Plus, a further 3,029,461 known records newly breached
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
More than 6 million accounts compromised from streaming service MovieBoxPro
MovieBoxPro, a streaming service of “questionable legality”, suffered a data scraping incident on 15 April 2024, according to Have I Been Pwned.
Data scraping is a typically automated process that extracts information from websites, allowing criminals to compile data sets containing personal information.
The data breached included usernames and email addresses.
Reportedly, the vulnerability has now been mitigated.
Data breached: 6,009,014 accounts.
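Scraping of this kind usually leaves a distinctive trace in ordinary access logs: one client walking through profile identifiers far faster than a person browses. The script below is an added example (not code from the original post, and nothing to do with MovieBoxPro's actual systems) that flags such enumeration. It assumes a hypothetical profile endpoint /api/user/<id>, combined-format web-server logs in time order, and constructed sample lines; the window and threshold are illustrative tuning knobs.

```python
"""Added example: detect account enumeration / scraping in access logs.

Assumptions (mine, not the article's): profiles are served from a hypothetical
/api/user/<id> endpoint, the log is Apache/Nginx "combined" format, lines are in
time order, and scraping appears as one client fetching many distinct user IDs
inside a short sliding window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic (not real logs). 10.0.0.7 walks IDs 1000..1005 in
# four seconds with a scripting user agent; 203.0.113.9 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.7 - - [15/Apr/2024:10:00:00 +0000] "GET /api/user/1000 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [15/Apr/2024:10:00:01 +0000] "GET /api/user/4242 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Apr/2024:10:00:01 +0000] "GET /api/user/1001 HTTP/1.1" 200 511 "-" "python-requests/2.31"
10.0.0.7 - - [15/Apr/2024:10:00:02 +0000] "GET /api/user/1002 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [15/Apr/2024:10:00:02 +0000] "GET /watch/123 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Apr/2024:10:00:02 +0000] "GET /api/user/1003 HTTP/1.1" 200 515 "-" "python-requests/2.31"
10.0.0.7 - - [15/Apr/2024:10:00:03 +0000] "GET /api/user/1004 HTTP/1.1" 200 508 "-" "python-requests/2.31"
10.0.0.7 - - [15/Apr/2024:10:00:04 +0000] "GET /api/user/1005 HTTP/1.1" 200 510 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
USER_RE = re.compile(r"^/api/user/(\d+)$")  # hypothetical profile endpoint


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    um = USER_RE.match(rec["path"])
    rec["user_id"] = int(um.group(1)) if um else None
    return rec


def sequential_fraction(ids):
    """Share of gaps equal to 1 between sorted distinct IDs (1.0 = a pure ID walk)."""
    s = sorted(set(ids))
    if len(s) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
    return steps / (len(s) - 1)


def detect_scrapers(log_text, window=timedelta(seconds=60), min_distinct=5):
    """Return {ip: finding} for clients that fetched >= min_distinct distinct
    user profiles within any sliding window of length `window`.

    404s are counted too: an enumerator hits non-existent IDs as well as real ones.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user_id), oldest first
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user_id"] is None:
            continue  # unparsable, or not a profile fetch
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["user_id"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()  # drop requests that fell out of the window
        ids = [uid for _, uid in q]
        distinct = len(set(ids))
        if distinct >= min_distinct:
            prev = findings.get(rec["ip"])
            if prev is None or distinct > prev["distinct_ids"]:
                findings[rec["ip"]] = {
                    "distinct_ids": distinct,
                    "seconds": (q[-1][0] - q[0][0]).total_seconds(),
                    "sequential": sequential_fraction(ids),
                    "user_agent": rec["ua"],
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_scrapers(SAMPLE_LOG).items():
        print(ip, f)
```

A high sequential fraction is the tell-tale of an unauthenticated or weakly rate-limited lookup by numeric ID; the practical fixes are per-client rate limits on the endpoint, non-guessable identifiers and authentication on profile reads.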
A further 381,000 New York City public school students affected by 2022 data breach
In January 2022, personal data from around 820,000 New York City public school students, both current and former, was breached.
It emerged this week, according to the New York City Department of Education, that data from a further 381,000 students was also compromised in this incident.
Data breached: 1,201,000 people’s data.
At least 191 Australian organisations affected by ZircoDATA ransomware attack
The ransomware group BlackBasta listed Australia-based ZircoDATA as a victim in February, allegedly exfiltrating 395 GB of data.
This week, it emerged that at least 191 Australian organisations, including government entities, were also affected by the breach through their use of ZircoDATA's services, highlighting the risks of supply chain attacks. Apparently, the data belongs to tens of thousands of Australians.
Data breached: 395 GB.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 9,038,475 records known to be compromised, and 258 organisations suffering a newly disclosed incident. 253 of them are known to have had data exfiltrated, exposed or otherwise breached. None has been confirmed not to have had data breached.
We also found 11 organisations providing a significant update on a previously disclosed incident.
Organisation(s) | Sector | Location | Data breached? | Known data breached |
MovieBoxPro Source 1; source 2 (New) | Leisure | China? | Yes | 6,009,014 |
New York City public school Source 1; source 2 (Update) | Education | USA | Yes | 1,201,000 |
ClubsNSW (via Outabox) Source (New) | Hospitality | Australia | Yes | 1,050,169 |
Firstmac Source (New) | Finance | Australia | Yes | >500 GB |
ZircoDATA and 191 Australian organisations Source 1; source 2 (Update on ZircoDATA; other affected organisations new) | IT services and unknown (but includes public) | Australia | Yes | 395 GB |
Continuum Health Alliance, LLC Source 1; source 2 (Update) | Healthcare | USA | Yes | 377,119 |
MedStar Health Source (New) | Healthcare | USA | Yes | 183,079 |
OrthoConnecticut Source (New) | Healthcare | USA | Yes | 118,141 |
Companies Registry Source (New) | Public | Hong Kong | Yes | 110,000 |
Bluebonnet Trails Community Services Source (New) | Healthcare | USA | Yes | 76,165 |
Enstar (US) Inc. Source 1; source 2 (Update) | Insurance | USA | Yes | 75,101 |
Airsoftc3.com Source (New) | Software | USA | Yes | 75,000 |
Hôpital de Cannes – Simone Veil Source 1; source 2 (Update) | Healthcare | France | Yes | 61 GB |
Associated Wholesale Grocers Source (New) | Retail | USA | Yes | 26,579 |
The Philadelphia Inquirer Source 1; source 2 (Update) | Media | USA | Yes | 25,549 |
Bay Oral Surgery & Implant Center Source (New) | Healthcare | USA | Yes | 13,055 |
Bousquet Holstein PLLC Source (New) | Legal | USA | Yes | 12,690 |
Lamont, Hanley & Associates, Inc. Source (New) | Finance | USA | Yes | 11,484 |
Inteplast Group Source (New) | Manufacturing | USA | Yes | 7,717 |
Dental Health Services Source (New) | Insurance | USA | Yes | 6,340 |
Los Angeles County Department of Health Services Source (New) | Public | USA | Yes | 6,085 |
Bundeswehr Source (New) | Defence | Germany | Yes | >6,000 |
Empath Health Source (New) | Healthcare | USA | Yes | 5,545 |
Liberty University Source (New) | Education | USA | Yes | 5,434 |
States of Guernsey Source (New) | Public | UK | Yes | >5,000 |
West Idaho Orthopedics Source 1; source 2 (Update) | Healthcare | USA | Yes | 5,000 |
Health First Urgent Care Source (New) | Healthcare | USA | Yes | 4,538 |
Dohman Akerlund & Eddy Source (New) | Finance | USA | Yes | 3,687 |
Illinois State Credit Union Source (New) | Finance | USA | Yes | 3,084 |
Mana Products Source (New) | Manufacturing | USA | Yes | 2,470 |
Bluegrass Care Navigators Source (New) | Healthcare | USA | Yes | 2,282 |
Directive Communication Systems Source (New) | Finance | USA | Yes | 1,546 |
VeriSource Services, Inc. Source (New) | IT services | USA | Yes | 1,382 |
Worthen Industries Source 1; source 2 (Update) | Manufacturing | USA | Yes | 1,277 |
R.J. Grondin & Sons Source (New) | Construction | USA | Yes | 741 |
Mt Hira College Source (New) | Education | Australia | Yes | >700 |
WELBRO Building Corporation Source 1; source 2 (Update) | Construction | USA | Yes | 693 |
American Renal Management LLC Source (New) | Healthcare | USA | Yes | 501 |
Rebound Orthopedics & Neurosurgery Source 1; source 2 (Update) | Healthcare | USA | Yes | 500 |
Chambers Construction Co. Source (New) | Construction | USA | Yes | 489 |
ClearVision Optical Source (New) | Retail | USA | Yes | 261 |
Symphony Financial, LLC. Source (New) | Finance | USA | Yes | 151 |
City of Pensacola Government Source 1; source 2 (Update) | Public | USA | Yes | 22 |
Edenred Source (New) | Finance | Belgium | Yes | 10 |
Victorian Ambulance Union Incorporated Source (New) | Non-profit | Australia | Yes | Unknown |
Qantas Source (New) | Transport | Australia | Yes | Unknown |
BC Libraries Cooperative Source (New) | IT services | Canada | Yes | Unknown |
The Post Millennial Source (New) | Media | Canada | Yes | Unknown |
Cariboo Regional District Library Network Source (New) | Public | Canada | Yes | Unknown |
Digicel Group Source (New) | Telecoms | El Salvador | Yes | Unknown |
Magnet+ Source (New) | Telecoms | Ireland | Yes | Unknown |
Mellitah Oil and Gas B.V Source (New) | Energy | Italy | Yes | Unknown |
Bitvavo Source (New) | Crypto | Netherlands | Yes | Unknown |
Shook Lin & Bok Singapore Source (New) | Legal | Singapore | Yes | Unknown |
University of Alicante Source (New) | Education | Spain | Yes | Unknown |
io.net Source (New) | Blockchain | USA | Yes | Unknown |
Virginia Union University Source (New) | Education | USA | Yes | Unknown |
George F. Young, Inc. Source (New) | Engineering | USA | Yes | Unknown |
OE Federal Credit Union Source (New) | Finance | USA | Yes | Unknown |
Harlowe Source (New) | Healthcare | USA | Yes | Unknown |
Northern California Behavioral Health System Source (New) | Healthcare | USA | Yes | Unknown |
Primary Care Health Partners Source (New) | Healthcare | USA | Yes | Unknown |
Panda Restaurant Group Source (New) | Hospitality | USA | Yes | Unknown |
CAI Technologies Source (New) | IT services | USA | Yes | Unknown |
SUN SSC Source (New) | IT services | USA | Yes | Unknown |
Formosa Plastics Corporation, U.S.A. Source (New) | Manufacturing | USA | Yes | Unknown |
Human Events. Source (New) | Media | USA | Yes | Unknown |
GDI Services, Inc. Source (New) | Professional services | USA | Yes | Unknown |
Sterling Plumbing Inc. Source (New) | Professional services | USA | Yes | Unknown |
City of Wichita Kansas Source (New) | Public | USA | Yes | Unknown |
Dropbox Source (New) | Software | USA | Yes | Unknown |
Pike Finance Source (New) | Blockchain | Unknown | Yes | Unknown |
La Nacion Source (New) | Media | Argentina | Unknown | Unknown |
London Drugs Source (New) | Retail | Canada | Unknown | Unknown |
Superintendencia del Subsidio Familiar Source (New) | Public | Colombia | Unknown | Unknown |
Diario El Salvador Source (New) | Public | El Salvador | Unknown | Unknown |
Hong Kong Arts Development Council Source (New) | Public | Hong Kong | Unknown | Unknown |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.
AI
noyb files complaint against OpenAI for not correcting inaccurate information
The non-profit noyb filed a complaint against OpenAI with the Austrian data watchdog for failing to meet a key GDPR requirement: that personal data is accurate, and that data subjects have full access to that data along with source information.
noyb says: “OpenAI openly admits that it is unable to correct incorrect information on ChatGPT. Furthermore, the company cannot say where the data comes from or what data ChatGPT stores about individual people. The company is well aware of this problem, but doesn’t seem to care.”
Also this week, a group of US newspapers sued OpenAI and Microsoft for misusing their reporters’ writing to train their AI systems.
ICO publishes its response to regulating AI consultation
With the ICO (Information Commissioner’s Office) consultation on “Regulating AI: the ICO’s strategic approach – a response to the DSIT Secretary of State” now closed, the UK regulator has published its response.
New publications by DHS and NIST to help ensure safety and security of AI systems, as instructed by EO 14110
The US Department of Homeland Security has developed safety and security guidelines for critical infrastructure operators, as tasked by Executive Order 14110: “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”.
Also this week, NIST released four draft publications “intended to help improve the safety, security and trustworthiness of [AI] systems”.
Enforcement
New UK laws for IoT device security
The UK government has published new laws requiring Internet-connected smart devices to meet a minimum security standard. Most notably, it is banning weak, easily guessable default passwords on IoT (Internet of Things) devices, becoming the first country to do so.
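What a ban on "bad default passwords" has to mean on the factory floor is a pre-ship check over a whole production batch, not a check on one device. The script below is an added example (not from the article, the legislation or any manufacturer) of such a check. The rules it applies are my own assumptions about what the ban implies in practice: no single default shared across units, nothing from a well-known default list, nothing derivable from identifiers printed on the device (serial number, MAC), no per-unit counter pattern, and a minimum length. The batch data and the default list are constructed.

```python
"""Added example: pre-ship check that a batch of IoT devices does not leave
the factory with bad default passwords.

The rules are my assumptions, not the text of the UK law: per-unit uniqueness,
no well-known defaults, not derivable from serial/MAC, no counter pattern,
minimum length.
"""
import re
from collections import Counter

# Constructed sample of well-known defaults (a real check would use a fuller list).
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456",
                  "default", "root", "user", "guest"}
MIN_LEN = 8

# Constructed production batch (not real devices).
SAMPLE_BATCH = [
    {"serial": "SN-000101", "mac": "AA:BB:CC:00:01:01", "password": "admin"},
    {"serial": "SN-000102", "mac": "AA:BB:CC:00:01:02", "password": "Cam-000102"},
    {"serial": "SN-000103", "mac": "AA:BB:CC:00:01:03", "password": "Cam-000103"},
    {"serial": "SN-000104", "mac": "AA:BB:CC:00:01:04", "password": "k7Qv-mR2p-9xZe"},
    {"serial": "SN-000105", "mac": "AA:BB:CC:00:01:05", "password": "Welcome2024"},
    {"serial": "SN-000106", "mac": "AA:BB:CC:00:01:06", "password": "Welcome2024"},
]


def normalise(s):
    """Lower-case and strip separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def shares_identifier_fragment(password, identifiers, k=6):
    """True if any k-character run of a device identifier appears in the password,
    e.g. a password built from the last six hex digits of the MAC."""
    p = normalise(password)
    for ident in identifiers:
        i = normalise(ident)
        for start in range(0, max(0, len(i) - k + 1)):
            if i[start:start + k] in p:
                return True
    return False


def check_batch(devices):
    """Return {serial: [problem, ...]} for every device that fails a rule."""
    counts = Counter(d["password"] for d in devices)
    # Collapse digit runs so 'Cam-000102' and 'Cam-000103' share the key 'Cam-#'.
    pattern_key = {d["serial"]: re.sub(r"\d+", "#", d["password"]) for d in devices}
    pattern_counts = Counter(pattern_key.values())

    report = {}
    for d in devices:
        pw, issues = d["password"], []
        if counts[pw] > 1:
            issues.append(f"shared with {counts[pw] - 1} other unit(s)")
        if pw.lower() in KNOWN_DEFAULTS:
            issues.append("well-known default")
        if len(pw) < MIN_LEN:
            issues.append(f"shorter than {MIN_LEN} characters")
        if shares_identifier_fragment(pw, [d["serial"], d["mac"]]):
            issues.append("derived from serial number or MAC")
        key = pattern_key[d["serial"]]
        # Same non-digit skeleton on more units than carry this exact password:
        # the passwords differ only by a counter.
        if key != pw and pattern_counts[key] > counts[pw]:
            issues.append("follows a per-unit counter pattern")
        if issues:
            report[d["serial"]] = issues
    return report


if __name__ == "__main__":
    for serial, issues in check_batch(SAMPLE_BATCH).items():
        print(serial, "->", "; ".join(issues))
```

Only SN-000104 passes: its password is random per unit and unrelated to anything printed on the label. The check deliberately runs on the batch rather than per device, because the two failure modes the ban targets, a universal default and a predictable per-unit scheme, are only visible when units are compared with each other.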
Group CEO Alan Calder commented:
It’ll certainly improve the long-term robustness of the UK’s cyber security infrastructure – but that’ll only be gradual, because it only applies to new devices.
The laws don’t apply retrospectively to the millions of inadequately protected smart devices already in service – and which are replaced over decades rather than months.
So, there won’t be any immediate benefit in terms of reduction in data breaches – progress on that front will continue to depend on better-educated consumers!
FCC fines four wireless carriers $196 million
The US Federal Communications Commission has fined four large US wireless carriers – AT&T, Sprint, T-Mobile and Verizon – $196 million for illegally sharing access to customers’ location data.
Unrelated, AT&T also recently suffered a large data breach, affecting more than 51 million customers’ data.
Three new GDPR fines
The ICO issued a £7,500 fine under the UK GDPR to Central Young Men’s Christian Association for failing to use Bcc when emailing recipients, thereby revealing their HIV status to one another.
Under the EU GDPR, the Czech supervisory authority issued a €13.9 million fine for violating Articles 6 and 13. Meanwhile, the Greek authority issued the Hellenic Post a fine of 1% of the most recent global annual turnover for violating Articles 5(1)(f) and 32.
Other news
Security research team finds nearly 3 million Docker Hub repositories host malicious content
JFrog and Docker partnered for security research, finding that nearly 3 million Docker Hub repositories – almost 20% of all public repositories – host malicious content.
ICO and Ofcom publish statement on collaboration on regulating online services
Two UK regulators, the ICO and Ofcom (the UK’s communications regulator) have published a joint statement on “the regulation of online services where online safety and data protection intersect” to ensure “a coherent approach to regulation”.
New guidance
New NCSC guidance: AMS (Advanced Mobile Solutions)
The UK NCSC (National Cyber Security Centre) has published new guidance, called ‘AMS’ or ‘Advanced Mobile Solutions’. This risk model, along with “a set of architecture patterns and associated technologies” allows “high-threat organisations to stay connected ‘on the go’.”
Recently published reports
- Bitsight: A Global View of the CISA KEV Catalog: Prevalence and Remediation
- Cloudflare: Q1 2024 Internet disruption summary
- Corvus: Q1 Ransomware Report
- Cyber Threat Alliance: 2024 Cyber Threats to NGOs
- Sophos: The State of Ransomware 2024
- Verizon: 2024 Data Breach Investigations Report
- VulnCheck: State of Exploitation – A Peek into the Last Decade of Vulnerability Exploitation
- World Economic Forum: Cyber Readiness in Latin American Public Sectors: Lessons from the Frontline
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.