Here’s your weekly data breach news roundup:​

  1. Solar Winds
  2. Two million CCP members
  3.  Moderna COVID-19 Vaccine
  4. Banijay, maker of MasterChef and Big Brother
  5. People’s Energy
  6. Streaming service Spotify
  7. Inova Health Systems
  8.  Automation Personnel Service
  9. 45 million images of X-rays
  10. Marriage Tax Refund



SolarWinds, whose Orion network monitoring software was used by Russian hackers in a widespread breach of the US government

What started off as a single breach in Commerce Department, turned our to a much bigger one.

Initial vector of intrusion was found to Solarwinds and the impacts companies list is almost greater than 14,000. Companies like Microsoft , FireEye and a whole lot of larger organisations were also found to be breached through this channel.



A major leak containing a register with the details of nearly two million CCP members has occurred – exposing members who are now working all over the world, while also lifting the lid on how the party operates under Xi Jinping, says Sharri Markson.

Ms Markson said the leak is a register with the details of Communist Party members, including their names, party position, birthday, national ID number and ethnicity.

“It is believed to be the first leak of its kind in the world,” the Sky News host said.

Moderna COVID-19 Vaccine Data Breach

Moderna Inc has recently stated that it was informed by the official European Medicine Agency or EMA that certain documents that were related to the pre-submission talks of its own COVID-19 vaccine candidate were said to be unlawfully accessed in a cyberattack on the known medicines regulator. This meant that information regarding the Moderna COVID vaccine have been accessed by hackers.

Banijay, maker of MasterChef and Big Brother

Highly sensitive employee data, including bank account details and home addresses, may have been breached after super-producer Banijay was the victim of what could be a major hack late last week.


Banijay, the company behind global hits including MasterChef and Big Brother, had its IT systems compromised by a bad actor demanding a ransom, potentially exposing the personal information of hundreds, if not thousands of staff.

Deadline understands that it was the systems of Endemol Shine Group, Banijay’s $2.2B acquisition, that were breached in the cyber attack and the company has notified the relevant authorities in the UK and Netherlands.

People's Energy Company

Scotland-based low-cost energy company People’s Energy has admitted to suffering a cyber attack targeting its IT systems that resulted in hackers accessing the personal information of over 250,000 present and former customers.

The company People’s Energy has contacted all its 270,000 current customers, following a data breach.

Co-founder Karin Sode told BBC News an entire database had been stolen by hackers and included information on previous customers.

Data stolen included names, addresses, dates of birth, phone numbers, tariff and energy meter IDs, she said.


Streaming service Spotify has notified an unspecified number of its customers of a data breach, responding by resetting passwords on the accounts that were attacked.

The company filed the breach under California’s new privacy law, the California Consumer Privacy Act, which went into effect on Jan. 1. While the notice did not specify the precise number of people breached, under the CCPA, a sample copy of a breach notice sent to more than 500 California residents must be provided to the California attorney general

Inova Health Systems

Inova Health Systems has notified customers that it was hit by a ransomware attack through a third-party vendor. Blackbaud, a vendor that provides fundraising support to nonprofit organizations, was itself hit by an attack that resulted in Inova data being exfiltrated from the Blackbaud servers.

According to Blackbaud, data was exfiltrated between February 7, 2020, and May 20, 2020. The exfiltration was part of a ransomware attack that did not succeed in encrypting significant data at Blackbaud. Ultimately, though, the company says that it paid a ransom in order to have the exfiltrated data destroyed, which it says was done.

Automation Personnel Services

A 440GB archive that purportedly belongs to Automation Personnel Services, a US-based temporary employment agency, has been leaked on a popular hacker forum. Automation Personnel Services says the post-breach investigation “is currently ongoing and the scope and nature of the data impacted is not yet confirmed.”

According to the forum post, the archive includes confidential company data and sensitive documents related to Automation Personnel Services users, partners, and employees, such as accounting and payroll data, as well as various legal documents.

The archive was leaked on November 24. It appears to have been made public as a consequence of a failed negotiation with cybercriminals, after Automation Personnel Services apparently refused to pay the ransom.

45 million images of X-rays

45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware.

Two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.

Or so says research by CybelAngel, which sells a Digital Risk Protection Platform. Not only was the sensitive personal information unsecured, but malicious folk had also accessed those servers and poisoned them with apparent malware, the company added.

Marriage Tax Refund

A UK business specializing in tax relief for its clients has exposed the personal details of over 100,000 of them via a misconfigured content management system (CMS).

Researchers at Website Planet told Infosecurity exclusively about the privacy snafu, which they discovered on October 13 and notified the firm about the next day.

That company was Marriage Tax Refund, a Wolverhampton-based organization whose business model is to recover marriage tax allowance funds for UK clients.

According to the research team, the firm had misconfigured its WordPress CMS, leaving a directory listing of PDF documents available for public view, with no password protection.