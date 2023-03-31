29 March
VodafoneZiggo
Company type: Telecom provider
Attack type: Data breach (third-party software issue)
Affected: 700,000
Dutch telecom provider VodafoneZiggo reported a data breach incident to the Dutch Data Protection Authority (DDPA) after an unauthorised person was able to access consumer information that included names and email addresses. This was due to an issue with the company’s party software provider. No bank details or passwords were compromised, according to the NL Times, but the exposure of personal contact details enhances exposure to phishing scams so anyone concerned should be vigilant.
28 March
T-Mobile
Company type: Large telecommunications company based in US
Attack type: Hacking
Affected: 836
T-Mobile became aware of their second attack of 2023 on 27 March. Hackers accessed the information of some 836 customers, which exposes them to phishing attacks and fraud. On 28 April, Bleeping Computer shared the notification letter that was sent to those affected. The letter states: “No personal financial account information or call records were affected.” It also highlighted how the information shared varied across customers, but that it may have included PII as well as social security numbers, government IDs and T-Mobile account pins. T-Mobile also reset customer pins and offered two years free credit monitoring as compensation.
21 March
Independent Living Systems
Company type: Large health and social support company based in US
Attack type: Hacking
Affected: 4.2 million
On 14 March 2023, Independent Living Systems, a Miami-based healthcare administration that serves 5 million Americans, issued letters to customers affected by a 2022 data breach in which sensitive patient information (potentially including names, contact information, driver’s licence, state identification, social security numbers, Medicare/Medicaid IDs, general health and health insurance information) was accessible and potentially viewed by unauthorised persons.
The notice states: “We are unaware of any identity theft or fraud resulting from this event,” ahead of detailing how its systems were hacked between 30 June and 5 July 2022 and how, on realising the breach, the company conducted a review. The results were released on 17 January 2023, at which point the company claims to have acted as quickly as possible to notify those affected. However, Independent Living Systems is now being sued for failure to adequately safeguard patient data and for the wait time ahead of notifying those 4.2 million (the majority of its customer database) that may be at risk.
17 March
Latitude Financial Services
Company type: Large financial services company based in Australia and New Zealand
Attack type: Threat actor
Affected: 14 million
Latitude Financial Services is a leading instalments and lending business. It has a current database of 2.8 million customer accounts and over 5,500 merchant partners across Australia and New Zealand. It went public about a data breach on 16 March, confirming that a threat actor stole an employee’s log-in details and was able to access two of its service providers. According to Latitude Financial’s review (which is still ongoing), approximately 7.9 million driver licence numbers were stolen and a further 6.1 million records (including PII) were stolen.
The case is ongoing, much to customers’ fury, and Latitude have confirmed they will not pay a ransom to those behind the cyberattack.
16 March
PayPal
Company type: Global online payment platform based in US
Attack type: Cyberattack
Affected: 35,000 users
In 2023, Paypal confirmed that it suffered a security breach in December 2022, compromising personal and financial information of almost 35,000 users.
According to legalscoops.com, PayPal started an investigation as soon as it detected the attack, which took place between the 6 and 8 December, but it wasn’t complete until 20 December. The letter notifying those affected was distributed 23 January, disclosing that the hackers may have had access to social security numbers, bank account numbers and PayPal account balances, in addition to PII. Although PayPal noted that log-in details weren’t accessed via its own network, it didn’t elaborate on how these credentials were acquired.
Some users have now filed lawsuits against PayPal as they are dissatisfied with the apology and compensation of free credit monitoring and identity theft protection services. Further advice from PayPal is to update passwords and keep an eye out for suspicious activity.
10 March
Postal Prescription Service (PPS)
Company type: Large mail-order pharmacy service
Attack type: Internal/human error
Affected: 82,466
PPS, a mail-order pharmacy service and part of retail company Kroger, had to notify 82,466 individuals that they may have had their data breached due to an internal error. No sensitive medical or financial information was shared, however, the names and emails of users that created grocery accounts between July 2014 and 13 January 2023 were exposed. Health IT Security noted how PPS did not share more information on the exact cause of the internal error, but that it is updating its website and making procedural changes to avoid recurrences.
10 March
Florida Medical Clinic (FMC)
Company type: Healthcare provider
Attack type: Ransomware, followed by hacking
Affected: 95,000
FMC became aware of suspicious activity on its servers on 9 January at which point it contained the incident and launched an investigation with a third-party forensic firm which confirmed that files stored on the FMC system were accessed by one or more unauthorised parties. The data included consumers’ names, social security numbers, medical information, phone numbers, email addresses, dates of birth, and addresses, according to JD Supra’s report. Letters were sent out to those affected on 10 March.
9 March
AT&T
Company type: Large multinational telecommunications holding company based in US
Attack type: Data breach, vendor hack
Affected: 9 million
AT&T told BleepingComputer that 9 million wireless customers may have had their Customer Proprietary Network Information (CPNI) accessed. This kind of data includes first names, wireless account numbers, wireless phone numbers, and email addresses, with some dated information on rate plan names and payment history. According to BleepingComputer, AT&T claimed this was due to device upgrade eligibility and that their systems were not compromised.