We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: Honeywell Facing Multiple Lawsuits Over Data Breach, Hackers Steal $200M From Crypto Company Mixin, Lawsuit Filed in Skidmore College Data Breach, Sony Investigates the Alleged Data Breach That Has Led to Hacker Infighting, and more.
Casinos
MGM Resorts Faces Class Action Over Cyberattack, Operations Resume After 10-Day Shutdown
The cyberattack began on September 7, 2023, when hackers impersonated an IT admin and gained access credentials. The attack led to a lockdown of MGM’s network, preventing resort guests from using their electronic room cards, Wi-Fi, ATM kiosks, electronic gaming devices, and other resort services. Two cybercriminal organizations, “The Scatter Spider” and ALPHV, have claimed responsibility for the attack. Click to read entire article.
Clorox Warns of Q1 Loss From Cyberattack Linked to Vegas Casino Hackers
Clorox, a maker of cleaning products, said Wednesday it expects to post a first-quarter loss after a cyberattack in August caused product outages and disrupted supplies and operations. Click to read entire article.
Public Entity/ EMS
MO: Maries County Emergency Managements Says It Was Hit With Cyber Attack, Says One 911 Call Affected
Maries County EM said the attack appeared to have caused intermittent phone and internet issues, before causing issues with administration phones, 911 lines, radio communications and MULES connectivity. Click to read entire article.
Hinds County Approves Spending Hundreds of Thousands of Dollars in Payments for Cyberattack Recovery Efforts
Hinds County approved more than $600,000 in payments to restore its computer system after cyberattacks took it down days ago. Click to read entire article.
Healthcare
IBM and Johnson & Johnson Health Care Systems Sued Over August 2023 Data Breach
A lawsuit has been filed against IBM Corp. and Johnson & Johnson Health Care Systems Inc. over an August 2023 data breach that exposed the protected health information of thousands of people who used the Janssen CarePath patient assistance program. Click to read entire article.
(MOVEit Breach Related)
Caresource Sued for $9.9m in Data Breach Class Action Lawsuit
Plaintiffs are saying CareSource did not have adequate cybersecurity in place, which caused more than 3 million customers to have their data stolen, according to a complaint signed by attorney Jesse A. Shore on behalf of Todd Higham. Click to read entire article.
(MOVEit Breach Related)
WVU Medicine Patients Exposed to Data Breach Through Third-Party Vendor
WVU Medicine patients who received radiology services through its group of hospitals were exposed to a data breach earlier this year through a third-party vendor WVU Medicine contracts with. A letter sent to radiology patients dated Sept. 19 from Nuance Communications, the third-party vendor that provides some software services to WVU Medicine among many other organizations. The letter from Nuance stated that a third-party company it contracts with to securely transfer files, Progress Software, notified Nuance of a “previously unknown vulnerability” in their software. Click to read entire article.
Financial Services
(MOVEit Breach Related)
Omaha-Based TD Ameritrade, Charles Schwab Facing Lawsuits Over Data Breach in March
TD Ameritrade Inc. and Charles Schwab, which acquired the company in 2019, have been sued in federal court in Omaha over a data breach of customer information earlier this year. Two cases filed by Floridians Keren Jeanfort and Fortuno Jeanfort in U.S. District Court in Omaha are seeking class-action status on behalf of the approximately 61,000 customers whose names, Social Security numbers and other personally identifiable information were stolen by hackers. Click to read entire article.
(MOVEit Breach Related)
Financial Institution Service Corp. Notifies Over 750k Consumers of Massive Data Breach Related to MOVEit Vulnerability
On September 22, 2023, Financial Institution Service Corp. (“FISC”) filed a notice of data breach with the Attorney General of Maine after discovering that a vulnerability in the file-transfer application MOVEit allowed hackers to access the personal information of more than 750,000 people. Click to read entire article.
Manufacturing
Honeywell Facing Multiple Lawsuits Over Data Breach
Charlotte-based manufacturing company Honeywell failed to protect customers’ personal information from cybercriminals and did not alert people when their data was breached, according to three separate class-action lawsuits filed in September. Honeywell stored a significant amount of personal information on its network including, Social Security, passport, driver’s license and financial account numbers, the lawsuits said. Click to read entire article.
Sony Investigates the Alleged Data Breach That Has Led to Hacker Infighting
A threat actor under the name “MajorNelson,” claimed that Ransomed.vc lied about its access. The alleged Sony data breach just got messier. Relatively new hacking group Ransomed.vc made the lofty claim that it had successfully compromised “all” of the company’s systems, as reported by Cybersecurity Connect. Now a second threat actor has leaked the data believed to be in Ransomed.vc’s possession, claiming the former are “scammers” trying to “chase influence.” Click to read entire article.
Tech – AI
(MOVEit Breach Related)
Microsoft-Owned AI Company Data Breach Affects 1.2 Million Patients
Nuance Communications, a healthcare artificial intelligence company owned by Microsoft, announced that 13 of its healthcare clients’ data was affected by the MOVEIt software breach, The HIPAA Journal reported. Click to read entire article.
Higher Ed
(MOVEit Breach Related)
National Student Clearinghouse Data Breach: Nearly 900 Schools Impacted
Cl0p ransomware gang gained access to its MOVEit server and stole files containing personally identifiable information. The National Student Clearinghouse (NSC) revealed a recent data breach impacted 890 schools that use its services. Clearinghouse is a nonprofit that provides educational reporting, data exchange, verification, and research services to approximately 22,000 high schools and 3,600 colleges and universities, which make up roughly 97% of students in public and private institutions, according to Bleeping Computer. Click to read entire article.
Lawsuit Filed in Skidmore College Data Breach
“Students and employees are now having to take their personal time to clean up the mess that was not of their making,” said William B Federman, managing partner at Federman & Sherwood Law Firm. The firm has filed a class action lawsuit representing anywhere from 12,100 to 121,000 people —who are either staff or students at Skidmore College — that were victims of a data breach this past February. Click to read entire article.
UPDATE: University of Minnesota Reports Data Breach May Have Impacted Student and Faculty Info Dating Back to 1989
On September 21, 2023, the University of Minnesota (“U of M”) provided an update regarding a data security incident that may have compromised millions of current and former students’ Social Security numbers. Click to read entire article.
Cryptocurrency
Hackers Steal $200M From Crypto Company Mixin
Hong Kong-based crypto company Mixin announced that it was breached and that the hackers stole around $200 million. Click to read entire article.
Canada
SickKids Impacted by BORN Ontario Data Breach That Hit 3.4 Million
The BORN Ontario data breach that impacted 3.4 million people was caused by the exploitation of well-known zero-day vulnerability (CVE-2023-34362) in Progress MOVEIt Transfer software. Click to read entire article.
Asia Pacific
Pizza Hut Australia’s Data Breach Impacts Over 190K Customers
Pizza Hut Australian operation’s Chief Executive Phil Reed said the company became aware of the incident in early September and launched an investigation. The probe determined there was unauthorized third-party access to personal information stored on the compromised system. Click to read entire article.
Consumer Council Says Over 20,000 Alerted of Data Breach
Hong Kong’s Consumer Council chief said that over two days, around 25,000 notices had been sent to people believed to be affected in a recent data breach, with another 1,600 who previously participated in a voting event alerted of the incident. Click to read entire article.
Middle East
Hacker Demands $400,000 Ransom From Kuwaiti Ministry of Finance Following System Breach
Hacker threatens to sell data unless ransom paid, sets 7-day ultimatum. Click to read entire article.
