IT Governance, the global provider of cyber risk and privacy management solutions, discovered that more than 3.81 billion records were compromised in 71 publicly disclosed security incidents in September 2023.
September’s incidents pushed the number of compromised data records this year to more than 4.5 billion. This alarming milestone was primarily driven by the largest data breach of the year, in which Darkbeam exposed a staggering 3.8 billion records via a misconfigured Elasticsearch and Kibana interface.
The number of records compromised in September represents an astounding 10,598% surge compared to September 2022 and a 4,677% rise from August 2023.
On 18 September, Bob Diachenko, the CEO of SecurityDiscovery, discovered that Darkbeam had inadvertently left an Elasticsearch and Kibana interface unprotected, exposing user emails and passwords from reported and non-reported breaches. Diachenko alerted Darkbeam, which swiftly addressed the vulnerability.
The majority of the 3.8 billion exposed data records originated from previous breaches and were, ironically, compiled by Darkbeam to inform its clients of incidents affecting their personal data. However, the sheer volume and organisation of this information provided an opportunity for anyone who accessed it to craft convincing phishing campaigns.
Though it remains uncertain if anyone accessed this data, users should check their credentials via haveibeenpwned.com, and adopt precautionary measures like updating passwords, implementing multifactor authentication and looking out for phishing attacks. In general, you should always be cautious about opening email attachments and clicking links unless you can be certain they are not malicious.
Elsewhere, the repercussions of the MOVEit Transfer breach continue.
The most significant impact, in terms of the number of people affected, was on Better Outcomes Registry & Network. It found that the personal health information of approximately 3.4 million people, primarily those seeking pregnancy care and newborns born in Ontario between January 2010 and May 2023, was compromised.
Other recent victims of the MOVEit breach include Microsoft’s healthcare tech company, Nuance, which issued a breach notice for 13 healthcare organisations; the National Student Clearinghouse, which notified 900 schools of the breach; and CareSource, a Medicaid and Medicare plan provider, which reported that information of 212,193 people was exposed.
While the full extent of the MOVEit breach is still unknown, current estimates suggest it has affected more than 2,000 organisations and more than 60 million people. It’s likely we’ll see further disclosures in the coming months.
The personal details of 2.2 million Pakistani citizens, including their contact numbers and credit card information, have surfaced on the dark web, available to buy for 2 Bitcoin. This data breach appears to be the result of criminal hackers infiltrating a database used by more than 250 restaurants.
Indolj, a popular food ordering app, denies any involvement, asserting that a thorough examination revealed no correlation between the compromised data and current customer transactions on its platform. It further clarified that it does not retain any credit card or payment-related information, making it impossible for any customer payment data to be exposed from its platform.
Geo News reports that the perpetrators provided a sample of the stolen data in their online listing, as well as naming “dozens of food outlets”. The security company CTM360 examined this data and corroborated Indolj’s assessment, having found that the data originates from a 2022 leak. CTM360 is monitoring the situation and will notify any affected organisations should any credible data be released.