There were data breaches galore in the US last week with various major incidents reported to state attorneys general, some in good time, some not.

We've got our top picks here for you, starting with the US's most legendary denim dealer admitting it will have to tell more than 72,000 customers they may have been the victim of an automated credential stuffing attack.

Attackers caught Levi's with its pants down on June 13, the company said in a filing with state attorneys general on Saturday, and that any data stored in a Levi's online account may have been accessed by cybercriminals.

This includes names, email addresses, saved delivery addresses, order histories, and if the account had a saved payment method then partial information like the last four digits of a card number may have been accessed too, as well as the card type and expiry date.

Levi's said there's nothing to suggest any details have been abused yet and assured customers that its own systems were compromise-free. The attackers must have gathered the credentials from other sources, like a separate data breach.

All of those who are thought to be affected by the incident have received password resets and were advised to also change their passwords on other sites as an added precaution.

From bad to worse, to even worse

The Levi's incident wasn't the only one that caught the eye last week. The February breach at debt collector Financial Business and Consumer Solutions (FBCS) keeps getting worse.

FBCS originally wrote to affected individuals in April, informing around two million people that their full names, social security numbers, date of birth, account information, and identity document numbers may have been accessed by miscreants.

It then updated the various US attorneys general earlier this month to say the number of affected people was actually considerably higher - around 3.2 million in total.

CFO Henry Stoughton must be getting pretty good at these filings with all the practice he's had this year. He was forced to tell state officials - again - that the breach affected an additional 200,000 people.

The current total of affected individuals is 3,435,640, a fresh filing shows. FBCS and Stoughton will doubtless be hoping that's the last time they'll have to tell everyone of the cracks in their counting.

A healthcare breach, again

It's never a nice day when we realize we have to write about another provider of medical support being disrupted by some script kiddies behind a keyboard.

Alas, it is taking up a great deal of our time lately. Be it the scumbags at Qilin showing no remorse whatsoever for thousands of patients having surgeries cancelled in London, or close to a billion bucks siphoned out of one of the US's largest healthcare providers just to get operations back up and running, there are plenty of sad stories to keep our typing fingers fit and active.

The latest of these concerns LivaNova. The manufacturer of medical devices for those with head and heart conditions told state AGs on Thursday, more than six months after the initial October 2023 attack, we might add, that 129,219 people had their data stolen by cybercriminals.

LivaNova didn't use the R-word in its letter to affected people, but ransomware group LockBit claimed responsibility for the attack on the UK-based Italian-American company (took us a while too).

The data affected by the breach included names, phone numbers, email addresses, postal addresses, SSNs, dates of birth, health insurance information, as well as various medical data points such as treatment, condition, diagnosis, prescription, physician, medical record number, and device serial number.

In all three cases, affected individuals were offered varying levels of credit monitoring free of charge. ®

https://www.theregister.com//2024/06/24/breaches_of_the_week/