Data Breach Report: April 2024 Edition

March 2024 was a rough month for data security. From major corporations to government agencies, data breaches exposed millions of individuals’ sensitive data across the globe. This month’s data breach report blog dives into some of the most significant breaches, including the colossal France Travail leak that impacted nearly half the French population, and the financial details exposed at AT&T.

The major US Cancer Center data breach reported in March 2024 involved City of Hope, a hospital operator and research center.

Scale of the Breach: Over 800,000 individuals were impacted, with some notified in December 2023 and others identified later.

Data Exposed: The breach exposed a wide range of sensitive information, including PII.

Cause of the Breach: An unauthorized third party gained access to City of Hope’s systems and copied patient files.

Aftermath: City of Hope took steps to contain the breach and began notifying affected individuals in late March 2024. They also posted an incident notice on their website in April: https://www.cityofhope.org/notice-of-data-security-incident

Scale of Breach: In February 2024, a data breach at SurveyLama, a popular survey rewards platform, exposed the personal information of over 4.4 million users.

Data Exposed: The leaked information included a variety of personal details such as: Names, dates of birth, email addresses, phone numbers, home addresses, IP addresses, etc.

Cause of Breach: The exact cause of the breach remains unknown.

Aftermath: SurveyLama notified affected users via email about the data breach and the mandatory password reset.

AT&T announced a major data breach in March 2024, impacting a staggering 73 million customers, including current and former ones. While details are still emerging, leaked data may include names, addresses, phone numbers, and even Social Security numbers.

Scale of Breach: AT&T is still investigating the source of the breach. It’s unclear if the data originated from their systems or a vendor they work with.

Data Exposed: The exact details of exposed data remain under investigation by AT&T. However, initial reports suggest it might have included PII data.

Aftermath: The aftermath of the AT&T data breach in March 2024 is still unfolding, with investigations, legal actions, and user concerns ongoing.

• Legal Actions: Class-Action Lawsuits: Several lawsuits have been filed against AT&T by users affected by the breach. These lawsuits allege negligence on AT&T’s part regarding data security and potential damages caused by the exposure of personal information.
• Password Reset: AT&T reset passwords for all current customers, aiming to prevent unauthorized access using potentially leaked credentials.
• User Notification: They began contacting affected individuals, including both current and former customers, informing them about the breach.
• Credit Monitoring: AT&T offered credit monitoring services (where applicable) to affected customers. This helps detect potential identity theft attempts related to the stolen data.

Scale of Breach: In March 2024, Mintlify, a documentation startup for developers, experienced a data breach that exposed GitHub tokens belonging to 91 customers. This breach occurred due to a security vulnerability in the software documentation platform that compromised access to private code.
Data Exposed: While not as severe as breaches exposing financial information, compromised GitHub tokens could allow attackers to:

• View private code repositories.
• Potentially modify or steal source code.
• Disrupt development workflows.

Cause of Breach: A vulnerability within Mintlify’s systems allowed unauthorized access to internal admin credentials. Hackers used these credentials to steal customer GitHub tokens.

Aftermath:

• They revoked all compromised GitHub tokens and advised users to generate new ones.
• Mintlify notified affected customers about the breach and the necessary actions.
• The company addressed the vulnerability and implemented security improvements like stronger encryption.

Incident report on March 13, 2024: https://mintlify.com/blog/incident-march-13

Scale of Breach: In March 2024, Acer Philippines confirmed that a cyberattack on a third-party vendor led to the unauthorized access of employee data. The data was then leaked on a hacking forum.

Data Exposed: Details about the specific data exposed are limited, but reports suggest it might have included current and past employees PII.

Cause of Breach: Third-party vendor attack. Acer Philippines itself wasn’t directly hacked, but a data leak occurred from a vendor managing their employee attendance data.

Aftermath: Acer notified the National Privacy Commission (NPC) and the Cybercrime Investigation and Coordinating Center (CICC) and a thorough investigation is underway.

Acer Philippines public statement – https://twitter.com/AcerPhils/status/1767551121629802875
Acer has been hit by several data breaches in recent years. These include incidents in March 2021, where millions of customer records were stolen, and February 2023, which saw a breach of their servers containing technical documents, software tools, and other sensitive data. Most recently, in October 2021, attackers compromised Acer’s systems again, stealing employee information.

Scale of Breach: A Japanese tech giant discovered malware on several of its internal computers. This malware potentially allowed unauthorized access to company systems.

Data Exposed: The potential impact of the breach depends on the nature of the stolen data. It could range from exposing employee or customer names and contact details to more sensitive information like financial data or social security numbers.

Cause of Breach: Fujitsu data breach remains under investigation. While malware is the confirmed entry point, details about its type and how it infected the systems are still uncertain.

Fujitsu Limited Notification – https://pr.fujitsu.com/jp/news/2024/03/15-1.html?=1710777600&=7194ef805fa2d04b0f7e8c9521f97343

Scale of Breach: Nearly 100,000 individuals in Australia and New Zealand were impacted by a data breach at Nissan Oceania in December 2023. The company has begun notifying affected customers, dealers, and employees in March 2024.

Data Exposed: The attackers exfiltrated a significant amount of data, including: Employee information, dealer information, customer information (including some from renault, mitsubishi, and other affiliated brands), some government identification documents (passports, driver’s licenses, etc.), potentially financial details for a smaller percentage of individuals.

Cause of Breach: The attack was attributed to the Akira ransomware group, known for targeting corporations.

Aftermath: The company has begun notifying affected customers, dealers, and employees in March 2024.

Nissan Oceania notification – https://www.nissan.com.au/website-update.html

In March 2024, France Travail, the French national employment agency (formerly known as Pôle Emploi), announced a major data breach that exposed the personal information of a significant portion of the French population.

Scale of the Breach: The breach potentially affected a staggering 43 million people. This includes:

• Job seekers registered in the last 20 years
• Individuals with a candidate profile on the agency’s websites
• People who ever created an account on their website

Data Exposed: The breach included names, dates of birth, social security numbers, employment agency identifiers, email and postal addresses, and telephone numbers, dating back 20 years.

Cause of Breach: The exact cause of the breach is still under investigation by French authorities.

Aftermath: France Travail notified the data protection agency (CNIL) and issued public announcements. While details are limited, they likely took steps to contain the breach and strengthen their cybersecurity. This event, considered one of France’s worst data breaches, is currently under investigation by the French Cybercrime Brigade.

Press release from France Travail – https://www.francetravail.fr/candidat/soyez-vigilants/cyberattaque-soyez-vigilants.html