Please fill in the form below to subscribe to our blog

The Week in Breach News: 05/10/23 – 05/16/23

May 17, 2023

Two huge healthcare breaches, employee data gets exposed at the U.S. Department of Transportation, bad actors feast on Sysco’s data and five sometimes overlooked yet dangerous email-based cyberattacks to watch out for.

EDR represented by a rendering of connected devices

Learn how Datto EDR satisfies cyber insurance requirements for endpoint protection & EDR. DOWNLOAD REPORT>>


Exploit: Ransomware

PharMerica: Pharmacy Services

cybersecurity news gauge indicating extreme risk

Risk to Business: 1.362 = Extreme

A ransomware attack on pharmacy services company PharMerica has resulted in the exposure of confidential medical data for over 5.8 million patients. The Play ransomware group perpetrated the attack, which took place on March 12th, 2023. The gang was able to snatch the full names, addresses, dates of birth, social security numbers (SSNs), medications, and health insurance information of 5,815,591 people. The ransomware gang claimed to have stolen 4.7 TB of data during their attack on PharMerica including at least 1.6 million unique records of personal information, and it has already published the stolen data.

How It Could Affect Your Customers’ Business: This incident is going to cost PharmMerica a fortune in both recovery costs and regulatory penalties.

Kaseya to the Rescue:  Learn more about defending against often email-based cyberattacks like ransomware in our eBook A Comprehensive Guide to Email-Based Cyberattacks GET EBOOK>>   

NextGen Healthcare

Exploit: Credential Compromise

NextGen Healthcare: Software Company

cybersecurity news represented by agauge showing severe risk

Risk to Business: 1.692 = Severe

NextGen Healthcare, a maker of electronic health recordkeeping solutions, has disclosed that it has experienced a data breach. An estimated one million individuals have been impacted by this incident. NextGen said that it noticed suspicious activity in its network on March 30, and an internal investigation determined that bad actors had access to the company’s data from March 29 and April 14, 2023. Stolen patient data includes a patient’s name, address, birth date and Social Security number. In its data breach filing, NextGen Healthcare told the Maine Attorney General’s office that the attackers accessed its database using stolen client credentials.

How It Could Affect Your Customers’ Business: This type of data is extremely desirable on the dark web and valuable to bad actors, so it needs strong protection.

Kaseya to the Rescue: Data is a commodity on the dark web. Learn more about the dark web risks that businesses face in The IT Professional’s Guide to the Dark Web. DOWNLOAD IT>>


Exploit: Hacking

Sysco: Commercial Food Distributor

cybersecurity news represented by agauge showing severe risk

Risk to Business: 2.139 = Severe

Foodservice supply giant Sysco has announced that it has experienced a data breach that may have exposed customer and supplier data in the U.S. and Canada, as well as personal information belonging to U.S. employees. Sysco sent a letter to employees that revealed that the company detected an intrusion on March 5, however, the company believes bad actors had access to data as early as January 14, 2023. The company said that the hackers swiped company data, including internal operations files, customer data and personal data. Employees had their personal data compromised, with bad actors stealing their personal information provided to Sysco for payroll purposes, including name, social security number and bank account numbers.

How It Could Affect Your Customers’ Business: The longer hackers spend inside a business environment, the more damage they can do. Reducing or eliminating dwell time is important.

Kaseya to the Rescue: Develop an effective, efficient incident response plan with the tips in our guide How to Build an Incident Response Plan. GET YOUR GUIDE>>

U.S. Department of Transportation (DOT)

Exploit: Hacking

U.S. Department of Transportation (DOT): Federal Government Agency

cybersecurity news represented by a gauge indicating moderate risk

Risk to Business: 2.119 = Severe

The U.S. Department of Transportation (DOT) has experienced a data breach that has resulted in the exposure of personal data for an estimated 237,000 current and former federal employees. The agency said that the data breach impacts individuals that are enrolled in the US Department of Transportation’s (DOT) transit benefit program (TRANServe), a program that handles commuter transit benefits for federal agencies. Access to that program is currently offline. The breach impacted 114,000 current employees and 123,000 former employees. The employee information compromised as a result of the breach may include the name of TRANServe transit benefit recipients, their agency, work email address, work phone number, work address, home address, SmarTrip card number (used to ride the Washington, D.C. Metro) and/or TRANServe Card number.

