252,796,762 known records breached in 126 newly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Millions of Pure Incubation Ventures records listed on hacking forum
183,754,481 records apparently belonging to the venture capital and private equity group Pure Incubation Ventures have been listed for sale on a hacking forum.
The threat actor, KryptonZambie, has provided a sample of 100,000 records. The claim is yet to be verified.
Data breached: 183,754,481 records.
EasyPark data breach: 21.1 million records offered for sale
Europe’s largest parking app operator, EasyPark, announced last December that it had suffered a cyber attack that resulted in customer data being compromised. The company, which owns brands including RingGo and ParkMobile, didn’t say how many customers were affected, stating only that 950 UK RingGo users’ data was affected, and that most users affected were in Europe.
Now, 21.1 million data records belonging to EasyPark have been listed for sale on a hacking forum. Data apparently includes users’ full names, phone numbers, addresses, email addresses and partial payment card information.
Data breached: 21,100,000 records.
Nearly 20 million Cutout.Pro users’ data breached
Cutout.Pro, an AI photo and video editing platform, has suffered a data breach. Affected information includes users’ names, email addresses, IP addresses and encrypted passwords.
The threat actor, KryptonZambie, listed a 5.93 GB dataset on a hacking forum, claiming to still have access to the breached system. Have I Been Pwned confirmed that the data set contained information relating to 19,972,829 people, despite the company’s denial.
Data breached: 19,972,829 individuals’ data.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 252,796,762 records known to be compromised, and 126 organisations suffering a newly disclosed incident. 110 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 5 definitely haven’t had data breached.
We also found 7 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known data breached |
| Pure Incubation Ventures Source (New) |
Professional services | USA | Yes | 183,754,481 |
| EasyPark Source 1; source 2; source 3 (Update) |
Software | Sweden | Yes | 21,100,000 |
| Cutout.Pro Source (New) |
Software | Hong Kong | Yes | 19,972,829 |
| Optum Source 1; source 2 (New) |
Healthcare | USA | Yes | 6 TB |
| Kumagai Gumi Group Co., Ltd. Source (New) |
Engineering | Japan | Yes | >5 TB |
| Array Networks Source (New) |
Cyber security | USA | Yes | 2.5 TB |
| Turtlemint Source (New) |
Insurance | India | Yes | 1,800,000 |
| Chunghwa Telecom Source (New) |
Telecoms | Taiwan | Yes | 1.7 TB |
| LDLC Source (New) |
Retail | France | Yes | 1,500,000 |
| APROA Source (New) |
Professional services | Argentina | Yes | 1,197,562 |
| Petrus Resources Ltd. Source (New) |
Energy | Canada | Yes | 1 TB |
| AB Texel Source (New) |
Transport | Netherlands | Yes | 1 TB |
| STOCK Development Source (New) |
Real estate | USA | Yes | 1 TB |
| Centre Hospitalier d’Armentières Source 1; source 2 (Update) |
Healthcare | France | Yes | >900,000 |
| INSS Source (New) |
Public | Brazil | Yes | 879,492 |
| bienDIG Source (New) |
Software | Mexico | Yes | 450,000 |
| Grand Avignon Source (New) |
Public | France | Yes | 350,000 |
| Houser LLP Source (New) |
Legal | USA | Yes | 326,386 |
| Bagart Source (New) |
Retail | France | Yes | 250,000 |
| PR Newswire Source (New) |
Media | USA | Yes | 250,000 |
| GCA Nederland Source (New) |
Transport | Netherlands | Yes | 239 GB |
| Yakima Valley Radiology Source (New) |
Healthcare | USA | Yes | 235,249 |
| Frencken Group Limited Source (New) |
Manufacturing | Malaysia | Yes | 226 GB |
| State University of Campinas (Unicamp) Source (New) |
Education | Brazil | Yes | >146,000 |
| TalentLaunch (Alliance Solutions Group) Source (New) |
Professional services | USA | Yes | 119,261 |
| Egyptian Health Department Source 1; source 2 (New) |
Healthcare | USA | Yes | 100,000 |
| Cogdell Memorial Hospital (Scurry County Hospital District) Source 1; source 2 (New) |
