67,273,297 known records breached in 130 newly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
US Environmental Protection Agency allegedly breached: nearly 8.5 million accounts compromised
A threat actor known as ‘USDoD’ claims to have exfiltrated a large database from the US EPA (Environmental Protection Agency).
According to a listing on the black-hat hacking site BreachForums, USDoD has released the EPA’s entire contact list, comprising the names, addresses, phone numbers, email addresses and other information relating to customers and contractors.
HackRead reports that once duplicate records are removed, the number of exposed accounts totals 8,460,182.
Data breached: 8,460,182 accounts.
Kid Security breached again: children’s live GPS locations exposed on the Internet
Last November, the parental control app Kid Security, which allows parents to monitor and control their children’s online safety, was found to have exposed more than 300 million records via misconfigured Elasticsearch and Logstash instances.
Cybernews has now discovered that the company has, once again, exposed highly sensitive children’s data because of configuration errors.
In this instance, Kid Security failed to configure authentication for its Kafka Broker cluster, exposing at least 456,000 private social media messages, audio recordings, IP addresses, device locations, usage statistics and more for over a year. The company is yet to comment.
Data breached: at least 456,000 records.
EyeCare Services Partners exposes more 3.5 million patients’ data via unsecured database
According to DataBreaches.net, EyeCare Services Partners – a group of eye care providers based in Dallas, Texas – left 50 TB of data exposed via an unsecured blob.
The biggest database in the blob contained 3.1 million patients and 1.6 million unique Social Security numbers. Other databases contained health insurance data, such as patents’ names, dates of birth, addresses and medical data.
The total number of affected patients is yet to be determined, but is likely to be more than 3.5 million.
Data breached: at least 3.5 million people’s data.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 67,273,297 records known to be compromised, and 130 organisations suffering a newly disclosed incident. 114 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 2 definitely haven’t had data breached.
We also found 15 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known data breached |
| DataBank Source (New) | IT services | USA | Yes | 10,633,996 |
| US Environmental Protection Agency (EPA) Source (New) | Public | USA | Yes | 8,460,182 |
| boAt Lifestyle Source (New) | Manufacturing | India | Yes | 7,550,000 |
| El Salvadoran citizens Source (New) | Public | El Salvador | Yes | 5,129,518 |
| Surveylama (Globe Media) Source 1; source 2 (New) | Professional services | France | Yes | 4,426,879 |
| EyeCare Services Partners (ESP) Source (New) | Healthcare | USA | Yes | >3,500,000 |
| Benetton Group Source (New) | Retail | Italy | Yes | 3,179,093 |
| Leicester City Council Source 1; source 2; source 3 (Update) | Public | UK | Yes | 3 TB |
| Qobuz Source (New) | IT services | France | Yes | 2,700,000 |
| HSBC and Barclays Source (New) | Finance | UK | Yes | >2,000,000 |
| Department of Science and Technology Source (New) | Public | Philippines | Yes | 2 TB |
| Mexican citizen database Source (New) | Public | Mexico | Yes | 1,800,000 |
| Keenan & Associates Source 1; source 2 (Update) | Insurance | USA | Yes | 1,573,844 |
| Pandabuy Source 1; source 2; source 3 (New) | Retail | China | Yes | 1,348,407 |
| Gobierno de la Ciudad de México Source (New) | Public | Mexico | Yes | 1.3 TB |
| Allium UPI, UAB, Apotheka, Apotheka Beauty and PetCity Source (New) | Manufacturing | Estonia | Yes | 1,190,000 |
| Aero Dynamic Machining, Inc. Source (New) | Manufacturing | USA | Yes | 1.1 TB |
| City of Hope Source 1; source 2 (Update) | Healthcare | USA | Yes | 827,149 |
| Tiger-One Distribution Source (New) | Retail | Spain | Yes | 780,000 |
| BeneCare Dental Plans Source (New) | Insurance | USA | Yes | 554,752 |
| Sociedad de Ahorro y Crédito Constelación Source (New) | Finance | El Salvador | Yes | >470 GB |
| Kid Security Source (New) | Software | Kazakhstan | Yes | 456,000 |
| Citi Trends Source (New) | Retail | USA | Yes | 442,754 |
| TELUS Source (New) | Telecoms | Canada | Yes | 408,000 |
