37,376,751 known records breached in 2,109 newly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Researchers find thousands of publicly exposed – and compromised – Ray servers
The Oligo Security research team have discovered an attack campaign targeting a critical vulnerability in Ray – an AI framework developed and maintained by Anyscale – for the past seven months.
This vulnerability is one of five disclosed to Anyscale in late 2023. The company addressed four of the vulnerabilities, but this one – CVE-2023-48022 – remains disputed and therefore unpatched. As such, many teams and tools aren’t aware of, or concerned about, it.
However, Oligo’s researchers discovered this vulnerability has already been exploited in the wild, meaning that “thousands of publicly exposed Ray servers all over the world were already compromised as a result of this new vulnerability, dubbed ShadowRay”.
According to Anyscale’s website, some of the organisations using Ray include OpenAI, Uber, AWS (Amazon Web Services), Cohere, Ant Group, Instacart and Samsara.
According to Oligo’s research team, the vulnerability “allows attackers to take over the companies’ computing power and leak sensitive data”.
Data breached: unknown.
More than 19 million users’ data breached in info stealer malware campaign
What is apparently the “largest infostealer malware campaign targeting gamers/cheaters in history” has affected millions of gamers, including around 14,000,000 Discord users and 3,662,647 Battle.net (from Blizzard Entertainment) users.
Other affected domains include Activision, elitepvpers, UnKnoWnCheaTs, Phantom Overlap, ACDiamond, ArtificialAiming, two EngineOwning domains, iNIUARIA Cheats and GameSense.
Note that, although most affected domains are cheating forums, the malware itself wasn’t in cheat software.
Data breached: 19,126,976 users’ data.
Change Healthcare acknowledges data stolen in February’s cyber attack
Change Healthcare (of UnitedHealth Group) confirmed a cyber attack in February. It’s now publicly acknowledged that data was stolen during that attack, and is now analysing the types of data – including personal, financial and health information – compromised.
The ransomware group ALPHV/BlackCat claimed to have exfiltrated 6 TB of data from Change Healthcare. If true, this is a relatively small amount in the context of the organisation apparently processing 15 billion transactions annually.
Data breached: 6 TB.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 37,376,751 records known to be compromised, and 2,109 organisations suffering a newly disclosed incident. “Thousands” of them – which we’ve logged as 2,000 – are attributed to the publicly exposed Ray servers, as discussed above.
2,092 of organisations disclosing a new incident this week are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.
We also found 14 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known data breached |
| Discord Source 1; source 2 (New) |
Software | USA | Yes | 14,000,000 |
| Change Healthcare Source 1; source 2 (Update) |
Healthcare | USA | Yes | 6 TB |
| Battle.net (Blizzard Entertainment) Source (New) |
Leisure | USA | Yes | 3,662,647 |
| NHS Dumfries & Galloway Source 1; source 2 (Update) |
Healthcare | UK | Yes | 3 TB |
| Harvard Pilgrim Health Care Source 1; source 2 (Update) |
Healthcare | USA | Yes | 2,860,795 |
| NADRA Source (New) |
IT services | Pakistan | Yes | 2,700,000 |
| Sysmex Corporation Source (New) |
Manufacturing | Japan | Yes | 1,164,827 |
| Juniper Education Source (New) |
Software | UK | Yes | 864,603 |