Healthcare | USA | Yes | 86,981 |
| Stratford-on-Avon District Council Source 1; source 2 (Update) |
Public | UK | Yes | 79,000 |
| Webber International University Source (New) |
Education | USA | Yes | 65 GB |
| 180Post Source (New) |
Media | Lebanon | Yes | 63,000 |
| Northwestern Mutual Source 1; source 2 (Update) |
Insurance | USA | Yes | 62,656 |
| Brady Martz & Associates Source 1; source 2 (Update) |
Finance | USA | Yes | 58,520 |
| Greensboro College Source (New) |
Education | USA | Yes | 52,569 |
| Employee Benefits Corporation of America and Benefit Design Group, Inc. Source 1; source 2 (New) |
Insurance | USA | Yes | 38,912 |
| Muscatine Power and Water Source (New) |
Utilities | USA | Yes | 36,955 |
| Bradford-Scott Data and 4 credit unions Source (New) |
IT services and finance | USA | Yes | 35,736 |
| Renton School District Source (New) |
Education | USA | Yes | 30,373 |
| Fidelity Investments Life Insurance Source (New) |
Insurance | USA | Yes | 28,268 |
| Mr. Green Gaming Source 1; source 2; source 3 (New) |
Leisure | UK | Yes | 27,176 |
| Qualcomm Source 1; source 2 (New) |
Telecoms | USA | Yes | 27,038 |
| McKenzie Health Source 1; source 2 (New) |
Healthcare | USA | Yes | 21,000 |
| The Brody School of Medicine at East Carolina University Source 1; source 2 (New) |
Education | USA | Yes | 19,085 |
| Human Affairs International of California Source 1; source 2 (New) |
Insurance | USA | Yes | 18,347 |
| WebMarketPoint Source (New) |
Retail | Italy | Yes | 17,000 |
| Maryville Addiction Treatment Center Source 1; source 2; source 3 (Update) |
Healthcare | USA | Yes | 15,503 |
| Bay Area Anesthesia, LLC Source (New) |
Healthcare | USA | Yes | 15,196 |
| Elemetal Source (New) |
Finance | USA | Yes | 13,608 |
| Aspen Dental (APEO) Source (New) |
Healthcare | USA | Yes | 12,053 |
| Nashua School District Source (New) |
Education | USA | Yes | 9,829 |
| Hospice of Huntington Source 1; source 2 (New) |
Healthcare | USA | Yes | 9,013 |
| Veolia North America Source 1; source 2 (Update) |
Environmental | USA | Yes | 8,951 |
| Alliance College-Ready Public Schools Source (New) |
Education | USA | Yes | 8,793 |
| KRD, Ltd. Source (New) |
Finance | USA | Yes | 7,154 |
| CBIZ Marks Paneth Source 1; source 2 (New) |
Finance | USA | Yes | 5,562 |
| First National Bank of Hartford Source (New) |
Finance | USA | Yes | 5,316 |
| CF Manager Source (New) |
Retail | Thailand | Yes | >5,000 |
| Virgin Hotels North America Source (New) |
Hospitality | USA | Yes | 4,634 |
| Lena Pope Source 1; source 2 (New) |
Non-profit | USA | Yes | 3,954 |
| Humana Source 1; source 2 (New) |
Insurance | USA | Yes | 3,480 |
| Junta de Andalucía Source (New) |
Public | Spain | Yes | 3,336 |
| Erie Indemnity Company Group Dental Assistance Plan Source 1; source 2 (New) |
Insurance | USA | Yes | 3,122 |
| Interventional Pain & Regenerative Medicine Source 1; source 2 (New) |
Healthcare | USA | Yes | 2,500 |
| Santa Clarita Community College District Source 1; source 2 (New) |
Education | USA | Yes | 2,324 |
| National Association of Home Builders Source (New) |
Construction | USA | Yes | 2,020 |
| Lexington Medical Center Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,994 |
| Sunway Hospitality Source (New) |
Hospitality | USA | Yes | 1,427 |
| City of Dubuque Fire Department Source 1; source 2 (New) |
Public | USA | Yes | 1,381 |
| Prague Regional Memorial Hospital Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,347 |
| Citrus Diagnostic Center (Amin Radiology) Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,273 |
| MCS (Mortgage Contracting Services) Source 1; source 2 (New) |
Real estate | USA | Yes | 1,143 |
| North Hill Needham Inc. Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,096 |
| Mental Health Center of North Central Alabama, Inc. Source 1; source 2 (New) |
Healthcare | USA | Yes | 1,000 |
| Spaulding Clinical Research, LLC Source (New) |
Research | USA | Yes | 884 |
| Dignity Health Welfare Benefits Plan Source 1; source 2 (New) |
