5,255,944,117 known records breached in 128 newly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
Data scraping site taken offline after billions of Discord messages offered for sale
A data scraping website called Spy.pet has been taken offline after harvesting more than 4 billion messages made by more than 256 million Discord users and offering them for sale. Data scraping or web scraping is a typically automated process that extracts information from websites, allowing criminals to compile datasets containing personal information.
“Scraping our services and self-botting are violations of our Terms of Service and Community Guidelines,” a Discord spokesperson told The Register. “In addition to banning the affiliated accounts, we are considering appropriate legal action. We identified certain accounts that we believe are affiliated with the Spy.pet website, which we have subsequently banned.”
Data breached: 4,186,879,104 messages.
Keyboard app vulnerabilities reveal keystrokes to network eavesdroppers
Security researchers have identified critical security vulnerabilities in Cloud-based pinyin keyboard apps from Baidu, Inc., Honor, Huawei, iFlytek, OPPO, Samsung Electronics, Tencent, Vivo and Xiaomi Technology. The vulnerabilities could be exploited to reveal users’ keystrokes and “up to one billion users are affected”.
Data breached: <1 billion people’s data.
Phone tracking app iSharing reveals users’ precise locations
Eric Daigle, a computer science and economics student at the University of British Columbia in Vancouver, has discovered vulnerabilities in the phone tracking app iSharing that let users access any other user’s location, as well as their name, profile photo and the email address and phone number they used to log in, even if they weren’t actively sharing their location data. iSharing is used by more than 35 million users.
The company has fixed the issue, blaming it on a vulnerability in the app’s groups feature.
Data breached: >35 million people’s data.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 5,255,944,117 records known to be compromised, and 128 organisations suffering a newly disclosed incident. 117 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 4 definitely haven’t had data breached.
We also found 5 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known data breached |
| Discord (via Spy.pet) Source (New) | IT services | USA | Yes | 4,186,879,104 |
| Baidu, Inc., Honor, Huawei, iFlytek, OPPO, Samsung Electronics, Tencent, Vivo and Xiaomi Technology Source (New) | Software | China | Yes | Up to 1,000,000,000 |
| iSharingSoft Source (New) | Software | USA | Yes | >35,000,000 |
| Kaiser Permanente Source 1; source 2 (New) | Insurance | USA | Yes | 13,400,000 |
| World-Check Source 1; source 2 (Update) | Finance | UK | Yes | 5,299,116 |
| Chicony Electronics Co., Ltd. Source (New) | Manufacturing | Taiwan | Yes | 4,715,133 |
| Mustafa Centre Source 1; source 2 (Update) | Retail | Singapore | Yes | >3,5000,000 |
| TRAXERO Source (New) | Software | USA | Yes | 2,634,753 |
| Piping Rock Health Products Source 1; source 2; source 3 (New) | Manufacturing | USA | Yes | 2,103,100 |
| FBCS, Inc. Source (New) | Finance | USA | Yes | 1,955,385 |
| BerryDunn and Reliable Networks Source (New) | Finance and IT services | USA | Yes | 1,107,354 |
| VISAV Limited Source (New) | IT services | UK | Yes | >1,000,000 |
| Designed Receivable Solutions, Inc. Source 1; source 2 (Update) | Finance | USA | Yes | 498,686 |
| J.P. Morgan Source (New) | Finance | USA | Yes | 451,809 |
| Hong Kong College of Technology Source (New) | Education | Hong Kong | Yes | 450 GB |
| PT Bank Pembangunan Daerah Banten Tbk Source (New) | Finance | Indonesia | Yes | 450 GB |
