The Week in Cyber Security and Data Privacy: 29 January – 4 February 2024

38,846,799 known records breached in 140 publicly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Eye4Fraud database allegedly leaked – 14.9 million lines of unique data being sold

A threat actor claims to be selling 14.9 million lines of data, with unique email addresses, from around 29 million order records from Eye4Fraud, a US company offering fraud protection software. At the time of writing, it’s unclear whether this is related to a 2023 data breach suffered by the company, as discussed by Have I Been Pwned’s Troy Hunt last March.

Data breached: 14,900,000 lines.

13.3 million Gumtree user records allegedly for sale

A user database from the classified advertising platform Gumtree has allegedly been offered for sale on a hacking forum. According to the threat actor, the database contains 13.3 million unique records, with 9.4 million of them originating from South Africa, 2.6 million from Poland, 900,000 from Singapore and 500,000 from Ireland.

Data breached: 13,300,000 records.

Schneider Electric hit by Cactus ransomware

The Sustainability Business division of the energy company Schneider Electric suffered a ransomware attack on 17 January, disrupting the company’s Resource Advisor platform. According to Bleeping Computer, the Cactus ransomware gang stole “terabytes of corporate data”, which it’s threatening to leak if a ransom isn’t paid.

Data breached: “terabytes of corporate data”.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 38,846,799 records known to be compromised, and 140 organisations suffering a newly disclosed incident. 123 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.

We also found 17 organisations providing a significant update on a previously disclosed incident.

