The Week in Cyber Security and Data Privacy: 5 – 11 February 2024

92,391,296 known records breached in 222 publicly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Two French healthcare service providers breached affecting over 33 million people

The French data protection authority, the CNIL, is investigating data breaches at two French healthcare service providers, Viamedis and Almerys, which manage third-party payments for supplementary health insurance.

Compromised data includes policyholders’ and their families’ civil status, dates of birth and social security numbers, as well as the name of their health insurer and information relating to their contracts.

Financial information, medical data, health reimbursements, postal addresses, telephone numbers and emails are not thought to have been compromised.

In total, more than 33 million people – nearly half France’s population – have been affected.

Data breached: >33,000,000 people’s data.

Thailand’s Department of Older Persons breached, exposing almost 20 million personal data records

The Department of Older Persons, part of Thailand’s Ministry of Social Development and Human Security, suffered a data breach in which 19,718,687 rows of personal data were exposed.

Compromised data included names, ID card numbers, phone numbers, emails, salaries and personal photographs.

The incident is one of a series of major data breaches in Thailand in recent months that have been analysed by the security company Resecurity. It has since been confirmed by Anukul Peedkaew, the permanent secretary of social development and human security.

Data breached: 19,718,687 records.

Further victims of last year’s Perry Johnson & Associates data breach identified

Last year, the medical transcription company PJ&A (Perry Johnson & Associates) suffered a data breach in which an unauthorised third party was able to access its computer network. In November 2023, Northwell Health – the largest health system in New York – confirmed that it was affected by the incident.

PJ&A has now determined that information relating to another of its clients, Concentra Health Services, was also accessed and has filed notice of a data breach, confirming that over 13 million people were affected. Compromised information varies from person to person.

Data breached: 13,300,750 people’s data.

Publicly disclosed data breaches and cyber attacks: full list

This week, we found 92,391,296 records known to be compromised, and 222 organisations suffering a newly disclosed incident. 184 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 2 definitely haven’t had data breached.

We also found 7 organisations providing a significant update on a previously disclosed incident.

