The Week in Cyber Security and Data Privacy: 11 – 17 December 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

We’re also introducing two new categories this week: ‘AI’ and ‘Key dates’.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Mr. Cooper reveals 14,690,284 people affected in October breach

The largest mortgage provider in the US, Nationstar Mortgage LLC, operating under the name Mr. Cooper, says its investigation into an October cyber attack has uncovered evidence of customer data being compromised.

According to its breach notification, Mr. Cooper detected suspicious activity on its network on 31 October. An investigation determined that personal data, including names, addresses, phone numbers, Social Security numbers, dates of birth and bank account numbers, belonging to nearly 15 million people was obtained by an unauthorised party between 30 October and 1 November.

Data breached: personal data belonging to 14,690,284 individuals.

8 TB of data exfiltrated from Advantage Group International

Following an outage affecting its leak site (see the ‘Enforcement’ section below), the ALPHV/BlackCat ransomware group is listing only a single incident: a data breach affecting the business management consultant Advantage Group International. ALPHV claims to have 8 TB of data, including data sets from Coca-Cola, Procter & Gamble, and Pepsi.

Data breached: 8 TB.

Delta Dental of California suffers breach affecting 6,928,932 people due to MOVEit vulnerability

Delta Dental of California, which provides dental benefits to people, was a user of Progress Software’s popular file transfer software application MOVEit Transfer. When the Russian Cl0p gang exploited a zero-day SQL injection vulnerability in MOVEit Transfer in May 2023, Delta Dental was one of hundreds of organisations whose data was compromised.

According to Delta Dental’s breach notification, affected personal data included addresses, Social Security numbers, driver’s license numbers or other state identification numbers, passport numbers, financial account information, tax identification numbers, individual health insurance policy numbers and health information. The data belonged to nearly 7 million individuals.

Data breached: personal data belonging to 6,928,932 individuals.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 49,172,276 records known to be compromised, and 239 organisations suffering a newly disclosed incident. 144 of them are known to have had data exfiltrated or exposed. Only 4 definitely haven’t had data breached.

We’ve also found 13 organisations providing a significant update on a previously disclosed incident.