| Hirsh Industries, LLC Source (New) | Manufacturing | USA | Yes | 450 GB |
| Health Gennie Source (New) | Software | India | Yes | Nearly 450,000 |
| Army Welfare Trust Source (New) | Defence | Pakistan | Yes | 400 GB |
| Anders Group, LLC Source (New) | Professional services | USA | Yes | 214.48 GB |
| Ghim Li Group Source (New) | Manufacturing | Singapore | Yes | 88 GB |
| University of Düsseldorf Source (New) | Education | Germany | Yes | >60,000 |
| Blackstone Valley Community Health Care Source 1; source 2 (Update) | Healthcare | USA | Yes | 34,518 |
| Optometric Physicians of Middle Tennessee Source (New) | Healthcare | USA | Yes | 29,000 |
| Moffitt Cancer Center (via Advarra) Source (New) | Healthcare | USA | Yes | 26,577 |
| Valley Veterinary Clinic Source (New) | Veterinary | USA | Yes | 25,969 |
| The Philadelphia Inquirer Source (New) | Media | USA | Yes | 25,500 |
| Dr Willian Segalin Source (New) | Healthcare | Brazil | Yes | 20 GB |
| Buffalo Public Schools Source (New) | Education | USA | Yes | 19,494 |
| Hungry Jack’s® Pty Ltd Source (New) | Hospitality | Australia | Yes | >19,000 |
| Aspire Health Alliance Source (New) | Healthcare | USA | Yes | 17,490 |
| ICICI Bank Source (New) | Finance | India | Yes | 17,000 |
| Somerset Dental Las Vegas Source (New) | Healthcare | USA | Yes | 11,321 |
| Diocese of Cleveland Source (New) | Non-profit | USA | Yes | 9,859 |
| Synergy Hotels, Inc. Source (New) | Hospitality | USA | Yes | 9,211 |
| State Security Committee of the Republic of Belarus Source (New) | Public | Belarus | Yes | >8,600 |
| Camino Nuevo Charter Academy Source (New) | Education | USA | Yes | 7,916 |
| Sanchez Daniels & Hoffman LLP Source (New) | Legal | USA | Yes | 3,938 |
| UNC Hospitals Source (New) | Healthcare | USA | Yes | 3,142 |
| Lagunitas Brewing Company Source (New) | Manufacturing | USA | Yes | 2,979 |
| Nothing Source 1; source 2 (New) | Manufacturing | UK | Yes | 2,250 |
| Amerit Fleet Solutions Source (New) | Manufacturing | USA | Yes | 1,912 |
| Integral Federal, Inc. Source (New) | IT services | USA | Yes | 1,724 |
| Regulator Marine Inc Source 1; source 2 (Update) | Manufacturing | USA | Yes | 1,384 |
| CoVerica Insurance Source (New) | Insurance | USA | Yes | 1,028 |
| The J D Russell Company Source 1; source 2 (New) | Manufacturing | USA | Yes | 684 |
| Phillips Academy and AthleteTrax, LLC Source (New) | Education and software | USA | Yes | 347 |
| Vericast Source 1; source 2 (New) | Professional services | USA | Yes | 319 |
| Stad Deinze Source (New) | Public | Belgium | Yes | 300 |
| Glendale Unified School District Source (New) | Education | USA | Yes | At least 231 |
| BCRA Source (New) | Finance | Argentina | Yes | Unknown |
| OracleCMS Source 1; source 2 (New) | Professional services | Australia | Yes | Unknown |
| SIAFI (Sistema Integrado de Administração Financeira) Source (New) | IT services | Brazil | Yes | Unknown |
| El Carnicero Maestro en Carnes Source (New) | Hospitality | Chile | Yes | Unknown |
| Education News in Egypt Source (New) | Media | Egypt | Yes | Unknown |
| Lucky ONE Source (New) | Software | Egypt | Yes | Unknown |
| Chivo Wallet Source (New) | Crypto | El Salvador | Yes | Unknown |
| Ministerio de Desarrollo Local Source (New) | Public | El Salvador | Yes | Unknown |
| Ateliers Jean Nouvel Source (New) | Engineering | France | Yes | Unknown |
| LATEXBIO Source (New) | Manufacturing | France | Yes | Unknown |
| l’Oracle Source (New) | Professional services | France | Yes | Unknown |
| Speedy France Source 1; source 2 (New) | Professional services | France | Yes | Unknown |
| Pondicherry University Source (New) | Education | India | Yes | Unknown |
| Luxor International Source (New) | Manufacturing | India | Yes | Unknown |