| Organisation(s) | Sector | Location | Data breached? | Known records breached |
|---|---|---|---|---|
| Viamedis and Almerys / Source / New | Healthcare | France | Yes | >33,000,000 |
| Department of Older Persons (part of Thailand’s Ministry of Social Development and Human Security) / Source 1; source 2 / New | Public | Thailand | Yes | 19,718,687 |
| Perry Johnson & Associates, Inc. (PJ&A) / Source / Update | IT services and software | USA | Yes | 13,300,750 |
| Hyundai Motor Europe / Source / New | Manufacturing | Germany | Yes | 3 TB |
| MRA – The Management Association / Source / New | Professional services | USA | Yes | 3 TB |
| 65 unidentified APAC organisations / Source / New | Multiple | Multiple APAC countries, predominantly India (12 victims), Taiwan (10), Thailand (9) and Vietnam (7) | Yes | 2,079,027 |
| Al Firas / Source / New | Construction and real estate | UAE | Yes | 2 TB |
| Chulabook / Source / New | Retail | Thailand | Yes | >1,600,000 |
| Drost Kivlahan Mcmahon & O’Connor / Source / New | Legal | USA | Yes | 1.6 TB |
| KSA Architecture / Source / New | Construction and real estate | USA | Yes | 1.5 TB |
| Cole, Cole, Easley & Sciba / Source / New | Legal | USA | Yes | 1.5 TB |
| JP Original Corp / Source / New | Manufacturing | USA | Yes | 1.2 TB |
| CTSI / Source / New | Multiple | USA | Yes | 978 GB |
| Willis Lease Finance Corporation / Source / New | Finance | USA | Yes | 910 GB |
| asecos / Source / New | Manufacturing | Germany | Yes | 810 GB |
| Transaxle / Source / New | Manufacturing | USA | Yes | 795 GB |
| Dalmahoy Hotel & Country Club / Source / New | Hospitality and leisure | UK | Yes | 769,590 |
| B&B Electric / Source / New | Construction & real estate | USA | Yes | 750 GB |
| Posen Architects / Source / New | Construction and real estate | USA | Yes | 724 GB |
| SPB Global / Source / New | Manufacturing | Spain | Yes | 706 GB |
| Avianor Group / Source / New | Engineering | Canada | Yes | 578,914 |
| United Colors of Benetton / Source / New | Retail | India | Yes | 500,000 |
| Studio Galbusera / Source / New | Education | Italy | Yes | 500 GB |
| Upper Merion Youth Wrestling Association / Source / New | Charity and non-profit | USA | Yes | 500 GB |
| Village of Skokie / Source / New | Public | USA | Yes | 499,988 |
| Benchmark Management Group / Source / New | Construction and real estate | USA | Yes | 401,148 |
| Manitou Group / Source / New | Manufacturing | France | Yes | 400 GB |
| Azura Vascular Care / Source 1; source 2 / New | Healthcare | USA | Yes | 348,000 |
| Indorama Ventures / Source / New | Manufacturing | Thailand | Yes | 318 GB |
| Groupe Goyette / Source / New | Transport | Canada | Yes | 314,307 |
| SEIU (Service Employees International Union) / Source 1; source 2 / New | Public | USA | Yes | 308 GB |
| Des Moines Orthopaedic Surgeons, P.C. / Source 1; source 2 / New | Healthcare | USA | Yes | 307,864 |
| Planet Home Lending, LLC / Source / Update | Finance | USA | Yes | 284,974 |
| Technet / Source / New | IT services and software | Sweden | Yes | 278 GB |
| Ducont / Source / New | IT services and software | UAE | Yes | 256,018 |
| Spoutible / Source 1; source 2 / New | Media | USA | Yes | 207,000 |
| Carespring Healthcare / Source / New | Healthcare | USA | Yes | 182,725 |
| Parksite / Source / New | Construction and real estate | USA | Yes | 170 GB |
| Vail-Summit Orthopaedics & Neurosurgery / Source / New | Healthcare | USA | Yes | 150 GB |
| Gocco / Source / New | Retail | Spain | Yes | 136 GB |
| Commonwealth Sign / Source / New | Manufacturing | USA | Yes | 113.63 GB |
| Western Municipal Construction / Source / New | Construction and real estate | USA | Yes | 101 GB |
| Tennessee Farmers Insurance / Source / New | Insurance | USA | Yes | 71,000 |
| CNO ACE / Source 1; source 2 / New | Healthcare | USA | Yes | 65,195 |
| Verizon Communications Inc. / Source / New | Telecoms | USA | Yes | 63,206 |
| Bayer Heritage Federal Credit Union / Source / Update | Finance | USA | Yes | 61,159 |
| HBL CPAs / Source / New | Professional services | USA | Yes | 60 GB |
| Shipleys / Source / New | Professional services | UK | Yes | 60 GB |
| Sopem Tunisie / Source / New | Manufacturing | Tunisia | Yes | 55,169 |
| Harinck / Source / New | Manufacturing | Belgium | Yes | 53.1 GB |
| Impact Energy Services / Source / New | Engineering | Canada | Yes | 52,707 |
| Lancaster County Sheriff’s Office / Source / New | Public | USA | Yes | 52,567 |
