The Week in Cyber Security and Data Privacy: 16 – 22 October 2023

Welcome to a new series of weekly blog posts rounding up the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks

City of Philadelphia discloses data breach after five months

Date of breach: 24 May 2023 (notice issued 20 October 2023).

Breached organisation: City of Philadelphia, US.

Incident details: An unauthorised party gained access to some employee email accounts and the information within them, including demographic, medical and financial information.

Records breached: Unknown, but sensitive personal data was probably breached.

BHI Energy Announces Data Breach Affecting Confidential Information of 91k Individuals

Date of breach: 29 June 2023 (filed notice with the Attorney General of Maine on 18 October 2023).

Breached organisation: BHI Energy, providing staffing solutions to the nuclear, fossil, wind, hydro and government energy markets.

Incident details: The company found that data on its network had been encrypted without its knowledge. It turned out that an unauthorised party had accessed and downloaded its business records, including files containing personal data.

Records breached: 91,000 individuals affected.

Another small firm suffers a serious ransomware attack: Cadre Services gets mauled by ALPHV

Date of breach: 19 September 2023 (ALPHV uploaded the first part of the data to its leak site on 19 October 2023).

Breached organisation: Cadre Services (formerly Premier Staffing) in Wisconsin, US, providing employment and staffing services for office professionals.

Incident details: Ransomware attack leading to a significant data breach. The firm negotiated with the attackers, ALPHV, but refused to pay more than $35,000 (about £28,600), so ALPHV leaked the data on its site.

Records breached: Almost 4,400 applicant records in the first leak, but ALPHV claims to have acquired 100 GB of files. This includes employee data.

International Criminal Court says cyberattack was attempted espionage

Date of breach: 19 September 2023 (update on 20 October 2023).

Breached organisation: ICC (International Criminal Court), headquartered in the Netherlands.

Incident details: The ICC suffered a cyber attack in September, and has since determined this was a “targeted and sophisticated attack” with the “objective of espionage”. It hasn’t determined whether any data was breached or the root cause of the incident, nor confirmed who was behind the attack.

Records breached: Unknown.

BlackCat threatens to leak data from Morrison Community Hospital

Date of breach: 24 September 2023 (added to dark web leak site 13 October 2023; issued public statement 19 October 2023).

Breached organisation: MCH (Morrison Community Hospital) in Illinois, US.

Incident details: Network security incident in which ALPHV allegedly gained unauthorised access and made demands of the hospital’s leadership, suggesting a ransomware attack.

Records breached: ALPHV claims to hold 5 TB of SQL database content plus other data (presumably including patient data).

D-Link Corporation Provides Details about an Information Disclosure Security Incident

Date of breach: 2 October 2023.

Breached organisation: D-Link Corporation, Taiwanese networking equipment manufacturer.

Incident details: A successful phishing attack gave the attacker access to a server that had reached end of life in 2015. D-Link says the information on it was “of low-sensitivity and semi-public”.

Records breached: Around 700 records.

Hackers Stole Access Tokens from Okta’s Support Unit

Date of breach: 2 October 2023.

Breached organisation: Okta, security software company in California, US.

Incident details: On 2 October 2023 a customer, the security firm BeyondTrust, alerted Okta to a probable breach. Okta did not confirm and contain the intrusion until 17 October, so the attackers had access to Okta’s customer support system for at least two weeks. In that time they viewed HTTP Archive (HAR) files that some customers had uploaded to recent support cases; such files capture browser traffic and can contain the session cookies and tokens of the person who recorded them.

Records breached: Unknown, but a “very, very small subset” of Okta’s more than 18,000 customers.
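The practical lesson from the Okta incident is that a HAR file recorded while logged in carries your live session with it. The script below, added here as an illustration and not Okta’s or BeyondTrust’s tooling, strips the usual session material from a HAR before it is attached to any support case: cookie and authorisation headers, cookie values, token-style query and form parameters, and anything shaped like a JWT in a request or response body. The header and parameter names it looks for, and the small HAR it runs on, are assumptions constructed for the example; extend the lists for your own applications.

```python
"""Sanitise an HTTP Archive (HAR) file before sharing it with a vendor.

Added example (not Okta's or BeyondTrust's code). The HAR structure follows
the HAR 1.2 layout browsers export; SAMPLE_HAR is constructed for this example.
"""
import copy
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed lists: the headers and parameter names that usually carry bearer
# material. Add your own (e.g. custom auth headers) before relying on this.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "code", "session", "sid", "sessiontoken"}
REDACTED = "[REDACTED]"
# Anything shaped like a JWT: three base64url segments, header starting "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


class Redactor:
    """Applies redactions in place and counts how many it made."""

    def __init__(self):
        self.count = 0

    def pairs(self, pairs, names=None):
        """Redact HAR name/value pairs. names=None redacts every pair,
        which is what we want for the 'cookies' arrays."""
        for p in pairs:
            if names is None or p.get("name", "").lower() in names:
                if p.get("value") != REDACTED:
                    p["value"] = REDACTED
                    self.count += 1

    def url(self, url):
        """Redact sensitive query parameters inside the request URL itself."""
        parts = urlsplit(url)
        cleaned, changed = [], False
        for k, v in parse_qsl(parts.query, keep_blank_values=True):
            if k.lower() in SENSITIVE_PARAMS:
                cleaned.append((k, REDACTED))
                changed = True
            else:
                cleaned.append((k, v))
        if changed:
            self.count += 1
        return urlunsplit(parts._replace(query=urlencode(cleaned)))

    def text(self, body):
        """Replace JWT-shaped strings in a postData or content body."""
        if body and isinstance(body.get("text"), str):
            body["text"], n = JWT_RE.subn(REDACTED, body["text"])
            self.count += n


def sanitize_har(har):
    """Return (sanitised deep copy, number of redactions); input is untouched."""
    out = copy.deepcopy(har)
    r = Redactor()
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if "url" in req:
            req["url"] = r.url(req["url"])
        r.pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        for msg in (req, resp):
            r.pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            r.pairs(msg.get("cookies", []))  # every cookie value is a secret
        r.pairs(req.get("postData", {}).get("params", []), SENSITIVE_PARAMS)
        r.text(req.get("postData"))
        r.text(resp.get("content"))
    return out, r.count


# Constructed sample: one logged-in API call, as a browser would record it.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.test/api/v1/users/me?token=abc123",
        "headers": [{"name": "Cookie", "value": "sid=102abc; DT=xyz"},
                    {"name": "Accept", "value": "*/*"}],
        "cookies": [{"name": "sid", "value": "102abc"},
                    {"name": "DT", "value": "xyz"}],
        "queryString": [{"name": "token", "value": "abc123"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=newvalue; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "newvalue"}],
        "content": {"mimeType": "application/json",
                    "text": '{"idToken": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln"}'},
    },
}]}}

if __name__ == "__main__":
    # Usage: python sanitize_har.py capture.har > capture.clean.har
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, n = sanitize_har(src)
    json.dump(clean, sys.stdout, indent=1)
    print(f"\n{n} redactions", file=sys.stderr)
```

Redacting is a mitigation, not a substitute for the controls Okta itself recommends: treat any session whose cookies appeared in a HAR as exposed and revoke it after the case closes, and bind admin sessions to the network or device so a replayed cookie fails regardless of what the support engineer can see.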

Hacker leaks millions of new 23andMe genetic data profiles

Date of breach: 2 October 2023 (update from the threat actor on 17 October 2023).

Breached organisation: 23andMe, consumer genetics and research company headquartered in California, US.

Incident details: Credential stuffing attacks, in which username/password pairs leaked from other breaches are replayed against 23andMe logins. The first leak, on a hacking forum, contained roughly 1 million profiles of users of Ashkenazi Jewish descent; a further 4.1 million profiles of UK and German residents have since been added. The threat actor claims to hold “hundreds of TBs of data”, so further leaks are likely.

Records breached: 5,150,779 (1 million originally, plus an additional 4,150,779 from the hacker’s update).
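Credential stuffing looks different from a brute-force attack in the logs: one source cycles through many distinct accounts with a high failure rate and a small number of successes, rather than hammering a single account. The script below, an added example that is not 23andMe’s detection logic, scores authentication log lines by source IP, flags that profile and lists the accounts that were actually logged into from a flagged source, since those are the ones to force a reset on. The log format, IP addresses and account names are constructed for the example.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example, not 23andMe's telemetry or tooling. The one-line-per-attempt
log format and all addresses/accounts in SAMPLE_LOG are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log: 203.0.113.7 and .8 are stuffing nodes (many accounts,
# mostly failing); 198.51.100.4 is a user mistyping their password;
# 192.0.2.9 is a brute-force attempt on a single account.
SAMPLE_LOG = """\
2023-10-02T03:12:01Z ip=203.0.113.7 user=u1@example.test result=FAIL
2023-10-02T03:12:02Z ip=203.0.113.7 user=u2@example.test result=FAIL
2023-10-02T03:12:02Z ip=203.0.113.7 user=u3@example.test result=FAIL
2023-10-02T03:12:03Z ip=203.0.113.7 user=u4@example.test result=FAIL
2023-10-02T03:12:03Z ip=203.0.113.7 user=bob@example.test result=OK
2023-10-02T03:12:04Z ip=203.0.113.7 user=u5@example.test result=FAIL
2023-10-02T03:12:04Z ip=203.0.113.7 user=u6@example.test result=FAIL
2023-10-02T03:12:05Z ip=203.0.113.7 user=u7@example.test result=FAIL
2023-10-02T03:12:05Z ip=203.0.113.8 user=u8@example.test result=FAIL
2023-10-02T03:12:06Z ip=203.0.113.8 user=u9@example.test result=FAIL
2023-10-02T03:12:06Z ip=203.0.113.8 user=u10@example.test result=FAIL
2023-10-02T03:12:07Z ip=203.0.113.8 user=u11@example.test result=FAIL
2023-10-02T03:12:07Z ip=203.0.113.8 user=u12@example.test result=FAIL
2023-10-02T08:00:00Z ip=198.51.100.4 user=alice@example.test result=FAIL
2023-10-02T08:00:09Z ip=198.51.100.4 user=alice@example.test result=FAIL
2023-10-02T08:00:20Z ip=198.51.100.4 user=alice@example.test result=OK
2023-10-02T09:00:00Z ip=192.0.2.9 user=carol@example.test result=FAIL
2023-10-02T09:00:01Z ip=192.0.2.9 user=carol@example.test result=FAIL
2023-10-02T09:00:02Z ip=192.0.2.9 user=carol@example.test result=FAIL
2023-10-02T09:00:03Z ip=192.0.2.9 user=carol@example.test result=FAIL
2023-10-02T09:00:04Z ip=192.0.2.9 user=carol@example.test result=FAIL
2023-10-02T09:00:05Z ip=192.0.2.9 user=carol@example.test result=FAIL
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    logged_in: set = field(default_factory=set)  # accounts that succeeded

    @property
    def fail_ratio(self):
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line):
    """'<ts> ip=... user=... result=...' -> (ts, ip, user, result)."""
    ts, *rest = line.split()
    kv = dict(tok.split("=", 1) for tok in rest)
    return ts, kv["ip"], kv["user"], kv["result"]


def score_sources(lines):
    """Aggregate attempts per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.logged_in.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(stats, min_users=5, min_fail_ratio=0.8):
    """Stuffing profile: one source, many distinct accounts, mostly failing.
    A single account failing repeatedly (brute force) is deliberately NOT
    flagged here; that needs a per-account rule. Thresholds are assumptions."""
    flagged = [(ip, len(s.users), len(s.logged_in))
               for ip, s in stats.items()
               if len(s.users) >= min_users and s.fail_ratio >= min_fail_ratio]
    return sorted(flagged)


def accounts_to_reset(stats, flagged):
    """Accounts successfully logged into from a flagged source: the attacker
    already holds a valid password for these, so reset them and require MFA."""
    out = set()
    for ip, _, _ in flagged:
        out |= stats[ip].logged_in
    return out


if __name__ == "__main__":
    stats = score_sources(SAMPLE_LOG.splitlines())
    hits = flag_stuffing(stats)
    for ip, n_users, n_ok in hits:
        print(f"{ip}: {n_users} accounts tried, {n_ok} logins succeeded")
    print("reset:", sorted(accounts_to_reset(stats, hits)))
```

Per-IP counting is only the first cut. A real campaign is spread over residential proxies so that no single address trips the threshold; the next step is the same ratio computed globally per minute (distinct accounts failing across all sources) and per client fingerprint, and the durable fix is mandatory MFA so that a leaked password on its own does not log anyone in.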

Personal information accessed in CCSD cybersecurity incident

Date of breach: 5 October 2023.

Breached organisation: CCSD (Clark County School District) in Nevada, US.

Incident details: Unauthorised access to personal information of students, parents and employees.

Records breached: Unknown.

KwikTrip all but says IT outage was caused by a cyberattack

Date of breach: 8 October 2023.

Breached organisation: Kwik Trip, American convenience store chain.

Incident details: Network disruption, likely caused by a cyber attack given that “third-party information security experts” are involved. It is unclear whether personal data has been breached.

Records breached: Unknown.

Casio Issues Apology and Notice Concerning Personal Information Leak

Date of breach: 11 October 2023.

Breached organisation: ClassPad.net, an educational web application operated by Casio Computer Co., Ltd.

Incident details: Unauthorised access to the web application’s server, resulting in a personal data breach. Casio attributes it to a misconfiguration: some network security settings in the development environment had been disabled by an operational error.

Records breached: 126,970 (91,921 customers in Japan, and 35,049 customers in 148 other countries and regions).

American Family Insurance confirms cyberattack is behind IT outages

Date of breach: 14 or 15 October 2023.

Breached organisation: American Family Insurance, headquartered in Wisconsin, US.

Incident details: After detecting unusual activity on its network, which it later confirmed was a cyber attack, the company shut down parts of its IT systems to stop the attack spreading. It has so far found no evidence that customer data processing systems were compromised, but the shutdown disrupted its phone and online services and building connectivity.

Records breached: Unknown.

Operations of Healthcare Solutions Giant Henry Schein Disrupted by Cyberattack

Date of breach: 15 October 2023.

Breached organisation: Henry Schein in New York, US, healthcare solutions provider.

Incident details: A cyber attack (possibly ransomware) that caused the company to take some systems offline and may have resulted in a data breach.

Records breached: Unknown.

Rock County refusing to pay bad actors who launched ransomware attack

Date of breach: 18 October 2023.

Breached organisation: Rock County in Wisconsin, US.

Incident details: Ransomware attack that encrypted files and took systems, including critical ones, offline. The attackers demanded $1.9 million (about £1.55 million), which the county refused to pay.

Records breached: Unknown, but there is currently no reason to assume that “sensitive” personal data of employees was stolen.

Another plastic surgery practice appears to have been hit — this time by Hunters International

Date of breach: 22 October 2023 (but the FBI may have known of the attack by 17 October 2023).

Breached organisation: Dr. Jaime S. Schwartz MD FACS, plastic surgeon with offices in Beverly Hills (California, US) and Dubai (UAE).

Incident details: Hunters International claims to have exfiltrated the practice’s data, part of a wider pattern this year of attackers targeting plastic surgery practices and their patients more aggressively.

Records breached: 248,245 files (1.1 TB of data).


Enforcement

Ragnar Locker ransomware gang taken down by international police swoop

An international law enforcement operation, in an action carried out between 16–20 October 2023 in 11 countries, has taken down the gang behind the Ragnar Locker ransomware.

US seizes sites that funnel money from North Korean IT workers for illicit activities

The US seized 17 website domains allegedly used by North Korean IT workers in a scheme to defraud US and foreign businesses, and fund the North Korean government’s weapons programmes.

France releases Spain’s two biggest hackers

As the investigation into the two Spanish hackers was found to lack credibility following a hearing, both were released. The two, both in their 20s, were arrested last summer and charged with attacking 26 French organisations.