Cybersecurity and Data Privacy in the USA: January 29 – February 4, 2024

16,166,359 known records breached in 65 publicly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Eye4Fraud database allegedly leaked – 14.9 million lines of unique data being sold 

A threat actor claims to be selling 14.9 million lines of data, with unique email addresses, from around 29 million order records from Eye4Fraud, a U.S. company offering fraud protection software.

At the time of writing, it’s unclear whether this is related to a 2023 data breach suffered by the company, as discussed by Have I Been Pwned’s Troy Hunt last March.

Data breached: 14.9 million lines.

MESVision updates number of people affected by MOVEit breach

Victims of last May’s MOVEit Transfer breach continue to come forward. Last November, Medical Eye Services, Inc. notified regulators that 664,824 individuals’ personal data had been compromised as a result of the incident.

The company has now confirmed that a further 2,743 people were affected by the breach, bringing the total to 667,567.

Data breached: 667,567 individuals’ personal data.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we found 16,166,359 records known to be compromised in the USA, and 65 U.S. organizations suffering a newly disclosed incident. 57 of them are known to have had data exfiltrated, exposed, or otherwise breached. Only 1 definitely hasn’t had data breached.

We also found 7 U.S. organizations providing a significant update on a previously disclosed incident.

Organization(s)SectorData breached?Known records breached
Eye4Fraud
Source
(New)
FinanceYes14,900,000
MESVision
Source 1; source 2
(Update)
Health careYes667,567
Black Butte Coal
Source
(New)
MiningYes213 GB
Benjamin Plumbing Inc
Source
(New)
ConstructionYes188 GB
HopSkipDrive
Source
(New)
SoftwareYes155,394
North American University
Source
(New)
EducationYes108 GB
Emmanuel College (Boston)
Source
(New)
EducationYes89,064
GEICO
Source 1; source 2
(Update)
InsuranceYes71,490
Infosys McCamish Systems
Source
(New)
InsuranceYes57,028
Veterans Health Administration [1]
Source 1; source 2
(Update)
Health careYes46,677
Bankers Life
Source
(New)
InsuranceYes45,842
Knight Barry Title Group
Source
(New)
Real estateYes44,910
Prestige Care, Inc.
Source
(New)
Health careYes38,087
TRISTAR Insurance Group
Source 1; source 2
(Update)
InsuranceYes35,120
Investor’s Business Daily
Source
(New)
MediaYes35,000
Coastal Hospice & Palliative Care
Source 1; source 2
(New)
Health careYes29,100
Arvest Bank
Source
(New)
FinanceYes26,388
Washington National Insurance Company
Source
(New)
InsuranceYes20,360
Corbett Exterminating
Source
(New)
EnvironmentalYes20 GB
National Advisors Trust Company
Source
(New)
FinanceYes14,043
Michigan Catholic Conference
Source
(New)
Non-profitYes12,652
Humana
Source 1; source 2
(New)
InsuranceYes12,539
eBay
Source
(New)
IT servicesYes12,000
TGI Direct, Inc.
Source 1; source 2
(New)
Professional servicesYes11,556
J.D. Gilmour
Source
(New)
InsuranceYes6,838
National Board of Osteopathic Medical Examiners
Source
(New)
Non-profitYes4,310
Catholic Diocese of Lansing
Source
(New)
Non-profitYes4,124
Omaha Firefighters Healthcare Trust
Source 1; source 2
(New)
InsuranceYes3,567
Sirius Federal
Source 1; source 2
(Update)
IT servicesYes3,266
PrintingCenterUSA
Source
(New)
RetailYes3,159
Concord Music Group, Inc.
Source
(New)
LeisureYes3,131
Timex Group
Source
(New)
ManufacturingYes3,085
GC Services
Source
(New)
FinanceYes2,824
Veterans Health Administration [2]
Source 1; source 2
(New)
Health careYes2,380
Ministerio de Justicia (Buenos Aires)
Source
(New)
LegalYes>2,000
Artesia General Hospital
Source 1; source 2
(New)
Health careYes1,985
Rensselaer Polytechnic Institute and Athletic Trainer System
Source
(New)
Education and softwareYes1,799
Webber Chiropractic Sports Clinic
Source 1; source 2
(New)
Health careYes1,695
Catholic Charities of the Archdiocese of Miami, Inc.
Source 1; source 2; source 3
(Update)
Non-profitYes1,500
OrthoArkansas, PA Employee Benefit Plan
Source
(New)
InsuranceYes1,270
Regence BlueCross BlueShield of Oregon
Source 1; source 2
(New)
InsuranceYes856
Kern Regional Center
Source 1; source 2
(New)
Non-profitYes700
Coppola Physical Therapy
Source
(New)
Health careYes632
Coastal Plains Community Mental Health Mental Retardation Center
Source 1; source 2
(New)
Health careYes500
Entellus, Inc.
Source
(New)
ConstructionYes491
Fort Worth
Source
(Update)
PublicYes448
Infotech
Source
(New)
SoftwareYes355
Professional Compounding Centers of America
Source
(New)
ManufacturingYes316
Yaunique Tompkins
Source
(New)
Health careYes4
CMG Drainage Engineering, Inc.
Source
(New)
ConstructionYesUnknown
Curtainwall Design and Consulting, Inc.
Source 1; source 2
(New)
ConstructionYesUnknown
Daher Contracting Inc.
Source
(New)
ConstructionYesUnknown
Nabholz Construction
Source 1; source 2
(New)
ConstructionYesUnknown
Chris Larsen (Ripple)
Source
(New)
CryptoYesUnknown
William Jewell College
Source 1; source 2
(New)
EducationYesUnknown
Encore Bank
Source
(New)
FinanceYesUnknown
Sigrist, Cheek, Potter & Huyser
Source
(New)
FinanceYesUnknown
Atlanta Women’s Health Group
Source 1; source 2
(New)
Health careYesUnknown
CarePro Health Services
Source 1; source 2
(New)
Health careYesUnknown
Saint Anthony Hospital
Source 1; source 2; source 3
(New)
Health careYesUnknown
Ortho Development Corporation
Source 1; source 2
(New)
ManufacturingYesUnknown
One America News Network
Source
(New)
MediaYesUnknown
Commonwealth Sign Company
Source
(New)
Professional servicesYesUnknown
Freehold Township School District
Source
(New)
EducationUnknownUnknown
Groton Public Schools
Source
(New)
EducationUnknownUnknown
Lurie Children’s
Source 1; source 2
(New)
Health careUnknownUnknown
City of Germantown
Source
(New)
PublicUnknownUnknown
Fulton County Government
Source
(New)
PublicUnknownUnknown
Beaumont Independent School District and phone provider
Source
(New)
Education and telecomsUnknownUnknown
Cloudflare
Source
(New)
CybersecurityNo0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

