The Week in Cyber Security and Data Privacy: 4 – 10 December 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

More than 59 million patients’ medical and personal data exposed via DICOM servers

Security weaknesses in DICOM (Digital Imaging and Communications in Medicine), the international standard for medical imaging for more than 30 years, have exposed more than 59 million patients’ personal and medical records.

Researchers from the German cyber security company Aplite found 3,806 DICOM servers in 111 countries reachable from the Internet. Fewer than 1% of the Internet-exposed DICOM servers use effective authorisation, so anyone who can reach the port can open an association and query or pull studies.

Data breached: more than 59 million data records.
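The weakness above is easy to check for on your own estate. The following is an added example, not code from this round-up or from Aplite: it hand-builds a DICOM A-ASSOCIATE-RQ for the Verification SOP Class (a C-ECHO, the DICOM equivalent of a ping) with only the Python standard library, sends it from an arbitrary calling AE title, and classifies the first PDU the server returns. The host, port, AE titles and implementation class UID are assumptions to replace with your own values, and the two sample responses are constructed rather than captured from any real server. An A-ASSOCIATE-AC from an unknown calling AE means nothing at the association layer would have stopped a C-FIND or C-GET that followed; an A-ASSOCIATE-RJ with source 1, reason 3 (calling AE title not recognised) shows AE-title allow-listing, which is better than nothing but is not authentication, since AE titles are guessable. Effective authorisation in DICOM means a secure transport profile (TLS with client certificates) or an authenticating proxy in front of the server. Only probe servers you are authorised to test.

```python
"""Check whether a DICOM server accepts an association from an arbitrary
Application Entity (AE) without any access control.

Added example; not from the original article or from Aplite. Builds the
A-ASSOCIATE-RQ PDU by hand (DICOM PS3.8 section 9.3) so it needs only the
standard library. Host, port, AE titles and IMPL_CLASS_UID are assumptions.
"""
import socket
import struct

VERIFICATION_SOP_CLASS = b"1.2.840.10008.1.1"      # C-ECHO, the DICOM "ping"
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"              # default transfer syntax
APPLICATION_CONTEXT = b"1.2.840.10008.3.1.1.1"     # DICOM application context
IMPL_CLASS_UID = b"1.2.826.0.1.3680043.9.9999.1"   # assumed; not a registered UID


def _item(item_type: int, payload: bytes) -> bytes:
    """Generic DICOM variable item: type, reserved byte, 2-byte big-endian length."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title: str) -> bytes:
    """AE titles are 1-16 ASCII characters, space padded to 16 bytes."""
    t = title.encode("ascii")
    if not 0 < len(t) <= 16:
        raise ValueError("AE title must be 1-16 ASCII characters")
    return t.ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str) -> bytes:
    """A-ASSOCIATE-RQ proposing only the Verification SOP Class (C-ECHO)."""
    pres_ctx = (struct.pack(">BBBB", 1, 0, 0, 0)         # context ID 1 + 3 reserved
                + _item(0x30, VERIFICATION_SOP_CLASS)    # abstract syntax sub-item
                + _item(0x40, IMPLICIT_VR_LE))           # transfer syntax sub-item
    user_info = (_item(0x51, struct.pack(">I", 16384))   # max PDU length we accept
                 + _item(0x52, IMPL_CLASS_UID))          # implementation class UID
    body = (struct.pack(">HH", 1, 0)                     # protocol version 1, reserved
            + _ae(called_ae) + _ae(calling_ae) + bytes(32)
            + _item(0x10, APPLICATION_CONTEXT)
            + _item(0x20, pres_ctx)
            + _item(0x50, user_info))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def classify_response(pdu: bytes) -> str:
    """Turn the first PDU the server sends back into a verdict.

    0x02 A-ASSOCIATE-AC: association open; no access control stopped us.
    0x03 A-ASSOCIATE-RJ: rejected; result/source/reason are bytes 7, 8, 9.
    0x07 A-ABORT: the server tore the connection down.
    """
    if len(pdu) < 6:
        return "no-response"
    pdu_type = pdu[0]
    if pdu_type == 0x02:
        return "accepted"
    if pdu_type == 0x03 and len(pdu) >= 10:
        result, source, reason = pdu[7], pdu[8], pdu[9]
        return f"rejected(result={result},source={source},reason={reason})"
    if pdu_type == 0x07:
        return "aborted"
    return f"unexpected-pdu(0x{pdu_type:02x})"


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "UNKNOWN-AE", timeout: float = 5.0) -> str:
    """Connect, send the RQ, read one PDU and classify it. Host, port and
    AE titles are assumptions; run only against servers you may test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae, calling_ae))
        head = s.recv(6)
        if len(head) < 6:
            return "no-response"
        length = struct.unpack(">I", head[2:6])[0]
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                break
            body += chunk
        verdict = classify_response(head + body)
        if verdict == "accepted":
            # A-RELEASE-RQ: close the association cleanly rather than just dropping TCP.
            s.sendall(struct.pack(">BBIHH", 0x05, 0, 4, 0, 0))
        return verdict


# Constructed sample responses for offline use (not captured from any real server).
# RJ: result 1 (permanent), source 1 (UL service-user), reason 3 (calling AE not recognised).
SAMPLE_RJ = bytes([0x03, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x01, 0x03])
_ac_body = (struct.pack(">HH", 1, 0) + _ae("ANY-SCP") + _ae("UNKNOWN-AE") + bytes(32)
            + _item(0x10, APPLICATION_CONTEXT))
SAMPLE_AC = struct.pack(">BBI", 0x02, 0, len(_ac_body)) + _ac_body

if __name__ == "__main__":
    print("constructed AC ->", classify_response(SAMPLE_AC))
    print("constructed RJ ->", classify_response(SAMPLE_RJ))
    # Against a real server you are allowed to test (assumed address):
    # print(probe("pacs.example.internal", 11112, called_ae="PACS"))
```

Run it against every DICOM listener in your inventory with a calling AE title that is not on any allow-list; any "accepted" verdict is a server that will talk to strangers and belongs behind TLS or a VPN, not on a routable address.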

Akumin Inc. suffers second ransomware attack in months

Having been struck by a ransomware attack in October by the BlackSuit group, which led to operations and appointments being postponed, Akumin Inc. has suffered a second attack, this time by the BianLian ransomware group.

BianLian claims to have exfiltrated 5 TB of data, comprising millions of sensitive documents. Compromised information includes patients’ personal data, health and medical records, financial data, internal emails and software source code.

Data breached: 5 TB.

BianLian group claims to have hacked AMCO Proteins

The BianLian ransomware group has added AMCO Proteins to its list of victims, claiming to have exfiltrated 4 TB of data, including personal data; accounting, budget and financial data; employee data; operational and business files; email and message archives; and more.

Data breached: 4 TB.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 83,463,951 records known to be compromised, and 210 organisations suffering a newly disclosed incident. 138 of them are known to have had data exfiltrated or exposed. Only 3 definitely haven’t had data breached.

We’ve also found 6 organisations providing a significant update on a previously disclosed incident.

Organisation name | Source | Status | Sector | Location | Data exfiltrated? | Known records breached
Up to 3,806 organisations with DICOM (Digital Imaging and Communications in Medicine) servers | Source | New | Healthcare | Unknown | Unknown | >59 million
Akumin | Source | New | Healthcare | USA | Yes | 5 TB
AMCO Proteins | Source | New | Manufacturing | USA | Yes | 4 TB
Norton Healthcare | Source | New | Healthcare | USA | Yes | 2.5 million
LivaNova | Source 1; source 2 | New | Manufacturing | UK | Yes | 2.2 TB
Concertus Design and Property Consultants Limited | Source 1; source 2 | New | Professional services | UK | Yes | 1.9 TB
Accu Reference Medical Lab | Source | New | Healthcare | USA | Yes | >1.2 TB
Acero Engineering, Inc. | Source | New | Manufacturing | Canada | Yes | 1.2 TB
At least two South Korean defence companies and three other South Korean companies | Source | New | Defence and unknown | South Korea | Yes | 1.2 TB
Elixir RX Solutions, OrthoNebraska and OSF HealthCare System | Source | New | Healthcare | USA | Yes | 931,316
SML Group Ltd | Source | New | Engineering | UK | Yes | 830 GB
Travian Games | Source | New | Technology | Germany | Yes | 560 GB (790,567 files)
CMS Communications | Source | New | Telecoms | USA | Yes | >500 GB
UF Resources | Source | New | Finance | USA | Yes | 500 GB
Denave | Source | New | Professional services | India | Yes | 300 GB
Clatskanie PUD | Source | New | Utilities | USA | Yes | >200 GB
Great Lakes Technologies | Source | New | Manufacturing | USA | Yes | 200 GB
Americold Logistics, LLC. | Source | New | Transport | USA | Yes | 129,611
Tcman | Source | New | Manufacturing | Spain | Yes | 108 GB (179 files)
Compass Group Italia | Source | New | Hospitality | Italy | Yes | 107 GB
Pan-American Life Insurance Group, Inc. | Source | New | Insurance | USA | Yes | 105,387
Carter’s / Oshkosh Israel | Source | New | Retail | Israel | Yes | >100,000
SodaStream | Source | New | Manufacturing | Israel | Yes | >100,000
Amsellem & Weitz | Source | New | Legal | Israel | Yes | 100 GB
Stanley Steemer International, Inc. | Source | Update | Professional services | USA | Yes | 67,921
Worldwide Australian Labradoodle Association | Source | New | Non-profit | USA | Unknown | >56,000
Tryax Realty Management, Inc. | Source | New | Real estate | USA | Yes | >50 GB
HMW Special Utility District | Source 1; source 2 | New | Utilities | USA | Yes | >50 GB
University Hospital Southampton | Source | New | Healthcare | UK | Unknown | 42,000
Florida Community Care | Source | New | Insurance | USA | Yes | 30,891
Red Roof Inn | Source | New | Hospitality | USA | Yes | 27,327
Addenbrooke’s Hospital – The Rosie Hospital | Source 1; source 2 | New | Healthcare | UK | Unknown | 22,073
Sweetwater Union High School District | Source | Update | Education | USA | Yes | >22,000
Independent Living Systems, LLC | Source | New | Healthcare | USA | Yes | 19,419
Hi-School Pharmacy | Source | New | Healthcare | USA | Yes | 17,676
Financial Risk Mitigation, Inc. | Source | New | Professional services | USA | Yes | 10,799
Blue Waters Products Limited | Source | New | Manufacturing | Trinidad and Tobago | Yes | >10 GB
Getrix | Source | New | Technology | Italy | Yes | 10 GB
Nida Corporation | Source | New | Manufacturing | USA | Yes | 10 GB
Kirkwood Bank & Trust | Source | New | Finance | USA | Yes | 8,719
Baird Insurance Services, Inc. and Robert W. Baird & Co. Incorporated | Source | Update | Insurance | USA | Yes | 7,361
Advantis Global, Inc. | Source | New | Professional services | USA | Yes | 5,666
United Home Loans, Inc. | Source | New | Finance | USA | Yes | 5,324
STI Holdings, Inc. | Source | New | Manufacturing | USA | Yes | 4,294
Pinnacle Bank (Nebraska) | Source | New | Finance | USA | Yes | 2,726
Fedway Associates, Inc. | Source | New | Retail | USA | Yes | 2,469
Three GreatStar Industrial Co. Ltd. subsidiaries: Arrow Fastener Co., LLC, Prime-Line Products and Shop-Vac USA, LLC | Source | New | Manufacturing | USA | Yes | Thousands of administrative documents, budgets, sales invoices, salary information, company secrets; dozens of NDAs; over 100 distributor agreements; and some passports
Bell Flavors & Fragrances | Source | New | Manufacturing | USA | Yes | 1,768
Simoniz USA, Inc. | Source | New | Manufacturing | USA | Yes | 1,570
Spectris, Inc. | Source | New | Manufacturing | USA | Yes | 1,237
Leggett & Platt Incorporated Employee Benefit Fund | Source | New | Healthcare | USA | Yes | 1,200
Central Bank (Storm Lake, IA) | Source | New | Finance | USA | Yes | 792
Senior Flexonics Pathway | Source | New | Manufacturing | USA | Yes | 611
Aiphone Corporation | Source | New | Manufacturing | USA | Yes | 553
Washington National Insurance Company | Source | New | Insurance | USA | Unknown | 424
Addenbrooke’s Hospital – cancer patients on clinical trials | Source 1; source 2 | New | Healthcare | UK | Unknown | 373
AvidXchange, Inc. | Source | New | Technology | USA | Yes | 204
Ho Chi Minh City Energy Company | Source | New | Energy | Vietnam | Yes | 84
Austal USA | Source 1; source 2 | New | Manufacturing | USA | Yes | 43
Income Tax Department of India | Source | New | Public | India | Yes | 1
Gloucestershire County Council | Source | New | Public | UK | Unknown | 1
Daiho Industrial Co., Ltd. | Source | New | Manufacturing | Japan | Yes | Unknown
Midland Industries | Source | New | Retail | USA | Yes | Unknown
Rosen’s Diversified, Inc. | Source | New | Agriculture | USA | Yes | Unknown
Precision Technologies Group – Holroyd | Source | New | Engineering | UK | Yes | Unknown
A.G. Consulting Engineering, PC | Source | New | Engineering | USA | Yes | Unknown
Planbox | Source | New | Technology | Canada | Yes | Unknown
GVM, Inc | Source | New | Manufacturing | USA | Yes | Unknown
Bowden Barlow Law, P.A. | Source | New | Legal | USA | Yes | Unknown
University of Wollongong | Source | New | Education | Australia | Yes | Unknown
Midgaard | Source | New | Retail | Sweden | Yes | Unknown
RESERVED Israel | Source | New | Retail | Israel | Yes | Unknown
Back2School Project | Source | New | Non-profit | Israel | Yes | Unknown
Israel’s Ministry of Health | Source | New | Public | Israel | Yes | Unknown
SEACRET Australia | Source | New | Retail | Australia | Yes | Unknown
Camel Grinding Wheels | Source | New | Manufacturing | Israel | Yes | Unknown
Taylor University | Source | New | Education | USA | Yes | Unknown
Gunster | Source | New | Legal | USA | Yes | Unknown
Jersey College | Source | New | Education | USA | Yes | Unknown
CBIZ KA and Prime Healthcare – specifically, Saint Michael’s Medical Center, Roxborough Memorial Hospital, Garden City Hospital, Landmark Medical Center, Lower Bucks Hospital, Saint Clare’s Hospital, Lake Huron Medical Center, St. Mary’s General Hospital and Suburban Community Hospital | Source 1; source 2 | New | Professional services and healthcare | USA | Yes | Unknown
Department for Child Protection, South Australia | Source | New | Non-profit | Australia | Yes | Unknown
ALDO Shoes franchise partner | Source 1; source 2 | New | Retail | Canada | Yes | Unknown
La Prensa | Source | New | Media | Nicaragua | Yes | Unknown
Visán | Source | New | Manufacturing | Spain | Yes | Unknown
Campbell County School District | Source | New | Education | USA | Yes | Unknown
Deutsche Energie-Agentur GmbH | Source | New | Energy | Germany | Yes | Unknown
Flexible Packaging Solutions | Source | New | Manufacturing | Netherlands | Yes | Unknown
Aqualectra Utility | Source | New | Utilities | Curaçao | Yes | Unknown
Sagent | Source | New | Technology | USA | Yes | Unknown
FPZ | Source | New | Manufacturing | Italy | Yes | Unknown
LABELIANS | Source | New | Retail | France | Yes | Unknown
Polyclinique du Cotentin | Source | New | Healthcare | France | Yes | Unknown
TraCS Florida | Source | New | Technology | USA | Yes | Unknown
Restar Holdings Corporation | Source | New | Manufacturing | Japan | Yes | Unknown
Greater Richmond Transit Company | Source 1; source 2 | New | Transport | USA | Yes | Unknown
Omega Interventional Pain Clinic | Source | New | Healthcare | USA | Yes | Unknown
Kuriyama of America, Inc. | Source | New | Manufacturing | USA | Yes | Unknown
Payne Hicks Beach LLP | Source | New | Legal | UK | Yes | Unknown
Vitro Plus | Source | New | Agriculture | Netherlands | Yes | Unknown
Becker Furniture | Source | New | Manufacturing | USA | Yes | Unknown
Capespan | Source | New | Transport | South Africa | Yes | Unknown
Burton Wire & Cable | Source | New | Manufacturing | USA | Yes | Unknown
Graphic Solutions Group | Source | New | Professional services | USA | Yes | Unknown
GreenWaste | Source | New | Environmental | USA | Yes | Unknown
Silvent North America | Source | New | Manufacturing | USA | Yes | Unknown
California Innovations | Source | New | Manufacturing | Canada | Yes | Unknown
Phibro LLC | Source | New | Energy | USA | Yes | Unknown
AJO | Source | New | Finance | USA | Yes | Unknown
Ridge Vineyards | Source | New | Manufacturing | USA | Yes | Unknown
PLS Logistics Services | Source | New | Transport | USA | Yes | Unknown
Intrepid Museum | Source | New | Non-profit | USA | Yes | Unknown
SMRT Architects & Engineers | Source | New | Manufacturing | USA | Yes | Unknown
Golfzon | Source | New | Retail | South Korea | Yes | Unknown
Postworks | Source | New | Media | USA | Yes | Unknown
Yan Chai Hospital Law Chan Chor Si College | Source | New | Education | Hong Kong | Yes | Unknown
Université de Sherbrooke | Source | New | Education | Canada | Yes | Unknown
HopTo | Source | New | Transport | USA | Yes | Unknown
Bridgers & Paxton | Source | New | Manufacturing | USA | Yes | Unknown
SigniFlow | Source | New | Technology | UK | Yes | Unknown
Citizens Bank of West Virginia | Source | New | Finance | USA | Yes | Unknown
Direct Radiology | Source | New | Healthcare | USA | Yes | Unknown
Policía Nacional del Perú | Source | New | Public | Peru | Yes | Unknown
Qatar Racing and Equestrian Club | Source | New | Leisure | Qatar | Yes | Unknown
Osem, H&O Israel and Hagarin | Source 1; source 2 | Update | Manufacturing and retail | Israel | Yes | Unknown
Rheinmetall AG | Source | New | Manufacturing | Germany | Unknown | Unknown
Verkehrsverbund Großraum Nürnberg | Source | New | Transport | Germany | Unknown | Unknown
annalena-baerbock.de | Source | New | Public | Germany | Unknown | Unknown
Bayerische Landesbank | Source | New | Finance | Germany | Unknown | Unknown
Münchner Verkehrsgesellschaft | Source | New | Transport | Germany | Unknown | Unknown
Berlin.de | Source | New | Public | Germany | Unknown | Unknown
Bundeswehr | Source | New | Defence | Germany | Unknown | Unknown
Nissan, Nissan Financial Services, Mitsubishi Motors Financial Services, Renault Financial Services, Skyline Car Finance, RAM Truck Finance, and LDV Financial Services | Source 1; source 2 | New | Manufacturing and finance | Australia and New Zealand | Unknown | Unknown
Government, aerospace technology, higher education, finance, manufacturing and technology sector targets in Europe and North America | Source | New | Public, manufacturing, education, finance and technology | Europe and North America | Unknown | Unknown
Hugging Face, Meta, Google, Microsoft and VMWare | Source | New | Technology | USA | Unknown | Unknown
US Department of Health and Human Services | Source | New | Public | USA | Unknown | Unknown
Hinsdale School District | Source | New | Education | USA | Unknown | Unknown
Fred Hutch Cancer Center | Source | New | Healthcare | USA | Unknown | Unknown
National Police of Ukraine | Source | New | Public | Ukraine | Unknown | Unknown
London City Airport | Source 1; source 2 | New | Transport | UK | Unknown | Unknown
Finnish National Cyber Security Centre | Source | New | Security | Finland | Unknown | Unknown
Saimaan Saaristo- ja Veneilypalvelut Oy | Source | New | Cruise agency | Finland | Unknown | Unknown
Finnish Transport Infrastructure Agency | Source | New | Public | Finland | Unknown | Unknown
Traficom | Source | New | Public | Finland | Unknown | Unknown
Government of Yucatán | Source 1; source 2 | New | Public | Mexico | Unknown | Unknown
DEPA Commercial S.A. | Source | New | Energy | Greece | Unknown | Unknown
Coral Gas | Source | New | Energy | Greece | Unknown | Unknown
Elin | Source | New | Energy | Greece | Unknown | Unknown
Warsaw Metro, Strona główna, Raiffeisen Bank, Plus Bank, Bank Pekao, Narodowy Bank Polski, KGHM Polska Miedź, Polskie Radio 24, ePUAP, Senate of the Republic of Poland, Marshal Office of the Lubelskie Voivodeship and Supreme Court of Poland | Source 1; source 2; source 3 | New | Transport, finance, mining, media, technology, public and legal | Poland | Unknown | Unknown
Senate of the Czech Republic, Ministry of the Interior of the Czech Republic, Financial Administration of the Czech Republic, Police of the Czech Republic, Prague public transport company, Prague Airport, Prague Stock Exchange, CzechTrade and MONETA Money Bank | Source 1; source 2 | New | Public, transport and finance | Czech Republic | Unknown | Unknown
Sky Arabia News and The Economist | Source | New | Media | UAE and UK | Unknown | Unknown
ELTA Hellenic Post SA | Source | New | Transport | Greece | Unknown | Unknown
East Cambridgeshire District Council, Leicestershire County Council, Liverpool City Council and West Yorkshire Metro | Source | New | Public and transport | UK | Unknown | Unknown
BERMAD | Source | New | Manufacturing | Israel | Unknown | Unknown
Zhytomyr College of Pharmacy | Source | New | Education | Ukraine | Unknown | Unknown
Adobe and a federal agency | Source | New | Technology and public | USA | No | 0
Groveport Madison Schools | Source 1; source 2 | New | Education | USA | No | 0

Note: ‘New’/‘Update’ in the Status column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.


Enforcement

ECJ ruling makes it easier for data protection authorities to impose GDPR fines

The European Court of Justice has issued a judgment in two GDPR (General Data Protection Regulation) enforcement cases, referred from Lithuania and Germany, which has wider implications for every data protection authority. According to the judgment, an administrative fine can be imposed on a data controller only where the GDPR infringement was “committed wrongfully, that is to say, intentionally or negligently”; at the same time, the authority does not need to attribute the infringement to an identified natural person within the controller before fining the controller itself.

UK Information Commissioner warns about data privacy when using AI

On 6 December, the UK Information Commissioner, John Edwards, told techUK’s Digital Ethics Summit 2023 that developers must embed privacy in their products to maintain consumer trust.

In his keynote address, he said: “Privacy and AI go hand in hand – there is no either/or here. You cannot expect to utilise AI in your products or services without considering privacy, data protection and how you will safeguard people’s rights. There are no excuses for not ensuring that people’s personal information is protected if you are using AI systems, products or services.”

US OCR imposes HIPAA penalty in phishing attack case

The US Department of Health and Human Services’ Office for Civil Rights has imposed its first financial penalty under HIPAA (the Health Insurance Portability and Accountability Act) for Security Rule violations arising from a phishing attack. An attacker gained access to Lafourche Medical Group’s Microsoft 365 environment after a phishing email impersonating one of the medical group’s owners; the protected health information of up to 34,862 people was compromised.


Other news

US GAO finds federal agencies need to improve incident response capabilities

A new study by the US Government Accountability Office has found that, while federal agencies have improved their ability to detect, analyse and handle incidents such as ransomware attacks and data breaches, some agencies still have not met the federal requirements for event logging.

AFP calls for Australians to report ransomware attacks

The Australian Federal Police is renewing its call for victims of ransomware to report incidents as soon as possible, fearing that some organisations and people are not involving law enforcement in their response to attacks.

CISA and ENISA sign working arrangement to enhance cooperation

The US’s CISA (Cybersecurity and Infrastructure Security Agency) and ENISA (European Union Agency for Cybersecurity) have signed a working arrangement relating to capacity building, the exchange of best practices and boosting situational awareness. The arrangement builds on current cooperation to improve cyber resilience.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.