The Week in Cyber Security and Data Privacy: 1 – 7 January 2024

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Hathway breached, 41.5 million customers’ data compromised

Cyber criminals known as dawnofdevil have claimed responsibility for a data breach at Hathway Cable & Datacom Ltd, one of India’s largest Internet service providers, in December 2023. They accessed 41.5 million customers’ data after gaining entry via a vulnerability in Hathway’s Laravel web application framework. The compromised data allegedly includes names, email addresses and phone numbers.

Data breached: 41,500,000 records.

LockBit claims responsibility for Capital Health security incident

The LockBit ransomware group has claimed responsibility for an attack on Capital Health, a healthcare provider in Pennington, New Jersey, last November. The group has allegedly exfiltrated more than 10 million files. Capital Health operates two hospitals in the New Jersey-Pennsylvania region: Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell.

Data breached: >10 million records.

HealthEC LLC breached, almost 4.5 million individuals affected

HealthEC LLC, a health technology company, has announced that it suffered a data breach in July 2023, in which systems were accessed and files were copied. Information relating to nearly 4.5 million people was compromised, including names, addresses, dates of birth, Social Security numbers, taxpayer identification numbers, medical information, health insurance information, and billing and claims information.

Data breached: 4,452,782 records.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 71,561,990 records known to be compromised, and 260 organisations suffering a newly disclosed incident. 79 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.

We’ve also found 8 organisations providing a significant update on a previously disclosed incident.

