Cybersecurity and Data Privacy in the USA: February 26 – March 3, 2024

194,982,987 known records breached in 79 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Millions of Pure Incubation Ventures records listed on hacking forum

183,754,481 records apparently belonging to the venture capital and private equity group Pure Incubation Ventures have been listed for sale on a hacking forum.

The threat actor, KryptonZambie, has provided a sample of 100,000 records. The claim is yet to be verified.

Data breached: 183,754,481 records.

BlackCat/ALPHV claims responsibility for Optum attack

The BlackCat/ALPHV ransomware group has claimed responsibility for a cyber attack on Optum, a subsidiary of UnitedHealth Group, which led to an outage affecting the Change Healthcare platform.

BlackCat/ALPHV claims to have exfiltrated 6 TB of data from Change Healthcare’s network, including medical and insurance records, patient data, and payment information.

Data breached: 6 TB.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we found 194,982,987 records known to be compromised in the USA, and 79 U.S. organizations suffering a newly disclosed incident. 72 of them are known to have had data exfiltrated, exposed, or otherwise breached. Only 4 definitely haven’t had data breached.

We also found 5 U.S. organizations providing a significant update on a previously disclosed incident.

| Organization(s) | Sector | Data breached? | Known data breached |
|---|---|---|---|
| Pure Incubation Ventures (New) | Professional services | Yes | 183,754,481 |
| Optum (New) | Health care | Yes | 6 TB |
| Array Networks (New) | Cybersecurity | Yes | 2.5 TB |
| STOCK Development (New) | Real estate | Yes | 1 TB |
| Houser LLP (New) | Legal | Yes | 326,386 |
| PR Newswire (New) | Media | Yes | 250,000 |
| Yakima Valley Radiology (New) | Health care | Yes | 235,249 |
| TalentLaunch (Alliance Solutions Group) (New) | Professional services | Yes | 119,261 |
| Egyptian Health Department (New) | Health care | Yes | 100,000 |
| Cogdell Memorial Hospital (Scurry County Hospital District) (New) | Health care | Yes | 86,981 |
| Webber International University (New) | Education | Yes | 65 GB |
| Northwestern Mutual (Update) | Insurance | Yes | 62,656 |
| Brady Martz & Associates (Update) | Finance | Yes | 58,520 |
| Greensboro College (New) | Education | Yes | 52,569 |
| Employee Benefits Corporation of America and Benefit Design Group, Inc. (New) | Insurance | Yes | 38,912 |
| Muscatine Power and Water (New) | Utilities | Yes | 36,955 |
| Bradford-Scott Data and 4 credit unions (New) | IT services and finance | Yes | 35,736 |
| Renton School District (New) | Education | Yes | 30,373 |
| Fidelity Investments Life Insurance (New) | Insurance | Yes | 28,268 |
| Qualcomm (New) | Telecoms | Yes | 27,038 |
| McKenzie Health (New) | Health care | Yes | 21,000 |
| The Brody School of Medicine at East Carolina University (New) | Education | Yes | 19,085 |
| Human Affairs International of California (New) | Insurance | Yes | 18,347 |
| Maryville Addiction Treatment Center (Update) | Health care | Yes | 15,503 |
| Bay Area Anesthesia, LLC (New) | Health care | Yes | 15,196 |
| Elemetal (New) | Finance | Yes | 13,608 |
| Aspen Dental (APEO) (New) | Health care | Yes | 12,053 |
| Nashua School District (New) | Education | Yes | 9,829 |
| Hospice of Huntington (New) | Health care | Yes | 9,013 |
| Veolia North America (Update) | Environmental | Yes | 8,951 |
| Alliance College-Ready Public Schools (New) | Education | Yes | 8,793 |
| KRD, Ltd. (New) | Finance | Yes | 7,154 |
| CBIZ Marks Paneth (New) | Finance | Yes | 5,562 |
| First National Bank of Hartford (New) | Finance | Yes | 5,316 |
| Virgin Hotels North America (New) | Hospitality | Yes | 4,634 |
| Lena Pope (New) | Non-profit | Yes | 3,954 |
| Humana (New) | Insurance | Yes | 3,480 |
| Erie Indemnity Company Group Dental Assistance Plan (New) | Insurance | Yes | 3,122 |
| Interventional Pain & Regenerative Medicine (New) | Health care | Yes | 2,500 |
| Santa Clarita Community College District (New) | Education | Yes | 2,324 |
| National Association of Home Builders (New) | Construction | Yes | 2,020 |
| Lexington Medical Center (New) | Health care | Yes | 1,994 |
| Sunway Hospitality (New) | Hospitality | Yes | 1,427 |
| City of Dubuque Fire Department (New) | Public | Yes | 1,381 |
| Prague Regional Memorial Hospital (New) | Health care | Yes | 1,347 |
| Citrus Diagnostic Center (Amin Radiology) (New) | Health care | Yes | 1,273 |
| MCS (Mortgage Contracting Services) (New) | Real estate | Yes | 1,143 |
| North Hill Needham Inc. (New) | Health care | Yes | 1,096 |
| Mental Health Center of North Central Alabama, Inc. (New) | Health care | Yes | 1,000 |
| Spaulding Clinical Research, LLC (New) | Research | Yes | 884 |
| Dignity Health Welfare Benefits Plan (New) | Insurance | Yes | 744 |
| King Aerospace (Update) | Manufacturing | Yes | 727 |
| East Side Health District (New) | Health care | Yes | 559 |
| Arsenault and Cline CPAs, Inc. (New) | Finance | Yes | 421 |
| Northgate Environmental Management (New) | Environmental | Yes | 404 |
| Icetro America (New) | Manufacturing | Yes | 280 |
| Empire Auto Parts (New) | Transport | Yes | 150 |
| PGAL (New) | Construction | Yes | Unknown |
| Orange Public School District (New) | Education | Yes | Unknown |
| DCO Energy, LLC (New) | Energy | Yes | Unknown |
| Fairway Independent Mortgage Corporation (New) | Finance | Yes | Unknown |
| Wyatt Leasing (New) | Finance | Yes | Unknown |
| Conrade Insurance Group (New) | Insurance | Yes | Unknown |
| Casino Del Sol Resort (New) | Leisure | Yes | Unknown |
| RCI (New) | Leisure | Yes | Unknown |
| Cencora (New) | Manufacturing | Yes | Unknown |
| Divvies LLC (New) | Manufacturing | Yes | Unknown |
| Ewig USA (New) | Manufacturing | Yes | Unknown |
| Intercept Pharmaceuticals (New) | Manufacturing | Yes | Unknown |
| Pik Rite, Inc. (New) | Manufacturing | Yes | Unknown |
| Institute of Food Technologists (New) | Non-profit | Yes | Unknown |
| Vulcan Industries (New) | Retail | Yes | Unknown |
| City of Oakley, California (New) | Public | Unknown | Unknown |
| GitHub (New) | Software | Unknown | Unknown |
| Bill and Hillary Clinton National Airport (New) | Transport | Unknown | Unknown |
| Lowell Public School (New) | Education | No | 0 |
| Federal Home Loan Bank of New York (New) | Finance | No | 0 |
| Matthew Perry (New) | Media | No | 0 |
| Town of Poughkeepsie (New) | Public | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


