The Week in Cyber Security and Data Privacy: 8 – 14 January 2024

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Massive data breach potentially exposes entire Brazilian population

Researchers have discovered a publicly accessible Elasticsearch instance containing the private data of hundreds of millions of Brazilians, including full names, dates of birth, sex and Cadastro de Pessoas Físicas numbers – the 11-digit number that identifies individual taxpayers. The data is no longer publicly available.

Data breached: >223,000,000 victims’ personal data.

Al Mujtama Pharmacy allegedly breached, more than 7 million records affected

More than 7 million data records belonging to the Saudi pharmacy Al Mujtama have reportedly been published on an underground forum. The 3.3 GB database includes names, email addresses, phone numbers and passwords.

Data breached: >7,000,000 records.

Vauxhall Motors database with 5.5 million records leaked

Attackers have published a sample of data allegedly exfiltrated from Vauxhall Motors following a data breach affecting 5.5 million call logs between employees and customers. Compromised data includes user IDs, call dates and phone numbers.

Data breached: 5,500,000 records.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 249,142,212 records known to be compromised, and 108 organisations suffering a newly disclosed incident. 94 of them are known to have had data breached. Only 4 definitely haven’t had data breached.

We’ve also found 16 organisations providing a significant update on a previously disclosed incident.

| Organisation(s) | Sector | Location | Data breached? | Known records breached |
|---|---|---|---|---|
| Unknown Brazilian organisation (Source; New) | Unknown | Brazil | Yes | >223,000,000 |
| Al Mujtama Pharmacy (Source; New) | Manufacturing | Saudi Arabia | Yes | >7,000,000 |
| Vauxhall Motors Ltd (Source; New) | Manufacturing | UK | Yes | 5,500,000 |
| Raptor Technologies, LLC (Source; New) | IT services | USA | Yes | 4,024,001 |
| Hathway Cable & Datacom Ltd (Source 1; source 2; Update) | Telecoms | India | Yes | Almost 4,000,000 |
| NASCO (Source 1; source 2; Update) | Insurance | USA | Yes | 1,696,867 |
| Ministry of Foreign Affairs (Source; New) | Public | Saudi Arabia | Yes | >1,400,000 |
| Fidelity National Financial (Source 1; source 2; Update) | Finance | USA | Yes | 1,300,000 |
| Halara (Source; Update) | Retail | USA | Yes | 941,910 |
| Indian Railways Institute of Mechanical and Electrical Engineering (Source; New) | Education | India | Yes | 908,626 |
| Hi-Cone (Source; New) | Manufacturing | USA | Yes | 650 GB |
| Ursel Phillips Fellows Hopkinson LLP (Source; New) | Legal | Canada | Yes | 365 GB |
| Infiniti Mall (Source; New) | Retail | India | Yes | 280,000 |
| Malabar Gold & Diamonds (Source; New) | Retail | India | Yes | 270 GB |
| Health Alliance Hospital Mary’s Avenue Campus (Source 1; source 2; New) | Healthcare | USA | Yes | 264,197 |
| Singing River Health System (Source; New) | Healthcare | USA | Yes | 252,890 |
| The Harris Center for Mental Health and IDD (Source 1; source 2; New) | Healthcare | USA | Yes | 238,463 |
| Eckell Sparks (Source; New) | Legal | USA | Yes | 175 GB |
| Bogart (Source; New) | Retail | France | Yes | 152 GB |
| Acutis Diagnostics (Source 1; source 2; New) | Healthcare | USA | Yes | 137 GB |
| Independent Living Systems, LLC (Source 1; source 2; source 3; Update) | Healthcare | USA | Yes | 123,651 |
| R. Robertson Insurance Brokers Ltd (Source; New) | Insurance | Canada | Yes | 120 GB |
| Team Liquid (Liquipedia) (Source; New) | Leisure | Netherlands | Yes | 118,989 |
| SPRIM (Source; New) | Healthcare | Spain | Yes | 113,000 |
| Inspiring Vacations (Source; New) | Leisure | Australia | Yes | 112,605 |
| Shibley Righton LLP (Source; New) | Legal | Canada | Yes | 92 GB |
