The Week in Cyber Security and Data Privacy: 13 – 19 November 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks

Attack on 22 Danish critical infrastructure companies

Date of breach: 11 May 2023

Breached organisation: 22 companies

Incident details: According to a SektorCERT report, a coordinated attack exploited vulnerabilities in the Zyxel firewall products used by Denmark’s critical infrastructure, resulting in 22 companies in the energy sector being compromised.

Records breached: Unknown

Otsego Memorial Hospital suffers security breach, shuts down systems

Date of breach: October (exact date unknown)

Breached organisation: Otsego Memorial Hospital in Gaylord, Michigan

Incident details: Munson Healthcare’s chief marketing and communications officer, Megan Brown, has confirmed that there was a cyber breach at Otsego Memorial Hospital last month. No other Munson facilities in Michigan were known to have been affected. An investigation is underway.

Records breached: Unknown

Hunters International claims responsibility for cyber attack on Homeland, Inc.

Date of breach: 26 October 2023

Breached organisation: Homeland, Inc., a property management company in Kentucky

Incident details: The ransomware group Hunters International has added Homeland, Inc. to its leak site. According to databreaches.net, the group exfiltrated tenant information, service management information, financial data, business data, property data, employee data and sensitive business information. Sample data posted on the Hunters site contains “tenants’ personal information including, depending on the form involved, date of birth, address, annual income, and other details concerning their rent”.

Records breached: 204.1GB of data in 183,793 files

Beaverton School District warns parents of student data breach

Date of breach: October 2023

Breached organisation: Beaverton School District, Oregon

Incident details: One of Oregon’s largest school districts has warned parents that a data breach has affected students’ information. According to OPB, the district didn’t provide details, but said that “our student credentials may have been compromised as part of a security incident”.

Records breached: Unknown

ALPHV/BlackCat attacks MeridianLink then reports it to the SEC

Date of breach: 7 November 2023

Breached organisation: MeridianLink

Incident details: The ALPHV/BlackCat ransomware group has added the software company MeridianLink to its leak site, having exfiltrated data without encrypting company systems. However, in a very unusual move, ALPHV has also reported its victim to the US SEC (Securities and Exchange Commission) for failing to comply with the new SEC cybersecurity disclosure rules – even though the rules in question do not come into force until December. (For more information about the SEC cyber security disclosure rules, register for our free webinar on 30 November.)

Records breached: Unknown

Another victim of the MOVEit breach notifies potentially affected individuals

Date of breach: 30 May 2023

Breached organisation: CMS (the Centers for Medicare & Medicaid Services), the federal agency that manages the Medicare program

Incident details: CMS and its contractor Maximus Federal Services, Inc. have notified 330,000 people that their personal data might have been compromised as part of the MOVEit Transfer data breach.

Records breached: 330,000 individuals

West Central District Health Department, Nebraska investigates data breach

Date of breach: 18 – 23 May 2023

Breached organisation: WCDHD (West Central District Health Department), Nebraska

Incident details: According to a notice which is downloadable from its website, WCDHD recently discovered unusual activity on its network. An investigation found that there was unauthorised access to its network between 18 and 23 May 2023. Compromised personal data included names, Social Security numbers, driver’s licence/state ID numbers or financial account numbers.

Records breached: Unknown

Email error exposes Nebraska patients’ email addresses

Date of breach: 22 September 2023

Breached organisation: Rock Valley Physical Therapy, Nebraska

Incident details: An employee of Rock Valley Physical Therapy emailed an undisclosed number of Rock Valley patients about health insurance, mistakenly adding their email addresses to the Cc rather than Bcc field, thereby making them visible to all recipients.

Records breached: Unknown

Misconfigured NTMC database exposed personal information

Date of breach: November 2023

Breached organisation: The NTMC (National Telecommunication Monitoring Centre), Bangladesh

Incident details: According to Wired, the NTMC, an intelligence agency in Bangladesh that monitors people’s mobile phone and email activity, published personal data on an unsecured database, which has been exfiltrated by anonymous attackers. The database contained names, professions, blood groups, parents’ names, phone numbers, the length of calls, vehicle registrations, passport details and fingerprint photos.

Records breached: Unknown

Systems East, Inc. discloses data breach affecting 209,328 customers’ payment card data

Date of breach: 25 August

Breached organisation: SEI (Systems East, Inc.)

Incident details: SEI, an online payment service provider, has notified customers that its systems have been accessed by an unknown individual who copied an encrypted database. According to its disclosure to the Maine Attorney General, the database contained names and payment card information. It is not known whether the individual can decrypt the database.

