Here’s your weekly data breach news roundup:

Acer, Shell, Birmingham City Council website, Astoria LLC, Hobby Lobby, Israeli citizens – voter data, California State Controller’s Office (SCO), FBS’ websites, AFCEA and the U.S. Geospatial Intelligence Foundation, Carding Mafia, SalusCare, Solairus Aviation.



Acer

The REvil ransomware gang, which has claimed a $50 million ransom after hitting Acer with an alleged ransomware attack on its servers, has been targeting major organisations around the world, stealing their data and listing them on a dark web marketplace – News18 has learnt. The cyber attackers’ collective runs a dark web store of sorts called ‘Happy Blog’, and under its portal, has listed vast troves of stolen data for sale – presumably from ransomware and remote code execution (RCE) exploits similar to those it used against Taiwanese consumer technology company Acer. According to independent cyber security researcher Sourajeet Majumder, the Happy Blog presently lists data from Acer, African bank Union Bank of Nigeria, and major American celebrity law firm Grubman Shire Meiselas & Sacks.



Shell

Energy giant Shell has disclosed a data breach after attackers compromised the company’s secure file-sharing system powered by Accellion’s File Transfer Appliance (FTA).

Shell (short for Royal Dutch Shell plc) is a multinational group of petrochemical and energy companies with more than 86,000 employees in over 70 countries.

It is also the fifth-largest company in the world based on its 2020 revenue results, according to Fortune’s Global 500 rankings.

Shell disclosed the attack in a public statement published on the company’s website last week and said that the incident only affected the Accellion FTA appliance used to transfer large data files securely.

“Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cyber security team, and started an investigation to better understand the nature and extent of the incident,” Shell said.

“There is no evidence of any impact to Shell’s core IT systems as the file transfer service is isolated from the rest of Shell’s digital infrastructure.”

Shell also reached out to relevant data authorities and regulators after discovering that the attackers gained access to files transferred using the compromised Accellion FTA appliance.

According to the company, some of the data accessed during the attack belongs to stakeholders and Shell subsidiaries.

“Some contained personal data and others included data from Shell companies and some of their stakeholders,” the statement reads.

“Shell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks.”

Birmingham City Council website


A “serious” online data breach at Birmingham City Council saw personal information – allegedly the details of “vulnerable children” – put at risk.

Data, said to relate to youngsters entitled to free bus passes, was uploaded “in error” by staff and was “potentially available externally”, the authority said in an email raising the alarm, sent on Friday, March 19.

The details were added to the Brum account, the facility which allows taxpayers to access and book a range of services.

The council email said the Information Commissioner’s Office, the responsible watchdog, had been informed “due to the scale and serious nature of this incident”.

The authority told BirminghamLive the alert was sent as a “precaution”, the mistake was “rectified as soon as we became aware” and the data was not downloaded. It said the ICO was not planning any action and the council would “learn from this issue”.

Astoria LLC


On January 26, 2021, the Nightlion threat intelligence team became aware of several new breached databases being sold on the Dark0de market by hacking group Shiny Hunters. The data listed for sale included 400 million Facebook users, a database allegedly containing Instagram users, and a 300 million user database allegedly from Astoria Company. The details of the Astoria Company data sale included, most notably, 40 million U.S. social security numbers (these numbers were later proven to be inflated).

Nearly one week later, these databases were published for sale on the Dark0de forum by user ShinyHunters.

In addition to Dark0de, Astoria’s data later appeared for sale on two additional darkweb forums, this time by “Seller13”. The following screenshot shows the data being sold on Exploit (a popular Russian cybercrime forum). The posts list additional user samples complete with full user information.

Hobby Lobby


Hobby Lobby, the American arts and crafts giant that also happened to purchase thousands of ancient artifacts looted from modern-day Iraq, exposed a large amount of data online, including customer names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as source code for the company’s app, according to a security researcher.

The data was as recent as 2020, impacted more than 300,000 users, and totaled around 138GB in size, the independent and pseudonymous security researcher known as “boogeyman”, who discovered the leak, told Motherboard in an online chat.

Boogeyman provided multiple screenshots of the data to Motherboard for verification purposes. Those images indicate the information was hosted on an open AWS bucket, a common source for inadvertently exposed data. The data also included Hobby Lobby employee names and email addresses, Boogeyman added.

“We identified the access control involved and have taken steps to secure the system,” Hobby Lobby told Motherboard in an email. Boogeyman said they previously tried to warn Hobby Lobby of the issue but received no response.

It is unclear whether Hobby Lobby is going to notify impacted users.

Israel Citizens Voter Data

Personal details of all voters were published online Monday, in another massive leak of Israelis’ personal information before Knesset elections.

The data breach was apparently linked to the Elector app, which was blamed for previous leaks when it was being used by the ruling Likud party to boost turnout.


The Haaretz daily reported that on Monday, a day before the fourth national elections in two years, some journalists received a link to the database on Ghostbin, a website that allows people to post anonymous messages.

The anonymous uploaders — identified as “The Israeli Autumn” — reportedly said they were “forced” to release the information due to the failure of authorities to deal with Elector. They did not provide evidence that the information originated from Elector.

