65,583,602 known records breached in 127 newly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
73,481,539 records from alleged AT&T breach offered for sale
A threat actor known as MajorNelson has listed more than 70 million data records on a dark web forum, claiming it to be data originally exfiltrated from AT&T by a threat actor known as ShinyHunters in 2021.
The data includes names, addresses and mobile phone numbers, as well as encrypted birth dates and Social Security numbers.
AT&T has denied the breach since 2021. However, numerous researchers, including Dark Web Informer and vx-underground, have confirmed that the data does indeed relate to AT&T customers.
Data breached: 73,481,539 records.
France Travail and Cap emploi breach affects 43 million
The French data protection authority, the CNIL, reports that the unemployment agencies France Travail (formerly Pôle emploi) and Cap emploi have suffered a cyber attack that led to the exposure of 43 million people’s data.
According to France Travail, the breached data includes names, dates of birth, email and postal addresses, telephone numbers, social security numbers and France Travail identifiers. Passwords and bank details were not affected.
Last August, Pôle emploi suffered a data breach affecting 10 million people. At the time, the security firm Emsisoft attributed it to May 2023’s MOVEit Transfer breach, but removed the agency from its list of MOVEit victims the following month. It’s not known whether this breach relates to the MOVEit one.
Data breached: 43 million individuals’ data.
HIBP adds almost 3.3 million ClickASnap records to its database
In October 2022, ClickASnap announced that it had suffered a data breach on 24 September of that year, in which user emails were stolen from a database.
Have I Been Pwned has now added 3,262,980 records to its database, including email addresses, names, passwords, physical addresses, purchases, social media profiles and usernames.
Data breached: 3,262,980 records.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 65,583,602 records known to be compromised, and 127 organisations suffering a newly disclosed incident. 79 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 37 definitely haven’t had data breached.
We also found 11 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known data breached |
| --- | --- | --- | --- | --- |
| AT&T Source 1; source 2 (Update) | Telecoms | USA | Yes | 73,481,539 |
| France Travail Source 1; source 2 (New) | Public | France | Yes | 43,000,000 |
| ClickASnap Source 1; source 2 (Update) | IT services | UK | Yes | 3,262,980 |
| AMMEGA Source (New) | Manufacturing | Netherlands | Yes | 3 TB |
| MediaWorks NZ Source 1; source 2 (New) | Media | New Zealand | Yes | 2,461,000 |
| Kids Empire Source (New) | Leisure | USA | Yes | 2,363,222 |
| Plymouth Tube Company Source (New) | Manufacturing | USA | Yes | 1.83 TB |
| GPAA (Government Pensions Administration Agency) Source 1; source 2 (New) | Public | South Africa | Yes | 1.08 TB |
| Health Service Executive Source (New) | Healthcare | Ireland | Yes | >1,000,000 |
| Teupe Gruppe Source (New) | Construction | Germany | Yes | >1 TB |
| Cleshar Source (New) | Transport | UK | Yes | 1 TB |
| OYAK Source (New) | Finance | Turkey | Yes | 720 GB |
| Flipkart Source 1; source 2 (Update) | IT services | India | Yes | 552,094 |
| Reny Picot Source (New) | Manufacturing | Spain | Yes | 350 GB |
| Instituto Tecnológico Superior de Atlixco, CECyTE Morelos, Municipio de San Andrés Cholula, Departamento de Farmacología, FacMed, UNAM, and others Source (New) | Education, public and others | Mexico | Yes | 250 GB |
| GLG (Gerson Lehrman Group) Source (New) | Professional services | USA | Yes | 152,621 |
| Rashim LTD and Israeli universities, including Sapir College, Sakhnin College and the Policy Academy in Beit Shemesh Source 1; source 2 (New) | Software and education | Israel | Yes | 120 GB |
| Prince George County Public Schools Source (New) | Education | USA | Yes | 117,785 |
| Zapping Source (New) | Leisure | Chile | Yes | >100,000 |
| Saint Louis University Source (New) | Education | USA | Yes | 93,612 |
| Nations Direct Mortgage Source (New) | Finance | USA | Yes | 83,108 |
| Bradford-Scott Data, Massachusetts Family Credit Union, Methuen Federal Credit Union, Priority Plus Federal Credit Union, StagePoint Federal Credit Union, Wellness Federal Credit Union and Community Credit Union of New Milford Source 1; source 2 (Update) | IT services and finance | USA | Yes | 43,414 |
| CCM Health Source (New) | Healthcare | USA | Yes | 29,182 |
| Stanford University Department of Public Safety Source 1; source 2 (Update) | Education | USA | Yes | 27,000 |
| Eland Energy, Inc. Source (New) | Energy | USA | Yes | 18,237 |
| Precision Tune Auto Care Source 1; source 2 (Update) | Manufacturing | USA | Yes | 15,633 |
| Teleflora Source 1; source 2 (Update) | Manufacturing | USA | Yes | 12,635 |
| The Biltmore Company Source (New) | Retail | USA | Yes | 11,530 |