Insurance | USA | Yes | 744 |
| King Aerospace Source 1; source 2 (Update) |
Manufacturing | USA | Yes | 727 |
| East Side Health District Source 1; source 2 (New) |
Healthcare | USA | Yes | 559 |
| Arsenault and Cline CPAs, Inc. Source (New) |
Finance | USA | Yes | 421 |
| Northgate Environmental Management Source (New) |
Environmental | USA | Yes | 404 |
| Policía Nacional del Perú Source (New) |
Public | Peru | Yes | 325 |
| Icetro America Source (New) |
Manufacturing | USA | Yes | 280 |
| Empire Auto Parts Source (New) |
Transport | USA | Yes | 150 |
| BAPU Source (New) |
Environmental | Ecuador | Yes | >50 |
| Coinsquare Source (New) |
Crypto | Canada | Yes | Unknown |
| Le Groupe Vertdure Source (New) |
Environmental | Canada | Yes | Unknown |
| Whaley Estate Litigation (WEL) Partners Source (New) |
Legal | Canada | Yes | Unknown |
| City of Hamilton Source 1; source 2 (New) |
Public | Canada | Yes | Unknown |
| Town of Ponoka Source (New) |
Public | Canada | Yes | Unknown |
| YX International Information Co., Ltd Source (New) |
Telecoms | China | Yes | Unknown |
| Verbraucherzentrale Hessen Source 1; source 2 (New) |
Non-profit | Germany | Yes | Unknown |
| Pepco Group Source (New) |
Retail | Hungary | Yes | Unknown |
| RedisInsight server in India Source (New) |
Unknown | India | Yes | Unknown |
| Dinamic Oil SpA Source (New) |
Manufacturing | Italy | Yes | Unknown |
| Mirtylla Source (New) |
Retail | Italy | Yes | Unknown |
| Odette Danza Source (New) |
Retail | Italy | Yes | Unknown |
| Texx Offroad Source (New) |
Retail | Italy | Yes | Unknown |
| Infraestructura Portuaria Mexicana, S.A. De C.V. Source (New) |
Manufacturing | Mexico | Yes | Unknown |
| Sund Birsta Source (New) |
Manufacturing | Sweden | Yes | Unknown |
| PGAL Source (New) |
Construction | USA | Yes | Unknown |
| Orange Public School District Source (New) |
Education | USA | Yes | Unknown |
| DCO Energy, LLC Source 1; source 2 (New) |
Energy | USA | Yes | Unknown |
| Fairway Independent Mortgage Corporation Source 1; source 2 (New) |
Finance | USA | Yes | Unknown |
| Wyatt Leasing Source (New) |
Finance | USA | Yes | Unknown |
| Conrade Insurance Group Source (New) |
Insurance | USA | Yes | Unknown |
| Casino Del Sol Resort Source 1; source 2 (New) |
Leisure | USA | Yes | Unknown |
| RCI Source (New) |
Leisure | USA | Yes | Unknown |
| Cencora Source (New) |
Manufacturing | USA | Yes | Unknown |
| Divvies LLC Source 1; source 2 (New) |
Manufacturing | USA | Yes | Unknown |
| Ewig USA Source (New) |
Manufacturing | USA | Yes | Unknown |
| Intercept Pharmaceuticals Source 1; source 2 (New) |
Manufacturing | USA | Yes | Unknown |
| Pik Rite, Inc. Source 1; source 2 (New) |
Manufacturing | USA | Yes | Unknown |
| Institute of Food Technologists Source 1; source 2 (New) |
Non-profit | USA | Yes | Unknown |
| Vulcan Industries Source 1; source 2 (New) |
Retail | USA | Yes | Unknown |
| Shido Network Source (New) |
Blockchain | Unknown | Yes | Unknown |
| Laurentian University Source (New) |
Education | Canada | Unknown | Unknown |
| Road Safety and Transport Agency Source (New) |
Public | Denmark | Unknown | Unknown |
| Copenhagen Airports A/S Source (New) |
Transport | Denmark | Unknown | Unknown |
| Trafikselskabet Movia Source (New) |
Transport | Denmark | Unknown | Unknown |
| Orange Egypt Source (New) |
Telecoms | Egypt | Unknown | Unknown |
| Hochschule Kempten Source (New) |
Education | Germany | Unknown | Unknown |
| ThyssenKrupp Source (New) |
Manufacturing | Germany | Unknown | Unknown |
| Burger Singh Source (New) |
Hospitality | India | Unknown | Unknown |
| City of Oakley, California Source (New) |
Public | USA | Unknown | Unknown |
| GitHub Source (New) |
Software | USA | Unknown | Unknown |
| Bill and Hillary Clinton National Airport Source (New) |
Transport | USA | Unknown | Unknown |
| Philippine Coast Guard Source (New) |
Public | Philippines | No | 0 |
| Lowell Public School Source 1; source 2 (New) | Education | USA | No | 0 |
| Federal Home Loan Bank of New York Source (New) |