How It Could Affect Your Customers’ Business: This could have been much worse for DOT, but they’re still going to suffer a budget hit to clean up the mess.

Kaseya to the Rescue:  Learn more about how our Security Suite can help MSPs protect their clients from expensive and damaging cyberattacks and other information security trouble. GET IT>>

Explore how AI technology helps businesses mount a strong defense against phishing GET INFOGRAPHIC>>

Exploit: Ransomware

National Gallery of Canada: Museum

cybersecurity news represented by a gauge indicating moderate risk

Risk to Business: 2.781 = Moderate

The National Gallery of Canada has been forced to shut down its IT systems for the last two weeks in response to a ransomware attack. The gallery said that it discovered the attack on April 23. The museum reassured customers and members and that no customer data was stolen in the incident, admitting that some operational data had been lost. The National Gallery of Canada has remained open throughout the incident with limited technology and the attack is currently under investigation.

How it Could Affect Your Customers’ Business: No organization is safe from becoming a victim of ransomware gangs, not even a museum.

Kaseya to the Rescue:  Explore how security awareness training helps businesses defend against today’s most dangerous cyber threats in this infographic. DOWNLOAD IT>>

See why EDR is the perfect investment to make in your future right now in our buyer’s guide. DOWNLOAD IT>>

Switzerland – ABB

Exploit: Ransomware

ABB: Technology Developer

cybersecurity news represented by a gauge indicating moderate risk

Risk to Business: 2.866 = Moderate

The Black Basta ransomware gang is behind a successful ransomware attack on Swiss technology giant ABB. The attack took place on May 7, with sources reporting that it hit the company’s Windows Active Directory, affecting hundreds of devices. ABB severed VPN connections with customers to prevent the spread of the attack. ABB has confirmed the attack but refused to offer details. No word on any ransom demand was available at press time.

How it Could Affect Your Customers’ Business: Technology companies are often service providers, making them attractive targets that can offer both profit and access to other businesses.

Kaseya to the Rescue: Email is the most likely way for employees to encounter cyberattacks like ransomware. This checklist helps companies strengthen their email security. GET CHECKLIST>>

a white woman smiling at a desk with data readouts behind her in a Managed SOC

Kaseya’s Security Suite makes keeping businesses out of cybersecurity trouble easy & affordable. SEE HOW>>

Australia – TechnologyOne

Exploit: Ransomware

TechnologyOne: Software Company

cybersecurity news represented by a gauge indicating moderate risk

Risk to Business: 1.883 = Severe

Tech company TechnologyOne is the latest Australian company to get hit by a ransomware attack. The software maker announced that it had been successfully attacked last Wednesday, with reports pointing to ransomware. The company said that bad actors gained access to its back-office systems. TechnologyOne was quick to reassure customers that “TechnologyOne’s customer-facing SaaS platform is not connected to the Microsoft 365 system, and therefore, has not been impacted.” The incident remains under investigation.

How it Could Affect Your Customers’ Business: A cyberattack like this can damage a company’s reputation leading to lost revenue.

Kaseya to the Rescue: Learn how to achieve complete endpoint security in a flash without blowing up your budget with your antivirus and Datto EDR combined in this information sheet. DOWNLOAD IT>>

Australia – Ambulance Victoria

Exploit: Human Error

Ambulance Victoria: Ambulance Service

cybersecurity news represented by a gauge indicating moderate risk

Risk to Business: 2.786 = Moderate

Ambulance Victoria is in hot water after the discovery that it had exposed the results of confidential drug and alcohol tests for more than 600 employees. Officials told members of the Victorian Ambulance Union in an email that confidential spreadsheets containing the test results of pre-employment drug and alcohol testing of graduate paramedics in 2017 and 2018 had been available on the staff intranet until the union alerted Ambulance Victoria to the problem last week. The exposed information included the full names of graduate paramedics, when they were tested, whether the result was positive or negative, and, if positive, the substance that had been detected. Ambulance Victoria blamed the data exposure on an “inadvertent process issue” and noted that it is under investigation. The Victorian Ambulance Union also said that is considering legal action.

