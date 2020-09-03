Company Information Affected

Southern Water (UK) Security researcher ‘Chris H’ identified a flaw in the Southern Water website customer management area which allowed a logged-in user to view the details of fellow customers. The exposed customer information included names, addresses, customer account numbers, meter details, limited banking information, and more. Unknown

United Memorial Medical Center (US) Maze ransomware operators added United Memorial Medical Center to their data leak site. The group also leaked files which they claim to have exfiltrated. While most of the leaked data were general files, one folder did appear to contain patient records. Researchers found that names within the files matched those of individuals living within the Houston area. Unknown

Jands (Australia) The staging equipment distributor Jands was targeted in a ransomware attack by a threat actor using NetWalker ransomware. NetWalker operators posted screenshots on their website purportedly showing financial data, customer details and other information obtained from the company. Unknown

PULAU Corporation (US) An unauthorised party gained access to the PULAU network and acquired a number of confidential company files. The affected data may include employee names, contact information, dates of birth, government-issued IDs, bank account or payment card information, online credentials and medical information. Unknown

Greenville Technical College (US) Avaddon ransomware operators claim to have exfiltrated 600 GB of data from the college. According to a college spokesperson, personal data was not impacted, an assertion contested by the ransomware operators, who claim to be in possession of Social Security numbers, driver’s licenses, medical information, and more. The attackers posted financial documents relating to the college president, his wife, the vice president for finance, and other employees. Unknown

American Payroll Association (US) An unknown threat actor deployed a card skimmer on the Association’s website and online store. Further investigation revealed that the malicious activity dates back to May 13th, 2020. The perpetrator was able to access personal information such as names, email addresses, job title, dates of birth, and more, as well as payment card information. In some cases, the attackers also accessed social media usernames and profile photos of affected members and customers. Unknown

Utah Pathology Services (US) On June 30th, 2020, the laboratory found that an unknown third party attempted to fraudulently redirect funds. No financial transaction was completed; however, the personal information of certain individuals was accessible to the unauthorised party. This includes names and personal details such as date of birth, gender, phone number, mailing address, insurance information, medical information, and in some cases Social Security numbers. Unknown

Manitoba Government (Canada) On August 26th, 2020, an employee accidentally sent an email containing a spreadsheet with information related to Children Disabilities Services clients, intended for the Manitoba Advocate for Children and Youth, to about 100 other organisations. Exposed data included the children’s personal information such as diagnoses and addresses. 9,000

Transport for NSW (Australia) An open AWS storage instance exposed scanned driver’s licenses of New South Wales (NSW) residents. The exposed bucket contained both the front and back image of the driver’s license, along with scans of Road and Maritime Services tolling notice statutory declarations that included individuals’ birth dates and phone numbers. Transport for NSW believes an unnamed third party may be responsible for the leak. 54,000

State of Michigan (US) Russian media outlet Kommersant alleged that the personal data of 7.6 million Michigan voters was illegitimately obtained by hackers and leaked on the dark web. Personal data exposed in the database includes names, dates of birth, gender, dates of voter registration, email and physical addresses, and more. The leaked database reportedly contains only data compiled from publicly available sources, possibly including requests under the Freedom of Information Act. Unknown