Welcome to this week’s round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
More than 70 million email addresses added to Have I Been Pwned
The security researcher Troy Hunt has added more than 70 million email addresses from the Naz.API data set to his Have I Been Pwned data breach notification service. The data set is a collection of 1 billion credentials sourced from stealer logs and hosted on the illicit.services website. According to Hunt, more than a third of the email addresses were new to Have I Been Pwned.
Data breached: 70,840,771 email addresses.
VF Corporation confirms 35.5 million customers’ data stolen
VF Corporation – the parent company of many popular clothing brands, including Vans and The North Face – has confirmed in its Form 8-K/A filing to the US Securities and Exchange Commission (an amendment to its original Form 8-K filing) that its December 2023 cyber attack resulted in the theft of 35.5 million customers’ data.
Data breached: 35,500,000 records.
More than 10 million lines of Pastelería Mozart customer data apparently posted on dark web
The Ynnian hacking group has posted 10,870,525 lines of data on the dark web, apparently originating from Pastelería Mozart, a popular bakery chain in Chile. The leaked information allegedly includes customers’ names, dates of birth, email addresses, passwords and phone numbers.
Data breached: 10,870,524 lines.
Publicly disclosed data breaches and cyber attacks: full list
This week, we’ve found 130,036,285 records known to be compromised, and 116 organisations suffering a newly disclosed incident. 96 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.
We’ve also found 9 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known records breached |
| --- | --- | --- | --- | --- |
| Naz.API (likely belonging to multiple organisations) Source (New) | Unknown | Unknown | Yes | 70,840,771 |
| VF Corporation Source 1; source 2 (Update) | Retail | USA | Yes | 35,500,000 |
| Pastelería Mozart Source (New) | Hospitality | Chile | Yes | 10,870,524 |
| Foxsemicon Integrated Technology, Inc. Source 1; source 2 (New) | Manufacturing | Taiwan | Yes | 5 TB |
| Korean Association of Social Workers Source (New) | Public | South Korea | Yes | 1,350,000 |
| Fred Hutchinson Cancer Center Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 890,959 |
| Target Source (New) | Retail | USA | Yes | 800,000 |
| Toyota Tsusho Insurance Broker India Source (New) | Insurance | India | Yes | 657,000 |
| Busse & Busse, P.C. Source (New) | Legal | USA | Yes | 637,873 |
| Anna Jaques Hospital Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 600 GB |
| Plaza Radiology, LLC Source 1; source 2 (New) | Healthcare | USA | Yes | 569,022 |
| GEICO Source (New) | Insurance | USA | Yes | 552,900 |
| Tone Academy Source (New) | Education | India | Yes | 400,000 |
| CompleteCare Health Network Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 313,973 |
| Academy Mortgage Corporation Source 1; source 2 (Update) | Finance | USA | Yes | 284,443 |
| buygoods Source (New) | Retail | USA | Yes | 257,562 |
| Large payment system in Egypt Source (New) | Finance | Egypt | Yes | 212,312 |
| Subway Source (New) | Hospitality | USA | Yes | Hundreds of GB |
| Columbus Regional Healthcare System Source (New) | Healthcare | USA | Yes | 132,887 |
| Cooper Aerobics Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 124,341 |
| AUSA Source (New) | Manufacturing | Spain | Yes | 93,796 |
| Projects World Co. Source (New) | Manufacturing | Saudi Arabia | Yes | 86.16 GB |
| JSP Pharmaceutical Manufacturing (Thailand) PCL Source (New) | Manufacturing | Thailand | Yes | >80 GB |
| TREZOR Source (New) | Crypto | France | Yes | Nearly 66,000 |
| Oak View Group Source (New) | Leisure | USA | Yes | 58,935 |
| Innefu Labs Pvt. Ltd. Source (New) | Cyber security | India | Yes | 54 GB |
| Arden Claims Service Source (New) | Finance | USA | Yes | 50,032 |
| Ashford Inc. Source (New) | Real estate | USA | Yes | 46,906 |
| Hampton-Newport News Community Services Board Source 1; source 2; source 3 (New) | Healthcare | USA | Yes | 44,312 |
| Air Methods Source 1; source 2 (New) | Healthcare | USA | Yes | 34,016 |
| GREYHOURS Source (New) | Retail | France | Yes | 18,700 |
| Groveport Madison Schools Source 1; source 2; source 3 (Update) | Education | USA | Yes | 15.5 GB |
| ELO CPAs & Advisors Source (New) | Finance | USA | Yes | 15,167 |
| THE ICONIC, Guzman y Gomez, Dan Murphy’s, BINGE, Event Cinemas and TVSN Source (New) | Retail, hospitality, manufacturing, leisure and media | Australia | Yes | >15,000 |
| Community Memorial Healthcare Source 1; source 2 (New) | Healthcare | USA | Yes | 14,798 |
| InHealth Technologies Source 1; source 2 (New) | Manufacturing | USA | Yes | 12,143 |
| Foundation Building Materials and Marjam Supply Source (New) | Retail | USA | Yes | 7,957 |
| Tameside Council Source (New) | Public | UK | Yes | 6,345 |
| Summit Medical Group Source 1; source 2 (New) | Healthcare | USA | Yes | 5,809 |