Organisation nameSectorLocationData exfiltrated?Known records breached
Nationstar Mortgage LLC (Mr. Cooper)
Source 1; source 2
(Update)
FinanceUSAYes14,690,284
Advantage Group International
Source
(New)
Professional servicesCanadaYes8 TB
Delta Dental of California
Source
(New)
HealthcareUSAYes6,928,932
KFC China
Source
(New)
HospitalityChinaYes3,780,000
Instituto Universitario de Tecnología de Administración Industrial
Source
(New)
EducationVenezuelaYes1,760,785
Azienda USL di Modena
Source 1; source 2
(New)
HealthcareItalyYes1,202,175
Independent Recovery Resources, Inc.
Source
(New)
FinanceUSAYes1.1 TB
Greenbox Loans, Inc.
Source
(New)
FinanceUSAYes1 TB
GokuMarket (ByteX)
Source
(New)
CryptoCanadaUnknown>1,000,000
DonorView
Source 1; source 2
(New)
SoftwareUSAUnknown948,029
CTS, Talbots Law and Fenwick Elliott LLP
Source 1; source 2
(Update)
IT services and legalUKYes945 GB
Shorts Chartered Accountants
Source
(New)
FinanceUKYes597.67 GB
Alexander Dennis
Source
(New)
ManufacturingUKYes507 GB
CMS Spain
Source 1; source 2
(New)
LegalSpainYes>500 GB
West Virginia University Health System
Source
(New)
HealthcareUSAYes495,331
Dameron Hospital
Source 1; source 2
(Update)
HealthcareUSAYes>480 GB
World Emblem
Source
(New)
ManufacturingUSAYes417.12 GB
Coca-Cola Singapore
Source
(New)
ManufacturingSingaporeYes413.92 GB
City of Defiance
Source
(New)
PublicUSAYes>390 GB
Dafiti Argentina
Source
(New)
RetailArgentinaYes321.63 GB
Goa Natural Gas Pvt.Ltd.
Source
(New)
EnergyIndiaYes280,000
National Student Clearinghouse
Source 1; source 2
(Update)
Non-profitUSAYes271,496
PCTEL
Source
(New)
TelecomsUSAYes267.45 GB
Greater Buffalo United Accountable Healthcare Network
Source
(New)
HealthcareUSAYes235.66 GB
Dubai Taxi Company
Source
(New)
TransportUAEUnknown>219,952
Rodo Limited
Source
(New)
RetailUKYes201 GB
Altezze
Source
(New)
ManufacturingMexicoYes200 GB
AGL Welding Supply Co., Inc.
Source
(New)
ManufacturingUSAYes171.54 GB
Gaido & Fintzen
Source
(New)
LegalUSAYes170 GB
TGLT
Source
(New)
ConstructionArgentinaYes158.78 GB
Harrisburg Medical Center
Source
(New)
HealthcareUSAYes 147,826
InstantResume
Source
(New)
SoftwareUSAYes>142,000
Decina
Source
(New)
ManufacturingAustraliaYes108.98 GB
Asper Biogene
Source
(New)
ManufacturingEstoniaYes100,000
St. Kitts and Nevis Customs and Excise Department
Source
(New)
PublicSaint Kitts and NevisYes<100 GB
Regional Family Medicine
Source
(New)
HealthcareUSAYes80,166
Greater Cincinnati Behavioral Health Services
Source
(New)
HealthcareUSAYes72.4 GB
SmartWAVE Technologies
Source
(New)
TelecomsUSAYes65 GB
Cooper Research Technology
Source
(New)
EngineeringUKYes64.72 GB
Heart of Texas Behavioral Health Network
Source 1; source 2
(New)
HealthcareUSAYes63,776
Grupo Televisa
Source
(New)
TelecomsMexicoYes>60,000
The Teaching Company (Wondrium by The Great Courses)
Source
(New)
EducationUSAYes60 GB
Lunacon Construction Group, Corp.
Source
(New)
ConstructionUSAYes50.93 GB
Crace Medical Centre
Source
(New)
HealthcareAustraliaYes30 GB
Kitahiroshima Fukushikai Social Welfare Council
Source
(New)
PublicJapanYes30 GB
Warrior Met Coal
Source
(New)
EnergyUSAYes19,794
Coos Health & Wellness
Source
(New)
HealthcareUSAYes14,040
MSD Information Technology
Source
(New)
IT servicesAustraliaYes47 GB
Goiasa
Source
(New)
EnergyBrazilYes47 GB
PTSolutions and Berkshire eSupply
