Welcome to this week’s round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Unsecured Kid Security app exposes over 300 million records
The popular parental control app Kid Security, which allows parents to monitor and control their children’s online safety, exposed user activity logs to the Internet for over a month via misconfigured Elasticsearch and Logstash instances.
The security researcher Bob Diachenko of SecurityDiscovery first identified the exposed information in mid-September. According to CyberNews, more than 300 million data records were compromised, including 21,000 telephone numbers and 31,000 email addresses. Some payment card data was also exposed.
It also appears that the data was accessed: the Readme bot “partially destroyed” the open instance, injecting a ransom note that demanded payment to a bitcoin wallet address in exchange for the files.
Data breached: over 300 million records.
35 TB of data exfiltrated from Henry Schein, plus ALPHV/BlackCat re-encrypted the newly restored files
As we first reported last month, the US healthcare solutions provider Henry Schein announced on 15 October that it had suffered a cyber attack that caused disruption to its manufacturing and distribution businesses. The company’s description of the incident suggested ransomware.
This was confirmed about a fortnight later, in early November, when the ALPHV/BlackCat ransomware group took responsibility for the attack, claiming to have encrypted Henry Schein’s files and exfiltrated 35 TB of data.
On 13 November, Henry Schein confirmed that a data breach had occurred, and that “Customer and personal information, such as bank account numbers, credit card numbers, and other sensitive information, may have been exposed to third parties”.
One aspect of ALPHV/BlackCat’s operation is particularly eye-catching: apparently impatient about Henry Schein’s slow response, the gang re-encrypted all the files the company had just restored, causing further disruption.
Henry Schein confirmed on 22 November that some of its applications were “currently unavailable”, but that it had identified why: “The threat actor from the previously disclosed cyber incident has claimed responsibility”.
In a 27 November update, Henry Schein said it had restored its US e-commerce platform, with its Canadian and European platforms expected to follow.
Data breached: 35 TB.
WeMystic exposes 13.3 million user records via an unsecured database
WeMystic, an online astrology and spiritual wellbeing website, exposed 34 GB of data to the Internet via an unsecured MongoDB database for at least five days. According to Cybernews, one of the data sets contained 13.3 million records, including names, dates of birth, email addresses and IP addresses, as well as users’ genders and horoscope signs.
Data breached: 13.3 million records.
Publicly disclosed data breaches and cyber attacks: full list
This week, we’ve found 362,028,638 records known to be compromised, and 150 organisations suffering a newly disclosed incident. 67 of them are known to have had data exfiltrated or exposed. Only 3 definitely haven’t had data breached.
We’ve also found 9 organisations providing a significant update on a previously disclosed incident.
| Organisation name | Sector | Location | Data exfiltrated? | Known records breached |
|---|---|---|---|---|
| Kid Security (New) | Technology | Kazakhstan | Yes | 300,000,000+ |
| Henry Schein (Update) | Healthcare | USA | Yes | 35,000,000 |
| WeMystic (New) | Technology | Portugal | Unknown | 13,300,000 |
| Northwell Health and Crouse Health (Update) | Healthcare | USA | Yes | At least 4,000,000 |
| Autobindo Pharma Ltd (New) | Healthcare | India | Yes | 3.7 TB |
| Zeroed-In Technologies and Dollar Tree (New) | Technology and retail | USA | Yes | 1,977,486 |
| Ziv Medical Center (New) | Healthcare | Israel | Yes | 700,000 |
| LY Corporation and Naver Cloud (New) | Technology | Japan and South Korea | Yes | 440,000 |
| Jacobs Farm del Cabo (New) | Agriculture | USA | Yes | 405 GB |
| Wakefield & Associates (New) | Legal | USA | Yes | Over 400 GB |
| Anderson Jones, PLLC (New) | Legal | USA | Yes | 360 GB |
| Aetna Life Insurance Company (Update) | Insurance | USA | Yes | 310,019 |
| Tipalti (New) | Technology | USA | Yes | Over 265 GB |
| Carranza LLP (New) | Legal | Canada | Yes | 257 GB |
| DePauw University (New) | Education | USA | Yes | 214 GB |