| Organisation(s) | Sector | Location | Data breached? | Known records breached |
|---|---|---|---|---|
| Eye4Fraud / Source / (New) | Finance | USA | Yes | 14,900,000 |
| Gumtree / Source / (New) | IT services | South Africa | Yes | 13,300,000 |
| Schneider Electric / Source / (New) | Energy | France | Yes | “terabytes” of data |
| BeatBase ApS / Source / (New) | IT services | Denmark | Yes | 1,648,030 |
| Football Australia / Source 1; source 2 / (New) | Leisure | Australia | Yes | 1,421,804 |
| Indian Bank / Source / (New) | Finance | India | Yes | 990,000 |
| FOOTDISTRICT / Source / (New) | Retail | Spain | Yes | 943,797 |
| MESVision / Source 1; source 2 / (Update) | Healthcare | USA | Yes | 667,567 |
| Ministry of Health (Rio Negro) / Source / (New) | Public | Argentina | Yes | >650,000 |
| CloudFire and 8 other Italian companies / Source 1; source 2 / (Update) | IT services and unknown | Italy | Yes | 400 GB |
| Direct Trading Technologies LTD / Source / (New) | Finance | Saudi Arabia | Yes | >300,000 |
| Chamber of Deputies of Romania / Source 1; source 2 / (New) | Public | Romania | Yes | >250 GB |
| Gaming Underground Network / Source / (New) | Other | Unknown | Yes | 246,412 |
| Abel Santos y Asociados / Source / (New) | Professional services | Argentina | Yes | 224 GB |
| Black Butte Coal / Source / (New) | Mining | USA | Yes | 213 GB |
| Benjamin Plumbing Inc / Source / (New) | Construction | USA | Yes | 188 GB |
| HopSkipDrive / Source / (New) | Software | USA | Yes | 155,394 |
| LUSH / Source 1; source 2; source 3 / (Update) | Retail | UK | Yes | >110 GB |
| North American University / Source / (New) | Education | USA | Yes | 108 GB |
| FEPCO Zona Franca SAS / Source / (New) | Energy | Colombia | Yes | >100 GB |
| Emmanuel College (Boston) / Source / (New) | Education | USA | Yes | 89,064 |
| GEICO / Source 1; source 2 / (Update) | Insurance | USA | Yes | 71,490 |
| Infosys McCamish Systems / Source / (New) | Insurance | USA | Yes | 57,028 |
| Dirox / Source / (New) | Software | France | Yes | 50 GB |
| Veterans Health Administration [1] / Source 1; source 2 / (Update) | Healthcare | USA | Yes | 46,677 |
| Bankers Life / Source / (New) | Insurance | USA | Yes | 45,842 |
| Knight Barry Title Group / Source / (New) | Real estate | USA | Yes | 44,910 |
| Prestige Care, Inc. / Source / (New) | Healthcare | USA | Yes | 38,087 |
| TRISTAR Insurance Group / Source 1; source 2 / (Update) | Insurance | USA | Yes | 35,120 |
| Investor’s Business Daily / Source / (New) | Media | USA | Yes | 35,000 |
| Coastal Hospice & Palliative Care / Source 1; source 2 / (New) | Healthcare | USA | Yes | 29,100 |
| Arvest Bank / Source / (New) | Finance | USA | Yes | 26,388 |
| Washington National Insurance Company / Source / (New) | Insurance | USA | Yes | 20,360 |
| Corbett Exterminating / Source / (New) | Environmental | USA | Yes | 20 GB |
| AnyDesk Software / Source 1; source 2 / (New) | Software | Germany | Yes | 18,317 |
| National Advisors Trust Company / Source / (New) | Finance | USA | Yes | 14,043 |
| Realmforge Studios GmbH / Source / (New) | Software | Germany | Yes | 13 GB |
| Michigan Catholic Conference / Source / (New) | Non-profit | USA | Yes | 12,652 |
| Humana / Source 1; source 2 / (New) | Insurance | USA | Yes | 12,539 |
| eBay / Source / (New) | IT services | USA | Yes | 12,000 |
| TGI Direct, Inc. / Source 1; source 2 / (New) | Professional services | USA | Yes | 11,556 |
| Poder Judicial de Santa Cruz / Source / (New) | Legal | Argentina | Yes | 8,732 |
| J.D. Gilmour / Source / (New) | Insurance | USA | Yes | 6,838 |
| Universidad Nacional de Entre Ríos / Source / (New) | Education | Argentina | Yes | 5,307 |
| National Board of Osteopathic Medical Examiners / Source / (New) | Non-profit | USA | Yes | 4,310 |
| Catholic Diocese of Lansing / Source / (New) | Non-profit | USA | Yes | 4,124 |
| Omaha Firefighters Healthcare Trust / Source 1; source 2 / (New) | Insurance | USA | Yes | 3,567 |
| Sirius Federal / Source 1; source 2 / (Update) | IT services | USA | Yes | 3,266 |
| PrintingCenterUSA / Source / (New) | Retail | USA | Yes | 3,159 |
| Concord Music Group, Inc. / Source / (New) | Leisure | USA | Yes | 3,131 |
| Timex Group / Source / (New) | Manufacturing | USA | Yes | 3,085 |
| GC Services / Source / (New) | Finance | USA | Yes | 2,824 |
| Veterans Health Administration [2] / Source 1; source 2 / (New) | Healthcare | USA | Yes | 2,380 |
| Ministerio de Justicia (Buenos Aires) / Source / (New) | Legal | USA | Yes | >2,000 |
| Artesia General Hospital / Source 1; source 2 / (New) | Healthcare | USA | Yes | 1,985 |
| Rensselaer Polytechnic Institute and Athletic Trainer System / Source / (New) | Education and software | USA | Yes | 1,799 |
| Webber Chiropractic Sports Clinic / Source 1; source 2 / (New) | Healthcare | USA | Yes | 1,695 |
| Catholic Charities of the Archdiocese of Miami, Inc. / Source 1; source 2; source 3 / (Update) | Non-profit | USA | Yes | 1,500 |
| OrthoArkansas, PA Employee Benefit Plan / Source / (New) | Insurance | USA | Yes | 1,270 |
| European Parliament / Source / (New) | Public | Belgium | Yes | 1,000 |
| Regence BlueCross BlueShield of Oregon / Source 1; source 2 / (New) | Insurance | USA | Yes | 856 |
| Kern Regional Center / Source 1; source 2 / (New) | Non-profit | USA | Yes | 700 |
| Coppola Physical Therapy / Source / (New) | Healthcare | USA | Yes | 632 |
| Coastal Plains Community Mental Health Mental Retardation Center / Source 1; source 2 / (New) | Healthcare | USA | Yes | 500 |
| Entellus, Inc. / Source / (New) | Construction | USA | Yes | 491 |
| Fort Worth / Source / (Update) | Public | USA | Yes | 448 |
| Infotech / Source / (New) | Software | USA | Yes | 355 |
| Professional Compounding Centers of America / Source / (New) | Manufacturing | USA | Yes | 316 |