| Interface Source (New) | Manufacturing | USA | Yes | 382,084 |
| Greylock McKinnon Associates, Inc. Source 1; source 2 (Update) | Legal | USA | Yes | 341,650 |
| dr.CAFE® COFFEE SAUDI ARABIA Source (New) | Hospitality | Saudi Arabia | Yes | 336,700 |
| Otolaryngology Associates, P.C. Source (New) | Healthcare | USA | Yes | 316,802 |
| Regency Furniture Source (New) | Manufacturing | USA | Yes | 300 GB |
| Israeli Ministry of Justice Source 1; source 2 (New) | Legal | Israel | Yes | Nearly 300 GB |
| M&D Capital Premier Billing Source 1; source 2 (New) | Finance | USA | Yes | 284,326 |
| On Q Financial, LLC Source (New) | Finance | USA | Yes | 211,650 |
| Casio India Source (New) | Manufacturing | India | Yes | >200 GB |
| McAlvain Companies, Inc Source (New) | Construction | USA | Yes | 175 GB |
| Pacific Guardian Life Source (New) | Insurance | USA | Yes | 167,103 |
| Mall El Jardín Source (New) | Retail | Ecuador | Yes | 139,413 |
| Designed Receivable Solutions, Inc. Source 1; source 2 (New) | Finance | USA | Yes | 129,584 |
| The European House-Ambrosetti Source (New) | Professional services | Italy | Yes | >100,000 |
| Prosecutor General’s Office of the the Russian Federation Source 1; source 2 (New) | Public | Russia | Yes | 100,000 |
| XpressBees Source (New) | Transport | India | Yes | 95,000 |
| Aveanna Healthcare Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 65,482 |
| Grupo La Moderna Source (New) | Manufacturing | Mexico | Yes | 51,000 |
| American Renal Associates Source 1; source 2 (Update) | Healthcare | USA | Yes | >37,700 |
| Family Health Center Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 33,240 |
| York County School of Technology Source (New) | Education | USA | Yes | 30,914 |
| INTERSPORT FRANCE Source (New) | Retail | France | Yes | 25,934 |
| Best Transportation LLC Source (New) | Transport | USA | Yes | 24 GB |
| Pembina County Memorial Hospital Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 23,811 |
| Palauan government Source 1; source 2 (New) | Public | Palau | Yes | 21.3 GB |
| University of Winnipeg Source 1; source 2 (Update) | Education | Canada | Yes | >18,800 |
| Bene-Marc Source (New) | Insurance | USA | Yes | 17,000 |
| Ethos Source 1; source 2; source 3 (Update) | Non-profit | USA | Yes | 14,503 |
| Hong Kong Cyberport Source (Update) | IT services | Hong Kong | Yes | 13,632 |
| May Institute Source (New) | Non-profit | USA | Yes | 12,619 |
| The Home Depot Source 1; source 2 (New) | Retail | USA | Yes | 10,000 |
| Clackamas Community College Source 1; source 2 (Update) | Education | USA | Yes | 8,797 |
| Tri-City Medical Center Source 1; source 2 (Update) | Healthcare | USA | Yes | 7,847 |
| HALO Branded Solutions Source (New) | Professional services | USA | Yes | 7,305 |
| Ace Hardware Corporation Source 1; source 2; source 3 (Update) | Retail | USA | Yes | 7,295 |
| Detroit Symphony Orchestra Source (New) | Leisure | USA | Yes | 6,778 |
| Robert Peterson DD.S. PC Source 1; source 2 (New) | Healthcare | USA | Yes | 6,500 |
| Campbell Killin Brittan & Ray, LLC Source (New) | Legal | USA | Yes | 4,448 |
| Northern Virginia Oral Surgery Centers Source 1; source 2 (New) | Healthcare | USA | Yes | 4,333 |
| RxBenefits, Inc. Source 1; source 2 (New) | Manufacturing | USA | Yes | 3,396 |
| Mary H. Makhlouf, DMD, MS, PA Source 1; source 2 (New) | Healthcare | USA | Yes | 1,797 |
| American Farmland Trust Source (New) | Non-profit | USA | Yes | 1,503 |
| George & George Source (New) | Legal | USA | Yes | 1,455 |
| County of Los Angeles Department of Mental Health Source 1; source 2 (New) | Public | USA | Yes | 1,408 |
| Skender Source (New) | Construction | USA | Yes | 1,067 |
| Continental Bank Source (New) | Finance | USA | Yes | 1,045 |
| City of Conneaut Source 1; source 2 (New) | Public | USA | Yes | 771 |
| Bonney Forge Source 1; source 2 (New) | Energy | USA | Yes | 672 |
| Human Development Services of Westchester, Inc. Source 1; source 2 (New) | Non-profit | USA | Yes | 506 |
| Andor Labs Source 1; source 2 (New) | Healthcare | USA | Yes | 500 |
| Tri Delta Source (New) | Non-profit | USA | Yes | 448 |
| Platt Builders Inc. Source (New) | Construction | USA | Yes | 248 |
| S3WaaS and Indian government Source (New) | IT services and public | India | Yes | At least hundreds |
