Cybersecurity and Data Privacy in the USA: March 11 – 17, 2024

8,227,551 known records breached in 48 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

73,481,539 records from alleged AT&T breach offered for sale

A threat actor known as MajorNelson has listed more than 70 million data records on a dark web forum, claiming it to be data originally exfiltrated from AT&T by a threat actor known as ShinyHunters in 2021.

The data includes names, addresses and mobile phone numbers, as well as encrypted birth dates and Social Security numbers.

AT&T has denied the breach since 2021. However, numerous researchers, including Dark Web Informer and vx-underground, have confirmed that the data does indeed relate to AT&T customers.

Data breached: 73,481,539 records.

Unprotected Kids Empire database exposes more than 2.3 million documents

The cybersecurity researcher Jeremiah Fowler has discovered an unsecured database belonging to Kids Empire, an operator of recreational centres across the USA. The exposed database contained 2,363,222 documents and totalled 92.3 GB.

Exposed data included reservations, injury waivers, receipts, and digital gift cards. Personally identifiable information in these documents included names, physical and email addresses, and phone numbers.

Fowler notified Kids Empire, which secured the database.

Data breached: 2,363,222 documents.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we found 8,227,551 records known to be compromised in the USA, and 48 U.S. organizations suffering a newly disclosed incident. 44 of them are known to have had data exfiltrated, exposed, or otherwise breached. Only 3 definitely haven’t had data breached.

We also found 9 U.S. organizations providing a significant update on a previously disclosed incident.

| Organization(s) | Sector | Data breached? | Known data breached |
|---|---|---|---|
| AT&T – Source 1; source 2 (Update) | Telecoms | Yes | 73,481,539 |
| Kids Empire – Source (New) | Leisure | Yes | 2,363,222 |
| Plymouth Tube Company – Source (New) | Manufacturing | Yes | 1.83 TB |
| GLG (Gerson Lehrman Group) – Source (New) | Professional services | Yes | 152,621 |
| Prince George County Public Schools – Source (New) | Education | Yes | 117,785 |
| Saint Louis University – Source (New) | Education | Yes | 93,612 |
| Nations Direct Mortgage – Source (New) | Finance | Yes | 83,108 |
| Bradford-Scott Data, Massachusetts Family Credit Union, Methuen Federal Credit Union, Priority Plus Federal Credit Union, StagePoint Federal Credit Union, Wellness Federal Credit Union, and Community Credit Union of New Milford – Source 1; source 2 (Update) | IT services and finance | Yes | 43,414 |
| CCM Health – Source (New) | Health care | Yes | 29,182 |
| Stanford University Department of Public Safety – Source 1; source 2 (Update) | Education | Yes | 27,000 |
| Eland Energy, Inc. – Source (New) | Energy | Yes | 18,237 |
| Precision Tune Auto Care – Source 1; source 2 (Update) | Manufacturing | Yes | 15,633 |
| Teleflora – Source 1; source 2 (Update) | Manufacturing | Yes | 12,635 |
| The Biltmore Company – Source (New) | Retail | Yes | 11,530 |
| Rudman Winchell – Source (New) | Legal | Yes | 11,327 |
| Double Eagle Energy Holdings IV LLC – Source 1; source 2 (Update) | Energy | Yes | 9,040 |
| Texas Health and Human Services – Source (New) | Public | Yes | 3,392 |
| Ada Technologies Incorporated – Source 1; source 2 (New) | Manufacturing | Yes | 2,398 |
| KMJ Health Solutions – Source 1; source 2 (New) | IT services | Yes | 2,191 |
| ACR Electronics, Inc. – Source (New) | Manufacturing | Yes | 2,045 |
| Grow Financial Federal Credit Union – Source (New) | Finance | Yes | 1,635 |
| Bay Surgical Specialists – Source 1; source 2 (New) | Health care | Yes | 1,505 |
| Orsini Specialty Pharmacy – Source 1; source 2 (New) | Manufacturing | Yes | 1,433 |
| BlueCross BlueShield of Tennessee, Inc. and Volunteer State Health Plan, Inc. d/b/a BlueCare Plus Tennessee – Source 1; source 2 (Update) | Insurance | Yes | 1,251 |
| Taft Stettinius & Hollister LLP – Source (New) | Legal | Yes | 641 |
| Oakland Community Health Network – Source 1; source 2 (New) | Health care | Yes | 607 |
| East Side Health District – Source 1; source 2 (New) | Health care | Yes | 559 |
| Lake of the Woods County Department of Social Services – Source 1; source 2 (New) | Public | Yes | 537 |
| Jewish Home Lifecare – Source 1; source 2 (New) | Health care | Yes | 501 |
| Four Seasons Sales & Service – Source (New) | Retail | Yes | 269 |
| RPS Defense – Source (New) | Manufacturing | Yes | 213 |
| Port City Air – Source (New) | Transport | Yes | 125 |
| West Chester University of Pennsylvania – Source (New) | Education | Yes | >36 |
| MSI United States and DonorPerfect – Source (New) | Non-profit and software | Yes | 24 |
| Northeast Credit Union – Source (New) | Finance | Yes | 9 |
| Intuit – Source (New) | Software | Yes | 1 |
| Brooks Tropicals – Source (New) | Agricultural | Yes | Unknown |
| DHanis ISD – Source (New) | Education | Yes | Unknown |
| Scranton School District – Source (New) | Education | Yes | Unknown |
| Encina Wastewater Authority – Source (New) | Environmental | Yes | Unknown |
| ATMCo – Source (New) | Finance | Yes | Unknown |
| EquiLend – Source 1; source 2; source 3 (Update) | Finance | Yes | Unknown |
| Orthopedics Associates of Flower Mound – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Rancho Medical Family Group – Source 1; source 2 (New) | Health care | Yes | Unknown |
| St. Rose Dominican Hospitals (Rose de Lima) – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Facey Goss & McPhee P.C. – Source (New) | Legal | Yes | Unknown |
| International Monetary Fund – Source (New) | Public | Yes | Unknown |
| Wyoming Financial Group (WERCS) – Source (New) | Real estate | Yes | Unknown |
| The North Face – Source (New) | Retail | Yes | Unknown |
| Opus Match – Source (New) | Software | Yes | Unknown |
| R1 RCM – Source 1; source 2 (New) | Software | Yes | Unknown |
| Jonathan Katz (former manager of a telecoms company from Burlington County, New Jersey) – Source (New) | Telecoms | Yes | Unknown |
| Option Care Health – Source (New) | Health care | Unknown | Unknown |
| Multiple Alabama government agencies – Source (New) | Public | No | 0 |
| MarineMax – Source (New) | Retail | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