| Maximum Research / Source / New | Professional services | USA | Yes | 52 GB |
| Terago / Source / New | Telecoms | Canada | Yes | 45 GB |
| Zivilgeometer / Source / New | Engineering | Austria | Yes | 41.83 GB |
| Aver Information / Source / New | Telecoms | Taiwan | Yes | 40 GB |
| Nastech / Source / New | Energy and utilities | UAE | Yes | 33,664 |
| Facebook Marketplace / Source / New | Media | USA | Yes | 24,127 |
| PWS – The Laundry Company / Source / New | Professional services | USA | Yes | 21.1 GB |
| City of Clemson, South Carolina / Source / New | Public | USA | Yes | 21,056 |
| DGX-Dependable Hawaiian Express / Source / New | Professional services | USA | Yes | 20 GB |
| Verdimed / Source / New | Agricultural | Spain | Yes | 19 GB |
| Watchmax / Source / New | Retail | UK | Yes | 15,000 |
| Del-Tron Precision / Source / New | Manufacturing | India | Yes | 8.9 GB |
| Signature Performance, Inc. / Source / Update | Healthcare | USA | Yes | 7,122 |
| Arch Capital Services LLC / Source / New | Healthcare | USA | Yes | 7,036 |
| Tobacco-Free Kids / Source / New | Charity and non-profit | USA | Yes | 7 GB |
| Health Alliance Medical Plans / Source 1; source 2 / New | Healthcare | USA | Yes | 6,900 |
| Family Healthcare Center / Source 1; source 2 / New | Healthcare | USA | Yes | 6,457 |
| International Center of Photography / Source / New | Charity and non-profit | USA | Yes | 5,985 |
| The Burton Corporation / Source / New | Manufacturing | USA | Yes | 5,170 |
| Southwest Binding & Laminating / Source / New | Professional services | USA | Yes | 4.2 GB |
| Sun Pain Management, LLC / Source 1; source 2 / New | Healthcare | USA | Yes | 2,988 |
| J.D. Gilmour & Co., Inc. / Source 1; Source 2 / Update | Healthcare | USA | Yes | 2,481 |
| The New Jewish Home / Source / New | Healthcare | USA | Yes | 2,000 |
| Finzer Roller, Inc. / Source / New | Manufacturing | USA | Yes | 1,335 |
| Science Systems and Applications, Inc. / Source / New | Defence | USA | Yes | 1,051 |
| Connecticut College / Source / New | Education | USA | Yes | 954 |
| American Alarm & Communications Inc. / Source / Update | Professional services | USA | Yes | 942 |
| The Northwestern Mutual Life Insurance Company / Source / New | Finance | USA | Yes | 887 |
| Whitley Penn / Source / Update | Finance | USA | Yes | 729 |
| Albertsons Companies, Inc. / Source / New | Retail | USA | Yes | 457 |
| Midwest Hardwood Company LLC / Source / New | Manufacturing | USA | Yes | 373 |
| Precision Tune Auto Care / Source / New | Transport | USA | Yes | 0.274 GB |
| Trendium Pool Products, Inc. / Source / New | Manufacturing | Canada | Yes | 237 |
| The Hamilton Paramedic Service / Source / New | Healthcare | USA | Yes | 162 |
| Tax Technologies, Inc. / Source / New | Professional services | USA | Yes | 146 |
| Community School of Naples / Source / New | Education | USA | Yes | 4 |
| Software Systems, Inc. / Source / New | IT services and software | USA | Yes | 2 |
| Japanese government / Source / New | Public | Japan | Yes | Unknown |
| WinStar / Source / New | Hospitality and leisure | USA | Yes | Unknown |
| Maxis Berhad / Source / New | Telecoms | Malaysia | Yes | Unknown |
| Lex Caribbean / Source / New | Legal | Barbados | Yes | Unknown |
| Abel Santos & Asociados / Source / New | Professional services | Argentina | Yes | Unknown |
| Pezold, Barker & Woltz, APPC / Source / New | Legal | USA | Yes | Unknown |
| Chicago Extruded Metals / Source / New | Manufacturing | USA | Yes | Unknown |
| Unidentified contractors of US Department of Defense / Source / New | Public | USA | Yes | Unknown |
| Greater Richmond Transit / Source / New | Transport | USA | Yes | Unknown |
| VCS Observation / Source 1; source 2 / New | Manufacturing | Netherlands | Yes | Unknown |
| Hutch Paving / Source / New | Construction and real estate | USA | Yes | Unknown |
| Modern Kitchens / Source / New | Manufacturing | USA | Yes | Unknown |
| Greenwich Leisure / Source / New | Public | UK | Yes | Unknown |
| A&A Ready Mixed Concrete / Source / New | Construction and real estate | USA | Yes | Unknown |
| Northeastern Sheet Metal / Source / New | Manufacturing | USA | Yes | Unknown |
| Hannon Transport / Source / New | Transport | UK | Yes | Unknown |
| McMillan Pazdan Smith / Source / New | Construction and real estate | USA | Yes | Unknown |
| Mason Construction / Source / New | Construction and real estate | USA | Yes | Unknown |
| Albert Bartlett / Source / New | Agricultural | UK | Yes | Unknown |