Enforcement

President Biden signs executive order to restrict sale of U.S. data

President Biden has signed an executive order designed to “prevent the large-scale transfer of Americans’ personal data to countries of concern.”

It also “provides safeguards around other activities that can give those countries access to Americans’ sensitive data.”

Italian data protection authority fines Enel €79 million

Italy’s data protection regulator, the Garante per la Protezione dei Dati Personali, has fined the country’s largest utility company, Enel, more than €79 million (about $86 million) for misusing customer data for telemarketing.

The fine is the largest the Garante has issued to date.


Other news

NIST releases version 2.0 of Cybersecurity Framework

NIST has updated its CSF (Cybersecurity Framework). CSF 2.0 has “an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy.”

CISA publishes guide to support university cybersecurity clinics

CISA has announced several actions to support university cybersecurity clinics, including a resource guide and an engagement program. It’s also “taking steps to leverage our State and Local Cybersecurity Grant Program (SLCGP), which aims to address cyber risks to information systems owned or operated by state and local governments.”

University cybersecurity clinics train students “to strengthen the digital defenses of non-profits, hospitals, municipalities, small businesses, and other under-resourced organizations, while also developing a talent pipeline for cyber civil defense.”

Critical vulnerability could have allowed threat actors to hijack any Facebook account

Meta has addressed a critical security vulnerability and rewarded the security researcher who reported it under Facebook’s bug bounty program. Samip Aryal described the vulnerability as a “rate-limiting issue in a specific endpoint of Facebook’s password reset flow that could’ve allowed the takeover of any Facebook account by bruteforcing a particular type of nonce.”

Anycubic 3D printers hacked

Users of Anycubic 3D printers have reported that their machines have been hacked. The person responsible added a text file to their devices, which reads:

“Your machine has a critical vulnerability, posing a significant threat to your security. Immediate action is strongly advised to prevent potential exploitation. Feel free to disconnect your printer from the Internet if you don’t wanna get hacked by a bad actor. This is just a harmless message. You have not been harmed in any way.”

Nearly 3 million devices have downloaded this warning.


Key dates

March 31, 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on March 31, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

April 30, 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by April 30. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.

ISO 27001:2022 itself has been amended to refer to climate change. The amendment adds two sentences, requiring compliant organizations to determine whether climate change is a relevant issue, and noting that relevant interested parties can have requirements related to climate change.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

