Cybersecurity and Data Privacy in the USA: December 18 – 31, 2023

Welcome to a new year! Following our Christmas break, we’re rounding up two weeks’ worth of the biggest and most interesting news stories for the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Unprotected Real Estate Wealth Network database exposes more than 1.5 billion records

Cybersecurity researcher Jeremiah Fowler discovered an unprotected database, exposing more than 1.5 billion records containing property ownership data related to millions of people. The logging records indicated that the files belonged to the New York-based company Real Estate Wealth Network. Fowler contacted the company, which secured the database.

According to Fowler, the exposed data included information on property owners, sellers, investors, internal user logging data, and more. The property owners allegedly included numerous celebrities, whose street address; purchase price and date; mortgage company; mortgage loan amount; tax ID numbers; taxes owed, paid, or due; and other information were available.

Data breached: 1,523,776,691 records.

Comcast Cable Communications LLC announces supply-chain data breach

Xfinity has notified its customers of a data security incident caused by a vulnerability in Citrix software. Xfinity patched the vulnerability on October 23, 2023, following Citrix’s mitigation guidance, but an investigation discovered unauthorized access to its systems between October 16–19, 2023.

One of Xfinity’s customers was Comcast Cable Communications LLC, which has confirmed that 35,879,455 people’s data was breached as a result.

Data breached: 35,879,455 records.


Publicly disclosed data breaches and cyber attacks in the USA: full list

Over the past two weeks, we’ve found 1,583,076,925 records known to be compromised in the USA, and 177 U.S. organizations suffering a newly disclosed incident. 154 of them are known to have had data exfiltrated, exposed, or breached. Only 3 definitely haven’t had data breached.

We’ve also found 12 U.S. organizations providing a significant update on a previously disclosed incident.

