92,391,296 known records breached in 222 publicly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Two French healthcare service providers breached affecting over 33 million people
The French data protection authority, the CNIL, is investigating data breaches at two French healthcare service providers, Viamedis and Almerys, which manage third-party payments for supplementary health insurance.
Compromised data includes policyholders’ and their families’ civil status, dates of birth and social security numbers, as well as the name of their health insurer and information relating to their contracts.
Financial information, medical data, health reimbursements, postal addresses, telephone numbers and emails are not thought to have been compromised.
In total, more than 33 million people – nearly half France’s population – have been affected.
Data breached: >33,000,000 people’s data.
Thailand’s Department of Older Persons breached, exposing almost 20 million personal data records
The Department of Older Persons, part of Thailand’s Ministry of Social Development and Human Security, suffered a data breach in which 19,718,687 rows of personal data were exposed.
Compromised data included names, ID card numbers, phone numbers, emails, salaries and personal photographs.
The incident is one of a series of major data breaches in Thailand in recent months that have been analysed by the security company Resecurity. It has since been confirmed by Anukul Peedkaew, the permanent secretary of social development and human security.
Data breached: 19,718,687 records.
Further victims of last year’s Perry Johnson & Associates data breach identified
Last year, the medical transcription company PJ&A (Perry Johnson & Associates) suffered a data breach in which an unauthorised third party was able to access its computer network. In November 2023, Northwell Health – the largest health system in New York – confirmed that it was affected by the incident.
PJ&A has now determined that information relating to another of its clients, Concentra Health Services, was also accessed and has filed notice of a data breach on behalf of Concentra, confirming that over 13 million people were affected. Compromised information varies from person to person.
Data breached: 13,300,750 people’s data.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 92,391,296 records known to be compromised, and 222 organisations suffering a newly disclosed incident. 184 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 2 definitely haven’t had data breached.
We also found 7 organisations providing a significant update on a previously disclosed incident.
Organisation(s) | Sector | Location | Data breached? | Known records breached |
Viamedis and Almerys [New] | Healthcare | France | Yes | >33,000,000 |
Department of Older Persons (part of Thailand’s Ministry of Social Development and Human Security) [New] | Public | Thailand | Yes | 19,718,687 |
Perry Johnson & Associates, Inc. (PJ&A) [Update] | IT services and software | USA | Yes | 13,300,750 |
Hyundai Motor Europe [New] | Manufacturing | Germany | Yes | 3 TB |
MRA – The Management Association [New] | Professional services | USA | Yes | 3 TB |
65 unidentified APAC organisations [New] | Multiple | Multiple APAC countries, predominantly India (12 victims), Taiwan (10), Thailand (9) and Vietnam (7) | Yes | 2,079,027 |
Al Firas [New] | Construction and real estate | UAE | Yes | 2 TB |
Chulabook [New] | Retail | Thailand | Yes | >1,600,000 |
Drost Kivlahan Mcmahon & O’Connor [New] | Legal | USA | Yes | 1.6 TB |
KSA Architecture [New] | Construction and real estate | USA | Yes | 1.5 TB |
Cole, Cole, Easley & Sciba [New] | Legal | USA | Yes | 1.5 TB |
JP Original Corp [New] | Manufacturing | USA | Yes | 1.2 TB |
CTSI [New] | Multiple | USA | Yes | 978 GB |
Willis Lease Finance Corporation [New] | Finance | USA | Yes | 910 GB |
asecos [New] | Manufacturing | Germany | Yes | 810 GB |
Transaxle [New] | Manufacturing | USA | Yes | 795 GB |
Dalmahoy Hotel & Country Club [New] | Hospitality and leisure | UK | Yes | 769,590 |
B&B Electric [New] | Construction and real estate | USA | Yes | 750 GB |
Posen Architects [New] | Construction and real estate | USA | Yes | 724 GB |
SPB Global [New] | Manufacturing | Spain | Yes | 706 GB |
Avianor Group [New] | Engineering | Canada | Yes | 578,914 |
United Colors of Benetton [New] | Retail | India | Yes | 500,000 |
