The Week in Cyber Security and Data Privacy: 27 November – 3 December 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Unsecured Kid Security app exposes over 300 million records

The popular parental control app Kid Security, which allows parents to monitor and control their children’s online safety, exposed user activity logs to the Internet for over a month via misconfigured Elasticsearch and Logstash instances.

The security researcher Bob Diachenko of SecurityDiscovery first identified the exposed information in mid-September. According to Cybernews, more than 300 million data records were compromised, including 21,000 telephone numbers and 31,000 email addresses. Some payment card data was also exposed.

It also appears that the data was accessed: the Readme bot “partially destroyed” the open instance, injecting a ransom note with a bitcoin wallet address to which a payment should be sent in exchange for the files.

Data breached: over 300 million records.

35 TB of data exfiltrated from Henry Schein, plus ALPHV/BlackCat re-encrypted the newly restored files

As we first reported last month, the US healthcare solutions provider Henry Schein announced on 15 October that it had suffered a cyber attack that caused disruption to its manufacturing and distribution businesses. The company’s description of the incident suggested ransomware.

This was confirmed about a fortnight later, in early November, when the ALPHV/BlackCat ransomware group took responsibility for the attack, claiming to have encrypted Henry Schein’s files and exfiltrated 35 TB of data.

On 13 November, Henry Schein confirmed that a data breach had occurred, and that “Customer and personal information, such as bank account numbers, credit card numbers, and other sensitive information, may have been exposed to third parties”.

One aspect of ALPHV/BlackCat’s operation is particularly eye-catching: apparently impatient about Henry Schein’s slow response, the gang re-encrypted all the files the company had just restored, causing further disruption.

Henry Schein confirmed on 22 November that some of its applications were “currently unavailable”, but that it had identified why: “The threat actor from the previously disclosed cyber incident has claimed responsibility”.

In a 27 November update, Henry Schein said it had restored its US e-commerce platform, with its Canadian and European platforms expected to follow.

Data breached: 35 TB.

WeMystic exposes 13.3 million user records via an unsecured database

WeMystic, an online astrology and spiritual wellbeing website, exposed 34 GB of data to the Internet via an unsecured MongoDB database for at least five days. According to Cybernews, one of the data sets contained 13.3 million records, including names, dates of birth, email addresses and IP addresses, as well as users’ genders and horoscope signs.

Data breached: 13.3 million records.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 362,028,638 records known to be compromised, and 150 organisations suffering a newly disclosed incident. 67 of them are known to have had data exfiltrated or exposed. Only 3 definitely haven’t had data breached.

We’ve also found 9 organisations providing a significant update on a previously disclosed incident.

