Cybersecurity and Data Privacy in the USA: April 15 – 21, 2024

4,338,910 known records breached in 59 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Tyler Technologies breach affects DISB data

Last week, we listed a breach at DISB (District of Columbia Department of Insurance, Securities and Banking), in which the LockBit 3.0 ransomware group exfiltrated a “few hundred GBs” of data. LockBit has now confirmed the amount of data, threatening to publish “the whole 800GB data dump” if DISB doesn’t pay the ransom.

Meanwhile, DISB has announced a third-party data breach, after Tyler Technologies discovered unauthorized access to a private Cloud that stored DISB’s STAR system client data. In an update published on 19 April, Tyler confirmed that the threat actor has “released information they claim was acquired from the STAR system.” No further information is available at this time.

Data breached: 800 GB.

Hunters International targets City of St. Cloud, FL

The Hunters International ransomware group has attacked the City of St. Cloud, Florida, apparently exfiltrating more than 715,000 files. St. Cloud’s response to the cyber attack, which confirmed that it was working with an incident response team to resume normal operations, has been removed from its website.

Data breached: 719,597 files.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we found 4,338,910 records known to be compromised in the USA, and 59 U.S. organizations suffering a newly disclosed incident. 54 of them are known to have had data exfiltrated, exposed, or otherwise breached. Only 2 definitely haven’t had data breached.

We also found 7 U.S. organizations providing a significant update on a previously disclosed incident.

Organization(s)SectorData breached?Known data breached
DISB (District of Columbia Department of Insurance, Securities and Banking) and Tyler Technologies
Source 1; source 2; source 3; source 4
(Update)
Public and softwareYes800 GB
City of St. Cloud, FL
Source
(Update)
PublicYes719,597
Regulator Marine Inc
Source
(New)
ManufacturingYes630 GB
Risas Dental and Braces
Source 1; source 2
(New)
Health careYes618,189
HUB International
Source
(New)
InsuranceYes514,477
Lee University
Source 1; source 2
(New)
EducationYes387.49 GB
Village Family Dental
Source 1; source 2
(New)
Health careYes240,214
Cherry Health
Source 1; source 2
(Update)
Health careYes184,372
Arby’s
Source 1; source 2
(New)
HospitalityYes175 GB
sa.global
Source
(New)
IT servicesYes41 GB
Blackstone Valley Community Health Care
Source 1; source 2
(Update)
Health careYes34,416
Green Diamond Resource Company
Source
(New)
EnvironmentalYes27,896
Kisco Senior Living
Source
(New)
Health careYes26,663
Roman Catholic Diocese of Phoenix
Source
(New)
ReligiousYes23,853
Bi-State Development
Source
(New)
PublicYes21,953
University of Tennessee Health Science Center
Source 1; source 2
(New)
EducationYes19,353
Township of Montclair
Source
(New)
PublicYes17,835
Carl Buddig and Company
Source
(New)
HospitalityYes11,830
Island Ambulatory Surgery Center
Source 1; source 2
(New)
Health careYes7,900
Taft Stettinius & Hollister LLP
Source 1; source 2
(Update)
LegalYes5,980
Citizens Property Insurance Corporation
Source
(New)
InsuranceYes4,948
Northern Colorado Long Term Acute Hospital
Source 1; source 2
(New)
Health careYes4,335
Numotion
Source
(New)
ManufacturingYes4,190
Olive View – UCLA Medical Center
Source 1; source 2
(New)
EducationYes3,716
Butler, Lavanceau & Sober, LLC
Source
(New)
FinanceYes3,370
Catholic Medical Center
Source
(New)
Health careYes2,792
Atlanta Technical College
Source
(New)
EducationYes1,523
WIS International
Source
(New)
RetailYes1,295
HBL CPAs, P.C.
Source
(New)
FinanceYes1,206
DES
Source
(New)
EngineeringYes1,144
Baylor College of Medicine
Source 1; source 2; source 3
(Update)
EducationYes801
Medical Home Network
Source
(New)
Health careYes681
Moveable Feast
Source
(New)
Non-profitYes568
Jackson Medical Center
Source 1; source 2
(New)
Health careYes509
Washington County Department of Human Services
Source 1; source 2
(New)
PublicYes501
SMRT Architects & Engineers
Source 1; source 2
(Update)
EngineeringYes348
Big Ass Fans
Source
(New)
ManufacturingYes146
Cocoon, Inc.
Source
(New)
ManufacturingYes50
Avalon Trust
Source
(New)
FinanceYes27
Tasteful Selections LLC
Source
(New)
AgriculturalYesUnknown
Cisco Duo and its telephony supplier
Source
(New)
Cybersecurity and telecomsYesUnknown
Brandeis University
Source
(New)
EducationYesUnknown
ASMFC (Atlantic States Marine Fisheries Commission)
Source
(New)
EnvironmentalYesUnknown
Bauknight Pietras & Stormer, P.A.
Source
(New)
FinanceYesUnknown
BlueChip Financial
Source
(New)
FinanceYesUnknown
Continuing Healthcare Solutions
Source
(New)
Health careYesUnknown
SysInformation
Source
(New)
Health careYesUnknown
Space-Eyes
Source
(New)
IT servicesYesUnknown
VIP (Visionary Integration Professionals)
Source
(New)
IT servicesYesUnknown
Allcare Pharmacy | W.P. Malone, Inc.
Source
(New)
ManufacturingYesUnknown
Cembell Industries Inc
Source
(New)
ManufacturingYesUnknown
HB Molding, Inc.
Source
(New)
ManufacturingYesUnknown
The Post and Courier
Source
(New)
MediaYesUnknown
European Wax Center
Source
(New)
Professional servicesYesUnknown
Solano County Library
Source
(New)
PublicYesUnknown
Blooms Today
Source
(New)
RetailYesUnknown
Payroll Select Services
Source
(New)
SoftwareYesUnknown
Unspecified U.S. consumer database
Source
(New)
UnknownYesUnknown
Frontier Internet
Source
(New)
TelecomsYesUnknown
MITRE
Source
(New)
CybersecurityUnknownUnknown
Octapharma Plasma, Inc.
Source
(New)
ManufacturingUnknownUnknown
Systems used by New York’s legislature
Source
(New)
PublicUnknownUnknown
Gmail And YouTube users
Source
(New)
IT servicesNo0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


