The Week in Cyber Security and Data Privacy: 22 – 28 April 2024

5,255,944,117 known records breached in 128 newly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Data scraping site taken offline after billions of Discord messages offered for sale

A data scraping website called Spy.pet has been taken offline after harvesting more than 4 billion messages made by more than 256 million Discord users and offering them for sale. Data scraping or web scraping is a typically automated process that extracts information from websites, allowing criminals to compile datasets containing personal information.

“Scraping our services and self-botting are violations of our Terms of Service and Community Guidelines,” a Discord spokesperson told The Register. “In addition to banning the affiliated accounts, we are considering appropriate legal action. We identified certain accounts that we believe are affiliated with the Spy.pet website, which we have subsequently banned.”

Data breached: 4,186,879,104 messages.

Keyboard app vulnerabilities reveal keystrokes to network eavesdroppers

Security researchers have identified critical vulnerabilities in cloud-based pinyin keyboard apps from Baidu, Inc., Honor, Huawei, iFlytek, OPPO, Samsung Electronics, Tencent, Vivo and Xiaomi Technology. The flaws could be exploited to reveal users’ keystrokes to a network eavesdropper, and “up to one billion users are affected”.

Data breached: Up to 1 billion people’s data.

Phone tracking app iSharing reveals users’ precise locations

Eric Daigle, a computer science and economics student at the University of British Columbia in Vancouver, has discovered vulnerabilities in the phone tracking app iSharing that let users access any other user’s location, as well as their name, profile photo and the email address and phone number they used to log in, even if they weren’t actively sharing their location data. iSharing is used by more than 35 million users.

The company has fixed the issue, blaming it on a vulnerability in the app’s groups feature. 

Data breached: >35 million people’s data.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 5,255,944,117 records known to be compromised, and 128 organisations suffering a newly disclosed incident. 117 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 4 definitely haven’t had data breached.

We also found 5 organisations providing a significant update on a previously disclosed incident.

Organisation(s) | Source | Sector | Location | Data breached? | Known data breached
Discord (via Spy.pet) (New) | Source | IT services | USA | Yes | 4,186,879,104
Baidu, Inc., Honor, Huawei, iFlytek, OPPO, Samsung Electronics, Tencent, Vivo and Xiaomi Technology (New) | Source | Software | China | Yes | Up to 1,000,000,000
iSharingSoft (New) | Source | Software | USA | Yes | >35,000,000
Kaiser Permanente (New) | Source 1; source 2 | Insurance | USA | Yes | 13,400,000
World-Check (Update) | Source 1; source 2 | Finance | UK | Yes | 5,299,116
Chicony Electronics Co., Ltd. (New) | Source | Manufacturing | Taiwan | Yes | 4,715,133
Mustafa Centre (Update) | Source 1; source 2 | Retail | Singapore | Yes | >3,500,000
TRAXERO (New) | Source | Software | USA | Yes | 2,634,753
Piping Rock Health Products (New) | Source 1; source 2; source 3 | Manufacturing | USA | Yes | 2,103,100
FBCS, Inc. (New) | Source | Finance | USA | Yes | 1,955,385
BerryDunn and Reliable Networks (New) | Source | Finance and IT services | USA | Yes | 1,107,354
VISAV Limited (New) | Source | IT services | UK | Yes | >1,000,000
Designed Receivable Solutions, Inc. (Update) | Source 1; source 2 | Finance | USA | Yes | 498,686
J.P. Morgan (New) | Source | Finance | USA | Yes | 451,809
Hong Kong College of Technology (New) | Source | Education | Hong Kong | Yes | 450 GB
PT Bank Pembangunan Daerah Banten Tbk (New) | Source | Finance | Indonesia | Yes | 450 GB
Hirsh Industries, LLC (New) | Source | Manufacturing | USA | Yes | 450 GB
Health Gennie (New) | Source | Software | India | Yes | Nearly 450,000
Army Welfare Trust (New) | Source | Defence | Pakistan | Yes | 400 GB
Anders Group, LLC (New) | Source | Professional services | USA | Yes | 214.48 GB
Ghim Li Group (New) | Source | Manufacturing | Singapore | Yes | 88 GB
University of Düsseldorf (New) | Source | Education | Germany | Yes | >60,000
Blackstone Valley Community Health Care (Update) | Source 1; source 2 | Healthcare | USA | Yes | 34,518
Optometric Physicians of Middle Tennessee (New) | Source | Healthcare | USA | Yes | 29,000
Moffitt Cancer Center (via Advarra) (New) | Source | Healthcare | USA | Yes | 26,577
Valley Veterinary Clinic (New) | Source | Veterinary | USA | Yes | 25,969
The Philadelphia Inquirer (New) | Source | Media | USA | Yes | 25,500
Dr Willian Segalin (New) | Source | Healthcare | Brazil | Yes | 20 GB
Buffalo Public Schools (New) | Source | Education | USA | Yes | 19,494
Hungry Jack’s® Pty Ltd (New) | Source | Hospitality | Australia | Yes | >19,000
Aspire Health Alliance (New) | Source | Healthcare | USA | Yes | 17,490
ICICI Bank (New) | Source | Finance | India | Yes | 17,000
Somerset Dental Las Vegas (New) | Source | Healthcare | USA | Yes | 11,321
Diocese of Cleveland (New) | Source | Non-profit | USA | Yes | 9,859
Synergy Hotels, Inc. (New) | Source | Hospitality | USA | Yes | 9,211
State Security Committee of the Republic of Belarus (New) | Source | Public | Belarus | Yes | >8,600
Camino Nuevo Charter Academy (New) | Source | Education | USA | Yes | 7,916
Sanchez Daniels & Hoffman LLP (New) | Source | Legal | USA | Yes | 3,938
UNC Hospitals (New) | Source | Healthcare | USA | Yes | 3,142
Lagunitas Brewing Company (New) | Source | Manufacturing | USA | Yes | 2,979
Nothing (New) | Source 1; source 2 | Manufacturing | UK | Yes | 2,250
Amerit Fleet Solutions (New) | Source | Manufacturing | USA | Yes | 1,912
Integral Federal, Inc. (New) | Source | IT services | USA | Yes | 1,724
Regulator Marine Inc (Update) | Source 1; source 2 | Manufacturing | USA | Yes | 1,384
CoVerica Insurance (New) | Source | Insurance | USA | Yes | 1,028
The J D Russell Company (New) | Source 1; source 2 | Manufacturing | USA | Yes | 684
Phillips Academy and AthleteTrax, LLC (New) | Source | Education and software | USA | Yes | 347
Vericast (New) | Source 1; source 2 | Professional services | USA | Yes | 319
Stad Deinze (New) | Source | Public | Belgium | Yes | 300
Glendale Unified School District (New) | Source | Education | USA | Yes | At least 231
BCRA (New) | Source | Finance | Argentina | Yes | Unknown
OracleCMS (New) | Source 1; source 2 | Professional services | Australia | Yes | Unknown
SIAFI (Sistema Integrado de Administração Financeira) (New) | Source | IT services | Brazil | Yes | Unknown
El Carnicero Maestro en Carnes (New) | Source | Hospitality | Chile | Yes | Unknown
Education News in Egypt (New) | Source | Media | Egypt | Yes | Unknown
Lucky ONE (New) | Source | Software | Egypt | Yes | Unknown
Chivo Wallet (New) | Source | Crypto | El Salvador | Yes | Unknown
Ministerio de Desarrollo Local (New) | Source | Public | El Salvador | Yes | Unknown
Ateliers Jean Nouvel (New) | Source | Engineering | France | Yes | Unknown
LATEXBIO (New) | Source | Manufacturing | France | Yes | Unknown
l’Oracle (New) | Source | Professional services | France | Yes | Unknown
Speedy France (New) | Source 1; source 2 | Professional services | France | Yes | Unknown
Pondicherry University (New) | Source | Education | India | Yes | Unknown
Luxor International (New) | Source | Manufacturing | India | Yes | Unknown
Yamaha & Friends (New) | Source | IT services | Indonesia | Yes | Unknown
Gelora Bung Karno Stadium (New) | Source | Leisure | Indonesia | Yes | Unknown
Tunas Toyota Pecenongan (New) | Source | Retail | Indonesia | Yes | Unknown
Sentry MBA (Cyberint) (New) | Source | Cyber security | Israel | Yes | Unknown
Porsche Financial Services Italia S.p.A. (New) | Source | Finance | Italy | Yes | Unknown
CDSHotels (New) | Source | Hospitality | Italy | Yes | Unknown
Fashion Evolution Network (New) | Source | Retail | Japan | Yes | Unknown
Kintetsu World Express (New) | Source | Transport | Japan | Yes | Unknown
EuroParcs Enkhuizer Strand (New) | Source | Hospitality | Netherlands | Yes | Unknown
Nigeria Customs Service (New) | Source | Public | Nigeria | Yes | Unknown
Mr. CRAB (New) | Source | Hospitality | Russia | Yes | Unknown
United Russia (New) | Source | Public | Russia | Yes | Unknown
Interregional Transit Telecom JSC (MTT) (New) | Source | Telecoms | Russia | Yes | Unknown
10 South Korean defence contractors and subcontractors (New) | Source | Defence | South Korea | Yes | Unknown
Universidad Miguel Hernández de Elche (New) | Source | Education | Spain | Yes | Unknown
Air Arabia (New) | Source | Transport | UAE | Yes | Unknown
2plan wealth management Ltd (New) | Source | Finance | UK | Yes | Unknown
Lekpharm (New) | Source | Manufacturing | Ukraine | Yes | Unknown
Savage IO (New) | Source | Crypto | USA | Yes | Unknown
Okta (New) | Source | Cyber security | USA | Yes | Unknown
Rensselaer Polytechnic Institute (New) | Source | Education | USA | Yes | Unknown
University System of Georgia (New) | Source | Education | USA | Yes | Unknown
Biggs Cardosa Associates, Inc. (New) | Source | Engineering | USA | Yes | Unknown
WRA Architects, Inc. (New) | Source | Engineering | USA | Yes | Unknown
Transamerica (New) | Source | Finance | USA | Yes | Unknown
Direct Federal Credit Union and Wescom Resources Group, LLC (New) | Source | Finance and IT services | USA | Yes | Unknown
NorthBay VacaValley Hospital (New) | Source 1; source 2 | Healthcare | USA | Yes | Unknown
OrthoNY (New) | Source | Healthcare | USA | Yes | Unknown
South Texas Oncology and Hematology, PLLC (New) | Source | Healthcare | USA | Yes | Unknown
Amerlux LLC (New) | Source | Manufacturing | USA | Yes | Unknown
JB Poindexter & Co (New) | Source | Manufacturing | USA | Yes | Unknown
UNICEF (New) | Source | Non-profit | USA | Yes | Unknown
Weapon Systems Training Council (New) | Source | Professional services | USA | Yes | Unknown
Panama City Police Department (New) | Source | Public | USA | Yes | Unknown
Paul Stuart, Inc. (New) | Source | Retail | USA | Yes | Unknown
Autodesk (New) | Source | Software | USA | Yes | Unknown
DATAIR Employee Benefit Systems, Inc. (New) | Source | Software | USA | Yes | Unknown
Nota (New) | Source | Software | USA | Yes | Unknown
StarWallets (New) | Source | Crypto | Unknown | Yes | Unknown
SKANLOG (New) | Source | Transport | Denmark | Unknown | Unknown
Ministry of the Interior (New) | Source | Public | Greece | Unknown | Unknown
Cisco (New) | Source | Cyber security | USA | Unknown | Unknown
CONSOL Energy (New) | Source | Energy | USA | Unknown | Unknown
Kansas City Scouts (New) | Source | Leisure | USA | Unknown | Unknown
Coffee County (New) | Source 1; source 2 | Public | USA | Unknown | Unknown
Gemeente Voorschoten and Gemeente Wassenaar (New) | Source | Public | Netherlands | No | 0
Puerto Rico Terminals (New) | Source | Transport | Puerto Rico | No | 0
Systembolaget AB (New) | Source | Manufacturing | Sweden | No | 0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.
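As an added illustration of the Note 2 methodology (example code written for this page, not the round-up’s own tooling): the “Known data breached” column mixes exact counts, qualified counts (“>”, “Up to”, “Nearly”, “At least”), file sizes and “Unknown”. The function below normalises each cell to a record count, treating a file size as 1 MB = 1 record as Note 2 describes. Two things it assumes that the page does not state: decimal units (1 GB = 1,000 MB), and that qualifiers are dropped, so the result is the figure as reported rather than a bound. The sample rows are copied from the table above.

```python
import re
from decimal import Decimal

# Note 2's rule: where only a file size is known, count 1 MB as 1 record.
# Assumption not stated on the page: decimal units, so 1 GB = 1,000 MB and
# 1 TB = 1,000,000 MB (a binary 1,024 factor would give slightly larger totals).
MB_PER_UNIT = {"mb": Decimal(1), "gb": Decimal(1000), "tb": Decimal(1_000_000)}

# Qualifiers that appear in the table. They are dropped: the tally uses the
# figure as reported, whether it is a floor, a ceiling or an approximation.
QUALIFIERS = ("up to", "nearly", "at least", "more than", ">", "<", "~")

_CELL = re.compile(r"(\d[\d,]*(?:\.\d+)?)\s*(mb|gb|tb)?")


def records_from_cell(cell: str):
    """Turn one 'Known data breached' cell into an integer record count.

    Returns None when the cell is 'Unknown' (or cannot be parsed), so the
    caller can count unquantified incidents separately instead of as 0.
    """
    text = cell.strip().lower()
    if text in ("", "unknown"):
        return None
    for q in QUALIFIERS:
        if text.startswith(q):
            text = text[len(q):].strip()
            break
    m = _CELL.fullmatch(text)
    if m is None:
        return None
    number = Decimal(m.group(1).replace(",", ""))
    unit = m.group(2)
    if unit is None:                            # already a record count
        return int(number)
    return int(number * MB_PER_UNIT[unit])      # file size -> records at 1 MB each


def tally(rows):
    """Sum a list of (organisation, cell) pairs.

    Returns (total_records, quantified_rows, unquantified_rows).
    """
    total, known, unknown = 0, 0, 0
    for _org, cell in rows:
        n = records_from_cell(cell)
        if n is None:
            unknown += 1
        else:
            known += 1
            total += n
    return total, known, unknown


# Constructed sample: rows copied from the table above, one for each cell
# format it uses (plain count, qualifier, file size, Unknown, 0).
SAMPLE_ROWS = [
    ("Discord (via Spy.pet)", "4,186,879,104"),
    ("Baidu, Inc. and others", "Up to 1,000,000,000"),
    ("Mustafa Centre", ">3,500,000"),
    ("Hong Kong College of Technology", "450 GB"),
    ("Anders Group, LLC", "214.48 GB"),
    ("Health Gennie", "Nearly 450,000"),
    ("Glendale Unified School District", "At least 231"),
    ("BCRA", "Unknown"),
    ("Systembolaget AB", "0"),
]

if __name__ == "__main__":
    total, known, unknown = tally(SAMPLE_ROWS)
    print(f"{total:,} records across {known} quantified incidents; {unknown} unquantified")
```

Decimal arithmetic is used so that a cell such as “214.48 GB” converts to exactly 214,480 records rather than drifting through binary floating point. Which rows to include (for instance whether an “Update” row is counted in full or only its delta) is left to the caller, so the sample total is not the page’s headline figure.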


AI

Scientists successfully use AI to detect AI-generated videos

Scientists at the MISL (Multimedia and Information Security Lab) in Drexel University’s College of Engineering have developed a suite of tools to detect AI-generated videos at the sub-pixel level. In Beyond Deepfake Images: Detecting AI-Generated Videos, a paper due to be presented at the IEEE Computer Vision and Pattern Recognition conference in June, Danial Samadi Vahdati, Tai D. Nguyen, Aref Azizpour and Matthew C. Stamm explain how a constrained neural network can be used to detect synthetic videos “at 98% accuracy”.

US Department of Homeland Security announces AI Safety and Security Board

The US DHS (Department of Homeland Security) has announced the establishment of its Artificial Intelligence Safety and Security Board. The group will advise on the safe and secure development and deployment of AI technology in the country’s critical national infrastructure.


Enforcement

US Federal Trade Commission refunds $5.6 million to Ring customers

The US FTC (Federal Trade Commission) is sending more than $5.6 million in refunds to Ring customers, drawn from its settlement of a complaint alleging that the home security camera company “allowed employees and contractors to access consumers’ private videos and failed to implement security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos”.

Biden-Harris administration issues new rule to support reproductive healthcare privacy

The Biden-Harris administration has announced the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, a final rule that strengthens the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule by restricting the use and disclosure of protected health information related to lawful reproductive healthcare.

European Parliament adopts European Health Data Space and regulation on substances of human origin

The European Commission has welcomed the European Parliament’s adoption of the EHDS (European Health Data Space) and new rules on SoHO (substances of human origin), both of which aim to protect individuals’ health and improve the resilience of healthcare systems. The Council will now formally adopt both regulations.

ICO fines two companies £340,000 for 1.43 million unwanted marketing calls

The UK’s ICO (Information Commissioner’s Office) has fined two telemarketing companies for making 1.43 million calls to people registered with the Telephone Preference Service. Cardiff-based Outsource Strategies Ltd and London-based Dr Telemarketing Ltd targeted elderly and vulnerable people, using aggressive sales tactics to persuade them to sign up for products.


Other news

FTC announces changes to Health Breach Notification Rule

The FTC has announced that it has finalised its changes to the HBNR (Health Breach Notification Rule), which will clarify its applicability to health apps and other similar technologies.

European police chiefs call for an end to end-to-end encryption

A joint declaration by European police chiefs calls on technology companies to limit end-to-end encryption so that the companies can identify and report illegal activity on their platforms, and so that law enforcement can access secure messages in the course of investigations.


New guidance

EDPB publishes information on Data Protection Framework redress mechanism

The European Data Protection Board’s Information Note on the redress mechanism for EU/EEA individuals in relation to alleged violations of U.S. law with respect to their data collected by U.S. authorities competent for national security sets out how data subjects in the EU and EEA can formally complain about the processing of their personal data by US intelligence agencies.


Key dates

29 April 2024 – UK Product Security and Telecommunications Infrastructure Act 2022 comes into effect

The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.