| Organisation name | Sector | Location | Data exfiltrated? | Known records breached |
|---|---|---|---|---|
| Kid Security [Source] (New) | Technology | Kazakhstan | Yes | 300,000,000+ |
| Henry Schein [Source 1; source 2] (Update) | Healthcare | USA | Yes | 35,000,000 |
| WeMystic [Source] (New) | Technology | Portugal | Unknown | 13,300,000 |
| Northwell Health and Crouse Health [Source] (Update) | Healthcare | USA | Yes | At least 4,000,000 |
| Autobindo Pharma Ltd [Source] (New) | Healthcare | India | Yes | 3.7 TB |
| Zeroed-In Technologies and Dollar Tree [Source 1; source 2] (New) | Technology and retail | USA | Yes | 1,977,486 |
| Ziv Medical Center [Source] (New) | Healthcare | Israel | Yes | 700,000 |
| LY Corporation and Naver Cloud [Source] (New) | Technology | Japan and South Korea | Yes | 440,000 |
| Jacobs Farm del Cabo [Source] (New) | Agriculture | USA | Yes | 405 GB |
| Wakefield & Associates [Source] (New) | Legal | USA | Yes | Over 400 GB |
| Anderson Jones, PLLC [Source] (New) | Legal | USA | Yes | 360 GB |
| Aetna Life Insurance Company [Source] (Update) | Insurance | USA | Yes | 310,019 |
| Tipalti [Source 1; source 2] (New) | Technology | USA | Yes | Over 265 GB |
| Carranza LLP [Source 1; source 2] (New) | Legal | Canada | Yes | 257 GB |
| DePauw University [Source 1; source 2] (New) | Education | USA | Yes | 214 GB |
| Alpura [Source] (New) | Manufacturing | Mexico | Yes | Almost 200 GB |
| Servicio Móvil [Source] (New) | Technology | Spain | Yes | 114 GB |
| Robeson Health Care Corporation [Source 1; source 2] (Update) | Healthcare | USA | Yes | 62,627 |
| Grupo Prides [Source] (New) | Technology | Costa Rica | Yes | 60 GB |
| Bauwerk Group [Source] (New) | Manufacturing | Switzerland | Yes | 40 GB |
| Verdecora [Source] (New) | Manufacturing | Spain | Yes | 37 GB |
| North Texas Municipal Water District [Source] (Update) | Utilities | USA | Yes | 33,844 |
| County of Rock, WI [Source] (New) | Public | USA | Yes | 25,823 |
| Teleflora [Source] (New) | Manufacturing | USA | Yes | 24 GB |
| Bluefield University [Source] (New) | Education | USA | Yes | 23,195 |
| Science History Institute [Source] (New) | Non-profit | USA | Yes | 22 GB |
| Okta [Source 1; source 2] (Update) | Technology | USA | Yes | 18,000 |
| Valrhona Inc. [Source] (New) | Manufacturing | USA | Yes | 6,537 |
| Walborsky Bradley & Fleming, PLLC [Source] (New) | Legal | USA | Yes | 5,227 |
| Broadview Federal Credit Union [Source] (New) | Finance | USA | Yes | 5,074 |
| The City of Waynesboro [Source] (New) | Public | USA | Yes | 4,639 |
| Treeways Holdings LLC [Source] (Update) | Environmental | USA | Yes | 3,908 |
| World Learning, Inc. [Source] (New) | Education | USA | Yes | 3,022 |
| Lakeview Healthcare System, LLC [Source 1; source 2] (New) | Healthcare | USA | Yes | 2,495 |
| The Hershey Company [Source] (New) | Manufacturing | USA | Yes | 2,214 |
| Park Bank [Source] (New) | Finance | USA | Yes | 2,081 |
| The Walker School, Inc. [Source] (New) | Education | USA | Yes | 1,493 |
| Kimber Mfg., Inc. [Source] (New) | Manufacturing | USA | Yes | 1,212 |
| Butte School District [Source] (New) | Education | USA | Yes | 900+ |
| Fenway Community Health Center, Inc. [Source 1; source 2] (New) | Healthcare | USA | Unknown | 598 |
| Comprehensive Auto Resource, Inc. [Source] (New) | Insurance | USA | Yes | 240 |
| Lovelace Health System [Source] (New) | Healthcare | USA | Yes | Unknown |
| DP World Australia [Source] (Update) | Transport | Australia | Yes | Unknown |
| Charmant USA [Source] (New) | Retail | USA | Yes | Unknown |
| King Edward VII’s Hospital [Source] (New) | Healthcare | UK | Yes | Unknown |
| Quantum Radiology [Source] (New) | Healthcare | Australia | Yes | Unknown |
| Israel’s State Archive [Source 1; source 2] (New) | Public | Israel | Yes | Unknown |
| National Aerospace Laboratories [Source] (New) | Public | India | Yes | Unknown |
| Shoval [Source 1; source 2] (New) | Public | Israel | Yes | Unknown |
| SinglePoint Outsourcing, Inc. [Source] (New) | Professional services | USA | Yes | Unknown |
| Thillens [Source] (New) | Finance | USA | Yes | Unknown |
| Elston-Nationwide Carriers [Source] (New) | Transport | USA | Yes | Unknown |
| American Insulated Glass [Source] (New) | Retail | USA | Yes | Unknown |
| MooreCo Inc. [Source] (New) | Manufacturing | USA | Yes | Unknown |
| Sparex Limited [Source] (New) | Retail | UK | Yes | Unknown |
| Retailer Web Services [Source] (New) | Technology | USA | Yes | Unknown |
| Continental Shipping Line (Texas branch) [Source] (New) | Transport | USA | Yes | Unknown |
| BYFOD [Source] (New) | Retail | Netherlands | Yes | Unknown |
| SurvTech Solutions [Source] (New) | Engineering | USA | Yes | Unknown |
| Edge Realty Partners [Source] (New) | Real estate | USA | Yes | Unknown |
| Noble Mountain Tree Farm [Source] (New) | Agriculture | USA | Yes | Unknown |
| Unitransfer Florida [Source] (New) | Telecoms | USA | Yes | Unknown |
| SC Hydraulic Engineering Corporation [Source] (New) | Manufacturing | USA | Yes | Unknown |
| Labtopia, Inc. [Source] (New) | Professional services | USA | Yes | Unknown |
| OLA Consulting Engineers [Source] (New) | Engineering | USA | Yes | Unknown |
| Canderel Group [Source] (New) | Real estate | Canada | Yes | Unknown |
| Great Valley School District [Source 1; source 2] (New) | Education | USA | Yes | Unknown |
| Pacific Cataract and Laser Institute [Source] (New) | Healthcare | USA | Yes | Unknown |
| Covenant Care [Source] (New) | Healthcare | USA | Yes | Unknown |
| HTC Global Services [Source] (New) | Technology | USA | Yes | Unknown |
| Aqipa GmbH [Source] (New) | Retail | Austria | Yes | Unknown |
| ARPEGE MASTER K [Source] (New) | Manufacturing | France | Yes | Unknown |
| Chetu, Inc. [Source] (New) | Technology | USA | Yes | Unknown |
| FUTURA Fundamentsysteme GmbH [Source] (New) | Construction | Germany | Yes | Unknown |
| Ardent Health Services [Source] (New) | Healthcare | USA | Unknown | Unknown |
| University of Kansas Health System-St. Francis [Source] (New) | Healthcare | USA | Unknown | Unknown |
| North Texas Municipal Water District [Source] (New) | Utilities | USA | Unknown | Unknown |
| Staples [Source] (New) | Retail | USA | Unknown | Unknown |
| City of Hendersonville [Source] (New) | Public | USA | Unknown | Unknown |
| Capital Health [Source] (New) | Healthcare | USA | Unknown | Unknown |
| Weald of Kent Grammar School [Source] (New) | Education | UK | Unknown | Unknown |
| Several district heating plants [Source 1; source 2] (New) | Energy | Estonia | Unknown | Unknown |
| Five California courts (Monroe, Lee, Sarasota, Hillsborough and Brevard) and three court record system providers (Catalis, Tyler Technologies, and Henschen & Associates) [Source 1; source 2] (New) | Legal and technology | USA | Unknown | Unknown |
| Japan Space Exploration Agency [Source] (New) | Space | Japan | Unknown | Unknown |
| Ongoing Operations, FedComp, and 60 credit unions including Mountain Valley Federal Credit Union [Source] (New) | Technology and finance | USA | Unknown | Unknown |
| Drum/Binghamstown Group Water Scheme (Mayo County Council) [Source] (New) | Utilities | Ireland | No | 0 |
| Trasporto Locale and Trentino Transport [Source] (New) | Transport | Italy | No | 0 |

