The Week in Cyber Security and Data Privacy: 15 – 21 January 2024

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

More than 70 million email addresses added to Have I Been Pwned

The security researcher Troy Hunt has added more than 70 million email addresses from the Naz.API data set to his Have I Been Pwned data breach notification service. The data set is a collection of 1 billion credentials sourced from stealer logs and hosted on the illicit.services website. According to Hunt, more than a third of the email addresses were new to Have I Been Pwned.

Data breached: 70,840,771 email addresses.

VF Corporation confirms 35.5 million customers’ data stolen

VF Corporation – the parent company of many popular clothing brands, including Vans and The North Face – has confirmed in its Form 8-K/A filing to the US Securities and Exchange Commission (an amendment to its original Form 8-K filing) that its December 2023 cyber attack resulted in the theft of 35.5 million customers’ data.

Data breached: 35,500,000 records.

More than 10 million lines of Pastelería Mozart customer data apparently posted on dark web

The Ynnian hacking group has posted 10,870,525 lines of data on the dark web, apparently originating from Pastelería Mozart, a popular bakery chain in Chile. The leaked information allegedly includes customers’ names, dates of birth, email addresses, passwords and phone numbers.

Data breached: 10,870,524 lines.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 130,036,285 records known to be compromised, and 116 organisations suffering a newly disclosed incident. 96 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.

We’ve also found 9 organisations providing a significant update on a previously disclosed incident.

