18,267,244 known records breached in 94 newly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
loanDepot reports an extra 324,071 victims
In January, the mortgage lender loanDepot announced in an SEC filing that an unauthorised third party had gained access to the sensitive personal information of about 16.6 million individuals in its systems.
In a new breach notification to the Maine Attorney General this week, it reported that an extra 324,071 individuals were affected. The breached data includes names, addresses, emails, phone numbers, dates of birth, and financial account and Social Security numbers.
Data breached: 16,924,071 individuals’ data.
The Colorado Department of Health Care Policy & Financing reports a further 474,936 victims
Last October, the Colorado Department of Health Care Policy & Financing notified the Maine Attorney General of a breach affecting 4,187,732 people. The incident was caused by the MOVEit Transfer vulnerability.
This week, the Department informed the Maine regulator that an additional 474,936 individuals were impacted. The breached data may include names, Social Security numbers and health insurance information.
Data breached: 4,662,668 individuals’ data.
2,350,236 individuals’ health data compromised in American Vision Partners breach
Medical Management Resource Group, L.L.C. (doing business as American Vision Partners), an eye care practitioner with more than 100 eye care centres across the US, reported a data breach affecting 2,350,236 people.
For all individuals, the breached data included names, contact details, dates of birth and medical information. For some victims, the stolen data also included Social Security numbers and health insurance information.
Data breached: 2,350,236 individuals’ data.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 18,267,244 records known to be compromised, and 94 organisations suffering a newly disclosed incident. 86 of them are known to have had data exfiltrated, exposed or otherwise breached. None are confirmed not to have had data breached.
We also found 4 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known data breached |
|---|---|---|---|---|
| loanDepot Source 1; source 2 (Update) | Finance | USA | Yes | 16,924,071 |
| Colorado Department of Health Care Policy & Financing Source 1; source 2 (Update) | Public | USA | Yes | 4,662,668 |
| Medical Management Resource Group, L.L.C. (American Vision Partners) Source 1; source 2; source 3 (New) | Healthcare | USA | Yes | 2,350,236 |
| March Construction Source (New) | Construction | USA | Yes | 1.8 TB |
| Roncelli Plastics Source (New) | Manufacturing | USA | Yes | 1.6 TB |
| The Peddie School Source (New) | Education | USA | Yes | 1.2 TB |
| Newman Ferrara Source (New) | Legal | USA | Yes | 835 GB |
| UNITE HERE Source (Update) | Professional services | USA | Yes | 791,273 |
| First Professional Services Source (New) | Healthcare | USA | Yes | 755 GB |
| BS&B Safety Systems Source (New) | Manufacturing | USA | Yes | 714.9 GB |
| Grand Paris Aménagement Source (New) | Construction | France | Yes | 653.8 GB |
| Climatech Source (New) | Manufacturing | USA | Yes | 550 GB |
| VSP Dental Source (New) | Healthcare | USA | Yes | 543 GB |
| Human Resources Technologies Source (New) | IT services | USA | Yes | 500 GB |
| Dilweg Source (New) | Finance | USA | Yes | 453 GB |
| Spine West Source (New) | Healthcare | USA | Yes | 450 GB |
| Wapiti Energy Source (New) | Energy | USA | Yes | 436.3 GB |
| Birchall Foodservice Source (New) | Hospitality | UK | Yes | 405 GB |
| Zircodata Source (New) | IT services | Australia | Yes | 395 GB |
| Wangkanai Group Source (New) | Manufacturing | Thailand | Yes | 350 GB |
| Family Health Center Source (New) | Healthcare | USA | Yes | 327 GB |