| Yamaha & Friends Source (New) | IT services | Indonesia | Yes | Unknown |
| Gelora Bung Karno Stadium Source (New) | Leisure | Indonesia | Yes | Unknown |
| Tunas Toyota Pecenongan Source (New) | Retail | Indonesia | Yes | Unknown |
| Sentry MBA (Cyberint) Source (New) | Cyber security | Israel | Yes | Unknown |
| Porsche Financial Services Italia S.p.A. Source (New) | Finance | Italy | Yes | Unknown |
| CDSHotels Source (New) | Hospitality | Italy | Yes | Unknown |
| Fashion Evolution Network Source (New) | Retail | Japan | Yes | Unknown |
| Kintetsu World Express Source (New) | Transport | Japan | Yes | Unknown |
| EuroParcs Enkhuizer Strand Source (New) | Hospitality | Netherlands | Yes | Unknown |
| Nigeria Customs Service Source (New) | Public | Nigeria | Yes | Unknown |
| Mr. CRAB Source (New) | Hospitality | Russia | Yes | Unknown |
| United Russia Source (New) | Public | Russia | Yes | Unknown |
| Interregional Transit Telecom JSC (MTT) Source (New) | Telecoms | Russia | Yes | Unknown |
| 10 South Korean defence contractors and subcontractors Source (New) | Defence | South Korea | Yes | Unknown |
| Universidad Miguel Hernández de Elche Source (New) | Education | Spain | Yes | Unknown |
| Air Arabia Source (New) | Transport | UAE | Yes | Unknown |
| 2plan wealth management Ltd Source (New) | Finance | UK | Yes | Unknown |
| Lekpharm Source (New) | Manufacturing | Ukraine | Yes | Unknown |
| Savage IO Source (New) | Crypto | USA | Yes | Unknown |
| Okta Source (New) | Cyber security | USA | Yes | Unknown |
| Rensselaer Polytechnic Institute Source (New) | Education | USA | Yes | Unknown |
| University System of Georgia Source (New) | Education | USA | Yes | Unknown |
| Biggs Cardosa Associates, Inc. Source (New) | Engineering | USA | Yes | Unknown |
| WRA Architects, Inc. Source (New) | Engineering | USA | Yes | Unknown |
| Transamerica Source (New) | Finance | USA | Yes | Unknown |
| Direct Federal Credit Union and Wescom Resources Group, LLC Source (New) | Finance and IT services | USA | Yes | Unknown |
| NorthBay VacaValley Hospital Source 1; source 2 (New) | Healthcare | USA | Yes | Unknown |
| OrthoNY Source (New) | Healthcare | USA | Yes | Unknown |
| South Texas Oncology and Hematology, PLLC Source (New) | Healthcare | USA | Yes | Unknown |
| Amerlux LLC Source (New) | Manufacturing | USA | Yes | Unknown |
| JB Poindexter & Co Source (New) | Manufacturing | USA | Yes | Unknown |
| UNICEF Source (New) | Non-profit | USA | Yes | Unknown |
| Weapon Systems Training Council Source (New) | Professional services | USA | Yes | Unknown |
| Panama City Police Department Source (New) | Public | USA | Yes | Unknown |
| Paul Stuart, Inc. Source (New) | Retail | USA | Yes | Unknown |
| Autodesk Source (New) | Software | USA | Yes | Unknown |
| DATAIR Employee Benefit Systems, Inc. Source (New) | Software | USA | Yes | Unknown |
| Nota Source (New) | Software | USA | Yes | Unknown |
| StarWallets Source (New) | Crypto | Unknown | Yes | Unknown |
| SKANLOG Source (New) | Transport | Denmark | Unknown | Unknown |
| Ministry of the Interior Source (New) | Public | Greece | Unknown | Unknown |
| Cisco Source (New) | Cyber security | USA | Unknown | Unknown |
| CONSOL Energy Source (New) | Energy | USA | Unknown | Unknown |
| Kansas City Scouts Source (New) | Leisure | USA | Unknown | Unknown |
| Coffee County Source 1; source 2 (New) | Public | USA | Unknown | Unknown |
| Gemeente Voorschoten and Gemeente Wassenaar Source (New) | Public | Netherlands | No | 0 |
| Puerto Rico Terminals Source (New) | Transport | Puerto Rico | No | 0 |
| Systembolaget AB Source (New) | Manufacturing | Sweden | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.
