The Week in Cyber Security and Data Privacy: 22 – 28 April 2024

5,255,944,117 known records breached in 128 newly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Data scraping site taken offline after billions of Discord users’ messages offered for sale

A data scraping website called Spy.pet has been taken offline after harvesting more than 4 billion messages made by almost 630 million Discord users and offering them for sale. Data scraping or web scraping is a typically automated process that extracts information from websites, allowing criminals to compile datasets containing personal information.

“Scraping our services and self-botting are violations of our Terms of Service and Community Guidelines,” a Discord spokesperson told The Register. “In addition to banning the affiliated accounts, we are considering appropriate legal action. We identified certain accounts that we believe are affiliated with the Spy.pet website, which we have subsequently banned.”

Data breached: 4,186,879,104 messages.

Keyboard app vulnerabilities reveal keystrokes to network eavesdroppers

Security researchers have identified critical security vulnerabilities in cloud-based pinyin keyboard apps from Baidu, Inc., Honor, Huawei, iFlytek, OPPO, Samsung Electronics, Tencent, Vivo and Xiaomi Technology. The vulnerabilities could be exploited to reveal users’ keystrokes to network eavesdroppers, and “up to one billion users are affected”.

Data breached: <1 billion people’s data.

Phone tracking app iSharingSoft reveals users’ precise locations

Eric Daigle, a computer science and economics student at the University of British Columbia in Vancouver, has discovered vulnerabilities in the phone tracking app iSharing that let users access any other user’s location, as well as their name, profile photo and the email address and phone number they used to log in, even if they weren’t actively sharing their location data. iSharing is used by more than 35 million users.

The company has fixed the issue, blaming it on a vulnerability in the app’s groups feature.

Data breached: >35 million people’s data.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 5,255,944,117 records known to be compromised, and 128 organisations suffering a newly disclosed incident. 117 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 4 definitely haven’t had data breached.

We also found 5 organisations providing a significant update on a previously disclosed incident.