| Cooper Aerobics (Source 1; source 2; Update) | Healthcare | USA | Yes | 89,399 |
| HMG Healthcare (Source 1; source 2; source 3; New) | Healthcare | USA | Yes | 80,000 |
| Senior PsychCare (Source; New) | Healthcare | USA | Yes | 65,193 |
| Arrowhead Regional Computing Consortium (Source; New) | Finance | USA | Yes | 65,010 |
| Asbury Automotive Group (Source 1; source 2; New) | Manufacturing | USA | Yes | 62 GB |
| Milliman, Inc. (Source 1; source 2; Update) | Professional services | USA | Yes | 56,457 |
| Highlands Oncology Group (Source 1; source 2; source 3; Update) | Healthcare | USA | Yes | 55,297 |
| Charm Sciences, Inc. (Source; New) | Manufacturing | USA | Yes | 42 GB |
| Auto-Motion Shade Inc. (Source; New) | Transport | Canada | Yes | 38 GB |
| U.S. Drug Mart (Source 1; source 2; Update) | Healthcare | USA | Yes | 36,749 |
| Elliott Group (Source; New) | Manufacturing | USA | Yes | 31.5 GB |
| Dedicated Transportation Solutions (Source; New) | Transport | USA | Yes | 34 GB |
| Burr & Forman LLP (Source; New) | Legal | USA | Yes | 19,893 |
| Academy Mortgage Corporation (Source 1; source 2; Update) | Finance | USA | Yes | 18,290 |
| EvolvE Cryo + Wellness (Source; New) | Healthcare | USA | Yes | 14,000 |
| Premium Mortgage Corporation (Source; New) | Finance | USA | Yes | 10,835 |
| Tarrytown Expocare Pharmacy (Source 1; source 2; Update) | Healthcare | USA | Yes | 10,708 |
| Centennial Bank (Source; New) | Finance | USA | Yes | 10,008 |
| Intercity Investments, Inc. (Source; New) | Real estate | USA | Yes | 10 GB |
| Unitex (Source; New) | Manufacturing | USA | Yes | 9.5 GB |
| CBIZ KA (Source 1; source 2; Update) | Healthcare | USA | Yes | 9,129 |
| BMW Montréal Centre (Source; New) | Retail | Canada | Yes | 9,000 |
| Sharp Health Plan (Source; New) | Insurance | USA | Yes | 8,200 |
| Nautic Partners LLC (Source; New) | Finance | USA | Yes | 7,870 |
| Carnegie Mellon University (Source; New) | Education | USA | Yes | 7,343 |
| Indian government (tax officers) (Source; New) | Public | India | Yes | >7,000 |
| Tameside Metropolitan Borough Council (Source; New) | Public | UK | Yes | 6,345 |
| HairClub (Source; New) | Retail | USA | Yes | 4,334 |
| Alexandria University (Source; New) | Education | Egypt | Yes | 3.03 GB |
| Rebekah Children’s Services (Source; New) | Non-profit | USA | Yes | 2,805 |
| Butte School District (Source 1; source 2; Update) | Education | USA | Yes | 2,658 |
| Dignity Health Nevada St. Rose Dominican Hospital (Source; New) | Healthcare | USA | Yes | 2,652 |
| DentalXChange (Source 1; source 2; New) | Software | USA | Yes | 2,574 |
| Walker County, Texas (Source; New) | Public | USA | Yes | 2,420 |
| Cambridge Labour Party (Source; New) | Public | UK | Yes | 1,942 |
| Hi-Crush (Source 1; source 2; New) | Energy | USA | Yes | 1,902 |
| Villager Construction, Inc. (Source; New) | Construction | USA | Yes | 1,380 |
| One Stop Financial Services (Source; New) | Finance | USA | Yes | 1,179 |
| Tampa Bay Surgical Group (Source; New) | Healthcare | USA | Yes | 1,107 |
| Essen Health Care (Source 1; source 2; Update) | Healthcare | USA | Yes | 1,104 |
| Whitley Penn (Source; New) | Finance | USA | Yes | 605 |
| Music Institute of Chicago (Source; New) | Non-profit | USA | Yes | 605 |
| Marvel Consultants (Source; New) | Professional services | USA | Yes | 593 |
| Dallas County (Source 1; source 2; New) | Public | USA | Yes | 501 |
| Mount Carmel Care Center (Source 1; source 2; New) | Healthcare | USA | Yes | 501 |
| Waterford Country School (Source 1; source 2; New) | Education | USA | Yes | 500 |
| Toyota Financial Services (Source 1; source 2; Update) | Finance | USA | Yes | 490 |
| American Meat Companies (Source; New) | Manufacturing | USA | Yes | 367 |