| Mobile phones in Jordan, including of journalists, lawyers and activists / Source / (New) | Media, legal and unknown | Jordan | Yes | >35 |
| Yaunique Tompkins / Source / (New) | Healthcare | USA | Yes | 4 |
| Poder Judicial del Chubut / Source / (New) | Legal | Argentina | Yes | Unknown |
| Policía de Santa Cruz / Source / (New) | Public | Argentina | Yes | Unknown |
| Central Coast Council and other organisations / Source / (New) | Public | Australia | Yes | Unknown |
| Elite Supplements / Source / (New) | Retail | Australia | Yes | Unknown |
| Nubank / Source / (New) | Finance | Brazil | Yes | Unknown |
| Global Affairs Canada / Source / (New) | Public | Canada | Yes | Unknown |
| Egyptian Tax Authority / Source / (New) | Public | Egypt | Yes | Unknown |
| Reykjavik University / Source / (New) | Education | Iceland | Yes | Unknown |
| Baruch Padeh Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Barzilai Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Bnai Zion Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Carmel Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Emek Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Galilee Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Hadassah Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| HaSharon Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Hillel Yaffe Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Ichilov Hospital / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Kaplan Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Meir Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Rabin Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Schneider Children’s Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Shamir Medical Center (Assaf Harofeh) / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Sheba Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Soroka Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Wolfson Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Yoseftal Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| ZIV Medical Center / Source / (New) | Healthcare | Israel | Yes | Unknown |
| Elad Health / Source / (New) | IT services | Israel | Yes | Unknown |
| CasaSpeciale.it / Source / (New) | Real estate | Italy | Yes | Unknown |
| E&T Solutions / Source / (New) | Telecoms | Mexico | Yes | Unknown |
| Norske Boligbyggelag / Source / (New) | Non-profit | Norway | Yes | Unknown |
| Helthjem / Source / (New) | Transport | Norway | Yes | Unknown |
| Derrama Magisterial / Source / (New) | Consumer services | Peru | Yes | Unknown |
| CNPC Peru / Source / (New) | Energy | Peru | Yes | Unknown |
| Passenger Rail Agency of South Africa / Source / (New) | Transport | South Africa | Yes | Unknown |
| AUSA / Source / (New) | Manufacturing | Spain | Yes | Unknown |
| Teo City Council / Source / (New) | Public | Spain | Yes | Unknown |
| The Oxford Academy / Source / (New) | Education | UK | Yes | Unknown |
| UNISON / Source / (New) | Non-profit | UK | Yes | Unknown |
| Class Charts / Source / (New) | Software | UK | Yes | Unknown |
| CMG Drainage Engineering, Inc. / Source / (New) | Construction | USA | Yes | Unknown |
| Curtainwall Design and Consulting, Inc. / Source 1; source 2 / (New) | Construction | USA | Yes | Unknown |
| Daher Contracting Inc. / Source / (New) | Construction | USA | Yes | Unknown |
| Nabholz Construction / Source 1; source 2 / (New) | Construction | USA | Yes | Unknown |
| Chris Larsen (Ripple) / Source / (New) | Crypto | USA | Yes | Unknown |
| William Jewell College / Source 1; source 2 / (New) | Education | USA | Yes | Unknown |
| Encore Bank / Source / (New) | Finance | USA | Yes | Unknown |
| Sigrist, Cheek, Potter & Huyser / Source / (New) | Finance | USA | Yes | Unknown |
| Atlanta Women’s Health Group / Source 1; source 2 / (New) | Healthcare | USA | Yes | Unknown |
| CarePro Health Services / Source 1; source 2 / (New) | Healthcare | USA | Yes | Unknown |
| Saint Anthony Hospital / Source 1; source 2; source 3 / (New) | Healthcare | USA | Yes | Unknown |
| Ortho Development Corporation / Source 1; source 2 / (New) | Manufacturing | USA | Yes | Unknown |
| One America News Network / Source / (New) | Media | USA | Yes | Unknown |
| Commonwealth Sign Company / Source / (New) | Professional services | USA | Yes | Unknown |
| Digitel GSM / Source 1; source 2; source 3 / (New) | Telecoms | Venezuela | Yes | Unknown |
| Abracadabra Money / Source / (New) | Crypto | Unknown | Yes | Unknown |
| INSTAT / Source / (New) | Public | Albania | Unknown | Unknown |
| Salud Total EPS-S / Source / (New) | Healthcare | Colombia | Unknown | Unknown |
| Súperintendencia Nacional de Salud / Source / (New) | Public | Colombia | Unknown | Unknown |
| Instituto de Seguridad Social de la Policía Nacional / Source / (New) | Public | Ecuador | Unknown | Unknown |
| Alcaldía Municipal de La Unión / Source / (New) | Public | El Salvador | Unknown | Unknown |
| aminia / Source / (New) | Telecoms | Malaysia | Unknown | Unknown |
| Connexus / Source / (New) | Real estate | UK | Unknown | Unknown |
| Coordination Headquarters for the Treatment of Prisoners of War / Source / (New) | Public | Ukraine | Unknown | Unknown |
| Freehold Township School District / Source / (New) | Education | USA | Unknown | Unknown |
| Groton Public Schools / Source / (New) | Education | USA | Unknown | Unknown |
| Lurie Children’s / Source 1; source 2 / (New) | Healthcare | USA | Unknown | Unknown |
| City of Germantown / Source / (New) | Public | USA | Unknown | Unknown |
| Fulton County Government / Source / (New) | Public | USA | Unknown | Unknown |
| Beaumont Independent School District and phone provider / Source / (New) | Education and telecoms | USA | Unknown | Unknown |
| dark.fail / Source / (New) | Media | Unknown | Unknown | Unknown |
| Cloudflare / Source / (New) | Cyber security | USA | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

