The Week in Cyber Security and Data Privacy: 15 – 21 January 2024

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

More than 70 million email addresses added to Have I Been Pwned

The security researcher Troy Hunt has added more than 70 million email addresses from the Naz.API data set to his Have I Been Pwned data breach notification service. The data set is a collection of 1 billion credentials sourced from stealer logs and hosted on the illicit.services website. According to Hunt, more than a third of the email addresses were new to Have I Been Pwned.

Data breached: 70,840,771 email addresses.

VF Corporation confirms 35.5 million customers’ data stolen

VF Corporation – the parent company of many popular clothing brands, including Vans and The North Face – has confirmed in its Form 8-K/A filing to the US Securities and Exchange Commission (an amendment to its original Form 8-K filing) that its December 2023 cyber attack resulted in the theft of 35.5 million customers’ data.

Data breached: 35,500,000 records.

More than 10 million lines of Pastelería Mozart customer data apparently posted on dark web

The Ynnian hacking group has posted 10,870,525 lines of data on the dark web, apparently originating from Pastelería Mozart, a popular bakery chain in Chile. The leaked information allegedly includes customers’ names, dates of birth, email addresses, passwords and phone numbers.

Data breached: 10,870,524 lines.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 130,036,285 records known to be compromised, and 116 organisations suffering a newly disclosed incident. 96 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.

We’ve also found 9 organisations providing a significant update on a previously disclosed incident.