| Wysocki Family of Companies Source (New) | Agricultural | USA | Yes | 136 |
| Ohio Mutual Insurance Group Source (New) | Insurance | USA | Yes | 1 |
| Municipalidad de Berazategui Source (New) | Public | Argentina | Yes | Unknown |
| Municipio de Morón Source (New) | Public | Argentina | Yes | Unknown |
| Quilmes Municipio Source (New) | Public | Argentina | Yes | Unknown |
| Diabetes WA Source (New) | Healthcare | Australia | Yes | Unknown |
| IXMETRO POWERHOST® Source (New) | Telecoms | Chile | Yes | Unknown |
| Urban Sports Club Source (New) | Professional services | Germany | Yes | Unknown |
| Delhi Police Source (New) | Public | India | Yes | Unknown |
| PT Sarana Multi Infrastruktur (Persero) Source (New) | Finance | Indonesia | Yes | Unknown |
| EAS change systems Source (New) | Manufacturing | Netherlands | Yes | Unknown |
| National Home Mortgage Finance Corporation Source (New) | Public | Philippines | Yes | Unknown |
| Remitano – Cryptocurrency Exchange Source (New) | Crypto | Seychelles | Yes | Unknown |
| Seven Seas Technology Source (New) | IT services | UAE | Yes | Unknown |
| Southend-on-Sea City Council Source (New) | Public | UK | Yes | Unknown |
| Axiom Construction & Consulting Source 1; source 2 (New) | Construction | USA | Yes | Unknown |
| Blueline Associates, Inc. Source (New) | Construction | USA | Yes | Unknown |
| Grote Enterprises, LLC Source 1; source 2 (New) | Construction | USA | Yes | Unknown |
| Benefit Management, Inc. Source 1; source 2 (New) | Finance | USA | Yes | Unknown |
| SouthState Bank Source (New) | Finance | USA | Yes | Unknown |
| Advanced Care Hospital of Southern New Mexico Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Denver Regional Rehabilitation Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Ernest Health Source 1; source 2 (Update) | Healthcare | USA | Yes | Unknown |
| Greenwood Regional Rehabilitation Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Kootenai Health Source (New) | Healthcare | USA | Yes | Unknown |
| Lafayette Regional Rehabilitation Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Midlands Regional Rehabilitation Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Mountain Valley Regional Rehabilitation Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Norman Urology Associates P C Source (New) | Healthcare | USA | Yes | Unknown |
| NorthBay Health Source (New) | Healthcare | USA | Yes | Unknown |
| Northern Colorado Rehabilitation Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Northern Utah Rehabilitation Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Rehabilitation Hospital of the Northwest Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Rehabilitation Hospital of Southern California Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Rehabilitation Hospital of Southern New Mexico Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Sisu Healthcare Solutions Source (New) | Healthcare | USA | Yes | Unknown |
| Spartanburg Rehabilitation Institute Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| Summa Rehab Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| West Idaho Orthopedics Source (New) | Healthcare | USA | Yes | Unknown |
| Omni Hotels & Resorts Source (New) | Hospitality | USA | Yes | Unknown |
| Panera Bread Source (New) | Hospitality | USA | Yes | Unknown |
| Roberson & Sons Insurance Services Source (New) | Insurance | USA | Yes | Unknown |
| Acuity, Inc. Source (New) | IT services | USA | Yes | Unknown |
| Xenwerx Initiatives, LLC Source (New) | IT services | USA | Yes | Unknown |
| The Wacks Law Group, LLC Source (New) | Legal | USA | Yes | Unknown |
| East Baton Rouge Sheriff’s Office Source (New) | Public | USA | Yes | Unknown |
| W.P.J. McCarthy & Company Source (New) | Real estate | USA | Yes | Unknown |
| Citizens Channel Source (New) | Media | Albania | Unknown | Unknown |
| Düsseldorf Airport Source (New) | Transport | Germany | Unknown | Unknown |
| Indian Support Center Inc Source (New) | Non-profit | India | Unknown | Unknown |
| Hoya Corporation Source 1; source 2; source 3 (New) | Manufacturing | Japan | Unknown | Unknown |
| Ministry of Foreign and European Affairs of the Slovak Republic Source (New) | Public | Slovakia | Unknown | Unknown |
| AUCORSA Source (New) | Transport | Spain | Unknown | Unknown |
| PrePay Technologies SA Source (New) | IT services | Spain | Unknown | Unknown |