The message included encrypted links and codes to access two databases, one of which contains the full voter registry, including names and ballot numbers of all 6,528,565 eligible voters. The other includes up-to-date names, addresses, ID numbers, and more details.

California State Controller’s Office (SCO)


A phishing attack last week gave attackers access to email and files at the California State Controller’s Office (SCO), an agency responsible for handling more than $100 billion in public funds each year. The phishers had access for more than 24 hours, and sources tell KrebsOnSecurity the intruders used that time to steal Social Security numbers and sensitive files on thousands of state workers, and to send targeted phishing messages to at least 9,000 other workers and their contacts.

In a “Notice of Data Breach” message posted on Saturday, Mar. 20, the Controller’s Office said that for more than 24 hours starting on the afternoon of March 18 attackers had access to the email records of an employee in its Unclaimed Property Division after the employee clicked a phishing link and then entered their email ID and password.

“The SCO has reason to believe the compromised email account had personal identifying information contained in Unclaimed Property Holder Reports,” the agency said, urging state employees contacted by the agency to place fraud alerts on their credit files with the major consumer bureaus. “The unauthorized user also sent potentially malicious emails to some of the SCO employee’s contacts.”

The SCO responded in an email that no state employee data was compromised.

FBS’ websites


The data from FBS.com and FBS.eu comprised millions of confidential records including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more.

FBS, a major online forex trading site, left an unsecured ElasticSearch server containing almost 20TB of data and over 16 billion records. Despite containing very sensitive financial data, the server was left open without any password protection or encryption. The WizCase team found that the FBS information was accessible to anyone. The breach is a danger to both FBS and its customers. User information on online trading platforms should be well secured to prevent similar data leaks.

Nearly 20TB of data was leaked comprising more than 16 billion records. Millions of FBS users spread across the world were affected. Leaked information included the following:

PII such as:

  • Names and surnames
  • Email addresses
  • Phone numbers
  • Billing addresses
  • Country
  • Time zone
  • IP addresses
  • Coordinates
  • Passport numbers
  • Mobile device models
  • Operating system
  • Email sent to FBS users
  • Social media IDs including GoogleIDs and FacebookIDs
  • Files uploaded by users for verification including personal photos, national ID cards, drivers licenses, birth certificates, bank account statements, utility bills and unredacted credit cards

AFCEA and the U.S. Geospatial Intelligence Foundation

At least two large government conference organizers are warning past attendees that their information may have been stolen in a recent data breach. AFCEA and the U.S. Geospatial Intelligence Foundation both sent email notifications saying the third-party vendor they use for conference registration was the victim of a ransomware attack. That company, SPARGO, Inc., appears to have had data like names, addresses and phone numbers taken from its database. The breach doesn’t appear to have involved more sensitive data like credit card numbers or passwords.

Carding Mafia


Carding Mafia, a forum for stealing and trading credit cards, has been hacked, exposing almost 300,000 user accounts, according to data breach notification service Have I Been Pwned.

The data breach allegedly exposed the email addresses, IP addresses, usernames, and hashed passwords of 297,744 users. Have I Been Pwned announced the data breach on Tuesday, saying the breach happened last week. 

On the Carding Mafia forum and its public Telegram channel, however, there was no sign that its users have been warned. Carding Mafia has more than 500,000 users, according to the forum’s own statistics. The site administrator did not immediately respond to an email asking for comment. 



SalusCare

SalusCare, the largest provider of mental health services in Southwest Florida, says as many as 85,688 patient and employee records were copied and potentially accessed following a malware attack last week.

The Fort Myers-based provider says its database was likely accessed the week of March 15 by means of a “phishing” scam, in which a fraudulent email meant to trick users into providing security information, such as passwords, was sent to one or more SalusCare accounts.

The organization’s entire database was then downloaded to a cloud-based storage account managed by Amazon, said Tom Smoot, an attorney for SalusCare. Amazon has since frozen access to that account, Smoot said.

As of Thursday, it was unknown how many, if any, records were actually accessed from the storage site. “The worst-case scenario is 85,688 files,” said Smoot, a Fort Myers-based attorney. “Best-case scenario is zero.”

Solairus Aviation


Private aviation services provider Solairus Aviation on Tuesday announced that some employee and customer data was compromised in a security incident at third-party vendor Avianis.

In a data breach announcement on March 23, Solairus said aviation business management platform provider Avianis provided notification last December about an intrusion into Avianis’ Microsoft Azure cloud platform, which hosts Solairus’ flight scheduling and tracking system.

An investigation into the incident has revealed that some of Solairus’ data that was hosted on that environment was indeed accessed by an unknown party.

Solairus data stored in that environment possibly includes employee and client names, along with information such as dates of birth, Social Security numbers, driver’s license numbers, passport numbers, and financial account numbers, the company says.

The private aviation services provider says it has already informed some of the affected individuals, but claims that it does not have the “current addresses for all such individuals.”

The company also notes that both employees and clients should remain vigilant for any sign of unauthorized activity and review their financial account statements for any unauthorized charges or activity. If any suspicious activity is identified, the affected individuals should immediately contact their financial institution.