Data Breach Report: December 2024 Edition

The final month of 2024 brought a wave of concerning cybersecurity incidents, highlighting the growing sophistication and impact of modern data breaches. Organizations across diverse sectors, including finance, healthcare, education, government, and automotive, faced significant security challenges, resulting in the exposure of sensitive personal and financial data of millions worldwide.

From ransomware attacks on Texas Tech University and SRP Federal Credit Union to misconfigured cloud storage impacting Volkswagen’s Cariad, each incident underscores the critical need for robust cybersecurity measures. This report delves into key breaches from December 2024, their causes, scale, and implications for affected organizations and individuals.

The breach, which occurred between September 5 and November 4, 2024, and was disclosed on 19 December 2024, compromised the sensitive personal and financial information of over 240,000 members.

Scale of the Breach: The SRP Federal Credit Union data breach impacted over 240,000 members (650 GB of customer data).
Type of Data Exposed: Social Security numbers, Driver’s license numbers, Dates of birth, Financial account information.
Cause of the Breach: The breach was caused by a ransomware attack carried out by the Nitrogen group.

Data Breach Notification: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/10844f64-85d5-4b49-b683-f9ba718f60a7.html

Leading automotive parts supplier LKQ Corporation recently disclosed a cybersecurity breach affecting one of its Canadian operations. The incident, which occurred on November 13th, resulted in unauthorized access to the company’s IT systems, temporarily disrupting business activities within the affected unit.

Scale of the Breach: The exact scale of the breach is currently under investigation by LKQ.
Type of Data Exposed: Data theft occurred, but the specific type of data compromised is currently under investigation by LKQ.
Cause of the Breach: Unauthorized access to the company’s IT systems.

LKQ Form 8-K filing: https://www.sec.gov/Archives/edgar/data/1065696/000106569624000134/lkq-20241213.htm

The Ascension Health data breach, which occurred in May 2024 and was disclosed on 20 December 2024, compromised the personal information of nearly 5.6 million individuals.

Scale of the Breach: Impacted nearly 5.6 million individuals.
Type of Data Exposed: Names, Insurance information, Social Security numbers, Payment details.
Cause of the Breach: An employee accidentally downloaded a malicious file disguised as legitimate, leading to a ransomware attack.

Data Breach Notification: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e55264f2-ff87-4b28-874d-653cfb735fe6.html

The Rhode Island government suffered a significant data breach in December 2024, impacting hundreds of thousands of residents. The attack targeted the state’s RIBridges system, a critical platform managing various social services programs, including Medicaid, SNAP, and Temporary Assistance for Needy Families. The incident forced the temporary shutdown of the RIBridges system, disrupting essential services for many residents and raising serious concerns about the security of government systems.

Scale of the Breach: Impacted hundreds of thousands of residents.
Type of Data Exposed: Social Security numbers and financial details.
Cause of the Breach: A cyberattack on the state’s RIBridges system, which handles various social services programs.

Data Breach Notification: https://governor.ri.gov/press-releases/governor-mckee-issues-update-cybersecurity-breach-ribridges-system

In December 2024, ConnectOnCall, a telemedicine and after-hours emergency call service provider, publicly disclosed a data breach impacting over 900,000 patients. The breach, discovered in May 2024, stemmed from unauthorized third-party access to the ConnectOnCall platform between February 16th and May 12th.

Scale of the Breach: Affected over 900,000 patients.
Type of Data Exposed: The compromised data included sensitive patient information such as names, phone numbers, dates of birth, medical record numbers, and details related to health conditions, treatments, and prescriptions. In some cases, Social Security numbers were also exposed.
Cause of the Breach: Unauthorized third-party access to the ConnectOnCall platform between February 16th and May 12th, 2024.

The Krispy Kreme data breach, disclosed on 11 December 2024, significantly disrupted the company’s online ordering systems following a cyberattack in November. The Play ransomware group claimed responsibility, alleging the theft of sensitive data.
This attack, detected on November 29th, forced Krispy Kreme to temporarily suspend online ordering across parts of the United States. While in-store operations remained unaffected, the breach significantly impacted the company’s digital sales, a crucial revenue stream.

Scale of the Breach: Impacted hundreds of thousands of residents.
Type of Data Exposed: IDs, corporate documents, personal data, contracts, taxes, and payroll, as well as financial and accounting information.
Cause of the Breach: A cyberattack, with the Play ransomware group claiming responsibility.

SEC filing: https://www.sec.gov/Archives/edgar/data/1857154/000185715424000123/dnut-20241211.htm

In December 2024, Texas Tech University publicly disclosed a significant data breach impacting approximately 1.4 million individuals. The breach, stemming from a ransomware attack targeting the Texas Tech University Health Sciences Center (TTUHSC) in September, resulted in the exfiltration of sensitive personal and medical information.

Scale of the Breach: Approximately 1.4 million individuals.
Type of Data Exposed: Sensitive personal and Medical information.
Cause of the Breach: A ransomware attack targeting the Texas Tech University Health Sciences Center (TTUHSC). The attack disrupted university systems and resulted in the exfiltration of sensitive data. The ransomware group “Interlock” claimed responsibility for the attack.

Incident notice: https://ttuhscinfo.com/

In late December 2024, a significant data breach affecting over 800,000 electric vehicle owners across Europe was discovered within Volkswagen’s automotive software subsidiary, Cariad. The breach, attributed to a misconfigured Amazon cloud storage system, exposed sensitive personal and location data of drivers from Volkswagen, Audi, Seat, and Skoda brands.

Scale of the Breach: Impacted over 800,000 electric vehicle owners across Europe.
Type of Data Exposed: Names, Contact details, Vehicle location data (highly accurate for some models), EV usage patterns (charging habits, driving routes)
Cause of the Breach: Misconfigured Amazon cloud storage system.

The Automation Personnel Services (APS) data breach, which occurred in November 2020 announced in March 2021and resulted in a $1.375 million settlement in December 2024, stemmed from a lawsuit alleging the company’s failure to adequately protect employee and job applicant data.

Scale of the Breach: unknown number of employees and job applicants.
Type of Data Exposed: Potentially included Social Security numbers, bank account information, and other sensitive personal data.
Cause of the Breach: Alleged failure to implement and maintain adequate cybersecurity measures to protect its database.