The Week in Breach News: 09/04/24 – 09/10/24

Between May 27 and May 31, 2023, a data breach occurred when unauthorized third parties exploited a vulnerability in the MOVEit service, compromising beneficiaries’ personal information, according to the Centers for Medicare & Medicaid Services (CMS). MOVEit’s developer, Progress Software, disclosed the breach on May 31, but the Wisconsin Physicians Service Insurance, a CMS contractor, recently discovered that files containing Medicare claims data and personal information had been affected. CMS and WPS are notifying 946,801 individuals whose data may have been exposed, outlining steps to take in response.

New Jersey-based rental car giant Avis has reported a data breach affecting 299,006 individuals. In this breach, bad actors accessed sensitive customer information such as names, addresses, emails, phone numbers, birth dates, credit card details and driver’s license numbers. A filing with Maine’s attorney general disclosed the breach. Texas is the most affected state, accounting for 34,592 individuals. Avis also owns the Budget car rental and Zipcar car-sharing brands. 

Drugstore chain Rite Aid has disclosed that it experienced a data breach on June 6, 2024. Bad actors successfully compromised an employee’s credentials and gained access to sensitive business data. The breach exposed customer addresses, dates of birth and ID numbers from purchases between June 6, 2017, and July 30, 2018. Social Security numbers and healthcare information were not affected.

Officials in St. Charles Parish, Louisiana, recently discovered a cyberattack involving a vendor whose email system was compromised. This allowed a threat actor to alter the vendor’s banking details, leading to a $1 million invoice payment being redirected to the fraudulent new account. An investigation by local and federal law enforcement is underway following the vendor’s inquiry about the payment.

Planned Parenthood of Montana confirmed a cyberattack that began on Aug. 28, 2024. The cybercrime group RansomHub has claimed responsibility. In a post on the group’s dark web leak site, the gang claimed to have stolen 93 gigabytes of data. The healthcare organization said that it was able to quickly institute its incident response plan and minimize damage.

Highline Public Schools, a district south of Seattle with 17,500 students, canceled classes for Monday due to a cyberattack. The district detected unauthorized activity on its systems and is working with partners to restore them. The closure affects all school activities, athletics, and meetings. The attack has disrupted communications, transportation and attendance records, but no personal information theft has been detected.

Tewkesbury Borough Council in Gloucestershire, England, has warned residents of a cyberattack and is assuming its systems have been compromised. The council has shut down its systems as part of the response, leading to service disruptions and busy phone lines. The specifics of the attack and whether personal information was affected are still unclear. Residents have been asked not to contact the council except in an emergency.

Guam Seventh-Day Adventist Clinic has experienced a data breach. The healthcare provider said that unauthorized persons gained access to a few employee email accounts occurred between Jan. 23 and Feb. 3, 2023. An investigation revealed that personal and protected health information, including names, contact details, financial information and medical records, was exposed. Not all types of data were affected for every individual.