Studio Galbusera [New] | Education | Italy | Yes | 500 GB |
Upper Merion Youth Wrestling Association [New] | Charity and non-profit | USA | Yes | 500 GB |
Village of Skokie [New] | Public | USA | Yes | 499,988 |
Benchmark Management Group [New] | Construction and real estate | USA | Yes | 401,148 |
Manitou Group [New] | Manufacturing | France | Yes | 400 GB |
Azura Vascular Care [New] | Healthcare | USA | Yes | 348,000 |
Indorama Ventures [New] | Manufacturing | Thailand | Yes | 318 GB |
Groupe Goyette [New] | Transport | Canada | Yes | 314,307 |
SEIU (Service Employees International Union) [New] | Public | USA | Yes | 308 GB |
Des Moines Orthopaedic Surgeons, P.C. [New] | Healthcare | USA | Yes | 307,864 |
Planet Home Lending, LLC [Update] | Finance | USA | Yes | 284,974 |
Technet [New] | IT services and software | Sweden | Yes | 278 GB |
Ducont [New] | IT services and software | UAE | Yes | 256,018 |
Spoutible [New] | Media | USA | Yes | 207,000 |
Carespring Healthcare [New] | Healthcare | USA | Yes | 182,725 |
Parksite [New] | Construction and real estate | USA | Yes | 170 GB |
Vail-Summit Orthopaedics & Neurosurgery [New] | Healthcare | USA | Yes | 150 GB |
Gocco [New] | Retail | Spain | Yes | 136 GB |
Commonwealth Sign [New] | Manufacturing | USA | Yes | 113.63 GB |
Western Municipal Construction [New] | Construction and real estate | USA | Yes | 101 GB |
Tennessee Farmers Insurance [New] | Insurance | USA | Yes | 71,000 |
CNO ACE [New] | Healthcare | USA | Yes | 65,195 |
Verizon Communications Inc. [New] | Telecoms | USA | Yes | 63,206 |
Bayer Heritage Federal Credit Union [Update] | Finance | USA | Yes | 61,159 |
HBL CPAs [New] | Professional services | USA | Yes | 60 GB |
Shipleys [New] | Professional services | UK | Yes | 60 GB |
Sopem Tunisie [New] | Manufacturing | Tunisia | Yes | 55,169 |
Harinck [New] | Manufacturing | Belgium | Yes | 53.1 GB |
Impact Energy Services [New] | Engineering | Canada | Yes | 52,707 |
Lancaster County Sheriff’s Office [New] | Public | USA | Yes | 52,567 |
Maximum Research [New] | Professional services | USA | Yes | 52 GB |
Terago [New] | Telecoms | Canada | Yes | 45 GB |
Zivilgeometer [New] | Engineering | Austria | Yes | 41.83 GB |
Aver Information [New] | Telecoms | Taiwan | Yes | 40 GB |
Nastech [New] | Energy and utilities | UAE | Yes | 33,664 |
Facebook Marketplace [New] | Media | USA | Yes | 24,127 |
PWS – The Laundry Company [New] | Professional services | USA | Yes | 21.1 GB |
City of Clemson, South Carolina [New] | Public | USA | Yes | 21,056 |
DGX-Dependable Hawaiian Express [New] | Professional services | USA | Yes | 20 GB |
Verdimed [New] | Agricultural | Europe | Yes | 19 GB |
Watchmax [New] | Retail | UK | Yes | 15,000 |
Del-Tron Precision [New] | Manufacturing | India | Yes | 8.9 GB |
Signature Performance, Inc. [Update] | Healthcare | USA | Yes | 7,122 |
Arch Capital Services LLC [New] | Healthcare | USA | Yes | 7,036 |
Tobacco-Free Kids [New] | Charity and non-profit | USA | Yes | 7 GB |
Health Alliance Medical Plans [New] | Healthcare | USA | Yes | 6,900 |
Family Healthcare Center [New] | Healthcare | USA | Yes | 6,457 |
International Center of Photography [New] | Charity and non-profit | USA | Yes | 5,985 |
The Burton Corporation [New] | Manufacturing | USA | Yes | 5,170 |
Southwest Binding & Laminating [New] | Professional services | USA | Yes | 4.2 GB |
Sun Pain Management, LLC [New] | Healthcare | USA | Yes | 2,988 |
J.D. Gilmour & Co., Inc. [Update] | Healthcare | USA | Yes | 2,481 |
The New Jewish Home [New] | Healthcare | USA | Yes | 2,000 |
Finzer Roller, Inc. [New] | Manufacturing | USA | Yes | 1,335 |
Science Systems and Applications, Inc. [New] | Defence | USA | Yes | 1,051 |
Connecticut College [New] | Education | USA | Yes | 954 |
American Alarm & Communications Inc. [Update] | Professional services | USA | Yes | 942 |
The Northwestern Mutual Life Insurance Company [New] | Finance | USA | Yes | 887 |
Whitley Penn [Update] | Finance | USA | Yes | 729 |
Albertsons Companies, Inc. [New] | Retail | USA | Yes | 457 |
Midwest Hardwood Company LLC [New] | Manufacturing | USA | Yes | 373 |
Precision Tune Auto Care [New] | Transport | USA | Yes | 0.274 GB |
Trendium Pool Products, Inc. [New] | Manufacturing | Canada | Yes | 237 |
The Hamilton Paramedic Service [New] | Healthcare | USA | Yes | 162 |
Tax Technologies, Inc. [New] | Professional services | USA | Yes | 146 |
