November 20, 2023

Monthly Data Breach Report: November 2023 Edition

PKWARE

In the ever-evolving landscape of digital security, October 2023 marked a pivotal moment as an unprecedented breach sent shockwaves through the interconnected realms of cyberspace. The ramifications of this intrusion have been felt far and wide, affecting individuals, businesses, and organizations alike.

A data breach is a serious incident that can have a significant impact on the lives of the individuals affected. It is important for companies to take steps to protect their customers’ data and to be transparent about any breaches that occur. This post aims to guide you through the intricate details of a few October 2023 breaches, shedding light on what, why, and how these cyber incidents occurred.

Motel One

A European budget hotel chain announced that it had suffered a data breach. The breach affected approximately 10 million guests, whose names, addresses, phone numbers, email addresses, and dates of birth were compromised. The hackers also gained access to payment card information for some guests.

This is the second major data breach to hit a hotel chain in recent months. In September 2023, Marriott International announced that it had suffered a breach that affected approximately 5.2 million guests.

Really Simple Systems

In a recent discovery, cybersecurity researchers uncovered a significant data breach exposing over 3 million records. The breach involved a non-password-protected database associated with global B2B CRM provider Really Simple Systems, potentially compromising sensitive information from various organizations.

Exposed documents included internal invoices, communications, customer CRM files, and more. The database consisted of hundreds of folders containing documents related to individual companies and their customers. Shockingly, the records exposed personal details such as customers’ names, addresses, and CRM plan information, making them highly sensitive.

Aadhaar Data Breach

Shortly after India launched its data protection law, the Digital Personal Data Protection Act 2023, on August 11, 2023, reports emerged of a massive data breach involving the Aadhaar database, India’s national biometric ID system. A threat actor known as “pwn0001” claimed to have access to the personal information of over 81.5 crore (815 million) Indian citizens, including names, addresses, phone numbers, Aadhaar numbers, and passport details.

According to media reports, the Central Bureau of Investigation (CBI) is currently investigating the data breach. If the investigation yields affirmative results, it could potentially mark the largest data breach in history.

23andMe

Genetic testing company 23andMe notified customers that there had been a data breach that exposed the DNA Relatives profile information of some users. The breach was caused by threat actors who gained unauthorized access to 23andMe accounts through “credential stuffing,” a technique that uses leaked usernames and passwords from other websites to gain access to accounts on different platforms.

The extent of the breach is still being investigated, but 23andMe has estimated that it may have affected millions of users. The company has said that it is working to identify and notify all affected users and has implemented additional security measures to prevent future breaches.

AIDS Alabama

AIDS Alabama, a non-profit organization that provides HIV/AIDS services in Alabama, announced that it had experienced a data breach that exposed the personal information of approximately 1,922 individuals. The breach occurred between October 2021 and August 2022, and the organization discovered it in August 2023.

The type of information exposed in the breach included names, addresses, phone numbers, HIV test results, and dates of birth. AIDS Alabama has not released any information about how the breach occurred, but it is investigating the incident and has notified law enforcement.

D-Link Confirms Data Breach

D-Link, a Taiwanese networking equipment manufacturer, confirmed a data breach that exposed the personal information of approximately 700 customers and employees. The breach occurred due to a phishing attack that tricked an employee into clicking on a malicious link, which granted the attacker access to the company’s network.

The stolen data included names, email addresses, postal addresses, phone numbers, and account registration dates.

DNA MICRO

The leaked data included the personal information of over 820,000 customers, including names, addresses, phone numbers, email addresses, warranty claim status, phone models, purchase date, International Mobile Equipment Identity (IMEI) numbers, store from which the item was purchased, and cell carrier. The data breach was caused by a misconfiguration in DNA Micro’s systems.

DNA Micro is an Irvine, California-based company that provides screen warranty services for mobile phones. The company’s customers include InstaProtek, Liquipel, and Otterbox.

Casio

Casio Computer Co., Ltd., a Japanese electronics company, disclosed a data breach that affected 91,921 customers in Japan and 35,049 customers in 148 other countries. The breach resulted in the unauthorized access and leak of personal information.

Casio has not provided any information about the total number of affected individuals or any information about the identity of the attackers.

Keep your organization out of breach headlines by ensuring your organization not only knows where all its sensitive data is stored but can also protect it wherever it lives and moves.
