Cybersecurity and Data Privacy in the USA: March 18 – 24, 2024

129,672,404 known records breached in 976 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Misconfigured Google Firebase instances expose almost 125 million user records

On January 10, a security researcher known as ‘MrBruh’ reported on vulnerabilities in the AI hiring system Chattr.ai, which is used by many U.S. fast food chains.

According to MrBruh, attackers could register accounts with full privileges by exploiting misconfigurations in Google Firebase, the Cloud-based application backend platform that Chattr.ai is built on.

This gave them access to names, phone numbers, emails, plaintext passwords, branch locations, confidential messages, and shift information for Chattr employees, franchisee managers, and job applicants.

MrBruh, alongside two other researchers who go by the names ‘Logykk’ and ‘xyzeva’/’Eva’, then scanned more than 5 million domains for personally identifiable information exposed via other misconfigured Firebase instances.

They discovered 916 misconfigured websites, exposing 124,605,664 users’ records, including names, emails, phone numbers, passwords, and financial data.

The researchers then alerted all affected organizations, sending 842 emails over 13 days. Only 24% of site owners fixed the misconfiguration.

Data breached: 124,605,664 records.
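The check below is an added example, not the researchers’ tooling or anything from Chattr.ai or Google. It shows the kind of verification a site owner in that 24% (or the 76% who did not respond) would run after tightening their rules: request a Firestore collection over the public REST API with no credentials and classify the answer. A 403 means the security rules are rejecting anonymous reads; a 200 means anyone on the internet can list the collection. The project ID, collection names and the two sample responses are constructed placeholders; the URL shape and status-code meanings follow Firestore’s documented REST API. Node 18 or later is assumed for the built-in `fetch`.

```javascript
// Added example: probe whether a Firestore collection is readable with no
// credentials at all. Project ID, collections and sample bodies are
// placeholders, not taken from any organization named on this page.
//
// For reference, a ruleset that would make this probe return 'denied' and
// also stop a self-registered account from promoting itself (Firestore
// security rules, shown here only as a comment):
//   match /users/{userId} {
//     allow read:   if request.auth != null && request.auth.uid == userId;
//     allow create: if request.auth != null && request.auth.uid == userId
//                   && request.resource.data.role == 'applicant';
//     allow update: if request.auth != null && request.auth.uid == userId
//                   && request.resource.data.role == resource.data.role;
//   }

const FIRESTORE_API = 'https://firestore.googleapis.com/v1';

// REST "list documents" URL for a collection in the project's default database.
function firestoreListUrl(projectId, collection) {
  if (!/^[a-z0-9-]+$/.test(projectId)) {
    throw new Error(`unexpected project id: ${projectId}`);
  }
  return `${FIRESTORE_API}/projects/${projectId}/databases/(default)/documents/${encodeURIComponent(collection)}`;
}

// Interpret an unauthenticated response. `body` is the parsed JSON, or null.
function classifyExposure(status, body) {
  if (status === 403) return 'denied';            // rules reject anonymous reads: good
  if (status === 404) return 'not-found';         // no such project or database
  if (status !== 200) return `unexpected-${status}`;
  const docs = Array.isArray(body?.documents) ? body.documents : [];
  // A 200 means the rules allowed an anonymous list. An empty result is still
  // a policy failure; the collection just holds nothing at the moment.
  return docs.length > 0 ? 'public-read' : 'public-but-empty';
}

// Collect a handful of field names so a report can say what kind of data is
// exposed (emails, passwords, ...) without copying the values anywhere.
function exposedFieldNames(body, limit = 5) {
  const names = new Set();
  for (const doc of body?.documents ?? []) {
    for (const key of Object.keys(doc.fields ?? {})) names.add(key);
    if (names.size >= limit) break;
  }
  return [...names].slice(0, limit);
}

// Live probe; `fetchImpl` is injectable so the logic can be exercised offline.
async function probe(projectId, collection, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(firestoreListUrl(projectId, collection) + '?pageSize=5');
  let body = null;
  try { body = await res.json(); } catch { /* non-JSON body, leave null */ }
  return { collection, verdict: classifyExposure(res.status, body), fields: exposedFieldNames(body) };
}

// Constructed sample responses standing in for the network.
const SAMPLE_PUBLIC = {
  documents: [{
    name: 'projects/demo-proj/databases/(default)/documents/users/abc',
    fields: {
      email: { stringValue: 'applicant@example.com' },
      password: { stringValue: 'hunter2' },          // plaintext, as in the reported exposures
      role: { stringValue: 'admin' },
    },
  }],
};
const SAMPLE_DENIED = {
  error: { code: 403, status: 'PERMISSION_DENIED', message: 'Missing or insufficient permissions.' },
};

// Usage: node probe.js <project-id> users applications messages
async function main(projectId, collections) {
  for (const c of collections) {
    const r = await probe(projectId, c);
    console.log(`${projectId}/${c}: ${r.verdict}${r.fields.length ? ' fields=' + r.fields.join(',') : ''}`);
  }
}
if (typeof process !== 'undefined' && process.argv[2]) {
  main(process.argv[2], process.argv.slice(3)).catch((e) => { console.error(e); process.exitCode = 1; });
}
```

Run it only against projects you own or are authorized to test; a verdict of public-read or public-but-empty means the rules must be fixed regardless of what the collection holds today, and any passwords found in plaintext should be treated as compromised rather than just re-protected.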

Cactus ransomware group adds eClinical Solutions to list of victims

The Cactus ransomware group claims to have compromised the clinical data Cloud provider eClinical Solutions, allegedly exfiltrating 3 TB of data, including information relating to drug tests, clinical studies and reports, analytical data, and corporate information.

Data breached: 3 TB.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we found 129,672,404 records known to be compromised in the USA, and 976 U.S. organizations suffering a newly disclosed incident. 916 of those incidents are linked to Google Firebase misconfigurations, as explained above.

974 organizations are known to have had data exfiltrated, exposed, or otherwise breached. For the remaining 2, it is not yet known whether data was breached; none has been confirmed unaffected.

We also found 6 U.S. organizations providing a significant update on a previously disclosed incident.

Organization(s) (New/Update) | Sources | Sector | Data breached? | Known data breached
916 Google Firebase websites (via Chattr) (New) | Source 1; source 2; source 3 | Retail and hospitality | Yes | 124,605,664
eClinical Solutions (New) | Source | Software | Yes | 3 TB
Philips Respironics (New) | Source 1; source 2; source 3; source 4 | Manufacturing | Yes | 457,152
NewAgeSys, Inc (New) | Source | Professional services | Yes | 319 GB
V12Software (New) | Source 1; source 2 | Software | Yes | 286,396
Therapeutic Health Services (New) | Source | Health care | Yes | 218,940
Sun Holdings (New) | Source | Hospitality | Yes | 182,756
University of Wisconsin Hospitals and Clinics (New) | Source 1; source 2 | Health care | Yes | 85,902
Select Education Group (New) | Source | Professional services | Yes | 67,097
Valley Oaks Health (New) | Source | Health care | Yes | 50,352
City of Jacksonville Beach (New) | Source | Public | Yes | 48,949
Kirkland & Ellis (New) | Source 1; source 2 | Legal | Yes | 48,802
Monmouth College (New) | Source 1; source 2 | Education | Yes | 44,737
GardaWorld (New) | Source | Professional services | Yes | 39,928
Citizens Bank of West Virginia (Update) | Source 1; source 2 | Finance | Yes | 35,105
Fidelity Investments Life Insurance (Update) | Source 1; source 2 | Insurance | Yes | 29,073
Bethel School District (New) | Source | Education | Yes | 28,844
Weirton Medical Center (New) | Source | Health care | Yes | 26,793
American Renal Associates (New) | Source | Health care | Yes | At least 19,295
Tiegerman (New) | Source 1; source 2 | Education | Yes | 19,000
R1 RCM (Update) | Source 1; source 2; source 3 | Software | Yes | 16,121
Newton Public Schools (New) | Source | Education | Yes | 10,545
Healthfirst (New) | Source 1; source 2 | Insurance | Yes | 6,836
Johnson Matthey (New) | Source | Manufacturing | Yes | 6,095
St. Mary’s Healthcare System for Children (New) | Source | Health care | Yes | 5,650
Simpson Strong-Tie (New) | Source | Retail | Yes | 5,570
Victory Bank (New) | Source 1; source 2 | Finance | Yes | 4,292
Dental Group of Amarillo (New) | Source 1; source 2 | Health care | Yes | 3,821
Eastside Union School District (New) | Source | Education | Yes | 3,592
Schuster Co (New) | Source | Transport | Yes | 3,532
Dedicated Senior Medical Centers (New) | Source 1; source 2 | Health care | Yes | 3,441
Sycamore Rehabilitation Services, Inc. (New) | Source | Health care | Yes | 3,414
A5 Pharmacy Inc. (New) | Source 1; source 2 | Health care | Yes | 3,000
Plymouth Tube Company Employee Benefit Plan (Update) | Source 1; source 2; source 3 | Insurance | Yes | 2,652
Orthopedics Associates of Flower Mound (Update) | Source 1; source 2; source 3 | Health care | Yes | 1,759
UC San Diego Health (New) | Source 1; source 2 | Health care | Yes | 1,642
Homeaglow (New) | Source | IT services | Yes | 1,556
California Correctional Health Care Services (New) | Source 1; source 2 | Health care | Yes | 1,348
Ascend Healthcare Inc (New) | Source 1; source 2 | Health care | Yes | 791
Cypress Capital Group, Inc. (New) | Source | Finance | Yes | 756
Community Health Group Partnership Plan (New) | Source 1; source 2 | Insurance | Yes | 708
Seaglass Chiropractic (New) | Source 1; source 2 | Health care | Yes | 650
Lindsay Municipal Hospital (New) | Source 1; source 2 | Health care | Yes | 500
Massachusetts Department of Developmental Services (New) | Source 1; source 2 | Public | Yes | 500
Mercy Home for Children (New) | Source | Health care | Yes | 356
Gnome Landscapes & Design (Update) | Source 1; source 2 | Professional services | Yes | 356
Mintlify (New) | Source | Software | Yes | 91
TD (New) | Source | Finance | Yes | 4
Kolbe Striping, Inc (New) | Source | Construction | Yes | Unknown
Dolomite (New) | Source | Crypto | Yes | Unknown
Lewis & Clark College (New) | Source | Education | Yes | Unknown
St. Mary Parish School Board (New) | Source | Education | Yes | Unknown
Fiduciary Outsourcing, LLC (New) | Source | Finance | Yes | Unknown
M&D Capital (New) | Source 1; source 2 | Finance | Yes | Unknown
Aveanna Healthcare (New) | Source 1; source 2 | Health care | Yes | Unknown
Commonwealth Healthcare Corporation (New) | Source | Health care | Yes | Unknown
EMSA (Emergency Medical Services Authority) (New) | Source | Health care | Yes | Unknown
Jordano’s Inc. (New) | Source 1; source 2 | Hospitality | Yes | Unknown
BioLife Plasma Services (New) | Source | Manufacturing | Yes | Unknown
Crinetics Pharmaceuticals (New) | Source 1; source 2 | Manufacturing | Yes | Unknown
I.A.T.S.E. National Benefit Funds (New) | Source | Non-profit | Yes | Unknown
Ampersand (New) | Source 1; source 2 | Professional services | Yes | Unknown
Henry County, VA (New) | Source | Public | Yes | Unknown
Arx Capital (New) | Source 1; source 2 | Real estate | Yes | Unknown
MarineMax (Update) | Source 1; source 2; source 3 | Retail | Yes | Unknown
Apex Legends Global Series (New) | Source | Leisure | Unknown | Unknown
City of Pensacola Government (New) | Source | Public | Unknown | Unknown

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. We can’t know the exact number, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), so we err on the side of caution with this formula. We believe it underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

Google VLOGGER generates video from photos, raising security concerns

Google researchers have unveiled VLOGGER, an AI model that can generate photorealistic videos of people from photographs and audio samples. However, security professionals have expressed concern about the technology’s potential misuse to create deepfakes that could be used for social engineering attacks.


Enforcement

House passes bill to block sale of U.S. data to foreign adversaries

The House of Representatives has unanimously voted in favor of a bill to block data brokers from selling U.S. citizens’ data to foreign adversaries.

“Today’s overwhelming vote sends a clear message that we will not allow our adversaries to undermine American national security and individual privacy by purchasing people’s personally identifiable sensitive information from data brokers,” said House Energy and Commerce Committee leaders Cathy McMorris Rodgers and Frank Pallone in a joint statement. 


Other news

CISA publishes new guide on DDoS attacks

CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has published a new guide, Understanding and Responding to Distributed Denial-of-Service Attacks. The guidance includes detailed insight into volumetric, protocol, and application-layer attacks.

CISA® qualification chosen by UK NCSC as part of GovAssure

ISACA’s® CISA (Certified Information Systems Auditor) qualification has been chosen by the UK NCSC (National Cyber Security Centre) as an industry-leading standard and qualifying criterion for companies licensed to conduct assurance reviews of government organizations, as part of its new cyber assurance regime for government systems, GovAssure.


New guidance and recently published reports


Key dates

March 31, 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on March 31, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

April 30, 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by April 30. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place. Until then, have a good Easter.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up
  • Our latest research and statistics
  • Free useful resources
  • Upcoming webinars
  • Other ways we can help