66,698,348 known records breached in 103 newly disclosed incidents
Welcome to this week’s global round-up of the biggest and most interesting news stories.
At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.
Publicly disclosed data breaches and cyber attacks: in the spotlight
36 million MX3 Nutrition records allegedly leaked
A threat actor known as Chucky has leaked 36 million customer records apparently belonging to the French sports nutrition company MX3 Nutrition. According to a listing on a popular hacking forum, the database includes customers’ names, email addresses, hashed passwords, and more. The claim is yet to be verified.
Data breached: 36,000,000 records.
Glosbe dictionary exposes almost 7 million records
The multilingual online dictionary Glosbe left a MongoDB instance unsecured last year, exposing millions of users’ information, including personal data, encrypted passwords and social media identifiers. Cybernews’s research team discovered the MongoDB server in December 2023 and contacted Glosbe. Glosbe didn’t reply, but the open instance was soon closed.
Data breached: 6,935,412 records.
6.9 million OpenSea records for sale on hacking forum
A cyber criminal known as ‘bossmoves90004’ claims to have exfiltrated 6.9 million data records from the NFT (non-fungible token) marketplace OpenSea, which they have offered for sale on a hacking forum. The sample provided includes email addresses and registration dates.
Data breached: 6,900,000 records.
Publicly disclosed data breaches and cyber attacks: full list
This week, we found 66,698,348 records known to be compromised, and 103 organisations suffering a newly disclosed incident. 92 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 3 definitely haven’t had data breached.
We also found 13 organisations providing a significant update on a previously disclosed incident.
| Organisation(s) | Sector | Location | Data breached? | Known data breached |
| MX3 Nutrition Source (New) | Manufacturing | France | Yes | 36,000,000 |
| Glosbe Source (New) | IT services | Poland | Yes | 6,935,412 |
| OpenSea Source (New) | Software | USA | Yes | 6,900,000 |
| Online Trade (Онлайн Трейд) Source 1; source 2 (Update) | Retail | Russia | Yes | 3,805,265 |
| Habib’s Source (New – also see note 3 below) | Hospitality | Brazil | Yes | 3,517,679 |
| Companies and Intellectual Property Commission Source 1; source 2 (Update) | Public | South Africa | Yes | >3,000,000 |
| HuntStand Source (New) | Software | USA | Yes | 2,923,600 |
| APK.TW Source 1; source 2 (Update) | IT services | Taiwan | Yes | 2,451,197 |
| RMH Franchise Corporation Source (New) | Hospitality | USA | Yes | 1.5 TB |
| Paysign, Inc. Source (New) | Finance | USA | Yes | 1,242,575 |
| Eastern Radiologists, Inc. Source 1; source 2 (New) | Healthcare | USA | Yes | 886,746 |
| Gixen Inc Source (New) | IT services | Canada | Yes | 800,000 |
| CollegeSearch Source (New) | IT services | India | Yes | >703,000 |
| Qmerit Source (New) | Professional services | USA | Yes | 573,309 |
| Euronics Italia S.p.A. Source (New) | Retail | Italy | Yes | 436,932 |
| Toner-dumping.de Source (New) | Retail | Germany | Yes | 334,000 |
| Yakima Valley Radiology, PC Source 1; source 2 (New) | Healthcare | USA | Yes | 235,249 |
| Consorzio Innovation Source (New) | Professional services | Italy | Yes | 225 GB |
| Northeast Orthopaedics & Sports Medicine Source (New) | Healthcare | USA | Yes | 177,276 |
| Strike.me Source (New) | Crypto | USA | Yes | 112,348 |
| NewGen Administrative Services Source 1; source 2 (New) | Healthcare | USA | Yes | 105,425 |
| U.S. Citizenship and Immigration Services (USICS) and U.S. Immigration and Customs Enforcement (ICE) Source (New) | Public | USA | Yes | 100,000 |
