October was full of data breaches, cyber attacks, and costly lawsuits. Innumerable data breaches continued to make headlines, spotlighting the need for stronger cybersecurity defenses.
Compiled on November 1, the following lists are composed of data breach headlines that were primarily published during the month of October—but also include September headlines published since our last list went live (September 2024 Data Breaches [LIST]). Source articles have been organized by industry in reverse chronological order.
We'll start with the top five biggest breaches for October:
Tip: For a point of reference, the American population is approximately 347 million according to the United States Population Clock at the date of this post.
10/24/2024
More than 100 million individuals had their private health information stolen during the ransomware attack on Change Healthcare, a cyberattack that caused months of unprecedented outages and widespread disruption across the U.S. healthcare sector. This is the first time that UnitedHealth Group (UHG), the U.S. health insurance provider that owns the health tech company, has put a number on how many individuals were affected by the data breach.
10/14/2024
A Florida data broker that lost hundreds of millions of Social Security numbers and other personally identifiable information in a data breach earlier this year has filed for Chapter 11 bankruptcy protection as the company faces a wave of litigation.
10/9/2024
Marriott International has agreed to pay $52 million and make changes to bolster its data security to resolve state and federal claims related to major data breaches that affected more than 300 million of its customers worldwide. The FTC and the states ran parallel investigations into three data breaches, which took place between 2014 and 2020.
10/14/2024
Ticketmaster Sued Over Massive Data Breach | Rolling Stone
Ticketmaster is facing a class action lawsuit over the massive data breach the company suffered from the hacker group ShinyHunters earlier this year. ShinyHunters claimed that it had obtained personal data of 560 million Ticketmaster accounts through third-party cloud data company Snowflake, ransoming the data for $500,000.
09/27/2024
Meta fined $102 million for storing passwords in plain text | Engadget
The Irish Data Protection Commission (DPC) has slapped Meta with a $101.5 million (€91 million) fine after wrapping up an investigation into a security breach in 2019, wherein the company mistakenly stored users' passwords in plain text. While Meta didn't say how many accounts were affected, a senior employee told Krebs on Security back then that the incident involved up to 600 million passwords.
10/14/2024
Internet Archive Breached Again–Third Cyber Attack In October 2024 | Forbes
The Internet Archive has confirmed a third security breach on Oct. 20 in what has become a series of escalating cyberattacks. Despite previous warnings and multiple breaches earlier this month, the organization had not adequately secured the system, leaving the tokens vulnerable to continued exploitation. This breach follows two major attacks earlier in October, which have compounded the damage to the organization’s infrastructure.
10/14/2024
Pokemon dev Game Freak confirms breach after stolen data leaks online | Bleeping Computer
Japanese video game developer Game Freak, co-owner and primary developing studio of the Pokémon video game series, has confirmed it suffered a cyberattack in August after source code and game designs for unpublished games were leaked online.
10/9/2024
A pop-up message on the Internet Archive said the online archive has suffered ‘a catastrophic security breach,’ as its operators say the site has been DDoS’d for days. Internet Archive founder Brewster Kahle confirmed the breach and said the website had been defaced with the notification via a JavaScript library.
10/7/2024
Personal Information Compromised in Universal Music Data Breach | SecurityWeek
680 individuals are impacted in a recent data breach where unauthorized activity was discovered in an internal application in early July. The company says that while it has no evidence that the information has been misused, it has decided to offer impacted individuals 24 months of free credit monitoring and identity theft protection services.
10/30/2024
Interbank confirms data breach following failed extortion, data leak - Bleeping Computer
Interbank, one of Peru's leading financial institutions, has confirmed a data breach after a threat actor who hacked into its systems leaked stolen data online. While customers have been reporting that the bank's mobile app and online platforms stopped working throughout the day and during a separate outage reported two weeks ago, Interbank says that most of its operations are now back online and that its clients' deposits are secure.
10/21/2024
Crypto payment services firm says more than 92,000 affected by data breach | The Record
A recent data breach at the crypto payment processor Transak exposed the information of more than 92,000 people after an employee's laptop was accessed. The company said on Sunday that “no financially sensitive or critical information was compromised” but admitted that names, birthdays, passports, driver’s license information and user selfies were leaked in the breach.
10/10/2024
Fidelity says data breach exposed personal data of 77,000 customers | TechCrunch
Fidelity Investments, one of the world’s largest asset managers, has confirmed that over 77,000 customers had personal information compromised during an August data breach. An unnamed third party accessed information from its systems between August 17 and August 19 “using two customer accounts that they had recently established.”
