The Week in Breach News: 09/18/24 – 09/24/24

Leading wedding dress retailer David’s Bridal has notified customers that their data may have been exposed in a January 2024 incident. The company reported to the Attorney General of Maine that they detected unusual activity on January 21, 2024, prompting them to secure their system, launch an investigation and notify federal law enforcement. The investigation revealed that on January 20, certain files containing confidential consumer data, including names and Social Security numbers, were accessed without authorization. David’s Bridal sent out data breach letters to anyone who was affected by this data security incident. 

New Hampshire-based Access Sports Medicine & Orthopaedics reported a data breach involving personal health information. The healthcare provider admitted that unauthorized actors accessed patient PHI and PII including names, birthdates, medical data, Social Security numbers, health insurance and limited financial details. Impacted individuals were notified by mail after the breach was discovered in July 2024.  

Mt. Carmel Behavioral Healthcare (MCBH) reported a data breach after an unauthorized party accessed an employee email account on June 12, 2024. The breach exposed sensitive consumer information, including names, Social Security numbers, birth dates, addresses and medical and health insurance details. MCBH secured the account, launched an investigation and notified affected individuals by mail between August 9 and August 30, 2024. 

Aramark, a top food service and facilities services provider, has disclosed that it has experienced a data breach. Aramark discovered that an unauthorized party created a fake website to steal employee login credentials and access the myPay site. The attacker aimed to change direct deposit details but also accessed other personal information, including names, addresses, Social Security numbers, and direct deposit details. 

On September 17, 2024, Fireworks Software reported a data breach after discovering unauthorized access to its network, affecting sensitive data from Rowan College at Burlington County. The breach occurred between June 23 and June 26, 2024. After securing its systems and investigating, Fireworks Software notified impacted individuals. The data breach letter that was uploaded to the Maine Attorney General’s site did not mention what type of information was compromised. 

Cybercriminals claim that Dell Technologies has experienced two related data breaches. One breach exposed over 10,000 employee records. Hackers claim to have obtained records that include an employee’s full name, ID number, active status, and internal employee ID information. The same hacker behind the original breach claims to have gone back for round two, this time snatching up data related to Jira files, database tables, and schema migrations, amounting to 3.5 GB of uncompressed data. The hackers claim to have gained access by compromising Dell’s Atlassian software suite.

Foodservice giant Compass Group confirmed a ransomware attack on its Compass Group Australia subsidiary. The Medusa gang claims to have stolen 785.5 GB of data. Medusa is demanding $2 million to delete or sell the data and has shared stolen documents. The documents may contain employee information including employee wage declarations, passports, driver’s licenses, and other internal files. The gang has threatened to publish the data in eight days if the ransom is not paid. 

Total Tools has disclosed that it has experienced a data breach. Initial investigations by a third-party cyber forensics team suggest that the data of 38,000 customers was compromised. Data reportedly includes customers’ names, log-on details, email addresses and credit card information. The company said that its investigation into the nature and size of the incident is still ongoing. Total Tools said that it has also informed the Australian Cyber Security Centre and Office of the Australian Information Commissioner.