Source 1; source 2
(New)
ManufacturingUSAYes33,570
Nexiga GmbH
Source
(New)
Professional servicesGermanyYes30 GB
Seven Seas Group
Source
(New)
TransportUAEYes26.52 GB
Total Club Apps
Source
(New)
SoftwareColumbiaYes21,000
Grayhill
Source
(New)
ManufacturingUSAYes19.71 GB
Novolog Group
Source 1; source 2
(Update)
HealthcareIsraelYes15 GB
Studio MF
Source
(New)
Professional servicesItalyYes10 GB
Plug Power
Source
(New)
ManufacturingUSAYes8,323
AMCP Payments Intermediate Company LLC (Talus Pay)
Source
(New)
FinanceUSAYes7,292
CareTree
Source 1; source 2
(Update)
SoftwareUSAYes5,474
Jacmar Companies, LLC
Source
(New)
HospitalityUSAYes4,863
LEEDARSON IoT Technology Inc.
Source
(New)
ManufacturingChinaYes3.53 GB
NATO
Source
(New)
DefenceBelgiumYes3,242
Stadt Baden
Source
(New)
PublicSwitzerlandYes3.15 GB
Aeronautical Radio of Thailand
Source
(New)
TransportThailandYes3,021
Florida Water Products
Source 1; source 2
(Update)
RetailUSAYes2,946
Atlas Technical Consultants, Inc.
Source
(New)
EnvironmentalUSAYes2,148
Alcaldía Mayor de Tunja
Source
(New)
PublicColumbiaYes2 GB
National Electric Coil
Source 1; source 2; source 3
(New)
ManufacturingUSAYes1,750
Wianno Club
Source
(New)
HospitalityUSAYes1,731
Iscar Metals
Source
(New)
ManufacturingUSAYes1,359
Butler Bros.
Source
(New)
RetailUSAYes1,268
Lipsey Communications, LLC (Paycom Payroll, LLC)
Source 1; source 2
(New)
TelecomsUSAYes1,202
Yorkshire Wellness Group, Corp.
Source 1; source 2
(New)
HealthcareUSAYes1,000
Ayuntamiento de Villamayor
Source
(New)
PublicSpainYes1,000
Pinnacle Bank Texas
Source
(New)
FinanceUSAYes809
Tool-Flo
Source
(New)
ManufacturingUSAYes660
American Meteorological Society
Source
(New)
Non-profitUSAYes557
City of Hope
Source
(New)
HealthcareUSAYes501
Lucifer Lighting Company
Source 1; source 2
(New)
ManufacturingUSAYes331
R. David Wheeler, CPA P.C.
Source
(New)
FinanceUSAYes325
Precision Cutting Tools
Source
(New)
ManufacturingUSAYes256
Marjorie E. Wolasky P.A.
Source
(New)
LegalUSAYes124
KV Federal Credit Union
Source
(New)
FinanceUSAYes97
Ortu Gable Hall School
Source
(New)
EducationUKUnknown69
Buffalo City Metropolitan Municipality
Source
(New)
PublicSouth AfricaYes>57
ISC Consulting Engineers
Source
(New)
EngineeringDenmarkYesUnknown
BioMatrix Specialty Pharmacy
Source
(New)
HealthcareUSAYesUnknown
Kohl Wholesale
Source
(New)
RetailUSAYesUnknown
DSG US
Source
(New)
SoftwareUSAYesUnknown
Share & Haris LLC
Source
(New)
FinanceUSAYesUnknown
Woodruff Enterprises
Source
(New)
TransportUSAYesUnknown
Airtech Equipment Pte Ltd
Source
(New)
ManufacturingSingaporeYesUnknown
Ahmedabad University
Source
(New)
EducationIndiaYesUnknown
Tradewinds International Insurance Brokers
Source
(New)
InsuranceMalaysiaYesUnknown
Hebeler LLC
Source
(New)
ManufacturingUSAYesUnknown
Spaulding Clinical
Source
(New)
HealthcareUSAYesUnknown
Rieser Aufzugbau GmbH
Source
(New)
ConstructionGermanyYesUnknown
Philips Global
Source
(New)
ManufacturingUSAYesUnknown
Bemes, Inc.
Source
(New)
ManufacturingUSAYesUnknown
Pagano & Company
Source
(New)
FinanceUSAYesUnknown
Spirit Leatherworks
Source
(New)
RetailUSAYesUnknown
Commonwealth Capital Pte Ltd
Source
(New)
FinanceSingaporeYesUnknown
Chaney, Couch, Callaway, Carter & Associates Family Dentistry
Source
(New)
HealthcareUSAYesUnknown
Grand Rapids Women’s Health
Source
(New)
HealthcareUSAYesUnknown
