The Week in Cyber Security and Data Privacy: 30 October – 5 November 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks

True Potential leaks clients’ personal data to adviser

Date of breach: October 2023 (exact date unknown)

Breached organisation: True Potential, a wealth management platform

Incident details: True Potential accidentally gave an independent financial adviser, Celtic Financial Planning, access to a spreadsheet that contained True Potential’s customers’ personal information, including their full names, addresses and national insurance numbers.

Records breached: Data relating to 6,336 clients

Toronto Public Library services knocked offline by cyber attack

Date of breach: 28 October

Breached organisation: TPL (Toronto Public Library), Canada’s largest public library system

Incident details: TPL reported that a “cybersecurity incident” on 28 October had rendered several services unavailable, including “tpl.ca, ‘your account’, tpl:map passes and digital collections”. Library branches remain open, Wi-Fi is still available and materials can still be borrowed. However, public computers and printing services are unavailable.

Records breached: According to the library’s 4 November update, there is “no evidence that the personal information of our staff or customers has been compromised”.

US Justice and Defense departments added to list of MOVEit Transfer breach victims

Date of breach: 28 and 29 May 2023

Breached organisation: US Department of Justice and Department of Defense

Incident details: A report by the US OPM (Office of Personnel Management) revealed that the data firm Westat, which the OPM uses to administer employee surveys, used MOVEit Transfer. When MOVEit was hacked by the Russian Cl0p ransomware gang in May, email addresses and links to government employee surveys were compromised. According to Forbes, Defense Department employees affected included “officials from the Air Force, the Army, the Army Corps of Engineers, the Office of the Secretary of Defense and the Joint Staff”.

Records breached: The email addresses of about 632,000 employees

ICMR (Indian Council of Medical Research): 815,000,000 breached records

Date of breach: Data exfiltrated in September 2023, offered for sale on dark web on 9 October, reported in the news from 30 October

Breached organisation: The ICMR (Indian Council of Medical Research)

Incident details: The personal data of 815 million Indian residents, apparently exfiltrated from the ICMR’s Covid-testing database, was offered for sale on the dark web earlier this month. According to the security company Resecurity, which discovered the listing, the data included victims’ name, age, gender, address, passport number and Aadhaar number (a 12-digit government identification number).

Records breached: 815,000,000

Milford Management Corp. reports unauthorised access to confidential consumer information

Date of breach: 25–27 August 2023 (discovered 6 October 2023)

Breached organisation: Milford Management Corporation, a subsidiary of Milstein Properties, a New York real estate investment company

Incident details: On 30 October, Milford Management Corporation filed a data breach notification with the Maine Attorney General, reporting on “an incident that involved unauthorized access to certain of [its] computer systems”.

Records breached: Unknown (including four Maine residents)

SBM reports unauthorised access to confidential consumer information

Date of breach: 28 June 2023

Breached organisation: SBM Management Services, a business services company based in McClellan, California

Incident details: On 27 October, SBM filed a data breach notification with the Montana Attorney General, reporting that it had suffered a network disruption on 28 June. While investigating the incident, it discovered that confidential consumer information had been accessed by an unauthorised third party.

Records breached: Unknown

United Medical Centers reports unauthorised access to patient data

Date of breach: Suspicious activity detected on 26 July 2023, unauthorised access confirmed 2 September, victims notified 27 October, breach notification filed with the Texas Attorney General 30 October

Breached organisation: UMC (United Medical Centers)

Incident details: In July, UMC detected suspicious activity on its network. It secured its systems, notified law enforcement and began investigating the incident. On 2 September, it confirmed that an unauthorised party had accessed or removed some of its files, some of which contained confidential patient information. Compromised information included patients’ names, dates of birth, postal addresses, Social Security numbers, diagnosis and treatment information, and health insurance information.

Records breached: Unknown

Boeing investigates cyber security incident following LockBit claims

Date of breach: Unknown (LockBit listing on 3 November)

Breached organisation: Boeing

Incident details: Boeing is investigating a cyber attack on its parts and distribution business after the LockBit ransomware gang claimed to have exfiltrated data. LockBit has threatened to publish the data if Boeing doesn’t contact it – presumably, to pay a ransom. Boeing is “assessing the claim”.

Records breached: According to LockBit, a “tremendous amount of sensitive data”

Advarra investigating security breach

Date of breach: On or around 25 October

Breached organisation: Advarra

Incident details: According to DataBreaches, threat actors hacked Advarra and exfiltrated 120GB+ of data, having gained access by phishing an executive’s personal email account, placing malware in her OneDrive and bypassing MFA (multifactor authentication) to access her work accounts and files. Advarra says “a limited amount of company data” was “acquired” and its investigation is ongoing.

