Cybersecurity and Data Privacy in the USA: March 4 – 10, 2024

15,009,813 known records breached in 58 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

6.9 million OpenSea records for sale on hacking forum

A cyber criminal known as ‘bossmoves90004’ claims to have exfiltrated 6.9 million data records from the NFT (non-fungible token) marketplace OpenSea, which they have offered for sale on a hacking forum. The sample provided includes email addresses and registration dates.

Data breached: 6,900,000 records.

Alleged HuntStand database leaked on hacking forum

A threat actor known as ‘21tr232tr45f’ leaked a database apparently belonging to the hunting and land management app HuntStand. The data allegedly includes nearly 3 million users’ first and last names, email addresses, dates of birth, state and country, and more.

Data breached: 2,923,600 people’s data.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we found 15,009,813 records known to be compromised in the USA, and 58 U.S. organizations suffering a newly disclosed incident. 54 of them are known to have had data exfiltrated, exposed, or otherwise breached. Only 2 definitely haven’t had data breached.

We also found 4 U.S. organizations providing a significant update on a previously disclosed incident.

| Organization(s) | Sector | Data breached? | Known data breached |
|---|---|---|---|
| OpenSea (New) | Software | Yes | 6,900,000 |
| HuntStand (New) | Software | Yes | 2,923,600 |
| RMH Franchise Corporation (New) | Hospitality | Yes | 1.5 TB |
| Paysign, Inc. (New) | Finance | Yes | 1,242,575 |
| Eastern Radiologists, Inc. (New) | Health care | Yes | 886,746 |
| Qmerit (New) | Professional services | Yes | 573,309 |
| Yakima Valley Radiology, PC (New) | Health care | Yes | 235,249 |
| Northeast Orthopaedics & Sports Medicine (New) | Health care | Yes | 177,276 |
| Strike.me (New) | Crypto | Yes | 112,348 |
| NewGen Administrative Services (New) | Health care | Yes | 105,425 |
| U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement (ICE) (New) | Public | Yes | 100,000 |
| medQ, Inc. (Update) | Health care | Yes | 54,725 |
| Bradford-Scott Data, Massachusetts Family Credit Union, Methuen Federal Credit Union, Priority Plus Federal Credit Union, StagePoint Federal Credit Union, and Wellness Federal Credit Union (Update) | IT services and finance | Yes | 41,968 |
| cheat-database.com (New) | IT services | Yes | 38,000 |
| University of Chicago (New) | Education | Yes | 29,861 |
| P-Fleet (New) | Finance | Yes | 22 GB |
| Datamatch (New) | Software | Yes | >16,000 |
| Roku (New) | Software | Yes | 15,363 |
| WorldWide Medical Staffing (Bay Area Anesthesia, LLC) (New) | Professional services | Yes | 15,196 |
| Century Federal Credit Union (New) | Finance | Yes | 13,984 |
| Littleton Regional Healthcare (New) | Health care | Yes | 12,614 |
| CVS Caremark Part D Services, L.L.C. (New) | Health care | Yes | 11,193 |
| Princeton University (New) | Education | Yes | 10,573 |
| Orlando VA Medical Center (New) | Health care | Yes | 10,059 |
| Pacific Cataract and Laser Institute (New) | Health care | Yes | 9,967 |
| NALS Apartment Homes (Update) | Real estate | Yes | 7,509 |
| AlgoSec (New) | Cybersecurity | Yes | 7,000 |
| Duke University (New) | Education | Yes | 6,297 |
| Ohio Neurologic Institute (New) | Health care | Yes | 5,548 |
| Directors Guild of America – Producer Pension & Health Plans (New) | Insurance | Yes | 4,211 |
| Southeast Vermont Transit, Inc. (New) | Transport | Yes | 3,815 |
| Shah Dixit & Associates, P.C. (New) | Finance | Yes | 3,494 |
| Woodruff Sawyer (New) | Insurance | Yes | 3,087 |
| Blackburn College (New) | Education | Yes | 3,039 |
| CAIRE Inc. (New) | Manufacturing | Yes | 2,607 |
| Stanford University (New) | Education | Yes | 996 |
| Highland Health Systems (New) | Health care | Yes | 500 |
| St Anthony Ministries (New) | Health care | Yes | 500 |
| Robinson+Cole (New) | Legal | Yes | 497 |
| Harvey Construction (New) | Construction | Yes | 145 |
| Bethany Church (New) | Religious | Yes | 134 |
| Cybersecurity and Infrastructure Security Agency (New) | Cybersecurity | Yes | Unknown |
| Central School District 13J (New) | Education | Yes | Unknown |
| Park City School District (New) | Education | Yes | Unknown |
| BEM Systems, Inc. (New) | Environmental | Yes | Unknown |
| American Express (New) | Finance | Yes | Unknown |
| Kids Care Dental & Orthodontics (New) | Health care | Yes | Unknown |
| Rebound Orthopedics & Neurosurgery (New) | Health care | Yes | Unknown |
| Assurance IQ (New) | Insurance | Yes | Unknown |
| Berger Montague (New) | Legal | Yes | Unknown |
| Jaguar Health (New) | Manufacturing | Yes | Unknown |
| Syndax Pharmaceuticals (New) | Manufacturing | Yes | Unknown |
| Federal Bureau of Investigation (FBI) (New) | Public | Yes | Unknown |
| Western National Property Management (New) | Real estate | Yes | Unknown |
| Radiant Logic (New) | Software | Yes | Unknown |
| CVE North America (New) | Utilities | Yes | Unknown |
| South St. Paul Public Schools (New) | Education | Unknown | Unknown |
| PetSmart (New) | Retail | Unknown | Unknown |
| DataBreaches.net and PogoWasRight.org (New) | Media | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


Enforcement

U.S. Attorneys General write to Meta about account takeovers

New York Attorney General Letitia James has led a bipartisan coalition of 41 attorneys general, writing to Meta Platforms, Inc. about the recent rise in Facebook and Instagram account takeovers by scammers.


Other news

ISO/IEC 27006:2024 published

ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission) have published a new standard in the ISO 27000 information security series.

ISO/IEC 27006-1:2024 Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of information security management systems complements ISO/IEC 17021-1 and requires ISO 27001-certified organizations to show evidence that they’re maintaining their compliance with the Standard.

CISA and NSA release cybersecurity information sheets on Cloud security best practices

The CISA (Cybersecurity and Infrastructure Security Agency) and the NSA (National Security Agency) have released five joint cybersecurity information sheets, setting out best practices for organizations to improve the security of their Cloud environments.

CISA updates Public Safety Communications and Cyber Resiliency Toolkit

The CISA has added seven new resources to its Public Safety Communications and Cyber Resiliency Toolkit to better help public safety agencies and others responsible for communications networks evaluate their current resiliency capabilities, identify ways to improve their resilience, and develop plans for mitigating the effects of potential threats.

New IC3 report: US lost $12.5 billion to cyber crime in 2023

A new report from IC3 (the FBI’s Internet Crime Complaint Center) found that the USA suffered $12.5 billion in cyber crime losses in 2023 – a 22% increase on 2022’s figures. The Internet Crime Report 2023 also reports that four online crimes caused the most financial losses in the USA last year: BEC (business email compromise), investment fraud, ransomware, and tech/customer support and government impersonation scams.


Key dates

31 March 2024 – PCI DSS v4.0 transition deadline

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on March 31, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by April 30. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up
  • Our latest research and statistics
  • Free useful resources
  • Upcoming webinars
  • Other ways we can help