38,846,799 known records breached in 140 publicly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Eye4Fraud database allegedly leaked – 14.9 million lines of unique data being sold
A threat actor claims to be selling 14.9 million lines of data, with unique email addresses, from around 29 million order records from Eye4Fraud, a US company offering fraud protection software. At the time of writing, it’s unclear whether this is related to a 2023 data breach suffered by the company, as discussed by Have I Been Pwned’s Troy Hunt last March.
Data breached: 14,900,000 lines.
13.3 million Gumtree user records allegedly for sale
A user database from the classified advertising platform Gumtree has allegedly been offered for sale on a hacking forum. According to the threat actor, the database contains 13.3 million unique records, with 9.4 million of them originating from South Africa, 2.6 million from Poland, 900,000 from Singapore and 500,000 from Ireland.
Data breached: 13,300,000 records.
Schneider Electric hit by Cactus ransomware
The Sustainability Business division of the energy company Schneider Electric suffered a ransomware attack on 17 January, disrupting the company’s Resource Advisor platform. According to Bleeping Computer, the Cactus ransomware gang stole “terabytes of corporate data”, which it’s threatening to leak if a ransom isn’t paid.
Data breached: “terabytes of corporate data”.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 38,846,799 records known to be compromised, and 140 organisations suffering a newly disclosed incident. 123 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.
We also found 17 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known records breached |
| Eye4Fraud Source (New) |
Finance | USA | Yes | 14,900,000 |
| Gumtree Source (New) |
IT services | South Africa | Yes | 13,300,000 |
| Schneider Electric Source (New) |
Energy | France | Yes | “terabytes” of data |
| BeatBase ApS Source (New) |
IT services | Denmark | Yes | 1,648,030 |
| Football Australia Source 1; source 2 (New) |
Leisure | Australia | Yes | 1,421,804 |
| Indian Bank Source (New) |
Finance | India | Yes | 990,000 |
| FOOTDISTRICT Source (New) |
Retail | Spain | Yes | 943,797 |
| MESVision Source 1; source 2 (Update) |
Healthcare | USA | Yes | 667,567 |
| Ministry of Health (Rio Negro) Source (New) |
Public | Argentina | Yes | >650,000 |
| CloudFire and 8 other Italian companies Source 1; source 2 (Update) |
IT services and unknown | Italy | Yes | 400 GB |
| Direct Trading Technologies LTD Source (New) |
Finance | Saudi Arabia | Yes | >300,000 |
| Chamber of Deputies of Romania Source 1; source 2 (New) |
Public | Romania | Yes | >250 GB |
| Gaming Underground Network Source (New) |
Other | Unknown | Yes | 246,412 |
| Abel Santos y Asociados Source (New) |
Professional services | Argentina | Yes | 224 GB |
| Black Butte Coal Source (New) |
Mining | USA | Yes | 213 GB |
| Benjamin Plumbing Inc Source (New) |
Construction | USA | Yes | 188 GB |
| HopSkipDrive Source (New) |
Software | USA | Yes | 155,394 |
| LUSH Source 1; source 2; source 3 (Update) |
Retail | UK | Yes | >110 GB |
| North American University Source (New) |
Education | USA | Yes | 108 GB |
| FEPCO Zona Franca SAS Source (New) |
Energy | Colombia | Yes | >100 GB |
| Emmanuel College (Boston) Source (New) |
Education | USA | Yes | 89,064 |
| GEICO Source 1; source 2 (Update) |
Insurance | USA | Yes | 71,490 |
| Infosys McCamish Systems Source (New) |
Insurance | USA | Yes | 57,028 |
| Dirox Source (New) |
Software | France | Yes | 50 GB |
| Veterans Health Administration Source 1; source 2 (Update) |
Healthcare | USA | Yes | 46,677 |
| Bankers Life Source (New) |
Insurance | USA | Yes | 45,842 |
| Knight Barry Title Group Source (New) |
Real estate | USA | Yes | 44,910 |
| Prestige Care, Inc. Source (New) |
Healthcare | USA | Yes | 38,087 |
| TRISTAR Insurance Group Source 1; source 2 (Update) |
Insurance | USA | Yes | 35,120 |
| Investor’s Business Daily Source (New) |
Media | USA | Yes | 35,000 |
| Coastal Hospice & Palliative Care Source 1; source 2 (New) |