Community School of Naples [New] | Education | USA | Yes | 4 |
Software Systems, Inc. [New] | IT services and software | USA | Yes | 2 |
Japanese government [New] | Public | Japan | Yes | Unknown |
WinStar [New] | Hospitality and leisure | USA | Yes | Unknown |
Maxis Berhad [New] | Telecoms | Malaysia | Yes | Unknown |
Lex Caribbean [New] | Legal | Barbados | Yes | Unknown |
Abel Santos & Asociados [New] | Professional services | Argentina | Yes | Unknown |
Pezold, Barker & Woltz, APPC [New] | Legal | USA | Yes | Unknown |
Chicago Extruded Metals [New] | Manufacturing | USA | Yes | Unknown |
Unidentified contractors of US Department of Defense [New] | Public | USA | Yes | Unknown |
Greater Richmond Transit [New] | Transport | USA | Yes | Unknown |
VCS Observation [New] | Manufacturing | Netherlands | Yes | Unknown |
Hutch Paving [New] | Construction and real estate | USA | Yes | Unknown |
Modern Kitchens [New] | Manufacturing | USA | Yes | Unknown |
Greenwich Leisure [New] | Public | UK | Yes | Unknown |
A&A Ready Mixed Concrete [New] | Construction and real estate | USA | Yes | Unknown |
Northeastern Sheet Metal [New] | Manufacturing | USA | Yes | Unknown |
Hannon Transport [New] | Transport | UK | Yes | Unknown |
McMillan Pazdan Smith [New] | Construction and real estate | USA | Yes | Unknown |
Mason Construction [New] | Construction and real estate | USA | Yes | Unknown |
Albert Bartlett [New] | Agricultural | UK | Yes | Unknown |
Perry-McCall Construction [New] | Construction and real estate | USA | Yes | Unknown |
Premier Facility Management [New] | Professional services | USA | Yes | Unknown |
Douglas County Libraries [New] | Public | USA | Yes | Unknown |
Leaders Staffing [New] | Other | USA | Yes | Unknown |
Arpuplus [New] | Telecoms | Egypt | Yes | Unknown |
Celeste [New] | Multiple | France | Yes | Unknown |
Ceralp [New] | Professional services | France | Yes | Unknown |
Worthen Industries [New] | Manufacturing | USA | Yes | Unknown |
PJ Green [New] | Professional services | USA | Yes | Unknown |
YRW Limited Chartered Accountants [New] | Professional services | USA | Yes | Unknown |
Karl Rieker [New] | Manufacturing | Germany | Yes | Unknown |
Tetrosyl Group [New] | Manufacturing | UK | Yes | Unknown |
Anderco PTE [New] | Construction and real estate | Singapore | Yes | Unknown |
Distecna [New] | Professional services | Argentina | Yes | Unknown |
Grupo Moraval [New] | Charity and non-profit | Spain | Yes | Unknown |
CDT Medicus [New] | Healthcare | Poland | Yes | Unknown |
Soken Chemical & Engineering [New] | Engineering | Japan | Yes | Unknown |
Grace Lutheran Foundation [New] | Charity and non-profit | USA | Yes | Unknown |
Magi ERP Group [New] | IT services and software | USA | Yes | Unknown |
Pacific American Fish Company [New] | Other | USA | Yes | Unknown |
Pakistan Super League [New] | Hospitality and leisure | Pakistan | Unknown | Unknown |
Lurie Children’s Hospital [New] | Healthcare | USA | Unknown | Unknown |
Multiple Philippine government agencies [New] | Public | Philippines | Unknown | Unknown |
Dutch MIVD (Military Intelligence and Security Service) [New] | Public | Netherlands | Unknown | Unknown |
The municipality of Korneuburg [New] | Public | Austria | Unknown | Unknown |
Armentières hospital [New] | Healthcare | France | Unknown | Unknown |
Philogen SpA [New] | Other | Italy | Unknown | Unknown |
Logtainer Srl [New] | Transport | Italy | Unknown | Unknown |
Prima Wawona [New] | Agricultural | USA | Unknown | Unknown |
Portline Transportes Marítimos Internacionais [New] | Transport | Portugal | Unknown | Unknown |
Semesco [New] | Engineering | Cyprus | Unknown | Unknown |
Ultraflex Systems [New] | Manufacturing | USA | Unknown | Unknown |
Tgestiona [New] | Professional services | Brazil | Unknown | Unknown |
WIFI Niederösterreich [New] | Education | Austria | Unknown | Unknown |
Davis, French & Associates [New] | Professional services | UK | Unknown | Unknown |
AXS Bolivia [New] | Telecoms | Bolivia | Unknown | Unknown |
Vimar Equipment [New] | Transport | Canada | Unknown | Unknown |
Therme LAA [New] | Hospitality and leisure | Austria | Unknown | Unknown |
Original Footwear [New] | Manufacturing | USA | Unknown | Unknown |
Perkins Manufacturing [New] | Manufacturing | USA | Unknown | Unknown |
MacQueen Equipment Group [New] | Manufacturing | USA | Unknown | Unknown |