| Community Tri-County Healthcare Source 1; source 2 (New) | Healthcare | USA | Yes | 4,135 |
| Fora Financial Source (New) | Finance | USA | Yes | 3,270 |
| International Cooling Tower USA, Inc. Source 1; source 2 (New) | Manufacturing | USA | Yes | 2,833 |
| Morgan Stanley Health Benefits and Insurance Plan Source 1; source 2 (New) | Insurance | USA | Yes | 2,442 |
| Keystone First Source 1; source 2 (New) | Healthcare | USA | Yes | 1,965 |
| Finham Park Multi Academy Trust Source (New) | Education | UK | Yes | 1,843 |
| Hamilton Tax and Accounting LLC Source 1; source 2 (New) | Finance | USA | Yes | 1,543 |
| Northern Inyo Healthcare District Source 1; source 2 (New) | Healthcare | USA | Yes | 1,305 |
| Dickinson County Health Department Source (New) | Public | USA | Yes | 1,063 |
| California Public Employees Retirement System Source 1; source 2 (New) | Public | USA | Yes | 1,033 |
| Zephyr Ventilation Source (New) | Retail | USA | Yes | 514 |
| Main Military Construction Directorate for Special Facilities Source (New) | Defence | Russia | Yes | >500 |
| D’Youville Life & Wellness Community Source 1; source 2 (New) | Healthcare | USA | Yes | 501 |
| Pennsylvania Multi Family Asset Managers Source (New) | Real estate | USA | Yes | 278 |
| Farren International LLC Source (New) | Transport | USA | Yes | 235 |
| Escuela Superior de Formación Artística Pública de Juliaca Source (New) | Education | Peru | Yes | 234 |
| Colegio de Abogados de la Ciudad de Buenos Aires Source (New) | Legal | Argentina | Yes | 133 |
| Metropolitan Area Planning Council Source (New) | Public | USA | Yes | 2 |
| PC Matthew Gell (Nottinghamshire Police) Source (New) | Public | UK | Yes | 1 |
| Payoneer Source (New) | Finance | Argentina | Yes | Unknown |
| Fertility North Source (New) | Healthcare | Australia | Yes | Unknown |
| Court Services Victoria Source 1; source 2 (Update) | Legal | Australia | Yes | Unknown |
| Clearview Resources Ltd Source 1; source 2 (Update) | Energy | Canada | Yes | Unknown |
| Tilbury District Family Health Team Source (New) | Healthcare | Canada | Yes | Unknown |
| JDB Group Source (New) | Manufacturing | China | Yes | Unknown |
| Maisons de l’Avenir Source (New) | Construction | France | Yes | Unknown |
| Vision Plast Source (New) | Manufacturing | France | Yes | Unknown |
| Socket Source 1; source 2 (New) | Blockchain | India | Yes | Unknown |
| Cipla Source (New) | Manufacturing | India | Yes | Unknown |
| Vasudha Pharma Chem. Ltd. Source (New) | Manufacturing | India | Yes | Unknown |
| PT Samuel Sekuritas Indonesia Source (New) | Finance | Indonesia | Yes | Unknown |
| Shinwa Foreign Language Academy Source (New) | Education | Japan | Yes | Unknown |
| Aegon Source (New) | Finance | Netherlands | Yes | Unknown |
| Emagister Source (New) | Education | Spain | Yes | Unknown |
| Lanbide Source (New) | Public | Spain | Yes | Unknown |
| Ulsan HD FC Source (New) | Leisure | South Korea | Yes | Unknown |
| Tietoevry Source (New) | IT services | Sweden | Yes | Unknown |
| Hosted-IT Ltd Source (New) | IT services | UK | Yes | Unknown |
| Millgate Source (New) | IT services | UK | Yes | Unknown |
| Liverpool City Region Combined Authority Source (New) | Public | UK | Yes | Unknown |
| Space NK Source (New) | Retail | UK | Yes | Unknown |
| Pratt Institute Source (New) | Education | USA | Yes | Unknown |
| Rocky Mountain University Source (New) | Education | USA | Yes | Unknown |
| Premier Facility Management, Corp Source (New) | Environmental | USA | Yes | Unknown |
| Ameriprise Financial Services, LLC Source 1; source 2 (New) | Finance | USA | Yes | Unknown |
| Beasley, Mitchell & Co., LLP Source (New) | Finance | USA | Yes | Unknown |
| Hanmi Bank Source 1; source 2 (New) | Finance | USA | Yes | Unknown |
| Wayne Bank Source 1; source 2 (New) | Finance | USA | Yes | Unknown |
| McDonald’s Source 1; source 2; source 3 (New) | Hospitality | USA | Yes | Unknown |
| CAMICO Source 1; source 2 (New) | Insurance | USA | Yes | Unknown |
| First Financial Security Source 1; source 2 (New) | Insurance | USA | Yes | Unknown |
| HMSA Source (New) | Insurance | USA | Yes | Unknown |
| F.J. O’Hara & Sons, Inc. Source (New) | IT services | USA | Yes | Unknown |
| Virgin Islands Lottery Source (New) | Leisure | USA | Yes | Unknown |
| Ascendum Machinery Source (New) | Manufacturing | USA | Yes | Unknown |
| Digital Power Corporation Source (New) | Manufacturing | USA | Yes | Unknown |
| Maxxis International Source (New) | Manufacturing | USA | Yes | Unknown |
| Maine Salty Girl Source (New) | Retail | USA | Yes | Unknown |
| Microsoft Source (New) | Software | USA | Yes | Unknown |
| At least 172,000 smart TVs and set-top boxes Source (New) | Unknown | Brazil | Unknown | Unknown |
| Paisii Hilendarski University of Plovdiv Source (New) | Education | Bulgaria | Unknown | Unknown |
| SudaChad Telecom Source (New) | Telecoms | Chad | Unknown | Unknown |
| Indian Air Force Source (New) | Defence | India | Unknown | Unknown |
| BLB Limited Source (New) | Finance | India | Unknown | Unknown |