| Ejercito del Perú Source 1; source 2 (New) |
Defence | Peru | Yes | 763.8 GB |
| Atraf Source 1; source 2 (Update) |
Software | Israel | Yes | 669,672 |
| Qosina Source (New) |
Manufacturing | USA | Yes | 638 GB |
| EMSA (Emergency Medical Services Authority) Source 1; source 2; source 3 (Update) |
Healthcare | USA | Yes | 611,743 |
| Accor Source (New) |
Hospitality | France | Yes | 596,000 |
| UnKnoWnCheaTs Source (New) |
Non-profit | Unknown | Yes | 572,831 |
| Activision Source (New) |
Leisure | USA | Yes | 561,183 |
| Big Issue Source 1; source 2 (New) |
Media | UK | Yes | 550 GB |
| Chattanooga Heart Institute Source 1; source 2 (Update) |
Healthcare | USA | Yes | 547,434 |
| Houser LLP Source 1; source 2 (Update) |
Legal | USA | Yes | 364,312 |
| FICO Source (New) |
Software | USA | Yes | 170,000 |
| Rent Go Source (new) |
Transport | Turkey | Yes | >161,000 |
| Scullion Law Source (New) |
Legal | UK | Yes | 155 GB |
| Elitepvpers Source (New) |
Leisure | Mexico | Yes | 117,366 |
| EngineOwning (two domains) Source (New) |
Leisure | UAE | Yes | 85,360 |
| BLOG (website for cheaters) Source (New) |
Leisure | Unknown | Yes | 67,152 |
| Select Education Group, LLC Source (New) |
Education | USA | Yes | >67,000 |
| Contender Boats, Inc Source (New) |
Manufacturing | USA | Yes | 65 GB |
| Bayer Heritage Federal Credit Union Source 1; source 2 (Update) |
Finance | USA | Yes | 61,165 |
| LC Waikiki Source (New) |
Retail | Egypt | Yes | 60,000 |
| Ezras Choilim Health Center Source 1; source 2 (New) |
Healthcare | USA | Yes | 59,861 |
| ECB (England & Wales Cricket Board) Source 1; source 2 (Update) |
Leisure | UK | Yes | 43,299 |
| Prudential Insurance Company of America Source (New) |
Insurance | USA | Yes | 36,545 |
| Pembina County Memorial Hospital Source (New) |
Healthcare | USA | Yes | 23,451 |
| ArtificialAiming Source (New) |
Leisure | Unknown | Yes | 21,564 |
| GameSense Source (New) |
Leisure | Unknown | Yes | 18,465 |
| iNIURIA Cheats (DigitalWorks GmbH) Source (New) |
Leisure | Germany | Yes | 14,181 |
| Ethos Source (New) |
Non-profit | USA | Yes | 13,418 |
| Pomona Valley Hospital Medical Center Source 1; source 2 (New) |
Healthcare | USA | Yes | 13,345 |
| Rancho Medical Family Group Source 1; source 2; source 3 (Update) |
Healthcare | USA | Yes | 10,480 |
| Gunster Yoakley and Stewart PA Source 1; source 2 (New) |
Legal | USA | Yes | 9,550 |
| Multiple government entities and private energy companies in India Source (New) |
Public and energy | India | Yes | 8.81 GB |
| Wyndemere Senior Living Source (New) |
Healthcare | USA | Yes | 6,846 |
| Donald W. Wyatt Detention Facility Source 1; source 2 (Update) |
Public | USA | Yes | 5,760 |
| Northern Virginia Oral, Maxillofacial & Implant Surgery Source (New) |
Healthcare | USA | Yes | 5,568 |
| ACDiamond Source (New) |
Leisure | UAE | Yes | 3,818 |
| Shivaji College Source (New) |
Education | India | Yes | 3,651 |
| Sanford, Pierson, Thone & Strean, PLC Source (New) |
Legal | USA | Yes | 3,100 |
| Battle Mountain General Hospital Source 1; source 2 (New) |
Healthcare | USA | Yes | 3,000 |
| Western New York Independent Living Source 1; source 2 (New) |
Healthcare | USA | Yes | 2,886 |
| Barings (via Infosys McCamish Systems) Source (New) |
Finance | USA | Yes | 2,671 |
| Kids Care Dental & Orthodontics Source 1; source 2; source 3 (Update) |
Healthcare | USA | Yes | 2,260 |
| BodyHealth, LLC Source (New) |
Healthcare | USA | Yes | 2,222 |
| Sierra Lobo, Inc. Source (New) |
Manufacturing | USA | Yes | 1,991 |
