The Week in Breach News: 10/09/24 – 10/15/24

Fidelity Investments has reported a data breach to Maine’s attorney general. The filing revealed that over 77,000 customers’ personal information, including Social Security numbers and driver’s licenses, was compromised between August 17 and 19, 2024. The breach occurred through two newly established customer accounts, though Fidelity did not explain how these accounts accessed other customers’ data. Fidelity stopped the breach on August 19. The impacted clients, only a small portion of Fidelity’s 51.5 million customers, are being offered 24 months of free credit monitoring and identity restoration services.

Security titan ADT has experienced another data breach. The company said that this breach was caused by credentials that were stolen from a third-party business partner. Those credentials then enabled threat actors to breach ADT’s systems. The company disclosed that it is investigating the incident with third-party cybersecurity experts. As part of its investigations, it was determined that encrypted account data for employees was stolen in the attack. This is ADT’s second breach in the past two months after a late August 2024 leak of an estimated 38K customer records. No ransomware gangs or other threat actors have claimed responsibility for the attack.  

American Water, the largest US water utility, disclosed a cyberattack affecting internal systems on October 3. The company, which serves over 14 million people across 14 states, said that it acted quickly to secure its networks and confirmed that its water and wastewater facilities remain fully operational. There was no interruption in service. While assessing the breach’s scope, American Water has disconnected certain systems and suspended customer billing, assuring customers they won’t incur late fees. No cybercrime group has claimed responsibility. 

Australian entertainment company Funlab has confirmed a ransomware attack after being listed by the Lynx gang, a suspected rebranding of the INC Ransomware on its leak site. The company said that the incident took place between September 20 and 22. Funlab does not believe guest data has been accessed, and the leak was limited to current and former employees. While Lynx hasn’t disclosed the ransom or data volume stolen, they posted screenshots and documents as proof, revealing folders like Payroll, Finance and Gsuite Backup. Leaked files include budget spreadsheets and internal communications. Funlab operates a variety of entertainment venues including Strike Bowling.

Australian produce company Perfection Fresh has been listed by the Sarcoma ransomware group, one of three Australian victims in 24 hours. Sarcoma claims to have stolen 690GB of data, including files and SQL databases and has leaked internal documents as proof. While no ransom demand has been made public, Perfection Fresh has confirmed the breach. Perfection Fresh said that it has informed the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. 

Sydney-based manufacturer The Plastic Bag Company suffered a data breach, with the up-and-coming ransomware group Sarcoma ransomware group claiming to have stolen 3.6GB of data. The company’s website has also been knocked offline. Sarcoma has leaked documents, including tax returns, wage details, insurance records and passport scans from Australian and New Zealand nationals. The gang threatens to release the full data in 26 days, though no ransom has been specified.

Game Freak, the developer behind the Pokémon video games confirmed a major data breach affecting over 2,000 current and former employees. A wide array of information was shared on a forum called r/PokeLeaks including employee information, development documents, source code and art. The incident has been dubbed the “TeraLeak,” Game Freak said in a statement that the breach occurred due to unauthorized server access in August 2024.

Casio has confirmed that it experienced a ransomware attack earlier this month, with personal and confidential data of employees, job candidates and some customers stolen. Disclosed Monday, the attack caused system disruptions and outages. The Underground ransomware group claimed responsibility. The compromised data includes personal details of Casio employees, business partners, job candidates and customers, along with contracts, financial data and internal documents. Casio clarified that customer payment information and systems like CASIO ID and ClassPad.net were unaffected, as they are hosted separately.