Cybersecurity and Data Privacy in the USA: April 22 – 28, 2024

4,244,763,831 known records breached in 57 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Data scraping site taken offline after billions of Discord messages offered for sale

A data scraping website called Spy.pet has been taken offline after harvesting more than 4 billion messages posted by more than 256 million Discord users and offering them for sale. Data scraping, or web scraping, is a typically automated process that extracts information from websites; at this scale it lets criminals compile datasets containing personal information.

“Scraping our services and self-botting are violations of our Terms of Service and Community Guidelines,” a Discord spokesperson told The Register. “In addition to banning the affiliated accounts, we are considering appropriate legal action. We identified certain accounts that we believe are affiliated with the Spy.pet website, which we have subsequently banned.”

Data breached: 4,186,879,104 messages.

Phone tracking app iSharing reveals users’ precise locations

Eric Daigle, a computer science and economics student at the University of British Columbia in Vancouver, has discovered vulnerabilities in the phone tracking app iSharing that let users access any other user’s location, as well as their name, profile photo, and the email address and phone number they used to log in, even if they weren’t actively sharing their location data. iSharing is used by more than 35 million users.

The company has fixed the issue, blaming it on a vulnerability in the app’s groups feature. 

Data breached: >35 million people’s data.

Health conglomerate Kaiser Permanente notifies millions of data breach

The U.S. health care service provider Kaiser Permanente is notifying 13.4 million members of a data breach after “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors,” including Google, Microsoft, and X (formerly Twitter).

Kaiser operates 40 hospitals and 618 medical facilities across the USA.

Data breached: 13,400,000 people’s data.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we found 4,244,763,831 records known to be compromised in the USA, and 57 U.S. organizations suffering a newly disclosed incident. 53 of them are known to have had data exfiltrated, exposed, or otherwise breached. None definitely haven’t had data breached.

We also found 3 U.S. organizations providing a significant update on a previously disclosed incident.