Healthcare | USA | Yes | 29,100 |
| Arvest Bank Source (New) |
Finance | USA | Yes | 26,388 |
| Washington National Insurance Company Source (New) |
Insurance | USA | Yes | 20,360 |
| Corbett Exterminating Source (New) |
Environmental | USA | Yes | 20 GB |
| AnyDesk Software Source 1; source 2 (New) |
Software | Germany | Yes | 18,317 |
| National Advisors Trust Company Source (New) |
Finance | USA | Yes | 14,043 |
| Realmforge Studios GmbH Source (New) |
Software | Germany | Yes | 13 GB |
| Michigan Catholic Conference Source (New) |
Non-profit | USA | Yes | 12,652 |
| Humana Source 1; source 2 (New) |
Insurance | USA | Yes | 12,539 |
| eBay Source (New) |
IT services | USA | Yes | 12,000 |
| TGI Direct, Inc. Source 1; source 2 (New) |
Professional services | USA | Yes | 11,556 |
| Poder Judicial de Santa Cruz Source (New) |
Legal | Argentina | Yes | 8,732 |
| J.D. Gilmour Source (New) |
Insurance | USA | Yes | 6,838 |
| Universidad Nacional de Entre Ríos Source (New) |
Education | Argentina | Yes | 5,307 |
| National Board of Osteopathic Medical Examiners Source (New) |
Non-profit | USA | Yes | 4,310 |
| Catholic Diocese of Lansing Source (New) |
Non-profit | USA | Yes | 4,124 |
| Omaha Firefighters Healthcare Trust Source 1; source 2 (New) |
Insurance | USA | Yes | 3,567 |
| Sirius Federal Source 1; source 2 (Update) |
IT services | USA | Yes | 3,266 |
| PrintingCenterUSA Source (New) |
Retail | USA | Yes | 3,159 |
| Concord Music Group, Inc. Source (New) |
Leisure | USA | Yes | 3,131 |
| Timex Group Source (New) |
Manufacturing | USA | Yes | 3,085 |
| GC Services Source (New) |
Finance | USA | Yes | 2,824 |
| Veterans Health Administration Source 1; source 2 (New) |
Healthcare | USA | Yes | 2,380 |
| Ministerio de Justicia (Buenos Aires) Source (New) |
Legal | USA | Yes | >2,000 |
| Artesia General Hospital Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,985 |
| Rensselaer Polytechnic Institute and Athletic Trainer System Source (New) |
Education and software | USA | Yes | 1,799 |
| Webber Chiropractic Sports Clinic Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,695 |
| Catholic Charities of the Archdiocese of Miami, Inc. Source 1; source 2; source 3 (Update) |
Non-profit | USA | Yes | 1,500 |
| OrthoArkansas, PA Employee Benefit Plan Source (New) |
Insurance | USA | Yes | 1,270 |
| European Parliament Source (New) |
Public | Belgium | Yes | 1,000 |
| Regence BlueCross BlueShield of Oregon Source 1; source 2 (New) |
Insurance | USA | Yes | 856 |
| Kern Regional Center Source 1; source 2 (New) |
Non-profit | USA | Yes | 700 |
| Coppola Physical Therapy Source (New) |
Healthcare | USA | Yes | 632 |
| Coastal Plains Community Mental Health Mental Retardation Center Source 1; source 2 (New) |
Healthcare | USA | Yes | 500 |
| Entellus, Inc. Source (New) |
Construction | USA | Yes | 491 |
| Fort Worth Source (Update) |
Public | USA | Yes | 448 |
| Infotech Source (New) |
Software | USA | Yes | 355 |
| Professional Compounding Centers of America Source (New) |
Manufacturing | USA | Yes | 316 |
| Mobile phones in Jordan, including of journalists, lawyers and activists Source (New) |
Media, legal and unknown | Jordan | Yes | >35 |
| Yaunique Tompkins Source (New) |
Healthcare | USA | Yes | 4 |
| Poder Judicial del Chubut Source (New) |
Legal | Argentina | Yes | Unknown |
| Policía de Santa Cruz Source (New) |
Public | Argentina | Yes | Unknown |
| Central Coast Council and other organisations Source (New) |
Public | Australia | Yes | Unknown |
| Elite Supplements Source (New) |
Retail | Australia | Yes | Unknown |
| Nubank Source (New) |
Finance | Brazil | Yes | Unknown |
| Global Affairs Canada Source (New) |
Public | Canada | Yes | Unknown |
| Egyptian Tax Authority Source (New) |
Public | Egypt | Yes | Unknown |
| Reykjavik University Source (New) |
Education | Iceland | Yes | Unknown |