Pronat Industries
Source
(New)
ManufacturingIsraelYesUnknown
Austen Consultants
Source
(New)
IT servicesUSAYesUnknown
Catholic Charities of the Archdiocese of Miami, Inc.
Source
(New)
CharityUSAYesUnknown
E. & J. Gallo Winery
Source
(New)
ManufacturingUSAYesUnknown
Mortgage Contracting Services, LLC
Source
(New)
FinanceUSAYesUnknown
King Aerospace
Source
(New)
ManufacturingUSAYesUnknown
Insomniac Games (Sony)
Source 1; source 2
(New)
SoftwareUSAYesUnknown
CHI St. Alexius Health
Source
(New)
HealthcareUSAYesUnknown
GlobalSpec
Source
(New)
EngineeringUSAYesUnknown
Bayonne Board of Education
Source
(New)
EducationUSAYesUnknown
Grupo José Alves
Source
(New)
ManufacturingBrazilYesUnknown
ATCO Products
Source
(New)
ManufacturingUSAYesUnknown
Keenan & Associates
Source 1; source 2
(New)
InsuranceUSAYesUnknown
Petrotec Qatar
Source
(New)
EnergyQatarYesUnknown
Memorial Sloan Kettering Cancer Center
Source
(New)
HealthcareUSAYesUnknown
Restek Corporation
Source 1; source 2
(New)
ManufacturingUSAYesUnknown
CVC Holding Corp
Source 1; source 2
(New)
ConstructionUSAYesUnknown
Zai Lab
Source
(New)
ManufacturingChinaYesUnknown
IGT Testing Systems
Source
(New)
ManufacturingNetherlandsYesUnknown
William Jackson Food Group
Source
(New)
ManufacturingUKYesUnknown
Tulane University
Source
(New)
EducationUSAYesUnknown
Carolina Beverage Group, LLC
Source
(New)
ManufacturingUSAYesUnknown
Goldwind
Source
(New)
ManufacturingChinaYesUnknown
Converze Media Group
Source
(New)
Professional servicesUSAYesUnknown
Hyman Hayes Associates
Source
(New)
ConstructionUSAYesUnknown
CACG
Source
(New)
EnvironmentalFranceYesUnknown
MongoDB
Source
(New)
SoftwareUSAYesUnknown
SenateSHJ and its third-party IT provider
Source
(New)
Professional services and IT servicesNew Zealand and unknownYesUnknown
New York School of Interior Design
Source
(New)
EducationUSAYesUnknown
Insidesource
Source
(New)
RetailUSAYesUnknown
TaxPlus
Source 1; source 2
(New)
FinanceUSAYesUnknown
AGY
Source
(New)
ManufacturingUSAYesUnknown
TRISTAR Insurance Group
Source 1; source 2
(New)
InsuranceUSAYesUnknown
The Greenbrier Sporting Club
Source
(New)
LeisureUSAYesUnknown
Mitrani, Caballero & Ruiz Moreno
Source
(New)
LegalArgentinaYesUnknown
Reus Mobilitat i Serveis (Amersam)
Source
(New)
TransportSpainYesUnknown
Dillard Door & Security Inc.
Source
(New)
ManufacturingUSAYesUnknown
SBK Real Estate
Source
(New)
Real estateUAEYesUnknown
Tim Davies Landscaping
Source
(New)
Professional servicesAustraliaYesUnknown
Soethoudt Metaalbewerking
Source
(New)
ManufacturingNetherlandsYesUnknown
VAC-U-MAX
Source
(New)
ManufacturingUSAYesUnknown
Hawkins Sales
Source
(New)
ManufacturingUSAYesUnknown
Groupe PROMOBE
Source
(New)
Real estateLuxemburgYesUnknown
VF Corporation
Source
(New)
RetailUSAYesUnknown
Petersen Health Care
Source
(New)
HealthcareUSAYesUnknown
Tri-City Medical Center
Source 1; source 2
(Update)
HealthcareUSAYesUnknown
Zap Group and Semicom
Source 1; source 2
(Update)
IT services and retailIsraelYesUnknown
Bayer Heritage Federal Credit Union
Source 1; source 2
(Update)
FinanceUSAYesUnknown
Battle.net (Blizzard Entertainment)
Source
(New)
SoftwareUSAUnknownUnknown
Newfound Area School District
Source
(New)
EducationUSAUnknownUnknown
Dubai Airports and Abu Dhabi Airports
Source 1; source 2
(New)
TransportUAEUnknownUnknown