10/6/2024
Comcast and Truist Bank customers caught up in FBCS data breach | Bleeping Computer
Comcast Cable Communications and Truist Bank have disclosed they were impacted by a data breach at FBCS. The data breach is believed to have impacted 4.2 million individuals. 273k Comcast customers and an unspecified number of Truist customers have been impacted.
10/1/2024
More Than a Million People Affected by Patelco Credit Union's Data Breach | Credit Union Times
In an amended public filing, the $9.5 billion Patelco Credit Union reported the personal information of more than one million current and former members and employees had been accessed during a June ransomware attack.
09/30/2024
TIAA Retail Customer Data Exposed in Vendor Breach | ThinkAdvisor
Personal information for almost 9,000 retail TIAA and TIAA-CREF Life Insurance customers was exposed in a hack that appears related to a breach that caught other financial services firms. A TIAA support services vendor, Infosys McCamish Systems, was breached between Oct. 29 and Nov. 2, when IMS discovered the hack, according to a letter from TIAA to affected customers.
09/30/2024
Wells Fargo Announces Data Breach Involving Unauthorized Access by Former Employee | JD Supra
Wells Fargo filed a notice of data breach with the Attorney General of Vermont after discovering that a former employee accessed customer information without authorization for fraudulent purposes. The incident resulted in an unauthorized party being able to access consumers’ sensitive information.
10/31/2024
Mystic Valley Elder Services Data Breach Impacts 87,000 People - SecurityWeek
Mystic Valley Elder Services, a Massachusetts-based non-profit that provides health and other services to the elderly and people with disabilities, has suffered a data breach impacting many individuals. The investigation revealed a few months later that the attacker may have stolen files containing personal information.
10/18/2024
Boston Children’s Health Physicians warned patients that a breach in September exposed troves of sensitive information. The organization was notified of unusual activity on its systems, and further investigation revealed that the hackers took files off of their network that contained patient information.
10/18/2024
Omni Family Health Data Breach Impacts 470,000 Individuals | SecurityWeek
California network of health centers Omni Family Health is notifying close to 470,000 individuals that their personal information was stolen in a cyberattack earlier this year. The leaked information pertains to current and former patients and employees.
10/14/2024
Gryphon Healthcare, Tri-City Medical Center Disclose Significant Data Breaches | SecurityWeek
Gryphon Healthcare and Tri-City Medical Center last week disclosed separate data breaches, a third-party data breach and a cyberattack respectively, in which the personal information of more than 500,000 individuals was stolen.
10/3/2024
Weiser Memorial Hospital investigates potential data breach | TechTarget
Idaho-based Weiser Memorial Hospital is investigating a potential data breach after cyberthreat actors claimed to be in possession of the hospital's data. A cyberthreat actor group has claimed responsibility for this incident, and the hospital is in the process of researching these claims.
10/24/2024
Free, France's second largest ISP, confirms data breach after leak | Bleeping Computer
The data stolen in the attack is now being auctioned on BreachForums to the highest bidder, with the threat actor—known as "drussellx"—claiming that the breach impacts almost a third of France's population. The company, which says it had over 22.9 million mobile and fixed subscribers at the end of June, is the second-largest telecommunications company in France and a subsidiary of the Iliad Group, Europe's sixth-largest mobile operator by number of subscribers.
10/8/2024
Water supplier American Water Works says systems hacked | CBS News
American Water Works—a supplier of drinking water and wastewater services to more than 14 million people—said hackers had breached its computer networks and systems, prompting it to pause billing to customers. The company does not believe its facilities or operations were impacted by the cybersecurity incident, but is "currently unable to predict the full impact," it stated.
10/7/2024
China's Salt Typhoon Hacked AT&T, Verizon: Report | SecurityWeek
The China-linked threat group known as Salt Typhoon has hacked into the networks of several major broadband providers such as Verizon, AT&T and Lumen in the United States, potentially compromising wiretap systems. The incident has raised concerns of national security risks because these systems enable investigations into criminal and national security matters.
10/4/2024
Comcast confirms 237K affected in feisty breach notification | The Register
Comcast says data on 237,703 of its customers was stolen in a cyberattack on debt collections agency, Financial Business and Consumer Solutions aka FBCS. The agency was compromised in February, and the firm informed the US cable giant about the unauthorized access in March.
09/30/2024
Media giant AFP hit by cyberattack impacting news delivery services | Bleeping Computer
Global news agency AFP (Agence France-Presse) is warning that it suffered a cyberattack on Friday, which impacted IT systems and content delivery services for its partners. As for the type of the attack and the perpetrators, no details were provided.