| Organisation(s) | Sector | Location | Data breached? | Known data breached |
|---|---|---|---|---|
| Discord (via Spy.pet) (New) | IT services | USA | Yes | 4,186,879,104 |
| Baidu, Inc., Honor, Huawei, iFlytek, OPPO, Samsung Electronics, Tencent, Vivo and Xiaomi Technology (New) | Software | China | Yes | Up to 1,000,000,000 |
| iSharingSoft (New) | Software | USA | Yes | >35,000,000 |
| Kaiser Permanente (New) | Insurance | USA | Yes | 13,400,000 |
| World-Check (Update) | Finance | UK | Yes | 5,299,116 |
| Chicony Electronics Co., Ltd. (New) | Manufacturing | Taiwan | Yes | 4,715,133 |
| Mustafa Centre (Update) | Retail | Singapore | Yes | >3,5000,000 |
| TRAXERO (New) | Software | USA | Yes | 2,634,753 |
| Piping Rock Health Products (New) | Manufacturing | USA | Yes | 2,103,100 |
| FBCS, Inc. (New) | Finance | USA | Yes | 1,955,385 |
| BerryDunn and Reliable Networks (New) | Finance and IT services | USA | Yes | 1,107,354 |
| VISAV Limited (New) | IT services | UK | Yes | >1,000,000 |
| Designed Receivable Solutions, Inc. (Update) | Finance | USA | Yes | 498,686 |
| J.P. Morgan (New) | Finance | USA | Yes | 451,809 |
| Hong Kong College of Technology (New) | Education | Hong Kong | Yes | 450 GB |
| PT Bank Pembangunan Daerah Banten Tbk (New) | Finance | Indonesia | Yes | 450 GB |
| Hirsh Industries, LLC (New) | Manufacturing | USA | Yes | 450 GB |
| Health Gennie (New) | Software | India | Yes | Nearly 450,000 |
| Army Welfare Trust (New) | Defence | Pakistan | Yes | 400 GB |
| Anders Group, LLC (New) | Professional services | USA | Yes | 214.48 GB |
| Ghim Li Group (New) | Manufacturing | Singapore | Yes | 88 GB |
| University of Düsseldorf (New) | Education | Germany | Yes | >60,000 |
| Blackstone Valley Community Health Care (Update) | Healthcare | USA | Yes | 34,518 |
| Optometric Physicians of Middle Tennessee (New) | Healthcare | USA | Yes | 29,000 |
| Moffitt Cancer Center (via Advarra) (New) | Healthcare | USA | Yes | 26,577 |
| Valley Veterinary Clinic (New) | Veterinary | USA | Yes | 25,969 |
| The Philadelphia Inquirer (New) | Media | USA | Yes | 25,500 |
| Dr Willian Segalin (New) | Healthcare | Brazil | Yes | 20 GB |
| Buffalo Public Schools (New) | Education | USA | Yes | 19,494 |
| Hungry Jack’s® Pty Ltd (New) | Hospitality | Australia | Yes | >19,000 |
| Aspire Health Alliance (New) | Healthcare | USA | Yes | 17,490 |
| ICICI Bank (New) | Finance | India | Yes | 17,000 |
| Somerset Dental Las Vegas (New) | Healthcare | USA | Yes | 11,321 |
| Diocese of Cleveland (New) | Non-profit | USA | Yes | 9,859 |
| Synergy Hotels, Inc. (New) | Hospitality | USA | Yes | 9,211 |
| State Security Committee of the Republic of Belarus (New) | Public | Belarus | Yes | >8,600 |
| Camino Nuevo Charter Academy (New) | Education | USA | Yes | 7,916 |
| Sanchez Daniels & Hoffman LLP (New) | Legal | USA | Yes | 3,938 |
| UNC Hospitals (New) | Healthcare | USA | Yes | 3,142 |
| Lagunitas Brewing Company (New) | Manufacturing | USA | Yes | 2,979 |
| Nothing (New) | Manufacturing | UK | Yes | 2,250 |
| Amerit Fleet Solutions (New) | Manufacturing | USA | Yes | 1,912 |
| Integral Federal, Inc. (New) | IT services | USA | Yes | 1,724 |
| Regulator Marine Inc (Update) | Manufacturing | USA | Yes | 1,384 |
| CoVerica Insurance (New) | Insurance | USA | Yes | 1,028 |
| The J D Russell Company (New) | Manufacturing | USA | Yes | 684 |
| Phillips Academy and AthleteTrax, LLC (New) | Education and software | USA | Yes | 347 |
| Vericast (New) | Professional services | USA | Yes | 319 |
| Stad Deinze (New) | Public | Belgium | Yes | 300 |
| Glendale Unified School District (New) | Education | USA | Yes | At least 231 |
| BCRA (New) | Finance | Argentina | Yes | Unknown |
| OracleCMS (New) | Professional services | Australia | Yes | Unknown |
| SIAFI (Sistema Integrado de Administração Financeira) (New) | IT services | Brazil | Yes | Unknown |
| El Carnicero Maestro en Carnes (New) | Hospitality | Chile | Yes | Unknown |
| Education News in Egypt (New) | Media | Egypt | Yes | Unknown |
| Lucky ONE (New) | Software | Egypt | Yes | Unknown |
| Chivo Wallet (New) | Crypto | El Salvador | Yes | Unknown |
| Ministerio de Desarrollo Local (New) | Public | El Salvador | Yes | Unknown |
| Ateliers Jean Nouvel (New) | Engineering | France | Yes | Unknown |
| LATEXBIO (New) | Manufacturing | France | Yes | Unknown |
| l’Oracle (New) | Professional services | France | Yes | Unknown |
| Speedy France (New) | Professional services | France | Yes | Unknown |
| Pondicherry University (New) | Education | India | Yes | Unknown |
| Luxor International (New) | Manufacturing | India | Yes | Unknown |
| Yamaha & Friends (New) | IT services | Indonesia | Yes | Unknown |
| Gelora Bung Karno Stadium (New) | Leisure | Indonesia | Yes | Unknown |
| Tunas Toyota Pecenongan (New) | Retail | Indonesia | Yes | Unknown |
| Sentry MBA (Cyberint) (New) | Cyber security | Israel | Yes | Unknown |
| Porsche Financial Services Italia S.p.A. (New) | Finance | Italy | Yes | Unknown |
| CDSHotels (New) | Hospitality | Italy | Yes | Unknown |
| Fashion Evolution Network (New) | Retail | Japan | Yes | Unknown |
| Kintetsu World Express (New) | Transport | Japan | Yes | Unknown |
| EuroParcs Enkhuizer Strand (New) | Hospitality | Netherlands | Yes | Unknown |
| Nigeria Customs Service (New) | Public | Nigeria | Yes | Unknown |
| Mr. CRAB (New) | Hospitality | Russia | Yes | Unknown |
| United Russia (New) | Public | Russia | Yes | Unknown |
| Interregional Transit Telecom JSC (MTT) (New) | Telecoms | Russia | Yes | Unknown |
| 10 South Korean defence contractors and subcontractors (New) | Defence | South Korea | Yes | Unknown |
| Universidad Miguel Hernández de Elche (New) | Education | Spain | Yes | Unknown |
| Air Arabia (New) | Transport | UAE | Yes | Unknown |
| 2plan wealth management Ltd (New) | Finance | UK | Yes | Unknown |
| Lekpharm (New) | Manufacturing | Ukraine | Yes | Unknown |
| Savage IO (New) | Crypto | USA | Yes | Unknown |
| Okta (New) | Cyber security | USA | Yes | Unknown |
| Rensselaer Polytechnic Institute (New) | Education | USA | Yes | Unknown |
| University System of Georgia (New) | Education | USA | Yes | Unknown |
| Biggs Cardosa Associates, Inc. (New) | Engineering | USA | Yes | Unknown |
| WRA Architects, Inc. (New) | Engineering | USA | Yes | Unknown |
| Transamerica (New) | Finance | USA | Yes | Unknown |
| Direct Federal Credit Union and Wescom Resources Group, LLC (New) | Finance and IT services | USA | Yes | Unknown |
| NorthBay VacaValley Hospital (New) | Healthcare | USA | Yes | Unknown |
| OrthoNY (New) | Healthcare | USA | Yes | Unknown |
| South Texas Oncology and Hematology, PLLC (New) | Healthcare | USA | Yes | Unknown |
| Amerlux LLC (New) | Manufacturing | USA | Yes | Unknown |
| JB Poindexter & Co (New) | Manufacturing | USA | Yes | Unknown |
| UNICEF (New) | Non-profit | USA | Yes | Unknown |
| Weapon Systems Training Council (New) | Professional services | USA | Yes | Unknown |
| Panama City Police Department (New) | Public | USA | Yes | Unknown |
| Paul Stuart, Inc. (New) | Retail | USA | Yes | Unknown |
| Autodesk (New) | Software | USA | Yes | Unknown |
| DATAIR Employee Benefit Systems, Inc. (New) | Software | USA | Yes | Unknown |
| Nota (New) | Software | USA | Yes | Unknown |
| StarWallets (New) | Crypto | Unknown | Yes | Unknown |
| SKANLOG (New) | Transport | Denmark | Unknown | Unknown |
| Ministry of the Interior (New) | Public | Greece | Unknown | Unknown |
| Cisco (New) | Cyber security | USA | Unknown | Unknown |
| CONSOL Energy (New) | Energy | USA | Unknown | Unknown |
| Kansas City Scouts (New) | Leisure | USA | Unknown | Unknown |
| Coffee County (New) | Public | USA | Unknown | Unknown |
| Gemeente Voorschoten and Gemeente Wassenaar (New) | Public | Netherlands | No | 0 |
| Puerto Rico Terminals (New) | Transport | Puerto Rico | No | 0 |
| Systembolaget AB (New) | Manufacturing | Sweden | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