Organisation(s) | Source(s) | New/Update | Sector | Location | Data breached? | Known records breached
Naz.API (likely belonging to multiple organisations) | Source | New | Unknown | Unknown | Yes | 70,840,771
VF Corporation | Source 1; source 2 | Update | Retail | USA | Yes | 35,500,000
Pastelería Mozart | Source | New | Hospitality | Chile | Yes | 10,870,524
Foxsemicon Integrated Technology, Inc. | Source 1; source 2 | New | Manufacturing | Taiwan | Yes | 5 TB
Korean Association of Social Workers | Source | New | Public | South Korea | Yes | 1,350,000
Fred Hutchinson Cancer Center | Source 1; source 2; source 3 | Update | Healthcare | USA | Yes | 890,959
Target | Source | New | Retail | USA | Yes | 800,000
Toyota Tsusho Insurance Broker India | Source | New | Insurance | India | Yes | 657,000
Busse & Busse, P.C. | Source | New | Legal | USA | Yes | 637,873
Anna Jaques Hospital | Source 1; source 2; source 3 | Update | Healthcare | USA | Yes | 600 GB
Plaza Radiology, LLC | Source 1; source 2 | New | Healthcare | USA | Yes | 569,022
GEICO | Source | New | Insurance | USA | Yes | 552,900
Tone Academy | Source | New | Education | India | Yes | 400,000
CompleteCare Health Network | Source 1; source 2; source 3 | Update | Healthcare | USA | Yes | 313,973
Academy Mortgage Corporation | Source 1; source 2 | Update | Finance | USA | Yes | 284,443
buygoods | Source | New | Retail | USA | Yes | 257,562
Large payment system in Egypt | Source | New | Finance | Egypt | Yes | 212,312
Subway | Source | New | Hospitality | USA | Yes | Hundreds of GB
Columbus Regional Healthcare System | Source | New | Healthcare | USA | Yes | 132,887
Cooper Aerobics | Source 1; source 2; source 3 | Update | Healthcare | USA | Yes | 124,341
AUSA | Source | New | Manufacturing | Spain | Yes | 93,796
Projects World Co. | Source | New | Manufacturing | Saudi Arabia | Yes | 86.16 GB
JSP Pharmaceutical Manufacturing (Thailand) PCL | Source | New | Manufacturing | Thailand | Yes | >80 GB
TREZOR | Source | New | Crypto | France | Yes | Nearly 66,000
Oak View Group | Source | New | Leisure | USA | Yes | 58,935
Innefu Labs Pvt. Ltd. | Source | New | Cyber security | India | Yes | 54 GB
Arden Claims Service | Source | New | Finance | USA | Yes | 50,032
Ashford Inc. | Source | New | Real estate | USA | Yes | 46,906
Hampton-Newport News Community Services Board | Source 1; source 2; source 3 | New | Healthcare | USA | Yes | 44,312
Air Methods | Source 1; source 2 | New | Healthcare | USA | Yes | 34,016
GREYHOURS | Source | New | Retail | France | Yes | 18,700
Groveport Madison Schools | Source 1; source 2; source 3 | Update | Education | USA | Yes | 15.5 GB
ELO CPAs & Advisors | Source | New | Finance | USA | Yes | 15,167
THE ICONIC, Guzman y Gomez, Dan Murphy’s, BINGE, Event Cinemas and TVSN | Source | New | Retail, hospitality, manufacturing, leisure and media | Australia | Yes | >15,000
Community Memorial Healthcare | Source 1; source 2 | New | Healthcare | USA | Yes | 14,798
InHealth Technologies | Source 1; source 2 | New | Manufacturing | USA | Yes | 12,143
Foundation Building Materials and Marjam Supply | Source | New | Retail | USA | Yes | 7,957
Tameside Council | Source | New | Public | UK | Yes | 6,345
Summit Medical Group | Source 1; source 2 | New | Healthcare | USA | Yes | 5,809
Community Tri-County Healthcare | Source 1; source 2 | New | Healthcare | USA | Yes | 4,135
Fora Financial | Source | New | Finance | USA | Yes | 3,270
International Cooling Tower USA, Inc. | Source 1; source 2 | New | Manufacturing | USA | Yes | 2,833
Morgan Stanley Health Benefits and Insurance Plan | Source 1; source 2 | New | Insurance | USA | Yes | 2,442
Keystone First | Source 1; source 2 | New | Healthcare | USA | Yes | 1,965
Finham Park Multi Academy Trust | Source | New | Education | UK | Yes | 1,843
Hamilton Tax and Accounting LLC | Source 1; source 2 | New | Finance | USA | Yes | 1,543
Northern Inyo Healthcare District | Source 1; source 2 | New | Healthcare | USA | Yes | 1,305
Dickinson County Health Department | Source | New | Public | USA | Yes | 1,063
California Public Employees Retirement System | Source 1; source 2 | New | Public | USA | Yes | 1,033
Zephyr Ventilation | Source | New | Retail | USA | Yes | 514
Main Military Construction Directorate for Special Facilities | Source | New | Defence | Russia | Yes | >500
D’Youville Life & Wellness Community | Source 1; source 2 | New | Healthcare | USA | Yes | 501
Pennsylvania Multi Family Asset Managers | Source | New | Real estate | USA | Yes | 278
Farren International LLC | Source | New | Transport | USA | Yes | 235
Escuela Superior de Formación Artística Pública de Juliaca | Source | New | Education | Peru | Yes | 234
Colegio de Abogados de la Ciudad de Buenos Aires | Source | New | Legal | Argentina | Yes | 133
Metropolitan Area Planning Council | Source | New | Public | USA | Yes | 2
PC Matthew Gell (Nottinghamshire Police) | Source | New | Public | UK | Yes | 1
Payoneer | Source | New | Finance | Argentina | Yes | Unknown
Fertility North | Source | New | Healthcare | Australia | Yes | Unknown
Court Services Victoria | Source 1; source 2 | Update | Legal | Australia | Yes | Unknown
Clearview Resources Ltd | Source 1; source 2 | Update | Energy | Canada | Yes | Unknown
Tilbury District Family Health Team | Source | New | Healthcare | Canada | Yes | Unknown
JDB Group | Source | New | Manufacturing | China | Yes | Unknown
Maisons de l’Avenir | Source | New | Construction | France | Yes | Unknown
Vision Plast | Source | New | Manufacturing | France | Yes | Unknown
Socket | Source 1; source 2 | New | Blockchain | India | Yes | Unknown
Cipla | Source | New | Manufacturing | India | Yes | Unknown
Vasudha Pharma Chem. Ltd. | Source | New | Manufacturing | India | Yes | Unknown
PT Samuel Sekuritas Indonesia | Source | New | Finance | Indonesia | Yes | Unknown
Shinwa Foreign Language Academy | Source | New | Education | Japan | Yes | Unknown
Aegon | Source | New | Finance | Netherlands | Yes | Unknown
Emagister | Source | New | Education | Spain | Yes | Unknown
Lanbide | Source | New | Public | Spain | Yes | Unknown
Ulsan HD FC | Source | New | Leisure | South Korea | Yes | Unknown
Tietoevry | Source | New | IT services | Sweden | Yes | Unknown
Hosted-IT Ltd | Source | New | IT services | UK | Yes | Unknown
Millgate | Source | New | IT services | UK | Yes | Unknown
Liverpool City Region Combined Authority | Source | New | Public | UK | Yes | Unknown
Space NK | Source | New | Retail | UK | Yes | Unknown
Pratt Institute | Source | New | Education | USA | Yes | Unknown
Rocky Mountain University | Source | New | Education | USA | Yes | Unknown
Premier Facility Management, Corp | Source | New | Environmental | USA | Yes | Unknown
Ameriprise Financial Services, LLC | Source 1; source 2 | New | Finance | USA | Yes | Unknown
Beasley, Mitchell & Co., LLP | Source | New | Finance | USA | Yes | Unknown
Hanmi Bank | Source 1; source 2 | New | Finance | USA | Yes | Unknown
Wayne Bank | Source 1; source 2 | New | Finance | USA | Yes | Unknown
McDonald’s | Source 1; source 2; source 3 | New | Hospitality | USA | Yes | Unknown
CAMICO | Source 1; source 2 | New | Insurance | USA | Yes | Unknown
First Financial Security | Source 1; source 2 | New | Insurance | USA | Yes | Unknown
HMSA | Source | New | Insurance | USA | Yes | Unknown
F.J. O’Hara & Sons, Inc. | Source | New | IT services | USA | Yes | Unknown
Virgin Islands Lottery | Source | New | Leisure | USA | Yes | Unknown
Ascendum Machinery | Source | New | Manufacturing | USA | Yes | Unknown
Digital Power Corporation | Source | New | Manufacturing | USA | Yes | Unknown
Maxxis International | Source | New | Manufacturing | USA | Yes | Unknown
Maine Salty Girl | Source | New | Retail | USA | Yes | Unknown
Microsoft | Source | New | Software | USA | Yes | Unknown
At least 172,000 smart TVs and set-top boxes | Source | New | Unknown | Brazil | Unknown | Unknown
Paisii Hilendarski University of Plovdiv | Source | New | Education | Bulgaria | Unknown | Unknown
SudaChad Telecom | Source | New | Telecoms | Chad | Unknown | Unknown
Indian Air Force | Source | New | Defence | India | Unknown | Unknown
BLB Limited | Source | New | Finance | India | Unknown | Unknown
Milectria | Source | New | Manufacturing | Finland | Unknown | Unknown
Telegram, WhatsApp and Beeline | Source | New | IT services and telecoms | Russia | Unknown | Unknown
Swiss government websites | Source 1; source 2 | New | Public | Switzerland | Unknown | Unknown
Legal & General | Source | New | Finance | UK | Unknown | Unknown
EK Services, and Canterbury, Dover and Thanet councils | Source | New | IT services and public | UK | Unknown | Unknown
Manta Network | Source | New | Blockchain | USA | Unknown | Unknown
Kansas State University | Source | New | Education | USA | Unknown | Unknown
UC Irvine | Source | New | Education | USA | Unknown | Unknown
Banco Nacional de Angola | Source | New | Finance | Angola | No | 0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