How it Could Affect Your Customers’ Business: Employees who receive regular security awareness training are less likely to make mistakes like this.

Kaseya to the Rescue: These 10 tips can help you implement an effective security awareness training program that reduces the chance of employee data handling mistakes. GET TIPS>>

dark web threats represented by a hacker in a hoodie shrouded in shadows with faint binary code

Find out about five of today’s biggest dark web threats to businesses in this infographic. DOWNLOAD IT>>

Japan – Toyota

Toyota: Automaker

Exploit: Misconfiguration

cybersecurity news represented by a gauge indicating moderate risk

Risk to Business: 2.786 = Moderate

A cloud misconfiguration is to blame for a data security incident at Japanese motor company Toyota that exposed information about two million vehicles. The automaker has apologized for the incident that affected users of the onboard T-Connect driver assistance and emergency contact system for Toyota and Lexus G-Link technology. The company said that the data collected by those systems was improperly stored, resulting in the data being publicly available from November 2013 until the snafu was discovered last month. The exposed information included in-vehicle terminal IDs, chassis numbers and vehicle locations.

How it Could Affect Your Customers’ Business: Employee mistakes like misconfiguration are a gateway to expensive, damaging disasters but they can be prevented.

Kaseya to the Rescue: This infographic can help businesses and MSPs create a comprehensive security awareness training policy that supports a strong training program. GET INFOGRAPHIC>>

1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a range of factors for each incident

Get the scoop on 5 of the worst email-based attacks plus tips to protect businesses from them. GET INFOGRAPHIC>>

Check Out This New BullPhish ID Training Course Update 

A new version of the course Phishing: Brand Fraud and Spoofing is now available in 6 languages! In this newly refreshed course, users will learn about brand fraud, spoofing and how to avoid becoming a victim of that type of phishing.  

The course is available in the following languages: 

  • English: Phishing – Brand Fraud and Spoofing 
  • Portuguese: Spoofing e fraude de marcas VO 
  • Canadian French: Fraude aux marques et usurpation d’identité VO 
  • Latin American Spanish: Fraude de marca y spoofing VO 

Subtitles are available in the following languages: 

  • German: Markenmissbrauch und Spoofing 
  • Dutch: Merkfraude en spoofing 

Find these new courses now in the BullPhish ID Training Portal

Learn more about BullPhish ID

This infographic helps IT professionals get the most out of a security awareness training solution. DOWNLOAD IT>>

3 Resources to Explore Email-based Cyberattacks

These three resources are packed with data and tips that will help you (and your customers) learn about the most common style of cyberattack. 

eBook: A Comprehensive Guide to Email-based Cyberattacks – Dive into the details of seven major email-based cyberattacks and how to avoid them. DOWNLOAD IT>>

Infographic: 5 Nastiest Email-based Scams – Learn about five scams that bad actors spring on employees every day. DOWNLOAD IT>> 

Checklist: Preventing Email-based Cyberattacks – Get a checklist of technologies that help prevent email attacks. DOWNLOAD IT>>

Did you miss… the infographic How AI Enables Graphus to Protect Businesses from PhishingGET IT>>

Learn to defend against devastating cyber threats with A Comprehensive Guide to Email-based Cyberattacks. GET IT>>

These 5 Email-based Cyberattacks Illustrate Why Phishing is a Top Cybersecurity Concern

Organizations in every sector are under siege thanks to a proliferation of phishing-based cyberattacks. In fact, scammers have sent out an estimated three billion phishing emails every day in 2023, and the pace isn’t expected to slow down anytime soon. However, when you’re reading up on cyberattacks that start with phishing, oftentimes articles devote the most real estate to the two biggest headline grabbers: ransomware and business email compromise (BEC). But while those two attacks are some of the worst email-based cyberattacks that businesses face today, they aren’t the only phishing-based attacks that are being thrown at businesses. There are several other types of phishing attacks that can do devastating damage to any organization that can sometimes be overlooked.   

