The Week in Breach News: 01/10/24 – 01/16/24

Risk to Business: 1.702 = Severe

Texas-based HMG Healthcare is informing patients and their families that it has experienced a data breach that impacts the personal health information of employees and residents at 40 affiliated nursing facilities. HMG said that it first discovered the intrusion in November 2023, but an investigation determined that the data breach occurred in August 2023. Exposed data includes names, contact information, dates of birth, health information, medical treatment details, Social Security numbers and employee records.

Risk to Business: 2.591 = Severe

Water for People, a Colorado-based non-profit that works to provide access to clean water and sanitation in under-resourced countries, has been added to the website of the Medusa ransomware gang. The gang is demanding a $300k ransom. A spokesperson for Water for People said that the bad actors accessed data from before 2021, did not compromise the non-profit’s financial systems and no business operations were impacted. Philanthropist MacKenzie Scott, once married to Amazon founder Jeff Bezos, recently granted the non-profit $15 million toward its effort to improve water access for more than 200 million people over the next eight years. 

Risk to Business: 2.703 = Moderate

The Toronto Zoo announced it’s been hit by a ransomware attack. The January 5 attack impacted some of the zoo’s systems. Officials were quick to reassure the public that animal care and welfare were not affected. The zoo said it is investigating to determine if guest, member or donor records might be impacted. It also said that online ticket purchases and the zoo’s website are still functioning. Zoo officials also reminded the public that it doesn’t have any credit card information stored on hand. 

Risk to Business: 1.762 = Severe

The Midwives of Windsor, a maternity healthcare provider, has disclosed that it has experienced a data breach. The association said that it discovered that an unauthorized party gained entry to an employee email account in April 2023, giving them access to client data. The client information compromised includes a patient’s name, mailing address, email address, telephone number, date of birth, information regarding your pregnancy, treatment/diagnosis information, prescription information, patient ID and health insurance information. That patient’s child’s name and date of birth may have also been exposed. 

Risk to Business: 1.423 = Extreme

The largest public university in Atlantic Canada, Memorial University of Newfoundland (MUN), has experienced a cyberattack that has impacted its operations, causing one of its campuses to delay learning. Officials said that the college discovered the attack on December 29 and activated security protocols that included isolating impacted systems to prevent further damage. Grenfell campus was the hardest hit. As a result, the start of classes, in person and remote, was postponed from January 4 to January 8. Internet and WiFi for resident students and payment terminals for credit and debit card transactions are also not working. Services at the Marine Institute campus have been fully restored.  

Risk to Business: 1.736 = Severe

Beloved British retailer Lush has disclosed that it is experiencing a cyber incident that is widely believed to be a ransomware attack. The company said in a statement that a comprehensive investigation is underway utilizing external IT forensic specialists. Lush has not disclosed what if any, data was stolen by the attackers or the extent that it expects that the incident will impact its operations.  

Risk to Business: 2.736 = Moderate

Printed music publishing company Hal Leonard Australia, the subsidiary of a US-based parent company also called Hal Leonard, has fallen victim to a ransomware attack. The Qilin ransomware gang has claimed responsibility for the attack, subsequently sharing 37.6 GB of the company’s data online last week. That data included a full list of Hal Leonard employees along with their contact information and ranking. Also included were emails regarding credit details with third-party customers, debt notices and banking summaries. Hal Leonard sells sheet music for well-known acts including The Beatles, Miles Davis, Irving Berlin and Stevie Wonder. 

Risk to Business: 1.433 = Extreme

A misconfiguration is to blame for a data breach at Inspiring Vacations, a Melbourne-based travel agency. Most of the victims are Australian citizens, but identification documents from New Zealand, the United Kingdom and Ireland were also exposed. Altogether, the database contained information about 13,684 customers, including names, email addresses, trip costs, and destinations, contained in 48 Excel spreadsheets. It also contained 24,000 itinerary and e-ticket documents, some showing partial credit card numbers, and internal company documents, including 17,000 tax invoices to partners and affiliates.