| Tharindu Jayawardhana Source (New) | Media | Sri Lanka | Unknown | Unknown |
| City of Birmingham Source (New) | Public | UK | Unknown | Unknown |
| NYCAPS/ESS (New York City Automated Personnel System, Employee Self Service) Source (New) | IT services | USA | Unknown | Unknown |
| Florida Department of Juvenile Justice Source (New) | Public | USA | Unknown | Unknown |
| Hernando County Government Source (New) | Public | USA | Unknown | Unknown |
| Jackson County, Missouri Source (New) | Public | USA | Unknown | Unknown |
| NYC Office of the Mayor Source (New) | Public | USA | Unknown | Unknown |
| A ship off the coast of Iran Source (New) | Transport | Iran | No | 0 |
| Bureau of Jail Management and Penology Source (New) | Public | Philippines | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.
AI
UK and US announce AI safety partnership
Following commitments they made at last November’s AI Safety Summit, the UK and US have signed a memorandum of understanding that will see them work to align their scientific approaches to develop tests to evaluate AI models, systems and agents.
Rise in criminal campaigns using AI
Bitdefender Labs reports that, over the past year, it’s seen an increase in “AI-powered illicit operations conducted by threat actors over social media, from stream-jacking attacks that delivered crypto-doubling schemes on YouTube to audio deep fakes that overflow on Meta’s social platforms”.
Enforcement
Google agrees to delete billions of records and reduce incognito user tracking
Google has agreed to settle a 2020 class action lawsuit accusing it of invading people’s privacy by collecting user data even in incognito mode.
Google’s spokesman Jorge Castaneda said: “We are pleased to settle this lawsuit, which we always believed was meritless. We are happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.”
Police launch investigation into spear phishing attack on MPs
Leicestershire Police have begun an inquiry after 12 people working in Westminster reported that they had received unsolicited WhatsApp messages. According to Politico, the targets include three MPs, including a serving government minster.
ENISA publishes Cyber Resilience Act Requirements Standards Mapping
The EU agency for cyber security, ENISA, has published a new study identifying the existing cyber security standards that are most relevant to each requirement of the Cyber Resilience Act and highlights possible gaps to be addressed.
Other news
ICO joins global data protection and privacy enforcement programme
The UK’s ICO (Information Commissioner’s Office) has signed a new international multilateral agreement with the Global CAPE (Cooperation Arrangement for Privacy Enforcement) to cooperate in cross-border data protection and privacy enforcement. Global CAPE members include Australia, Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei and the US.
Germany to launch cyber military branch to combat Russian cyber aggression
As part of a military restructuring programme, Germany will introduce a fourth independent branch of its armed forces – the German Cyber and Information Domain Service. The country’s defence minister, Boris Pistorius, told a press conference in Berlin: “No one should have the idea of attacking us as a NATO territory. We have to convey this credibly and truthfully.”
New Google features to improve security
Google has announced a new feature for the Chrome browser called Device Bound Session Credentials, which associates cookies with specific devices, preventing criminal hackers from using them to access victims’ accounts by bypassing multifactor authentication.
It’s also started automatically blocking bulk emails to help prevent spam and phishing campaigns.
Recently published reports
- CSA (Cloud Security Alliance): The State of AI and Security Survey Report
- CSRB (Cyber Safety Review Board): Review of the Summer 2023 Microsoft Exchange Online Intrusion
- RiskRecon: The 2024 state of third-party risk management
- SecurityScorecard: A Quantitative Analysis of the Security Ratings of the S&P 500
- SonicWall: The 2023 Threat Mindset Survey
- Sophos: Active Adversary Report for 1H 2024
- Sophos: Unpatched Vulnerabilities: The Most Brutal Ransomware Attack Vector
Key date
30 April 2024 – ISO/IEC 27001:2013 certification unavailable
Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