| GH America Source (New) |
Non-profit | USA | Yes | 1,802 |
| Reyes Automotive Group Source 1; source 2 (New) |
Manufacturing | USA | Yes | 1,660 |
| Bronson Healthcare Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,597 |
| Phantom Overlay Source (New) |
Leisure | Unknown | Yes | 1,365 |
| Permian Resources Source 1; source 2 (New) |
Energy | USA | Yes | 1,351 |
| RN (website for cheaters) Source (New) |
Leisure | Unknown | Yes | 1,044 |
| Cherry Health Source 1; source 2 (New) |
Healthcare | USA | Yes | 500 |
| Cornerstone Healthcare Group Management Services LLC Source 1; source 2 (New) |
Healthcare | USA | Yes | 500 |
| Southwest Binding & Laminating Source 1; source 2 (Update) |
Professional services | USA | Yes | 341 |
| Southern Nevada Health District Source (New) |
Public | USA | Yes | 300 |
| Saco River Medical Group, PC Source (New) |
Healthcare | USA | Yes | 64 |
| July Business Services Source (New) |
Finance | USA | Yes | 59 |
| Coeur d’Alene, City of Source (New) |
Public | USA | Yes | 57 |
| Regency Media Source (New) |
Leisure | Australia | Yes | Unknown |
| The Star Entertainment Group Source (New) |
Leisure | Australia | Yes | Unknown |
| Summer Fresh Salads Inc. Source (New) |
Manufacturing | Canada | Yes | Unknown |
| BSR Infratech India Ltd. Source (New) |
Construction | India | Yes | Unknown |
| CurioInvest Source (New) |
Crypto | Liechtenstein | Yes | Unknown |
| DEBATE Source (New) |
Media | Mexico | Yes | Unknown |
| Europol Source (New) |
Legal | Netherlands | Yes | Unknown |
| Poh Heng Jewellery Pte Ltd Source (New) |
Retail | Singapore | Yes | Unknown |
| Nampak Source (New) |
Manufacturing | South Africa | Yes | Unknown |
| Ayuntamiento de Torre Pacheco Source (New) |
Public | Spain | Yes | Unknown |
| Cressex Community School Source (New) |
Education | UK | Yes | Unknown |
| Delta Pipeline, Inc. Source 1; source 2 (New) |
Construction | USA | Yes | Unknown |
| OWASP® Foundation Source (New) |
Cyber security | USA | Yes | Unknown |
| Baylor College of Medicine Source (New) |
Education | USA | Yes | Unknown |
| Burnham Wood Charter Schools Source (New) |
Education | USA | Yes | Unknown |
| Florida Memorial University Source (New) |
Education | USA | Yes | Unknown |
| Groton Public Schools Source 1; source 2 (Update) |
Education | USA | Yes | Unknown |
| Tech-Quip Inc Source (New) |
Energy | USA | Yes | Unknown |
| Orange County’s Credit Union Source 1; source 2 (New) |
Finance | USA | Yes | Unknown |
| Performance Health Technology Source 1; source 2 (New) |
Healthcare | USA | Yes | Unknown |
| Trustpoint Rehabilitation Hospital of Lubbock Source (New) |
Healthcare | USA | Yes | Unknown |
| Alamo Insurance Group, Inc. Source 1; source 2 (New) |
Insurance | USA | Yes | Unknown |
| LoDan Electronics, Inc. Source (New) |
Manufacturing | USA | Yes | Unknown |
| Affinity Health Services Source 1; source 2 (New) |
Professional services | USA | Yes | Unknown |
| KTUA Landscape Architecture and Planning Source 1; source 2 (New) |
Professional services | USA | Yes | Unknown |
| Township of Haverford Source (New) |
Public | USA | Yes | Unknown |
| White Oak Partners Source (New) |
Real estate | USA | Yes | Unknown |
| Pennsylvania Southeast Conference U C C Source (New) |
Religious | USA | Yes | Unknown |
| Hot Topic Source 1; source 2 (New) |
Retail | USA | Yes | Unknown |
| Timberland Source (New) |
Retail | USA | Yes | Unknown |
| Anyscale and thousands of organisations using Ray Source (New) |
Software and other | USA and other | Yes | Unknown |
| Top.gg Discord bot community Source (New) |