| Organization name | Sources | Sector | Data exfiltrated? | Known records breached |
|---|---|---|---|---|
| Real Estate Wealth Network (New) | Source 1; source 2 | Real estate | Unknown | 1,523,776,691 |
| Comcast Cable Communications, LLC (Xfinity) (New) | Source 1; source 2 | Telecoms | Yes | 35,879,455 |
| INTEGRIS Health (New) | Source 1; source 2 | Health care | Yes | 4,674,000 |
| Ohio Lottery (New) | Source 1; source 2 | Leisure | Yes | >3,000,000 |
| ESO (New) | Source | Software | Yes | 2,700,000 |
| Yale New Haven Health (New) | Source | Health care | Yes | 1,930,870 |
| LoanCare (Fidelity National Financial) (New) | Source | Finance | Yes | 1,316,938 |
| Insomniac Games (Sony) (Update) | Source 1; source 2 | Software | Yes | 1,300,000 |
| Unknown organization(s); USA probably affected (New) | Source | Unknown | Yes | 1,169,843 |
| Corewell Health (New) | Source | Health care | Yes | 1,000,000 |
| Transformative Healthcare (Fallon Ambulance Service) (New) | Source | Health care | Yes | 911,757 |
| Orrick, Herrington & Sutcliffe LLP (Update) | Source | Legal | Yes | 637,620 |
| The Webb Law Firm (New) | Source | Legal | Yes | 578 GB |
| American Alarm and Communications, Inc. (New) | Source 1; source 2 | Professional services | Yes | 504 GB |
| The Retina Group of Washington (New) | Source | Health care | Yes | 455,935 |
| PriceSmart (New) | Source 1; source 2 | Retail | Yes | 420 GB |
| Bay Orthopedic & Rehabilitation Supply Co. Inc. (New) | Source | Manufacturing | Yes | >400 GB |
| Quaker Windows & Doors (New) | Source | Retail | Yes | 233 GB |
| Bunker Hill Community College (New) | Source | Education | Yes | 195,588 |
| United Nations Security Council (New) | Source | Defence | Yes | 188,000 |
| Blink Mobility (Blink Charging) (New) | Source | Transport | Unknown | 181,000 |
| Hunter Buildings (New) | Source | Construction | Yes | 166 GB |
| HealthEC, LLC and MD Value Care (New) | Source | IT services and health care | Yes | 112,005 |
| Navigation Financial Group (New) | Source | Finance | Yes | 111 GB |
| National Nail (New) | Source | Manufacturing | Yes | 111 GB |
| DBM Group (New) | Source | Professional services | Yes | 110 GB |
| Chuze Fitness (New) | Source | Leisure | Yes | >100,000 |
| Bladen County Public Library (New) | Source | Public | Yes | 85 GB |
| National Amusements (New) | Source | Leisure | Yes | 82,128 |
| Enstar Group Limited (Update) | Source 1; source 2 | Insurance | Yes | 71,301 |
| Kimco Staffing Services, Inc. (New) | Source | Professional services | Yes | 69,687 |
| Vi Living (New) | Source | Health care | Yes | 61,425 |
| Rockford Gastroenterology Associates (New) | Source | Health care | Yes | 56 GB |
| FranConnect (New) | Source | Software | Yes | 56,000 |
| ACE Air Cargo (New) | Source | Transport | Yes | 52.6 GB |
| Richmont Graduate University (New) | Source | Education | Yes | 37 GB |
| CBIZ KA (Update) | Source 1; source 2; source 3 | Health care | Yes | 36,295 |
| La Red Health Center (New) | Source | Health care | Yes | 35,602 |
| Kinetic Leasing, Inc. (New) | Source | Finance | Yes | 33.96 GB |
| Eye Physicians of Central Florida (Update) | Source 1; source 2 | Health care | Yes | 31,189 |
| Ultra Intelligence & Communications (New) | Source | Defence | Yes | 30 GB |
| St. Lucie County Tax Collector’s Office (New) | Source | Public | Yes | 22,403 |
| Clay County Social Services and Next Chapter Technology (CaseWorks) (New) | Source 1; source 2 | Public and software | Yes | 22,005 |
| Estes Express Lines (New) | Source | Transport | Yes | 21,184 |
| Bellin Health (New) | Source 1; source 2 | Health care | Yes | 20,790 |
| International Electronic Machines Corporation (New) | Source | Transport | Yes | 16 GB |
| ZOLL Medical Corporation (New) | Source | Manufacturing | Yes | 15,276 |
| TTM Technologies (New) | Source | Manufacturing | Yes | 7,333 |
| Citrin Cooperman (New) | Source | Professional services | Yes | 7,018 |
| Rush System for Health (New) | Source | Health care | Yes | 4,961 |
| Exactech (Update) | Source 1; source 2 | Manufacturing | Yes | 4,230 |
| ABNB Federal Credit Union (New) | Source | Finance | Yes | 3,800 |
| HORNE, Cal-Maine Foods, Inc. and Citizens National Bank (New) | Source | Professional services, manufacturing, and finance | Yes | 3,538 |
| Mountain Dermatology Specialists, PC (New) | Source 1; source 2 | Health care | Yes | 2,705 |
| College of the Canyons (New) | Source | Education | Yes | >2,400 |
| Garr Silpe, P.C. (New) | Source | Legal | Yes | 1,933 |
| City Facilities Management (US) LLC (New) | Source | Professional services | Yes | 1,854 |
| RevSpring and Waystar (New) | Source | IT services and software | No | 1,706 |
| BlueCross BlueShield of Tennessee (New) | Source | Insurance | Yes | 1,665 |
| Donald W. Wyatt Detention Facility (New) | Source | Public | Yes | 1,454 |
| Brunswick Corporation (New) | Source | Manufacturing | Yes | 1,400 |
| Noteboom Law Firm (New) | Source 1; source 2 | Legal | Yes | 1,297 |
| Kirksey Architecture (New) | Source 1; source 2 | Construction | Yes | 1,292 |
| McCarthy Fingar LLP (New) | Source | Legal | Yes | 1,216 |
| Spudnik Equipment Company LLC (New) | Source | Manufacturing | Yes | 1,164 |
| Instron (New) | Source | Manufacturing | Yes | 1,059 |
| Bauer Built (New) | Source 1; source 2 | Manufacturing | Yes | 1,005 |
| Tungaloy-NTK America, Inc. (Update) | Source 1; source 2 | Manufacturing | Yes | 912 |
| Cumberland Advisors (New) | Source | Finance | Yes | 805 |
| HEICO (New) | Source | Manufacturing | Yes | 632 |
| AccessDx Lab (New) | Source | Health care | Yes | 535 |
| 360 Physical Therapy (New) | Source | Health care | Yes | 520 |
| CACI International Inc (New) | Source | IT services | Yes | 520 |
