Cybersecurity and Data Privacy in the USA: January 15 – 21, 2024

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

More than 70 million email addresses added to Have I Been Pwned

The security researcher Troy Hunt has added more than 70 million email addresses from the Naz.API data set to his Have I Been Pwned data breach notification service. The data set is a collection of 1 billion credentials sourced from stealer logs and hosted on the illicit.services website. According to Hunt, more than a third of the email addresses were new to Have I Been Pwned.

Data breached: 70,840,771 email addresses.

VF Corporation confirms 35.5 million customers’ data stolen

VF Corporation – the parent company of many popular clothing brands, including Vans and The North Face – has confirmed in its Form 8-K/A filing to the U.S. Securities and Exchange Commission (an amendment to its original Form 8-K filing) that its December 2023 cyber attack resulted in the theft of 35.5 million customers’ data.

Data breached: 35,500,000 records.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we’ve found 40,282,964 records known to be compromised in the USA, plus the 70,840,771 email addresses newly added to Have I Been Pwned.

We’ve also found 53 U.S. organizations suffering a newly disclosed incident (excluding the organizations associated with the Naz.API data set). 50 of them are known to have had data exfiltrated, exposed, or otherwise breached. None definitely haven’t had data breached.

In addition, we’ve found 7 U.S. organizations providing a significant update on a previously disclosed incident.

Organization(s)SectorData breached?Known records breached
Naz.API (likely belonging to multiple organizations)
Source
(New)
UnknownYes70,840,771
VF Corporation
Source 1; source 2
(Update)
RetailYes35,500,000
Fred Hutchinson Cancer Center
Source 1; source 2; source 3
(Update)
Health careYes890,959
Target
Source
(New)
RetailYes800,000
Busse & Busse, P.C.
Source
(New)
LegalYes637,873
Anna Jaques Hospital
Source 1; source 2; source 3
(Update)
Health careYes600 GB
Plaza Radiology, LLC
Source 1; source 2
(New)
Health careYes569,022
GEICO
Source
(New)
InsuranceYes552,900
CompleteCare Health Network
Source 1; source 2; source 3
(Update)
Health careYes313,973
Academy Mortgage Corporation
Source 1; source 2
(Update)
FinanceYes284,443
buygoods
Source
(New)
RetailYes257,562
Subway
Source
(New)
HospitalityYesHundreds of GB
Columbus Regional Healthcare System
Source
(New)
Health careYes132,887
Cooper Aerobics
Source 1; source 2; source 3
(Update)
Health careYes124,341
Oak View Group
Source
(New)
LeisureYes58,935
Arden Claims Service
Source
(New)
FinanceYes50,032
Ashford Inc.
Source
(New)
Real estateYes46,906
Hampton-Newport News Community Services Board
Source 1; source 2; source 3
(New)
Health careYes44,312
Air Methods
Source 1; source 2
(New)
Health careYes34,016
Groveport Madison Schools
Source 1; source 2; source 3
(Update)
EducationYes15.5 GB
ELO CPAs & Advisors
Source
(New)
FinanceYes15,167
Community Memorial Healthcare
Source 1; source 2
(New)
Health careYes14,798
InHealth Technologies
Source 1; source 2
(New)
ManufacturingYes12,143
Foundation Building Materials and Marjam Supply
Source
(New)
RetailYes7,957
Summit Medical Group
Source 1; source 2
(New)
Health careYes5,809
Community Tri-County Healthcare
Source 1; source 2
(New)
Health careYes4,135
Fora Financial
Source
(New)
FinanceYes3,270
International Cooling Tower USA, Inc.
Source 1; source 2
(New)
ManufacturingYes2,833
Morgan Stanley Health Benefits and Insurance Plan
Source 1; source 2
(New)
InsuranceYes2,442
Keystone First
Source 1; source 2
(New)
Health careYes1,965
Hamilton Tax and Accounting LLC
Source 1; source 2
(New)
FinanceYes1,543
Northern Inyo Healthcare District
Source 1; source 2
(New)
Health careYes1,305
Dickinson County Health Department
Source
(New)
PublicYes1,063
California Public Employees Retirement System
Source 1; source 2
(New)
PublicYes1,033
Zephyr Ventilation
Source
(New)
RetailYes514
D’Youville Life & Wellness Community
Source 1; source 2
(New)
Health careYes501
Pennsylvania Multi Family Asset Managers
Source
(New)
Real estateYes278
Farren International LLC
Source
(New)
TransportYes235
Metropolitan Area Planning Council
Source
(New)
PublicYes2
Pratt Institute
Source
(New)
EducationYesUnknown
Rocky Mountain University
Source
(New)
EducationYesUnknown
Premier Facility Management, Corp
Source
(New)
EnvironmentalYesUnknown
Ameriprise Financial Services, LLC
Source 1; source 2
(New)
FinanceYesUnknown
Beasley, Mitchell & Co., LLP
Source
(New)
FinanceYesUnknown
Hanmi Bank
Source 1; source 2
(New)
FinanceYesUnknown
Wayne Bank
Source 1; source 2
(New)
FinanceYesUnknown
McDonald’s
Source 1; source 2; source 3
(New)
HospitalityYesUnknown
CAMICO
Source 1; source 2
(New)
InsuranceYesUnknown
First Financial Security
Source 1; source 2
(New)
InsuranceYesUnknown
HMSA
Source
(New)
InsuranceYesUnknown
F.J. O’Hara & Sons, Inc.
Source
(New)
IT servicesYesUnknown
Virgin Islands Lottery
Source
(New)
LeisureYesUnknown
Ascendum Machinery
Source
(New)
ManufacturingYesUnknown
Digital Power Corporation
Source
(New)
ManufacturingYesUnknown
Maxxis International
Source
(New)
ManufacturingYesUnknown
Maine Salty Girl
Source
(New)
RetailYesUnknown
Microsoft
Source
(New)
SoftwareYesUnknown
Manta Network
Source
(New)
BlockchainUnknownUnknown
Kansas State University
Source
(New)
EducationUnknownUnknown
UC Irvine
Source
(New)
EducationUnknownUnknown