| US Merchants Source (New) | Manufacturing | USA | Yes | 245 GB |
| Tangerine Source (New) | Telecoms | Australia | Yes | 232,000 |
| Remkes Poultry Source (New) | Manufacturing | Netherlands | Yes | 190 GB |
| Hardeman County Community Health Center Source (New) | Healthcare | USA | Yes | 169 GB |
| CarePro Source 1; source 2 (New) | Healthcare | USA | Yes | 151,499 |
| Farmacia al Shefa Source (New) | Healthcare | Romania | Yes | 150 GB |
| Quik Pawn Shop Source (New) | Finance | USA | Yes | 140 GB |
| Bucher and Strauss Source (New) | Finance | Switzerland | Yes | 140 GB |
| Prime Healthcare Employee Health Plan Source 1; source 2 (New) | Healthcare | USA | Yes | 101,135 |
| Apex Internationale Spedition Source (New) | Transport | Germany | Yes | 100 GB |
| Bram Auto Group Source (New) | Manufacturing | USA | Yes | 85 GB |
| Town of Greater Napanee Source (New) | Public | Canada | Yes | 82.9 GB |
| Tiete Automobile Source (New) | Retail | Brazil | Yes | 68.5 GB |
| Delia Cosmetics Source (New) | Manufacturing | Poland | Yes | 64 GB |
| Rapid Granulator Source (New) | Manufacturing | Sweden | Yes | 60 GB |
| medQ, Inc. Source (New) | Healthcare | USA | Yes | 54,353 |
| Advanced Project Solutions Source (New) | IT services | USA | Yes | 54 GB |
| Greater Cincinnati Behavioral Health Services Source 1; source 2 (Update) | Healthcare | USA | Yes | 50,000 |
| Compression Leasing Services Source (New) | Manufacturing | USA | Yes | 41.11 GB |
| Washington County Hospital and Nursing Home Source (New) | Healthcare | USA | Yes | 31,125 |
| Crossroads Equipment Lease & Finance, LLC Source (New) | Finance | USA | Yes | 24,182 |
| EdisonLearning, Inc. Source (New) | Education | USA | Yes | 23,922 |
| DTS (Desarrollo de Tecnologia y Sistemas) Source (New) | IT services | Chile | Yes | 20 GB |
| Peer Consultants Source (New) | Professional services | USA | Yes | 20 GB |
| Wyze Source (New) | IT services | USA | Yes | 13,000 |
| Bay Area Heart Center Source 1; source 2 (New) | Healthcare | USA | Yes | 11,709 |
| Westward360 Source (New) | Real estate | USA | Yes | 11 GB |
| Greylock McKinnon Associates, Inc. Source (New) | Legal | USA | Yes | 5,465 |
| Bacon-Universal Holdings, LLC Source (New) | Construction | USA | Yes | 3,561 |
| T.Y. Lin International Group Ltd. Source (New) | Engineering | USA | Yes | 3,398 |
| GC Services Source (New) | Finance | USA | Yes | 3,043 |
| CVS Pharmacy, Inc. Source 1; source 2 (New) | Healthcare | USA | Yes | 1,896 |
| Matthews International Source (New) | Manufacturing | USA | Yes | 1,846 |
| Pond & Company Source (New) | Engineering | USA | Yes | 1,495 |
| Brazee & Huban CPAs Source (New) | Finance | USA | Yes | 1,119 |
| BlueCross BlueShield of Tennessee, Inc. and Volunteer State Health Plan, Inc. d/b/a BlueCare Plus Tennessee Source 1; source 2 (New) | Healthcare | USA | Yes | 790 |
| Roswell Park Comprehensive Cancer Center Source 1; source 2 (New) | Healthcare | USA | Yes | 755 |
| Capital Health system, Inc. Source 1; source 2 (New) | Healthcare | USA | Yes | 501 |
| Harris Beach PLLC Source (New) | Legal | USA | Yes | 486 |
| Beauty Essence, Inc. Source (New) | Leisure | USA | Yes | 409 |
| Walmart, Inc. Source (New) | Retail | USA | Yes | 204 |
| Xerox Corporation Source (New) | Professional services | USA | Yes | 181 |
| HematoLogics, Inc. Source (New) | Healthcare | USA | Yes | 99 |
| torchbyte Source (New) | Telecoms | Romania | Yes | 45 |
| Australian Department of Finance Source (New) | Public | Australia | Yes | Unknown |
| Anxun Information Technology Source (New) | Cyber security | China | Yes | Unknown |
| PSI Software Source (New) | Software | Germany | Yes | Unknown |
| Acies SRL Source (New) | Healthcare | Italy | Yes | Unknown |
