List of data breaches and cyber attacks in September 2021 – 91 million records breached

By our reckoning, September 2021 saw 97 security incidents comprising 91,127,815 breached records.

What is unusual about this month is that a single incident accounted for most of those records: 61 million of them, in fact, which were exposed via an unsecured database.

According to Website Planet, whose researchers discovered the database, the organisation responsible was GetHealth, a New York City company that syncs data from numerous IoT health and fitness trackers, including Fitbits and Apple’s HealthKit.

Compromised data included users’ “first and last name, display name, date of birth, weight, height, gender, geo location, and more”.

This brings the year’s running total to 996 security incidents and 4,132,751,378 records.

As ever, you can find links to all the incidents listed below.

Cyber attacks

Hackers steal Covid test data of 1.4 million people from Paris hospital system (rfi.fr) (1,400,000)

Dallas Independent School District reveals breach, but details are still missing (databreaches.net) (0)

Cyberattack on DHSS website includes HIPAA and APIPA breach (alaska.gov) (unknown)

FocaLeaks claims to have hacked El Salvador Police, gained access to records on civilians, agents, and criminal investigations (databreaches.net) (37,000)

PA: Penelec customers must reset passwords after security breach (databreaches.net) (0)

Hacked hospital patients’ data ‘not important’ (bangkokpost.com) (10,000)

Nevada Restaurant Services, Inc. Provides Notice Of Data Privacy Event | djournal.com (0)

Hacked student email threatens high school – ABC 36 News (wtvq.com) (unknown)

Desorden Group claims to have stolen 200 GB of data from ABX Express (databreaches.net) (15,000,000)

Hackers take part of Anvisa’s website off the air and replace it with Argentina’s flag (playcrazygame.com) (0)

Vermont radio stations dealing with fallout from cyberattack (wcax.com) (1)

Report: Fitness Tracker Data Breach Exposed 61 Million Records and User Data Online (websiteplanet.com) (61,000,000)

SANSA breach: International hacker group claims responsibility for Space Agency leak (thesouthafrican.com) (0)

Texoma Community Center notifies 24,030 patients of email hack in September, 2020 (databreaches.net) (24,030)

SC: Dorchester County Government Notice of February Security Incident (databreaches.net) (0)

CMA CGM hit by another cyber attack – Splash247 (unknown)

MD: Groove threat actors claim to have hit Robinwood Orthopaedic (databreaches.net) (unknown)

ALTDOS claims to have hacked one of Malaysia’s biggest conglomerates (databreaches.net) (1,000)

UN Computer Networks Breached by Hackers Earlier This Year (yahoo.com) (0)

HBP Financial Services Group notice of breach impacting Pathology Consultants of New London, PC (databreaches.net) (0)

VA: Greensville County Public Schools hit by Grief threat actors (databreaches.net) (unknown)

Anonymous leaks gigabytes of data from alt-right web host Epik | Ars Technica (unknown)

Notice of Data Event – Simon Eye (14,400)

Ransomware and malware

African Bank warns of data breach with personal details compromised (businesstech.co.za) (1,400,000)

Office of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches (49,476)

Post-Ida cyber attack hits Jefferson Parish courts; closures to last until at least Sept. 20 | Courts | nola.com (0)

CYBER INCIDENT – Queen Creek, AZ: Desert Wells Family Medicine (35,000)

Ransomware attack under investigation at Howard U, online classes canceled Sept. 8 | WJLA (0)

Hacker puts stolen data online because college refuses to pay (databreaches.net) (0)

After Biden Warning, Hackers Define ‘Critical’ as They See Fit – Bloomberg (unknown)

Bridgeport city government hacked, residents put on notice | 104.5 FM & 1440 AM | The Voice of Morgantown | Morgantown, WV (wajr.com) (0)

Mass data leak after Bar Ilan University refuses to pay hacker $2.5m | The Times of Israel (0)

PA: Horizon House notifying patients of ransomware attack in March (databreaches.net) (27,823)

Department of Justice (twimg.com) (0)

Millions of South Africans caught up in security incident after debt recovery firm suffers ‘significant data breach’ | The Daily Swig (portswigger.net) (1,400,000)

Barlow Respiratory Hospital recovering from breach but may have a long incident response road ahead (databreaches.net) (0)

Technology giant Olympus hit by BlackMatter ransomware | TechCrunch (0)

Tamil Nadu Public Department comes under ransomware attack – The Hindu (unknown)

City of Yonkers Hacked, No Computers for the Past Week: Ransom Demanded, City Hall Says No | Yonkers Times (0)

Indian Creek Foundation Provides Notice of Data Event (prnewswire.com) (0)

Customer Care Giant TTEC Hit By Ransomware – Krebs on Security (0)

Two more ransomware attacks on medical entities impact 56,000 patients in Florida and Texas (56,000)

Hacker Makes Off with $12 Million in Latest DeFi Breach (govinfosecurity.com) (0)

