The Week in Cyber Security and Data Privacy: 27 November – 3 December 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Unsecured Kid Security app exposes over 300 million records

The popular parental control app Kid Security, which allows parents to monitor and control their children’s online safety, exposed user activity logs to the Internet for over a month via misconfigured Elasticsearch and Logstash instances.

The security researcher Bob Diachenko of SecurityDiscovery first identified the exposed information in mid-September. According to CyberNews, more than 300 million data records were compromised, including 21,000 telephone numbers and 31,000 email addresses. Some payment card data was also exposed.

It also appears that the data was accessed: the Readme bot “partially destroyed” the open instance, injecting a ransom note with a bitcoin wallet address to which payment should be sent in exchange for the files.

Data breached: over 300 million records.

35 TB of data exfiltrated from Henry Schein, plus ALPHV/BlackCat re-encrypted the newly restored files

As we first reported last month, the US healthcare solutions provider Henry Schein announced on 15 October that it had suffered a cyber attack that caused disruption to its manufacturing and distribution businesses. The company’s description of the incident suggested ransomware.

This was confirmed about a fortnight later, in early November, when the ALPHV/BlackCat ransomware group took responsibility for the attack, claiming to have encrypted Henry Schein’s files and exfiltrated 35 TB of data.

On 13 November, Henry Schein confirmed that a data breach had occurred, and that “Customer and personal information, such as bank account numbers, credit card numbers, and other sensitive information, may have been exposed to third parties”.

One aspect of ALPHV/BlackCat’s operation is particularly eye-catching: apparently impatient about Henry Schein’s slow response, the gang re-encrypted all the files the company had just restored, causing further disruption.

Henry Schein confirmed on 22 November that some of its applications were “currently unavailable”, but that it had identified why: “The threat actor from the previously disclosed cyber incident has claimed responsibility”.

In a 27 November update, Henry Schein said it had restored its US e-commerce platform, with its Canadian and European platforms expected to follow.

Data breached: 35 TB.

WeMystic exposes 13.3 million user records via an unsecured database

WeMystic, an online astrology and spiritual wellbeing website, exposed 34 GB of data to the Internet via an unsecured MongoDB database for at least five days. According to Cybernews, one of the data sets contained 13.3 million records, including names, dates of birth, email addresses and IP addresses, as well as users’ genders and horoscope signs.

Data breached: 13.3 million records.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 362,028,638 records known to be compromised, and 150 organisations suffering a newly disclosed incident. 67 of them are known to have had data exfiltrated or exposed. Only 3 definitely haven’t had data breached.

We’ve also found 9 organisations providing a significant update on a previously disclosed incident.