| Alpura (New) | Manufacturing | Mexico | Yes | Almost 200 GB |
| Servicio Móvil (New) | Technology | Spain | Yes | 114 GB |
| Robeson Health Care Corporation (Update) | Healthcare | USA | Yes | 62,627 |
| Grupo Prides (New) | Technology | Costa Rica | Yes | 60 GB |
| Bauwerk Group (New) | Manufacturing | Switzerland | Yes | 40 GB |
| Verdecora (New) | Manufacturing | Spain | Yes | 37 GB |
| North Texas Municipal Water District (Update) | Utilities | USA | Yes | 33,844 |
| County of Rock, WI (New) | Public | USA | Yes | 25,823 |
| Teleflora (New) | Manufacturing | USA | Yes | 24 GB |
| Bluefield University (New) | Education | USA | Yes | 23,195 |
| Science History Institute (New) | Non-profit | USA | Yes | 22 GB |
| Okta (Update) | Technology | USA | Yes | 18,000 |
| Valrhona Inc. (New) | Manufacturing | USA | Yes | 6,537 |
| Walborsky Bradley & Fleming, PLLC (New) | Legal | USA | Yes | 5,227 |
| Broadview Federal Credit Union (New) | Finance | USA | Yes | 5,074 |
| The City of Waynesboro (New) | Public | USA | Yes | 4,639 |
| Treeways Holdings LLC (Update) | Environmental | USA | Yes | 3,908 |
| World Learning, Inc. (New) | Education | USA | Yes | 3,022 |
| Lakeview Healthcare System, LLC (New) | Healthcare | USA | Yes | 2,495 |
| The Hershey Company (New) | Manufacturing | USA | Yes | 2,214 |
| Park Bank (New) | Finance | USA | Yes | 2,081 |
| The Walker School, Inc. (New) | Education | USA | Yes | 1,493 |
| Kimber Mfg., Inc. (New) | Manufacturing | USA | Yes | 1,212 |
| Butte School District (New) | Education | USA | Yes | 900+ |
| Fenway Community Health Center, Inc. (New) | Healthcare | USA | Unknown | 598 |
| Comprehensive Auto Resource, Inc. (New) | Insurance | USA | Yes | 240 |
| Lovelace Health System (New) | Healthcare | USA | Yes | Unknown |
| DP World Australia (Update) | Transport | Australia | Yes | Unknown |
| Charmant USA (New) | Retail | USA | Yes | Unknown |
| King Edward VII’s Hospital (New) | Healthcare | UK | Yes | Unknown |
| Quantum Radiology (New) | Healthcare | Australia | Yes | Unknown |
| Israel’s State Archive (New) | Public | Israel | Yes | Unknown |
| National Aerospace Laboratories (New) | Public | India | Yes | Unknown |
| Shoval (New) | Public | Israel | Yes | Unknown |
| SinglePoint Outsourcing, Inc. (New) | Professional services | USA | Yes | Unknown |
| Thillens (New) | Finance | USA | Yes | Unknown |
| Elston-Nationwide Carriers (New) | Transport | USA | Yes | Unknown |
| American Insulated Glass (New) | Retail | USA | Yes | Unknown |
| MooreCo Inc. (New) | Manufacturing | USA | Yes | Unknown |
| Sparex Limited (New) | Retail | UK | Yes | Unknown |
| Retailer Web Services (New) | Technology | USA | Yes | Unknown |
| Continental Shipping Line (Texas branch) (New) | Transport | USA | Yes | Unknown |
| BYFOD (New) | Retail | Netherlands | Yes | Unknown |
| SurvTech Solutions (New) | Engineering | USA | Yes | Unknown |
| Edge Realty Partners (New) | Real estate | USA | Yes | Unknown |
| Noble Mountain Tree Farm (New) | Agriculture | USA | Yes | Unknown |
| Unitransfer Florida (New) | Telecommunications | USA | Yes | Unknown |
| SC Hydraulic Engineering Corporation (New) | Manufacturing | USA | Yes | Unknown |
| Labtopia, Inc. (New) | Professional services | USA | Yes | Unknown |
| OLA Consulting Engineers (New) | Engineering | USA | Yes | Unknown |
| Canderel Group (New) | Real estate | Canada | Yes | Unknown |
| Great Valley School District (New) | Education | USA | Yes | Unknown |
| Pacific Cataract and Laser Institute (New) | Healthcare | USA | Yes | Unknown |
| Covenant Care (New) | Healthcare | USA | Yes | Unknown |
| HTC Global Services (New) | Technology | USA | Yes | Unknown |
| Aqipa GmbH (New) | Retail | Austria | Yes | Unknown |
| ARPEGE MASTER K (New) | Manufacturing | France | Yes | Unknown |
| Chetu, Inc. (New) | Technology | USA | Yes | Unknown |
| FUTURA Fundamentsysteme GmbH (New) | Construction | Germany | Yes | Unknown |
| Ardent Health Services (New) | Healthcare | USA | Unknown | Unknown |
| University of Kansas Health System-St. Francis (New) | Healthcare | USA | Unknown | Unknown |
| North Texas Municipal Water District (New) | Utilities | USA | Unknown | Unknown |
| Staples (New) | Retail | USA | Unknown | Unknown |
| City of Hendersonville (New) | Public | USA | Unknown | Unknown |
| Capital Health (New) | Healthcare | USA | Unknown | Unknown |
| Weald of Kent Grammar School (New) | Education | UK | Unknown | Unknown |
