The Week in Cyber Security and Data Privacy: 20 – 26 November 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

This week, we’re taking a slightly different approach with the ‘publicly disclosed data breaches and cyber attacks’ category, presenting the most interesting data points in a table format. This should make it easier for you to quickly find the information you want.

We’ve also included more details on the top 3 biggest breaches of the week.

The ‘enforcement’ and ‘other news’ categories remain unchanged.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Over 95 million records breached from just one organisation; hundreds of organisations’ Kubernetes Secrets exposed

Researchers from Aqua Nautilus have discovered Kubernetes Secrets – objects that contain small amounts of sensitive data, such as passwords, tokens or keys – relating to hundreds of organisations exposed to the Internet in public GitHub repositories.

Among those affected was SAP SE. The researchers discovered credentials that provided access to 95,592,696 artifacts, as well as download permissions and some deploy operations. They notified SAP SE, which responded “in the most professional and efficient manner”, remediating the issue, launching an investigation and maintaining communications with Aqua Nautilus.

Breached records: 95,592,696.

Over 56 million sensitive records leaked by TmaxSoft

TmaxSoft, an IT company in South Korea, has exposed 2 TB of data to the Internet via a Kibana dashboard for over two years. The data contains more than 56 million records, some of which are duplicates.

Most of the leaked data is company information and emails, but it also includes employee names, phone numbers, employment contract numbers and emails, as well as email attachments, metadata and other sensitive information that could be exploited in supply chain attacks.

The dashboard was first spotted in June 2021.

Breached records: more than 56 million.

9 million records breached through decade-long data leak

A former temporary employee of a subsidiary of NTT West (Nippon Telegraph and Telephone West Corp) illegally accessed about 9 million personal data records over the course of a decade (2013 to 2023).

NTT Business Solutions in Osaka handles the computer system used by NTT call centres. The employee downloaded customer information, including names, addresses and telephone numbers, to a work terminal before transferring it to a USB drive. They then sold it on to list brokers – businesses or individuals that trade in personal information.

At least 59 organisations, which outsourced call centre operations, have been impacted by this breach.

Breached records: about 9 million.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 174,266,938 records known to be compromised, and 100 organisations suffering a newly disclosed incident. 19 of them are known to have had data exfiltrated or exposed. Only 3 definitely haven’t had data breached.

We’ve also found 5 organisations providing a significant update on a previously disclosed incident.

| Organisation name | Sector | Location | Data exfiltrated? | Known records breached |
|---|---|---|---|---|
| SAP SE – Source (New) | Technology | Bulgaria | Unknown | 95,592,696 |
| TmaxSoft – Source (New) | Technology | South Korea | Yes | 56,000,000+ |
| NTT Business Solutions – Source (New) | Telecoms | Japan | Yes | 9,000,000 |
| Welltok – Source (New) | Technology | USA | Yes | 8,493,379 |
| Online platform or service used by Turkish healthcare providers or the Ministry of Health (probably) – Source (New) | Healthcare | Turkey | Yes | 1,900,000 |
| Taj Hotels – Source (New) | Hospitality | India | Yes | 1,500,000 |
| Appscook Technologies – Source (New) | Technology | India | Yes | Almost 1 million |
| INL (Idaho National Laboratory) – Source 1; Source 2 (New) | Research | USA | Yes | 200,000+ |
| CCSD (Clark County School District) – Source (Update) | Education | USA | Yes | 200,000 |
| AutoZone – Source (New) | Retail | USA | Yes | 184,995 |
| HSKSG – Source (New) | Finance | UK | Yes | 168 GB |
| New York City Bar Association – Source (Update) | Legal | USA | Yes | 27,000+ (1.8 TB) |
| 64 organisations with Docker Hub accounts – Source (New) | Unknown | Unknown | Yes | 768 |
| Microsoft – Source (New) | Technology | USA | Unknown | 100+ |
| AFT (Autonomous Flight Technologies) – Source (New) | Manufacturing | Romania | Yes | Unknown |
| GE (General Electric) – Source (New) | Manufacturing | USA | Yes | Unknown |
| Gulf Air – Source (New) | Transport | Bahrain | Yes | Unknown |
| Kansas courts – Source (Update) | Legal | USA | Yes | Unknown |
| The British Library – Source (Update) | Public | UK | Yes | Unknown |
| China Energy Engineering Corporation – Source (New) | Energy | China | Yes | Unknown |
| Vodafone – Source (New) | Telecoms | Spain | Yes | Unknown |
| CTS – Source (New) | IT services | UK | Unknown | Unknown |
| HSE – Source (New) | Utilities | Slovenia | Unknown | Unknown |
| New Relic – Source (New) | Technology | USA | Unknown | Unknown |
| HTX – Source 1; Source 2 (New) | Finance | Singapore | Unknown | Unknown |
| HECO (Huobi Eco) Chain – Source 1; Source 2 (New) | Finance | China | Unknown | Unknown |
| KyberSwap – Source (New) | Finance | Singapore | Unknown | Unknown |
| Two top tier blockchain companies – Source (New) | Finance | USA | Unknown | Unknown |
| Portneuf Medical Center – Source (New) | Healthcare | USA | Unknown | Unknown |
| UT Health East Texas – Source (New) | Healthcare | USA | Unknown | Unknown |
| Pascack Valley Medical Center and Mountainside Medical Center – Source (New) | Healthcare | USA | Unknown | Unknown |
| Hillcrest HealthCare System – Source (New) | Healthcare | USA | Unknown | Unknown |
| Vanderbilt University Medical Center – Source (New) | Healthcare | USA | Unknown | Unknown |
| Municipal Water Authority – Source (New) | Public | USA | Unknown | Unknown |
| FNF (Fidelity National Financial) – Source 1; Source 2 (New) | Insurance | USA | Unknown | Unknown |
| London & Zurich – Source (New) | Finance | UK | Unknown | Unknown |
| SIAAP (service public de l’assainissement francilien) – Source (New) | Public | France | Unknown | Unknown |
| blender.org – Source (New) | Technology | Netherlands | No | 0 |
| Two Bahrain government agency websites – Source (New) | Public | Bahrain | No | 0 |

Note: ‘New’/‘update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.


Enforcement

ICO gives UK’s top websites 30 days to meet cookie requirements

The Information Commissioner has issued a statement threatening enforcement action against the companies running the UK’s most-visited websites unless they meet their legal requirements on cookies within 30 days.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.

In the meantime, if you missed it, check out last week’s round-up. Please do also let us know what you think about our new table format.
