w20-2023

Here’s your weekly #databreach news roundup:

This week's roundup covers Naivas, OT&P Healthcare, WhizComms, the U.S. Transportation Department (USDOT), PharMerica, and Luxottica.

Naivas

Naivas, one of Kenya's largest supermarket chains, recently suffered a significant data breach involving customer and staff data, underlining the importance of strict compliance with the Kenya Data Protection Act (DPA). The incident highlights the need for companies to be transparent about how they collect, use, and protect personal data. It also brings to the fore the financial and reputational damage a breach can cause, as shown by the multi-million dollar fines and settlements paid by international companies such as Target and Morrisons after their own breaches. Ultimately, the Naivas case is a stark reminder to all Kenyan companies of the importance of adhering to the DPA in order to protect their customers' personal information [1].

OT&P Healthcare

Hong Kong's OT&P Healthcare, a group operating eight clinics with over 200 staff across multiple specialties, recently suffered a cyberattack that may have leaked the personal data and medical histories of 100,000 patients. The breach, detected after system instability was noticed, took place within the group's management and operating system, and a "serious cyber-threat from a sophisticated party as yet unknown" is suspected. On becoming aware of the incident, OT&P Healthcare opened an investigation with a leading global third-party forensics firm and informed the relevant authorities. Services continued as normal, and the group took steps to stop further data leakage and reinforce its systems [1][2].

WhizComms

WhizComms, a broadband service provider in Singapore, suffered a data breach in which about 24,000 customers, roughly half of the company's customer base, had their personal information stolen by an external party. Affected customers were informed of the breach by email. A third party accessed the company's web server and downloaded scanned images of customers' personal documents. The bulk of the downloaded material was scanned images of National Registration Identity Cards (NRICs), which are required to register for the broadband service; some scanned work permits and visa approval documents were also downloaded [4].

U.S. Transportation Department (USDOT)

A major data breach at the U.S. Transportation Department (USDOT) has exposed the personal information of 237,000 current and former federal government employees. The compromised systems were responsible for processing TRANServe transit benefits, a scheme that reimburses government employees for some commuting costs up to $280 per month. Following the breach, the USDOT has frozen access to the transit benefit system and is currently investigating the incident. While it has not been confirmed whether the exposed data has been used for criminal purposes, the transportation safety systems remain unaffected [1].

PharMerica

PharMerica discovered suspicious activity on its computer network. An investigation found that an unknown third party had accessed PharMerica's computer systems and that certain personal information and limited medical information (names, dates of birth, Social Security numbers, medication lists, and health insurance information) may have been obtained. The company is not aware of any fraud or identity theft resulting from the incident, but it is notifying potentially affected individuals and offering them identity protection and credit monitoring services. It also stated that it is implementing additional security measures to prevent a similar incident in the future [6].

Luxottica

In May 2023, Luxottica Group S.p.A. confirmed reports of a data breach from 2021 that exposed the personal information of nearly 70 million individuals. This breach involved a vendor's computer network and resulted in unauthorized access to sensitive consumer data, including names, addresses, email addresses, and dates of birth. The breach was first identified in late 2022 when a user on a now-defunct hacker forum attempted to sell a database allegedly containing 300 million records of Luxottica customers in the United States and Canada. The stolen data was later posted for free on several hacking forums on April 30, 2023, and May 12, 2023. The database was reported to contain 305 million lines and 74.4 million unique email addresses, and it was believed that the data was initially extracted by hackers on March 16, 2021. As the incident is still under investigation, Luxottica is in the process of sending out data breach notification letters to all individuals affected by this data security incident [1].