| Organisation | Sector | Location | Data breached? | Known records breached |
|---|---|---|---|---|
| Hathway Cable & Datacom Ltd – Source (New) | Telecoms | India | Yes | 41,500,000 |
| Capital Health – Source 1; source 2 (Update) | Healthcare | USA | Yes | >10,000,000 |
| HealthEC – Source 1; source 2 (Update) | Software | USA | Yes | 4,452,782 |
| Cross Switch S.à.r.l. – Source (New) | Software | Luxembourg | Yes | 3,600,000 |
| National Automobile Dealers Association – Source (New) | Retail | USA | Yes | 1,065,000 |
| Consórcio Canopus – Source (New) | Professional services | Brazil | Yes | 1,400,000 |
| The Teaching Company (Wondrium by The Great Courses) – Source (New) | Education | USA | Yes | 1.3 TB |
| Gräbener Maschinentechnik GmbH & Co. KG – Source 1; source 2 (New) | Manufacturing | Germany | Yes | 1.1 TB |
| Halara Cannabis – Source (New) | Manufacturing | USA | Yes | >1,000,000 |
| Proax Technologies Ltd. – Source (New) | Manufacturing | Canada | Yes | 855 GB |
| Thermosash Commercial Limited – Source (New) | Construction | New Zealand | Yes | 776,229 |
| Bradford Health Services – Source (New) | Healthcare | USA | Yes | 626,837 |
| Electrostim Medical Services, Inc. – Source 1; source 2 (New) | Manufacturing | USA | Yes | 542,990 |
| Park Holidays UK – Source (New) | Hospitality | UK | Yes | 515 GB |
| North Kansas City Hospital – Source 1; source 2 (New) | Healthcare | USA | Yes | 502,438 |
| NJ Technologies (MyEstatePoint Property Search) – Source (New) | Software | India | Yes | >497,000 |
| Gunning & LaFazia, Inc. – Source (New) | Legal | USA | Yes | 310,297 |
| Bit24.cash – Source (New) | Crypto | Iran | Yes | 230,000 |
| Leonard’s Express – Source (New) | Transport | USA | Yes | 182 GB |
| Edmonds School District – Source (New) | Education | USA | Yes | 145,844 |
| NALS Apartment Homes – Source (New) | Real estate | USA | Yes | 145 GB |
| GeoLogics Corporation – Source (New) | IT services | USA | Yes | 122.89 GB |
| Grupo SCA – Source (New) | Professional services | Spain | Yes | >100 GB |
| Meridian Behavioral Healthcare, Inc. – Source 1; source 2; source 3; source 4 (Update) | Healthcare | USA | Yes | 98,808 |
| Agro Baggio Máquinas Agrícolas LTDA – Source 1; source 2 (New) | Manufacturing | Brazil | Yes | 70 GB |
| ConsensioHealth, LLC – Source (New) | Healthcare | USA | Yes | 60,871 |
| Network180 – Source 1; source 2; source 3 (New) | Healthcare | USA | Yes | 59,334 |
| UKG Inc. and New York City Health and Hospitals – Source (New) | Software | USA | Yes | 45,966 |
| Southeastern Orthopaedic Specialists – Source 1; source 2 (New) | Healthcare | USA | Yes | 35,533 |
| Diablo Valley Oncology & Hematology Medical Group – Source (New) | Healthcare | USA | Yes | >30 GB |
| Swiss Air Force – Source (New) | Defence | Switzerland | Yes | 30 GB |
| Project M.O.R.E., Inc. – Source (New) | Non-profit | USA | Yes | 26,390 |
| Housing Authority of the County of San Bernardino – Source (New) | Public | USA | Yes | 18,689 |
| Kershaw County School District – Source (New) | Education | USA | Yes | 17.5 GB |
| Fincantieri Marine Group, LLC – Source (New) | Manufacturing | USA | Yes | 16,769 |
| Buckley King LPA – Source (New) | Legal | USA | Yes | 15,282 |
| Quaker Windows & Doors – Source 1; source 2 (Update) | Retail | USA | Yes | 10,988 |
| Senior Scripts – Source 1; source 2 (New) | Healthcare | USA | Yes | 10,566 |
| The Foleck Center – Source 1; source 2 (New) | Healthcare | USA | Yes | 6,965 |
| Healix Infusion Therapy, LLC – Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 6,026 |
| Lone Peak Physical Therapy – Source 1; source 2 (New) | Healthcare | USA | Yes | 5,809 |
| Humana – Source 1; source 2 (New) | Insurance | USA | Yes | 2,844 |
| Barrick Gold Corporation – Source (New) | Mining | Canada | Yes | 2,761 |
| EAFC Maquisistema – Source (New) | Finance | Peru | Yes | 2,746 |
| Woodsville Guaranty Savings Bank – Source (New) | Finance | USA | Yes | 2,483 |
| LACERA and State Street – Source (New) | Public and finance | USA | Yes | 2,400 |
| Tata Consultancy Services and System for Pension Administration Raksha – Source (New) | IT services and defence | India | Yes | “thousands” |
| Molina Healthcare of Ohio, Inc. – Source 1; source 2 (New) | Healthcare | USA | Yes | 1,977 |
| Eyefinity – Source 1; source 2 (New) | Software | USA | Yes | 1,353 |
| Los Angeles County Department of Mental Health – Source 1; source 2 (New) | Public | USA | Yes | 1,284 |
| Elevate ENT Partners – Source (New) | Healthcare | USA | Yes | 1,053 |
| The Middlefield Banking Company – Source 1; source 2 (Update) | Finance | USA | Yes | 1,025 |
| Amerigroup Iowa, Inc. – Source (New) | Healthcare | USA | Yes | 1,023 |
| First Choice Dental – Source 1; source 2 (New) | Healthcare | USA | Yes | 1,000 |
| Qorvo, Inc. – Source 1; source 2 (Update) | Manufacturing | USA | Yes | 735 |
| Osteopathic Healing Hands – Source (New) | Healthcare | USA | Yes | 707 |
| Marathon Coach, Inc. – Source (New) | Manufacturing | USA | Yes | 704 |
| Rally Credit Union – Source 1; source 2 (Update) | Finance | USA | Yes | 677 |
| ACME Architectural Hardware – Source (New) | Professional services | USA | Yes | 288 |
| Salford City Council – Source (New) | Public | UK | Yes | >100 |
| Registro del Patrimonio Cultural Venezolano – Source (New) | Public | Venezuela | Yes | 21 |
| Court Services Victoria – Source (New) | Legal | Australia | Yes | Unknown |
| Midwives of Windsor – Source (New) | Healthcare | Canada | Yes | Unknown |
| Salal Sexual Violence Support Centre – Source (New) | Non-profit | Canada | Yes | Unknown |
| London Public Library – Source 1; source 2; source 3 (Update) | Public | Canada | Yes | Unknown |
| CoinsPaid – Source (New) | Crypto | Estonia | Yes | Unknown |
| IPS Securex Pte Ltd – Source 1; source 2 (New) | Cyber security | Singapore | Yes | Unknown |
| Orbit Chain – Source 1; source 2 (New) | Blockchain | South Korea | Yes | Unknown |
| Lutheran World Federation – Source (New) | Non-profit | Switzerland | Yes | Unknown |
| Standard Laboratories – Source (New) | Environmental | USA | Yes | Unknown |
| RKL LLP – Source 1; source 2 (New) | Finance | USA | Yes | Unknown |
| CompleteCare Health Network – Source (New) | Healthcare | USA | Yes | Unknown |
| Cooper Aerobics – Source (New) | Healthcare | USA | Yes | Unknown |
| Essen Health Care – Source (New) | Healthcare | USA | Yes | Unknown |
| Highland Oncology Group – Source (New) | Healthcare | USA | Yes | Unknown |
| Navvis & Company and SSM Health – Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Hartwell – Source 1; source 2 (New) | Insurance | USA | Yes | Unknown |
| Neste US – Source (New) | Manufacturing | USA | Yes | Unknown |
| The Switch – Source 1; source 2 (New) | Media | USA | Yes | Unknown |
| Gallery Systems, Museum of Fine Arts Boston, Rubin Museum of Art and Crystal Bridges Museum of American Art – Source 1; source 2 (New) | Software and non-profit | USA | Yes | Unknown |
| Gamma – Source 1; source 2 (New) | Crypto | Unknown | Yes | Unknown |
| Radiant Capital – Source (New) | Crypto | Unknown | Yes | Unknown |
| Election Commission (Smart Election Management BD) – Source (New) | Public | Bangladesh | Unknown | Unknown |
| Memorial University of Newfoundland – Source (New) | Education | Canada | Unknown | Unknown |
| Communauté de Communes du Pays Fouesnantais – Source (New) | Public | France | Unknown | Unknown |
| Commune de Saint-Philippe – Source (New) | Public | France | Unknown | Unknown |
| Gobierno de Guatemala – Source (New) | Public | Guatemala | Unknown | Unknown |
| Beirut International Airport – Source (New) | Transport | Lebanon | Unknown | Unknown |
| Ministry of Foreign Affairs – Source (New) | Public | Maldives | Unknown | Unknown |
| Ministry of Tourism Maldives – Source (New) | Public | Maldives | Unknown | Unknown |
| The President’s Office – Source (New) | Public | Maldives | Unknown | Unknown |
| Government of Nepal – Source (New) | Public | Nepal | Unknown | Unknown |
| 120 government and 47 other UAE domains – Source (New) | Public and unknown | UAE | Unknown | Unknown |
| Mandiant – Source 1; source 2; source 3 (New) | Cyber security | USA | Unknown | Unknown |
| loanDepot – Source (New) | Finance | USA | Unknown | Unknown |
| City of Beckley, West Virginia – Source (New) | Public | USA | Unknown | Unknown |
| Orange Spain – Source (New) | Telecoms | Spain | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