Software | USA | Yes | Unknown |
| VNDIRECT Securities Corporation Source (New) |
Finance | Vietnam | Yes | Unknown |
| Munchables Source (New) |
Crypto | Unknown | Yes | Unknown |
| Prisma Finance Source (New) |
Crypto | Unknown | Yes | Unknown |
| University of Winnipeg Source (New) |
Education | Canada | Unknown | Unknown |
| St Paul’s Co-educational College Source (New) |
Education | Hong Kong | Unknown | Unknown |
| Operational Research Society of India Source (New) |
Education | India | Unknown | Unknown |
| New Zealand Parliamentary Service and Parliamentary Counsel Office Source 1; source 2 (New) |
Public | New Zealand | Unknown | Unknown |
| Statistični urad Republike Slovenije Source (New) |
Public | Slovenia | Unknown | Unknown |
| Website of President Nataša Pirc Musar Source (New) |
Public | Slovenia | Unknown | Unknown |
| The University of Manchester Source (New) |
Education | UK | Unknown | Unknown |
| University of Wolverhampton Source (New) |
Education | UK | Unknown | Unknown |
| Clinical School Computing Service Source (New) |
IT services | UK | Unknown | Unknown |
| Communication Workers Union Source (New) |
Professional services | UK | Unknown | Unknown |
| YASNO Source (New) |
Energy | Ukraine | Unknown | Unknown |
| Traverse City Area Public Schools Source (New) |
Education | USA | Unknown | Unknown |
| City of St. Cloud, FL Source (New) |
Public | USA | Unknown | Unknown |
| Gilmer County Government Source (New) |
Public | USA | Unknown | Unknown |
| An ASEAN-affiliated entity Source (New) |
Public | Unknown (likely Cambodia, Laos or Singapore) | Unknown | Unknown |
| Philippine Coast Guard Auxiliary Source (New) |
Non-profit | Philippines | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.
AI
UK Artificial Intelligence (Regulation) Bill progresses to Lords committee stage
The House of Lords read the UK Artificial Intelligence (Regulation) Bill for a second time on 22 March, and have progressed the Bill to the committee stage. This blog explains in more detail how a bill becomes law.
Researchers reveal new quantum AI model that allegedly identifies 100% of attacks
Multiverse Computing and CounterCraft revealed a new quantum AI model: the MPS (Matrix Product State) model. It’s been trained on data sets from real network traffic and system logs, and “significantly improves” attack detection compared to traditional methods, supposedly identifying 100% of cyber attacks.
US OMB issues first government-wide policy to mitigate risks and harness benefits of AI
Vice President Harris announced that the White House OMB (Office of Management and Budget) is issuing its first government-wide policy to mitigate the risks, and harness the benefits, of AI. This delivers on a key element of President Biden’s Executive Order on safely developing and using AI.
The OMB’s new policy is aimed at federal agencies, and looks to “strengthen AI safety and security, protect Americans’ privacy, advance equity and civil rights, stand up for consumers and workers, promote innovation and competition, advance American leadership around the world, and more”.
Enforcement
Sellafield to be prosecuted for alleged IT security offences between 2019 and 2023
The UK’s nuclear safety regulator – the ONR (Office for Nuclear Regulation) – has notified the nuclear site Sellafield that it’ll face prosecution under the Nuclear Industries Security Regulations 2003 for alleged IT security offences between 2019 and 2023.
Sellafield was reportedly hacked by cyber groups “closely linked to Russia and China”.
