134,503,937 known records breached in 1,091 newly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Misconfigured Google Firebase instances expose almost 125 million user records
On 10 January, a security researcher known as ‘MrBruh’ reported on vulnerabilities in the AI hiring system Chattr.ai, which is used by many US fast food chains.
According to MrBruh, attackers could register Chattr profiles with full privileges by exploiting misconfigurations in Google Firebase – a Cloud-based mobile application platform.
This gave them access to names, phone numbers, emails, plaintext passwords, branch locations, confidential messages and shift information for Chattr employees, franchisee managers and job applicants.
MrBruh, alongside two other researchers who go by the names ‘Logykk’ and ‘xyzeva’/’Eva’, then scanned more than 5 million domains for personally identifiable information exposed via other misconfigured Firebase instances.
They discovered 916 misconfigured websites, exposing 124,605,664 million users’ records, including names, emails, phone numbers, passwords and financial data.
The researchers then alerted all affected organisations, sending 842 emails over 13 days. Only 24% of site owners fixed the misconfiguration.
Data breached: 124,605,664 records.
Multiple Indian brands affected by Gamooga misconfiguration
A misconfigured Apache Kafka broker belonging to the Indian marketing analytics company Gamooga exposed sensitive data relating to numerous organisations in India for over a year, “including banking service providers, insurance agencies, e-commerce stores, entertainment apps, and educational institutions”.
At least 1 million customers of well-known brands, including Swiggy, Redbus, Nykaa, BigBasket, TataMotors, ICICIPruLife and Axis Direct, are known to be affected, but the actual scale of the breach is potentially vast: Gamooga claims to track more than 1 billion users – two thirds of India’s population, or one eighth of the world’s.
Publicly accessible information included names, dates of birth, phone numbers, email addresses, IP addresses, purchase history, insurance information, payment information, and more.
Data breached: at least 1 million people’s data.
Chinese APT group compromises 70 organisations, including 48 government agencies
The Chinese advanced persistent threat group Earth Krahang is known to have targeted at least 116 organisations in 45 countries, and has successfully breached 70 organisations in 23 countries. These include 48 government agencies, 10 of which are foreign affairs ministries.
According to Trend Micro, which has been tracking the group since early 2022, the group “exploits public-facing servers and sends spear phishing emails to deliver previously unseen backdoors”.
It then uses “its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts”.
Data breached: unknown.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 134,503,937 records known to be compromised, and 1,091 organisations suffering a newly disclosed incident. 916 of those incidents are linked to Google Firebase misconfigurations, as explained above.
This week, 1,076 organisations are known to have had data exfiltrated, exposed or otherwise breached. Only 5 definitely haven’t had data breached.
We also found 6 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known data breached |
| 916 Google Firebase websites (via Chattr) Source 1; source 2; source 3 (New) |
Retail and hospitality | USA | Yes | 124,605,664 |
| eClinical Solutions Source (New) |
Software | USA | Yes | 3 TB |
| Kelson Source (New) |
Construction | Canada | Yes | 1.5 TB |
| Gamooga, Swiggy, bigbasket.com, redBus, Nykaa, CaratLane, TataMotors, ICICI Prudential Life Insurance Company Limited and Axis Bank Source (New) |
IT services, retail, manufacturing, insurance and finance | India | Yes | >1,000,000 |
| International Luxury Group Source (New) |
Retail | Switzerland | Yes | 1 TB |
| Grupa Topex Source (New) |
Manufacturing | Poland | Yes | 638 GB |
| Philips Respironics Source 1; source 2; source 3; source 4 (New) |
Manufacturing | USA | Yes | 457,152 |
| NewAgeSys, Inc Source (New) |
Professional services | USA | Yes | 319 GB |