Europcar confirms alleged data breach is false

Europcar has confirmed that a database of nearly 50 million customer records purportedly stolen from the company is fake. “The record number is completely wrong, the sample data is probably generated by ChatGPT (addresses do not exist, ZIP code does not match the US state, first and last names do not match email addresses, email addresses use very unusual tlds), and, most importantly, none of the email addresses are in our database,” the company said.


Enforcement

INTERPOL operation targets global cyber crime

Operation Synergia, an INTERPOL operation involving 60 law enforcement agencies from more than 50 countries, has identified 1,300 malicious command-and-control servers involved in phishing, malware, and ransomware attacks. 70% of the servers have been taken down and the remainder are under investigation.

Former CIA software engineer sentenced to 40 years in prison

Joshua Schulte, a former CIA software engineer, has been sentenced to 40 years’ imprisonment for “crimes of espionage, computer hacking, contempt of Court, making false statements to the FBI, and child pornography.” Schulte was responsible for the CIA’s largest data breach – the so-called Vault 7 leak of classified materials to WikiLeaks, which it published in 2017.

Uber fined €10 million for GDPR breaches

The Dutch data protection authority, Autoriteit Persoonsgegevens, has fined Uber €10 million (about $11 million) for failing to be transparent about its data retention practices and making it difficult for drivers to exercise their data privacy rights.


Other news

USA and EU enhance cybersecurity cooperation

The USA and EU have issued a joint statement about the importance of cooperation about cyber resilience. The statement sets out the EU and USA’s shared objectives for a secure cyberspace.

U.S. GAO publishes ransomware report

The U.S. Government Accountability Office has published a study into federal agencies’ cybersecurity practices and, in particular, how prepared they are to mitigate the risk of ransomware.


Key dates

March 31, 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on March 31, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up
  • Our latest research and statistics
  • Free useful resources
  • Upcoming webinars
  • Other ways we can help