President of the Republic of Bulgaria, Council of Ministers of the Republic of Bulgaria, and National Customs Agency
Source
(New)
PublicBulgariaUnknownUnknown
DSK Bank, Bulgarian National Bank, ProCredit Bank Bulgaria, and First Investment Bank
Source
(New)
FinanceBulgariaUnknownUnknown
ONE FOR ISRAEL
Source
(New)
ReligiousIsraelUnknownUnknown
The Official Portal of the UAE Government
Source
(New)
PublicIsraelUnknownUnknown
Zara
Source
(New)
RetailSpainUnknownUnknown
Israel Defense Forces
Source
(New)
DefenceIsraelUnknownUnknown
About two dozen US critical infrastructure organisations, as well as several non-US entities
Source 1; source 2
(New)
Includes utilities, transport and energyUSA and unknownUnknownUnknown
Bezirk March
Source
(New)
PublicSwitzerlandUnknownUnknown
London Public Library
Source 1; source 2
(New)
PublicCanadaUnknownUnknown
Federal Tax Service of Russia
Source
(New)
PublicRussiaUnknownUnknown
Ledger
Source 1; source 2
(New)
CryptoFranceUnknownUnknown
Kraft Heinz
Source 1; source 2
(New)
ManufacturingUSAUnknownUnknown
Västtrafik, Norrtåg, Port of Oskarshamn and Port of Helsingborg
Source 1; source 2
(New)
TransportSwedenUnknownUnknown
Avanza Bank and Länsförsäkringar Bank
Source
(New)
FinanceSwedenUnknownUnknown
Indian Department of Justice; High Court of Punjab and Haryana, Chandigarh; Department of Police, Uttar Pradesh; Office of the Controller General of Patents, Designs & Trade Marks; and Employees’ State Insurance Corporation
Source
(New)
Public, legal and insuranceIndiaUnknownUnknown
Abu Ali Express
Source
(New)
MediaIsraelUnknownUnknown
Emirates News Agency (WAM)
Source 1; source 2
(New)
MediaUAEUnknownUnknown
UAE Pass
Source
(New)
SoftwareUAEUnknownUnknown
UAE Ministry of Climate Change and Environment
Source
(New)
PublicUAEUnknownUnknown
Discord
Source
(New)
SoftwareUSAUnknownUnknown
Rocket League (Psyonix)
Source
(New)
SoftwareUSAUnknownUnknown
Raiffeisenbank CZ, Sberbank CZ, Buřinka and Trinity Bank
Source
(New)
FinanceCzech RepublicUnknownUnknown
Bundesverfassungs-gericht, Bundesgerichtshof, Bundeswehr and Bundespolizei
Source
(New)
Legal, defence and publicGermanyUnknownUnknown
Ruter AS
Source
(New)
TransportNorwayUnknownUnknown
Swift card
Source
(New)
FinanceUKUnknownUnknown
European Bank for Reconstruction and Development
Source
(New)
FinanceUKUnknownUnknown
European Economic and Social Committee
Source
(New)
FinanceBelgiumUnknownUnknown
The Belgian Monarchy, premier.be, Chamber of Representatives and City of Brussels
Source
(New)
PublicBelgiumUnknownUnknown
Brussels Intercommunal Transport Company
Source
(New)
TransportBelgiumUnknownUnknown
Ukrinmash
Source
(New)
DefenceUkraineUnknownUnknown
Prosecutor General of Ukraine and Security Service of Ukraine
Source 1; source 2
(New)
Legal and publicUkraineUnknownUnknown
Ukraine Energy Support Fund and Zhytomyroblenergo
Source
(New)
EnergyUkraineUnknownUnknown
Zaporizhstal and Velta
Source
(New)
ManufacturingUkraineUnknownUnknown
The National Securities and Stock Market Commission of Ukraine, Akordbank and UnexBank
Source
(New)
FinanceUkraineUnknownUnknown
Severn Valley Medical Practice
Source
(New)
HealthcareUKNoUnknown
Kyivstar
Source 1; source 2
(New)
TelecomsUkraineNo0
UAE set-top box provider
Source
(New)
ManufacturingUAENo0
Central Bank of Lesotho
Source 1; source 2
(New)
FinanceLesothoNo0
Newsquest
Source
(New)
MediaUKNo0

