The Week in Breach News: 09/06/23 – 09/12/23

Risk to Business: 1.676 = Severe

Pharma and medtech conglomerate Johnson & Johnson has experienced a data breach that impacts consumers who use its CarePath platform. IBM, the developer of the platform, notified customers that their data may have been accessed by unauthorized parties after the pharma giant discovered an exploitable flaw. IBM fixed the problem and investigated the incident. That investigation showed that bad actors had snatched data from users who enrolled before July 2023. The stolen data includes a user’s full name, contact information, date of birth, health insurance information, medication information and medical condition information. IBM is offering a free year of credit monitoring to those who may be affected by the incident. 

Risk to Business: 1.832 = Severe

Major travel booking platform Sabre has experienced a data breach caused by a ransomware attack. The Dunghill Leak ransomware group claimed responsibility for the attack. The gang said on its dark web leak site that it had stolen 1.3 terabytes of data, including databases on ticket sales and passenger turnover, employees’ personal data and corporate financial information. The group posted several screenshots as proof of the July 2023 hack. Some included passport images, employee records and tax forms. The incident is under investigation.

Risk to Business: 2.873 = Moderate

Freecycle, a nonprofit organization that enables members to exchange reusable items to prevent them from ending up in landfills, has disclosed a data breach that may impact seven million people. The company said that some user data was stolen in the attack including usernames, User IDs, email addresses and passwords. Freecycle said that it became aware of the data breach on August 30, 2023, although its data has been available on the dark web since May 2023.

Risk to Business: 1.210 = Extreme

 MGM Resorts, operator of hotels like the MGM Grand in Las Vegas, has announced that it is experiencing a cyberattack that drastically impedes its business. Major systems are impacted at its hotels and casinos as well as online, including its main website, online reservations, and in-casino services, like ATMs, slot machines and credit card machines. Some guests reported problems with room keys. MGM said that the attack began on September 10, and systems remained down as of September 11.

Risk to Business: 1.673 = Severe

The LockBit ransomware gang is responsible for an August 2023 ransomware attack on UK fencing company Zaun that may have resulted in sensitive military data becoming exposed. The company, a contractor for The Ministry of Defense, said that the breach occurred through a Windows 7 PC that was running software for one of its manufacturing machines. Zaun says that nothing was encrypted but confirmed that LockBit has stolen some very sensitive data. Reports say that the group accessed information that could help bad actors access HMNB Clyde nuclear submarine base, Porton Down chemical weapons lab and a GCHQ listening post. Detailed drawings of other military sites and high-security prisons were also included among the stolen data. LockBit demanded payment by August 29. When that deadline passed, the gang began publishing data on its dark web leak site.  

Risk to Business: 2.612 = Moderate

Dutch semiconductor company NXP has informed customers that they may have had their personal information exposed in a data breach. The affected customers appear to have an online NXP account, which provides access to technical content and community support. The exposed data includes customers’ full names, email addresses, postal addresses, business phone numbers, mobile phone numbers, company names, job titles and descriptions and communication preferences. The hack occurred on July 11, 2023, and was discovered by NXP a few days later on July 14. It remains under investigation.

Risk to Business: 1.802 = Severe

Dymocks, a venerable bookstore chain, has announced that it experienced a data breach that may impact 836k customers. The company discovered the hack after researchers informed it that its customer data had appeared on the dark web on September 6, 2023. The company said that it sees no intrusion of its own systems and contends that the data may have come from a third-party service provider. The exposed data includes a customer’s full name, date of birth, email address, postal address, gender and specialty membership details (gold expiry date, account status, account creation date, card ranking). The company says the incident has been reported to the relevant authorities and it remains under investigation. 

Risk to Business: 2.382 = Severe

TissuPath is investigating a data security incident that led to the exposure of sensitive health data going back a decade. The company says that the data was exposed due to one of its storage drives being illegally accessed by compromised user accounts at one of its service providers. TissuPath stressed that its main database and reporting system that stores patient diagnoses was not compromised. Stolen data includes scanned pathology request forms with information such as patient names, dates of birth, contact details, Medicare numbers and private health insurance details. The BlackCat/ALPHV group has claimed responsibility, claiming that it stole 446GB of data which has been published on the dark web.