Note: ‘New’/‘update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.


Enforcement

Joint operation breaks up international ransomware gang

Five people were arrested in Ukraine on 21 November in connection with a ransomware operation believed to be responsible for attacks in 71 countries. Authorities from Norway, France, the Netherlands, Ukraine, Germany, Switzerland and the United States, as well as Europol and Eurojust, participated in the operation.

Dutch Data Protection Authority takes action against Dutch Employee Insurance Agency

The Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, has reprimanded the Dutch Employment Insurance Agency, the UWV, for using an algorithm to monitor the online behaviour of people receiving unemployment benefits, in contravention of the GDPR (General Data Protection Regulation).


Other news

European Parliament and Council of the European Union reach political agreement on Cyber Resilience Act

The European Commission has welcomed the political agreement reached between the European Parliament and the Council of the European Union on the Cyber Resilience Act, which the Commission proposed in 2022. The Act aims to improve the cyber security of digital products across the EU by introducing mandatory cyber security requirements for all hardware and software.

Council of the European Union adopts Data Act

The Council of the European Union has adopted a new regulation on harmonised rules on fair access to, and use of, data across the EU. The Data Act obliges manufacturers and service providers to let their users access and reuse the data generated by the use of their products and services.

NCSC publishes new guidance on how to ‘lift and shift’

The NCSC (National Cyber Security Centre) has added a new section about how to ‘lift and shift’ to its guidance on using Cloud services securely. ‘Lift and shift’ is the practice of replicating an existing local system in the Cloud.

NCSC publishes secure AI system development guidelines

The NCSC has published a new set of Guidelines for secure AI system development to “help providers to build AI systems that function as intended, are available when needed, and work without revealing sensitive data to unauthorised parties”.

New York Governor proposes cyber security regulations for hospitals

New York Governor Kathy Hochul has proposed new cyber security regulations for all hospitals operating in the state, which are expected to complement the security requirements of HIPAA (the Health Insurance Portability and Accountability Act).

Manufacturing industry identified as top target of cyber extortion

According to a new report by Orange Cyberdefense, 20% of all cyber extortion attacks in 2023 were aimed at the manufacturing industry – a 42% increase over 2022 and 17% more than the second most targeted industry.

NATO expands cyber security coalition

NATO countries welcomed South Korea and Japan to their cyber security exercises in Estonia from 27 November to 1 December. This year’s Cyber Coalition “brought together more than 1,300 cyber defenders from 28 NATO Allies and 7 partner countries, as well as the European Union and participants from industry and academia”.

Queensland passes mandatory data breach laws

Queensland has become the second Australian state, following New South Wales, to oblige public-sector entities to notify affected individuals and the state’s privacy regulator of data breaches that would likely result in serious harm.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up.