| Cardiothoracic & Vascular Surgeons, PA (New) | Source 1; source 2; source 3 | Health care | Yes | 500 |
| The Pennsylvania School for the Deaf (New) | Source | Education | Yes | 489 |
| Ascentia Real Estate Holding Company, LLC (New) | Source 1; source 2; source 3 | Real estate | Yes | 270 |
| Blackstone Valley Community Health Care (New) | Source | Health care | Yes | >116 |
| Gnome Landscapes & Design (New) | Source | Professional services | Yes | 39 |
| The Rowley Agency, LLC (New) | Source | Insurance | Yes | 3 |
| Ronald & Elizabeth Brent (New) | Source | Finance | Yes | 2 |
| Fager-McGee Commercial Construction, Inc. (New) | Source | Construction | Yes | Unknown |
| Integrated Geotechnical Solutions, Inc. (New) | Source | Construction | Yes | Unknown |
| WELBRO Building Corporation (New) | Source | Construction | Yes | Unknown |
| Thunder (thunder.gg) (New) | Source | Crypto | Yes | Unknown |
| Milton Town School District (New) | Source 1; source 2 | Education | Yes | Unknown |
| Armstrong Consultants (New) | Source | Engineering | Yes | Unknown |
| JAE Oregon (New) | Source | Engineering | Yes | Unknown |
| Recology (New) | Source 1; source 2 | Environmental | Yes | Unknown |
| Colony Family Offices (New) | Source 1; source 2 | Finance | Yes | Unknown |
| ML & CO (New) | Source | Finance | Yes | Unknown |
| More than 40 banks in North America, South America, Europe, and Japan* (New) | Source | Finance | Unknown | Unknown |
| Sharonview Federal Credit Union (New) | Source 1; source 2 | Finance | Yes | Unknown |
| The Middlefield Banking Company (New) | Source 1; source 2 | Finance | Yes | Unknown |
| Fresno Surgical Hospital (New) | Source | Health care | Yes | Unknown |
| Liberty Hospital (New) | Source | Health care | Yes | Unknown |
| Meridian Behavioral Healthcare, Inc. (New) | Source 1; source 2 | Health care | Yes | Unknown |
| NYBRA Plastic Surgery (New) | Source | Health care | Yes | Unknown |
| OptumRx (New) | Source | Health care | Yes | Unknown |
| ThedaCare (New) | Source | Health care | Yes | Unknown |
| Valley Health System (New) | Source | Health care | Yes | Unknown |
| Olde Towne Pet Resorts (New) | Source | Hospitality | Yes | Unknown |
| Orchard Foods (New) | Source | Hospitality | Yes | Unknown |
| Dentegra Insurance Company (New) | Source 1; source 2 | Insurance | Yes | Unknown |
| DataNet Systems Corporation (New) | Source | IT services | Yes | Unknown |
| Cullman County Courthouse (New) | Source 1; source 2 | Legal | Yes | Unknown |
| Davis, Cedillo & Mendoza, Inc. (New) | Source | Legal | Yes | Unknown |
| Kaufman Borgeest & Ryan LLP (New) | Source | Legal | Yes | Unknown |
| Richard Harris Law Firm (New) | Source | Legal | Yes | Unknown |
| Wolf Haldenstein Adler Freeman & Herz LLP (New) | Source | Legal | Yes | Unknown |
| C.M. Paula Company (New) | Source | Manufacturing | Yes | Unknown |
| Delphinus Engineering, Inc. (New) | Source | Manufacturing | Yes | Unknown |
| Packaging Solutions, Inc. (New) | Source | Manufacturing | Yes | Unknown |
| Panasonic Avionics Corporation (Update) | Source | Manufacturing | Yes | Unknown |
| Peco Foods, Inc. (New) | Source | Manufacturing | Yes | Unknown |
| Qorvo, Inc. (New) | Source | Manufacturing | Yes | Unknown |
| Viking Therapeutics, Inc. (New) | Source 1; source 2 | Manufacturing | Yes | Unknown |
| Vyera Pharmaceuticals, LLC (New) | Source | Manufacturing | Yes | Unknown |
| Waldner’s Business Environments (New) | Source | Manufacturing | Yes | Unknown |
| Whitlam Group (New) | Source | Manufacturing | Yes | Unknown |
| Employ Milwaukee (New) | Source | Professional services | Yes | Unknown |
| Unite Here (New) | Source | Professional services | Yes | Unknown |
| Lake County Health Department and Community Health Center (New) | Source | Public | Yes | Unknown |
| Pickens County, SC (New) | Source | Public | Yes | Unknown |
| Security 1st Title (New) | Source | Real estate | Yes | Unknown |
| RCSB Protein Data Bank (New) | Source | Research | Yes | Unknown |
| Horizon Spa & Pool Parts, Inc. (New) | Source | Retail | Yes | Unknown |
| La Jolla Group (New) | Source | Retail | Yes | Unknown |
| Xerox (New) | Source | Retail | Yes | Unknown |
| DOB Systems (New) | Source | Software | Yes | Unknown |
| Mint Mobile (New) | Source | Telecoms | Yes | Unknown |
| Oradell Animal Hospital (New) | Source | Veterinary | Yes | Unknown |
| Ace Hardware Corporation, Berkshire eSupply, Iscar Metals, and SpaceX (All via Signature-IT) (Update) | Source 1; source 2 | Retail and manufacturing | Yes | Unknown |
| 443 online merchants (in the USA, but also Albania, Belgium, Bosnia and Herzegovina, Colombia, Croatia, Finland, Germany, Georgia, Greece, Hungary, Moldova, Netherlands, Poland, Romania, Spain, and the UK)* (New) | Source | Unknown | Yes | Unknown |
| Blaine County School District (New) | Source | Education | Unknown | Unknown |
| First American (New) | Source | Finance | Unknown | Unknown |
| Anna Jaques Hospital (New) | Source | Health care | Unknown | Unknown |
| SiriusXM (New) | Source | Leisure | Unknown | Unknown |
| Tarrytown Expocare Pharmacy (New) | Source | Manufacturing | Unknown | Unknown |
| Michigan Department of Transportation (Charlevoix) (New) | Source | Public | Unknown | Unknown |
| Washington County (New) | Source | Public | Unknown | Unknown |
| Downfall (Steam Standalone) (New) | Source | Software | Unknown | Unknown |
| Microsoft OneDrive (New) | Source | Software | Unknown | Unknown |
| Pinterest (New) | Source | Software | Unknown | Unknown |
| Twitch (New) | Source | Software | Unknown | Unknown |
| CHI Memorial (New) | Source | Health care | No | 0 |
| LNP Media Group (New) | Source | Media | No | 0 |
| Small Press Distribution (New) | Source 1; source 2 | Retail | No | 0 |