| Perry-McCall Construction / Source / New | Construction and real estate | USA | Yes | Unknown |
| Premier Facility Management / Source / New | Professional services | USA | Yes | Unknown |
| Douglas County Libraries / Source / New | Public | USA | Yes | Unknown |
| Leaders Staffing / Source / New | Other | USA | Yes | Unknown |
| Arpuplus / Source / New | Telecoms | Egypt | Yes | Unknown |
| Celeste / Source / New | Multiple | France | Yes | Unknown |
| Ceralp / Source / New | Professional services | France | Yes | Unknown |
| Worthen Industries / Source / New | Manufacturing | USA | Yes | Unknown |
| PJ Green / Source / New | Professional services | USA | Yes | Unknown |
| YRW Limited Chartered Accountants / Source / New | Professional services | USA | Yes | Unknown |
| Karl Rieker / Source / New | Manufacturing | Germany | Yes | Unknown |
| Tetrosyl Group / Source / New | Manufacturing | UK | Yes | Unknown |
| Anderco PTE / Source / New | Construction and real estate | Singapore | Yes | Unknown |
| Distecna / Source / New | Professional services | Argentina | Yes | Unknown |
| Grupo Moraval / Source / New | Charity and non-profit | Spain | Yes | Unknown |
| CDT Medicus / Source / New | Healthcare | Poland | Yes | Unknown |
| Soken Chemical & Engineering / Source / New | Engineering | Japan | Yes | Unknown |
| Grace Lutheran Foundation / Source / New | Charity and non-profit | USA | Yes | Unknown |
| Magi ERP Group / Source / New | IT services and software | USA | Yes | Unknown |
| Pacific American Fish Company / Source / New | Other | USA | Yes | Unknown |
| Pakistan Super League / Source 1; source 2 / New | Hospitality and leisure | Pakistan | Unknown | Unknown |
| Lurie Children’s Hospital / Source / New | Healthcare | USA | Unknown | Unknown |
| Multiple Philippine government agencies / Source / New | Public | Philippines | Unknown | Unknown |
| Dutch MIVD (Military Intelligence and Security Service) / Source / New | Public | Netherlands | Unknown | Unknown |
| The municipality of Korneuburg / Source / New | Public | Austria | Unknown | Unknown |
| Armentières hospital / Source / New | Healthcare | France | Unknown | Unknown |
| Philogen SpA / Source / New | Other | Italy | Unknown | Unknown |
| Logtainer Srl / Source / New | Transport | Italy | Unknown | Unknown |
| Prima Wawona / Source / New | Agricultural | USA | Unknown | Unknown |
| Portline Transportes Marítimos Internacionais / Source / New | Transport | Portugal | Unknown | Unknown |
| Semesco / Source / New | Engineering | Cyprus | Unknown | Unknown |
| Ultraflex Systems / Source / New | Manufacturing | USA | Unknown | Unknown |
| Tgestiona / Source / New | Professional services | Brazil | Unknown | Unknown |
| WIFI Niederösterreich / Source / New | Education | Austria | Unknown | Unknown |
| Davis, French & Associates / Source / New | Professional services | UK | Unknown | Unknown |
| AXS Bolivia / Source / New | Telecoms | Bolivia | Unknown | Unknown |
| Vimar Equipment / Source / New | Transport | Canada | Unknown | Unknown |
| Therme LAA / Source / New | Hospitality and leisure | Austria | Unknown | Unknown |
| Original Footwear / Source / New | Manufacturing | USA | Unknown | Unknown |
| Perkins Manufacturing / Source / New | Manufacturing | USA | Unknown | Unknown |
| MacQueen Equipment Group / Source / New | Manufacturing | USA | Unknown | Unknown |
| Town of Seymour / Source / New | Professional services | USA | Unknown | Unknown |
| Northsea Yacht Support / Source / New | Manufacturing | Netherlands | Unknown | Unknown |
| Money Advice Trust / Source / New | Charity and non-profit | UK | Unknown | Unknown |
| Bull Stockwell Allen / Source / New | Construction and real estate | USA | Unknown | Unknown |
| Capozzi Adler / Source / New | Legal | USA | Unknown | Unknown |
| Living Water International / Source / New | Charity and non-profit | USA | Unknown | Unknown |
| American Integrated Security Group / Source / New | Professional services | USA | Unknown | Unknown |
| Maddockhenson / Source / New | Finance | USA | Unknown | Unknown |
| La Colline / Source / New | Manufacturing | Switzerland | Unknown | Unknown |
| Amoskeag Network Consulting Group / Source / New | IT services and software | USA | Unknown | Unknown |
| Northern Light Health / Source / New | Healthcare | USA | No | 0 |
| Unified Judicial System of Pennsylvania / Source / New | Public | USA | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