| TBM Consulting Group (Source; New) | Professional services | USA | Yes | 298 |
| Capital Formation Group, Inc. (Source; New) | Finance | USA | Yes | 274 |
| Coastal Plains (Source 1; source 2; Update) | Healthcare | USA | Yes | 250 |
| Golf & Ski Warehouse (Source; New) | Retail | USA | Yes | 122 |
| Parliament of Albania (Source 1; source 2; Update) | Public | Albania | Yes | Unknown |
| Hal Leonard Australia (Source; New) | Retail | Australia | Yes | Unknown |
| Molnár & Partners (Source; New) | Finance | Hungary | Yes | Unknown |
| Alkem Laboratories Ltd. (Source; New) | Manufacturing | India | Yes | Unknown |
| PT Kereta Api Indonesia (Source; New) | Transport | Indonesia | Yes | Unknown |
| Blowtherm Spa (Source; New) | Manufacturing | Italy | Yes | Unknown |
| Tigo Business Paraguay (Source; New) | Telecoms | Paraguay | Yes | Unknown |
| Ministry of Industry and Mineral Resources (Source; New) | Public | Saudi Arabia | Yes | Unknown |
| Carrefour Servicios Financieros (Source; New) | Finance | Spain | Yes | Unknown |
| Sudan University of Science and Technology (Source; New) | Education | Sudan | Yes | Unknown |
| Tura Scandinavia AB (Source 1; source 2; New) | Manufacturing | Sweden | Yes | Unknown |
| Erbilbil Bilgisayar (Source; New) | Software | Turkey | Yes | Unknown |
| M9com (Source 1; source 2; New) | Telecoms | Russia | Yes | Unknown |
| North Alabama Chapter of the Information System Security Association (Source; New) | Cyber security | USA | Yes | Unknown |
| Arlington Public Schools (Source; New) | Education | USA | Yes | Unknown |
| Equitrans Midstream Corporation (Source 1; source 2; New) | Energy | USA | Yes | Unknown |
| CFD Investments (Source; New) | Finance | USA | Yes | Unknown |
| Keating Consulting Group (Source; New) | Finance | USA | Yes | Unknown |
| Oregon Pacific Bank (Source; New) | Finance | USA | Yes | Unknown |
| Allied Wound Care Specialist (Source; New) | Healthcare | USA | Yes | Unknown |
| CellNetix Pathology and Laboratories (Source 1; source 2; New) | Healthcare | USA | Yes | Unknown |
| CINQCARE (Source 1; source 2; New) | Healthcare | USA | Yes | Unknown |
| Morgan Pilate LLC (Source; New) | Legal | USA | Yes | Unknown |
| Indigo Sky Casino (Source; New) | Leisure | USA | Yes | Unknown |
| Amenitek Inc. (Source; New) | Manufacturing | USA | Yes | Unknown |
| Corinth Coca-Cola Bottling Group (Source; New) | Manufacturing | USA | Yes | Unknown |
| Framework (Source; New) | Manufacturing | USA | Yes | Unknown |
| Lee Spring (Source; New) | Manufacturing | USA | Yes | Unknown |
| Water for People (Source 1; source 2; New) | Non-profit | USA | Yes | Unknown |
| Carta (Source; New) | Software | USA | Yes | Unknown |
| Resend (Source; New) | Software | USA | Yes | Unknown |
| Medjet (Source 1; source 2; New) | Transport | USA | Yes | Unknown |
| Toronto Zoo (Source; New) | Non-profit | Canada | Unknown | Unknown |
| IT service provider of the Chambers of Craft and “vieler” [many] Handwerkskammern [Chambers of Craft] (Source 1; source 2; New) | IT services and non-profit | Germany | Unknown | Unknown |
| Juvenile Court of the Maldives (Source 1; source 2; New) | Legal | Maldives | Unknown | Unknown |
| Ayuntamiento de Calviá (Source; New) | Public | Spain | Unknown | Unknown |
| Hillside Dental Practice (Source; New) | Healthcare | UK | Unknown | Unknown |
| LUSH (Source; New) | Retail | UK | Unknown | Unknown |
| Kraken Digital Asset Exchange (Source; New) | Crypto | USA | Unknown | Unknown |
| Hyundai Middle East & Africa (Source; New) | Manufacturing | UAE | No | 0 |
| Alabama Medical Cannabis Commission (Source; New) | Healthcare | USA | No | 0 |
| U.S. Securities and Exchange Commission (Source 1; source 2; New) | Public | USA | No | 0 |
| NETGEAR (Source; New) | Telecoms | USA | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