| Rudman Winchell Source (New) | Legal | USA | Yes | 11,327 |
| Double Eagle Energy Holdings IV LLC Source 1; source 2 (Update) | Energy | USA | Yes | 9,040 |
| Faculty of Exact, Physical and Natural Sciences at Universidad de Córdoba Source (New) | Education | Argentina | Yes | 8,841 |
| Texas Health and Human Services Source (New) | Public | USA | Yes | 3,392 |
| Universidad de Córdoba Source (New) | Education | Argentina | Yes | 2,858 |
| Ada Technologies Incorporated Source 1; source 2 (New) | Manufacturing | USA | Yes | 2,398 |
| KMJ Health Solutions Source 1; source 2 (New) | IT services | USA | Yes | 2,191 |
| ACR Electronics, Inc. Source (New) | Manufacturing | USA | Yes | 2,045 |
| Grow Financial Federal Credit Union Source (New) | Finance | USA | Yes | 1,635 |
| Bay Surgical Specialists Source 1; source 2 (New) | Healthcare | USA | Yes | 1,505 |
| Orsini Specialty Pharmacy Source 1; source 2 (New) | Manufacturing | USA | Yes | 1,433 |
| BlueCross BlueShield of Tennessee, Inc. and Volunteer State Health Plan, Inc. d/b/a BlueCare Plus Tennessee Source 1; source 2 (Update) | Insurance | USA | Yes | 1,251 |
| Taft Stettinius & Hollister LLP Source (New) | Legal | USA | Yes | 641 |
| Oakland Community Health Network Source 1; source 2 (New) | Healthcare | USA | Yes | 607 |
| East Side Health District Source 1; source 2 (New) | Healthcare | USA | Yes | 559 |
| Lake of the Woods County Department of Social Services Source 1; source 2 (New) | Public | USA | Yes | 537 |
| Jewish Home Lifecare Source 1; source 2 (New) | Healthcare | USA | Yes | 501 |
| Khorfakkan Municipality Source (New) | Public | UAE | Yes | 369 |
| Four Seasons Sales & Service Source (New) | Retail | USA | Yes | 269 |
| RPS Defense Source (New) | Manufacturing | USA | Yes | 213 |
| Port City Air Source (New) | Transport | USA | Yes | 125 |
| West Chester University of Pennsylvania Source (New) | Education | USA | Yes | >36 |
| MSI United States and DonorPerfect Source (New) | Non-profit and software | USA | Yes | 24 |
| Northeast Credit Union Source (New) | Finance | USA | Yes | 9 |
| Intuit Source (New) | Software | USA | Yes | 1 |
| Mozaic Source (New) | Crypto | British Virgin Islands | Yes | Unknown |
| ZSB & Company Professional Corporation Source (New) | Finance | Canada | Yes | Unknown |
| Journey Freight International Source (New) | Transport | Canada | Yes | Unknown |
| ADOM Salud Source (New) | Healthcare | Colombia | Yes | Unknown |
| Dörr Group Source (New) | Retail | Germany | Yes | Unknown |
| VOID Interactive Source (New) | Software | Ireland | Yes | Unknown |
| The Lebanese Organization for Studies and Training Source (New) | Non-profit | Lebanon | Yes | Unknown |
| FGV Holdings Berhad Source (New) | Manufacturing | Malaysia | Yes | Unknown |
| AirAsia Source (New) | Transport | Malaysia | Yes | Unknown |
| Banregio Source (New) | Finance | Mexico | Yes | Unknown |
| Topa Partners Ltd Source (New) | Professional services | New Zealand | Yes | Unknown |
| Ministerio de Educación del Perú Source (New) | Public | Peru | Yes | Unknown |
| Acer Philippines Source (New) | Manufacturing | Philippines | Yes | Unknown |
| Brooks Tropicals Source (New) | Agricultural | USA | Yes | Unknown |
| DHanis ISD Source (New) | Education | USA | Yes | Unknown |
| Scranton School District Source (New) | Education | USA | Yes | Unknown |
| Encina Wastewater Authority Source (New) | Environmental | USA | Yes | Unknown |
| ATMCo Source (New) | Finance | USA | Yes | Unknown |
| EquiLend Source 1; source 2; source 3 (Update) | Finance | USA | Yes | Unknown |
| Orthopedics Associates of Flower Mound Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Rancho Medical Family Group Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| St. Rose Dominican Hospitals (Rose de Lima) Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Facey Goss & McPhee P.C. Source (New) | Legal | USA | Yes | Unknown |
| International Monetary Fund Source (New) | Public | USA | Yes | Unknown |
| Wyoming Financial Group (WERCS) Source (New) | Real estate | USA | Yes | Unknown |
| The North Face Source (New) | Retail | USA | Yes | Unknown |
| Opus Match Source (New) | Software | USA | Yes | Unknown |
| R1 RCM Source 1; source 2 (New) | Software | USA | Yes | Unknown |
| Jonathan Katz (former manager of a telecoms company from Burlington County, New Jersey) Source (New) | Telecoms | USA | Yes | Unknown |
| edpnet België Source (New) | Telecoms | Belgium | Unknown | Unknown |
| Town of Huntsville Source (New) | Public | Canada | Unknown | Unknown |
| Prensa Latina TV Source (New) | Media | Cuba | Unknown | Unknown |
| Petroltecnica S.p.A. Source (New) | Environmental | Italy | Unknown | Unknown |
| Fujitsu Source (New) | IT services | Japan | Unknown | Unknown |
| Meduza Source (New) | Media | Latvia | Unknown | Unknown |
| Russian polling stations Source (New) | Public | Russia | Unknown | Unknown |
| Moscow Metro Source (New) | Transport | Russia | Unknown | Unknown |