| V12Software Source 1; source 2 (New) |
Software | USA | Yes | 286,396 |
| Sting AD Source (New) |
Manufacturing | Bulgaria | Yes | 235,585 |
| Therapeutic Health Services Source (New) |
Healthcare | USA | Yes | 218,940 |
| Sun Holdings Source (New) |
Hospitality | USA | Yes | 182,756 |
| 3Delectronics Source (New) |
Retail | Russia | Yes | 133,000 |
| University of Wisconsin Hospitals and Clinics Source 1; source 2 (New) |
Healthcare | USA | Yes | 85,902 |
| South China Athletic Association Source 1; source 2 (New) |
Non-profit | Hong Kong | Yes | 70,000 |
| Select Education Group Source (New) |
Professional services | USA | Yes | 67,097 |
| PyLC Source (New) |
Insurance | Mexico | Yes | 63,000 |
| El Ezaby Pharmacy Source 1; source 2 (New) |
Manufacturing | Egypt | Yes | 62.4 GB |
| Hallesche Kraftverkehrs-& Speditions-GmbH Source (New) |
Transport | Germany | Yes | 54,547 |
| Valley Oaks Health Source (New) |
Healthcare | USA | Yes | 50,352 |
| City of Jacksonville Beach Source (New) |
Public | USA | Yes | 48,949 |
| Kirkland & Ellis Source 1; source 2 (New) |
Legal | USA | Yes | 48,802 |
| Monmouth College Source 1; source 2 (New) |
Education | USA | Yes | 44,737 |
| England & Wales Cricket Board (ECB) Source (New) |
Leisure | UK | Yes | 43,000 |
| GardaWorld Source (New) |
Professional services | USA | Yes | 39,928 |
| Citizens Bank of West Virginia Source 1; source 2 (Update) |
Finance | USA | Yes | 35,105 |
| Podemos Source (New) |
Public | Spain | Yes | 30 GB |
| Fidelity Investments Life Insurance Source 1; source 2 (Update) |
Insurance | USA | Yes | 29,073 |
| Bethel School District Source (New) |
Education | USA | Yes | 28,844 |
| Weirton Medical Center Source (New) |
Healthcare | USA | Yes | 26,793 |
| American Renal Associates Source (New) |
Healthcare | USA | Yes | At least 19,295 |
| Tiegerman Source 1; source 2 (New) |
Education | USA | Yes | 19,000 |
| R1 RCM Source 1; source 2; source 3 (Update) |
Software | USA | Yes | 16,121 |
| Newton Public Schools Source (New) |
Education | USA | Yes | 10,545 |
| Healthfirst Source 1; source 2 (New) |
Insurance | USA | Yes | 6,836 |
| Johnson Matthey Source (New) |
Manufacturing | USA | Yes | 6,095 |
| St. Mary’s Healthcare System for Children Source (New) |
Healthcare | USA | Yes | 5,650 |
| Simpson Strong-Tie Source (New) |
Retail | USA | Yes | 5,570 |
| Victory Bank Source 1; source 2 (New) |
Finance | USA | Yes | 4,292 |
| Dental Group of Amarillo Source 1; source 2 (New) |
Healthcare | USA | Yes | 3,821 |
| Eastside Union School District Source (New) |
Education | USA | Yes | 3,592 |
| Schuster Co Source (New) |
Transport | USA | Yes | 3,532 |
| Dedicated Senior Medical Centers Source 1; source 2 (New) |
Healthcare | USA | Yes | 3,441 |
| Sycamore Rehabilitation Services, Inc. Source (New) |
Healthcare | USA | Yes | 3,414 |
| A5 Pharmacy Inc. Source 1; source 2 (New) |
Healthcare | USA | Yes | 3,000 |
| Plymouth Tube Company Employee Benefit Plan Source 1; source 2; source 3 (Update) |
Insurance | USA | Yes | 2,652 |
| Shimon Peres Negev Nuclear Research Center Source (New) |
Defence | Israel | Yes | “thousands” |
| Orthopedics Associates of Flower Mound Source 1; source 2; source 3 (Update) |
Healthcare | USA | Yes | 1,759 |
| UC San Diego Health Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,642 |
| Homeaglow Source (New) |
IT services | USA | Yes | 1,556 |
| California Correctional Health Care Services Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,348 |
| Ascend Healthcare Inc Source 1; source 2 (New) |
Healthcare | USA | Yes | 791 |
| Cypress Capital Group, Inc. Source (New) |
Finance | USA | Yes | 756 |
| Community Health Group Partnership Plan Source 1; source 2 (New) |
Insurance | USA | Yes | 708 |
| Seaglass Chiropractic Source 1; source 2 (New) |
Healthcare | USA | Yes | 650 |
| Lindsay Municipal Hospital Source 1; source 2 (New) |
Healthcare | USA | Yes | 500 |
| Massachusetts Department of Developmental Services Source 1; source 2 (New) |
Public | USA | Yes | 500 |
| Mercy Home for Children Source (New) |
Healthcare | USA | Yes | 356 |
| Gnome Landscapes & Design Source 1; source 2 (Update) |
Professional services | USA | Yes | 356 |
| Mintlify Source (New) |