| Organisation name | Sector | Location | Data exfiltrated? | Known records breached |
|---|---|---|---|---|
| Kid Security (New) | Technology | Kazakhstan | Yes | 300,000,000+ |
| Henry Schein (Update) | Healthcare | USA | Yes | 35,000,000 |
| WeMystic (New) | Technology | Portugal | Unknown | 13,300,000 |
| Northwell Health and Crouse Health (Update) | Healthcare | USA | Yes | At least 4,000,000 |
| Autobindo Pharma Ltd (New) | Healthcare | India | Yes | 3.7 TB |
| Zeroed-In Technologies and Dollar Tree (New) | Technology and retail | USA | Yes | 1,977,486 |
| Ziv Medical Center (New) | Healthcare | Israel | Yes | 700,000 |
| LY Corporation and Naver Cloud (New) | Technology | Japan and South Korea | Yes | 440,000 |
| Jacobs Farm del Cabo (New) | Agriculture | USA | Yes | 405 GB |
| Wakefield & Associates (New) | Legal | USA | Yes | Over 400 GB |
| Anderson Jones, PLLC (New) | Legal | USA | Yes | 360 GB |
| Aetna Life Insurance Company (Update) | Insurance | USA | Yes | 310,019 |
| Tipalti (New) | Technology | USA | Yes | Over 265 GB |
| Carranza LLP (New) | Legal | Canada | Yes | 257 GB |
| DePauw University (New) | Education | USA | Yes | 214 GB |
| Alpura (New) | Manufacturing | Mexico | Yes | Almost 200 GB |
| Servicio Móvil (New) | Technology | Spain | Yes | 114 GB |
| Robeson Health Care Corporation (Update) | Healthcare | USA | Yes | 62,627 |
| Grupo Prides (New) | Technology | Costa Rica | Yes | 60 GB |
| Bauwerk Group (New) | Manufacturing | Switzerland | Yes | 40 GB |
| Verdecora (New) | Manufacturing | Spain | Yes | 37 GB |
| North Texas Municipal Water District (Update) | Utilities | USA | Yes | 33,844 |
| County of Rock, WI (New) | Public | USA | Yes | 25,823 |
| Teleflora (New) | Manufacturing | USA | Yes | 24 GB |
| Bluefield University (New) | Education | USA | Yes | 23,195 |
| Science History Institute (New) | Non-profit | USA | Yes | 22 GB |
| Okta (Update) | Technology | USA | Yes | 18,000 |
| Valrhona Inc. (New) | Manufacturing | USA | Yes | 6,537 |
| Walborsky Bradley & Fleming, PLLC (New) | Legal | USA | Yes | 5,227 |
| Broadview Federal Credit Union (New) | Finance | USA | Yes | 5,074 |
| The City of Waynesboro (New) | Public | USA | Yes | 4,639 |
| Treeways Holdings LLC (Update) | Environmental | USA | Yes | 3,908 |
| World Learning, Inc. (New) | Education | USA | Yes | 3,022 |
| Lakeview Healthcare System, LLC (New) | Healthcare | USA | Yes | 2,495 |
| The Hershey Company (New) | Manufacturing | USA | Yes | 2,214 |
| Park Bank (New) | Finance | USA | Yes | 2,081 |
| The Walker School, Inc. (New) | Education | USA | Yes | 1,493 |
| Kimber Mfg., Inc. (New) | Manufacturing | USA | Yes | 1,212 |
| Butte School District (New) | Education | USA | Yes | 900+ |
| Fenway Community Health Center, Inc. (New) | Healthcare | USA | Unknown | 598 |
| Comprehensive Auto Resource, Inc. (New) | Insurance | USA | Yes | 240 |
| Lovelace Health System (New) | Healthcare | USA | Yes | Unknown |
| DP World Australia (Update) | Transport | Australia | Yes | Unknown |
| Charmant USA (New) | Retail | USA | Yes | Unknown |
| King Edward VII’s Hospital (New) | Healthcare | UK | Yes | Unknown |
| Quantum Radiology (New) | Healthcare | Australia | Yes | Unknown |
| Israel’s State Archive (New) | Public | Israel | Yes | Unknown |
| National Aerospace Laboratories (New) | Public | India | Yes | Unknown |
| Shoval (New) | Public | Israel | Yes | Unknown |
| SinglePoint Outsourcing, Inc. (New) | Professional services | USA | Yes | Unknown |
| Thillens (New) | Finance | USA | Yes | Unknown |
| Elston-Nationwide Carriers (New) | Transport | USA | Yes | Unknown |
| American Insulated Glass (New) | Retail | USA | Yes | Unknown |
| MooreCo Inc. (New) | Manufacturing | USA | Yes | Unknown |
| Sparex Limited (New) | Retail | UK | Yes | Unknown |
| Retailer Web Services (New) | Technology | USA | Yes | Unknown |
| Continental Shipping Line (Texas branch) (New) | Transport | USA | Yes | Unknown |
| BYFOD (New) | Retail | Netherlands | Yes | Unknown |
| SurvTech Solutions (New) | Engineering | USA | Yes | Unknown |
| Edge Realty Partners (New) | Real estate | USA | Yes | Unknown |
| Noble Mountain Tree Farm (New) | Agriculture | USA | Yes | Unknown |
| Unitransfer Florida (New) | Telecommunications | USA | Yes | Unknown |
| SC Hydraulic Engineering Corporation (New) | Manufacturing | USA | Yes | Unknown |
| Labtopia, Inc. (New) | Professional services | USA | Yes | Unknown |
| OLA Consulting Engineers (New) | Engineering | USA | Yes | Unknown |
| Canderel Group (New) | Real estate | Canada | Yes | Unknown |
| Great Valley School District (New) | Education | USA | Yes | Unknown |
| Pacific Cataract and Laser Institute (New) | Healthcare | USA | Yes | Unknown |
| Covenant Care (New) | Healthcare | USA | Yes | Unknown |
| HTC Global Services (New) | Technology | USA | Yes | Unknown |
| Aqipa GmbH (New) | Retail | Austria | Yes | Unknown |
| ARPEGE MASTER K (New) | Manufacturing | France | Yes | Unknown |
| Chetu, Inc. (New) | Technology | USA | Yes | Unknown |
| FUTURA Fundamentsysteme GmbH (New) | Construction | Germany | Yes | Unknown |
| Ardent Health Services (New) | Healthcare | USA | Unknown | Unknown |
| University of Kansas Health System-St. Francis (New) | Healthcare | USA | Unknown | Unknown |
| North Texas Municipal Water District (New) | Utilities | USA | Unknown | Unknown |
| Staples (New) | Retail | USA | Unknown | Unknown |
| City of Hendersonville (New) | Public | USA | Unknown | Unknown |
| Capital Health (New) | Healthcare | USA | Unknown | Unknown |
| Weald of Kent Grammar School (New) | Education | UK | Unknown | Unknown |
| Several district heating plants (New) | Energy | Estonia | Unknown | Unknown |
| Five California courts (Monroe, Lee, Sarasota, Hillsborough and Brevard) and three court record system providers (Catalis, Tyler Technologies, and Henschen & Associates) (New) | Legal and technology | USA | Unknown | Unknown |
| Japan Space Exploration Agency (New) | Space | Japan | Unknown | Unknown |
| Ongoing Operations, FedComp, and 60 credit unions including Mountain Valley Federal Credit Union (New) | Technology and finance | USA | Unknown | Unknown |
| Drum/Binghamstown Group Water Scheme (Mayo County Council) (New) | Utilities | Ireland | No | 0 |
| Trasporto Locale and Trentino Transport (New) | Transport | Italy | No | 0 |