EU representatives unanimously approve AI Act

The Committee of Permanent Representatives, or Coreper, unanimously voted in favour of the EU’s AI Act on 2 February, after the bloc’s three largest economies – France, Germany and Italy – overcame their reservations about the Act’s regulatory regime.

Italian data protection authority notifies OpenAI of GDPR breaches

Following last March’s temporary ban in the country, Italy’s data protection regulator, the Garante per la Protezione dei Dati Personali, has notified ChatGPT’s parent company, OpenAI, that it has identified several breaches of data protection law. OpenAI has 30 days to submit counterclaims about the alleged breaches.

Europcar confirms alleged data breach is false

Europcar has confirmed that a database of nearly 50 million customer records purportedly stolen from the company is fake. “The record number is completely wrong, the sample data is probably generated by ChatGPT (addresses do not exist, ZIP code does not match the US state, first and last names do not match email addresses, email addresses use very unusual tlds), and, most importantly, none of the email addresses are in our database”, the company said.


Enforcement

Uber fined €10 million for GDPR breaches

The Dutch data protection authority, Autoriteit Persoonsgegevens, has fined Uber €10 million for failing to be transparent about its data retention practices and making it difficult for drivers to exercise their data privacy rights.

INTERPOL operation targets global cyber crime

Operation Synergia, an INTERPOL operation involving 60 law enforcement agencies from more than 50 countries, has identified 1,300 malicious command-and-control servers involved in phishing, malware and ransomware attacks. 70% of the servers have been taken down and the remainder are under investigation.

ICO publishes progress update about cookie enforcement

The Information Commissioner’s Office wrote to 53 of the UK’s biggest websites about their cookie practices last November, warning that they’d face enforcement action if they didn’t comply with data protection law. The ICO now reports that 38 of those 53 have updated their cookie banners and 4 have committed to reach compliance. The remainder are working on solutions.


Other news

EDPB launches open-source website auditing tool

The European Data Protection Board has launched an audit tool that can help analyse websites’ compliance with the law. It is available for download here and the source code is available here.

European Commission adopts cyber security certification scheme

The European Commission has adopted the first European cyber security certification scheme, in line with the EU Cybersecurity Act. The voluntary scheme provides a set of rules and procedures on how to certify ICT products.

EU and US enhance cyber security cooperation

The EU and US have issued a joint statement on the importance of cooperating on cyber resilience. The statement sets out the EU and US’s shared objectives for a secure cyberspace.

US GAO publishes ransomware report

The US Government Accountability Office has published a study into federal agencies’ cyber security practices and, in particular, how prepared they are to mitigate the risk of ransomware.


Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
