The Week in Breach News: 05/22/24 – 05/28/24

Risk to Business: 1.401 = Extreme

11 major drug companies have disclosed that they have suffered a data breach as the result of a February 2024 hacking incident at pharma services giant Cencora. The impacted companies include Bayer Corporation, Novartis Pharmaceuticals, Regeneron Pharmaceuticals, AbbVie, Incyte Corporation, Genentech, Sumitomo Pharma America, GlaxoSmithKline Group, Acadia Pharmaceuticals and Endo Pharmaceuticals. The California Attorney General’s Office said in a posting that Cencora had determined in an investigation that ended in April 2024 that patient data that Cencora retained for each of those companies including a patient’s full name, address, health diagnosis, medications and prescription data was accessed by bad actors. Cencora is offering recipients two years of free identity protection and credit monitoring services through Experian.

Risk to Business: 1.856 = Severe

Albany County Executive Daniel McCoy has confirmed that the county is experiencing cybersecurity trouble. So far, there hasn’t been a major disruption to county services. However, anyone seeking certificates of residency online will need to call the county Division of Finance, rather than use the county’s online service which is down. No determination has been made about the extent of the breach or if any data was stolen. County officials said that they are working with the U.S. Department of Homeland Security and the Emergency Services Cyber Incident Response Team to investigate the incident. 

Risk to Business: 1.721 = Severe

The city of Wichita, Kansas is beginning the slow climb back to full functionality after a successful ransomware attack by LockBit. The city disclosed last week that law enforcement incident and traffic information was snatched from its computer network between May 3 and 4, 2024. City officials pointed to an unnamed software vulnerability as the bad actors’ entry point. Data stolen in the incident includes peoples’ names, Social Security numbers, driver’s license or state identification card numbers and payment card information. The city warned residents that it will take time for all systems to be restored, including systems used to pay utility bills.

Risk to Business: 1.803 = Severe

 Over 2.8 million people had personal and medical data exposed in a breach at prescription manager Sav-Rx. In a disclosure to the Maine Attorney General, the company noted that in October 2023, bad actors accessed data including patients’ names, dates of birth, email addresses, physical addresses, phone numbers, social security numbers, insurance identification numbers and eligibility data for prescriptions. The company said that it is working with law enforcement in its continuing investigation.

Risk to Business: 1.712 = Severe

1,883 Walmart employees who participate in the Walmart 401(k) Retirement Plan were notified last week about a data breach that occurred at recordkeeper Merrill Lynch, Pierce, Fenner & Smith Inc. The company told the impacted Walmart employees that on April 16, a Merrill employee mistakenly disclosed personal information to an unauthorized recipient in an email. The information exposed included the employees’ first names, last names and Social Security numbers. Merrill is providing a complimentary two-year membership in an identity theft protection service eligible for affected individuals.  

Risk to Business: 2.376 = Severe

Illinois-based Trionfo Solutions told the Attorney General of Maine that it had experienced a data security incident. The company said that bad actors illegally accessed its systems between December 4, 2023, and December 6, 2023. Breached information varies depending on the individual, but it may include a consumer’s name, address, date of birth, Social Security number, phone number and email address. Trionfo Solutions said that it has sent out data breach letters to anyone who was affected. 

Risk to Business: 1.866 = Severe

TRC Talent Solutions, a Georgia-based staffing company sometimes known as TRC Staffing Services, has disclosed that it suffered a data breach to the Attorney General of Maine. The May 24, 2024, filing said that unauthorized parties gained access to a trove of data between March 25 and April 12, 2024. The intruders stole personal data that TRC was holding including the names and Social Security numbers of job seekers. TRC said that it has sent out data breach letters to anyone who was affected.

Risk to Business: 2.602 = Moderate

The Welsh Rugby Union (WRU) said that it is investigating a data breach that may have exposed nearly 70,000 members’ personal information. The organization pointed to a misconfigured AWS S3 bucket left publicly accessible as the source of the trouble. WRU disclosed that member data including full names, dates of birth, phone numbers, home addresses, email addresses, membership purchase details and the type of membership purchased was stored in that bucket. WRU stressed that no password or payment information has been compromised.