Organisation(s) | Sector | Location | Data breached? | Known records breached
Naz.API (likely belonging to multiple organisations); Source; (New) | Unknown | Unknown | Yes | 70,840,771
VF Corporation; Source 1; source 2; (Update) | Retail | USA | Yes | 35,500,000
Pastelería Mozart; Source; (New) | Hospitality | Chile | Yes | 10,870,524
Foxsemicon Integrated Technology, Inc.; Source 1; source 2; (New) | Manufacturing | Taiwan | Yes | 5 TB
Korean Association of Social Workers; Source; (New) | Public | South Korea | Yes | 1,350,000
Fred Hutchinson Cancer Center; Source 1; source 2; source 3; (Update) | Healthcare | USA | Yes | 890,959
Target; Source; (New) | Retail | USA | Yes | 800,000
Toyota Tsusho Insurance Broker India; Source; (New) | Insurance | India | Yes | 657,000
Busse & Busse, P.C.; Source; (New) | Legal | USA | Yes | 637,873
Anna Jaques Hospital; Source 1; source 2; source 3; (Update) | Healthcare | USA | Yes | 600 GB
Plaza Radiology, LLC; Source 1; source 2; (New) | Healthcare | USA | Yes | 569,022
GEICO; Source; (New) | Insurance | USA | Yes | 552,900
Tone Academy; Source; (New) | Education | India | Yes | 400,000
CompleteCare Health Network; Source 1; source 2; source 3; (Update) | Healthcare | USA | Yes | 313,973
Academy Mortgage Corporation; Source 1; source 2; (Update) | Finance | USA | Yes | 284,443
buygoods; Source; (New) | Retail | USA | Yes | 257,562
Large payment system in Egypt; Source; (New) | Finance | Egypt | Yes | 212,312
Subway; Source; (New) | Hospitality | USA | Yes | Hundreds of GB
Columbus Regional Healthcare System; Source; (New) | Healthcare | USA | Yes | 132,887
Cooper Aerobics; Source 1; source 2; source 3; (Update) | Healthcare | USA | Yes | 124,341
AUSA; Source; (New) | Manufacturing | Spain | Yes | 93,796
Projects World Co.; Source; (New) | Manufacturing | Saudi Arabia | Yes | 86.16 GB
JSP Pharmaceutical Manufacturing (Thailand) PCL; Source; (New) | Manufacturing | Thailand | Yes | >80 GB
TREZOR; Source; (New) | Crypto | France | Yes | Nearly 66,000
Oak View Group; Source; (New) | Leisure | USA | Yes | 58,935
Innefu Labs Pvt. Ltd.; Source; (New) | Cyber security | India | Yes | 54 GB
Arden Claims Service; Source; (New) | Finance | USA | Yes | 50,032
Ashford Inc.; Source; (New) | Real estate | USA | Yes | 46,906
Hampton-Newport News Community Services Board; Source 1; source 2; source 3; (New) | Healthcare | USA | Yes | 44,312
Air Methods; Source 1; source 2; (New) | Healthcare | USA | Yes | 34,016
GREYHOURS; Source; (New) | Retail | France | Yes | 18,700
Groveport Madison Schools; Source 1; source 2; source 3; (Update) | Education | USA | Yes | 15.5 GB
ELO CPAs & Advisors; Source; (New) | Finance | USA | Yes | 15,167
THE ICONIC, Guzman y Gomez, Dan Murphy’s, BINGE, Event Cinemas and TVSN; Source; (New) | Retail, hospitality, manufacturing, leisure and media | Australia | Yes | >15,000
Community Memorial Healthcare; Source 1; source 2; (New) | Healthcare | USA | Yes | 14,798
InHealth Technologies; Source 1; source 2; (New) | Manufacturing | USA | Yes | 12,143
Foundation Building Materials and Marjam Supply; Source; (New) | Retail | USA | Yes | 7,957
Tameside Council; Source; (New) | Public | UK | Yes | 6,345
Summit Medical Group; Source 1; source 2; (New) | Healthcare | USA | Yes | 5,809
Community Tri-County Healthcare; Source 1; source 2; (New) | Healthcare | USA | Yes | 4,135
Fora Financial; Source; (New) | Finance | USA | Yes | 3,270
International Cooling Tower USA, Inc.; Source 1; source 2; (New) | Manufacturing | USA | Yes | 2,833
Morgan Stanley Health Benefits and Insurance Plan; Source 1; source 2; (New) | Insurance | USA | Yes | 2,442
Keystone First; Source 1; source 2; (New) | Healthcare | USA | Yes | 1,965
Finham Park Multi Academy Trust; Source; (New) | Education | UK | Yes | 1,843
Hamilton Tax and Accounting LLC; Source 1; source 2; (New) | Finance | USA | Yes | 1,543
Northern Inyo Healthcare District; Source 1; source 2; (New) | Healthcare | USA | Yes | 1,305
Dickinson County Health Department; Source; (New) | Public | USA | Yes | 1,063
California Public Employees Retirement System; Source 1; source 2; (New) | Public | USA | Yes | 1,033
Zephyr Ventilation; Source; (New) | Retail | USA | Yes | 514
Main Military Construction Directorate for Special Facilities; Source; (New) | Defence | Russia | Yes | >500
D’Youville Life & Wellness Community; Source 1; source 2; (New) | Healthcare | USA | Yes | 501
Pennsylvania Multi Family Asset Managers; Source; (New) | Real estate | USA | Yes | 278
Farren International LLC; Source; (New) | Transport | USA | Yes | 235
Escuela Superior de Formación Artística Pública de Juliaca; Source; (New) | Education | Peru | Yes | 234
Colegio de Abogados de la Ciudad de Buenos Aires; Source; (New) | Legal | Argentina | Yes | 133
Metropolitan Area Planning Council; Source; (New) | Public | USA | Yes | 2
PC Matthew Gell (Nottinghamshire Police); Source; (New) | Public | UK | Yes | 1
Payoneer; Source; (New) | Finance | Argentina | Yes | Unknown
Fertility North; Source; (New) | Healthcare | Australia | Yes | Unknown
Court Services Victoria; Source 1; source 2; (Update) | Legal | Australia | Yes | Unknown
Clearview Resources Ltd; Source 1; source 2; (Update) | Energy | Canada | Yes | Unknown
Tilbury District Family Health Team; Source; (New) | Healthcare | Canada | Yes | Unknown
JDB Group; Source; (New) | Manufacturing | China | Yes | Unknown
Maisons de l’Avenir; Source; (New) | Construction | France | Yes | Unknown
Vision Plast; Source; (New) | Manufacturing | France | Yes | Unknown
Socket; Source 1; source 2; (New) | Blockchain | India | Yes | Unknown
Cipla; Source; (New) | Manufacturing | India | Yes | Unknown
Vasudha Pharma Chem. Ltd.; Source; (New) | Manufacturing | India | Yes | Unknown
PT Samuel Sekuritas Indonesia; Source; (New) | Finance | Indonesia | Yes | Unknown
Shinwa Foreign Language Academy; Source; (New) | Education | Japan | Yes | Unknown
Aegon; Source; (New) | Finance | Netherlands | Yes | Unknown
Emagister; Source; (New) | Education | Spain | Yes | Unknown
Lanbide; Source; (New) | Public | Spain | Yes | Unknown
Ulsan HD FC; Source; (New) | Leisure | South Korea | Yes | Unknown
Tietoevry; Source; (New) | IT services | Sweden | Yes | Unknown
Hosted-IT Ltd; Source; (New) | IT services | UK | Yes | Unknown
Millgate; Source; (New) | IT services | UK | Yes | Unknown
Liverpool City Region Combined Authority; Source; (New) | Public | UK | Yes | Unknown
Space NK; Source; (New) | Retail | UK | Yes | Unknown
Pratt Institute; Source; (New) | Education | USA | Yes | Unknown
Rocky Mountain University; Source; (New) | Education | USA | Yes | Unknown
Premier Facility Management, Corp; Source; (New) | Environmental | USA | Yes | Unknown
Ameriprise Financial Services, LLC; Source 1; source 2; (New) | Finance | USA | Yes | Unknown
Beasley, Mitchell & Co., LLP; Source; (New) | Finance | USA | Yes | Unknown
Hanmi Bank; Source 1; source 2; (New) | Finance | USA | Yes | Unknown
Wayne Bank; Source 1; source 2; (New) | Finance | USA | Yes | Unknown
McDonald’s; Source 1; source 2; source 3; (New) | Hospitality | USA | Yes | Unknown
CAMICO; Source 1; source 2; (New) | Insurance | USA | Yes | Unknown
First Financial Security; Source 1; source 2; (New) | Insurance | USA | Yes | Unknown
HMSA; Source; (New) | Insurance | USA | Yes | Unknown
F.J. O’Hara & Sons, Inc.; Source; (New) | IT services | USA | Yes | Unknown
Virgin Islands Lottery; Source; (New) | Leisure | USA | Yes | Unknown
Ascendum Machinery; Source; (New) | Manufacturing | USA | Yes | Unknown
Digital Power Corporation; Source; (New) | Manufacturing | USA | Yes | Unknown
Maxxis International; Source; (New) | Manufacturing | USA | Yes | Unknown
Maine Salty Girl; Source; (New) | Retail | USA | Yes | Unknown
Microsoft; Source; (New) | Software | USA | Yes | Unknown
At least 172,000 smart TVs and set-top boxes; Source; (New) | Unknown | Brazil | Unknown | Unknown
Paisii Hilendarski University of Plovdiv; Source; (New) | Education | Bulgaria | Unknown | Unknown
SudaChad Telecom; Source; (New) | Telecoms | Chad | Unknown | Unknown
Indian Air Force; Source; (New) | Defence | India | Unknown | Unknown
BLB Limited; Source; (New) | Finance | India | Unknown | Unknown
Milectria; Source; (New) | Manufacturing | Finland | Unknown | Unknown
Telegram, WhatsApp and Beeline; Source; (New) | IT services and telecoms | Russia | Unknown | Unknown
Swiss government websites; Source 1; source 2; (New) | Public | Switzerland | Unknown | Unknown
Legal & General; Source; (New) | Finance | UK | Unknown | Unknown
EK Services, and Canterbury, Dover and Thanet councils; Source; (New) | IT services and public | UK | Unknown | Unknown
Manta Network; Source; (New) | Blockchain | USA | Unknown | Unknown
Kansas State University; Source; (New) | Education | USA | Unknown | Unknown
UC Irvine; Source; (New) | Education | USA | Unknown | Unknown
Banco Nacional de Angola; Source; (New) | Finance | Angola | No | 0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