MEPs adopt EU Artificial Intelligence Act

The European Parliament has endorsed the EU Artificial Intelligence Act, with 523 MEPs voting in favour and 46 against the Act. There were 49 abstentions.

The Act “aims to protect fundamental rights, democracy, the rule of law and environmental sustainability from high-risk AI, while boosting innovation and establishing Europe as a leader in the field.” It also “establishes obligations for AI based on its potential risks and level of impact.”


Enforcement

LockBit associate pleads guilty to cyber extortion

Mikhail Vasiliev, a hacker awaiting extradition from Canada to the USA on cyber crime charges, has pleaded guilty to eight counts of cyber extortion, mischief, and weapons charges. Vasiliev was arrested over a year ago for committing crimes in connection with the LockBit ransomware group.

Justice officials say Vasiliev took tens of millions of dollars in ransom payments from at least 1,000 ransomware attacks.

Meanwhile, LockBit’s purported leader has vowed to continue its ransomware attacks, despite the massive law enforcement operation that disrupted the group earlier this year.


Other news

Browsers add extra protection to help secure users

Google has announced that Chrome will now use real-time Safe Browsing protections to show warnings when users visit potentially unsafe websites.

And Microsoft has announced that new security protections in Edge and other Chromium-based browsers will prevent criminal hackers from using an exploit in a Renderer Process to escape the Renderer sandbox. This will prevent “attackers from using an exploit to enable the Mojo JavaScript bindings (MojoJS) for their site context within the Renderer.”

President Biden announces cybersecurity budget proposal

President Biden’s budget proposal for fiscal year 2025 includes $13 billion in cybersecurity funding across civilian departments and agencies. CISA’s (the Cybersecurity and Infrastructure Security Agency’s) budget would also increase to $3 billion. The aim is to advance the Biden administration’s “commitment to making cyberspace more resilient and defensible.”


Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on March 31, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by April 30. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