European Commission calls for contributions on competition in virtual worlds and generative AI

The European Commission has launched a call for contributions on competition in virtual worlds and generative AI, and requested information from several large digital players. Interested parties are invited to submit their responses to the calls for contributions by 11 March.

NSA uses AI and ML to detect malicious Chinese cyber activity

Rob Joyce, the director of the US National Security Agency’s Cybersecurity Directorate, told the International Conference on Cyber Security at Fordham University earlier this month that the NSA is using AI and machine learning to detect Chinese attacks on US critical infrastructure.


Enforcement

Eurocollege Oxford English Institute fined €72,000 for GDPR infringements

The Spanish data protection authority has fined Eurocollege Oxford English Institute €72,000 for violating Articles 5, 6 and 9 of the GDPR by requiring trainees to provide certain personal information, including a criminal record certificate, to access a training course.

Former vice president of Commonwealth Health Corporation sentenced to probation for HIPAA violation

Mark Kevin Robison, a former vice president of Commonwealth Health Corporation (now Med Center Health) in Kentucky, has been sentenced to two years’ probation and ordered to pay $140,000 after reaching a plea agreement with federal prosecutors over a HIPAA violation.

‘Asia’s best hacker’ arrested in Philippines

Edgar Silvano Jr, 47, once dubbed ‘Asia’s best hacker’, was arrested in the Philippines last Friday. Police confiscated 11 mobile phones, 7 flash drives, 5 laptops, 4 SD cards, 3 Wi-Fi routers, 2 hard drives, a desktop and a modem, as well as several financial documents containing personal and bank account information belonging to other people.


Other news

UK government accused of being misleading over new encryption laws

techUK, a trade association representing more than 1,000 businesses in the technology sector, including Apple and Meta, has accused the UK government of underplaying the significance of the new Investigatory Powers (Amendment) Bill. According to a letter sent to James Cleverly MP, the Home Office’s description of the Bill “does not reflect the true significance of the changes that are being introduced”.

noyb accuses Meta of unlawfully ignoring users’ right to easily withdraw consent

The privacy rights group noyb has accused Meta’s “pay or okay” system, which requires users to pay a “privacy fee” to avoid being tracked, of violating the GDPR’s requirements relating to the withdrawal of consent. Under the GDPR, it must be as easy to withdraw your consent as it is to give it.

Multiple security vulnerabilities discovered in Bosch Rexroth torque wrench

Researchers at Nozomi Networks Labs have identified security vulnerabilities affecting the Bosch NXA015S-36V-B handheld pneumatic torque wrench and its NEXO-OS operating system. According to Bosch, the vulnerabilities could allow attackers to, among other things, read, upload, download and delete arbitrary files in all paths of the system; inject and execute arbitrary client-side script code or arbitrary HTTP response headers, or manipulate HTTP response bodies, inside a victim’s session; perform denial-of-service attacks; and access sensitive data inside exported packages.


Key dates

7 January 2024 – EU Cybersecurity Regulation enters into force

The EU’s Cybersecurity Regulation, which sets out measures for a high common level of cyber security at EU institutions, bodies, offices and agencies, entered into force on 7 January. The Regulation establishes an internal cyber security risk management, governance and control framework for each EU entity, and sets up a new Interinstitutional Cybersecurity Board to monitor and support its implementation, as well as extending the mandate of CERT-EU (the Computer Emergency Response Team for the EU institutions, bodies, offices and agencies).

17 January 2024 – First batch of DORA regulatory technical requirements due to be submitted

Three European supervisory authorities – the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority) and ESMA (European Securities and Markets Authority) – are developing DORA policy products for compliance with the EU Digital Operational Resilience Act. The first batch – a set of four regulatory technical requirements covering Articles 15, 16(3), 18(3), 28(9) and 28(10) – is due to be submitted by 17 January.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.