| Milectria Source (New) | Manufacturing | Finland | Unknown | Unknown |
| Telegram, WhatsApp and Beeline Source (New) | IT services and telecoms | Russia | Unknown | Unknown |
| Swiss government websites Source 1; source 2 (New) | Public | Switzerland | Unknown | Unknown |
| Legal & General Source (New) | Finance | UK | Unknown | Unknown |
| EK Services, and Canterbury, Dover and Thanet councils Source (New) | IT services and public | UK | Unknown | Unknown |
| Manta Network Source (New) | Blockchain | USA | Unknown | Unknown |
| Kansas State University Source (New) | Education | USA | Unknown | Unknown |
| UC Irvine Source (New) | Education | USA | Unknown | Unknown |
| Banco Nacional de Angola Source (New) | Finance | Angola | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. We can’t know the exact number of records, because it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), so we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
AI
ICO launches consultation on generative AI and data protection
The Information Commissioner’s Office has launched a consultation series on the application of data protection law to generative AI models, particularly in relation to the UK GDPR and Part 2 of the DPA 2018. The first chapter covers the lawful basis for training generative AI models on web-scraped data and is open until 1 March.
Microsoft gives all businesses access to AI-powered Office features
When Microsoft launched Copilot for Office 365 in November 2023, it required enterprise customers to have at least 300 users. It has now removed that requirement, opening up Copilot to businesses of all sizes. According to Microsoft, “Microsoft 365 Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills.”
Australian government sets out risk-based system to respond to AI
The Australian government has launched its plan to respond to the rise in AI, using a risk-based system to impose proportionate controls on its use. Under the proposed rules, mandatory safeguards would be applied to high-risk applications of AI and watermarks would be applied to identify AI-generated content.
Enforcement
EDPB publishes GDPR one-stop shop case digest on security of processing and data breach notification
The European Data Protection Board has published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The case digest provides insights into how the data protection authorities have applied the GDPR’s provisions in various scenarios, such as ransomware attacks and the accidental disclosure of data.
CNIL fines Yahoo! €10 million for cookie violation
France’s data protection authority, the CNIL, has fined Yahoo EMEA Ltd €10 million for failing to take account of users’ cookie choices. Yahoo installed about 20 advertising cookies on users’ devices without their consent and failed to allow users of the Yahoo! Mail service to freely withdraw their consent.
BreachForums owner sentenced to at least 15 years in prison
Two weeks ago, we reported that the former admin of the now-defunct BreachForums website, Conor Brian Fitzpatrick, aka Pompompurin, had violated his parole. Fitzpatrick has now been sentenced to time served on 3 counts and supervised release of 20 years with special conditions.
Other news
Ivanti Connect Secure VPN breached with more than 1,700 devices exposed
On 10 January, the cyber security company Volexity published details of attacks exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances. Ivanti published a mitigation the same day and announced that it was developing a patch. Volexity now reports that it has identified more than 1,700 compromised Ivanti Connect Secure VPN devices worldwide.
Two-fifths of employees sacked over email security breaches
Nearly half of workers who were responsible for email security breaches in the past year were sacked, according to research from the cyber security company Egress. The organisation also found that 94% of organisations have experienced a serious email security incident in the past 12 months.
EDPB identifies areas of improvement relating to data protection officer role
The EDPB has adopted a report on the findings of its second coordinated enforcement action, which focuses on the designation and position of DPOs. The report encourages the data protection authorities to carry out more awareness-raising activities and enforcement actions, as well as encouraging organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments in their field.
European Commission completes review of adequacy decisions
The European Commission has reviewed 11 adequacy decisions that allow EU residents’ personal data to be transferred to third countries. Its report concludes that personal data transferred from the EU to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay is afforded adequate protection under the GDPR.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
The post The Week in Cyber Security and Data Privacy: 15 – 21 January 2024 appeared first on IT Governance UK Blog.