Welcome to this week’s round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks
Mulkay Cardiology Consultants notifies Maine Attorney General of breach
Date of breach: 1 September – 5 September 2023
Breached organisation: Mulkay Cardiology Consultants at Holy Name Medical Center, New Jersey
Incident details: On 5 September, Mulkay Cardiology Consultants discovered that an unauthorised third party had accessed its systems and encrypted some of its files. On 14 September, Mulkay discovered that the compromised files contained personal information, including “name, address, date of birth, Social Security number, driver’s license number or state ID, medical treatment information, and health insurance information”.
Records breached: 79,582
Date of breach: 23 October 2023
Breached organisation: Bluewater Health and Chatham-Kent Health Alliance
Incident details: A database containing information about 5.6 million patient visits to Bluewater Health and the social insurance numbers of 1,446 Chatham-Kent Health Alliance employees was among the data exfiltrated as part of a 23 October ransomware attack on TransForm, a payroll provider to five Ontario hospitals(see The Week in Cyber Security and Data Privacy 30 October – 5 November 2023 and The Week in Cyber Security and Data Privacy: 23–29 October 2023).
Records breached: 5,601,446
Marina Bay Sands reveals data breach affecting 665,000 customers
Date of breach: 19 and 20 October 2023
Breached organisation: Marina Bay Sands
Incident details: Marina Bay Sands, a luxury resort operator in Singapore, has announced that the personal data of 665,000 members of its shopping loyalty programme has been compromised in a “data security incident”. The data included shoppers’ names, email addresses, phone numbers, countries of residence and membership numbers.
Records breached: 665,000
Tri-City Medical Center, San Diego, hit by suspected ransomware attack
Date of breach: 9 November 2023
Breached organisation: Tri-City Medical Center, Oceanside
Incident details: Tri-City Medical Center was forced to divert ambulances to other hospitals following what a spokesperson referred to as “A cybersecurity challenge”. According to the San Diego Union-Tribune, “several people familiar with the situation who asked not to be identified said that [ransomware] was the suspected culprit”.
Records breached: Unknown
Multiple instances of unauthorised access via ScreenConnect
Date of breach: 28 October – 8 November 2023
Breached organisation: Multiple healthcare organisations
Incident details: Huntress reports that attackers have exploited ScreenConnect, a remote access tool used by the pharmacy supply chain and management systems solution provider Transaction Data Systems/Outcomes, to access endpoints belonging to “multiple healthcare organizations”.
Records breached: Unknown
Northwell Health patient data compromised in Perry Johnson & Associates data breach
Date of breach: 7 – 19 April 2023
Breached organisation: Northwell Health
Incident details: Northwell Health – the largest health system in New York – has confirmed that it was affected by the data breach at the medical transcription company Perry Johnson & Associates earlier this year. According to the HIPAA Journal, “Northwell Health said the breach involved names, addresses, dates of birth, and medical information, including diagnoses, test results, and physician and healthcare provider names. Some patients also had their Social Security numbers exposed.”
Records breached: Unknown (although Northwell Health’s initial statement, since withdrawn, said 3,891,565 people were affected)
Maine state agencies affected by MOVEit Transfer breach
Date of breach: 31 May 2023
Breached organisation: The State of Maine
Incident details: The State of Maine has confirmed that it was affected by the Cl0p attack on Progress Software’s MOVEit Transfer file transfer tool in May. Approximately 1.3 million individuals’ information was compromised, including names, Social Security numbers, dates of birth, driver’s license/state identification numbers and taxpayer identification numbers.
Records breached: 1.3 million individuals
McLaren Health Care notifies nearly 2.2 million people of data breach
Date of breach: 28 July – 23 August 2023
Breached organisation: McLaren Health Care, Michigan
Incident details: notice: According to its data breach notification, McLaren Health Care became aware of suspicious activity on its systems on 22 August. Its investigation determined that there had been unauthorised access to is network between 28 July and 23 August, gaining access to personal information, including names, Social Security numbers, consumers’ or consumers’ family members’ “past, present or future physical, mental or behavioral health or condition”, and information relating to the provision of and payment for healthcare. According to BleepingComputer, the ALPHV/BlackCat ransomware group took responsibility for an attack on McLaren’s network on 4 October.
Records breached: 2,192,515 people affected
Sumo Logic identifies “potential security incident”
Date of breach: 3 November 2023
Breached organisation: Sumo Logic
Incident details: On 7 November, Sumo Logic notified its customers that it had “discovered evidence of a potential security incident” in which “a compromised credential” was used “to access a Sumo Logic AWS account”. Customer data, which was encrypted, was reported to be unaffected.
Records breached: None
Butler County reports personal information breach
Date of breach: 8 November 2023
Breached organisation: Butler County
Incident details: The Butler County Commissioners Office has announced that personal data was compromised in October when an unauthorised third party accessed its network. The information mostly related to court proceedings. “The security and integrity of our information systems are top priorities, and we work continually to safeguard our network to maintain confidentiality,” stated county IT director Jim Venturini. “The county will continue to invest in the internal processes, tools, and resources to reduce the likelihood of future security incidents.”
Records breached: Unknown
Butte School District shuts down computer network after system compromised
Date of breach: 4 November 2023
Breached organisation: Butte School District
Incident details: Butte School District was forced to shut down its computer systems following an unknown breach. “All I can say is that we’re still investigating the issue and we do not have any clear information of what it was,” Butte School District Superintendent Judy Jonart told KXLF.
Records breached: Unknown
Pulaski County Public Schools announces ransomware investigation
Date of breach: 5 November 2023
Breached organisation: Pulaski County Public Schools
Incident details: According to a notice published on Facebook on 7 November, Pulaski County Public Schools has fallen victim to a ransomware attack.
Records breached: Unknown
Australian port operators knocked offline by cyber attack
Date of breach: 10 – 13 November 2023
Breached organisation: DP World Australia (ports operator)
Incident details: Operations at the DP World Australia container terminals in Melbourne, Sydney, Brisbane and Perth were disrupted by a cyber attack from Friday 10 – Monday 13 November. A company statement quoted by the BBC, the organisation is investigating the cyber attack. “The resumption of port operations does not mean that this incident has concluded,” it said. “DP World Australia’s investigation and ongoing remediation work are likely to continue for some time.”
Records breached: Unkown
LockBit ransomware attack on ICBC Financial Services
Date of breach: 8 November 2023
Breached organisation: ICBC FS (Industrial & Commercial Bank of China Financial Services)
Incident details: According to a notice on its website, ICBC FS – a US subsidiary of the world’s largest bank – suffered a ransomware attack on 8 November that disrupted some of its systems and, as a result, affected the US Treasury market. The Russian LockBit ransomware gang has taken responsibility for the attack.
Records breached: Unknown
Other news
ICO and EDPS sign Memorandum of Understanding
The UK’s ICO (Information Commissioner’s Office) and the EDPS (European Data Protection Supervisor) have signed a Memorandum of Understanding, reinforcing “their common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal”.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.
In the meantime, if you missed it, check out last week’s round-up.
The post The Week in Cyber Security and Data Privacy: 6 – 12 November 2023 appeared first on IT Governance UK Blog.