| NHS Dumfries & Galloway Source 1; source 2 (New) | Healthcare | UK | Unknown | Unknown |
| Option Care Health Source (New) | Healthcare | USA | Unknown | Unknown |
| CHRG Source (New) | Hospitality | Australia | No | 0 |
| Dozens of Estonian government institutions Source (New) | Public | Estonia | No | 0 |
| 8 French government agencies Source 1; source 2 (New) | Public | France | No | 0 |
| Liverpool John Lennon Airport Source (New) | Transport | UK | No | 0 |
| Multiple Alabama government agencies Source (New) | Public | USA | No | 0 |
| MarineMax Source (New) | Retail | USA | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
AI
MEPs adopt Artificial Intelligence Act
The European Parliament has endorsed the EU Artificial Intelligence Act, with 523 MEPs voting in favour and 46 against the Act. There were 49 abstentions.
The Act “aims to protect fundamental rights, democracy, the rule of law and environmental sustainability from high-risk AI, while boosting innovation and establishing Europe as a leader in the field”. It also “establishes obligations for AI based on its potential risks and level of impact”.
Garante launches investigation into OpenAI’s Sora
Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, has announced that it is investigating OpenAI following the launch of a new AI model called Sora, which is capable of creating videos from short textual instructions. The Garante is considering the possible implications Sora could have for the processing of EU residents’ personal data.
Enforcement
European Commission’s use of Microsoft 365 infringes data protection law
The EDPS (European Data Protection Supervisor) has announced that it has found the European Commission’s use of Microsoft 365 infringed several data protection provisions that apply to EUIs (EU institutions, bodies, offices and agencies), including ensuring that personal data transferred outside the EEA is subject to appropriate safeguards.
LockBit associate pleads guilty to cyber extortion
Mikhail Vasiliev, a hacker awaiting extradition from Canada to the US on cyber crime charges, has pleaded guilty to eight counts of cyber extortion, mischief and weapons charges. Vasiliev was arrested over a year ago for committing crimes in connection with the LockBit ransomware group.
Justice officials say Vasiliev took tens of millions of dollars in ransom payments from at least 1,000 ransomware attacks.
Meanwhile, LockBit’s purported leader has vowed to continue its ransomware attacks, despite the massive law enforcement operation that disrupted the group earlier this year.
Polish supervisory authority issues two €24,000 fines for data breach notification failures
Poland’s data protection authority, the UODO (Urząd Ochrony Danych Osobowych), fined two organisations last year for failing to notify it of personal data breaches.
According to the EDPB (European Data Protection Board), the UODO fined an insurance company €24,000 in October 2023 after an unauthorised recipient received an email that was sent in error. The email’s attachment contained personal data belonging to an insurance claimant.
The UODO also fined the District Court in Krakow the same amount in December 2023 after it sent a package containing personal data to the Minister of Foreign Affairs, which arrived damaged and incomplete. The Court, which was the data controller in this instance, failed to notify the supervisory authority of the breach.
Other news
noyb complains that Swedish data broker uses legal loophole to evade GDPR
The privacy rights campaign group noyb has filed a complaint against one of Sweden’s largest data brokers, MrKoll. noyb argues that MrKoll’s use of a media licence unfairly exempts it from its obligations under the GDPR (General Data Protection Regulation), depriving “people of their fundamental right to privacy and [exposing] their most intimate data to the internet”.
ICO publishes view on DPDI Bill
The ICO (Information Commissioner’s Office) has published its view on the government’s DPDI (Data Protection and Digital Information Bill) as it reaches the Lords committee stage. The Bill aims to reform data protection law in the UK.
Browsers add extra protection to help secure users
Google has announced that Chrome will now use real-time Safe Browsing protections to show warnings when users visit potentially unsafe websites.
And Microsoft has announced that new security protections in Edge and other Chromium-based browsers will prevent criminal hackers from using an exploit in a Renderer Process to escape the Renderer sandbox. This will prevent “attackers from using an exploit to enable the Mojo JavaScript bindings (MojoJS) for their site context within the Renderer”.
Key dates
31 March 2024 – PCI DSS v4.0 transitioning deadline
Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.
30 April 2024 – ISO/IEC 27001:2013 certification unavailable
Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
The post The Week in Cyber Security and Data Privacy: 11 – 17 March 2024 appeared first on IT Governance UK Blog.