Records breached: 209,328 individuals

City of Long Beach announces network security incident

Date of breach: 14 November

Breached organisation: City of Long Beach

Incident details: In a statement published on 15 November, the City of Long Beach said that it had been subject to “a network security incident” that forced it to take its systems offline.

Records breached: Unknown

NoEscape gang threatens PruittHealth Network, launches DDoS attack

Date of breach: 13 November

Breached organisation: PruittHealth

Incident details: The NoEscape ransomware gang attacked PruittHealth on 13 November, exfiltrating 1.5TB of data and threatening to publish it unless a negotiator from PruittHealth makes contact. With three days until the deadline, databreaches.net reports that NoEscape has hit PruittHealth with a DDoS (distributed denial-of-service) attack. PruittHealth has not commented.

Records breached: 1.5TB

Former NHS secretary found guilty of illegally accessing medical records

Date of breach: Between March and June 2019

Breached organisation: Worcestershire Acute Hospitals NHS Trust

Incident details: Loretta Alborghetti, a medical secretary at the Ophthalmology department of Worcestershire Acute Hospitals NHS Trust, illegally accessed 156 patient records over 1,800 times between March and June 2019. The ICO (Information Commissioner’s Office) reports that Ms Alborghetti appeared before Worcester Magistrates’ Court on 15 November 2023, where “she pleaded guilty to unlawfully obtaining personal data in breach of Section 170 of the Data Protection Act 2018 and was ordered to pay a total of £648”.

Records breached: 156 patients’ records

Canadian Government announces third-party data breach affecting users of relocation services

Date of breach: Some time before 19 October 2023

Breached organisation: Brookfield Global Relocation Services and SIRVA Worldwide Relocation & Moving Services

Incident details: The Canadian government has warned current and former public service employees, as well as members of the Royal Canadian Mounted Police and the Canadian Armed Forces, that they might have been affected by a data breach at two contractors who provided relocation support to government employees. It warns that “preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999 and may include any personal and financial information that employees provided to the companies”. Databreaches.net reports that LockBit added SIRVA to its leak site on 6 October, saying it had over 1.5TB of data.

Records breached: 1.5TB of documents

Poloniex identifies hacker and offers $10M reward for stolen funds

Date of breach: 10 November 2023

Breached organisation: Poloniex

Incident details: The Poloniex cryptocurrency exchange was hacked on 10 November, resulting in the loss of $120 million in cryptocurrency. According to cryptoslate.com, it has now identified the person responsible for stealing the funds and is offering a $10 million reward for their return.

Records breached: Cryptocurrency stolen

Samsung UK discloses year-long data breach

Date of breach: 1 June 2019 – 30 June 2020, discovered 13 November 2023

Breached organisation: Samsung

Incident details: The security consultant and creator of haveibeenpwned.com Troy Hunt has shared an email sent to Samsung’s UK customers, disclosing a year-long data breach. According to the email, Samsung determined on 13 November 2023 that “an unauthorised individual exploited a vulnerability in a third-party business operation we use, and that some personal information of certain customers who made purchases on SEUK’s eCommerce site between July 1, 2020 and June 30, 2020, was affected”. Compromised data “may have included” names, phone numbers, addresses and email addresses.

Records breached: Unknown

Booking.com confirms phishing attack

Date of breach:

Breached organisation: Booking.com

Incident details: According to JD Supra, Booking.com confirmed in a “limited statement” on 12 November that it was investigating an incident that has been widely reported in the information security press since 14 September, when Perception Point researchers reported that they’d observed a number of phishing campaigns targeting hotels and travel agencies. These attacks enabled the attackers to access customer data, which they then used in further phishing campaigns, sent via official Booking.com channels. Read more in our Catches of the Month blog.

Records breached: Unknown


Enforcement

Europol and Eurojust take down phishing gang

An international operation between the Czech and Ukrainian police, with the support of Europol and Eurojust, has disrupted a phishing operation thought to have defrauded victims of tens of millions of euros across Europe – and beyond. Read more in our Catches of the Month blog.


Other news

Royal Mail ransomware recovery to cost £10 million

Recovering from the LockBit ransomware attack earlier this year will cost the Royal Mail £10 million.

Rackspace ransomware recovery has cost $11 million so far

Rackspace has told the SEC that recovering from a ransomware attack last December has cost it $11 million in remediation so far – although half of that amount has been covered by insurance.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.

In the meantime, if you missed it, check out last week’s round-up.