AI

NSA published guidance on strengthening the security of AI systems

The U.S. National Security Agency has published a cybersecurity information sheet entitled Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems. The guidance was designed for national security purposes, but can be applied by anyone bringing AI capabilities into a managed environment.

Protect AI releases April 2024 vulnerability report

Protect AI has published its latest monthly report into security vulnerabilities affecting AI systems. This month contains 48 vulnerabilities, up 220% from the 15 it identified in November 2023.


Enforcement

Proposed FTC order will fine Cerebral, Inc. $7 million and restrict its use of sensitive data

Cerebral, Inc. has agreed to an FTC order that will prohibit it from using or disclosing sensitive consumer data for advertising purposes. Under the proposed order, the company will be required to pay more than $7 million for violating its customers’ privacy rights.

International law enforcement operation disrupts LabHost phishing-as-a-service platform

A law enforcement operation involving 19 countries has disrupted LabHost, one of the world’s largest phishing-as-a-service platforms. 37 suspects have been arrested and the LabHost platform has been shut down.


Other news

HHS patches security after cyber attack

Following a cyber attack on the U.S. Department of Health and Human Services last year, in which criminals stole $7.5 million, the Department is removing HHS Login from its grantee payment system.

NATO to launch new cyber center

Acknowledging that “cyberspace is contested at all times,” NATO will create a new cyber center at its military headquarters in Mons, Belgium. James Appathurai, NATO’s deputy assistant secretary general for innovation, hybrid, and cyber, said the new center would be modelled on the UK’s NCSC (National Cyber Security Centre).

CREST launches new cyber threat intelligence guide

CREST has published a new guide: What is Cyber Threat Intelligence and How is it Used?

It provides accessible advice on the theory and practice of CTI products and services, outlining key concepts and principles underpinning CTI, along with the ways organizations can use CTI to predict, prevent, detect, and respond to potential cybersecurity threats and reduce cyber risk.


Recently published reports


Key date

April 30, 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by April 30. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up
  • Our latest research and statistics
  • Free useful resources
  • Upcoming webinars
  • Other ways we can help