Get tips & advice to help you build a smart incident response plan in our guide. GET YOUR GUIDE>>

Phishing tops business cybersecurity concerns 

Businesses have been dealing with a steadily increasing stream of cyberattacks. That challenge has been made more complex by the wide variety of vectors and approaches that cybercriminals exploit. IT teams face challenges from every side, making it harder and more stressful to defend systems and data against cyberattacks, as we discovered in the Datto SMB Cybersecurity for MSPs Survey in 2022

Main causes of cybersecurity issues according to SMBs 

Issue  Response 
Phishing emails  37% 
Malicious websites/web ads 27% 
Weak passwords/access management 24% 
Poor user practices/gullibility   24% 
Lack of end-user cybersecurity training   23% 
Lack of administrator cybersecurity training   19% 
Phishing phone calls   19% 
Lack of defense solutions (antivirus)   19% 
Insufficient security support for different types of user devices   18% 
Outdated security patches   18% 
Lack of funding for IT security solutions   17% 
Lost/stolen employee credentials   17% 
Lack of executive buy-in for adopting security solutions   16% 
Open remote desktop protocol (RDP) access   15% 
Shadow IT   13% 

Source: Datto SMB Cybersecurity for MSPs Report 

Learn more about how the Kaseya Security Suite helps MSPs & their customers thrive in a dangerous world. GET BRIEF>>

5 dangerous phishing-based cyberattacks that aren’t ransomware or BEC 

These five email-based cyberattacks can do major operational, financial and reputational damage to an organization fast, but businesses can take precautions to reduce their risk.  

Account takeover  

In an account takeover attack, cybercriminals steal a user’s account credentials to facilitate other cybercrimes. Using social engineering tricks in phishing emails, hackers compel users to provide their credentials, then take ownership of their accounts by barring the original user from accessing their account. Cybercriminals use these verified credentials to make a profit by selling these credentials on dark web forums or abusing the account for financial gains or other nefarious activities. 

Typically, financial institutions and e-commerce websites experience higher incidence of account takeover fraud than other industries, but no business is immune to this danger. For instance, hackers may take over an existing e-commerce account and use it to purchase high-value goods, paying with the victim’s stored payment credentials while changing the shipping address to their own. 

Go inside BEC scams & get tips to keep businesses safe from today’s most expensive cyberattack. DOWNLOAD EBOOK>>

Brand impersonation and spoofing 

In brand impersonation cyberattacks, cybercriminals imitate a trusted brand to trick victims into disclosing sensitive information or providing their credentials. Hackers primarily use domain-spoofing techniques or lookalike domains in phishing emails to trick their targets in these attacks.  

Cybercriminals can leverage advanced tools and techniques to design highly convincing email templates that resemble emails from trusted brands. An estimated 25% of all branded emails companies receive are spoofed or brand impersonation attempts. Spoofed emails from trusted brands allow adversaries to make a compelling case through social engineering by preying on employees’ likelihood to trust familiar things.  Microsoft, Apple, DHL and Google are the top brands that cyber criminals attempt to impersonate. 

Get 10 tips to help you build a strong security culture & reduce your risk of cybersecurity trouble! GET INFOGRAPHIC>>

Spear phishing 

Spear phishing is a highly targeted, well-researched email attack that can target anyone within a company. Spear-phishing emails are a tool utilized by an estimated 65% of cybercrime groups when they carry out targeted cyberattacks. Sometimes, spear phishing attempts are made against a few specific people within a company, but a spear phishing attack can also target employees in general. Cybercriminals who use this technique put great care into ensuring that their malicious messages are detailed and highly believable. 

A spear phishing attack starts with a phishing email from a seemingly trustworthy source, but that email can lead the recipient down several dangerous roads. Bad actors may aim to persuade the recipient to do many things including: 

  • Hand over their credentials 
  • Provide access to sensitive systems or data 
  • Transfer money 
  • Share privileged information 
  • Click a malicious link  
  • Download a malware-laden document  

Due to the high pay-out potential of spear phishing attacks, threat actors spend considerable time researching their target. They use clever tactics, individually designed approaches and social engineering techniques to gain victims’ attention and compel them to click on the phishing links. 

For example, the FBI released a warning about a spear phishing scam making the rounds in which bad actors were sending spear phishing messages designed to look like they came from the National Center for Missing and Exploited Children. The subject of the email was “Search for Missing Children,” with an attached zip file titled “resources” that actually contained three malicious files.  

