profit | Germany | Unknown | Unknown |
| Juvenile Court of the Maldives Source 1; source 2 (New) | Legal | Maldives | Unknown | Unknown |
| Ayuntamiento de Calviá Source (New) | Public | Spain | Unknown | Unknown |
| Hillside Dental Practice Source (New) | Healthcare | UK | Unknown | Unknown |
| LUSH Source (New) | Retail | UK | Unknown | Unknown |
| Kraken Digital Asset Exchange Source (New) | Crypto | USA | Unknown | Unknown |
| Hyundai Middle East & Africa Source (New) | Manufacturing | UAE | No | 0 |
| Alabama Medical Cannabis Commission Source (New) | Healthcare | USA | No | 0 |
| U.S. Securities and Exchange Commission Source 1; source 2 (New) | Public | USA | No | 0 |
| NETGEAR Source (New) | Telecoms | USA | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
AI
European Commission calls for contributions on competition in virtual worlds and generative AI
The European Commission has launched a call for contributions on competition in virtual worlds and generative AI, and requested information from several large digital players. Interested parties are invited to submit their responses to the calls for contributions by 11 March.
NSA uses AI and ML to detect malicious Chinese cyber activity
Rob Joyce, the director of the US National Security Agency’s Cybersecurity Directorate, told the International Conference on Cyber Security at Fordham University earlier this month that the NSA is using AI and machine learning to detect Chinese attacks on US critical infrastructure.
Enforcement
Eurocollege Oxford English Institute fined €72,000 for GDPR infringements
The Spanish data protection authority has fined Eurocollege Oxford English Institute €72,000 for violating Articles 5, 6 and 9 of the GDPR by requiring trainees to provide certain personal information, including a criminal record certificate, to access a training course.
Former vice president of Commonwealth Health Corporation sentenced to probation for HIPAA violation
Mark Kevin Robison, a former vice president of Commonwealth Health Corporation (now Med Center Health) in Kentucky, has been sentenced to two years’ probation and ordered to pay $140,000 after reaching a plea agreement with federal prosecutors over a HIPAA violation.
‘Asia’s best hacker’ arrested in Philippines
Edgar Silvano Jr, 47, once dubbed ‘Asia’s best hacker’, was arrested in the Philippines last Friday. Police confiscated 11 mobile phones, 7 flash drives, 5 laptops, 4 SD cards, 3 Wi-Fi routers, 2 hard drives, a desktop and a modem, as well as several financial documents containing personal and bank account information belonging to other people.
Other news
UK government accused of being misleading over new encryption laws
techUK, a trade association representing more than 1,000 businesses in the technology sector, including Apple and Meta, has accused the UK government of underplaying the significance of the new Investigatory Powers (Amendment) Bill. According to a letter sent to James Cleverly MP, the Home Office’s description of the Bill “does not reflect the true significance of the changes that are being introduced”.
noyb accuses Meta of unlawfully ignoring users’ right to easily withdraw consent
The privacy rights group noyb has accused Meta’s “pay or okay” system, which requires users to pay a “privacy fee” to avoid being tracked, of violating the GDPR’s requirements relating to the withdrawal of consent. Under the GDPR, it must be as easy to withdraw your consent as it is to give it.
Multiple security vulnerabilities discovered in Bosch Rexroth torque wrench
Researchers at Nozomi Networks Labs have identified security vulnerabilities affecting the Bosch NXA015S-36V-B handheld pneumatic torque wrench and its NEXO-OS operating system. According to Bosch, the vulnerabilities could allow attackers to, among other things, read, upload, download and delete arbitrary files in all paths of the system; inject and execute arbitrary client-side script code or arbitrary HTTP response headers, or manipulate HTTP response bodies, inside a victim’s session; perform denial-of-service attacks; and access sensitive data inside exported packages.
Key dates
7 January 2024 – EU Cybersecurity Regulation enters into force
The EU’s Cybersecurity Regulation, which sets out measures for a high common level of cyber security at EU institutions, bodies, offices and agencies, entered into force on 7 January. The Regulation establishes an internal cyber security risk management, governance and control framework for each EU entity, and sets up a new Interinstitutional Cybersecurity Board to monitor and support its implementation, as well as extending the mandate of CERT-EU (the Computer Emergency Response Team for the EU institutions, bodies, offices and agencies).
17 January 2024 – First batch of DORA regulatory technical requirements due to be submitted
Three European supervisory authorities – the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority) and ESMA (European Securities and Markets Authority) – are developing DORA policy products for compliance with the EU Digital Operational Resilience Act. The first batch – a set of four regulatory technical requirements covering Articles 15, 16(3), 18(3), 28(9) and 28(10) – is due to be submitted by 17 January.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
The post The Week in Cyber Security and Data Privacy: 8 – 14 January 2024 appeared first on IT Governance UK Blog.