| Baruch Padeh Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Barzilai Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Bnai Zion Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Carmel Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Emek Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Galilee Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Hadassah Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| HaSharon Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Hillel Yaffe Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Ichilov Hospital Source (New) |
Healthcare | Israel | Yes | Unknown |
| Kaplan Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Meir Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Rabin Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Schneider Children’s Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Shamir Medical Center (Assaf Harofeh) Source (New) |
Healthcare | Israel | Yes | Unknown |
| Sheba Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Soroka Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Wolfson Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Yoseftal Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| ZIV Medical Center Source (New) |
Healthcare | Israel | Yes | Unknown |
| Elad Health Source (New) |
IT services | Israel | Yes | Unknown |
| CasaSpeciale.it Source (New) |
Real estate | Italy | Yes | Unknown |
| E&T Solutions Source (New) |
Telecoms | Mexico | Yes | Unknown |
| Norske Boligbyggelag Source (New) |
Non-profit | Norway | Yes | Unknown |
| Helthjem Source (New) |
Transport | Norway | Yes | Unknown |
| Derrama Magisterial Source (New) |
Consumer services | Peru | Yes | Unknown |
| CNPC Peru Source (New) |
Energy | Peru | Yes | Unknown |
| Passenger Rail Agency of South Africa Source (New) |
Transport | South Africa | Yes | Unknown |
| AUSA Source (New) |
Manufacturing | Spain | Yes | Unknown |
| Teo City Council Source (New) |
Public | Spain | Yes | Unknown |
| The Oxford Academy Source (New) |
Education | UK | Yes | Unknown |
| UNISON Source (New) |
Non-profit | UK | Yes | Unknown |
| Class Charts Source (New) |
Software | UK | Yes | Unknown |
| CMG Drainage Engineering, Inc. Source (New) |
Construction | USA | Yes | Unknown |
| Curtainwall Design and Consulting, Inc. Source 1; source 2 (New) |
Construction | USA | Yes | Unknown |
| Daher Contracting Inc. Source (New) |
Construction | USA | Yes | Unknown |
| Nabholz Construction Source 1; source 2 (New) |
Construction | USA | Yes | Unknown |
| Chris Larsen (Ripple) Source (New) |
Crypto | USA | Yes | Unknown |
| William Jewell College Source 1; source 2 (New) |
Education | USA | Yes | Unknown |
| Encore Bank Source (New) |
Finance | USA | Yes | Unknown |
| Sigrist, Cheek, Potter & Huyser Source (New) |
Finance | USA | Yes | Unknown |
| Atlanta Women’s Health Group Source 1; source 2 (New) |
Healthcare | USA | Yes | Unknown |
| CarePro Health Services Source 1; source 2 (New) |
Healthcare | USA | Yes | Unknown |
| Saint Anthony Hospital Source 1; source 2; source 3 (New) |
Healthcare | USA | Yes | Unknown |
| Ortho Development Corporation Source 1; source 2 (New) |
Manufacturing | USA | Yes | Unknown |
| One America News Network Source (New) |
Media | USA | Yes | Unknown |
| Commonwealth Sign Company Source (New) |
Professional services | USA | Yes | Unknown |
| Digitel GSM Source 1; source 2; source 3 (New) |
Telecoms | Venezuela | Yes | Unknown |
| Abracadabra Money Source (New) |
Crypto | Unknown | Yes | Unknown |
| INSTAT Source (New) |
Public | Albania | Unknown | Unknown |
| Salud Total EPS-S Source (New) |
Healthcare | Colombia | Unknown | Unknown |
| Súperintendencia Nacional de Salud Source (New) |
Public | Colombia | Unknown | Unknown |
| Instituto de Seguridad Social de la Policía Nacional Source (New) |
Public | Ecuador | Unknown | Unknown |
| Alcaldía Municipal de La Unión Source (New) |
Public | El Salvador | Unknown | Unknown |
| aminia Source (New) |
Telecoms | Malaysia | Unknown | Unknown |
| Connexus Source (New) |
Real estate | UK | Unknown | Unknown |
| Coordination Headquarters for the Treatment of Prisoners of War Source (New) |
Public | Ukraine | Unknown | Unknown |
| Freehold Township School District Source (New) |
Education | USA | Unknown | Unknown |