09/30/2024
T-Mobile pays $31.5 million FCC settlement over 4 data breaches | Bleeping Computer
The Federal Communications Commission (FCC) announced a $31.5 million settlement with T-Mobile over multiple data breaches that compromised the personal information of millions of U.S. consumers and impacted T-Mobile's customers in 2021, 2022, and 2023.
10/18/2024
Tech giant Nidec confirms data breach following ransomware attack | Bleeping Computer
The Japanese tech giant Nidec Corporation has revealed that hackers behind a ransomware attack have stolen data and leaked it on the dark web. The attack did not encrypt files and the incident is considered fully remediated at this time.
10/15/2024
Alleged Cisco data breach could affect Microsoft, Barclays, and SAP developer data | CSO Online
A BreachForums post made by IntelBroker claims source code was taken from Cisco customers in the breach. The breach allegedly affected a huge amount of developer data for customers such as Microsoft, Barclays, SAP, T-Mobile, AT&T, and Verizon. Cisco is reportedly investigating the breach claims.
10/2/2024
Zero-Day Breach at Rackspace Sparks Vendor Blame Game | SecurityWeek
Enterprise cloud host Rackspace has been hacked via a zero-day flaw in ScienceLogic’s monitoring app. ScienceLogic shifted the blame to an undocumented vulnerability in a different bundled third-party utility. This incident follows a previous ransomware attack on Rackspace’s hosted Microsoft Exchange service in December 2022, which resulted in millions of dollars in expenses and multiple class action lawsuits.
09/27/2024
Amgen Announces Third-party Data Breach Stemming from Incident at Sirva Relocation | JD Supra
Amgen, Inc. filed a notice of data breach with the Attorney General of Massachusetts after discovering that confidential information that was provided to the company was subject to unauthorized access after an incident at Sirva Relocation, LLC. Amgen explains that the incident resulted in an unauthorized party being able to access sensitive information belonging to certain individuals.
10/16/2024
Varsity Brands Data Breach Impacts 65,000 People | SecurityWeek
Apparel giant Varsity Brands this week disclosed a data breach impacting a significant number of individuals. Varsity had detected “unusual activity” on its systems where the intruder obtained “a small subset of company files” that stored personal information.
10/15/2024
Volkswagen Says IT Infrastructure Not Affected After Ransomware Gang Claims Data Theft | SecurityWeek
Volkswagen has issued a brief statement that the IT infrastructure of the Volkswagen Group is not affected after the 8Base ransomware group claimed to have stolen valuable data from the company’s systems. The company has not shared any other information on the cyberattack.
10/14/2024
Casio Confirms Data Breach as Ransomware Group Leaks Files | SecurityWeek
Japanese electronics giant Casio has revealed that the recent cyberattack was carried out by a ransomware group and confirmed that the incident has resulted in a data breach. Casio detected unauthorized access to its network on October 5. The incident resulted in a system failure and some service disruptions.
10/1/2024
Data of 300k digiDirect customers leaked in alleged attack | CSO Online
One of Australia’s leading retailers of consumer electronics, digiDirect, is allegedly facing theft of data belonging to over 300k customers from a cybersecurity breach. A threat actor using the alias “Tanaka” posted on the dark web and added a sample of the stolen data in the post for confirmation.
10/24/2024
Insurance admin Landmark says data breach impacts 800,000 people | Bleeping Computer
Landmark says it detected suspicious activity on May 13th, 2024, causing the company to shut down IT systems and remote access to its network to prevent the spread of the attack. Landmark says it found evidence that the threat actor accessed some files during the attack that contained the personal information of 806,519 people.
10/14/2024
Insurance Firm Johnson & Johnson Discloses Data Breach | SecurityWeek
Insurance company Johnson & Johnson has disclosed a data breach impacting the personal information of thousands of people. The firm has told the Maine AG that more than 3,200 individuals are impacted by the data breach.
10/8/2024
Security provider ADT discloses second cybersecurity incident in two months | Cyberscoop
An unauthorized party stole encrypted internal data related to employee user accounts from home and small business security provider ADT. The incident is the second cyberattack disclosed by the company in two months. That incident did not include credit card data or banking information, nor was there any reason to believe that home security systems were compromised as a result of the incident.
Companies are updating their access control measures to deter and prevent these costly data breaches before they happen. Regulating who or what is allowed to access particular information can prevent lateral movement even if a system is breached, effectively minimizing the fallout. The best time to secure systems is before the breach or attack happens.
Built upon the idea of continuous verification, Pomerium is a zero-trust reverse proxy that helps enterprises manage secure application access. Authenticate, authorize, monitor, and secure user access to any application without a VPN.
Companies are replacing VPNs with Pomerium to secure internal resources within the zero trust architecture framework.