We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: How Hackers Are Exploiting Cloud Organizations, Mispadu Banking Trojan Targets Latin America, PayPal Data Breach Exposes Personal Information of 35,000 Users, and more.
Energy
Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Hitachi Energy has blamed a data breach affecting employees on the recent exploitation of a zero-day vulnerability in Fortra’s GoAnywhere solution. Hitachi Energy said the Cl0p ransomware gang targeted the GoAnywhere product and may have gained unauthorized access to employee data in some countries. Click to read entire article.
Retail
Chick-fil-A Confirms Data Breach
The fast food giant says it received information that hackers launched an attack on its website and mobile app between December 18, 2022, and February 12, 2023. After commencing an investigation with a national forensics firm, Chick-fil-A determined the app was actually attacked on February 12. However, in early January, Chick-fil-A had received reports from several customers that their Chick-fil-A app credentials were used to access linked bank accounts and transfer funds. Click to read entire article.
Cybersecurity Regulations
SEC Issues Multiple Cybersecurity Rule Proposals
The Securities and Exchange Commission (SEC) continued its focus on cybersecurity regulations this month by announcing three new proposed rules and re-opening the comment period on an additional proposed rule from last year. Click to read entire article.
Financial Services
PayPal Data Breach Exposes Personal Information of 35,000 Users
The company began notifying affected users on January 19th, 2023, with a letter explaining that their accounts had been hacked between December 6th and 8th, 2022. The letter stated that the hackers may have accessed names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, bank account numbers, and PayPal account balances. Click to read entire article.
Voya Financial Advisors, Inc. Reports Recent Data Breach Leaking an Unknown Number of Social Security Numbers
On March 14, 2023, Voya Financial Advisors, Inc. (“VFA”) filed a notice of data breach with the Massachusetts Office of Consumer Affairs and Business Regulation after learning that sensitive consumer information stored on the company’s computer system was accessible to an unauthorized party. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, and Social Security numbers. Click to read entire article.
Happy State Bank Notifies 10,069 Customers of Recent Data Breach
On March 16, 2023, Happy State Bank (“HSB”) filed a notice of data breach with the Maine Attorney General’s office after learning that confidential consumer information stored on the company’s computer system was compromised following an email phishing attack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names and Social Security numbers. Click to read entire article.
Healthcare
Alabama Healthcare Provider Announces 441,000-Record Data Breach
The Birmingham, AL, Heart Hospital, Cardiovascular Associates, has recently announced that unauthorized individuals gained access to certain parts of its network between November 28, 2022, and December 5, 2022, and removed files containing patient information. Click to read entire article.
US Healthcare Provider Reports User Data Breach of 4.2 Million Users
Florida’s leading third-party healthcare administration and managed care solution provider, Independent Living Systems (ILS), acknowledged the data breach where over 4.2 million individuals’ personal data was affected. Click to read entire article.
Trinity Health of New England Discloses Employee Email Breach that Exposed Patients’ Personal Data
Trinity Health of New England recently informed patients of a December data breach that compromised personal identifying information, payment information and care details, the organization said in notices and statements. Click to read entire article.
AllCare Plus Pharmacy, Inc. Notified Patients of Recent Data Breach Leaking Their SSNs and PHI
On March 16, 2023, AllCare Plus Pharmacy, Inc. filed a notice of data breach with the Texas Attorney General after learning that confidential patient information stored on the company’s computer system was compromised following a cyberattack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers, driver’s license numbers, financial account information, credit or debit card numbers, insurance information and protected health information. Click to read entire article.
Orlando Family Physicians Data Breach Class Action Settlement
Orlando Family Physicians agreed to a class action settlement to resolve claims surrounding a 2021 healthcare data breach. Click to read entire article.
Public Entity
District Court Approves $1.75 Million Data Breach Settlement
On March 3, 2023, the U.S. District Court for the Central District of California granted final approval of a $1.75 million class action settlement resolving allegations related to a 2020 data breach that compromised nearly 100,000 individuals’ personally identifiable information, including financial information, social security numbers, health records, and other personal data. The affected individuals are students, parents, and guardians who were enrolled in a system used to manage student data in a California school district. Click to read entire article.
Multnomah Co. Security Breach May Have Exposed Details of 2,000 Health Dept. Clients, County Says
Hackers Post More Stolen Minneapolis Public School Data to Dark Web
Minneapolis Public Schools notified parents that hackers who stole district data in a recent system breach released that information onto the dark web, where users are untraceable. Click to read entire article.
Crypto
General Bytes Bitcoin ATMs Hacked Using Zero-Day, $1.5M Stolen
Leading Bitcoin ATM maker General Bytes disclosed that hackers stole cryptocurrency from the company and its customers using a zero-day vulnerability in its BATM management platform. Click to read entire article.
Cyber Research
Hackers Mostly Targeted Microsoft, Google, Apple Zero-Days in 2022
Hackers continue to target zero-day vulnerabilities in malicious campaigns, with researchers reporting that 55 zero-days were actively exploited in 2022, most targeting Microsoft, Google, and Apple products. Click to read entire article.
How Hackers Are Exploiting Cloud Organizations
As more and more data moves to the cloud, hackers are getting smarter in their attempts to access it and cloud data breaches are running rampant. In recent weeks, we’ve seen several high-profile data breaches that have exposed sensitive information belonging to customers of various companies. In each case, the attacker used sophisticated techniques to gain unauthorized access to cloud services and steal data. Click to read entire article.
Pro Sports
US National Basketball Association Warns of Data Breach
Bleeping Computer is reporting that the US basketball league has sent out “Notice of Cybersecurity Incident” emails to a number of its followers, noting that while names and emails have been compromised, no other personally identifiable information was breached. Click to read entire article.
Latin America
Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen
A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal, with the goal of stealing credentials and delivering other payloads. Click to read entire article.
Asia Pacific
Latitude Financial Warns Customer Data Breach Could Widen and Hack ‘Remains Active’
The amount of customer data stolen from Australian company Latitude Financial may grow, with the non-bank lender confirming that drivers licenses, passports and Medicare numbers have already been hacked. It said then that about 330,000 customers were thought to have had their personal information stolen. Click to read entire article.