| Duvel Moortgat Source 1; source 2 (New) | Hospitality | Belgium | Yes | 88 GB |
| medQ, Inc. Source 1; source 2; source 3 (Update) | Healthcare | USA | Yes | 54,725 |
| Elsap Spa Source (New) | Retail | Italy | Yes | 49 GB |
| La bonne alternance Source (New) | IT services | France | Yes | 47,808 |
| XPLAIN Source (Update) | IT services | Switzerland | Yes | 47,413 |
| Bradford-Scott Data, Massachusetts Family Credit Union, Methuen Federal Credit Union, Priority Plus Federal Credit Union, StagePoint Federal Credit Union and Wellness Federal Credit Union Source 1; source 2 (Update) | IT services and finance | USA | Yes | 41,968 |
| Van der Helm Source (New) | Transport | Netherlands | Yes | 39 GB |
| cheat-database.com Source (New) | IT services | USA | Yes | 38,000 |
| Chocotopia Source (New) | Leisure | Czech Republic | Yes | 33 GB |
| University of Chicago Source (New) | Education | USA | Yes | 29,861 |
| Total Flex B.V. Source (New) | Professional services | Netherlands | Yes | 28.3 GB |
| GL-SH.de Source (New) | IT services | Germany | Yes | 26,000 |
| P-Fleet Source (New) | Finance | USA | Yes | 22 GB |
| World of Tanks Source 1; source 2 (New) | Software | France | Yes | 21,994 |
| Interior Health Authority Source (New) | Healthcare | Canada | Yes | 20,000 |
| Mission Régionale pour l’Emploi de Liège Source (New) | Professional services | Belgium | Yes | 19 GB |
| Datamatch Source (New) | Software | USA | Yes | >16,000 |
| Roku Source (New) | Software | USA | Yes | 15,363 |
| WorldWide Medical Staffing (Bay Area Anesthesia, LLC) Source 1; source 2 (New) | Professional services | USA | Yes | 15,196 |
| Military Police of the State of Maranhão Source (New) | Defence | Brazil | Yes | 14,816 |
| Century Federal Credit Union Source (New) | Finance | USA | Yes | 13,984 |
| Littleton Regional Healthcare Source 1; source 2 (New) | Healthcare | USA | Yes | 12,614 |
| CVS Caremark Part D Services, L.L.C. Source 1; source 2 (New) | Healthcare | USA | Yes | 11,193 |
| dasauge Source (New) | Professional services | Germany | Yes | 11,000 |
| Princeton University Source (New) | Education | USA | Yes | 10,573 |
| Orlando VA Medical Center Source (New) | Healthcare | USA | Yes | 10,059 |
| Pacific Cataract and Laser Institute Source 1; source 2 (New) | Healthcare | USA | Yes | 9,967 |
| Swiss federal government, including Federal Department of Justice and Police, Federal Office of Justice, Federal Office of Police, State Secretariat for Migration and internal IT service centre ISC-FDJP Source (Update) | Public and IT services | Switzerland | Yes | 9,040 |
| NALS Apartment Homes Source 1; source 2 (Update) | Real estate | USA | Yes | 7,509 |
| AlgoSec Source (New) | Cyber security | USA | Yes | 7,000 |
| Aya Town Source (New) | Public | Japan | Yes | 6,939 |
| Duke University Source (New) | Education | USA | Yes | 6,297 |
| Ohio Neurologic Institute Source 1; source 2 (New) | Healthcare | USA | Yes | 5,548 |
| Directors Guild of America – Producer Pension & Health Plans Source 1; source 2 (New) | Insurance | USA | Yes | 4,211 |
| GMP Academy Source (New) | Professional services | Germany | Yes | 4,000 |
| Southeast Vermont Transit, Inc. Source (New) | Transport | USA | Yes | 3,815 |
| Shah Dixit & Associates, P.C. Source (New) | Finance | USA | Yes | 3,494 |
| Woodruff Sawyer Source (New) | Insurance | USA | Yes | 3,087 |
| Blackburn College Source (New) | Education | USA | Yes | 3,039 |
| CAIRE Inc. Source (New) | Manufacturing | USA | Yes | 2,607 |
| Booking.com Source 1; source 2 (New) | Software | Netherlands | Yes | 1,000 |
| Stanford University Source (New) | Education | USA | Yes | 996 |
