Cybersecurity and Data Privacy in the USA: December 11 – 17, 2023

Welcome to this week’s round-up of the biggest and most interesting news stories for the US.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Mr. Cooper reveals 14,690,284 people affected in October breach

The largest mortgage provider in the US, Nationstar Mortgage LLC, operating under the name Mr. Cooper, says its investigation into an October cyber attack has uncovered evidence of customer data being compromised.

According to its breach notification, Mr. Cooper detected suspicious activity on its network on October 31. An investigation determined that personal data, including names, addresses, phone numbers, Social Security numbers, dates of birth, and bank account numbers, belonging to nearly 15 million people was obtained by an unauthorized party between October 30 and November 1.

Data breached: personal data belonging to 14,690,284 individuals.

Delta Dental of California suffers breach affecting 6,928,932 people due to MOVEit vulnerability

Delta Dental of California, which provides dental benefits to people, was a user of Progress Software’s popular file transfer software application MOVEit Transfer. When the Russian Cl0p gang exploited a zero-day SQL injection vulnerability in MOVEit Transfer in May 2023, Delta Dental was one of hundreds of organizations whose data was compromised.

According to Delta Dental’s breach notification, affected personal data included addresses, Social Security numbers, driver’s license numbers or other state identification numbers, passport numbers, financial account information, tax identification numbers, individual health insurance policy numbers, and health information. The data belonged to nearly 7 million individuals.

Data breached: personal data belonging to 6,928,932 individuals.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 28,378,073 records known to be compromised in the US, and 115 US organizations suffering a newly disclosed incident. 86 of them are known to have had data exfiltrated or exposed. None definitely haven’t had data breached.

We’ve also found 7 US organizations providing a significant update on a previously disclosed incident.