Note 1: The asterisked incidents also affect organizations outside the USA. We’ve accounted for this in our summary above the table via a proportionate calculation. E.g. the Europol action against digital skimming revealed 443 compromised online merchants across 17 countries, including the USA, so we’ve counted this as 443 x ¹⁄₁₇.

Note 2: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed during this two-week period, or whether a significant update was released during this period. The updated data point is italicized in the table.


AI

New ISO 42001 standard on artificial intelligence management systems

ISO has published the world’s first AIMS (artificial intelligence management system) standard, ISO/IEC 42001:2023 – Information technology – Artificial intelligence – Management system. The Standard aims to help organizations derive value from AI safely and efficiently.

NIST seeks information to support response to Executive Order on AI

NIST has issued a request for information to help it meet its responsibilities under the recent Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Responses will be accepted until February 2.

OpenAI patches ChatGPT vulnerability

OpenAI has fixed a data exfiltration bug in ChatGPT, although Johann Rehberger, the researcher who discovered the vulnerability last April, says attackers can still exploit it under certain conditions. The fix is also yet to be implemented on the iOS mobile app, which remains at risk.


Enforcement

FBI develops ALPHV/BlackCat ransomware decryption tool

The U.S. Justice Department has announced a disruption campaign against the prolific ALPHV/BlackCat ransomware group, including a decryption tool developed by the FBI. The FBI has so far used the tool to help more than 500 ALPHV/BlackCat victims restore their systems, saving them approximately $68 million in potential ransom payouts.

FCC adopts updated data breach notification rules

The Federal Communications Commission has adopted an update to its 16-year-old data breach notification rules for telecoms, interconnected VoIP (Voice over Internet Protocol), and TRS (telecoms relay services) providers. Phone companies are now accountable for protecting sensitive customer information, and customers can protect themselves if their data is compromised.

INTERPOL Operation HAECHI IV disrupts international online financial crime operation

A multinational police operation in 34 countries, Operation HAECHI IV, blocked 82,112 suspicious bank accounts, seizing a combined $199 million in hard currency and $101 million in virtual assets, and made nearly 3,500 arrests.


Other news

Tallinn Mechanism established to bolster Ukraine’s cyber security

The foreign ministries of Canada, Denmark, Estonia, France, Germany, the Netherlands, Poland, Sweden, the UK, and the USA have formalized the Tallinn Mechanism, which aims to coordinate and facilitate civilian cyber capacity building to help Ukraine uphold its fundamental right to self-defense in cyber space, and address longer-term cyber resilience needs.

CISA announces update to cyber threat information sharing

CISA has announced that it is modernizing its approach to cyber threat information sharing. It has identified three key areas of progress, including launching threat intelligence enterprise services to simplify information sharing.


Key dates

January 4, 2024 – Google starts testing its Tracking Protection feature to block third-party cookies in Chrome

Google is testing a system designed to block third-party cookies by default in the Chrome browser, with the aim of phasing out third-party cookies for all users by the second half of the year. The test will affect 1% of Chrome’s global users, with participants selected randomly. Meanwhile, the latest update to Google Maps will store users’ location history locally on their devices rather than in the Cloud. Among other effects, this will make it harder for law enforcement authorities to access users’ locations with so-called “geofence warrants.”


That’s it for this round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories for the USA, all rounded up in one place.