Finance | USA | No | 0 |
| Matthew Perry Source (New) |
Media | USA | No | 0 |
| Town of Poughkeepsie Source (New) |
Public | USA | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
AI
Automattic to sell WordPress and Tumblr content to AI companies by default
Automattic, the parent company of WordPress and Tumblr, has announced that it’ll share public content hosted on those platforms with AI companies unless users opt out.
According to 404 Media, the company is planning to sell content to OpenAI and Midjourney to train their AI models, although it’s not clear what types of user data will be shared.
Enforcement
ICO finds Home Office migrant monitoring scheme broke data protection law
The ICO (Information Commissioner’s Office) has found that the Home Office failed to sufficiently assess the privacy risks associated with a pilot scheme to electronically monitor migrants’ whereabouts by placing ankle tags on them and tracking their location via GPS.
The ICO has issued an enforcement notice and a warning to the Home Office.
Italian data protection authority fines Enel €79 million
Italy’s data protection regulator, the Garante per la Protezione dei Dati Personali, has fined the country’s largest utility company, Enel, more than €79 million for misusing customer data for telemarketing.
The fine is the largest the Garante has issued to date.
International operation takes down cyber crime market
Düsseldorf Police has seized control of Crimemarket, a German-language criminal trading platform with over 180,000 users.
According to Bleeping Computer, Crimemarket “was the largest cybercrime market in the country and a hub for trading illegal drugs, narcotics, and cybercrime services, while it also hosted tutorials/guides for conducting various crimes”.
President Biden signs executive order to restrict sale of US data
President Biden has signed an executive order designed to “prevent the large-scale transfer of Americans’ personal data to countries of concern”.
It also “provides safeguards around other activities that can give those countries access to Americans’ sensitive data”.
Other news
NIST releases version 2.0 of Cybersecurity Framework
The US National Institute of Standards and Technology has updated its CSF (Cybersecurity Framework).
NIST CSF 2.0 has “an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy”.
Critical vulnerability could have allowed threat actors to hijack any Facebook account
Meta has addressed a critical security vulnerability and rewarded the security researcher who reported it under Facebook’s bug bounty programme. Samip Aryal described the vulnerability as a “rate-limiting issue in a specific endpoint of Facebook’s password reset flow that could’ve allowed the takeover of any Facebook account by bruteforcing a particular type of nonce”.
Users of Anycubic 3D printers have reported that their machines have been hacked. The person responsible added a text file to their devices, which reads:
“Your machine has a critical vulnerability, posing a significant threat to your security. Immediate action is strongly advised to prevent potential exploitation. Feel free to disconnect your printer from the Internet if you don’t wanna get hacked by a bad actor. This is just a harmless message. You have not been harmed in any way.”
Nearly 3 million devices have downloaded this warning.
Key dates
31 March 2024 – PCI DSS v4.0 transitioning deadline
Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.
30 April 2024 – ISO/IEC 27001:2013 certification unavailable
Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.
ISO 27001:2022 itself has been amended to refer to climate change. The amendment adds two sentences, requiring compliant organisations to determine whether climate change is a relevant issue and noting that relevant interested parties can have requirements related to climate change.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
The post The Week in Cyber Security and Data Privacy: 26 February – 3 March 2024 appeared first on IT Governance UK Blog.