AI

Scientists successfully use AI to detect AI-generated videos

Scientists at the MISL (Multimedia and Information Security Lab) in Drexel University’s College of Engineering have developed a suite of tools to detect AI-generated videos at the sub-pixel level. In Beyond Deepfake Images: Detecting AI-Generated Videos, a paper due to be presented at the IEEE Computer Vision and Pattern Recognition conference in June, Danial Samadi Vahdati, Tai D. Nguyen, Aref Azizpour and Matthew C. Stamm explain how a constrained neural network can be used to detect synthetic videos “at 98% accuracy”.

US Department of Homeland Security announces AI Safety and Security Board

The US DHS (Department of Homeland Security) has announced the establishment of its Artificial Intelligence Safety and Security Board. The group will advise on the safe and secure development and deployment of AI technology in the country’s critical national infrastructure.


Enforcement

US Federal Trade Commission refunds $5.6 million to Ring customers

The US FTC (Federal Trade Commission) is paying $5.6 million to settle a complaint alleging that the home security camera company Ring “allowed employees and contractors to access consumers’ private videos and failed to implement security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos”.

Biden-Harris administration issues new rule to support reproductive healthcare privacy

The Biden-Harris administration has announced the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, a rule that strengthens HIPAA’s (the Health Insurance Portability and Accountability Act) privacy rule by restricting the disclosure of protected health information related to lawful reproductive healthcare.

European Parliament adopts European Health Data Space and regulation on substances of human origin

The European Commission has welcomed the European Parliament’s adoption of the EHDS (European Health Data Space) and new rules on SoHO (substances of human origin), both of which aim to protect individuals’ health and improve the resilience of healthcare systems. The Council will now formally adopt both regulations.

ICO fines two companies £340,000 for 1.43 million unwanted marketing calls

The UK’s ICO (Information Commissioner’s Office) has fined two telemarketing companies for making 1.4 million calls to people registered with the Telephone Preference Service. Cardiff-based Outsource Strategies Ltd and London-based Dr Telemarketing Ltd targeted elderly and vulnerable people, using aggressive sales tactics to persuade them to sign up for products.


Other news

FTC announces changes to Health Breach Notification Rule

The FTC has announced that it has finalised its changes to the HBNR (Health Breach Notification Rule), which will clarify its applicability to health apps and other similar technologies.

European police chiefs call for an end to end-to-end encryption

A joint declaration by the European police chiefs calls for tech companies to limit end-to-end encryption so the companies can identify and report illegal activity on their platforms, and enable law enforcement investigations to access secure messages.


New guidance

EDPB publishes information on Data Protection Framework redress mechanism

The European Data Protection Board’s Information Note on the redress mechanism for EU/EEA individuals in relation to alleged violations of U.S. law with respect to their data collected by U.S. authorities competent for national security sets out how data subjects in the EU and EEA can formally complain about the processing of their personal data by US intelligence agencies.


Recently published reports


Key dates

29 April 2024 – UK Product Security and Telecommunications Infrastructure Act 2022 comes into effect

The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.


The post The Week in Cyber Security and Data Privacy: 22 – 28 April 2024 appeared first on IT Governance UK Blog.