Here’s your weekly #databreach news roundup:
Nominet, Stiiizy, Telefónica, Green Bay Packers, Medusind, Gravy Analytics, Casio, PowerSchool, and UN aviation agency.
Nominet
UK domain giant Nominet has experienced a cybersecurity incident that it confirmed is linked to the recent exploitation of a new Ivanti VPN vulnerability https://t.co/OoV71j7XaP
— Carly Page (@CarlyPage_) January 13, 2025
Nominet, the UK domain registry managing .co.uk domains, confirmed a cybersecurity incident linked to a zero-day vulnerability in Ivanti’s VPN software, Connect Secure. Hackers exploited the flaw to access Nominet’s systems, though the company states there is no evidence of a data breach or leakage. Access to the affected VPN has been restricted while investigations continue.
Stiiizy
Popular Los Angeles-based cannabis brand Stiiizy has confirmed that hackers accessed reams of sensitive customer data, including government-issued documents and medical cannabis cards. #databreach @CarlyPage_ https://t.co/YYN70Ekp53
— DevaOnBreaches (@DevaOnBreaches) January 12, 2025
Stiiizy, a Los Angeles-based cannabis brand, confirmed a cyberattack in November 2024 that compromised sensitive customer data, including government IDs and medical cannabis cards, from four California retail locations. The Everest ransomware group claimed responsibility, alleging theft of data from over 420,000 customers, which it leaked after ransom demands were ignored. Stiiizy is investigating the breach with its point-of-sale vendor.
Telefónica
Spanish telecommunications company Telefónica confirms its internal ticketing system was breached after stolen data was leaked on a hacking forum. #databreach https://t.co/EmFGixJlrO
— DevaOnBreaches (@DevaOnBreaches) January 11, 2025
Telefónica, Spain’s largest telecommunications company, confirmed a breach of its internal ticketing system after 2.3 GB of data was leaked on a hacking forum. The attackers, using compromised employee credentials, accessed documents and tickets, some possibly customer-related. Telefónica has blocked unauthorized access and reset affected passwords while investigating the incident.
Green Bay Packers
American football team Green Bay Packers says cybercriminals stole the credit card data of over 8,500 customers after hacking its official Pro Shop online retail store in a September breach. #databreach https://t.co/OEWDAbFNcw
— DevaOnBreaches (@DevaOnBreaches) January 11, 2025
The Green Bay Packers confirmed a September 2024 breach of their Pro Shop website, where attackers used malicious code to steal credit card data from 8,514 customers. Payment information, including card details, names, and addresses, was harvested between September 23-24 and October 3-23. The team has since removed the code, secured the site, and is offering affected customers three years of identity theft protection through Experian.
Medusind
Medusind, a leading billing provider for healthcare organizations, is notifying hundreds of thousands of individuals of a #databreach that exposed their personal and health information more than a year ago. https://t.co/EtRPoJMIC5
— DevaOnBreaches (@DevaOnBreaches) January 11, 2025
Medusind, a healthcare billing provider, disclosed a December 2023 data breach affecting 360,934 individuals, exposing personal and health information such as medical history, insurance details, and payment data. The breach was detected after suspicious network activity, prompting the company to secure its systems and offer two years of free identity monitoring via Kroll. Impacted individuals are advised to monitor accounts and credit reports for potential fraud.
Gravy Analytics
New from 404 Media: data hacked from location giant Gravy reveals thousands of ordinary apps hijacked to steal your location data. Candy Crush, MyFitnessPal, Tinder. Period trackers, prayer apps. Because of how data collected, apps may not even know https://t.co/ZEgk4lrTEM
— Joseph Cox (@josephfcox) January 9, 2025
Hacked files from location data firm Gravy Analytics reveal that thousands of popular apps, including Tinder, Candy Crush, and religious and health apps, may unknowingly expose sensitive location data via the advertising ecosystem. This real-time bidding process allows rogue actors to harvest user locations without app developers’ or users’ consent. The stolen data, allegedly involving millions of mobile device coordinates, highlights privacy risks in the ad tech industry. Gravy has previously sold data to commercial clients and U.S. government agencies, raising concerns about widespread misuse of personal information.
Casio
Japanese electronics manufacturer Casio says that the October 2024 ransomware incident exposed the personal data of approximately 8,500 people. #databreach @billtoulas https://t.co/FrUq0zifLM
— DevaOnBreaches (@DevaOnBreaches) January 9, 2025
Casio confirmed an October 2024 ransomware attack by the Underground gang, exposing the personal data of 8,500 individuals, including employees, business partners, and a small set of customers. Leaked data includes sensitive employee details, partner information, and customer delivery records, though no credit card or broader customer databases were affected. Casio declined to negotiate with the attackers and has since restored most services. Impacted individuals will receive personalized notifications.
PowerSchool
US edtech giant PowerSchool says hackers compromised the personal data of students and teachers after breaching its customer support portal. PowerSchool's software is used by over 16,000 customers to support more than 50 million students https://t.co/Ommiy0aeVy
— Carly Page (@CarlyPage_) January 8, 2025
PowerSchool, a leading K-12 education technology provider, disclosed a December 2024 cybersecurity incident where hackers breached its PowerSource customer support portal, potentially exposing student and teacher data. Compromised information may include Social Security numbers, medical records, grades, and other sensitive details. PowerSchool confirmed the breach was contained and denied a ransomware attack but admitted to paying to prevent data leaks. The company continues to face scrutiny, including a class action lawsuit alleging improper use of student data for commercial gain.
UN aviation agency
UN aviation agency ‘investigating’ security breach after hacker claims theft of personal data. #databreach @CarlyPage_ https://t.co/YSQWiDKCsC
— DevaOnBreaches (@DevaOnBreaches) January 7, 2025
The International Civil Aviation Organization (ICAO), a UN agency, is investigating a potential cybersecurity breach after a hacker claimed to have stolen 42,000 documents, including personal information such as names, contact details, and employment records. Some data reportedly pertains to ICAO employees. ICAO has not commented further but stated it is actively investigating the incident.