| Organization name | Sector | Data exfiltrated? | Known records breached |
|---|---|---|---|
| Nationstar Mortgage LLC (Mr. Cooper) (Update) | Finance | Yes | 14,690,284 |
| Delta Dental of California (New) | Health care | Yes | 6,928,932 |
| Independent Recovery Resources, Inc. (New) | Finance | Yes | 1.1 TB |
| Greenbox Loans, Inc. (New) | Finance | Yes | 1 TB |
| DonorView (New) | Software | Unknown | 948,029 |
| West Virginia University Health System (New) | Health care | Yes | 495,331 |
| Dameron Hospital (Update) | Health care | Yes | >480 GB |
| World Emblem (New) | Manufacturing | Yes | 417.12 GB |
| City of Defiance (New) | Public | Yes | >390 GB |
| National Student Clearinghouse (Update) | Non-profit | Yes | 271,496 |
| PCTEL (New) | Telecoms | Yes | 267.45 GB |
| Greater Buffalo United Accountable Healthcare Network (New) | Health care | Yes | 235.66 GB |
| AGL Welding Supply Co., Inc. (New) | Manufacturing | Yes | 171.54 GB |
| Gaido & Fintzen (New) | Legal | Yes | 170 GB |
| Harrisburg Medical Center (New) | Health care | Yes | 147,826 |
| InstantResume (New) | Software | Yes | >142,000 |
| Regional Family Medicine (New) | Health care | Yes | 80,166 |
| Greater Cincinnati Behavioral Health Services (New) | Health care | Yes | 72.4 GB |
| SmartWAVE Technologies (New) | Telecoms | Yes | 65 GB |
| Heart of Texas Behavioral Health Network (New) | Health care | Yes | 63,776 |
| The Teaching Company (Wondrium by The Great Courses) (New) | Education | Yes | 60 GB |
| Lunacon Construction Group, Corp. (New) | Construction | Yes | 50.93 GB |
| PTSolutions and Berkshire eSupply (New) | Manufacturing | Yes | 33,570 |
| Warrior Met Coal (New) | Energy | Yes | 19,794 |
| Coos Health & Wellness (New) | Health care | Yes | 14,040 |
| Grayhill (New) | Manufacturing | Yes | 19.71 GB |
| Plug Power (New) | Manufacturing | Yes | 8,323 |
| AMCP Payments Intermediate Company LLC (Talus Pay) (New) | Finance | Yes | 7,292 |
| CareTree (Update) | Software | Yes | 5,474 |
| Jacmar Companies, LLC (New) | Hospitality | Yes | 4,863 |
| Florida Water Products (Update) | Retail | Yes | 2,946 |
| Atlas Technical Consultants, Inc. (New) | Environmental | Yes | 2,148 |
| National Electric Coil (New) | Manufacturing | Yes | 1,750 |
| Wianno Club (New) | Hospitality | Yes | 1,731 |
| Iscar Metals (New) | Manufacturing | Yes | 1,359 |
| Butler Bros. (New) | Retail | Yes | 1,268 |
| Lipsey Communications, LLC (Paycom Payroll, LLC) (New) | Telecoms | Yes | 1,202 |
| Yorkshire Wellness Group, Corp. (New) | Health care | Yes | 1,000 |
| Pinnacle Bank Texas (New) | Finance | Yes | 809 |
| Tool-Flo (New) | Manufacturing | Yes | 660 |
| American Meteorological Society (New) | Non-profit | Yes | 557 |
| City of Hope (New) | Health care | Yes | 501 |
| Lucifer Lighting Company (New) | Manufacturing | Yes | 331 |
| R. David Wheeler, CPA P.C. (New) | Finance | Yes | 325 |
| Precision Cutting Tools (New) | Manufacturing | Yes | 256 |
| Marjorie E. Wolasky P.A. (New) | Legal | Yes | 124 |
| KV Federal Credit Union (New) | Finance | Yes | 97 |
| BioMatrix Specialty Pharmacy (New) | Health care | Yes | Unknown |
| Kohl Wholesale (New) | Retail | Yes | Unknown |
| DSG US (New) | Software | Yes | Unknown |
| Share & Haris LLC (New) | Finance | Yes | Unknown |
| Woodruff Enterprises (New) | Transport | Yes | Unknown |
| Hebeler LLC (New) | Manufacturing | Yes | Unknown |
| Spaulding Clinical (New) | Health care | Yes | Unknown |
| Philips Global (New) | Manufacturing | Yes | Unknown |
| Bemes, Inc. (New) | Manufacturing | Yes | Unknown |
| Pagano & Company (New) | Finance | Yes | Unknown |
| Spirit Leatherworks (New) | Retail | Yes | Unknown |
| Chaney, Couch, Callaway, Carter & Associates Family Dentistry (New) | Health care | Yes | Unknown |
| Grand Rapids Women’s Health (New) | Health care | Yes | Unknown |
| Austen Consultants (New) | IT services | Yes | Unknown |
| Catholic Charities of the Archdiocese of Miami, Inc. (New) | Charity | Yes | Unknown |
| E. & J. Gallo Winery (New) | Manufacturing | Yes | Unknown |
| Mortgage Contracting Services, LLC (New) | Finance | Yes | Unknown |
| King Aerospace (New) | Manufacturing | Yes | Unknown |
| Insomniac Games (Sony) (New) | Software | Yes | Unknown |
| CHI St. Alexius Health (New) | Health care | Yes | Unknown |
| GlobalSpec (New) | Engineering | Yes | Unknown |
| Bayonne Board of Education (New) | Education | Yes | Unknown |
| ATCO Products (New) | Manufacturing | Yes | Unknown |
| Keenan & Associates (New) | Insurance | Yes | Unknown |
| Memorial Sloan Kettering Cancer Center (New) | Health care | Yes | Unknown |
| Restek Corporation (New) | Manufacturing | Yes | Unknown |
| CVC Holding Corp (New) | Construction | Yes | Unknown |
| Tulane University (New) | Education | Yes | Unknown |
| Carolina Beverage Group, LLC (New) | Manufacturing | Yes | Unknown |
| Converze Media Group (New) | Professional services | Yes | Unknown |
| Hyman Hayes Associates (New) | Construction | Yes | Unknown |
| MongoDB (New) | Software | Yes | Unknown |
| New York School of Interior Design (New) | Education | Yes | Unknown |
| Insidesource (New) | Retail | Yes | Unknown |
| TaxPlus (New) | Finance | Yes | Unknown |
| AGY (New) | Manufacturing | Yes | Unknown |
| TRISTAR Insurance Group (New) | Insurance | Yes | Unknown |
| The Greenbrier Sporting Club (New) | Leisure | Yes | Unknown |
| Dillard Door & Security Inc. (New) | Manufacturing | Yes | Unknown |
| VAC-U-MAX (New) | Manufacturing | Yes | Unknown |
| Hawkins Sales (New) | Manufacturing | Yes | Unknown |
| VF Corporation (New) | Retail | Yes | Unknown |
| Petersen Health Care (New) | Health care | Yes | Unknown |
| Tri-City Medical Center (Update) | Health care | Yes | Unknown |
| Bayer Heritage Federal Credit Union (Update) | Finance | Yes | Unknown |
| Battle.net (Blizzard Entertainment) (New) | Software | Unknown | Unknown |
| Newfound Area School District (New) | Education | Unknown | Unknown |
| About two dozen US critical infrastructure organizations (New) | Includes utilities, transport, and energy | Unknown | Unknown |
| Kraft Heinz (New) | Manufacturing | Unknown | Unknown |
| Discord (New) | Software | Unknown | Unknown |
| Rocket League (Psyonix) (New) | Software | Unknown | Unknown |

