Welcome to this week’s round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks
True Potential leaks clients’ personal data to adviser
Date of breach: October 2023 (exact date unknown)
Breached organisation: True Potential, a wealth management platform
Incident details: True Potential accidentally gave an independent financial advisor, Celtic Financial Planning, access to a spreadsheet that contained True Potential’s customers’ personal information, including their full names, addresses and national insurance numbers.
Records breached: Data relating to 6,336 clients
Toronto Public Library services knocked offline by cyber attack
Date of breach: 28 October
Breached organisation: TPL (Toronto Public Library), Canada’s largest public library system
Incident details: TPL reported that a “cybersecurity incident” on 28 October had rendered several services unavailable, including “tpl.ca, ‘your account’, tpl:map passes and digital collections”. Library branches remain open, Wi-Fi is still available and materials can still be borrowed. However, public computers and printing services are unavailable.
Records breached: According to the library’s 4 November update, there is “no evidence that the personal information of our staff or customers has been compromised”.
US Justice and Defense departments added to list of MOVEit Transfer breach victims
Date of breach: 28 and 29 May 2023
Breached organisation: US Department of Justice and Department of Defense
Incident details: A report by the US OPM (Office of Personnel Management) revealed that the data firm Westat, which the OPM uses to administer employee surveys, used MOVEit Transfer. When MOVEit was hacked by the Russian Cl0p ransomware gang in May, email addresses and links to government employee surveys were compromised. According to Forbes, Defense Department employees affected included “officials from the Air Force, the Army, the Army Corps of Engineers, the Office of the Secretary of Defense and the Joint Staff”.
Records breached: The email addresses of about 632,000 employees
ICMR Indian Council of Medical Research: 815,000,000 breached records
Date of breach: Data exfiltrated in September 2023, offered for sale on dark web on 9 October, reported in the news from 30 October
Breached organisation: The ICMR (Indian Council of Medical Research)
Incident details: The personal data of 815 million Indian residents, apparently exfiltrated from the ICMR’s Covid-testing database, was offered for sale on the dark web earlier this month. According to the security company Resecurity, which discovered the listing, the data included victims’ name, age, gender, address, passport number and Aadhaar number (a 12-digit government identification number).
Records breached: 815,000,000
Milford Management Corp. reports unauthorised access to confidential consumer information
Date of breach: 25–27 August 2023 (discovered 6 October 2023)
Breached organisation: Milford Management Corporation, a subsidiary of Milstein Properties, a New York real estate investment company
Incident details: On 30 October, Milford Management Corporation filed a data breach notification with the Maine Attorney General, reporting on “an incident that involved unauthorized access to certain of [its] computer systems”.
Records breached: Unknown (including four Maine residents)
SBM reports unauthorised access to confidential consumer information
Date of breach: 28 June 2023
Breached organisation: SBM Management Services, a business services company based in McClellan, California
Incident details: On 27 October, SBM filed a data breach notification with the Montana Attorney General, reporting that it had suffered a network disruption on 28 June. While investigating the incident, it discovered that confidential consumer information had been accessed by an unauthorised third party.
Records breached: Unknown
United Medical Centers reports unauthorised access to patient data
Date of breach: Suspicious activity detected on 26 July 2023, unauthorised access confirmed 2 September, victims notified 27 October, breach notification filed with the Texas Attorney General 30 October
Breached organisation: UMC (United Medical Centers)
Incident details: In July, UMC detected suspicious activity on its network. It secured its systems, notified law enforcement and began investigating the incident. On 2 September, it confirmed that an unauthorised party had accessed or removed some of its files, some of which contained confidential patient information. Compromised information included patients’ names, dates of birth, postal addresses, Social Security numbers, diagnosis and treatment information, and health insurance information.
Records breached: Unknown
Boeing investigates cyber security incident following LockBit claims
Date of breach: Unknown (LockBit listing on 3 November)
Breached organisation: Boeing
Incident details: Boeing is investigating a cyber attack on its parts and distribution business after the LockBit ransomware gang claimed to have exfiltrated data. LockBit has threatened to publish the data if Boeing doesn’t contact it – presumably, to pay a ransom. Boeing is “assessing the claim”.
Records breached: According to LockBit, a “tremendous amount of sensitive data”
Advarra investigating security breach
Date of breach: On or around 25 October
Breached organisation: Advarra
Incident details: According to DataBreaches, threat actors hacked Advarra and exfiltrated 120GB+ of data, having gained access by phishing an executive’s personal email account, placing malware in her OneDrive and bypassing MFA (multifactor authentication) to access her work accounts and files. Advarra says “a limited amount of company data” was “acquired” and its investigation is ongoing.