AI
Scientists successfully use AI to detect AI-generated videos
Scientists at the MISL (Multimedia and Information Security Lab) in Drexel University’s College of Engineering have developed a suite of tools to detect AI-generated videos at the sub-pixel level. In Beyond Deepfake Images: Detecting AI-Generated Videos, a paper due to be presented at the IEEE Computer Vision and Pattern Recognition conference in June, Danial Samadi Vahdati, Tai D. Nguyen, Aref Azizpour and Matthew C. Stamm explain how a constrained neural network can be used to detect synthetic videos “at 98% accuracy”.
US Department of Homeland Security announces AI Safety and Security Board
The US DHS (Department of Homeland Security) has announced the establishment of its Artificial Intelligence Safety and Security Board. The group will advise on the safe and secure development and deployment of AI technology in the country’s critical national infrastructure.
Enforcement
US Federal Trade Commission refunds $5.6 million to Ring customers
The US FTC (Federal Trade Commission) is paying $5.6 million to settle a complaint alleging that the home security camera company Ring “allowed employees and contractors to access consumers’ private videos and failed to implement security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos”.
Biden-Harris administration issues new rule to support reproductive healthcare privacy
The Biden-Harris administration has announced the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, a rule that strengthens HIPAA’s (the Health Insurance Portability and Accountability Act) privacy rule by restricting the disclosure of protected health information related to lawful reproductive healthcare.
European Parliament adopts European Health Data Space and regulation on substances of human origin
The European Commission has welcomed the European Parliament’s adoption of the EHDS (European Health Data Space) and new rules on SoHO (substances of human origin), both of which aim to protect individuals’ health and improve the resilience of healthcare systems. The Council will now formally adopt both regulations.
ICO fines two companies £340,000 for 1.43 million unwanted marketing calls
The UK’s ICO (Information Commissioner’s Office) has fined two telemarketing companies for making 1.43 million calls to people registered with the Telephone Preference Service. Cardiff-based Outsource Strategies Ltd and London-based Dr Telemarketing Ltd targeted elderly and vulnerable people, using aggressive sales tactics to persuade them to sign up for products.
Other news
FTC announces changes to Health Breach Notification Rule
The FTC has announced that it has finalised its changes to the HBNR (Health Breach Notification Rule), which will clarify its applicability to health apps and other similar technologies.
European police chiefs call for an end to end-to-end encryption
A joint declaration by the European police chiefs calls for tech companies to limit end-to-end encryption so the companies can identify and report illegal activity on their platforms, and enable law enforcement investigations to access secure messages.
New guidance
EDPB publishes information on Data Protection Framework redress mechanism
The European Data Protection Board’s Information Note on the redress mechanism for EU/EEA individuals in relation to alleged violations of U.S. law with respect to their data collected by U.S authorities competent for national security sets out how data subjects in the EU and EEA can formally complain about the processing of their personal data by US intelligence agencies.
Recently published reports
- Algemene Inlichtingen- en Veiligheidsdienst [General Intelligence and Security Service]: AIVD-jaarverslag 2023
- BeyondTrust: Microsoft Vulnerabilities Report 2024
- Cisco Talos: Talos IR Quarterly Trends Report (Q1 2024)
- Coalition: 2024 Cyber Claims Report
- CYFIRMA: APT Quarterly Highlights : Q1 – 2024
- Dragos: Industrial Ransomware Analysis: Q1 2024
- EDPB: Annual Report 2023
- Forescout: Better Safe Than Sorry
- Honeywell: USB Threat Report
- Mandiant: M-Trends 2024 Special Report
- MinterEllison: Perspectives on Cyber Risk 2024
- NCC Group: Monthly Threat Pulse – Review of March 2024
- Zscaler: ThreatLabz 2024 Phishing Report
Key dates
29 April 2024 – UK Product Security and Telecommunications Infrastructure Act 2022 comes into effect
The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date.
30 April 2024 – ISO/IEC 27001:2013 certification unavailable
Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
