The Week in Cyber Security and Data Privacy: 15 – 21 April 2024

16,482,365 known records breached in 240 newly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Criminal hackers threaten to leak World-Check screening database

A criminal group known as GhostR claims to have stolen 5.3 million records from World-Check, a database used to screen potential customers for links to illegal activity and government sanctions.

Compromised data includes names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers.

A spokesman for the London Stock Exchange Group, which maintains the database, confirmed the breach involved a data set illegally obtained from a third party. GhostR says it obtained the records from a Singapore-based company with access to the database.

Data breached: 5,300,000 records.

Almost 1.5 million accounts compromised in Le Slip Français data breach

The French underwear manufacturer Le Slip Français has suffered a data breach. The alleged perpetrator, who goes by the name ShopifyGUY, claims to have obtained more than 1.5 million emails, including 690,000 sets of customer details comprising email addresses, names, postal addresses, phone numbers and purchase data.

ShopifyGUY is the same person who posted the Giant Tiger data last week. According to Troy Hunt of the data breach notification service HIBP (Have I Been Pwned), “it looks like they’re finding @Shopify keys somewhere then just dumping all the data. I’m told the JSON format these breaches all appear in is consistent with that, so it stands to reason that’s the common vector for all these breaches”.

Hunt has added 1,495,127 Le Slip Français accounts to the HIBP database.

Data breached: 1,495,127 accounts.

Mobile Guardian app hacked, compromising Singaporean parent and teacher data

The names and email addresses of parents and teachers from 5 primary and 122 secondary schools in Singapore have been compromised after a mobile app was hacked. Mobile Guardian, which is used to help parents manage their children’s device usage, was hacked on 19 April, according to the Singaporean Ministry of Education.

Mobile Guardian, which is based in the UK, said that its investigations detected unauthorised access to its systems via an administrative account on its management portal. Account records from the United States were also accessed.

Data breached: unknown.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 16,482,365 records known to be compromised, and 240 organisations suffering a newly disclosed incident. 226 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 5 definitely haven’t had data breached.

We also found 8 organisations providing a significant update on a previously disclosed incident.

Organisation(s) | Source(s) | New/Update | Sector | Location | Data breached? | Known data breached
--- | --- | --- | --- | --- | --- | ---
World-Check, and a Singapore-based firm with access to it | Source | New | Finance and unknown | UK and Singapore | Yes | 5,300,000
Digi Yatra | Source | New | Software | India | Yes | >3,300,000
Le Slip Français | Source 1; source 2; source 3 | Update | Retail | France | Yes | 1,495,127
XD Connects | Source | New | Retail | Netherlands | Yes | 1 TB
DISB (District of Columbia Department of Insurance, Securities and Banking) and Tyler Technologies | Source 1; source 2; source 3; source 4 | Update | Public and software | USA | Yes | 800 GB
Smoke Alarm Solutions | Source | New | Professional services | Australia | Yes | 762,856
City of St. Cloud, FL | Source | Update | Public | USA | Yes | 719,597
Regulator Marine Inc | Source | New | Manufacturing | USA | Yes | 630 GB
Risas Dental and Braces | Source 1; source 2 | New | Healthcare | USA | Yes | 618,189
HUB International | Source | New | Insurance | USA | Yes | 514,477
Lee University | Source 1; source 2 | New | Education | USA | Yes | 387.49 GB
Village Family Dental | Source 1; source 2 | New | Healthcare | USA | Yes | 240,214
Cherry Health | Source 1; source 2 | Update | Healthcare | USA | Yes | 184,372
Arby’s | Source 1; source 2 | New | Hospitality | USA | Yes | 175 GB
Albatros | Source | New | Manufacturing | Russia | Yes | >100 GB
T2 Tea | Source 1; source 2 | New | Retail | Australia | Yes | 85,894
Argentinian database of driving licences | Source | New | Public | Argentina | Yes | 70,000
sa.global | Source | New | IT services | USA | Yes | 41 GB
Blackstone Valley Community Health Care | Source 1; source 2 | Update | Healthcare | USA | Yes | 34,416
Green Diamond Resource Company | Source | New | Environmental | USA | Yes | 27,896
Kisco Senior Living | Source | New | Healthcare | USA | Yes | 26,663
Roman Catholic Diocese of Phoenix | Source | New | Religious | USA | Yes | 23,853
Bi-State Development | Source | New | Public | USA | Yes | 21,953
University of Tennessee Health Science Center | Source 1; source 2 | New | Education | USA | Yes | 19,353
Township of Montclair | Source | New | Public | USA | Yes | 17,835
Carl Buddig and Company | Source | New | Hospitality | USA | Yes | 11,830
Asteco Property Management | Source | New | Real estate | UAE | Yes | 11.4 GB
Ministry of Public Health and Social Assistance | Source | New | Public | Dominican Republic | Yes | >8,000
Island Ambulatory Surgery Center | Source 1; source 2 | New | Healthcare | USA | Yes | 7,900
Federal Penitentiary Service | Source | New | Public | Argentina | Yes | 7,115
Taft Stettinius & Hollister LLP | Source 1; source 2 | Update | Legal | USA | Yes | 5,980
Citizens Property Insurance Corporation | Source | New | Insurance | USA | Yes | 4,948
Northern Colorado Long Term Acute Hospital | Source 1; source 2 | New | Healthcare | USA | Yes | 4,335
Numotion | Source | New | Manufacturing | USA | Yes | 4,190
Olive View – UCLA Medical Center | Source 1; source 2 | New | Education | USA | Yes | 3,716
Butler, Lavanceau & Sober, LLC | Source | New | Finance | USA | Yes | 3,370
Catholic Medical Center | Source | New | Healthcare | USA | Yes | 2,792
Concorde Entertainment Group | Source | New | Hospitality | Canada | Yes | 2 GB
Atlanta Technical College | Source | New | Education | USA | Yes | 1,523
WIS International | Source | New | Retail | USA | Yes | 1,295
HBL CPAs, P.C. | Source | New | Finance | USA | Yes | 1,206
DES | Source | New | Engineering | USA | Yes | 1,144
Baylor College of Medicine | Source 1; source 2; source 3 | Update | Education | USA | Yes | 801
Medical Home Network | Source | New | Healthcare | USA | Yes | 681
Moveable Feast | Source | New | Non-profit | USA | Yes | 568
Jackson Medical Center | Source 1; source 2 | New | Healthcare | USA | Yes | 509
Washington County Department of Human Services | Source 1; source 2 | New | Public | USA | Yes | 501
Basingstoke MP Maria Miller | Source | New | Public | UK | Yes | 500
SMRT Architects & Engineers | Source 1; source 2 | Update | Engineering | USA | Yes | 348
Pandemonium Rocks | Source | New | Leisure | Australia | Yes | “hundreds”
EBIR Bathroom Lighting | Source | New | Manufacturing | Spain | Yes | 200 MB
Former Manx Care employee | Source | New | Healthcare | UK | Yes | 160
Big Ass Fans | Source | New | Manufacturing | USA | Yes | 146
Cocoon, Inc. | Source | New | Manufacturing | USA | Yes | 50
Avalon Trust | Source | New | Finance | USA | Yes | 27
Grodno Azot | Source | New | Manufacturing | Belarus | Yes | Unknown
Canadia Bank | Source | New | Finance | Cambodia | Yes | Unknown
ND Paper | Source | New | Media | China | Yes | Unknown
Kameymall | Source | New | Retail | China | Yes | Unknown
UNDP (United Nations Development Programme) | Source | New | Non-profit | Denmark | Yes | Unknown
Consejo de la Judicatura | Source | New | Legal | Ecuador | Yes | Unknown
Ministerio de Educación, Ciencia y Tecnología de El Salvador | Source | New | Public | El Salvador | Yes | Unknown
Lyon Terminal | Source 1; source 2 | New | Transport | France | Yes | Unknown
Volkswagen | Source | New | Manufacturing | Germany | Yes | Unknown
Union Hospital | Source | New | Healthcare | Hong Kong | Yes | Unknown
QUEST Alliance | Source | New | Non-profit | India | Yes | Unknown
Extern | Source | New | Charity | Ireland | Yes | Unknown
Coppel | Source 1; source 2 | New | Retail | Mexico | Yes | Unknown
Iddink Group | Source | New | IT services | Netherlands | Yes | Unknown
Nieuwsbank | Source | New | Media | Netherlands | Yes | Unknown
Hamdard Pakistan | Source | New | Manufacturing | Pakistan | Yes | Unknown
Pak Suzuki Motor Company Limited | Source | New | Manufacturing | Pakistan | Yes | Unknown
Ministry of Finance, Republic of Serbia | Source | New | Public | Serbia | Yes | Unknown
5 primary and 122 secondary schools in Singapore, through Mobile Guardian | Source | New | Education and software | Singapore | Yes | Unknown
International Trade Administration Commission of SA | Source | New | Public | South Africa | Yes | Unknown
AsiaLove | Source | New | Software | South Korea | Yes | Unknown
Lopesan | Source 1; source 2 | New | Hospitality | Spain | Yes | Unknown
ASESGC Guardia Civil | Source | New | Non-profit | Spain | Yes | Unknown
Bagcilar Education and Research Hospital | Source | New | Healthcare | Turkey | Yes | Unknown
Bureau van Dijk | Source | New | Professional services | UK | Yes | Unknown
Zest Protocol | Source | New | Crypto | UK | Yes | Unknown
Companies House | Source | New | Public | UK | Yes | Unknown
Tasteful Selections LLC | Source | New | Agricultural | USA | Yes | Unknown
Cisco Duo and its telephony supplier | Source | New | Cyber security and telecoms | USA | Yes | Unknown
Brandeis University | Source | New | Education | USA | Yes | Unknown
ASMFC (Atlantic States Marine Fisheries Commission) | Source | New | Environmental | USA | Yes | Unknown
Bauknight Pietras & Stormer, P.A. | Source | New | Finance | USA | Yes | Unknown
BlueChip Financial | Source | New | Finance | USA | Yes | Unknown
Continuing Healthcare Solutions | Source | New | Healthcare | USA | Yes | Unknown
SysInformation | Source | New | Healthcare | USA | Yes | Unknown
Space-Eyes | Source | New | IT services | USA | Yes | Unknown
VIP (Visionary Integration Professionals) | Source | New | IT services | USA | Yes | Unknown
Allcare Pharmacy \| W.P. Malone, Inc. | Source | New | Manufacturing | USA | Yes | Unknown
Cembell Industries Inc | Source | New | Manufacturing | USA | Yes | Unknown
HB Molding, Inc. | Source | New | Manufacturing | USA | Yes | Unknown
The Post and Courier | Source | New | Media | USA | Yes | Unknown
European Wax Center | Source | New | Professional services | USA | Yes | Unknown
Solano County Library | Source | New | Public | USA | Yes | Unknown
Blooms Today | Source | New | Retail | USA | Yes | Unknown
Payroll Select Services | Source | New | Software | USA | Yes | Unknown
Unspecified US consumer database | Source | New | Unknown | USA | Yes | Unknown
Frontier Internet | Source | New | Telecoms | USA | Yes | Unknown
Hedgey | Source | New | Blockchain | Unknown | Yes | Unknown
Honda Vietnam Company Limited | Source | New | Manufacturing | Vietnam | Yes | Unknown
Grand Base | Source | New | Blockchain | Unknown | Yes | Unknown
Barnetts Couriers | Source | New | Transport | Australia | Unknown | Unknown
Hôpital de Cannes – Simone Veil | Source | New | Healthcare | France | Unknown | Unknown
SYNLAB Italia | Source | New | Research | Italy | Unknown | Unknown
OGERO | Source | New | Telecoms | Lebanon | Unknown | Unknown
1+1 media | Source | New | Media | Ukraine | Unknown | Unknown
MITRE | Source | New | Cyber security | USA | Unknown | Unknown
Octapharma Plasma, Inc. | Source | New | Manufacturing | USA | Unknown | Unknown
Systems used by New York’s legislature | Source | New | Public | USA | Unknown | Unknown
OLA (Observatorio de Libertad Académica) | Source | New | Non-profit | Cuba | No | 0
Likud Party | Source | New | Public | Israel | No | 0
LRT | Source | New | Media | Lithuania | No | 0
Carpetright | Source | New | Retail | UK | No | 0
Gmail and YouTube users | Source | New | IT services | USA | No | 0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.
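The "Known data breached" column mixes plain record counts, lower-bound figures such as ">3,300,000", file sizes such as "387.49 GB", quoted words such as “hundreds”, "Unknown" and "0", and Note 2 explains how file sizes are turned into record counts. The following Python is an added example, not code from IT Governance or from this post, of a parser that applies that 1 MB = 1 record rule to every form the column takes. It assumes decimal prefixes (1 GB = 1,000 MB, 1 TB = 1,000,000 MB), treats ">" figures as lower bounds counted at face value, and leaves unquantified cells such as “hundreds” out of the total; the page states none of those three choices, so all are assumptions. The sample cells are copied from the table above.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# The round-up's rule: 1 MB = 1 record. Decimal prefixes (1 GB = 1,000 MB,
# 1 TB = 1,000,000 MB) are an assumption; the page does not say which it uses.
UNIT_TO_RECORDS = {"MB": Decimal(1), "GB": Decimal(1_000), "TB": Decimal(1_000_000)}

_SIZE_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)\s*(?P<unit>[MGT]B)$", re.IGNORECASE)
_COUNT_RE = re.compile(r"^(?:\d{1,3}(?:,\d{3})+|\d+)$")


@dataclass(frozen=True)
class RecordEstimate:
    raw: str                  # the cell exactly as it appeared in the table
    records: Optional[int]    # None when the cell carries no usable number
    lower_bound: bool         # True for ">" figures ("at least this many")
    from_file_size: bool      # True when the 1 MB = 1 record rule was applied


def parse_known_breached(cell: str) -> RecordEstimate:
    """Turn one 'Known data breached' cell into a record count, or None."""
    text = cell.strip().strip('“”"')      # drop quotation marks, e.g. “hundreds”
    lower_bound = text.startswith(">")
    if lower_bound:
        text = text[1:].strip()
    if not text or text.lower() == "unknown":
        return RecordEstimate(cell, None, lower_bound, False)
    size = _SIZE_RE.match(text)
    if size:
        # File size given: apply 1 MB = 1 record, scaled by the unit.
        value = Decimal(size.group("num")) * UNIT_TO_RECORDS[size.group("unit").upper()]
        return RecordEstimate(cell, int(value), lower_bound, True)
    if _COUNT_RE.match(text):
        return RecordEstimate(cell, int(text.replace(",", "")), lower_bound, False)
    # Words such as "hundreds" give no figure the methodology can count.
    return RecordEstimate(cell, None, lower_bound, False)


def total_records(cells):
    """Sum the quantifiable cells; return the total and the cells left out."""
    total = 0
    unquantified = []
    for cell in cells:
        estimate = parse_known_breached(cell)
        if estimate.records is None:
            unquantified.append(cell)
        else:
            total += estimate.records
    return total, unquantified


# Constructed sample: a handful of cells copied from the table above, chosen to
# cover each form the column takes (plain counts, ">" figures, file sizes,
# quoted words, "Unknown" and "0").
SAMPLE_CELLS = [
    "5,300,000", ">3,300,000", "1 TB", "387.49 GB",
    "“hundreds”", "200 MB", "Unknown", "0",
]

if __name__ == "__main__":
    for cell in SAMPLE_CELLS:
        print(f"{cell:>12} -> {parse_known_breached(cell)}")
    total, left_out = total_records(SAMPLE_CELLS)
    print(f"total {total:,} records; not counted: {left_out}")
```

Running it over the sample cells gives 9,987,690 records, with “hundreds” and "Unknown" reported as left out. Because ">" figures and file sizes are both floors under this methodology, the `lower_bound` and `from_file_size` flags are kept on each estimate so a total built from the table can say how much of it rests on estimates rather than confirmed counts.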


AI

NSA published guidance on strengthening the security of AI systems

The US National Security Agency has published a cyber security information sheet entitled Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems. The guidance was designed for national security purposes, but can be applied by anyone bringing AI capabilities into a managed environment.

Protect AI releases April 2024 vulnerability report

Protect AI has published its latest monthly report into security vulnerabilities affecting AI systems. This month contains 48 vulnerabilities, up 220% from the 15 it identified in November 2023.

Enforcement

Proposed FTC order will fine Cerebral, Inc. $7 million and restrict its use of sensitive data

Cerebral, Inc. has agreed to an FTC order that will prohibit it from using or disclosing sensitive consumer data for advertising purposes. Under the proposed order, the company will be required to pay more than $7 million for violating its customers’ privacy rights.

International law enforcement operation disrupts LabHost phishing-as-a-service platform

A law enforcement operation involving 19 countries has disrupted LabHost, one of the world’s largest phishing-as-a-service platforms. 37 suspects have been arrested and the LabHost platform has been shut down.


Other news

ENISA will not create vulnerability database

Hans de Vries, the new chief cybersecurity and operational officer of ENISA, the EU Agency for Cybersecurity, has confirmed that his agency will not create a database of security vulnerabilities, as proposed by the EU Cyber Resilience Act.

NCSC CAF (Cyber Assessment Framework) 3.2 published

The National Cyber Security Centre has published version 3.2 of its Cyber Assessment Framework. Significant changes have been made to sections covering remote access, privileged operations, user access levels and the use of multifactor authentication.

CREST launches new cyber threat intelligence guide

CREST has published a new guide: What is Cyber Threat Intelligence and How is it Used? It provides accessible advice on the theory and practice of CTI products and services, outlining key concepts and principles underpinning CTI, along with the ways organisations can use CTI to predict, prevent, detect and respond to potential cyber security threats and reduce cyber risk.

NATO to launch new cyber centre

Acknowledging that “cyberspace is contested at all times”, NATO will create a new cyber centre at its military headquarters in Mons, Belgium. James Appathurai, NATO’s deputy assistant secretary general for innovation, hybrid and cyber, said the new centre would be modelled on the UK’s NCSC.

HHS patches security after cyber attack

Following a cyber attack on the US Department of Health and Human Services last year, in which criminals stole $7.5 million, the Department is removing HHS Login from its grantee payment system.

EDPB sets out priorities for 2024–2027

The EDPB (European Data Protection Board) has adopted its strategy for 2024–2027, which is based around four pillars:

  • Pillar 1 – Enhancing harmonisation and promoting compliance.
  • Pillar 2 – Reinforcing a common enforcement culture and effective cooperation.
  • Pillar 3 – Safeguarding data protection in the developing digital and cross-regulatory landscape.
  • Pillar 4 – Contributing to the global dialogue on data protection.

The Board’s chair, Anu Talus, said: “The new strategy takes the existing vision in a new direction in order to respond to the data protection needs of today, and the ever evolving digital landscape. The strategy is the result of a collaborative effort, involving all EU data protection authorities (DPAs) and sets out common priorities for the years to come.”

EDPB publishes opinion on Meta’s ‘pay or OK’ model

The EDPB has published its opinion on Meta’s proposed ‘pay or consent’ model, which aims to charge users a monthly fee to use its platforms without targeted advertising. Louise Brooks, from IT Governance’s sister company DQM GRC, observes:

“The opinion finds that Meta’s proposed ‘pay or consent’ model isn’t compliant with the EU GDPR, but it doesn’t go so far as to rule it out as an option completely. It’s important at this stage to understand that EDPB opinions are not legally binding.

“However, the opinion was requested by supervisory authorities for the purpose of active cases under consideration for enforcement action, so the outcome of those cases will add context and detail to the interpretation of, and potential future reliance upon, the opinion.

“From a UK perspective, we know the ICO is actively monitoring the European debate on this issue as it confirmed the same at the DMA’s recent annual conference, so it remains to be seen how the EDPB’s opinion might be used or interpreted here.

“The debate certainly isn’t over, and we probably need to wait for case law to proceed before we can really start seeing the wood for the trees and understand the ramifications.

“Nevertheless, any sensible large online platforms would do well to model alternatives and consider the impact any precedents set by enforcement actions that don’t support their business models might have.”

ICO publishes guidance to improve transparency in health and social care

The ICO (Information Commissioner’s Office) has published new guidance to provide regulatory certainty on how health and social care organisations should handle sensitive information while keeping people properly informed.


Key dates

29 April 2024 – UK Product Security and Telecommunications Infrastructure Act 2022 comes into effect

The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.


The post The Week in Cyber Security and Data Privacy: 15 – 21 April 2024 appeared first on IT Governance UK Blog.