Software | USA | Yes | 91 |
| TD Source (New) |
Finance | USA | Yes | 4 |
| Goed Source (New) |
Healthcare | Belgium | Yes | Unknown |
| Spa Gran Prix Source (New) |
Leisure | Belgium | Yes | Unknown |
| Grupo Equatorial Energia Source (New) |
Utilities | Brazil | Yes | Unknown |
| Giant Tiger Source (New) |
Retail | Canada | Yes | Unknown |
| Radiant Logistics Inc. Source (New) |
Transport | Canada | Yes | Unknown |
| Dongguan Southstar Electronics Limited Source (New) |
Manufacturing | China | Yes | Unknown |
| SCHOKINAG-Schokolade-Industrie GmbH Source (New) |
Manufacturing | Germany | Yes | Unknown |
| The Railways of Islamic Republic of Iran (RAI) Source (New) |
Transport | Iran | Yes | Unknown |
| IronRock Insurance Company Limited Source (New) |
Insurance | Jamaica | Yes | Unknown |
| The Pokémon Company Source (New) |
Leisure | Japan | Yes | Unknown |
| The London Clinic Source 1; source 2 (New) |
Healthcare | UK | Yes | Unknown |
| Ultra Electronics Group Source (New) |
Manufacturing | UK | Yes | Unknown |
| Kolbe Striping, Inc Source (New) |
Construction | USA | Yes | Unknown |
| Dolomite Source (New) |
Crypto | USA | Yes | Unknown |
| Lewis & Clark College Source (New) |
Education | USA | Yes | Unknown |
| St. Mary Parish School Board Source (New) |
Education | USA | Yes | Unknown |
| Fiduciary Outsourcing, LLC Source (New) |
Finance | USA | Yes | Unknown |
| M&D Capital Source 1; source 2 (New) |
Finance | USA | Yes | Unknown |
| Aveanna Healthcare Source 1; source 2 (New) |
Healthcare | USA | Yes | Unknown |
| Commonwealth Healthcare Corporation Source (New) |
Healthcare | USA | Yes | Unknown |
| EMSA (Emergency Medical Services Authority) Source (New) |
Healthcare | USA | Yes | Unknown |
| Jordano’s Inc. Source 1; source 2 (New) |
Hospitality | USA | Yes | Unknown |
| BioLife Plasma Services Source (New) |
Manufacturing | USA | Yes | Unknown |
| Crinetics Pharmaceuticals Source 1; source 2 (New) |
Manufacturing | USA | Yes | Unknown |
| I.A.T.S.E. National Benefit Funds Source (New) |
Non-profit | USA | Yes | Unknown |
| Ampersand Source 1; source 2 (New) |
Professional services | USA | Yes | Unknown |
| Henry County, VA Source (New) |
Public | USA | Yes | Unknown |
| Arx Capital Source 1; source 2 (New) |
Real estate | USA | Yes | Unknown |
| MarineMax Source 1; source 2; source 3 (Update) |
Retail | USA | Yes | Unknown |
| 70 organisations, including 48 government organisations Source (New) |
Public and unknown | Multiple | Yes | Unknown |
| Bundeskriminalamt Source (New) |
Legal | Germany | Unknown | Unknown |
| Polycab India Limited Source (New) |
Manufacturing | India | Unknown | Unknown |
| REG.RU Source (New) |
IT services | Russia | Unknown | Unknown |
| Pension Fund of Ukraine Source (New) |
Public | Ukraine | Unknown | Unknown |
| KIM (Kaluska informatsiyna merezha LLC) Source 1; source 2 (New) |
Telecoms | Ukraine | Unknown | Unknown |
| Linktelecom Source (New) |
Telecoms | Ukraine | Unknown | Unknown |
| Мисто-ТВ Source (New) |
Telecoms | Ukraine | Unknown | Unknown |
| Triacom Source 1; source 2 (New) |
Telecoms | Ukraine | Unknown | Unknown |
| Apex Legends Global Series Source (New) |
Leisure | USA | Unknown | Unknown |
| City of Pensacola Government Source (New) |
Public | USA | Unknown | Unknown |
| Giorgia Meloni’s Instagram account Source (New) |
Public | Italy | No | 0 |
| gouvernement.lu Source 1; source 2 (New) |
Public | Luxembourg | No | 0 |
| MyGuichet.lu Source 1; source 2 (New) |
Public | Luxembourg | No | 0 |
| dormakaba Source (New) |
Retail | Switzerland | No | 0 |
| Rt Hon. Grant Shapps MP’s RAF Dassault Falcon 900 jet Source (New) |
Transport | UK | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
AI
Microsoft research finds 87% of UK organisations vulnerable to cyber attacks in the age of AI
A new report by Microsoft, in collaboration with Dr Chris Brauer of Goldsmiths, University of London classed 87% of UK organisations as vulnerable to cyber attacks. Mission Critical: Unlocking the UK AI Opportunity Through Cybersecurity states that the UK must cement its position as a “cybersecurity superpower” in order to realise its ambition of becoming a global “AI superpower”.