Records breached: According to the threat actors, 120GB+ of confidential data, belonging to “customers, patients & ALL employees, both former and current”. According to Advarra, “a limited amount of company data”.

British Library suffers “cyber incident”, online systems disrupted

Date of breach: 28 October

Breached organisation: The British Library

Incident details: The British Library has suffered a “cyber incident”, affecting its “website, online systems and services, and some onsite services including Wi-Fi”. Reading rooms remain open. The Library is investigating the incident with the NCSC (National Cyber Security Centre) and “other specialists”. As of the publication of this blog post, the Library’s website remains offline.

Records breached: Unknown

ALPHV/BlackCat publishes data exfiltrated from the Town of Iowa, Louisiana

Date of breach: Unknown

Breached organisation: The Town of Iowa, Louisiana

Incident details: The ALPHV/BlackCat ransomware gang has published approximately 250 documents that it exfiltrated from the Town of Iowa in Louisiana. Most documents date from 2019 and 2020, and contain Social Security numbers, employees’ salaries, birthdates, addresses, phone numbers and other personal data.

Records breached: Unknown (approximately 250 documents released)

Rightway Healthcare breach affects Okta employees

Date of breach: 23 September, disclosed 12 October

Breached organisation: Rightway Healthcare

Incident details: According to Okta’s breach notification letter, cyber criminals hacked Rightway Healthcare, accessing an eligibility census file relating to its provision of services to Okta employees from 2019 to 2020. Compromised data included names, Social Security numbers, and health/medical insurance plan numbers.

Records breached: Nearly 4,961 current and former Okta employees’ data

Pharmacist accesses Alfred Health patients’ data without authorisation

Date of breach: Unknown (investigation launched in June 2023, patients notified 30 November)

Breached organisation: Alfred Health

Incident details: A “curious” former Alfred Health pharmacist accessed more than 7,000 patients’ medical records over a four-year period, without authorisation. Compromised information included patients’ names, dates of birth, addresses, Medicare numbers and medical information.

Records breached: More than 7,000 patients’ data

Jeffco Public Schools hacked by same organisation as Clark County School District

Date of breach: 31 October, breach notice 1 November

Breached organisation: Jeffco Public Schools

Incident details: SingularityMD, the attackers who compromised Clark County School District on 5 October (see last week’s round-up), gained access to the Jeffco Public Schools network using the same method – exploiting the school’s policy of using students’ dates of birth as their passwords. According to the attacker, compromised information included staff information, such as phone numbers and postal addresses, parent and student information, a full backup of the school’s IT project management directory and some financial documents.

Records breached: Information relating to 90,000 students

Virginia’s Fairfax County Public Schools student data compromised

Date of breach: October 2023

Breached organisation: Fairfax County Public Schools, Virginia

Incident details: Callie Oettinger, a parent advocate who had requested access to her own children’s files, was accidentally given thumb drives and computer discs containing sensitive personal data relating to tens of thousands of students.

Records breached: Information relating to about 35,000 students

Another update on cyber attacks at Canadian hospitals

Date of breach: 23 October (see last week’s blog post)

Breached organisation: Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital in Ontario

Incident details: Daixin Team, which exfiltrated data from five Canadian hospitals via a cyber attack on TransForm SSO, has released further stolen files, including sensitive patient information.

Records breached: Numerous files, including hospital employee data, at least 15,000 patients’ data and IT-related information


Enforcement

First ransomware victim fined for HIPAA breach

The US Department of Health and Human Services has fined a Massachusetts-based medical management company $100,000 following an investigation into a 2019 GandCrab ransomware breach that affected 206,695 individuals.

SEC charges SolarWinds and its CISO with fraud

The SEC (Securities and Exchange Commission) has charged the software company SolarWinds and its CISO (chief information security officer), Timothy G. Brown, with fraud and internal control failures relating to its cybersecurity practices. The SEC says that, from the company’s IPO (initial public offering) in October 2018 until December 2020, when it revealed that it had been the victim of a cyber attack, SolarWinds had defrauded investors by overstating its cybersecurity practices and downplaying the risks it faced.


Other news

FIRST publishes new version of CVSS (Common Vulnerability Scoring System)

FIRST has released CVSS v4.0 – the latest version of the standard used worldwide to score the severity of security vulnerabilities.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.

In the meantime, if you missed it, check out last week’s round-up.