The Week in Cyber Security and Data Privacy: 4 – 10 March 2024

66,698,348 known records breached in 103 newly disclosed incidents

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

36 million MX3 Nutrition records allegedly leaked

A threat actor known as Chucky has leaked 36 million customer records apparently belonging to the French sports nutrition company MX3 Nutrition. According to a listing on a popular hacking forum, the database includes customers’ names, email addresses, hashed passwords, and more. The claim is yet to be verified.

Data breached: 36,000,000 records.

Glosbe dictionary exposes almost 7 million records

The multilingual online dictionary Glosbe left a MongoDB instance unsecured last year, exposing millions of users’ information, including personal data, encrypted passwords and social media identifiers. Cybernews’s research team discovered the MongoDB server in December 2023 and contacted Glosbe. Glosbe didn’t reply, but the open instance was soon closed.

Data breached: 6,935,412 records.

6.9 million OpenSea records for sale on hacking forum

A cyber criminal known as ‘bossmoves90004’ claims to have exfiltrated 6.9 million data records from the NFT (non-fungible token) marketplace OpenSea, which they have offered for sale on a hacking forum. The sample provided includes email addresses and registration dates.

Data breached: 6,900,000 records.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 66,698,348 records known to be compromised, and 103 organisations suffering a newly disclosed incident. 92 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 3 definitely haven’t had data breached.

We also found 13 organisations providing a significant update on a previously disclosed incident.

| Organisation(s) | Source | Sector | Location | Data breached? | Known data breached |
|---|---|---|---|---|---|
| MX3 Nutrition (New) | Source | Manufacturing | France | Yes | 36,000,000 |
| Glosbe (New) | Source | IT services | Poland | Yes | 6,935,412 |
| OpenSea (New) | Source | Software | USA | Yes | 6,900,000 |
| Online Trade (Онлайн Трейд) (Update) | Source 1; source 2 | Retail | Russia | Yes | 3,805,265 |
| Habib’s (New – also see note 3 below) | Source | Hospitality | Brazil | Yes | 3,517,679 |
| Companies and Intellectual Property Commission (Update) | Source 1; source 2 | Public | South Africa | Yes | >3,000,000 |
| HuntStand (New) | Source | Software | USA | Yes | 2,923,600 |
| APK.TW (Update) | Source 1; source 2 | IT services | Taiwan | Yes | 2,451,197 |
| RMH Franchise Corporation (New) | Source | Hospitality | USA | Yes | 1.5 TB |
| Paysign, Inc. (New) | Source | Finance | USA | Yes | 1,242,575 |
| Eastern Radiologists, Inc. (New) | Source 1; source 2 | Healthcare | USA | Yes | 886,746 |
| Gixen Inc (New) | Source | IT services | Canada | Yes | 800,000 |
| CollegeSearch (New) | Source | IT services | India | Yes | >703,000 |
| Qmerit (New) | Source | Professional services | USA | Yes | 573,309 |
| Euronics Italia S.p.A. (New) | Source | Retail | Italy | Yes | 436,932 |
| Toner-dumping.de (New) | Source | Retail | Germany | Yes | 334,000 |
| Yakima Valley Radiology, PC (New) | Source 1; source 2 | Healthcare | USA | Yes | 235,249 |
| Consorzio Innovation (New) | Source | Professional services | Italy | Yes | 225 GB |
| Northeast Orthopaedics & Sports Medicine (New) | Source | Healthcare | USA | Yes | 177,276 |
| Strike.me (New) | Source | Crypto | USA | Yes | 112,348 |
| NewGen Administrative Services (New) | Source 1; source 2 | Healthcare | USA | Yes | 105,425 |
| U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement (ICE) (New) | Source | Public | USA | Yes | 100,000 |
| Duvel Moortgat (New) | Source 1; source 2 | Hospitality | Belgium | Yes | 88 GB |
| medQ, Inc. (Update) | Source 1; source 2; source 3 | Healthcare | USA | Yes | 54,725 |
| Elsap Spa (New) | Source | Retail | Italy | Yes | 49 GB |
| La bonne alternance (New) | Source | IT services | France | Yes | 47,808 |
| XPLAIN (Update) | Source | IT services | Switzerland | Yes | 47,413 |
| Bradford-Scott Data, Massachusetts Family Credit Union, Methuen Federal Credit Union, Priority Plus Federal Credit Union, StagePoint Federal Credit Union and Wellness Federal Credit Union (Update) | Source 1; source 2 | IT services and finance | USA | Yes | 41,968 |
| Van der Helm (New) | Source | Transport | Netherlands | Yes | 39 GB |
| cheat-database.com (New) | Source | IT services | USA | Yes | 38,000 |
| Chocotopia (New) | Source | Leisure | Czech Republic | Yes | 33 GB |
| University of Chicago (New) | Source | Education | USA | Yes | 29,861 |
| Total Flex B.V. (New) | Source | Professional services | Netherlands | Yes | 28.3 GB |
| GL-SH.de (New) | Source | IT services | Germany | Yes | 26,000 |
| P-Fleet (New) | Source | Finance | USA | Yes | 22 GB |
| World of Tanks (New) | Source 1; source 2 | Software | France | Yes | 21,994 |
| Interior Health Authority (New) | Source | Healthcare | Canada | Yes | 20,000 |
| Mission Régionale pour l’Emploi de Liège (New) | Source | Professional services | Belgium | Yes | 19 GB |
| Datamatch (New) | Source | Software | USA | Yes | >16,000 |
| Roku (New) | Source | Software | USA | Yes | 15,363 |
| WorldWide Medical Staffing (Bay Area Anesthesia, LLC) (New) | Source 1; source 2 | Professional services | USA | Yes | 15,196 |
| Military Police of the State of Maranhão (New) | Source | Defence | Brazil | Yes | 14,816 |
| Century Federal Credit Union (New) | Source | Finance | USA | Yes | 13,984 |
| Littleton Regional Healthcare (New) | Source 1; source 2 | Healthcare | USA | Yes | 12,614 |
| CVS Caremark Part D Services, L.L.C. (New) | Source 1; source 2 | Healthcare | USA | Yes | 11,193 |
| dasauge (New) | Source | Professional services | Germany | Yes | 11,000 |
| Princeton University (New) | Source | Education | USA | Yes | 10,573 |
| Orlando VA Medical Center (New) | Source | Healthcare | USA | Yes | 10,059 |
| Pacific Cataract and Laser Institute (New) | Source 1; source 2 | Healthcare | USA | Yes | 9,967 |
| Swiss federal government, including Federal Department of Justice and Police, Federal Office of Justice, Federal Office of Police, State Secretariat for Migration and internal IT service centre ISC-FDJP (Update) | Source | Public and IT services | Switzerland | Yes | 9,040 |
| NALS Apartment Homes (Update) | Source 1; source 2 | Real estate | USA | Yes | 7,509 |
| AlgoSec (New) | Source | Cyber security | USA | Yes | 7,000 |
| Aya Town (New) | Source | Public | Japan | Yes | 6,939 |
| Duke University (New) | Source | Education | USA | Yes | 6,297 |
| Ohio Neurologic Institute (New) | Source 1; source 2 | Healthcare | USA | Yes | 5,548 |
| Directors Guild of America – Producer Pension & Health Plans (New) | Source 1; source 2 | Insurance | USA | Yes | 4,211 |
| GMP Academy (New) | Source | Professional services | Germany | Yes | 4,000 |
| Southeast Vermont Transit, Inc. (New) | Source | Transport | USA | Yes | 3,815 |
| Shah Dixit & Associates, P.C. (New) | Source | Finance | USA | Yes | 3,494 |
| Woodruff Sawyer (New) | Source | Insurance | USA | Yes | 3,087 |
| Blackburn College (New) | Source | Education | USA | Yes | 3,039 |
| CAIRE Inc. (New) | Source | Manufacturing | USA | Yes | 2,607 |
| Booking.com (New) | Source 1; source 2 | Software | Netherlands | Yes | 1,000 |
| Stanford University (New) | Source | Education | USA | Yes | 996 |
| Labour Party (Croydon East) (New) | Source | Public | UK | Yes | >500 |
| Highland Health Systems (New) | Source 1; source 2 | Healthcare | USA | Yes | 500 |
| St Anthony Ministries (New) | Source 1; source 2 | Healthcare | USA | Yes | 500 |
| Robinson+Cole (New) | Source | Legal | USA | Yes | 497 |
| Harvey Construction (New) | Source | Construction | USA | Yes | 145 |
| Bethany Church (New) | Source | Religious | USA | Yes | 134 |
| Laurentian University (Update) | Source 1; source 2 | Education | Canada | Yes | Unknown |
| Lululemon (New) | Source | Retail | Canada | Yes | Unknown |
| Jersey Financial Services Commission (New) | Source | Public | Channel Islands | Yes | Unknown |
| En Act Architecture (New) | Source | Construction | France | Yes | Unknown |
| HAWITA Gruppe GmbH (New) | Source | Agricultural | Germany | Yes | Unknown |
| German Federal Ministry of Defence (New) | Source | Defence | Germany | Yes | Unknown |
| Sapir College (New) | Source | Education | Israel | Yes | Unknown |
| unizen (New) | Source | Crypto | Liechtenstein | Yes | Unknown |
| Auxo Software (New) | Source | IT services | New Zealand | Yes | Unknown |
| Ministry of Defense of the Russian Federation (New) | Source | Defence | Russia | Yes | Unknown |
| Bright Wires Company (New) | Source | Telecoms | Saudi Arabia | Yes | Unknown |
| 2+ South Korean microchip equipment companies (New) | Source | Manufacturing | South Korea | Yes | Unknown |
| Sophiahemmet (New) | Source 1; source 2 | Healthcare | Sweden | Yes | Unknown |
| International Electromechanical Services Co. LLC (New) | Source | Construction | UAE | Yes | Unknown |
| Cybersecurity and Infrastructure Security Agency (New) | Source | Cyber security | USA | Yes | Unknown |
| Central School District 13J (New) | Source 1; source 2 | Education | USA | Yes | Unknown |
| Park City School District (New) | Source | Education | USA | Yes | Unknown |
| BEM Systems, Inc. (New) | Source | Environmental | USA | Yes | Unknown |
| American Express (New) | Source | Finance | USA | Yes | Unknown |
| Kids Care Dental & Orthodontics (New) | Source | Healthcare | USA | Yes | Unknown |
| Rebound Orthopedics & Neurosurgery (New) | Source | Healthcare | USA | Yes | Unknown |
| Assurance IQ (New) | Source | Insurance | USA | Yes | Unknown |
| Berger Montague (New) | Source | Legal | USA | Yes | Unknown |
| Jaguar Health (New) | Source 1; source 2 | Manufacturing | USA | Yes | Unknown |
| Syndax Pharmaceuticals (New) | Source 1; source 2 | Manufacturing | USA | Yes | Unknown |
| Federal Bureau of Investigation (FBI) (New) | Source | Public | USA | Yes | Unknown |
| Western National Property Management (New) | Source 1; source 2 | Real estate | USA | Yes | Unknown |
| Radiant Logic (New) | Source | Software | USA | Yes | Unknown |
| CVE North America (New) | Source | Utilities | USA | Yes | Unknown |
| WOOFi (New) | Source | Crypto | Unknown | Yes | Unknown |
| Zain Group (New) | Source 1; source 2 | Telecoms | Bahrain | Unknown | Unknown |
| Beyers Koffie (New) | Source | Manufacturing | Belgium | Unknown | Unknown |
| FINTRAC Canada (New) | Source 1; source 2 | Public | Canada | Unknown | Unknown |
| Supply chain of a software developer of Tibetan language translation apps, including Kagyu Monlam (New) | Source 1; source 2 | Software | China | Unknown | Unknown |
| Leicester City Council (New) | Source | Public | UK | Unknown | Unknown |
| South St. Paul Public Schools (New) | Source | Education | USA | Unknown | Unknown |
| PetSmart (New) | Source | Retail | USA | Unknown | Unknown |
| Vikramaditya Vedic clock app server (New) | Source | Software | India | No | 0 |
| DataBreaches.net and PogoWasRight.org (New) | Source | Media | USA | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.

Note 3: As the Habib’s data breach was part of the MOAB (mother of all breaches), we didn’t log this separately as part of our annual research.
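The 1 MB = 1 record convention in Note 2 is easy to apply by hand to one cell, but the table mixes record counts, lower bounds (">3,000,000"), file sizes in three units and "Unknown", so anyone re-tallying the column needs a consistent rule for each form. The function below is an added example written for this round-up, not code from the original page or its authors. Two choices it makes are assumptions of this example rather than statements from the page: file sizes use decimal units (1 GB = 1,000 MB, 1 TB = 1,000,000 MB), and a ">" lower bound is counted at its stated value with the ">" dropped. The sample cells are taken from this week's table; the tally they produce is for illustration only and is not the headline weekly total.

```python
import re
from typing import Iterable, Optional, Tuple

# Multipliers to megabytes. Note 2 only says "1 MB = 1 record"; the use of
# decimal rather than binary (1,024 MB per GB) units is an assumption made here.
_MB_PER_UNIT = {"MB": 1, "GB": 1_000, "TB": 1_000_000}

_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(MB|GB|TB)$", re.IGNORECASE)
_COUNT_RE = re.compile(r"^(>?)\s*([\d,]+)$")


def estimate_records(cell: str) -> Optional[int]:
    """Map one 'Known data breached' cell to a record estimate.

    "1.5 TB"     -> 1,500,000  (1 MB = 1 record, Note 2)
    ">3,000,000" -> 3,000,000  (lower bound used as-is; assumption of this example)
    "47,808"     -> 47,808
    "Unknown"    -> None       (no estimate; excluded from totals)
    """
    text = cell.strip()
    if text.lower() == "unknown":
        return None
    m = _SIZE_RE.match(text)
    if m:
        value, unit = float(m.group(1)), m.group(2).upper()
        # Note 2's rule: every megabyte of breached data counts as one record.
        return int(round(value * _MB_PER_UNIT[unit]))
    m = _COUNT_RE.match(text)
    if m:
        return int(m.group(2).replace(",", ""))
    raise ValueError(f"unrecognised cell: {cell!r}")


def tally(cells: Iterable[str]) -> Tuple[int, int]:
    """Sum the estimates for a column and count the rows that could not be estimated."""
    total, unknown = 0, 0
    for cell in cells:
        n = estimate_records(cell)
        if n is None:
            unknown += 1
        else:
            total += n
    return total, unknown


# Constructed sample: a handful of the cell values that appear in this week's table.
SAMPLE_CELLS = ["1.5 TB", "225 GB", "28.3 GB", ">3,000,000", "47,808", "Unknown", "0"]

if __name__ == "__main__":
    for cell in SAMPLE_CELLS:
        print(f"{cell:>12} -> {estimate_records(cell)}")
    print("total, rows without an estimate:", tally(SAMPLE_CELLS))
```

Because "Unknown" rows are returned as None rather than 0, the tally reports how many rows contributed nothing, which makes clear how much of any weekly total rests on the size-to-record convention versus confirmed counts.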


Enforcement

ICO takes action against five public authorities under FOI Act

The ICO (Information Commissioner’s Office) has taken action against five public authorities for failing to meet their obligations under the Freedom of Information Act. It issued enforcement notices to Sussex Police and South Yorkshire Police, and issued practice recommendations to the Department for Education, the Foreign and Commonwealth Office, and the Financial Ombudsman Service.

UniCredit fined €2.8 million for data breach

Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, has fined the country’s second-largest bank, UniCredit, €2.8 million for security failings relating to a 2018 cyber attack on its mobile banking platform.

US Attorneys General write to Meta about account takeovers

New York Attorney General Letitia James has led a bipartisan coalition of 41 attorneys general, writing to Meta Platforms, Inc. about the recent rise in Facebook and Instagram account takeovers by scammers.


Other news

ISO/IEC 27006:2024 published

ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission) have published a new standard in the ISO 27000 information security series. ISO/IEC 27006-1:2024 Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of information security management systems complements ISO/IEC 17021-1 and requires ISO 27001-certified organisations to show evidence that they are maintaining their compliance with the Standard.

CISA and the NSA release cyber security information sheets on Cloud security best practices

The US’s CISA (Cybersecurity and Infrastructure Security Agency) and NSA (National Security Agency) have released five joint cyber security information sheets, setting out best practices for organisations to improve the security of their Cloud environments.

CISA updates Public Safety Communications and Cyber Resiliency Toolkit

The US’s CISA has added seven new resources to its Public Safety Communications and Cyber Resiliency Toolkit to better help public safety agencies and others responsible for communications networks evaluate their current resiliency capabilities, identify ways to improve their resilience, and develop plans for mitigating the effects of potential threats.

New IC3 report: US lost $12.5 billion to cyber crime in 2023

A new report from IC3 (the FBI’s Internet Crime Complaint Center) found that the US suffered $12.5 billion in cyber crime losses in 2023 – a 22% increase on 2022’s figures. The Internet Crime Report 2023 also reports that four online crimes caused the most financial losses in the US last year: BEC (business email compromise), investment fraud, ransomware, and tech/customer support and government impersonation scams.

Capita lost over £106 million after cyber attack last year

The outsourcing giant Capita reports that it lost £106.6 million last year, roughly a quarter of which was due to the ransomware attack it suffered in March 2023. In May 2023, it predicted that responding to and recovering from the ransomware attack would cost it £20 million.

ICO launches call for views on “consent or pay” cookie compliance

As part of its cookie compliance work, the ICO has called for views on its proposed “consent or pay” mechanism – a model designed to let people use websites for free if they consent to their personal information being used for personalised advertising, or pay a fee for data privacy. The consultation closes on 17 April.

Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.