ICO launches consultation on generative AI and data protection

The Information Commissioner’s Office has launched a consultation series on the application of data protection law to generative AI models, particularly in relation to the UK GDPR and Part 2 of the DPA 2018. The first chapter covers the lawful basis for training generative AI models on web-scraped data and is open until 1 March.

Microsoft gives all businesses access to AI-powered Office features

When Microsoft launched Copilot for Office 365 in November 2023, it required enterprise customers to have at least 300 users. It has now removed that requirement, opening up Copilot to businesses of all sizes. According to Microsoft, “Microsoft 365 Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills.”

Australian government sets out risk-based system to respond to AI

The Australian government has launched its plan to respond to the rise in AI, using a risk-based system to impose proportionate controls on its use. Under the proposed rules, mandatory safeguards would be applied to high-risk applications of AI and watermarks would be applied to identify AI-generated content.


Enforcement

EDPB publishes GDPR one-stop shop case digest on security of processing and data breach notification

The European Data Protection Board has published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The case digest provides insights into how the data protection authorities have applied the GDPR’s provisions in various scenarios, such as ransomware attacks and the accidental disclosure of data.

CNIL fines Yahoo! €10 million for cookie violation

France’s data protection authority, the CNIL, has fined Yahoo EMEA Ltd €10 million for failing to take account of users’ cookie choices. Yahoo installed about 20 advertising cookies on users’ devices without their consent and failed to allow users of the Yahoo! Mail service to freely withdraw their consent.

BreachForums owner sentenced to at least 15 years in prison

Two weeks ago, we reported that the former admin of the now-defunct BreachForums website, Conor Brian Fitzpatrick, aka Pompompurin, had violated his parole. Fitzpatrick has now been sentenced to time served on 3 counts and supervised release of 20 years with special conditions.


Other news

Ivanti Connect Secure VPN breached with more than 1,700 devices exposed

On 10 January, the cyber security company Volexity published details of attacks exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances. Ivanti published a mitigation the same day and announced that it was developing a patch. Volexity now reports that it has identified more than 1,700 compromised Ivanti Connect Secure VPN devices worldwide.

Two-fifths of employees sacked over email security breaches

Nearly half of workers who were responsible for email security breaches in the past year were sacked, according to research from the cyber security company Egress. The organisation also found that 94% of organisations have experienced a serious email security incident in the past 12 months.

EDPB identifies areas of improvement relating to data protection officer role

The EDPB has adopted a report on the findings of its second coordinated enforcement action, which focuses on the designation and position of DPOs. The report encourages the data protection authorities to carry out more awareness-raising activities and enforcement actions, as well as encouraging organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments in their field.

European Commission completes review of adequacy decisions

The European Commission has reviewed 11 adequacy decisions that allow EU residents’ personal data to be transferred to third countries. Its report concludes that personal data transferred from the EU to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay is afforded adequate protection under the GDPR.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.


The post The Week in Cyber Security and Data Privacy: 15 – 21 January 2024 appeared first on IT Governance UK Blog.