| Organization(s) | Source(s) | Sector | Data breached? | Known data breached |
| --- | --- | --- | --- | --- |
| Discord (via Spy.pet) (New) | Source | IT services | Yes | 4,186,879,104 |
| iSharingSoft (New) | Source | Software | Yes | >35,000,000 |
| Kaiser Permanente (New) | Source 1; source 2 | Insurance | Yes | 13,400,000 |
| TRAXERO (New) | Source | Software | Yes | 2,634,753 |
| Piping Rock Health Products (New) | Source 1; source 2; source 3 | Manufacturing | Yes | 2,103,100 |
| FBCS, Inc. (New) | Source | Finance | Yes | 1,955,385 |
| BerryDunn and Reliable Networks (New) | Source | Finance and IT services | Yes | 1,107,354 |
| Designed Receivable Solutions, Inc. (Update) | Source 1; source 2 | Finance | Yes | 498,686 |
| J.P. Morgan (New) | Source | Finance | Yes | 451,809 |
| Hirsh Industries, LLC (New) | Source | Manufacturing | Yes | 450 GB |
| Anders Group, LLC (New) | Source | Professional services | Yes | 214.48 GB |
| Blackstone Valley Community Health Care (Update) | Source 1; source 2 | Health care | Yes | 34,518 |
| Optometric Physicians of Middle Tennessee (New) | Source | Health care | Yes | 29,000 |
| Moffitt Cancer Center (via Advarra) (New) | Source | Health care | Yes | 26,577 |
| Valley Veterinary Clinic (New) | Source | Veterinary | Yes | 25,969 |
| The Philadelphia Inquirer (New) | Source | Media | Yes | 25,500 |
| Buffalo Public Schools (New) | Source | Education | Yes | 19,494 |
| Aspire Health Alliance (New) | Source | Health care | Yes | 17,490 |
| Somerset Dental Las Vegas (New) | Source | Health care | Yes | 11,321 |
| Diocese of Cleveland (New) | Source | Non-profit | Yes | 9,859 |
| Synergy Hotels, Inc. (New) | Source | Hospitality | Yes | 9,211 |
| Camino Nuevo Charter Academy (New) | Source | Education | Yes | 7,916 |
| Sanchez Daniels & Hoffman LLP (New) | Source | Legal | Yes | 3,938 |
| UNC Hospitals (New) | Source | Health care | Yes | 3,142 |
| Lagunitas Brewing Company (New) | Source | Manufacturing | Yes | 2,979 |
| Amerit Fleet Solutions (New) | Source | Manufacturing | Yes | 1,912 |
| Integral Federal, Inc. (New) | Source | IT services | Yes | 1,724 |
| Regulator Marine Inc (Update) | Source 1; source 2 | Manufacturing | Yes | 1,384 |
| CoVerica Insurance (New) | Source | Insurance | Yes | 1,028 |
| The J D Russell Company (New) | Source 1; source 2 | Manufacturing | Yes | 684 |
| Phillips Academy and AthleteTrax, LLC (New) | Source | Education and software | Yes | 347 |
| Vericast (New) | Source 1; source 2 | Professional services | Yes | 319 |
| Glendale Unified School District (New) | Source | Education | Yes | At least 231 |
| Savage IO (New) | Source | Crypto | Yes | Unknown |
| Okta (New) | Source | Cybersecurity | Yes | Unknown |
| Rensselaer Polytechnic Institute (New) | Source | Education | Yes | Unknown |
| University System of Georgia (New) | Source | Education | Yes | Unknown |
| Biggs Cardosa Associates, Inc. (New) | Source | Engineering | Yes | Unknown |
| WRA Architects, Inc. (New) | Source | Engineering | Yes | Unknown |
| Transamerica (New) | Source | Finance | Yes | Unknown |
| Direct Federal Credit Union and Wescom Resources Group, LLC (New) | Source | Finance and IT services | Yes | Unknown |
| NorthBay VacaValley Hospital (New) | Source 1; source 2 | Health care | Yes | Unknown |
| OrthoNY (New) | Source | Health care | Yes | Unknown |
| South Texas Oncology and Hematology, PLLC (New) | Source | Health care | Yes | Unknown |
| Amerlux LLC (New) | Source | Manufacturing | Yes | Unknown |
| JB Poindexter & Co (New) | Source | Manufacturing | Yes | Unknown |
| UNICEF (New) | Source | Non-profit | Yes | Unknown |
| Weapon Systems Training Council (New) | Source | Professional services | Yes | Unknown |
| Panama City Police Department (New) | Source | Public | Yes | Unknown |
| Paul Stuart, Inc. (New) | Source | Retail | Yes | Unknown |
| Autodesk (New) | Source | Software | Yes | Unknown |
| DATAIR Employee Benefit Systems, Inc. (New) | Source | Software | Yes | Unknown |
| Nota (New) | Source | Software | Yes | Unknown |
| Cisco (New) | Source | Cybersecurity | Unknown | Unknown |
| CONSOL Energy (New) | Source | Energy | Unknown | Unknown |
| Kansas City Scouts (New) | Source | Leisure | Unknown | Unknown |
| Coffee County (New) | Source 1; source 2 | Public | Unknown | Unknown |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Because the exact number depends on the types of records involved (pictures and medical histories, for example, are considerably larger files than names and addresses alone), we err on the side of caution with this formula. We believe it underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

Scientists successfully use AI to detect AI-generated videos

Scientists at the MISL (Multimedia and Information Security Lab) in Drexel University’s College of Engineering have developed a suite of tools to detect AI-generated videos at the sub-pixel level.

In Beyond Deepfake Images: Detecting AI-Generated Videos, a paper due to be presented at the IEEE Computer Vision and Pattern Recognition conference in June, Danial Samadi Vahdati, Tai D. Nguyen, Aref Azizpour, and Matthew C. Stamm explain how a constrained neural network can be used to detect synthetic videos “at 98% accuracy.”

DHS announces AI Safety and Security Board

The U.S. DHS (Department of Homeland Security) has announced the establishment of its Artificial Intelligence Safety and Security Board. The group will advise on the safe and secure development and deployment of AI technology in the U.S. critical national infrastructure.


Enforcement

FTC refunds $5.6 million to Ring customers

The U.S. FTC (Federal Trade Commission) is paying $5.6 million to settle a complaint alleging that the home security camera company Ring “allowed employees and contractors to access consumers’ private videos and failed to implement security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.”

Biden-Harris administration issues new rule to support reproductive health care privacy

The Biden-Harris administration has announced the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, a rule that strengthens HIPAA’s (Health Insurance Portability and Accountability Act) privacy rule by restricting the disclosure of protected health information related to lawful reproductive health care.


Other news

FTC announces changes to Health Breach Notification Rule

The FTC has announced that it has finalized its changes to the HBNR (Health Breach Notification Rule), which will clarify its applicability to health apps and other similar technologies.


Key date

April 30, 2024 – ISO/IEC 27001:2013 certification unavailable

As of April 30, certification bodies can no longer offer (re)certification to ISO 27001:2013. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