Google VLOGGER generates video from photos, raising security concerns
Google researchers have unveiled VLOGGER, an AI model that can generate photorealistic videos of people from photographs and audio samples. However, security professionals have expressed concern about the technology’s potential misuse to create deepfakes that could be used for social engineering attacks.
Enforcement
Nemesis Market darknet marketplace shutdown
The Office of the Public Prosecutor General in Frankfurt am Main – Central Office for Combating Cybercrime – and the German Federal Criminal Police Office have seized the server infrastructure of the darknet marketplace Nemesis Market, along with €94,000 in cryptocurrency.
US House of Representatives passes bill to block sale of US data to foreign adversaries
The House of Representatives has unanimously voted in favour of a bill to block data brokers from selling US citizens’ data to foreign adversaries.
“Today’s overwhelming vote sends a clear message that we will not allow our adversaries to undermine American national security and individual privacy by purchasing people’s personally identifiable sensitive information from data brokers,” said House Energy and Commerce Committee leaders Cathy McMorris Rodgers and Frank Pallone in a joint statement.
Other news
UK accuses China of two malicious cyber campaigns
The UK’s deputy prime minister, Oliver Dowden, has officially blamed the 2021–22 attacks on the UK’s Electoral Commission and parliamentarians on “China state-affiliated actors”.
ICO publishes new fining guidance
The UK’s data protection authority, the ICO (Information Commissioner’s Office), has published new data protection fining guidance, setting out how it calculates fines.
The ICO’s director of legal service, Tim Capel, said: “We believe the guidance will provide certainty and clarity for organisations. It shows how we reach one of our most important decisions as a regulator by explaining when, how and why we would issue a fine for a breach of the UK General Data Protection Regulation or Data Protection Act 2018.”
ISACA® qualification chosen by NCSC as part of GovAssure
ISACA’s® CISA (Certified Information Security Auditor) qualification has been chosen by the NCSC as an industry-leading standard and qualifying criterion for companies licensed to conduct assurance reviews of government organisations, as part of its new cyber assurance regime for government systems, GovAssure.
New guidance and recently published reports
- Akamai: Lurking in the Shadows: Attack Trends Shine Light on API Threats
- Cado Security: H2 2023 Cloud Threat Findings Report
- Horizon3.ai: 2023 Year in Review
- Imprivata/Ponemon Institute: Unlocking the cost of chaos: The state of enterprise mobility in life- and mission-critical industries
- Kaspersky ICS CERT: Threat landscape for industrial automation systems: H2 2023
- KELA Research: A deep dive into Akira and Black Basta negotiations
- Proofpoint: The 2024 Data Loss Landscape
- Recorded Future: 2023 Annual Report
Key dates
21 March 2024 – old EU Standard Contractual Clauses expired
If you transfer data using old EU standard contractual clauses issued under the Data Protection Directive 1995, the deadline to replace them was 21 March 2024. The ICO website provides further information.
31 March 2024 – PCI DSS v4.0 transitioning deadline
Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.
30 April 2024 – ISO/IEC 27001:2013 certification unavailable
Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week Tuesday with the biggest and most interesting news stories, all rounded up in one place. Until then, have a good Easter.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
The post The Week in Cyber Security and Data Privacy: 18 – 24 March 2024 appeared first on IT Governance UK Blog.