The Week in Cyber Security and Data Privacy: 23–29 October 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks

France says Russian state hackers breached numerous critical networks

Date of breach: From second half of 2021 (reported 26 October 2023).

Breached organisation: French public bodies, organisations, universities, research institutes and think tanks.

Incident details: The Russian hacking group APT28 has been targeting a range of unspecified French organisations for the past two years, according to an ANSSI report. Its techniques included brute-force attacks using leaked credential databases, phishing and exploiting multiple vulnerabilities.

Records breached: Unknown. Data has been exfiltrated, but we don’t know how much.

Thousands of drivers have sensitive data exposed to hackers in major IT breach

Date of breach: Unclear, but breached documents date back to 2017.

Breached organisation: A Limerick-based IT services firm (in the Republic of Ireland), retained by 11 towing companies, which are used by state bodies including the Irish national police and security service, An Garda Síochána. The data controller of the breached data is currently unclear.

Incident details: A security vulnerability in a third party left exposed the personal data of thousands of motorists who had their vehicle towed on behalf of An Garda Síochána. It’s unclear how long the vulnerability was in place, or who may have accessed the data.

Records breached: 512,000 documents, with details of insurance investigations, vehicle registration certificates, notices of car seizures and payment card details. Includes the driving licences of “thousands of motorists”.

University of Tokyo PC Infected with Malware in July 2022; Possible Leak of Students’ Addresses, Grades

Date of breach: July 2022 (first reported 24 October 2023).

Breached organisation: The Graduate School of Arts and Sciences of the University of Tokyo in Japan.

Incident details: A computer was infected with malware when a faculty member fell for a phishing email while working from home, causing a data breach.

Records breached: Up to 4,341 files, containing addresses and grades of students from 2003–2022.

Reeds Spring district alerts families to cybersecurity data breach

Date of breach: 26 April 2023 (reported 26 October 2023).

Breached organisation: Reeds Spring School District in Missouri, US.

Incident details: A “sophisticated” cyber attack that resulted in a data breach. The school district has engaged a third party, and the investigation is still ongoing, but it’s taken action to contain the incident, restore data and enhance its security. It’s also notified affected students and staff.

Records breached: Exact numbers unknown, but names, dates of birth, Social Security numbers, health insurance information and class lists were exfiltrated.

CCleaner says hackers stole users’ personal data during MOVEit mass-hack

Date of breach: May 2023 (reported 25 October 2023).

Breached organisation: CCleaner, based in the UK, which provides a popular cleaning software for computers and mobile devices.

Incident details: The MOVEit Transfer vulnerability was exploited (again), leading to data being exfiltrated. The company took five months to report it.

Records breached: Customer phone numbers, email addresses and billing addresses of “less than 2% of users”. Note the billing addresses, and that CCleaner’s parent company reports having around 65 million paid customers (and more than 38 million direct customers) of its cyber safety solutions, which include CCleaner.

August 2023 Data Incident

Date of breach: 23 August 2023 (update on 23 October 2023).

Breached organisation: University of Michigan (US).

Incident details: An unauthorised third party had access to some university systems between 23 and 27 August 2023, breaching personal information belonging to students, applicants, alumni, donors, employees, contractors, research study participants, and University Health Service and School of Dentistry patients.

Records breached: 230,000 individuals affected, breaching sensitive personal information that included Social Security numbers, driver’s licences or other government-issued ID numbers, financial account or payment card numbers, and health information.

Security incident report

Date of breach: 29 September 2023 (but report updated on 27 October 2023). Note: this means that the Okta breach happened sooner than previously reported (2 October 2023).

Breached organisation: 1Password, a password manager provider based in Canada.

Incident details: An IT team member received a suspicious email, so alerted the incident response team, which discovered that the organisation’s Okta environment had been accessed by a threat actor with administrative privileges. Other systems were not accessed, and no data was breached.

Records breached: 0.

Clark County School District student data begins to leak; CCSD doesn’t comment

Date of breach: 5 October 2023 (update 26 October 2023).

Breached organisation: CCSD (Clark County School District).

Incident details: Detailed last week. However, we now know that data was breached: “1% of the total files obtained” was released on a file-sharing website.

Records breached: Total number is unclear, but data records belonging to at least 26,000 people: 25,000 graduates (emails, dates of birth, ethnicity information, PSAT scores) and 1,000 students with diabetes (unspecified personal information).

Ransomware group threatens to leak Stanford police data

Date of breach: 10 October 2023 (first reported 26 October 2023).

Breached organisation: SUDPS (Stanford University Department of Public Safety) in California, US.

Incident details: The Akira ransomware group claims to have exfiltrated 430 GB of data, after breaching the university’s firewall, and is threatening to leak it online if the (unspecified) ransom isn’t paid.

Records breached: 430 GB of data, including private information and confidential documents.