| Labour Party (Croydon East) Source (New) | Public | UK | Yes | >500 |
| Highland Health Systems Source 1; source 2 (New) | Healthcare | USA | Yes | 500 |
| St Anthony Ministries Source 1; source 2 (New) | Healthcare | USA | Yes | 500 |
| Robinson+Cole Source (New) | Legal | USA | Yes | 497 |
| Harvey Construction Source (New) | Construction | USA | Yes | 145 |
| Bethany Church Source (New) | Religious | USA | Yes | 134 |
| Laurentian University Source 1; source 2 (Update) | Education | Canada | Yes | Unknown |
| Lululemon Source (New) | Retail | Canada | Yes | Unknown |
| Jersey Financial Services Commission Source (New) | Public | Channel Islands | Yes | Unknown |
| En Act Architecture Source (New) | Construction | France | Yes | Unknown |
| HAWITA Gruppe GmbH Source (New) | Agricultural | Germany | Yes | Unknown |
| German Federal Ministry of Defence Source (New) | Defence | Germany | Yes | Unknown |
| Sapir College Source (New) | Education | Israel | Yes | Unknown |
| unizen Source (New) | Crypto | Liechtenstein | Yes | Unknown |
| Auxo Software Source (New) | IT services | New Zealand | Yes | Unknown |
| Ministry of Defense of the Russian Federation Source (New) | Defence | Russia | Yes | Unknown |
| Bright Wires Company Source (New) | Telecoms | Saudi Arabia | Yes | Unknown |
| 2+ South Korean microchip equipment companies Source (New) | Manufacturing | South Korea | Yes | Unknown |
| Sophiahemmet Source 1; source 2 (New) | Healthcare | Sweden | Yes | Unknown |
| International Electromechanical Services Co. LLC Source (New) | Construction | UAE | Yes | Unknown |
| Cybersecurity and Infrastructure Security Agency Source (New) | Cyber security | USA | Yes | Unknown |
| Central School District 13J Source 1; source 2 (New) | Education | USA | Yes | Unknown |
| Park City School District Source (New) | Education | USA | Yes | Unknown |
| BEM Systems, Inc. Source (New) | Environmental | USA | Yes | Unknown |
| American Express Source (New) | Finance | USA | Yes | Unknown |
| Kids Care Dental & Orthodontics Source (New) | Healthcare | USA | Yes | Unknown |
| Rebound Orthopedics & Neurosurgery Source (New) | Healthcare | USA | Yes | Unknown |
| Assurance IQ Source (New) | Insurance | USA | Yes | Unknown |
| Berger Montague Source (New) | Legal | USA | Yes | Unknown |
| Jaguar Health Source 1; source 2 (New) | Manufacturing | USA | Yes | Unknown |
| Syndax Pharmaceuticals Source 1; source 2 (New) | Manufacturing | USA | Yes | Unknown |
| Federal Bureau of Investigation (FBI) Source (New) | Public | USA | Yes | Unknown |
| Western National Property Management Source 1; source 2 (New) | Real estate | USA | Yes | Unknown |
| Radiant Logic Source (New) | Software | USA | Yes | Unknown |
| CVE North America Source (New) | Utilities | USA | Yes | Unknown |
| WOOFi Source (New) | Crypto | Unknown | Yes | Unknown |
| Zain Group Source 1; source 2 (New) | Telecoms | Bahrain | Unknown | Unknown |
| Beyers Koffie Source (New) | Manufacturing | Belgium | Unknown | Unknown |
| FINTRAC Canada Source 1; source 2 (New) | Public | Canada | Unknown | Unknown |
| Supply chain of a software developer of Tibetan language translation apps, including Kagyu Monlam Source 1; source 2 (New) | Software | China | Unknown | Unknown |
| Leicester City Council Source (New) | Public | UK | Unknown | Unknown |
| South St. Paul Public Schools Source (New) | Education | USA | Unknown | Unknown |
| PetSmart Source (New) | Retail | USA | Unknown | Unknown |
| Vikramaditya Vedic clock app server Source (New) | Software | India | No | 0 |
| DataBreaches.net and PogoWasRight.org Source (New) | Media | USA | No | 0 |
Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.
Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
Note 3: As the Habib’s data breach was part of the MOAB (mother of all beaches), we didn’t log this separately as part of our annual research.
Enforcement
ICO takes action against five public authorities under FOI Act
The ICO (Information Commissioner’s Office) has taken action against five public authorities for failing to meet their obligations under the Freedom of Information Act. It issued enforcement notices to Sussex Police and South Yorkshire Police, and issued practice recommendations to the Department for Education, the Foreign and Commonwealth Office, and the Financial Ombudsman Service.
UniCredit fined €2.8 million for data breach
Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, has fined the country’s second-largest bank, UniCredit, €2.8 million for security failings relating to a 2018 cyber attack on its mobile banking platform.
US Attorneys General write to Meta about account takeovers
New York Attorney General Letitia James has led a bipartisan coalition of 41 attorneys general, writing to Meta Platforms, Inc. about the recent rise in Facebook and Instagram account takeovers by scammers.
Other news
ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission) have published a new standard in the ISO 27000 information security series. ISO/IEC 27006-1:2024 Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of information security management systems complements ISO/IEC 17021-1 and requires ISO 27001-certified organisations to show evidence that they are maintaining their compliance with the Standard.
CISA and the NSA release cyber security information sheets on Cloud security best practices
The US’s CISA (Cybersecurity and Infrastructure Security Agency) and NSA (National Security Agency) have released five joint cyber security information sheets, setting out best practices for organisations to improve the security of their Cloud environments.
CISA updates Public Safety Communications and Cyber Resiliency Toolkit
The US’s CISA has added seven new resources to its Public Safety Communications and Cyber Resiliency Toolkit to better help public safety agencies and others responsible for communications networks evaluate their current resiliency capabilities, identify ways to improve their resilience, and develop plans for mitigating the effects of potential threats.
New IC3 report: US lost $12.5 billion to cyber crime in 2023
A new report from IC3 (the FBI’s Internet Crime Complaint Center) found that the US suffered $12.5 billion in cyber crime losses in 2023 – a 22% increase on 2022’s figures. The Internet Crime Report 2023 also reports that four online crimes caused the most financial losses in the US last year: BEC (business email compromise), investment fraud, ransomware, and tech/customer support and government impersonation scams.
Capita lost over £106 million after cyber attack last year
The outsourcing giant Capita reports that it lost £106.6 million last year, roughly a quarter of which was the due to the ransomware attack it suffered in March 2023. In May 2023, it predicted that responding to and recovering from the ransomware attack would cost it £20 million.
ICO launches call for views on “consent or pay” cookie compliance
As part of its cookie compliance work, the ICO has called for views on its proposed “consent or pay” mechanism – a model designed to let people use websites for free if they consent to their personal information being used for personalised advertising, or pay a fee for data privacy. The consultation closes on 17 April.
Key dates
31 March 2024 – PCI DSS v4.0 transitioning deadline
Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.
30 April 2024 – ISO/IEC 27001:2013 certification unavailable
Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.
That’s it for this week’s round-up. We hope you found it useful.
We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
Security Spotlight
To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.
Every Wednesday, you’ll get a 4-minute email with:
- Industry news, including this weekly round-up;
- Our latest research and statistics;
- Interviews with our experts, sharing their insights and expertise;
- Free useful resources; and
- Upcoming webinars.