Note: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.


AI

Panel discussion on AI and privacy in health care

At a recent panel discussion hosted by Georgetown University and the World Bank, experts discussed the opportunities and challenges of using AI in healthcare. One of the major issues the panel focused on was the use of patient data to teach AI models.


Enforcement

ALPHV/BlackCat ransomware site outage

The ALPHV/BlackCat ransomware-as-a-service group, which has often featured in the news in recent years for its numerous high-profile attacks, has suffered online disruption to its leak site and payment infrastructure.

The cyber intelligence company RedSense claimed that ALPHV’s site was “taken down by law enforcement,” although Infosecurity Magazine reports that the group has blamed the outage on “unspecified ‘hosting’ issues.” Whatever the cause, the site is missing its database of previous data breaches and currently lists only one: Advantage Group International.

Man sentenced to two years in prison for damaging former employer’s network

A former cloud engineer for a San Francisco bank has been sentenced to 24 months in prison for accessing the bank’s network after he was sacked and causing over $220,000 worth of damage. Miklos Daniel Brody “deleted the bank’s code repositories, ran a malicious script to delete logs, left taunts within the bank’s code for former colleagues, and impersonated other bank employees by opening sessions in their names” as well as emailing himself proprietary code.


Other news

CISA issues update on school cybersecurity challenges

The Department of Education and CISA (Cybersecurity and Infrastructure Security Agency) have published a brief about how to meet the cybersecurity challenges facing the K-12 sector. The brief, “K-12 Digital Infrastructure Brief: Defensible and Resilient,” urges school vendors and suppliers to implement secure-by-design principles that make robust security settings the default.


Key dates

December 15, 2023 – SEC cybersecurity rules, Forms 10-K and 20-F

Deadline for all registrants, including smaller reporting companies, to start providing cybersecurity risk management, strategy, and governance disclosures in Forms 10-K and 20-F.

December 18, 2023 – SEC cybersecurity rules, Forms 8-K and 6-K

Deadline for registrants that aren’t smaller reporting companies to start disclosing material cybersecurity incidents in Forms 8-K and 6-K.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back in the new year with the biggest and most interesting news stories, all rounded up in one place.