Records breached: According to the threat actors, 120GB+ of confidential data, belonging to “customers, patients & ALL employees, both former and current”. According to Advarra, “a limited amount of company data”.
British Library suffers “cyber incident”, online systems disrupted
Date of breach: 28 October
Breached organisation: The British Library
Incident details: The British Library has suffered a “cyber incident”, affecting its “website, online systems and services, and some onsite services including Wi-Fi”. Reading rooms remain open. The Library is investigating the incident with the NCSC (National Cyber Security Centre) and “other specialists”. As of the publication of this blog post, the Library’s website remains offline.
Records breached: Unknown
ALPHV/BlackCat publishes data exfiltrated from the Town of Iowa, Louisiana
Date of breach: Unknown
Breached organisation: The Town of Iowa, Louisiana
Incident details: The ALPHV/BlackCat ransomware gang has published approximately 250 documents that it exfiltrated from the Town of Iowa in Louisiana. Most documents date from 2019 and 2020, and contain Social Security numbers, employees’ salaries, birthdates, addresses, phone numbers and other personal data.
Records breached: Unknown (approximately 250 documents released)
Rightway Healthcare breach affects Okta employees
Date of breach: 23 September, disclosed 12 October
Breached organisation: Rightway Healthcare
Incident details: According to Okta’s breach notification letter, cyber criminals hacked Rightway Healthcare, accessing an eligibility census file relating to its provision of services to Okta employees from 2019 to 2020. Compromised data included names, Social Security numbers, and health/medical insurance plan numbers.
Records breached: Nearly 4,961 current and former Okta employees’ data
Pharmacist accesses Alfred Health patients’ data without authorisation
Date of breach: Unknown (investigation launched in June 2023, patients notified 30 November)
Breached organisation: Alfred Health
Incident details: A “curious” former Alfred Health pharmacist accessed more than 7,000 patients’ medical records over a four-year period, without authorisation. Compromised information include patients’ names, dates of birth, addresses, Medicare numbers and medical information.
Records breached: More than 7,000 patients’ data
Jeffco Public Schools hacked by same organisation as Clark County School District
Date of breach: 31 October, breach notice 1 November
Breached organisation: Jeffco Public Schools
Incident details: SingularityMD, the attackers who compromised Clark County School District on 5 October (see last week’s round-up) struck Jeffco Public Schools using the same method – exploiting the school’s policy of using students’ date of birth as their password to gain access to the network. According to the attacker, compromised information included staff information, such as phone numbers and postal addresses, parent and student information, a full backup of the school’s IT project management directory and some financial documents.
Records breached: Information relating to 90,000 students
Virginia’s Fairfax County Public Schools student data compromised
Date of breach: October 2023
Breached organisation: Fairfax Country Public Schools, Virginia
Incident details: Callie Oettinger, a parent advocate who had requested access to her own children’s files, was accidentally given thumb drives and computer discs containing sensitive personal data relating to tens of thousands of students.
Records breached: Information relating to about 35,000 students
Another update on cyber attacks at Canadian hospitals
Date of breach: 23 October (see last week’s blog post)
Breached organisation: Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital in Ontario
Incident details: Daixin Team, which exfiltrated data from five Canadian hospitals via a cyber attack on TransForm SSO, has released further stolen files, including sensitive patient information.
Records breached: Numerous files, including hospital employee data, at least 15,000 patients’ data and IT-related information
Enforcement
First ransomware victim fined for HIPAA breach
The US Department of Health and Human Services has fined a Massachusetts-based medical management company $100,000 following an investigation into a 2019 GandCrab ransomware breach that affected 206,695 individuals.
SEC Charges SolarWinds and its CISO with Fraud
The SEC (Securities and Exchange Commission) has charged the software company SolarWinds and its CISO (chief information security officer), Timothy G. Brown, with fraud and internal control failures relating to its cybersecurity practices. The SEC says that, from the company’s IPO (initial public offering) in October 2018 until December 2020, when it revealed that it had been the victim of a cyber attack, SolarWinds had defrauded investors by overstating its cybersecurity practices and downplaying the risks it faced.
Other news
FIRST publishes new version of CVSS (Common Vulnerability Scoring System)
FIRST has released CVSS v4.0 – the latest version of the standard used worldwide to categorise security vulnerabilities.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.
In the meantime, if you missed it, check out last week’s round-up.
The post The Week in Cyber Security and Data Privacy: 30 October – 5 November 2023 appeared first on IT Governance UK Blog.