| Groton Public Schools Source (New) |
Education | USA | Unknown | Unknown |
| Lurie Children’s Source 1; source 2 (New) |
Healthcare | USA | Unknown | Unknown |
| City of Germantown Source (New) |
Public | USA | Unknown | Unknown |
| Fulton County Government Source (New) |
Public | USA | Unknown | Unknown |
| Beaumont Independent School District and phone provider Source (New) |
Education and telecoms | USA | Unknown | Unknown |
| dark.fail Source (New) |
Media | Unknown | Unknown | Unknown |
| Cloudflare Source (New) |
Cyber security | USA | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
AI
EU representatives unanimously approve AI Act
The Committee of Permanent Representatives, or Coreper, unanimously voted in favour of the EU’s AI Act on 2 February, after the bloc’s three largest economies – France, Germany and Italy – overcame their reservations about the Act’s regulatory regime.
Italian data protection authority notifies OpenAI of GDPR breaches
Following last March’s temporary ban in the country, Italy’s data protection regulator, the Garante per la Protezione dei Dati Personali, has notified ChatGPT’s parent company, OpenAI, that it has identified several breaches of data protection law. OpenAI has 30 days to submit counterclaims about the alleged breaches.
Europcar confirms alleged data breach is false
Europcar has confirmed that a database of nearly 50 million customer records purportedly stolen from the company is fake. “The record number is completely wrong, the sample data is probably generated by ChatGPT (addresses do not exist, ZIP code does not match the US state, first and last names do not match email addresses, email addresses use very unusual tlds), and, most importantly, none of the email addresses are in our database”, the company said.
Enforcement
Uber fined €10 million for GDPR breaches
The Dutch data protection authority, Autoriteit Persoonsgegevens, has fined Uber €10 million for failing to be transparent about its data retention practices and making it difficult for drivers to exercise their data privacy rights.
INTERPOL operation targets global cyber crime
Operation Synergia, an INTERPOL operation involving 60 law enforcement agencies from more than 50 countries, has identified 1,300 malicious command-and-control servers involved in phishing, malware and ransomware attacks. 70% of the servers have been taken down and the remainder are under investigation.
ICO publishes progress update about cookie enforcement
The Information Commissioner’s Office wrote to 53 of the UK’s biggest websites about their cookie practices last November, warning that they’d face enforcement action if they didn’t comply with data protection law. The ICO now reports that 38 of those 53 have updated their cookie banners and 4 have committed to reach compliance. The remainder are working on solutions.
Other news
EDPB launches open-source website auditing tool
The European Data Protection Board has launched an audit tool that can help analyse websites’ compliance with the law. It is available for download here and the source code is available here.
European Commission adopts cyber security certification scheme
The European Commission has adopted the first European cyber security certification scheme, in line with the EU Cybersecurity Act. The voluntary scheme provides a set of rules and procedures on how to certify ICT products.
EU and US enhance cyber security cooperation
The EU and US have issued a joint statement about the importance of cooperation about cyber resilience. The statement sets out the EU and US’s shared objectives for a secure cyberspace.
US GAO publishes ransomware report
The US Government Accountability Office has published a study into federal agencies’ cyber security practices and, in particular, how prepared they are to mitigate the risk of ransomware.
Key dates
31 March 2024 – PCI DSS v4.0 transitioning deadline
Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
The post The Week in Cyber Security and Data Privacy: 29 January – 4 February 2024 appeared first on IT Governance UK Blog.