Cybersecurity and Data Privacy in the USA: 5 – 11 February 2024

28,471,734 known records breached in 88 publicly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Further victims of last year’s Perry Johnson & Associates data breach identified

Last year, the medical transcription company PJ&A (Perry Johnson & Associates) suffered a data breach in which an unauthorized third party was able to access its computer network. In November 2023, Northwell Health – the largest health system in New York – confirmed that it was affected by the incident.

PJ&A has now determined that information relating to another of its clients, Concentra Health Services, was also accessed. PJ&A has filed another notice of a data breach, confirming that over 13 million people were affected. Compromised information varies from person to person.

Data breached: 13,300,750 people’s data.

Ransomware gang publishes 3 TB of data allegedly from MRA – The Management Association

The Abyss ransomware group has leaked 3 TB of data it claims to have exfiltrated from MRA – The Management Association.

Data breached: 3 TB.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 28,471,734 records known to be compromised in the USA, and 88 U.S. organizations suffering a newly disclosed incident. 73 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 2 definitely haven’t had data breached.

We also found 7 U.S. organizations providing a significant update on a previously disclosed incident.

Organization(s)SectorData breached?Known records breached
Perry Johnson & Associates, Inc. (PJ&A)
Source
Update
IT services and softwareYes                  13,300,750  
MRA – The Management Association
Source
New
Professional servicesYes3 TB
Drost Kivlahan Mcmahon & O’Connor
Source
New
LegalYes1.6 TB
KSA Architecture
Source
New
Construction and real estateYes1.5 TB
Cole, Cole, Easley & Sciba
Source
New
LegalYes1.5 TB
JP Original Corp
Source
New
ManufacturingYes1.2 TB
CTSI
Source
New
MultipleYes978 GB
Willis Lease Finance Corporation
Source
New
FinanceYes910 GB
Transaxle
Source
New
ManufacturingYes795 GB
Dalmahoy Hotel & Country Club
Source
New
Hospitality and leisureYes769,590
B&B Electric
Source
New
Construction & real estateYes750 GB
Posen Architects
Source
New
Construction and real estateYes724 GB
Upper Merion Youth Wrestling Association
Source
New
Charity and non-profitYes500 GB
Village of Skokie
Source
New
PublicYes499,988
Benchmark Management Group
Source
New
Construction and real estateYes401,148
Azura Vascular Care
Source 1; source 2
New
Health careYes348,000
SEIU (Service Employees International Union)
Source 1; source 2
New
PublicYes308 GB
Des Moines Orthopaedic Surgeons, P.C.
Source 1; source 2
New
Health careYes307,864
Planet Home Lending, LLC
Source
Update
FinanceYes284,974
Spoutible
Source 1; source 2
New
MediaYes207,000
Carespring Healthcare
Source
New
Health careYes182,725
Parksite
Source
New
Construction and real estateYes170 GB
Vail-Summit Orthopaedics & Neurosurgery
Source
New
Health careYes150 GB
Commonwealth Sign
Source
New
ManufacturingYes113.63 GB
Western Municipal Construction
Source
New
Construction and real estateYes101 GB
Tennessee Farmers Insurance
Source
New
InsuranceYes71,000
CNO ACE
Source 1; source 2
New
Health careYes65,195
Verizon Communications Inc.
Source
New
TelecomsYes63,206
Bayer Heritage Federal Credit Union
Source
Update
FinanceYes61,159  
HBL CPAs
Source
New
Professional servicesYes60 GB
Lancaster County Sheriff’s Office
Source
New
PublicYes52,567
Maximum Research
Source
New
Professional servicesYes52 GB
Facebook Marketplace
Source
New
MediaYes24,127  
PWS – The Laundry Company
Source
New
Professional servicesYes21.1 GB
City of Clemson, South Carolina
Source
New
PublicYes21,056  
DGX-Dependable Hawaiian Express
Source
New
Professional servicesYes20 GB
Signature Performance, Inc.
Source
Update
Health careYes7,122
Arch Capital Services LLC
Source
New
Health careYes7,036
Tobacco-Free Kids
Source
New
Charity and non-profitYes7 GB
Health Alliance Medical Plans
Source 1; source 2
New
Health careYes6,900
Family Healthcare Center
Source 1; source 2
New
Health careYes6,457
International Center of Photography
Source
New
Charity and non-profitYes5,985  
The Burton Corporation
Source
New
ManufacturingYes5,170
Southwest Binding & Laminating
Source
New
Professional servicesYes4.2 GB
Sun Pain Management, LLC
Source 1; source 2
New
Health careYes2,988
J.D. Gilmour & Co., Inc.
Source 1; Source 2
Update
Health careYes2,481
The New Jewish Home
Source
New
Health careYes2,000  
Finzer Roller, Inc.
Source
New
ManufacturingYes1,335
Science Systems and Applications, Inc.
Source
New
DefenseYes1,051
Connecticut College
Source
New
EducationYes954
American Alarm & Communications Inc.
Source
Update
Professional servicesYes942
The Northwestern Mutual Life Insurance Company
Source
New
FinanceYes887
Whitley Penn
Source
Update
FinanceYes729
Albertsons Companies, Inc.
Source
New
RetailYes457
Midwest Hardwood Company LLC
Source
New
ManufacturingYes373
Precision Tune Auto Care
Source
New
TransportYes0.274 GB
The Hamilton Paramedic Service
Source
New
Health careYes162
Tax Technologies, Inc.
Source
New
Professional servicesYes146  
Community School of Naples
Source
New
EducationYes4
Software Systems, Inc.
Source
New
IT services and softwareYes2
WinStar
Source
New
Hospitality and leisureYesUnknown
Pezold, Barker & Woltz, APPC
Source
New
LegalYesUnknown
Chicago Extruded Metals
Source
New
ManufacturingYesUnknown
Unidentified contractors of U.S. Department of Defense
Source
New
PublicYesUnknown
Greater Richmond Transit
Source
New
TransportYesUnknown
Hutch Paving
Source
New
Construction and real estateYesUnknown
Modern Kitchens
Source
New
ManufacturingYesUnknown
A&A Ready Mixed Concrete
Source
New
Construction and real estateYesUnknown
Northeastern Sheet Metal
Source
New
ManufacturingYesUnknown
McMillan Pazdan Smith
Source
New
Construction and real estateYesUnknown
Mason Construction
Source
New
Construction and real estateYesUnknown
Perry-McCall Construction
Source
New
Construction and real estateYesUnknown
Premier Facility Management
Source
New
Professional servicesYesUnknown
Douglas County Libraries
Source
New
PublicYesUnknown
Leaders Staffing
Source
New
OtherYesUnknown
Worthen Industries
Source
New
ManufacturingYesUnknown
PJ Green
Source
New
Professional servicesYesUnknown
YRW Limited Chartered Accountants
Source
New
Professional servicesYesUnknown
Grace Lutheran Foundation
Source
New
Charity and non-profitYesUnknown
Magi ERP Group
Source
New
IT services and softwareYesUnknown
Pacific American Fish Company
Source
New
OtherYesUnknown
Lurie Children’s Hospital
Source
New
Health careUnknownUnknown
Prima Wawona
Source
New
AgriculturalUnknownUnknown
Ultraflex Systems
Source
New
ManufacturingUnknownUnknown
Original Footwear
Source
New
ManufacturingUnknownUnknown
Perkins Manufacturing
Source
New
ManufacturingUnknown  Unknown
MacQueen Equipment Group
Source
New
ManufacturingUnknownUnknown
Town of Seymour
Source
New
Professional servicesUnknownUnknown
Bull Stockwell Allen
Source
New
Construction and real estateUnknownUnknown
Capozzi Adler
Source
New
LegalUnknownUnknown
Living Water International
Source
New
Charity and non-profitUnknownUnknown
American Integrated Security Group
Source
New
Professional servicesUnknownUnknown
Maddockhenson
Source
New
FinanceUnknownUnknown
Amoskeag Network Consulting Group
Source
New
IT services and softwareUnknownUnknown
Northern Light Health
Source
New
Health careNo0
Unified Judicial System of Pennsylvania
Source
New
PublicNo0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