NCSC publishes new guidance on AI and cyber security

The UK’s National Cyber Security Centre has published new guidance on cyber security issues organisations need to be aware of when deploying artificial intelligence. ‘AI and cyber security: what you need to know’ is designed to help managers, board members and senior executives (with a non-technical background) to understand some of the risks – and benefits – of using AI tools.

EU lawmakers vote to ratify political deal on AI Act

Two committees at the European Parliament have ratified the provisional agreement on the AI Act. LIBE (the European Parliament Committee on Civil Liberties, Justice and Home Affairs) posted on X (formerly Twitter): “AI Act takes a step forward: MEPs in @EP_Justice & @EP_SingleMarket have endorsed the provisional agreement on an Artificial Intelligence Act that ensures safety and complies with fundamental rights”.


Enforcement

US State Department offers $10 million for Hive ransomware information

The US Department of State is offering a reward of up to $10 million for information leading to the identification and/or location of the leaders of the Hive ransomware group, and a reward of up to $5 million for information that leads to the arrest and/or conviction of anyone conspiring to participate in Hive ransomware activity.

US announces visa restriction policy, banning people associated with spyware

Secretary of State Antony J Blinken has announced that the State Department is implementing a new policy “that will allow the imposition of visa restrictions on individuals involved in the misuse of commercial spyware”.

Denmark orders schools not to transfer students’ data to Google

The Danish data protection authority, Datatilsynet, has ordered 53 municipalities across Denmark to change their data processing activities so that they no longer transfer students’ personal data to Google.


Other news

Chinese Volt Typhoon group hid in US infrastructure network for 5 years

CISA (the Cybersecurity and Infrastructure Security Agency), the NSA (National Security Agency) and the FBI (Federal Bureau of Investigation) have issued a joint advisory about the Chinese Volt Typhoon cyber espionage group, which infiltrated US critical infrastructure.

Google confirms that spyware vendors are behind 50% of zero-day attacks

Google’s Threat Analysis Group has analysed 40 commercial spyware vendors and found that they were behind half of known 0-day exploits targeting Google products and Android ecosystem devices.

Ransomware payments topped $1 billion last year

Research by Chainalysis has found that ransom payments made to attackers reached an all-time high of more than $1 billion in 2023. The most profitable ransomware gangs were ALPHV/BlackCat, Clop, Play, LockBit, BlackBasta, Royal, Ransomhouse and Dark Angels. The previous record figure – $983 million – was set in 2021.

Fortinet brushes off DDoS claims

Despite going viral, a story that 3 million electric toothbrushes were hacked and used as a botnet to conduct DDoS (distributed denial-of-service) attacks is, of course, untrue. The security company Fortinet confirmed that it was a hypothetical scenario, saying: “To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”


Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