Insider risk is up by 40%. Help your clients stay out of trouble with The Guide to Reducing Insider Risk GET IT>>


Whaling is a primarily email-based cyberattack in which cybercriminals attempt to trap a “big fish,” like someone within the C-suite of a company. Almost 60% of organizations say an executive has been the target of whaling attacks and in about half of those attacks the targeted executives fell for the bait. To pull this attack off, bad actors spend considerable time researching and profiling a high-value target for a sizeable reward potential. Recently, whaling emails have become highly sophisticated with the adoption of fluent business terminology, industry knowledge, personal references and spoofed email addresses. Even cautious eyes can fail to identify a whaling email. 

Conversation hijacking 

Conversation hijacking is another targeted email-based cyberattack in which cybercriminals insert themselves into existing business conversations or initiate new conversations for financial gains. It starts with attackers gaining access to a user’s credentials in an organization. Subsequently, they monitor the compromised account to understand business operations and to learn about deals in progress, payment procedures and other sensitive details. Cybercriminals leverage that knowledge to trick victims into taking harmful actions like wiring money or providing sensitive information. 

How much is data really worth on the dark web? Find out in The IT Professionals Guide to the Dark Web! GET EBOOK>>

BullPhish ID and Graphus power up any company’s email security 

BullPhish ID is a comprehensive and affordable security awareness solution that automates training delivery, testing and reporting, making it the ideal training solution for companies of every size.   

  • It’s simple to conduct phishing simulations with pre-loaded phishing kits or customize the content to reflect the unique phishing threats your users face daily and reduce the chance they’ll fall for a phishing-based cyberattack.   
  • Video lessons about dangers like ransomware, credential compromise and phishing give every employee a solid grounding in cybersecurity best practices with quizzes to determine who needs more help.   
  • Through a personalized employee portal, you can track every user’s assigned courses and training progress plus ensure seamless training delivery.   

Graphus AI-driven, automated email security can help you stay miles ahead of cybercriminals at half the cost of the competition.   

  • Deployable via API with just three clicks, Graphus instantly starts monitoring communication patterns between people, devices and networks to reveal untrustworthy emails, making it a simple, powerful and cost-effective phishing defense solution for companies of all sizes.   
  • Puts three layers of defense between a phishing email and your organization and automatically prevents 99% of sophisticated phishing messages from reaching an employee’s inbox, protecting your organization from advanced social engineering and zero-day attacks.   

BullPhish ID and Graphus work together with a key workflow integration  

The Drop-a-Phish integration between BullPhish ID and Graphus can help you quickly deploy phishing simulation exercises and security awareness training campaigns by eliminating the need for domain whitelisting. The Graphus API allows BullPhish ID to drop phishing and training emails directly into end-user inboxes, saving hours of whitelisting time and ensuring 100% deliverability of training exercises.  

Learn more about the amazing benefits you get from combining Graphus and BullPhish ID here

Can you spot a phishing message? This infographic points out red flags to watch for to sniff them out! DOWNLOAD IT>>

May 17: Kaseya + Datto Connect Local LA IT Professionals Series MME Track REGISTER NOW>>

May 18: Kaseya + Datto Connect Local Brisbane REGISTER NOW>>

May 23: Kaseya + Datto Connect Local Houston   REGISTER NOW>>

May 25: Kaseya + Datto Connect Local Austin REGISTER NOW>>

May 30: Kaseya + Datto Connect Local Washington DC REGISTER NOW>>

June 8: Kaseya + Datto Connect Local Belgium REGISTER NOW>>

June 13: Kaseya + Datto Connect Local Philadelphia REGISTER NOW>>

June 15: Kaseya + Datto Connect Local Chicago Security & Compliance Track REGISTER NOW>>

June 20: Kaseya + Datto Connect Local Tampa REGISTER NOW>>

June 22: Kaseya + Datto Connect Local Atlanta REGISTER NOW>>

June 26-28:  Kaseya DattoCon Europe   REGISTER NOW>>

dark web threats

Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>

Do you have comments? Requests? News tips? Complaints (or compliments)? We love to hear from our readers! Send a message to the editor.

Partners: Feel free to reuse this content. When you get a chance, email [email protected] to let us know how our content works for you!

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!