Exabytes Falls Victim To Ransomware Attack: Causes Disruptions To Certain Services – Lowyat.NET (0)

MN: Crystal Valley Computer Systems Infected By Ransomware Attack (databreaches.net) (0)

United Health Centers of San Joaquin Valley remains publicly silent after ransomware attack (databreaches.net) (unknown)

Major European call center provider goes down in ransomware attack – The Record by Recorded Future (0)

Unauthorised access and vulnerabilities

The Recorder – Deerfield offering credit monitoring after data breach potentially exposed residents’ info (8,100)

Personal Data of 2 Million Moroccans Leaked Online (moroccoworldnews.com) (2,000,000)

Hacker steals 40,000 patients’ data from kidney hospital (bangkokpost.com) (40,000)

Rehabilitation Support Services (rehab.org) (0)

Anonymous Hacks Texas GOP Website, Floods it with Memes (dailydot.com) (0)

Hacker Compromises Personal Info Of NEISD Employees (databreaches.net) (5,000)

Northern Light Health reports data breach | WGME (0)

IN: Carmel Clay Schools notifying 15,817 after compromise of employee email accounts (databreaches.net) (15,817)

Council on Aging notifies impacted clients of data security issue (help4seniors.org) (unknown)

SEC fines three companies over hacked employee email accounts – The Record by Recorded Future (4,900)

Guntrader Data Breach Claims | Gun Trader’s Database Hacked & Exposed (celsolicitors.co.uk) (100,000)

Hacker claims to have stolen information of 7 million Israelis – The Jerusalem Post (jpost.com) (7,000,000)

80,000 MyRepublic mobile users’ data exposed by breach (yahoo.com) (79,388)

HBP Financial Services Group notice of breach impacting Pathology Consultants of New London, PC (databreaches.net) (0)

Missouri Delta Medical Center silent about patient data dump and claimed ransomware attack (databreaches.net) (95,000)

UAE: Moorfields Eye Hospital in Dubai sees more staff and patient data dumped (databreaches.net) (1,100)

Walgreens’ Covid-19 test registration system exposed patient data – Vox (0)

SEC fines three companies over hacked employee email accounts – The Record by Recorded Future (2,177)

State-sponsored hacking group targets Port of Houston using Zoho zero-day – The Record by Recorded Future (0)

Credential leak fears raised following security breach at Travis CI | The Daily Swig (portswigger.net) (unknown)

Report: Data Exposure discovered at EventBuilder company (clario.co) (100,000)

TX: Lubbock County confirms private information accessible under new computer system, says situation not a data breach (databreaches.net) (0)

Sandhills Center LME/MCO Provides Notice of Potential Data Theft (prnewswire.com) (0)

Elon Musk’s top-secret ‘full self-driving’ AI car software leaked to hackers – Daily Star (0)

SEC fines three companies over hacked employee email accounts – The Record by Recorded Future (4,388)

Chinese hackers behind July 2021 SolarWinds zero-day attacks – The Record by Recorded Future (0)

Texas Right to Life website exposed job applicants’ resumes | TechCrunch (300)

Hackers leak passwords for 500,000 Fortinet VPN accounts (bleepingcomputer.com) (500,000)

Internal error and malicious insiders

Data breach at Coalinga State Hospital reveals private information on nearly 1,800 patients – California News Times (1,800)

Private information of 2,841 students accidentally released: Sask. privacy commissioner (yahoo.com) (2,841)

Credit unions demand assurances from Central Bank after data leak blunder – Independent.ie (50)

Dallas police data loss nearly triple initial estimate (ksla.com) (15 terabytes)

700,000 French pharmacy Covid test results left publicly available (connexionfrance.com) (700,000)

Student files class action lawsuit against SU over data breach that affected 10,000 – The Daily Orange (10,000)

McDonald’s email blunder broadcasts database creds to comedy competition winners • The Register (0)

Ottawa Hospital apologizes to unvaccinated staff for privacy breach | CBC News (400)

Mankato Clinic notifies patients of health data breach (keyc.com) (535)

Illinois discloses breach involving access control to Illinois Integrated Eligibility System (databreaches.net) (unknown)

Second MOD data breach uncovered putting safety of Afghan interpreters at risk – Mirror Online (55)

Police investigating City of Helsinki data breach involving over 140 victims (helsinkitimes.fi) (144)

Afghanistan: MoD shared more than 250 Afghan interpreters’ details on email – BBC News (250)

Fired NY credit union employee nukes 21GB of data in revenge (bleepingcomputer.com) (21 GB)

Tempe nurse assistant stole patient identities to open bank accounts, lease apartments, police say (databreaches.net) (unknown)

Ashland City Elementary PTO President faces theft, computer crimes charges (tennessean.com) (1)

Other incidents

Resource Anesthesiology Association of California warns patient information was on stolen laptop (databreaches.net) (0)

Southeast Health Center break-in compromises personal information of about 700 people | Multnomah County (multco.us) (700)

Safeway reports theft of COVID-19 vaccine records | Supermarket News (138)