| Grupo Bimbo Source (New) | Manufacturing | Mexico | Yes | Unknown |
| Axel Johnson Source (New) | Manufacturing | Sweden | Yes | Unknown |
| dasteam ag Source (New) | Professional services | Switzerland | Yes | Unknown |
| Acorn Property Group Source (New) | Construction | UK | Yes | Unknown |
| Multiple universities using the Janet Network, including Cambridge and Manchester Source (New) | Education | UK | Yes | Unknown |
| Helical Technology Source (New) | Manufacturing | UK | Yes | Unknown |
| The Chas. E. Phipps Co Source (New) | Construction | USA | Yes | Unknown |
| FixedFloat Source (New) | Crypto | USA | Yes | Unknown |
| Aeromech Source (New) | Engineering | USA | Yes | Unknown |
| Bradshaw Medical (intech) Source (New) | Healthcare | USA | Yes | Unknown |
| Maryville Addiction Treatment Center Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Radiology Associates of Ocala Source (New) | Healthcare | USA | Yes | Unknown |
| Infiniti USA Source (New) | Manufacturing | USA | Yes | Unknown |
| Pressco Technology Source (New) | Manufacturing | USA | Yes | Unknown |
| Welch’s Source (New) | Manufacturing | USA | Yes | Unknown |
| C&J Industries Source (New) | Professional services | USA | Yes | Unknown |
| Carl Fischer Music Publishing Source (New) | Retail | USA | Yes | Unknown |
| Lancaster Source (New) | Retail | USA | Yes | Unknown |
| U-Haul Source (New) | Retail | USA | Yes | Unknown |
| Andfla Source (New) | Agriculture | Romania | Unknown | Unknown |
| CRB Group Source (New) | Construction | USA | Unknown | Unknown |
| KHS&S Contractors Source (New) | Construction | USA | Unknown | Unknown |
| Dunaway Source (New) | Engineering | USA | Unknown | Unknown |
| Change Healthcare Source (New) | Healthcare | USA | Unknown | Unknown |
| Ernest Health Source (New) | Healthcare | USA | Unknown | Unknown |
| National Dentex Labs Source (New) | Healthcare | USA | Unknown | Unknown |
| Silgan Holdings Source (New) | Manufacturing | USA | Unknown | Unknown |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Because the exact number of records depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
Enforcement
ICO orders leisure centre to stop using facial recognition technology to monitor staff
The ICO (Information Commissioner’s Office) has ordered Serco Leisure and several associated community leisure trusts to stop using facial recognition technology to monitor employee attendance as this is “neither fair nor proportionate under data protection law”, according to the UK Information Commissioner.
On the same day the ICO issued this enforcement notice, it published new guidance for using biometric data.
New US Executive Order issued to strengthen US port security
The Biden-Harris administration is issuing an Executive Order to strengthen the security of US ports. Cyber incidents that endanger “any vessel, harbor, port, or waterfront facility” must be reported. The US Coast Guard is also given the authority to respond to “malicious cyber activity”.
Other news
LockBit ransomware group recovers from law enforcement disruption
Last week, we reported that law enforcers disrupted the LockBit ransomware group. Four days later, the group recovered. Its blog has now reappeared, as well as a leak page containing folders for “dozens” of victims.
NSA announces retirement of director of cyber security
The US NSA (National Security Agency) has announced the retirement of its director of cyber security, Rob Joyce. He’ll be succeeded by David Luber.
Key date
31 March 2024 – PCI DSS v4.0 transitioning deadline
Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
The post The Week in Cyber Security and Data Privacy: 19 – 25 February 2024 appeared first on IT Governance UK Blog.