Here’s your weekly data breach news roundup:

Acer, American Osteopathic Association (AOA), Hariexpress, Macquarie Health Corporation, Belgium’s Covid App, and Harvard-Westlake School.

American Osteopathic Association (AOA)


The personal data of thousands of individuals have been stolen from a non-profit professional membership organization located in Illinois.

Cyber-thieves struck the American Osteopathic Association (AOA) in the summer of 2020, making off with information that included names, Social Security numbers, and financial account details.

The AOA, which is headquartered in Chicago, represents around 151,000 osteopathic physicians and medical students across the United States. The association was tipped off to the attack when suspicious activity was recorded on some of its systems on June 25 last year.

The network was shut down, and computer forensic specialists were brought in to investigate the nature and scope of the security incident. It was determined that attackers had managed to breach systems where personally identifiable information was contained and had exfiltrated data from those systems. 

AOA undertook a review to establish what data had been accessed and which individuals had been impacted by the cyber-attack. As a result, it was concluded that the exfiltrated data included names, addresses, dates of birth, Social Security numbers, financial account information, and email addresses/usernames and passwords.

In a breach report submitted on October 13 to the state of Maine’s attorney general’s office, the AOA stated that 27,485 individuals, including 209 Maine residents, had been impacted by the incident.

The AOA has just begun mailing out breach notification letters to affected individuals, offering them a year of free credit monitoring. 

A sample of the breach notice states that the total population of impacted individuals was determined by June 1, 2021. The delay in notifying those individuals is attributed in the letter to the coronavirus pandemic. 



The Brazilian E-commerce Marketplace Integrator platform Hariexpress (Hariexpress.com.br) has been caught exposing a massive trove of sensitive data belonging to its customers and vendors.

In total, the company has exposed more than 610 GB worth of data containing over 1.75 billion (1,751,023,279) records without any security authentication.

Launched in 2018; Hariexpress integrates eCommerce marketplaces into a single platform to automate processes across different online stores.

It is worth noting that this massive exposure has been caused by a misconfigured Elasticsearch server. This means anyone with knowledge of exploiting the misconfigured Elasticsearch servers can access these records without the need for login credentials.

Macquarie Health Corporation


Hackers have bragged about leaking highly sensitive documents containing patients’ private information that were stolen from a Sydney-based healthcare firm.

Macquarie Health Corporation confirmed on Monday many of its systems remained offline after the private company was hit by cybercriminals.

NCA NewsWire has been told medical and legal documents containing highly personal information were posted to the dark web after the hack.

It’s understood one such multi-page document details the medical history, name and birth date of a NSW woman.

Macquarie Health Corporation, which operates 12 private hospitals in Sydney and Melbourne, first revealed the hack had occurred on Thursday and published an update on Monday.



A hacker group has claimed to have breached the servers of Acer India, with approximately 60GB of sensitive data belonging to several million of the company’s customers being leaked online.

Known as Desordern, the group said it had stolen customer information, corporate data, financial data, and information related to recent company audits, according to a post on a popular hacking forum, seen by Privacy Affairs researchers.

The hackers said that the breach includes data on several million Acer customers, mostly from India. It appears to have taken place on 5 October, as this is the most recent date listed in the leaked databases.

Desordern also said that it will give Acer access to the database to verify the data and prove the breach is real. A sample of the data released for free, which included information on over 10,000 individuals, was found to be accurate and genuine by researchers at Privacy Affairs, who were able to make contact

Belgium’s Covid App


Belgium’s app that verifies coronavirus vaccinations reported a data leak, just days before Brussels is set to require people to prove they’ve been jabbed in order to enter restaurants.

A potential leak of the CovidScan app may have exposed the sensitive health data of 39,000 people, the country’s data protection authority said in an emailed press release. The app is used to read the QR codes — usually on a phone — that prove people have received a vaccine or have recently tested negative for the virus.

Harvard-Westlake School

Students’ confidential academic files were hacked and exposed at Los Angeles private school Harvard-Westlake. Archived SAT scores, GPAs, transcripts and college recommendation letters were downloaded, then sent to a group of parents and the school newspaper, as well as The Hollywood Reporter.

The materials encompass approximately 150 alumni who graduated over the past decade. They include the children of Oscar winners, media chieftains, household names, assorted billionaires and influential political donors of both major political parties.

Harvard-Westlake’s president, Rick Commons, informed the school’s parents and alumni via email on Sept. 3 that a data breach had occurred on the servers of Naviance, a third-party, cloud-based college-counseling platform the institution had used from 2012 through 2020. “The school is outraged by this violation of student privacy,” he wrote, adding that Harvard-Westlake had established an ad hoc committee to address the issue. He noted that its response had already included contacting the FBI and engaging with network security experts to both ensure its own systems hadn’t been compromised by the incident and to uncover the source of the attack.