FTC accepting submissions for Voice Cloning Challenge

The US Federal Trade Commission has begun accepting submissions for its Voice Cloning Challenge, which aims to develop ideas to mitigate the risk of AI-enabled voice cloning for fraud. The FTC will accept submissions until 12 January.

NIST identifies “adversarial machine learning” threats

New guidance from NIST offers approaches to mitigate AI malfunctions caused by exposure to untrustworthy data. The publication, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2 E2023), is part of NIST’s broader effort to support the development of trustworthy AI.

OpenAI moves European HQ to Dublin

OpenAI is moving its main establishment in Europe to Dublin, listing its Irish office as its data controller for the EEA and Switzerland under the EU GDPR. This means the Irish Data Protection Commission will be OpenAI’s lead supervisor in the EU. The new Europe terms of use will apply from 15 February.


Enforcement

19 people charged after cyber crime investigation into xDedic Marketplace

An investigation into the xDedic Marketplace, a website on the dark web that illegally sold login credentials and personal data to criminals until it was shut down by the US Attorney’s Office in 2019, has resulted in 19 people being charged.

Man charged for alleged business email compromise scheme

Olusegun Samson Adejorin of Nigeria has been charged with wire fraud, aggravated identity theft and unauthorised access to a protected computer in relation to a $7.5 million scheme to defraud two charitable organisations by impersonating employees and accessing their email accounts.

BreachForums admin violates parole requirements by using VPN

Conor Brian Fitzpatrick, aka Pompompurin, the former admin of the now-defunct BreachForums website, which cyber criminals used to exchange stolen data, has violated his parole by using a computer and VPN (virtual private network) without enabling the court-prescribed monitoring software. Fitzpatrick was arrested in March 2023.


Other news

Turkish cyber espionage campaign targets Netherlands

The cyber security company Hunt & Hackett has detected a campaign of cyber attacks targeting victims in the Netherlands and originating in Turkey. The perpetrators, known as Sea Turtle, Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf, are known to target organisations in Europe and the Middle East, especially governmental bodies, telecoms organisations, ISPs, IT service providers, and media and entertainment organisations.

noyb files complaint with Austrian data protection authority against creditors’ association

The privacy rights campaign group noyb has filed a complaint against the creditors’ association KSV1870 for charging data subjects to access their personal data, in contravention of Article 15 of the EU GDPR. KSV’s website urges people to buy an ‘InfoPass’ instead of letting individuals obtain a free copy of their data.

European Central Bank to test banks’ resilience to cyber attacks

The European Central Bank will conduct stress tests on banks in Europe to determine their cyber resilience. 109 banks must undertake vulnerability assessments and evaluate their incident response measures by mid-2024.


Key dates

10 January 2024 – ICO consultation on AI guidance and toolkits closes

An Information Commissioner’s Office consultation on the AI guidance and toolkits available to organisations closes on 10 January. The research, conducted by IFF Research, seeks the views of data protection officers and AI engineers.

17 January 2024 – First batch of DORA regulatory technical requirements due to be submitted

Three European supervisory authorities – the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority) and ESMA (European Securities and Markets Authority) – are currently developing DORA policy products for compliance with the EU Digital Operational Resilience Act. The first batch – a set of four regulatory technical requirements covering Articles 15, 16(3), 18(3), 28(9) and 28(10) – is due to be submitted by 17 January 2024.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.