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

Microsoft gives all businesses access to AI-powered Office features

When Microsoft launched Copilot for Office 365 in November 2023, it required enterprise customers to have at least 300 users. It has now removed that requirement, opening up Copilot to businesses of all sizes. According to Microsoft, “Microsoft 365 Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills.”


Enforcement

BreachedForums owner sentenced to at least 15 years in prison

Two weeks ago, we reported that the former admin of the now-defunct BreachForums website, Conor Brian Fitzpatrick, aka Pompompurin, had violated his parole. Fitzpatrick has now been sentenced to time served on 3 counts and supervised release of 20 years with special conditions.

Two Russian nationals charged in the USA with fraud and other hacking offenses

Two indictments have been unsealed in the District of New Jersey, charging two Russian nationals – Aleksey Timofeyevich Stroganov and Tim Stigal – with fraud and related offenses in connection with a series of computer intrusions, which harvested data associated with hundreds of millions of credit cards and bank accounts.

CNIL fines Yahoo! €10 million for cookie violation

France’s data protection authority, the CNIL, has fined Yahoo EMEA Ltd €10 million (about $11 million) for failing to take account of users’ cookie choices. Yahoo installed about 20 advertising cookies on users’ devices without their consent and failed to allow users of the Yahoo! Mail service to freely withdraw their consent.


Other news

Ivanti Connect Secure VPN breached with more than 1,700 devices exposed

On January 10, the cybersecurity company Volexity published details of attacks exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances. Ivanti published a mitigation the same day and announced that it was developing a patch. Volexity now reports that it has identified more than 1,700 compromised Ivanti Connect Secure VPN devices worldwide.

Two-fifths of employees sacked over email security breaches

Nearly half of workers who were responsible for email security breaches in the past year were sacked, according to research from the cybersecurity company Egress. The organization also found that 94% of organizations have experienced a serious email security incident in the past 12 months.

CISA releases 2023 Year in Review

The U.S. Cybersecurity and Infrastructure Security Agency has released its fourth annual Year in Review. CISA’s accomplishments in 2023 included launching a Secure by Design campaign, publishing a Roadmap for AI, launching an initiative to reduce the risk of ransomware, encouraging good cyber hygiene, providing resources to local and state governments, and strengthening security support for regional elections.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up
  • Our latest research and statistics
  • Free useful resources
  • Upcoming webinars
  • Other ways we can help