Welcome to this week’s round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
This week, we’re taking a slightly different approach with the ‘publicly disclosed data breaches and cyber attacks’ category, presenting the most interesting data points in a table format. This should make it easier for you to quickly find the information you want.
We’ve also included more details on the top 3 biggest breaches of the week.
The ‘enforcement’ and ‘other news’ categories remain unchanged.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Researchers from Aqua Nautilus have discovered Kubernetes Secrets – objects that contain small amounts of sensitive data, such as passwords, tokens or keys – relating to hundreds of organisations exposed to the Internet in public GitHub repositories.
Among those affected was SAP SE. The researchers discovered credentials that provided access to 95,592,696 artifacts, as well as download permissions and some deploy operations. They notified SAP SE, which responded “in the most professional and efficient manner”, remediating the issue, launching an investigation and maintaining communications with Aqua Nautilus.
Breached records: 95,592,696.
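The Aqua Nautilus finding above comes down to populated Kubernetes Secret manifests being pushed to public repositories. One defensive control is a pre-commit or CI check that refuses any manifest of kind Secret whose data or stringData block carries real values. The scanner below is an added example written for this round-up, not Aqua Nautilus's or SAP's tooling; the two-document manifest it scans is constructed with fake values, and it assumes single-line key: value entries rather than YAML block scalars.

```python
import base64
import re
from collections import namedtuple

# Constructed two-document manifest with fake values, used to exercise the scanner.
SAMPLE_MANIFEST = """\
kind: Secret
metadata:
  name: registry-creds
data:
  .dockerconfigjson: eyJhdXRocyI6e319
---
kind: Secret
metadata:
  name: api-token
stringData:
  token: not-a-real-token-12345
"""

# Key names only: the scanner never keeps or prints the secret values themselves.
Finding = namedtuple("Finding", "secret section key")
_NAME = re.compile(r"^metadata:\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*(\S+)", re.M)
_SECTION = re.compile(r"^(data|stringData):[ \t]*$")   # block with populated keys
_ENTRY = re.compile(r"^[ \t]+([^\s:][^:]*):[ \t]*(\S.*)$")  # single-line key: value

def is_base64(value: str) -> bool:  # values under data: must be base64-encoded
    try:
        return base64.b64decode(value, validate=True) is not None
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def find_populated_secrets(text: str) -> list[Finding]:
    """Return one Finding per non-empty key under data:/stringData: of each kind: Secret."""
    findings: list[Finding] = []
    for doc in re.split(r"^---[ \t]*$", text, flags=re.M):
        if not re.search(r"^kind:[ \t]*Secret[ \t]*$", doc, re.M):
            continue  # ConfigMaps, Deployments etc. are out of scope here
        name = next(iter(_NAME.findall(doc)), "<unnamed>")
        section = None
        for line in doc.splitlines():
            sec_m = _SECTION.match(line)
            if sec_m:
                section = sec_m.group(1)
            elif line and not line[0].isspace():
                section = None  # any other top-level key closes the block
            elif section:
                ent = _ENTRY.match(line)
                if ent and (section == "stringData" or is_base64(ent.group(2))):
                    findings.append(Finding(name, section, ent.group(1)))
    return findings
```

A templated manifest with `data: {}` produces no finding, so placeholders can stay in the repository while anything populated is blocked before it reaches GitHub.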
Over 56 million sensitive records leaked by TmaxSoft
TmaxSoft, an IT company in South Korea, has exposed 2 TB of data to the Internet via a Kibana dashboard for over two years. The data contains more than 56 million records, some of which are duplicates.
Most of the leaked data is company information and emails, but includes employee names, phone numbers, employment contract numbers and emails, as well as email attachments, metadata and other sensitive information that could be exploited in supply chain attacks.
The dashboard was first spotted in June 2021.
Breached records: more than 56 million.
9 million records breached through decade-long data leak
A former temporary employee of a subsidiary of NTT West (Nippon Telegraph and Telephone West Corp) illegally accessed about 9 million personal data records over the course of a decade (2013 to 2023).
NTT Business Solutions in Osaka handles the computer system used by NTT call centres. The employee downloaded customer information, including names, addresses and telephone numbers, to a work terminal before transferring it to a USB drive. They then sold it on to list brokers – businesses or individuals that trade in personal information.
At least 59 organisations, which outsourced call centre operations, have been impacted by this breach.
Breached records: about 9 million.
Publicly disclosed data breaches and cyber attacks: full list
This week, we’ve found 174,266,938 records known to be compromised, and 100 organisations suffering a newly disclosed incident. 19 of them are known to have had data exfiltrated or exposed. Only 3 definitely haven’t had data breached.
We’ve also found 5 organisations providing a significant update on a previously disclosed incident.
Organisation name | Sector | Location | Data exfiltrated? | Known records breached
SAP SE Source (New) | Technology | Bulgaria | Unknown | 95,592,696
TmaxSoft Source (New) | Technology | South Korea | Yes | 56,000,000+
NTT Business Solutions Source (New) | Telecoms | Japan | Yes | 9,000,000
Welltok Source (New) | Technology | USA | Yes | 8,493,379
Online platform or service used by Turkish healthcare providers or the Ministry of Health (probably) Source (New) | Healthcare | Turkey | Yes | 1,900,000
Taj Hotels Source (New) | Hospitality | India | Yes | 1,500,000
Appscook Technologies Source (New) | Technology | India | Yes | Almost 1 million
INL (Idaho National Laboratory) Source 1; Source 2 (New) | Research | USA | Yes | 200,000+
CCSD (Clark County School District) Source (Update) | Education | USA | Yes | 200,000
AutoZone Source (New) | Retail | USA | Yes | 184,995
HSKSG Source (New) | Finance | UK | Yes | 168 GB
New York City Bar Association Source (Update) | Legal | USA | Yes | 27,000+ (1.8 TB)
64 organisations with Docker Hub accounts Source (New) | Unknown | Unknown | Yes | 768
Microsoft Source (New) | Technology | USA | Unknown | 100+
AFT (Autonomous Flight Technologies) Source (New) | Manufacturing | Romania | Yes | Unknown
GE (General Electric) Source (New) | Manufacturing | USA | Yes | Unknown
Gulf Air Source (New) | Transport | Bahrain | Yes | Unknown
Kansas courts Source (Update) | Legal | USA | Yes | Unknown
The British Library Source (Update) | Public | UK | Yes | Unknown
China Energy Engineering Corporation Source (New) | Energy | China | Yes | Unknown
Vodafone Source (New) | Telecoms | Spain | Yes | Unknown
CTS Source (New) | IT services | UK | Unknown | Unknown
HSE Source (New) | Utilities | Slovenia | Unknown | Unknown
New Relic Source (New) | Technology | USA | Unknown | Unknown
HTX Source 1; Source 2 (New) | Finance | Singapore | Unknown | Unknown
HECO (Huobi Eco) Chain Source 1; Source 2 (New) | Finance | China | Unknown | Unknown
KyberSwap Source (New) | Finance | Singapore | Unknown | Unknown
Two top-tier blockchain companies Source (New) | Finance | USA | Unknown | Unknown
Portneuf Medical Center Source (New) | Healthcare | USA | Unknown | Unknown
UT Health East Texas Source (New) | Healthcare | USA | Unknown | Unknown
Pascack Valley Medical Center and Mountainside Medical Center Source (New) | Healthcare | USA | Unknown | Unknown
Hillcrest HealthCare System Source (New) | Healthcare | USA | Unknown | Unknown
Vanderbilt University Medical Center Source (New) | Healthcare | USA | Unknown | Unknown
Municipal Water Authority Source (New) | Public | USA | Unknown | Unknown
FNF (Fidelity National Financial) Source 1; Source 2 (New) | Insurance | USA | Unknown | Unknown
London & Zurich Source (New) | Finance | UK | Unknown | Unknown
SIAAP (service public de l’assainissement francilien) Source (New) | Public | France | Unknown | Unknown
blender.org Source (New) | Technology | Netherlands | No | 0
Two Bahrain government agency websites Source (New) | Public | Bahrain | No | 0
Note: ‘New’/’Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Enforcement
ICO gives UK’s top websites 30 days to meet cookie requirements
The Information Commissioner has issued a statement threatening enforcement action against the companies running the UK’s most-visited websites unless they meet their legal requirements on cookies within 30 days.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.
In the meantime, if you missed it, check out last week’s round-up. Please do also let us know what you think about our new table format.
The post The Week in Cyber Security and Data Privacy: 20 – 26 November 2023 appeared first on IT Governance UK Blog.