Data Breaches in the USA in June 2024: 10,527,091 People Impacted

Analyzing the Maine Attorney General’s data

For June 2024, IT Governance USA’s analysis of the Office of the Maine Attorney General’s data breach notifications found the following:

  • 79 new data breaches, affecting 10,527,091 individuals*
  • 7 updates to previously reported data breaches

We look at what’s reported to a regulator to help us identify significant real-world trends and patterns.

We chose the Office of the Maine Attorney General, as this is – to the best of our knowledge and at the time of writing – the best single source for U.S. data breaches that covers a wide range of industries.

A particular feature we like is that it provides data on the number of individuals affected across the country – not just for the state in question.

*These individuals aren’t necessarily unique individuals, as the same person may be on multiple organizations’ databases.

Top 3 biggest breaches

1. Infosys McCamish Systems: more than 6 million people affected by ransomware attack

Infosys McCamish Systems, a provider of “platform-based insurance process management solutions and services” (according to its website), notified the Attorney General on June 27, 2024 of a data breach affecting 6,078,263 people.

The IT service provider first became aware of the breach in November 2023, because its systems were encrypted with ransomware.

Allegedly, the ransomware gang LockBit was behind this attack. The gang first listed Infosys McCamish Systems as a victim in November 2023, claiming to have encrypted more than 2,000 systems, and to have exfiltrated around 50 GB of data.

In its June 2024 notification, Infosys McCamish Systems specified that affected information includes email addresses, passwords, dates of birth, Social Security numbers, driver’s license numbers, state ID numbers, passport numbers, tribal ID numbers, U.S. military ID numbers, financial account information, payment card information, biometric data, and medical treatment/record information.

2. FBCS updates breach notification (again) – now nearly 3.5 million individuals affected

Debt collection agency FBCS (Financial Business and Consumer Solutions) first notified the Attorney General in April 2024 of a data breach, following discovery of “unauthorized access to certain systems in its network” two months earlier, in February 2024. This affected 1,955,385 individuals.

It has since filed three more notices, most recently on April 26, 2024. This has updated the number of individuals affected to 3,435,640.

Potentially affected data includes names, dates of birth, Social Security numbers, and account information.

3. Prudential suffers another data breach, affecting more than 2.5 million people

Insurance giant The Prudential Insurance Company of America has disclosed another data breach, affecting 2,556,210 people. This update (June 28, 2024) is a significant increase on its first filing with the Attorney General, which listed 36,545 people affected.

This is the second breach the company has suffered in the past year. Previously, it notified the Attorney General of a third-party breach, in which threat actors exploited a zero-day vulnerability in MOVEit Transfer.

For its most recent filing, Prudential detected “unauthorized third-party access to certain company systems and data” in February 2024.

According to Prudential’s 8-K filing under the SEC Cybersecurity Disclosure Rules, the threat actor “accessed Company administrative and user data from certain information technology systems and a small percentage of Company user accounts associated with employees and contractors.”


Full list of data breaches in June 2024

| Organization name | Number of individuals affected | New/update |
|---|---|---|
| Infosys McCamish Systems, LLC | 6,078,263 | New |
| Financial Business and Consumer Solutions, Inc. | 3,435,640 | Update (older updates: 1, 2) |
| The Prudential Insurance Company of America | 2,556,210 | Update |
| Ann & Robert H. Lurie Children’s Hospital of Chicago | 791,784 | New |
| Frontier Communications Parent, Inc. | 751,895 | New |
| Designed Receivable Solutions, Inc | 585,204 | New |
| Consulting Radiologists LTD. | 511,947 | New |
| Association of Texas Professional Educators | 426,280 | New |
| Panorama Eyecare | 377,911 | New |
| Greylock McKinnon Associates, Inc. | 346,600 | Update (older update: 1) |
| South Texas Oncology and Hematology, PLLC | 176,303 | Update (substitute notice) |
| LivaNova USA, Inc. | 129,219 | New |
| My Daily Choice, Inc. | 89,188 | New |
| Highland Health Systems | 83,543 | New |
| Levi Strauss & Co. | 72,231 | New |
| Gapbuster Worldwide Pty Ltd | 64,811 | New |
| The Neiman Marcus Group LLC | 64,472 | New |
| Greater Cincinnati Behavioral Health Services | 60,080 | New |
| The Northwestern Mutual Life Insurance Company | 53,668 | Update (older updates: 1, 2) |
| Christie’s Inc. | 45,798 | New |
| Ventura County Credit Union | 44,474 | New |
| First American Financial Corporation | 41,638 | New |
| Family Health Center | 34,926 | New |
| Council for Relationships, Inc. | 27,377 | New |
| Tobin, Carberry, O’Malley, Riley & Selinger, P.C. | 21,887 | New |
| Gaia Software LLC | 21,866 | New |
| The Mount Kisco Surgery Center LLC d/b/a The Ambulatory Surgery Center of Westchester | 21,073 | New |
| Drive Sally, LLC | 20,033 | New |
| Disability Rights Wisconsin | 16,561 | New |
| Assist System, LLC and Medjet Assistance, LLC | 14,400 | New |
| Santander Holdings U.S.A., Inc. | 12,786 | New |
| Manitou Equipment America, LLC and Manitou North America, LLC | 11,414 | New |
| Kirkland & Ellis LLP | 11,156 | New |
| Jacobsen Construction Co., Inc. | 9,667 | New |
| Parksite, Inc. | 7,886 | New |
| McKim & Creed, Inc. | 7,079 | New |
| CRG Lynwood, LLC, d/b/a Lynwood Manor | 6,566 | New |
| Leonard’s Express | 6,540 | New |
| Santoro Whitmire, LTD | 6,397 | New |
| Altoona Logan Township Mobile Medical Emergency Department Authority | | |
| Matthews, Gold, Kennedy & Snow, Inc. | 5,018 | New |
| Quechee Lakes Landowners’ Association, Inc. | 4,548 | New |
| Visionary Integration Professionals | 3,433 | New |
| Plavan Commercial Fueling Inc. | 2,948 | New |
| STS Aviation Group, LLC | 2,810 | New |
| Bank of America | 2,676 | Update |
| The Intrepid Museum Foundation, Inc. | 2,217 | New |
| Sirva, Inc. | 2,169 | New |
| Wold Architects and Engineers | 2,105 | New |
| D’Amico & Pettinicchi LLC | 1,899 | New |
| Eastern Shipbuilding Group | 1,778 | New |
| JSI Cabinetry | 1,731 | New |
| Liaison International LLC | 1,503 | New |
| Concord Public Schools and Concord-Carlisle Regional School District | 1,485 | Update |
| AEG Presents, LLC | 1,473 | New |
| Hotel Gansevoort, LLC | 1,298 | New |
| Holstein Association USA, Inc., Holstein Foundation, Inc., and Holstein Services, Inc. | | |
| HFM Investment Advisors | 1,185 | New |
| Ticketmaster LLC | >1,000 | New |
| Angels Neurological Centers, P.C. | 934 | New |
| NEI General Contracting, Inc. | 689 | New |
| Bimbo Bakeries USA | 560 | New |
| Cross Catholic Outreach, Inc. | 546 | New |
| College Park Industries | 521 | New |
| The Boxoffice Company | 480 | New |
| City of New Haven | 404 | New |
| Braverman CPA PC | 234 | New |
| Idaho Botanical Gardens, Inc. | 204 | New |
| D&D Power LLC | 202 | New |
| Crooker Construction | 164 | New |
| Recht Kornfeld, P.C. | 140 | New |
| Learnosity Inc. | 125 | New |
| Counseling Associates of New London, PLLC | 102 | New |
| Scout Energy Management LLC | ≥61 | New |
| Sponge-Jet, Inc | 55 | New |
| Covington & Burling LLP | 35 | New |
| American Equity Investment Life Insurance Company | 18 | New |
| Enoch Kever PLLC | 18 | New |
| Bourque, Clegg, Causey & Morin, LLC | 15 | New |
| United Financial Casualty Company and Progressive Northwestern Insurance Company | ≥14 | New |
| Panera, LLC | ≥11 | New |
| Tulane University | ≥10 | New |
| Bayonne Board of Education | ≥1 | New |
| School Specialty, LLC | ≥1 | New |
| Landmark Admin, LLC | 1 | New |

A rise in ransomware attacks?

When asked about what security trends he’s been seeing, James Pickard – our head of security testing – said:

Ransomware will continue to be an issue for organizations, given the financial benefits to threat actors. We’re already seeing signs that ransomware attacks are rising.

Vanessa Horton, our cyber incident responder, also reported some worrying ransomware trends:

First, ransomware gangs are much more organized now. Many have their own logos and conduct job interviews, and there have even been calls for research papers on the dark web! As a result, these groups have become even more dangerous than they already were.

Second, gangs seem to be putting all their efforts into data exfiltration, moving away from data encryption in the process. Or they do both, in what’s known as a ‘double-extortion’ attack. This really is worrying.

The Infosys McCamish Systems data breach from this month is just one example. Ransomware gangs list new victims daily, illustrating the scale of the threat, both to U.S. organizations and internationally.

How can organizations protect themselves?

James suggests the following:

Organizations should start with a risk assessment, so they can identify and prioritize their risks, and address them accordingly.

As you evaluate the level of a risk, take factors into account like:

  • Is the service publicly accessible?
  • What data is being requested and sent?
  • From where are the connections being made?

Take, for example, the Terrapin attack, which exploits vulnerabilities in the SSH [Secure Shell] transport protocol.

To exploit them, the attacker would need to be in an MITM [man-in-the-middle] scenario to compromise the connection. That means the attack complexity is high – it can’t just be exploited from an external connection, lowering the risk.

Nonetheless, organizations should protect themselves by patching both the client and the server.
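
The advice above to patch both ends can be checked from a captured handshake. The following is an added example, not part of the original article or of James's remarks: it parses the two SSH_MSG_KEXINIT payloads and reports whether the "strict key exchange" countermeasure is advertised by both peers, and if not, whether the algorithms they would negotiate are among those Terrapin affects. Function names are hypothetical and the sample payloads are built by the helper at the end; the algorithm strings are the OpenSSH identifiers.

```python
import struct

# Name-list order inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_C = "kex-strict-c-v00@openssh.com"   # marker sent by patched clients
STRICT_S = "kex-strict-s-v00@openssh.com"   # marker sent by patched servers
CHACHA = "chacha20-poly1305@openssh.com"

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}              # skip message type (1) and cookie (16)
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += n
    return out

def negotiate(client_list, server_list):
    """RFC 4253 rule: first client-listed algorithm the server also lists."""
    return next((a for a in client_list if a in server_list), "")

def assess(client: bytes, server: bytes) -> str:
    """Classify one client/server pair from their KEXINIT payloads."""
    c, s = parse_kexinit(client), parse_kexinit(server)
    if STRICT_C in c["kex"] and STRICT_S in s["kex"]:
        return "mitigated"         # strict KEX only applies if both offer it
    for enc, mac in (("enc_c2s", "mac_c2s"), ("enc_s2c", "mac_s2c")):
        cipher = negotiate(c[enc], s[enc])
        mac_alg = negotiate(c[mac], s[mac])
        if cipher == CHACHA or (cipher.endswith("-cbc")
                                and mac_alg.endswith("-etm@openssh.com")):
            return "exposed"
    return "not exposed"

def build_kexinit(**lists) -> bytes:
    """Constructed sample input: encode a KEXINIT from keyword name-lists."""
    body = b"".join(struct.pack(">I", len(v)) + v for v in
                    (",".join(lists.get(f, [])).encode() for f in FIELDS))
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)
```

A patched client talking to an unpatched server still comes back as "exposed" when an affected cipher is negotiated, which is why the fix has to land on both sides.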

What can organizations do if their data has already been exfiltrated?

Vanessa explained:

It’s tricky. The criminals already have the data, so that’s not going to help you recover from this attack.

However, a fast response remains critical to both minimize the impact of this attack and prevent future incidents, particularly of a similar nature.

One of the most important things to do is conduct an initial forensic investigation. That means figuring out:

  • What happened?
  • What was the root cause?
  • When did the initial attack happen?
  • What data has been breached, exactly?

Did the attackers put a back door in your systems, so they could easily re-access them later? This is something I’ve actually seen with clients, though can’t share the specifics due to client confidentiality.

By conducting this type of early investigation, you’re not just meeting your legal and regulatory obligations, but also gathering the information you need to take the right measures to prevent such situations from recurring.
