The Week in Cyber Security and Data Privacy: 20 – 26 November 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

This week, we’re taking a slightly different approach with the ‘publicly disclosed data breaches and cyber attacks’ category, presenting the most interesting data points in a table format. This should make it easier for you to quickly find the information you want.

We’ve also included more details on the top 3 biggest breaches of the week.

The ‘enforcement’ and ‘other news’ categories remain unchanged.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Over 95 million records breached from just one organisation; hundreds of organisations’ Kubernetes Secrets exposed

Researchers from Aqua Nautilus have discovered Kubernetes Secrets – objects that contain small amounts of sensitive data, such as passwords, tokens or keys – relating to hundreds of organisations exposed to the Internet in public GitHub repositories.

Among those affected was SAP SE. The researchers discovered credentials that provided access to 95,592,696 artifacts, as well as download permissions and some deploy operations. They notified SAP SE, which responded “in the most professional and efficient manner”, remediating the issue, launching an investigation and maintaining communications with Aqua Nautilus.
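As an added example (not code from the report or from Aqua Nautilus), a small stdlib-only Python check of the kind a repository owner can run before pushing: it parses Kubernetes manifests and flags any `Secret` whose `data` or `stringData` fields are populated, since those are exactly the objects that end up exposed in public GitHub repositories. The manifest below is constructed for the example.

```python
import re

# Constructed sample (not from the report): one populated Secret and one
# harmless ConfigMap in a single multi-document manifest file.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: registry-creds
type: Opaque
data:
  username: YWRtaW4=
  password: UEBzc3cwcmQh
stringData:
  token: plaintext-token-value
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: debug
"""


def find_exposed_secrets(manifest_text):
    """Return (secret_name, key, section) for every populated entry under
    data: or stringData: in each document whose kind is Secret."""
    findings = []
    for doc in manifest_text.split("\n---"):
        if not re.search(r"^kind:\s*Secret\s*$", doc, re.M):
            continue  # ConfigMaps, Deployments etc. are not in scope
        m = re.search(r"^\s+name:\s*(\S+)", doc, re.M)
        name = m.group(1) if m else "<unnamed>"
        section = None
        for line in doc.splitlines():
            if re.match(r"^(data|stringData):\s*$", line):
                section = line.split(":")[0]  # entering a secret-bearing map
                continue
            if not line.startswith(" "):
                section = None  # any other top-level key ends the map
                continue
            if section:
                km = re.match(r"^\s+([\w.\-]+):\s*(\S*)", line)
                if km and km.group(2):
                    findings.append((name, km.group(1), section))
    return findings


if __name__ == "__main__":
    for name, key, section in find_exposed_secrets(SAMPLE_MANIFEST):
        print(f"Secret {name!r}: populated {section}.{key} must not be committed")
```

A CI or pre-commit hook that fails when this returns a non-empty list stops such manifests before they reach a public repository; values are reported by key only, never echoed.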

Breached records: 95,592,696.

Over 56 million sensitive records leaked by TmaxSoft

TmaxSoft, an IT company in South Korea, has exposed 2 TB of data to the Internet via a Kibana dashboard for over two years. The data contains more than 56 million records, some of which are duplicates.

Most of the leaked data is company information and emails, but includes employee names, phone numbers, employment contract numbers and emails, as well as email attachments, metadata and other sensitive information that could be exploited in supply chain attacks.

The dashboard was first spotted in June 2021.

Breached records: more than 56 million.

9 million records breached through decade-long data leak

A former temporary employee of a subsidiary of NTT West (Nippon Telegraph and Telephone West Corp) illegally accessed about 9 million personal data records over the course of a decade (2013 to 2023).

NTT Business Solutions in Osaka handles the computer system used by NTT call centres. The employee downloaded customer information, including names, addresses and telephone numbers, to a work terminal before transferring it to a USB drive. They then sold it on to list brokers – businesses or individuals that trade in personal information.

At least 59 organisations, which outsourced call centre operations, have been impacted by this breach.

Breached records: about 9 million.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 174,266,938 records known to be compromised, and 100 organisations suffering a newly disclosed incident. 19 of them are known to have had data exfiltrated or exposed. Only 3 definitely haven’t had data breached.

We’ve also found 5 organisations providing a significant update on a previously disclosed incident.

| Organisation name | Sector | Location | Data exfiltrated? | Known records breached |
|---|---|---|---|---|
| SAP SE (New) | Technology | Bulgaria | Unknown | 95,592,696 |
| TmaxSoft (New) | Technology | South Korea | Yes | 56,000,000+ |
| NTT Business Solutions (New) | Telecoms | Japan | Yes | 9,000,000 |
| Welltok (New) | Technology | USA | Yes | 8,493,379 |
| Online platform or service used by Turkish healthcare providers or the Ministry of Health (probably) (New) | Healthcare | Turkey | Yes | 1,900,000 |
| Taj Hotels (New) | Hospitality | India | Yes | 1,500,000 |
| Appscook Technologies (New) | Technology | India | Yes | Almost 1 million |
| INL (Idaho National Laboratory) (New) | Research | USA | Yes | 200,000+ |
| CCSD (Clark County School District) (Update) | Education | USA | Yes | 200,000 |
| AutoZone (New) | Retail | USA | Yes | 184,995 |
| HSKSG (New) | Finance | UK | Yes | 168 GB |
| New York City Bar Association (Update) | Legal | USA | Yes | 27,000+ (1.8 TB) |
| 64 organisations with Docker Hub accounts (New) | Unknown | Unknown | Yes | 768 |
| Microsoft (New) | Technology | USA | Unknown | 100+ |
| AFT (Autonomous Flight Technologies) (New) | Manufacturing | Romania | Yes | Unknown |
| GE (General Electric) (New) | Manufacturing | USA | Yes | Unknown |
| Gulf Air (New) | Transport | Bahrain | Yes | Unknown |
| Kansas courts (Update) | Legal | USA | Yes | Unknown |
| The British Library (Update) | Public | UK | Yes | Unknown |
| China Energy Engineering Corporation (New) | Energy | China | Yes | Unknown |
| Vodafone (New) | Telecoms | Spain | Yes | Unknown |
| CTS (New) | IT services | UK | Unknown | Unknown |
| HSE (New) | Utilities | Slovenia | Unknown | Unknown |
| New Relic (New) | Technology | USA | Unknown | Unknown |
| HTX (New) | Finance | Singapore | Unknown | Unknown |
| HECO (Huobi Eco) Chain (New) | Finance | China | Unknown | Unknown |
| KyberSwap (New) | Finance | Singapore | Unknown | Unknown |
| Two top tier blockchain companies (New) | Finance | USA | Unknown | Unknown |
| Portneuf Medical Center (New) | Healthcare | USA | Unknown | Unknown |
| UT Health East Texas (New) | Healthcare | USA | Unknown | Unknown |
| Pascack Valley Medical Center and Mountainside Medical Center (New) | Healthcare | USA | Unknown | Unknown |
| Hillcrest HealthCare System (New) | Healthcare | USA | Unknown | Unknown |
| Vanderbilt University Medical Center (New) | Healthcare | USA | Unknown | Unknown |
| Municipal Water Authority (New) | Public | USA | Unknown | Unknown |
| FNF (Fidelity National Financial) (New) | Insurance | USA | Unknown | Unknown |
| London & Zurich (New) | Finance | UK | Unknown | Unknown |
| SIAAP (service public de l’assainissement francilien) (New) | Public | France | Unknown | Unknown |
| blender.org (New) | Technology | Netherlands | No | 0 |
| Two Bahrain government agency websites (New) | Public | Bahrain | No | 0 |

Note: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.


Enforcement

ICO gives UK’s top websites 30 days to meet cookie requirements

The Information Commissioner has issued a statement threatening enforcement action against the companies running the UK’s most-visited websites unless they meet their legal requirements on cookies within 30 days.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.

In the meantime, if you missed it, check out last week’s round-up. Please do also let us know what you think about our new table format.

The post The Week in Cyber Security and Data Privacy: 20 – 26 November 2023 appeared first on IT Governance UK Blog.