Note: ‘New’/‘update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.


Enforcement

Joint operation breaks up international ransomware gang

Five people were arrested in Ukraine on 21 November in connection with a ransomware operation believed to be responsible for attacks in 71 countries. Authorities from Norway, France, the Netherlands, Ukraine, Germany, Switzerland and the United States, as well as Europol and Eurojust, participated in the operation.

Dutch Data Protection Authority takes action against Dutch Employee Insurance Agency

The Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, has reprimanded the Dutch Employee Insurance Agency, the UWV, for using an algorithm to monitor the online behaviour of people receiving unemployment benefits, in contravention of the GDPR (General Data Protection Regulation).


Other news

European Parliament and Council of the European Union reach political agreement on Cyber Resilience Act

The European Commission has welcomed the political agreement reached between the European Parliament and the Council of the European Union on the Cyber Resilience Act, which the Commission proposed in 2022. The Act aims to improve the cyber security of digital products across the EU by introducing mandatory cyber security requirements for all hardware and software.

Council of the European Union adopts Data Act

The Council of the European Union has adopted a new regulation on harmonised rules on fair access to, and use of, data across the EU. The Data Act obliges manufacturers and service providers to let their users access and reuse the data generated by the use of their products and services.

NCSC publishes new guidance on how to ‘lift and shift’

The NCSC (National Cyber Security Centre) has added a new section about how to ‘lift and shift’ to its guidance on using Cloud services securely. ‘Lift and shift’ is the practice of replicating an existing local system in the Cloud.

NCSC publishes secure AI system development guidelines

The NCSC has published a new set of Guidelines for secure AI system development to “help providers to build AI systems that function as intended, are available when needed, and work without revealing sensitive data to unauthorised parties”.

New York Governor proposes cyber security regulations for hospitals

New York Governor Kathy Hochul has proposed new cyber security regulations for all hospitals operating in the state, which are expected to complement the security requirements of HIPAA (the Health Insurance Portability and Accountability Act).

Manufacturing industry identified as top target of cyber extortion

According to a new report by Orange Cyberdefense, 20% of all cyber extortion attacks in 2023 were aimed at the manufacturing industry – a 42% increase over 2022 and 17% more than the second most targeted industry.

Nato expands cyber security coalition

Nato countries welcomed South Korea and Japan to their cyber security exercises in Estonia from 27 November to 1 December. This year’s Cyber Coalition “brought together more than 1,300 cyber defenders from 28 NATO Allies and 7 partner countries, as well as the European Union and participants from industry and academia”.

Queensland passes mandatory data breach laws

Queensland has become the second Australian state, following New South Wales, to oblige public-sector entities to notify affected individuals and the state’s privacy regulator of data breaches that would likely result in serious harm.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up.

The post The Week in Cyber Security and Data Privacy: 27 November – 3 December 2023 appeared first on IT Governance UK Blog.