ICO launches consultation on generative AI and data protection

The Information Commissioner’s Office has launched a consultation series on the application of data protection law to generative AI models, particularly in relation to the UK GDPR and Part 2 of the DPA 2018. The first chapter covers the lawful basis for training generative AI models on web-scraped data and is open until 1 March.

Microsoft gives all businesses access to AI-powered Office features

When Microsoft launched Copilot for Office 365 in November 2023, it required enterprise customers to have at least 300 users. It has now removed that requirement, opening up Copilot to businesses of all sizes. According to Microsoft, “Microsoft 365 Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills.”

Australian government sets out risk-based system to respond to AI

The Australian government has launched its plan to respond to the rise in AI, using a risk-based system to impose proportionate controls on its use. Under the proposed rules, mandatory safeguards would be applied to high-risk applications of AI and watermarks would be applied to identify AI-generated content.


Enforcement

EDPB publishes GDPR one-stop shop case digest on security of processing and data breach notification

The European Data Protection Board has published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The case digest provides insights into how the data protection authorities have applied the GDPR’s provisions in various scenarios, such as ransomware attacks and the accidental disclosure of data.

CNIL fines Yahoo! €10 million for cookie violation

France’s data protection authority, the CNIL, has fined Yahoo EMEA Ltd €10 million for failing to take account of users’ cookie choices. Yahoo installed about 20 advertising cookies on users’ devices without their consent and failed to allow users of the Yahoo! Mail service to freely withdraw their consent.

BreachForums owner sentenced to at least 15 years in prison

Two weeks ago, we reported that the former admin of the now-defunct BreachForums website, Conor Brian Fitzpatrick, aka Pompompurin, had violated his parole. Fitzpatrick has now been sentenced to time served on 3 counts and supervised release of 20 years with special conditions.


Other news

Ivanti Connect Secure VPN breached with more than 1,700 devices exposed

On 10 January, the cyber security company Volexity published details of attacks exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances. Ivanti published a mitigation the same day and announced that it was developing a patch. Volexity now reports that it has identified more than 1,700 compromised Ivanti Connect Secure VPN devices worldwide.

Two-fifths of employees sacked over email security breaches

Nearly half of workers who were responsible for email security breaches in the past year were sacked, according to research from the cyber security company Egress. The organisation also found that 94% of organisations have experienced a serious email security incident in the past 12 months.

EDPB identifies areas of improvement relating to data protection officer role

The EDPB has adopted a report on the findings of its second coordinated enforcement action, which focuses on the designation and position of DPOs. The report encourages the data protection authorities to carry out more awareness-raising activities and enforcement actions, as well as encouraging organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments in their field.

European Commission completes review of adequacy decisions

The European Commission has reviewed 11 adequacy decisions that allow EU residents’ personal data to be transferred to third countries. Its report concludes that personal data transferred from the EU to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay is afforded adequate protection under the EU GDPR.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