European Commission started investigation into Meta’s “pay or consent model”
The European Commission has opened proceedings again Meta’s “pay or consent model” – alongside Alphabet’s rules on steering in Google Play and self-preference on Google search, and Apple’s rules on steering in the App Store – under the DMA (Digital Markets Act).
The Commission is “concerned” that the “binary choice” of Meta’s model “may not provide a real alternative in case users do not consent, thereby not achieving the objective of preventing the accumulation of personal data by gatekeepers”.
EU and South Korea reaffirm partnership on cyber security, AI and other areas
In a second digital partnership council, the EU and South Korea reaffirmed their commitment to cooperating in “key digital technologies”, including cyber security, AI, quantum technology, platforms, semiconductors, 5G and beyond, and “defined other areas of cooperation such as network connectivity”.
Med-Data settles data breach lawsuit for $7 million
The Texas-based revenue cycle management company Med-Data has agreed to a $7 million (about £5.6 million) settlement to resolve a breach from 2018–2019, involving the health data of around 136,000 people.
Recently published reports
- Cognyte: 2024 Threat Intelligence Landscape
- Dr.Web: January 2024 review of virus activity on mobile devices
- ENISA (European Union Agency for Cybersecurity): Foresight Cybersecurity Threats For 2030
- Flashpoint: 2024 Global Threat Intelligence Report
- FS-ISAC: Navigating Cyber 2024 – Annual Threat Review and Predictions
- FTC (Federal Trade Commission): 2023 Privacy and Data Security Update
- Google: 2023 Ads Safety Report
- Google and Mandiant: We’re All in this Together – A Year in Review of Zero-Days Exploited In-the-Wild in 2023
- Intel471: Vulnerabilities Year-in-Review: 2023
- IPCO (Investigatory Powers Commissioner) and OCDA (Office for Communications Data Authorisations): Annual Report of the Investigatory Powers Commissioner 2022
- Keeper Security: The Future of Defense: IT Leaders Brace for Unprecedented Cyber Threats
- Netskope Threat Labs: Stats for February 2024
- Positive Technologies: How APT groups operate in the Middle East
- ReliaQuest: Annual Cyber-Threat Report: 2024
- Sophos: The Impact Of Compromised Backups On Ransomware Outcomes
- SpyCloud: Annual Identity Exposure Report 2024
- Surfshark: Which countries exercise the “right to be forgotten” the most?
- Zscaler: ThreatLabz 2024 AI Security Report
Other news
At least 17,000 Microsoft Exchange servers in Germany critically exposed
The BSI (Bundesamt für Sicherheit in der Informationstechnik; the German Federal Office for Information Security) warned that at least 37% of Microsoft Exchange servers in Germany (so at least 17,000) are vulnerable to at least one critical security vulnerability.
US DoD established new office: the Office of the Assistant Secretary of Defense for Cyber Policy
The US Department of Defense established a new office – the OASD(CP), or Office of the Assistant Secretary of Defense for Cyber Policy – on 20 March.
The ASD(CP) – Assistant Secretary of Defense for Cyber Policy – is responsible for “all matters related to cyber-related activities that support or enable DoD missions in, through, and from cyberspace”.
Proposed amendment to the US Cyber Incident Reporting for Critical Infrastructure Act of 2022
The US Department of Homeland Security has filed a draft to amend the CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022). The amendment requires CISA (Cybersecurity and Infrastructure Security Agency) to “promulgate regulations implementing the statute’s covered cyber incident and ransom payment reporting requirements for covered entities”.
The proposed rule is currently unpublished – the scheduled publication date is 4 April. CISA invites comments on the proposal until 60 days after publication.
Key dates
31 March 2024 – PCI DSS v4.0 transitioning deadline
Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) was retired on 31 March and replaced by version 4.0 of the Standard.
30 April 2024 – ISO/IEC 27001:2013 certification unavailable
Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
The post The Week in Cyber Security and Data Privacy: 25 – 31 March 2024 appeared first on IT Governance UK Blog.