Town of Seymour [New] | Professional services | USA | Unknown | Unknown |
Northsea Yacht Support [New] | Manufacturing | Netherlands | Unknown | Unknown |
Money Advice Trust [New] | Charity and non-profit | UK | Unknown | Unknown |
Bull Stockwell Allen [New] | Construction and real estate | USA | Unknown | Unknown |
Capozzi Adler [New] | Legal | USA | Unknown | Unknown |
Living Water International [New] | Charity and non-profit | USA | Unknown | Unknown |
American Integrated Security Group [New] | Professional services | USA | Unknown | Unknown |
Maddockhenson [New] | Finance | USA | Unknown | Unknown |
La Colline [New] | Manufacturing | Switzerland | Unknown | Unknown |
Amoskeag Network Consulting Group [New] | IT services and software | USA | Unknown | Unknown |
Northern Light Health [New] | Healthcare | USA | No | 0 |
Unified Judicial System of Pennsylvania [New] | Public | USA | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
AI
NCSC publishes new guidance on AI and cyber security
The UK’s National Cyber Security Centre has published new guidance on cyber security issues organisations need to be aware of when deploying artificial intelligence. AI and cyber security: what you need to know is designed to help managers, board members and senior executives (with a non-technical background) to understand some of the risks – and benefits – of using AI tools.
EU lawmakers vote to ratify political deal on AI Act
Two committees at the European Parliament have ratified the provisional agreement on the AI Act. LIBE (the European Parliament Committee on Civil Liberties, Justice and Home Affairs) posted on X (formerly Twitter): “AI Act takes a step forward: MEPs in @EP_Justice & @EP_SingleMarket have endorsed the provisional agreement on an Artificial Intelligence Act that ensures safety and complies with fundamental rights”.
Enforcement
US State Department offers $10 million for Hive ransomware information
The US Department of State is offering a reward of up to $10 million for information leading to the identification and/or location of the leaders of the Hive ransomware group, and a reward of up to $5 million for information that leads to the arrest and/or conviction of anyone conspiring to participate in Hive ransomware activity.
US announces visa restriction policy, banning people associated with spyware
Secretary of State Antony J Blinken has announced that the State Department is implementing a new policy “that will allow the imposition of visa restrictions on individuals involved in the misuse of commercial spyware”.
Denmark orders schools not to transfer students’ data to Google
The Danish data protection authority, Datatilsynet, has ordered 53 municipalities across Denmark to change their data processing activities so that they no longer transfer students’ personal data to Google.
Other news
Chinese Volt Typhoon group hid in US infrastructure network for 5 years
CISA (the Cybersecurity and Infrastructure Security Agency), the NSA (National Security Agency) and the FBI (Federal Bureau of Investigation) have issued a joint advisory about the Chinese Volt Typhoon cyber espionage group, which infiltrated US critical infrastructure.
Google confirms that spyware vendors are behind 50% of zero-day attacks
Google’s Threat Analysis Group has analysed 40 commercial spyware vendors and found that they were behind half of known 0-day exploits targeting Google products and Android ecosystem devices.
Ransomware payments topped $1 billion last year
Research by Chainalysis has found that ransom payments made to attackers reached an all-time high of more than $1 billion in 2023. The most profitable ransomware gangs were ALPHV/BlackCat, Clop, Play, LockBit, BlackBasta, Royal, Ransomhouse and Dark Angels. The previous record figure – $983 million – was set in 2021.
Fortinet brushes off DDoS claims
Despite going viral, a story that 3 million electric toothbrushes were hacked and used as a botnet to conduct DDoS (distributed-denial-of-service) attacks is, of course, untrue. The security company Fortinet confirmed that it was a hypothetical scenario, saying: “To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”
Key dates
31 March 2024 – PCI DSS v4.0 transitioning deadline
Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
The post The Week in Cyber Security and Data Privacy: 5 – 11 February 2024 appeared first on IT Governance UK Blog.