| Several district heating plants (New) | Energy | Estonia | Unknown | Unknown |
| Five California courts (Monroe, Lee, Sarasota, Hillsborough and Brevard) and three court record system providers (Catalis, Tyler Technologies, and Henschen & Associates) (New) | Legal and technology | USA | Unknown | Unknown |
| Japan Space Exploration Agency (New) | Space | Japan | Unknown | Unknown |
| Ongoing Operations, FedComp, and 60 credit unions including Mountain Valley Federal Credit Union (New) | Technology and finance | USA | Unknown | Unknown |
| Drum/Binghamstown Group Water Scheme (Mayo County Council) (New) | Utilities | Ireland | No | 0 |
| Trasporto Locale and Trentino Transport (New) | Transport | Italy | No | 0 |
Note: ‘New’/‘Update’ in the first column indicates whether the breach was first publicly disclosed this week or whether a significant update was released this week. The updated data point is italicised in the table.
Enforcement
Joint operation breaks up international ransomware gang
Five people were arrested in Ukraine on 21 November in connection with a ransomware operation believed to be responsible for attacks in 71 countries. Authorities from Norway, France, the Netherlands, Ukraine, Germany, Switzerland and the United States, as well as Europol and Eurojust participated in the operation.
Dutch Data Protection Authority takes action against Dutch Employee Insurance Agency
The Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, has reprimanded the Dutch Employee Insurance Agency, the UWV, for using an algorithm to monitor the online behaviour of people receiving unemployment benefits, in contravention of the GDPR (General Data Protection Regulation).
Other news
The European Commission has welcomed the political agreement reached between the European Parliament and the Council of the European Union on the Cyber Resilience Act, which the Commission proposed in 2022. The Act aims to improve the cyber security of digital products across the EU by introducing mandatory cyber security requirements for all hardware and software.
Council of the European Union adopts Data Act
The Council of the European Union has adopted a new regulation on harmonised rules on fair access to, and use of, data across the EU. The Data Act obliges manufacturers and service providers to let their users access and reuse the data generated by the use of their products and services.
NCSC publishes new guidance on how to ‘lift and shift’
The NCSC (National Cyber Security Centre) has added a new section about how to ‘lift and shift’ to its guidance on using Cloud services securely. ‘Lift and shift’ is the practice of replicating an existing local system in the Cloud.
NCSC publishes secure AI system development guidelines
The NCSC has published a new set of Guidelines for secure AI system development to “help providers to build AI systems that function as intended, are available when needed, and work without revealing sensitive data to unauthorised parties”.
New York Governor proposes cyber security regulations for hospitals
New York Governor Kathy Hochul has proposed new cyber security regulations for all hospitals operating in the state, which are expected to complement the security requirements of HIPAA (the Health Insurance Portability and Accountability Act).
Manufacturing industry identified as top target of cyber extortion
According to a new report by Orange Cyberdefense, 20% of all cyber extortion attacks in 2023 were aimed at the manufacturing industry – a 42% increase over 2022 and 17% more than the second most targeted industry.
Nato expands cyber security coalition
Nato countries welcomed South Korea and Japan to their cyber security exercises in Estonia from 27 November to 1 December. This year’s Cyber Coalition “brought together more than 1,300 cyber defenders from 28 NATO Allies and 7 partner countries, as well as the European Union and participants from industry and academia”.
Queensland passes mandatory data breach laws
Queensland has become the second Australian state, following New South Wales, to oblige public-sector entities to notify affected individuals and the state’s privacy regulator of data breaches that would likely result in serious harm.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up.
The post The Week in Cyber Security and Data Privacy: 27 November – 3 December 2023 appeared first on IT Governance UK Blog.