In the throes of bankruptcy and hit by a ransomware attack, Akumin still unable to provide many diagnostic services to patients

Date of breach: 11 October 2023.

Breached organisation: Akumin Inc., headquartered in Florida, US, but providing medical scans and radiology services for around 1,000 healthcare organisations in 48 US states.

Incident details: A ransomware attack that led to postponed operations and other appointments, despite the company using workarounds to minimise disruptions. The organisation shut down its systems when it became aware of suspicious activity, and has since partially restored them. It’s unclear whether any records were breached.

Records breached: Unknown.

SA Health patients caught up in data breach of third-party platform Personify Care

Date of breach: 16 October 2023 (reported 28 October 2023).

Breached organisation: Personify Care, an online patient portal provider in Australia.

Incident details: Human error caused an “unauthorised third party” to delete patient data. There’s no evidence that the data was exfiltrated, and the data has already been restored, with new measures put in place to prevent recurrence of such an incident.

Records breached: 12,624 names and phone numbers of patients. For 121 of these patients, health information was also breached.

Hopewell Area School District targeted by ransomware attack

Date of breach: In the week of 16 October 2023 (reported 23 October 2023).

Breached organisation: Hopewell Area School District in Pennsylvania, US.

Incident details: Ransomware attack that caused network disruption. The school is still investigating whether data on the network was accessed without authorisation.

Records breached: Unknown.

Orange County’s DA’s Office experiences data breach

Date of breach: 20 October 2023 (reported 23 October 2023).

Breached organisation: Orange County District Attorney, a public prosecutor, in California, US.

Incident details: The organisation’s IT system was broken into; we don’t yet know whether any information was compromised.

Records breached: Unknown.

Detroit-Area District Cancels Classes Due to Cyber Incident

Date of breach: 22 October 2023 (reported 25 October 2023).

Breached organisation: Allen Park Public Schools in Michigan, US.

Incident details: A cyber attack required the school to shut down parts of its network and cancel classes. The school has engaged a third party to look into what happened and remediate the issues, but expects it to take at least a few days before full functionality is restored. We don’t yet know whether personal information has been breached.

Records breached: Unknown.

Update on Cyber Attacks at Regional Hospitals

Date of breach: 23 October 2023 (initial system outage notice).

Breached organisations: Five Canadian hospitals: Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital, via TransForm SSO (Shared Service Organization), a non-profit IT service provider founded by, and exclusively supporting, these five hospitals.

Incident details: A system outage (including for emails) caused by a cyber attack via TransForm’s service that led to cancelled appointments with hospital patients. Not yet known whether patient data/records were breached.

Records breached: Unknown.

Millions of Highly Sensitive Patient Records Exposed in Medical Diagnostic Company Data Breach

Date of breach: Discovered on or just before 25 October 2023, but unclear how long the database was unprotected.

Breached organisation: Medical diagnostic company Redcliffe Labs, based in India.

Incident details: A security researcher discovered a non-password-protected database and notified the company, which restricted public access that same day. We don’t know whether the data has been criminally exfiltrated.

Records breached: 12,347,297 medical records (7 TB).


Enforcement

Spain arrests 34 cybercriminals who stole data of 4 million people

The Spanish police have arrested 34 members of a criminal group, which has stolen the data of more than 4 million people through phishing attacks.

China crackdown on cyber scams in Southeast Asia nets thousands but leaves networks intact

In a big crackdown, Chinese and regional authorities in South-East Asia have arrested thousands of people who were part of cyber scam networks. However, as the leaders were not captured, just “victims who were forced to work for the criminals”, the networks remain intact.

Nigerian Police Dismantle Major Cybercrime Hub

After a Nigerian raid, six members of a cyber crime recruitment and training centre were arrested; some members escaped the scene, and the police are still tracking them. The police encourage members of the public to come forward when they suspect a cyber crime group to be operating in their area, and not to contribute to “the conspiracy of silence”.

Feel-good story of the week: Two ransomware gangs meet their demise

The Trigona ransomware group, which emerged in 2022, has been taken down – in other words, hacked – by the ‘Ukrainian Cyber Alliance’. Trigona’s entire infrastructure appears to have been wiped out.

South Korea’s privacy watchdog fines PayPal $664,000 over data breaches

After two data breaches that exposed the personal data of more than 23,000 customers, PayPal was fined $663,863 (about £550,000) by South Korea’s data watchdog.


Other news

Cyber resilience of the UK’s critical national infrastructure

The UK government is so concerned about cyber threats to UK organisations – particularly to its CNI (critical national infrastructure) – that the Science, Innovation and Technology Committee is launching an inquiry into the CNI’s cyber resilience.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.

In the meantime, if you missed it, check out last week’s round-up, including a story on 5.1 million genetic data profiles leaked.

The post The Week in Cyber Security and Data Privacy: 23–29 October 2023 appeared first on IT Governance UK Blog.