UK NCSC publishes new guidance on AI and cybersecurity

The UK’s National Cyber Security Centre has published new guidance on cybersecurity issues organizations need to be aware of when deploying artificial intelligence. AI and cyber security: what you need to know is “designed to help managers, board members and senior executives (with a non-technical background) to understand some of the risks – and benefits – of using AI tools”.

EU lawmakers vote to ratify political deal on AI Act

Two committees at the European Parliament have ratified the provisional agreement on the AI Act. LIBE (the European Parliament Committee on Civil Liberties, Justice and Home Affairs) posted on X (formerly Twitter): “AI Act takes a step forward: MEPs in @EP_Justice & @EP_SingleMarket have endorsed the provisional agreement on an Artificial Intelligence Act that ensures safety and complies with fundamental rights”.


Enforcement

State Department offers $10 million for Hive ransomware information

The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification and/or location of the leaders of the Hive ransomware group, and a reward of up to $5 million for information that leads to the arrest and/or conviction of anyone conspiring to participate in Hive ransomware activity.

U.S. announces visa restriction policy, banning people associated with spyware

Secretary of State Antony J Blinken has announced that the State Department is implementing a new policy “that will allow the imposition of visa restrictions on individuals involved in the misuse of commercial spyware”.

Denmark orders schools not to transfer students’ data to Google

The Danish data protection authority, Datatilsynet, has ordered 53 municipalities across Denmark to change their data processing activities so that they no longer transfer students’ personal data to Google.


Other news

Chinese Volt Typhoon group hid in U.S. infrastructure network for 5 years

CISA (the Cybersecurity and Infrastructure Security Agency), the NSA (National Security Agency) and the FBI (Federal Bureau of Investigation) have issued a joint advisory about the Chinese Volt Typhoon cyber espionage group, which infiltrated U.S. critical infrastructure.

Google confirms that spyware vendors are behind 50% of zero-day attacks

Google’s Threat Analysis Group has analyzed 40 commercial spyware vendors and found that they were behind half of known 0-day exploits targeting Google products and Android ecosystem devices.

Ransomware payments topped $1 billion last year

Research by Chainalysis has found that ransom payments made to attackers reached an all-time high of more than $1 billion in 2023. The most profitable ransomware gangs were ALPHV/BlackCat, Clop, Play, LockBit, BlackBasta, Royal, Ransomhouse and Dark Angels. The previous record figure – $983 million – was set in 2021.

Fortinet brushes off DDoS claims

Despite going viral, a story that 3 million electric toothbrushes were hacked and used as a botnet to conduct DDoS (distributed-denial-of-service) attacks is, of course, untrue. The security company Fortinet confirmed that it was a hypothetical scenario, saying: “To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”


Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a 4-minute email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.