Note: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.


AI

Panel discussion on AI and privacy in healthcare

At a recent panel discussion hosted by Georgetown University and the World Bank, experts discussed the opportunities and challenges of using AI in healthcare. One of the major issues the panel focused on was the use of patient data to teach AI models.

Japan and ASEAN to cooperate on cyber security and AI

Following a summit to mark the 50th anniversary of relations between Japan and the Association of Southeast Asian Nations, the two sides will work together on cyber security and managing AI. A draft implementation plan will set out steps towards three goals: interpersonal exchanges; co-creation of the economy and society; and peace and stability.

EU to invest over €760 million in Digital Europe Programme (DIGITAL)

The European Commission has adopted the amendment of the Digital Europe work programmes for 2024, assigning €762.7 million in funding for digital solutions. The amended main work programme will focus on projects that use digital technologies such as data, Cloud and advanced digital skills. New actions will support the implementation of the AI Act and the development of a European AI ecosystem.


Enforcement

ALPHV/BlackCat ransomware site outage

The ALPHV/BlackCat ransomware-as-a-service group, which has often featured in the news in recent years for its numerous high-profile attacks, has suffered online disruption to its leak site and payment infrastructure.

The cyber intelligence company RedSense claimed that ALPHV’s site was “taken down by law enforcement”, although Infosecurity Magazine reports that the group has blamed the outage on “unspecified ‘hosting’ issues”. Whatever the cause, the site is missing its database of previous data breaches and currently lists only one: Advantage Group International (see above).

Russian ransomware banker arrested in Paris

French authorities have arrested a 40-year-old Russian national suspected of laundering money for the Hive ransomware-as-a-service group, which was dismantled in January. Police seized more than €570,000 worth of cryptocurrency as part of their search of his home in Cyprus.

Man sentenced to two years in prison for damaging former employer’s network

A former Cloud engineer for a San Francisco bank has been sentenced to 24 months in prison for accessing the bank’s network after he was sacked and causing over $220,000 worth of damage. Miklos Daniel Brody “deleted the bank’s code repositories, ran a malicious script to delete logs, left taunts within the bank’s code for former colleagues, and impersonated other bank employees by opening sessions in their names” as well as emailing himself proprietary code.


Other news

UK cultural institutions advised on reducing cyber risks

The NCSC (National Cyber Security Centre) and the DCMS (Department for Culture, Media & Sport) held talks with representatives of the UK’s cultural sector about protecting institutions’ digital collections from ransomware and other cyber attacks.

CISA issues update on school cyber security challenges

The US Department of Education and CISA (US Cybersecurity and Infrastructure Agency) have published a brief about how to meet the cyber security challenges facing the K-12 sector (education from kindergarten to 12th grade). K-12 Digital Infrastructure Brief: Defensible and Resilient urges school vendors and suppliers to implement secure-by-design principles that make robust security settings the default.

China publishes draft data security response plan

China’s Ministry of Industry and Information Technology has published a draft plan setting out how local governments and organisations should respond to cyber security incidents. According to Reuters, the plan proposes a four-tier classification system based on an attack’s impact on “national security, a company’s online and information network, or the running of the economy”.


Key dates

15 December 2023 – SEC cyber security rules, Forms 10-K and 20-F

Deadline for all registrants, including smaller reporting companies, to start providing cyber security risk management, strategy and governance disclosures in Forms 10-K and 20-F.

18 December 2023 – SEC cyber security rules, Forms 8-K and 6-K

Deadline for registrants that aren’t smaller reporting companies to start disclosing material cyber security incidents in Forms 8-K and 6-K.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back in the new year with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.