Data Breaches in 2022

We hear about data breaches, hacks, and leaks almost every day. These can be devastating for the companies affected, and they also harm customers, employees, and others whose personal and financial data may be compromised. Here are some of the important data breaches in 2022.


In what is believed to be the costliest breach at a cryptocurrency platform, hackers hit the Ronin crypto “bridge” in March and stole the equivalent of more than $600 million from the service, which allows people to exchange different types of digital coins. U.S. law enforcement officials attributed the heist to the notorious North Korean hacking group known as Lazarus. One report said the hackers duped an engineer at the U.S. firm with a fake job offer over LinkedIn, which enabled the attackers to access the network by using a spyware-infected PDF document.

Cryptocurrency platforms, and especially these types of bridges, have become increasingly juicy targets for hacks in recent years, with at least $1.4 billion in losses, according to some accounts. Cryptocurrency by its nature is hard to trace and thus is attractive to cybercriminals. More crypto hacks are cited below.

Microsoft Security announced in March that its servers were hit by hackers as part of a “large-scale social engineering and extortion campaign” targeting several organizations. The attack was attributed to a hacker collective known as Lapsus$, which has carried out extortion and vandalism in the past. While the attackers claimed they had gained access to and exfiltrated some of Microsoft’s source code, the company said it saw no affected customer code or data and only a single compromised account. According to Microsoft, exposure of its source code is not considered a security risk. The FBI has been on the lookout for these attackers, and suspects have been arrested in Britain.

Microsoft said the attacks used “a pure extortion and destruction model” without deploying ransomware, and that the hackers were brazen enough to announce their exploits on social media. Some of the techniques used include phone-based “social engineering,” or tricking people into giving up their credentials; SIM-swapping to gain access to two-factor authentication codes sent by text message; infiltrating the personal email accounts of employees; and paying people to give up credentials.

Uber said on September 17 that attackers – most likely the same Lapsus$ group that hit Microsoft and others earlier in the year – accessed its internal network including its Slack channel and downloaded some information from an internal finance tool. According to the ride-sharing firm, the attacker didn't gain access to customer information such as trip records or credit card numbers, but an investigation had been launched.

Days later, Uber said the hackers purchased a password on the dark web after a contractor’s personal device was infected with malware. Some analysts said the attack was not especially sophisticated and shows how many corporate systems are vulnerable.

One member of the group was arrested in the UK. The group is believed to have roots in Brazil and has been described by some security pros as “cyberpunks” looking for fame as well as monetary rewards.

News Corp., the publisher of the Wall Street Journal and a range of global media outlets, said in a securities filing that it was hit by a cyberattack in January 2022 and that some data was taken. Subsequently, analysts suggested China was behind the attacks and that journalists were being targeted.

This was likely an example of an espionage-related hack from a nation-state actor, which typically has motivations that aren't financial. The Wall Street Journal reported that experts hired by its parent firm concluded this was an effort to further China’s interests by collecting information on journalists, including those looking into U.S. military activity, U.S. government actions against China, and activities around Taiwan and China’s Uyghur ethnic minority. Customer and subscriber information wasn't affected.

Another crypto “bridge” service called Wormhole suffered a loss of more than $300 million in an attack in February that was announced on Twitter. This was another blockbuster hack affecting the world of digital currencies and the second-largest of its type after the Ronin breach. Reports suggested the hackers exploited a weakness in Wormhole’s code and that an update might have prevented the loss. Wormhole parent Jump Crypto said it would make up any losses to customers. The company also offered a $10 million bounty to coders who could fix the flaw.

Crypto bridges are used by people who have one type of cryptocurrency like bitcoin and need to transfer it to another blockchain. Wormhole provides a bridge between Solana and other digital coins such as Ethereum. But these bridges have also become a weak point targeted by malicious actors, according to cybersecurity specialists.

The Singapore-based digital wallet operator Crypto.com revealed in January that hackers breached its network and stole the equivalent of more than $30 million in cryptocurrency. Nearly 500 customers were affected but the company said it reimbursed anyone whose accounts were breached. Crypto.com said hackers managed to circumvent its two-factor authentication (2FA) protocols to carry out the attack.

This hack highlights the fact that even 2FA isn't foolproof. Crypto.com said it had revamped its 2FA protocols and added another layer of security: a 24-hour delay for withdrawals from new accounts.

It’s not just cryptocurrency operators facing security risks. In April 2022, the money transfer Cash App’s parent firm Block Inc. (previously known as Square, led by Jack Dorsey) disclosed in a securities filing that a former employee had accessed and downloaded information from as many as 8.2 million customers in December 2021. This included the full names and account numbers of customers, and in some cases their brokerage portfolio holdings and account activities.

The company said the stolen data didn't include personal data such as Social Security numbers, usernames or passwords, or security codes. It notified law enforcement and regulators and launched its own investigation. Initial reports indicated no financial losses, but any breach can open up users to other types of attacks such as phishing.

The Christian crowdfunding site GiveSendGo, which gained notoriety for supporting the Canadian truckers’ “Freedom Convoy,” said in February a hacker got into its servers and revealed the names and email addresses of its donors. No money was stolen in the attack, according to the group, which supports conservative causes.

This was an example of a politically motivated attack combined with “doxxing,” or revealing information about specific individuals supporting that cause. Journalists were sent a list of some 92,000 donors to the Canadian protest in an effort to embarrass the contributors, some of whom were named in public. Because the donors’ IP addresses were also revealed, it's possible their identities could have been discovered even if they used a fake name, analysts said.

The hackers also redirected people visiting the website to another domain, with a message accusing the site of supporting “the raging fire of misinformation” and the January 6 insurrection in Washington. Some reports linked the attack to the loosely organized hacktivist collective known as Anonymous.

The International Committee of the Red Cross said in January that sophisticated hackers had penetrated its network and accessed the personal data of some 515,000 people working with the relief organization as well as the affiliated Red Crescent. According to the Red Cross, the attackers used advanced hacking tools that normally are associated with state-sponsored actors, and sophisticated obfuscation techniques, to remain active in the system for 70 days before being discovered.

The attack forced the shutdown of a program called Restoring Family Links run by the Red Cross and Red Crescent which seeks to reunite family members separated by conflict, disaster, or migration.

Red Cross officials said they received no ransom demand or other information about the attack, but expressed concern for the individuals and families affected, who could be targeted physically or online, and pleaded with the attackers not to sell or leak the data. The incident was believed to stem from a leak at a contractor in Switzerland storing the data and highlights how people may be victimized even by data collected by a third party.

Even the most security-savvy organizations can be hit by attackers. Case in point: LastPass, the popular password manager used by some 30 million people to secure their account credentials, disclosed in September that some of its source code and technical information was taken by cybercriminals. The company said the hack was carried out by infecting the device of a developer with malware and remaining in the network long enough to get past multi-factor authentication.

But LastPass said no customer information was compromised because of its “zero knowledge” model. This means the company doesn't have users' master passwords to their encrypted “vaults” with login credentials, so even if LastPass is hacked, an attacker won’t get those passwords.
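As an added illustration of the zero-knowledge model described above (example code written for this page, not LastPass's own implementation), the sketch below keeps the master password on the client: PBKDF2 stretches it into a vault key that never leaves the device and a separate login hash that is all the server ever sees, so a stolen copy of the server's store yields only salts, login hashes and ciphertext. Python's standard library has no AES, so the vault is sealed with an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag as a stand-in for AES-GCM; the iteration count, the key labels, the user name and the sample vault are assumptions made for the example.

```python
"""Zero-knowledge vault sketch (added example, not LastPass code).

The provider stores only salt, login hash and ciphertext: nothing it holds
yields the master password or the key that decrypts the vault.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

ITERATIONS = 210_000  # assumption: PBKDF2 work factor chosen for the example


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Client-side: stretch the master password into a vault key (kept local)
    and a login hash (sent to the server). The login hash is a one-way
    function of the vault key, so holding it does not reveal the key."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    login_hash = hmac.new(vault_key, b"login", hashlib.sha256).digest()
    return vault_key, login_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for AES-CTR (stdlib has no AES)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _subkeys(vault_key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys, derived from the vault key by label.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, vault: Dict[str, str]) -> Dict[str, str]:
    """Seal the vault on the client: encrypt-then-MAC over nonce || ciphertext."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(vault).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: Dict[str, str]) -> Dict[str, str]:
    """Open the vault on the client; refuses tampered or wrong-key blobs."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault blob failed authentication")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


class VaultServer:
    """What the provider holds. A breach of this store leaks only salts,
    login hashes and ciphertext, never master passwords or vault contents."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def register(self, user: str, salt: bytes, login_hash: bytes, blob: Dict[str, str]) -> None:
        self.records[user] = {"salt": salt, "login_hash": login_hash, "blob": blob}

    def get_salt(self, user: str) -> bytes:
        return self.records[user]["salt"]  # the salt is not secret; needed before login

    def fetch(self, user: str, login_hash: bytes) -> Dict[str, str]:
        rec = self.records[user]
        if not hmac.compare_digest(rec["login_hash"], login_hash):
            raise PermissionError("login hash mismatch")
        return rec["blob"]


def client_signup(server: VaultServer, user: str, master_password: str, vault: Dict[str, str]) -> None:
    salt = secrets.token_bytes(16)
    vault_key, login_hash = derive_keys(master_password, salt)
    server.register(user, salt, login_hash, encrypt_vault(vault_key, vault))


def client_open(server: VaultServer, user: str, master_password: str) -> Dict[str, str]:
    vault_key, login_hash = derive_keys(master_password, server.get_salt(user))
    return decrypt_vault(vault_key, server.fetch(user, login_hash))


if __name__ == "__main__":
    srv = VaultServer()  # constructed sample: one user, one stored credential
    client_signup(srv, "alice", "correct horse battery staple", {"example.com": "s3cret"})
    print(client_open(srv, "alice", "correct horse battery staple"))
```

The point of the split is that the server can verify a login (compare login hashes) without ever being able to decrypt: both values come from the same PBKDF2 output, but the login hash is derived one-way from the vault key, and the vault key itself is never transmitted. An attacker with the server's records is left with an offline guessing attack against the master password, which is why the iteration count and the strength of the master password carry the whole design.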

How to Prevent Data Breaches

As these incidents illustrate, you may not be able to prevent data breaches, but you should keep tabs on where your data – especially financial data and personally identifiable information – is stored and follow good cybersecurity practices. In particular:

  • Be careful about sharing personal information on social media and elsewhere.
  • Be wary of suspicious offers and links sent by email or text, as these might be a phishing attack.
  • Keep software up to date on all your devices.
  • Use antivirus software to protect your devices from malware.
  • Use strong, unique passwords for all your online accounts with the help of a password manager.
  • Periodically check to see if any accounts have been compromised at websites such as https://haveibeenpwned.com/.
  • Use an identity theft protection service that will monitor breaches for you.
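The check recommended above can be automated against the Pwned Passwords part of haveibeenpwned.com without sending the password, or even its full hash, off the device. The block below is an added example written for this page, not the site's own client: the range endpoint URL and the `SUFFIX:COUNT` response format for a five-character SHA-1 prefix are the service's published interface, while the offline stand-in response, its counts and the sample passwords are constructed for the example.

```python
"""Added example: k-anonymity password check against Pwned Passwords.

Only the first five hex characters of the password's SHA-1 are sent; the
service answers with every known suffix in that range and the client
finishes the comparison locally, so the full hash never leaves the device.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Network fetch of one hash range from the real service (not used offline)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range_live) -> int:
    """Return how many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


# --- constructed offline stand-in for the service ---------------------------
_KNOWN_BAD = "password"   # constructed sample of a breached password
_KNOWN_BAD_COUNT = 12345  # constructed count, not the service's real figure
_BAD_DIGEST = sha1_hex_upper(_KNOWN_BAD)


def constructed_fetch(prefix: str) -> str:
    """Answer in the service's format, but only for the one constructed range."""
    if prefix != _BAD_DIGEST[:5]:
        return ""  # constructed: pretend no suffixes are known for other ranges
    return "\r\n".join([
        "00000000000000000000000000000000000:2",   # constructed filler suffix
        f"{_BAD_DIGEST[5:]}:{_KNOWN_BAD_COUNT}",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",   # constructed filler suffix
    ])


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, constructed_fetch))
```

Passing `constructed_fetch` keeps the run offline; passing nothing uses `fetch_range_live` and queries the real service. A count above zero means the password has appeared in a breach corpus and should be replaced, regardless of how strong it looks.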



Why You Can Trust Us

At U.S. News & World Report, we rank the Best Hospitals, Best Colleges, and Best Cars to guide readers through some of life’s most complicated decisions. Our 360 Reviews team draws on this same unbiased approach to rate tech products that you use every day. The team doesn't keep samples, gifts, or loans of products or services we review. In addition, we maintain a separate business team that has no influence over our methodology or recommendations.


Data Breaches That Have Happened in 2022, 2023 and 2024 So Far


Data breaches have been on the rise for a number of years, and sadly, this trend isn't slowing down. The last year or so has been littered with thefts of sensitive information. Data breaches have affected companies and organizations of all shapes, sizes, and sectors, and they're costing US businesses millions in damages.

The widely-covered T-Mobile data breach that occurred last year, for instance, cost the company $350 million in 2022 – and that's just in customer payouts. T-Mobile fell victim to two more breaches during 2023, putting more customer data at risk. This puts more onus than ever on businesses to secure their networks, ensure staff have strong passwords, and train employees to spot the telltale signs of phishing campaigns.

Below, we’ve compiled a list of significant, recent data breaches (and a couple of important data leaks) that have taken place since January 1, 2022, dated to the day they were first reported in the media.

February 2024

February 13.

Bank of America Data Breach: Tens of thousands of Bank of America customers have had their data exposed in a breach relating to a ransomware attack targeted at Infosys McCamish Systems, one of the bank's service providers. The attack occurred at the beginning of November 2023.

However, the news only hit the headlines after notifications began to be sent around to customers at the start of February. This may have violated state laws determining how long companies have to notify impacted customers, some reports have pointed out.

More than 57,000 customers are thought to have been impacted by the breach. Types of information exposed include addresses, names, Social Security numbers, and dates of birth, as well as some banking information (account numbers, credit card information).


January 2024

Anthropic Data Leak: Artificial intelligence startup Anthropic – the company behind the ChatGPT rival Claude – has suffered a small data leak. A contractor working with the company sent an email containing “non-sensitive customer information” to a third party who should not have had access to it.

Customer names and some information about their current Anthropic balances were the only types of information leaked in the incident, and customers impacted by the mistake have been notified.

Trello Data Breach: 15 million users of the project management software platform Trello have had their data leaked on the dark web, multiple sources report. “In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum,” a cautionary email from Have I Been Pwned warning users about the breach states.

“Containing over 15 million email addresses, names, and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses,” the email continues. “Trello advised that no unauthorized access had occurred.”

Victoria Court System Data Breach: The Guardian reports that the court system in Victoria, Australia has been hacked – and the unauthorized parties gained access to the recordings of various court hearings. However, “no other court systems or records, including employee or financial data, were accessed,” chief executive Louise Anderson said in a statement.

December 2023

December 11.

Norton Healthcare Data Breach: Norton Healthcare has suffered a data breach impacting an estimated 2.5 million people. The firm, based in Kentucky, says that threat actors gained unauthorized access to personal information about millions of patients, as well as a considerable number of employees.

The healthcare provider is one of the biggest in the state, with more than 40 clinics dotted in and around Kentucky's largest city, Louisville, TechCrunch reports. Although the data breach happened between May 7 and May 9, it only came to light this month when it was filed with Maine's attorney general. An internal investigation by Norton suggests the threat actors had access to a broad selection of sensitive information.

November 2023

November 24.

Vanderbilt University Medical Center Data Breach: A Tennessee-based medical institution has confirmed it fell victim to a ransomware attack orchestrated by the Meow ransomware gang. The Medical Center – which has over 40,000 employees – was one of several organizations added to the group's leak database in November 2023.

“Vanderbilt University Medical Center (VUMC) identified and contained a cybersecurity incident in which a database was compromised and has launched an investigation into the incident,” the center revealed in a statement published by The Record. “Preliminary results from the investigation indicate that the compromised database did not contain personal or protected information about patients or employees.”

November 15

Toronto Public Library Data Breach: The Toronto Public Library has said that sensitive, personal information relating to its employees, as well as library customers and volunteers, was stolen from its systems during a highly sophisticated ransomware attack. Some of the information had been stored in the system since 1998. According to Bleeping Computer, the Black Basta ransomware gang is behind the attack, a group whose activity was first observed in 2022.

Infosys Data Breach: Indian IT services company Infosys says it has been struck by a “security event” that made several of the firm's applications unavailable in its US unit, Infosys McCamish Systems. The company is still investigating the impact the attack has had on its systems.

Boeing Data Breach: Aircraft manufacturer Boeing says that a “cyber incident” impacted several different elements of its business, with Reuters reporting that the company is already working with law enforcement to investigate the attack. The company has confirmed that the incident has no bearing on flight safety.

The LockBit ransomware gang initially claimed responsibility for the attack and posted a threat directed at Boeing on their website – which has since been taken down. There is no clear evidence available at this point that suggests Boeing has paid the organization a ransom.

October 2023

Indian Council of Medical Research Data Breach: Around 815 million Indian citizens may have had their Covid test and other health data exposed in a huge data breach. A US security firm first alerted the Indian authorities in mid-October after a threat actor going by the name of “pwn0001” claimed to have the names, addresses, and phone numbers of hundreds of millions of Indians for sale.

India's opposition parties are asking the government to urgently launch a probe into the breach and create a working data security plan for government agencies and departments.

Okta Data Breach: Identity services and authentication management provider Okta has revealed that its support case management system was accessed by a threat actor using stolen credentials.

“The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. This service account was granted permissions to view and update customer support cases,” Okta's chief security officer said in a recent statement. “During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop.”

Air Europa Data Breach: Spanish airline carrier Air Europa has told its customers to cancel all of their credit cards after hackers managed to access their financial information during a breach. Card numbers, expiration dates, and the 3-digit CVV numbers found on the back of credit and debit cards were all extracted from the company's systems. Air Europa says the relevant authorities (including banks) have been notified and its systems are fully operational once more.

23andMe Data Breach: Biotech company 23andMe has suffered a data breach – customer accounts were broken into with a credential-stuffing attack. Genetic data belonging to people who have used the service has been stolen, which may include first names and last names, email addresses, birth dates, and information 23andMe stores relating to users' genetic ancestry and history. Reports suggest that the hackers were targeting data pertaining to individuals of Ashkenazi Jewish and Chinese descent.

September 2023

September 27.

Hunter Biden Data Breach Lawsuit: Hunter Biden – the son of US President Joe Biden – is suing both Rudy Giuliani and his lawyer Robert Costello for accessing and sharing his personal information after they obtained his laptop from a computer repair shop. The lawsuit says that Giuliani and Co. were responsible for a “total annihilation” of Hunter Biden's privacy.

September 25

SONY Data Breach: Multinational technology company SONY has reportedly been broken into by ransomware group Ransomware.vc, which says it will sell the data it has stolen because SONY is refusing to pay for it. Over 6,000 files have allegedly been extracted from the tech company's systems by the group, including build logs and Java files.

Ontario Birth Registry Data Breach (MOVEit): Ontario's birth registry has confirmed that there has been a data breach of its systems, and around 3.4 million people who sought pregnancy care over the last ten years have had their information accessed.

It is thought that more than two million babies born during this period have had their healthcare data exposed. It is one of the latest attacks to exploit the now well-known vulnerability in the MOVEit file transfer tool.

September 5

Topgolf Callaway Data Breach: US golf club manufacturer Topgolf Callaway has suffered a large data breach affecting over one million customers. Email notifications were sent out to those who were affected this week. Data stolen includes full names, shipping addresses, email addresses, phone numbers, account passwords, and security question answers.

September 4

Freecycle Data Breach: Seven million Freecycle users have been affected in a breach of the nonprofit's systems. By the time the company had discovered that the breach had taken place, extracted data had already appeared on hacking forums.

User IDs and email addresses were obtained during the breach, and Freecycle has advised all their members to reset their passwords as soon as possible.

August 2023

Forever 21 Data Breach: Fashion retailer Forever 21 has revealed that 500,000 customers were affected by a data breach that occurred earlier this year. Names, dates of birth, bank account information, and Social Security numbers were accessed by an unauthorized third party. Forever 21 says that the intruder no longer has access to the data, but it's unclear precisely how they've been able to negotiate this.

Duolingo Data Breach: Data pertaining to 2.6 million Duolingo users has been leaked on BreachForums. The data includes names, email addresses, phone numbers, social media information, as well as the languages that users were studying at the time of the breach.

Discord.io Data Breach: Discord.io – an online service that helped people make custom links for their Discord channels – has suffered a data breach. 760,000 users are thought to be impacted, with sensitive information such as passwords, usernames, Discord IDs, and billing addresses thought to have been extracted. Discord.io is a third-party service and not part of Discord Inc. It now seems to have shut down as a result of the breach.

IBM MOVEit Data Breach: 4.1 million patients in Colorado have had sensitive healthcare data stolen during another data breach exploiting a vulnerability in MOVEit transfer software. The systems affected are managed by tech behemoth IBM.

Police Service of Northern Ireland Data Breach: Every police officer currently working in Northern Ireland has had their data compromised in what is being described as a “monumental” data breach. The data was leaked in error and mistakenly published while the service was responding to a Freedom of Information request. Surnames, initials, ranks, work locations, and departments of all of the police staff were leaked.

Missouri Medicaid Data Breach: Some recipients of Medicaid in Missouri have had their health information stolen. Like many recent data breaches, it seems the MOVEit transfer vulnerability was once again to blame. Information stolen may include names, dates of birth, possible benefit status, and medical claims information.

Maximus Data Breach: US government contractor Maximus has suffered a huge data breach. Once again, hackers exploited the MOVEit transfer vulnerability and accessed health-related data pertaining to “at least 8 to 11 million” US citizens, the company said in an 8-K filing. A full review of the incident, the company says, will take “several more weeks”.

Norwegian Government Breach: Hackers have exploited a zero-day vulnerability in a third-party IT platform to hack into the government of Norway's systems. The country's authorities have shut down email and mobile services for government employees in response. It is unclear at present who is behind the attack, but the vulnerability that they were exploiting has now been closed, the Norwegian Government said in a statement.

Roblox Data Breach: Almost 4,000 members of Roblox's developer community have had their data exposed in a leak, including phone numbers, email addresses, and dates of birth. The sensitive information, which belongs to individuals who attended Roblox developer conferences held between 2017 and 2020, was reportedly first lifted from Roblox's systems in 2021.

PokerStars Data Breach: The world's largest online poker platform has suffered a data breach exposing the information of 110,000 customers. The attackers – known as the Cl0p ransomware cartel – exploited a MOVEit zero-day vulnerability to gain access to the poker site's systems. PokerStars has confirmed that they're no longer utilizing the MOVEit transfer application after the incident. The stolen data consists of social security numbers, names, and addresses.

American Airlines Data Breach: Hackers have reportedly stolen personal information relating to ‘thousands' of pilots that applied for roles at American Airlines and Southwest Airlines. Rather than being taken directly from either airline, the information was extracted from a database maintained by a recruiting company. Around 8,000 pilots are thought to have been affected, including 2,200 represented by the Allied Pilots Association.

UPS Canada Data Breach: United Parcel Service has strongly hinted to customers based in Canada via a letter that their personal data may have been exposed in a breach, after fraudulent messages demanding payment before delivery were spotted.

The strangely-worded letter sent out to customers suggested that “a person who searched for a particular package or misused a package lookup tool” could have uncovered personal information relating to customers, such as phone numbers.

Bryan Cave/Mondelez Data Breach: Snack and confectionary manufacturer Mondelez, the parent company that owns Oreo, Chips Ahoy!, Sour Patch Kids, Toblerone, Milka, Cadbury, and many other well-known brands, has notified employees that their personal information has been compromised in a breach at law firm Bryan Cave.

Bryan Cave provides Mondelez and a number of other large companies with legal services. According to the data breach notice filed to the Maine Attorney General's Office, 51,110 employees are thought to have been affected. Although the data breach occurred in February of this year, it was only discovered three months later in May, the filing reveals.

Reddit Data Breach: Hackers purporting to be from the BlackCat ransomware gang have threatened Reddit with leaking 80GB of confidential data they stole from its servers in February. The gang is demanding a $4.5 million payout and also wants Reddit to renege on its new pricing policy that garnered widespread backlash.

Intellihartx Data Breach: Healthcare management firm Intellihartx confirmed that hackers stole the medical details of over half a million patients, including social security numbers. According to a notice filed with the Maine attorney general’s office, the breach took place in January, but wasn't discovered until April.

MOVEit hack, affecting Zellis, British Airways, BBC and others: MOVEit, a popular file transfer tool, was compromised, leading to sensitive data belonging to many firms that use the software being compromised as well. The hack was disclosed by Progress Software, makers of MOVEit, and since then, many companies have reported being affected. These include payroll provider Zellis, British Airways, BBC, and the province of Nova Scotia. However, it is believed that many more companies will have been impacted. Russian ransomware group Clop has claimed responsibility for the attack on June 6th.

Apria Healthcare Data Breach: US healthcare company Apria Healthcare has told almost 1.9 million customers this week that their personal data may have been exposed during a data breach, The Register reports.

The “unauthorized third party” access detected on “select Apria systems” referenced by the company in their notification apparently occurred in 2019 and again in 2021. Why the incident has only just been made public and was not declared earlier is unclear at present.

Suzuki Data Breach: Car manufacturer Suzuki had to halt operations at a plant in India after a cyberattack, reports this week have alleged. According to Autocar's sources, “production has been stalled since Saturday, May 10, and it is estimated to have incurred a production loss of over 20,000 vehicles in this timeframe.” The perpetrators of the attack have not been publicly identified by Suzuki.

PharMerica Data Breach: US Pharmaceutical giant PharMerica – which manages 2,500 different facilities across the US – has revealed that an unknown actor accessed its systems in March and extracted personal data pertaining to 5.8 million individuals (both alive and deceased).

Social security numbers, birth dates, names, and health insurance information were all extracted from the Kentucky-based health provider's systems.

US Government Data Breach: Personal information pertaining to 237,000 US government employees has reportedly been exposed in a Department of Transport data breach.

Reuters reports that the breached system is usually used to process “TRANServe transit benefits”, which are effectively transport expenses that government employees commuting into offices can claim back. The Department of Transport told Congress last week that it had “isolated the breach to certain systems at the department used for administrative functions”. No systems that deal with transportation safety have been affected.

Discord Data Breach: Messaging and video chatting platform Discord has told users that their information may have been exposed in a data breach after a malicious actor gained access to it via “a third-party customer service agent”.

Discord has told users that their email addresses and customer service queries – as well as any documents sent to Discord – may have been accessed. The customer service agent's account has been locked and the company is in the process of ensuring that no persistent threat remains on their devices or network.

T-Mobile Data Breach: T-Mobile has suffered yet another data breach, this time affecting around 800 of the telecom provider's customers. According to recent reports, customer contact information, ID cards, and/or social security numbers were scraped from PIN-protected accounts, as well as other personal information pertaining to T-Mobile customers.

A data breach notification letter sent out to customers by T-Mobile, and subsequently published by Bleeping Computer, details the full extent of the data accessed by the threat actors. Unfortunately, this is the company's second data breach of the year. The first one, which took place in January, affected 37 million customers. T-Mobile was also breached in December 2021 and November 2022.

Pizza Hut/KFC Data Breach: Yum! Brands, which owns fast food chains Pizza Hut, KFC, and Taco Bell, has informed a number of individuals that their personal data was exposed during a ransomware attack that took place in January of this year. The hospitality giant confirmed that names, driver's license, and ID card info was stolen. An investigation into whether the information has been used to commit fraud already is currently underway.

MSI Data Breach/Ransomware Attack: Computer vendor Micro-Star International has suffered a data breach, with new ransomware gang Money Message claiming responsibility for the attack. The group says they've stolen 1.5TB of information from the Taiwanese company's systems and want $4 million in payment – or they'll release the data if MSI fails to pay.

“Say [to] your manager, that we have MSI source code, including framework to develop bios, also we have private keys able to sign in any custom module of those BIOS and install it on PC with this bios,” a member of the ransomware gang said to an MSI agent in a chat seen by Bleeping Computer.

Western Digital Data Breach: Western Digital has reported a data breach, the scope of which at the time of writing is unknown. The company has stated that an unauthorized third party was able to access ‘a number’ of cloud systems. Users of Western Digital products have reported being unable to access the cloud features of their devices since the hack was reported. In a statement on its site, Western Digital said it is “actively working to restore impacted infrastructure and services”, with more updates allegedly on the way.

ChatGPT Data Leak: A bug found in ChatGPT's open-source library caused the chatbot to leak the personal data of customers, which included some credit card information and the titles of some chats they initiated. “In the hours before we took ChatGPT offline,” OpenAI said after the incident, “it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.”

US House of Representatives Data Breach: A breach of a Washington DC-based healthcare provider that handles sensitive data belonging to a number of federal legislators and their families may have affected up to 170,000 people. The data has been put up for sale online, although the FBI is thought to have already purchased it as part of their investigation.

February 2023

February 21

Activision Data Breach: Call of Duty maker Activision has suffered a data breach, with sensitive employee data and content schedules exfiltrated from the company's computer systems. Although the breach occurred in early December 2022, the company has only recently revealed this to the public. According to reports, an employee's credentials were obtained in a phishing attack and subsequently used to infiltrate the system.

February 15

Atlassian Data Breach: Australian software company Atlassian seems to have suffered a serious data breach. A hacking group known as “SiegedSec” claims to have broken into the company's systems and extracted data relating to staff as well as floor plans for offices in San Francisco and Sydney. Included in the dataset are names, email addresses, the departments that staff work in, and other information relating to their employment at Atlassian.

“THATS RIGHT FOLKS, SiegedSec is here to announce we have hacked the software company Atlassian,” the hacking group said in a message that was posted along with the data. “This company worth $44 billion has been pwned by the furry hackers uwu.”

Although Atlassian initially blamed office coordination platform Envoy for the breach, the company later walked this back, revealing that the hacking group had managed to obtain “an Atlassian employee’s credentials that had been mistakenly posted in a public repository by the employee.”

February 10

Reddit Data Breach: Reddit has confirmed that the social media company suffered a data breach on February 5. “After successfully obtaining a single employee’s credentials,” Reddit CTO Christopher Slowe explained in a recent statement regarding the attack, “the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”

Slowe said that Reddit's systems show “no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data),” but did confirm that “limited contact information… for company contacts and employees (current and former), as well as limited advertiser information” were all accessed.

At present, Reddit has “no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”

Optus Data Breach Extortion Attempt: A man from Sydney has been served a Community Correction Order and 100 hours of community service for leveraging data from a recent Optus data breach to blackmail the company's customers. Initially arrested back in October of last year, the perpetrator sent SMS communications to 92 people saying that their personal information would be sold to other hackers if they didn't pay AU$2,000.

Weee! Data Breach: 1.1 million customers of Asian and Hispanic food delivery service Weee! have had their personal information exposed in a data breach. A threat actor that goes by the name of IntelBroker posted some of the leaked data on the infamous hacking forum Breached. However, Weee! told Bleeping Computer that “no customer payment data was exposed” because Weee! does not retain any payment information.

Sharp HealthCare Data Breach: Sharp HealthCare, which is the largest healthcare provider in San Diego, California, has notified 62,777 patients that their personal information was exposed during a recent attack on the organization's website. Social Security numbers, health insurance data, and health records belonging to customers have all been compromised, but Sharp says no bank account or credit card information was stolen.

January 2023

JD Sports Data Breach: As many as 10 million people may have had their personal information accessed by hackers after a data breach occurred at fashion retailer JD Sports, which owns JD, Size?, Millets, Blacks, and Scotts. JD Sports CFO Neil Greenhalgh told the Guardian that the company is advising customers “to be vigilant about potential scam emails, calls, and texts” while also “providing details on how to report these.”

T-Mobile Data Breach: T-Mobile has suffered another data breach, this time affecting around 37 million postpaid and prepaid customers who've all had their data accessed by hackers. The company claims that while it only discovered the issue on January 5th of this year, the intruders are thought to have been exfiltrating data from the company's systems since late November 2022.

As discussed in the introduction to this article, this is not the first time that T-Mobile has fallen victim to a high-profile cyber attack impacting millions of customers. In the aftermath of last year's attack, during which 76 million customers had their data compromised, the company pledged it would spend $150 million to upgrade its data security – but the recent attack raises serious questions over whether this has been well spent.

MailChimp Breach: Another data breach for MailChimp, just six months after its previous one. MailChimp claims that a threat actor was able to gain access to its systems through a social engineering attack, and was then able to access data attached to 133 MailChimp accounts. It's a bad sign for the company, as the attack method is startlingly similar to last year's breach, casting serious doubts on its security protocols.

PayPal Data Breach: A letter sent to PayPal customers on January 18, 2023, says that on December 20, 2022, “unauthorized parties” were able to access PayPal customer accounts using stolen login credentials.

PayPal goes on to say that the company has “no information” regarding the misuse of this personal information or “any unauthorized transactions” on customer accounts and that there isn't any evidence that the customer credentials were stolen from PayPal's systems.

Chick-fil-A Data Breach: Fast food chain Chick-fil-A is investigating “suspicious activity” linked to a select number of customer accounts. The company has published information on what customers should do if they notice suspicious activity on their accounts, and advised such customers to remove any stored payment methods on the account.

Twitter Data Breach: Twitter users' data was continuously bought and sold on the dark web during 2022, and it seems 2023 is going to be no different. According to recent reports, a bank of email addresses belonging to around 200 million Twitter users is being sold on the dark web right now for as little as $2. Even though the flaw that led to this leak was fixed in January 2022, the data is still being leaked by various threat actors.

December 2022

December 31

Slack Security Incident: Business communications platform Slack released a statement just before the new year regarding “suspicious activity” taking place on the company's GitHub account.

“Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27,” the company said. However, Slack confirmed that “no downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase”.

December 15

SevenRooms Data Breach: Threat actors on a hacking forum posted details of over 400GB of sensitive data stolen from the CRM platform's servers. The information included files from big restaurant clients, promo codes, payment reports, and API keys. However, it seems that the servers that were breached did not store any customer payment details.

LastPass Data Breach: Password manager LastPass has told some customers that their information was accessed during a recent security breach. According to LastPass, however, no passwords were accessed by the intruder. This is not the first time LastPass has fallen victim to a breach of their systems this year – someone broke into their development environment in August, but again, no passwords were accessed.

November 2022

November 11

AirAsia Data Breach: AirAsia Group has, according to reports, suffered a ransomware attack orchestrated by “Daixin Team”. The threat group told DataBreaches.net that they obtained “the personal data of 5 million unique passengers and all employees.” This included name, date of birth, country of birth, location, and their “secret question” answer.

Dropbox Data Breach: Dropbox has fallen victim to a phishing attack, with 130 GitHub repositories copied and API credentials stolen after credentials were unwittingly handed over to the threat actor via a fake CircleCI login page.

However, Dropbox confirmed in a statement relating to the attack that “no one's content, passwords or payment information was accessed” and that the issue was “quickly resolved”. Dropbox also said that they were in the process of adopting the “more phishing-resistant form” of multi-factor authentication technique, called “WebAuthn”.

October 2022

Medibank Data Breach: Medibank Private Ltd, currently the largest health insurance provider in Australia, said today that data pertaining to almost all of its customer base (nearly 4 million Australians) had been accessed by an unauthorized party. The attack caused Medibank's stock price to slide 14%, the biggest one-day dip since the company was listed.

Vinomofo Data Breach: Australian wine dealer Vinomofo has confirmed it has suffered a cyber attack. Names, dates of birth, addresses, email addresses, phone numbers, and genders of the company's almost 500,000 customers may have been exposed – although it is currently unclear how many have been affected.

MyDeal Data Breach: 2.2 million customers of Woolworths subsidiary MyDeal, an Australian retail marketplace, have been impacted by a data breach. According to reports, the company's CRM system was compromised, with names, email addresses, telephone numbers, delivery addresses, and some dates of birth exposed during the breach.

Shein Data Breach: Fashion brand Shein's parent company Zoetop has been fined $1.9 million for its handling of a data breach back in 2018, one which exposed the personal information of over 39 million customers that had made accounts with the clothing brand.

The New York Attorney General's Office says Zoetop lied about the size of the breach, as the company initially said only 6.42 million accounts had been affected and didn't confirm credit card information had been stolen when it in fact had.

Toyota Data Breach: In a message posted on the company's website, the car manufacturer stated that almost 300,000 customers who had used its T-Connect telematics service had had their email addresses and customer control numbers compromised. The company assured customers that there was no danger of financial data such as credit card information, nor names or telephone numbers, having been breached.

In its statement, Toyota acknowledged that the T-Connect database had been compromised since July 2017, and that customers should be vigilant for phishing emails.

Singtel Data Breach: Singtel, the parent company of Optus, revealed that “the personal data of 129,000 customers and 23 businesses” was illegally obtained in a cyber-attack that happened two years ago. Data exposed includes “National Registration Identity Card information, name, date of birth, mobile numbers, and addresses” of breach victims.

Possible Facebook Accounts Data Breach: Meta said that it has identified more than 400 malicious apps on Android and iOS app stores that target online users with the goal of stealing their Facebook login credentials. “These apps were listed on the Google Play Store and Apple's App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them,” the tech giant said.

LAUSD Data Breach: Russian-speaking hacking group Vice Society has leaked 500GB of information from The Los Angeles Unified School District (LAUSD) after the US's second-largest school district failed to pay an unspecified ransom by October 4th. The ransomware attack itself first made the headlines in early September when the attack disrupted email servers and computer systems under the district's control.

September 2022

September 23

Optus Data Breach: Australian telecoms company Optus – which has 9.7 million subscribers – has suffered a “massive” data breach. According to reports, names, dates of birth, phone numbers, and email addresses may have been exposed, while a group of customers may have also had their physical addresses and documents like driving licenses and passport numbers accessed.

The attackers are thought to be a state-sponsored hacking group or some sort of criminal organization and breached the company's firewall to get to the sensitive information. Australia's Information Commissioner has been notified.

The Australian government has said Optus should pay for new passports for those who entrusted Optus with their data, and Prime Minister Antony Albanese has already suggested it may lead to “better national laws, after a decade of inaction, to manage the immense amount of data collected by companies about Australians – and clear consequences for when they do not manage it well.”

September 20

American Airlines Data Breach: The personal data of a “very small number” of American Airlines customers has been accessed by hackers after they broke into employee email accounts, the airline has said. Information accessed could have included customers' date of birth, driver's license, passport numbers, and even medical information, they added.

September 19

Kiwi Farms Data Breach: Notorious trolling and doxing website Kiwi Farms – known for its vicious harassment campaigns that target trans people and non-binary people – has been hacked. According to site owner Josh Moon, whose administrator account was accessed, all users should “assume your password for the Kiwi Farms has been stolen”, “assume your email has been leaked”, as well as “any IP you've used on your Kiwi Farms account in the last month”.

Revolut Data Breach: Revolut has suffered a cyberattack that facilitated an unauthorized third party accessing personal information pertaining to tens of thousands of the app's clients. 50,150 customers have reportedly been impacted. The State Data Protection Inspectorate in Lithuania, where Revolut holds a banking license, said that email addresses, full names, postal addresses, phone numbers, limited payment card data, and account data were likely exposed.

September 18

Rockstar Data Breach: Games company Rockstar, the developer responsible for the Grand Theft Auto series, was the victim of a hack which saw footage of its unreleased Grand Theft Auto VI game leaked by the hacker. In addition, the hacker also claims to have the game's source code, and is purportedly trying to sell it. The breach is thought to have been caused through social engineering, with the hacker gaining access to an employee's Slack account. The hacker also claims to be responsible for the Uber attack earlier in the month.

In a statement, Rockstar said: “We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.”

September 15

Uber Data Breach: Uber's computer network has been breached, with several engineering and comms systems taken offline as the company investigates how the hack took place. One researcher dubbed the incident a “total compromise”: screenshots of email, cloud storage, and code repositories have already been sent to security firms and The New York Times by the perpetrator.

Uber employees found out their systems had been breached after the hacker broke into a staff member's Slack account and sent out messages confirming they'd successfully compromised the network.

September 14

Fishpig Data Breach: Ecommerce software developer Fishpig, whose software over 200,000 websites currently use, has informed customers that a distribution server breach has allowed threat actors to backdoor a number of customer systems. “We are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system,” lead developer Ben Tideswell said of the incident.

September 7

North Face Data Breach: Roughly 200,000 North Face accounts have been compromised in a credential stuffing attack on the company's website. These accounts included full names, purchase histories, billing addresses, shipping addresses, phone numbers, account holders' genders, and XPLR Pass reward records. No credit card information is stored on the site. All account passwords have been reset, and account holders have been advised to change their passwords on other sites where they have used the same password credentials.

September 6

IHG/Holiday Inn Data Breach: IHG released a statement saying they became aware of “unauthorized access” to its systems. The company is assessing the “nature, extent and impact of the incident”, with the full extent of the breach yet to be made clear.

September 3

TikTok Data Breach Rumour: Rumours started circulating that TikTok had been breached after a Twitter user claimed to have stolen the social media site's internal backend source code. However, after inspecting the code, a number of security experts have dubbed the evidence “inconclusive”, including haveibeenpwned.com's Troy Hunt. Users commenting on Y Combinator's Hacker News, on the other hand, suggested the data is from some sort of ecommerce application that integrates with TikTok.

Responding to a request for comment from Bloomberg UK, a spokesperson for TikTok said that the company's “security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.”

September 2

Samsung Data Breach: Samsung announced that they'd fallen victim to a “cybersecurity incident” when an unauthorized party gained access to their systems in July. In August, they learned some personal information was impacted, including names, contact information, demographics, birth dates as well as product registration information. Samsung is contacting everyone whose data was compromised during the breach via email.

August 2022

Nelnet Servicing Data Breach: Personal information pertaining to 2.5 million people who took out student loans with the Oklahoma Student Loan Authority (OSLA) and/or EdFinancial has been exposed after threat actors breached Nelnet Servicing's systems. The systems were compromised in June, and the unauthorized party remained on the network until late July.

Facebook/Cambridge Analytica Data Breach Settlement: Meta agreed on this date to settle a lawsuit that alleged Facebook illegally shared data pertaining to its users with the UK analysis firm Cambridge Analytica. The data was subsequently used by political campaigns in the UK and US during 2016, a year which saw Donald Trump become president and Britain leave the EU via referendum.

DoorDash Data Breach: “We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected,” DoorDash said in a blog post.

The delivery service went on to explain that “the information accessed by the unauthorized party primarily included [the] name, email address, delivery address and phone number” of a number of DoorDash customers, whilst other customers had their “basic order information and partial payment card information (i.e., the card type and last four digits of the card number)” accessed.

LastPass Breach: The password manager disclosed to its customers that it was compromised by an “unauthorized party”. The company assured customers that this took place in its development environment and that no customer details are at risk. A September update confirmed that LastPass's security measures prevented customer data from being breached, and the company reminded customers that they do not have access to or store users' master passwords.

Plex Data Breach: Client-server media streaming platform Plex is enforcing a password reset on all of its user accounts after “suspicious activity” was detected on one of its databases. Reports suggest that usernames, emails, and encrypted passwords were accessed.

DESFA Data Breach: Greece's largest natural gas distributor confirmed that a ransomware attack caused an IT system outage and some files were accessed. However, a quick response from the organization's IT team – including deactivating online servers – meant that the damage caused by the threat was minimal.

Cisco Data Breach: Multi-national technology conglomerate Cisco confirmed that the Yanluowang ransomware gang had breached its corporate network after the group published data stolen during the breach online. Security experts have suggested the data is not of “great importance or sensitivity”, and that the threat actors may instead be looking for credibility.

Twilio Data Breach: Messaging behemoth Twilio confirmed on this date that data pertaining to 125 customers was accessed by hackers after they tricked company employees into handing over their login credentials by masquerading as IT department workers.

Uber Data Breach Cover-Up: Although this data breach actually took place way back in 2016 and was first revealed in November 2017, it took Uber until July 2022 to finally admit it had covered up an enormous data breach that impacted 57 million users, and even paid $100,000 to the hackers just to ensure it wasn't made public. The case will see Uber's former chief security officer, Joe Sullivan, stand trial for the breach – the first instance of an executive being brought to the dock for charges related to a data breach.

Twitter Data Breach: The first reports that Twitter had suffered a data breach concerning phone numbers and email addresses attached to 5.4 million accounts started to hit the headlines on this date, with the company confirming in August that the breach was indeed genuine. The vulnerability that facilitated the breach was known by Twitter at the turn of the year and had been patched by January 13, 2022, so data theft must have happened within that short window.

Neopets Data Breach: On this date, a hacker going by the alias “TarTaX” put the source code and database for the popular game Neopets' website up for sale on an online forum. The database contained account information for 69 million users, including names, email addresses, zip codes, genders, and dates of birth.

Cleartrip Data Breach: Travel booking company Cleartrip – which is massively popular in India and majority-owned by Walmart – confirmed its systems had been breached after hackers claimed to have posted its data on an invite-only dark web forum. The full extent of the data captured from the company’s internal servers is unknown.

Infinity Rehab and Avamere Health Services Data Breach: The Department of Health and Human Services was notified by Infinity Rehab that 183,254 patients had had their personal data stolen. At the same time, Avamere Health Services informed the HHS that 197,730 patients had suffered a similar fate. Information stolen included names, addresses, driver’s license information, and more. On August 16, Washington’s MultiCare revealed that 18,165 more patients were affected in the same breach.

Deakin University Data Breach: Australia's Deakin University confirmed on this date that it was the target of a successful cyberattack that saw the personal information of 46,980 students stolen, including recent exam results. Around 10,000 of the university's students received scam text messages shortly after the data breach occurred.

Marriott Data Breach: The hotel group – which is no stranger to a data breach – confirmed its second high-profile data breach of recent years had taken place in June, after a hacking group tricked an employee and subsequently gained computer access. According to databreaches.net, the group claimed to be in possession of 20 GB of data stolen from the BWI Airport Marriott’s server in Maryland. Marriott would be notifying 300-400 individuals regarding the breach.

OpenSea Data Breach: NFT marketplace OpenSea – that lost $1.7 million of NFTs in February to phishers – suffered a data breach after an employee of Customer.io, the company’s email delivery vendor, “misused their employee access to download and share email addresses provided by OpenSea users… with an unauthorized external party”. The company said that anyone with an email account they shared with OpenSea should “assume they are affected”.

Flagstar Bank Data Breach: 1.5 million customers were reportedly affected in a data breach that was first noticed by the company on June 2, 2022. “We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident,” a letter from Flagstar Bank to affected customers read.

Baptist Medical Center and Resolute Health Hospital Data Breach: The two health organizations – based in San Antonio and New Braunfels respectively – disclosed that a data breach had taken place between March 31 and April 24. Data lifted from its systems by an “unauthorized third party” included the social security numbers, insurance information, and full names of patients.

Choice Health Insurance Data Breach: On this date, Choice Health Insurance started to notify customers of a data breach caused by “human error” after it realized an unauthorized individual was offering to make data belonging to Choice Health available online. This had actually been publicly available since May 2022. The data dump consisted of 600MB of data with 2,141,006 files with labels such as “Agents” and “Contacts”.

Shields Health Care Group Data Breach: It was reported in early June that Massachusetts-based healthcare company Shields was the victim of a data breach that affected 2,000,000 people across the United States. The breach was first discovered on March 28, 2022, and information such as Social Security numbers, Patient IDs, home addresses, and information about medical treatments was stolen. A class action lawsuit was filed against the company shortly after.

Verizon Data Breach: A threat actor got their hands on a database full of names, email addresses, and phone numbers of a large number of Verizon employees in this Verizon data breach. Vice/Motherboard confirmed these numbers were legitimate by ringing the numbers contained in the databases and confirming they currently (or used to) work at Verizon. According to Vice, the hacker was able to infiltrate the system after convincing an employee to give them remote access in a social engineering scam.

Texas Department of Transportation Data Breach: According to databreaches.net, personal records belonging to over 7,000 individuals had been acquired by someone who hacked the Texas Department of Transportation.

Alameda Health System Data Breach: Located in Oakland, California, Alameda Health System notified the Department of Health and Human Services that around 90,000 individuals had been affected by a data breach after suspicious activity was detected on some employee email accounts, which was later found to be an unauthorized third party.

National Registration Department of Malaysia Data Breach: A group of hackers claimed to hold the personal details of 22.5 million Malaysians stolen from myIDENTITI API, a database that lets government agencies like the National Registration Department access information about Malaysian citizens. The hackers were looking for $10,000 worth of Bitcoin for the data.

Costa Rican Government Data Breach: In one of the most high-profile cyberattacks of the year, the Costa Rican government – which was forced to declare a state of emergency – was hacked by the Conti ransomware gang. Conti members breached the government's systems, stole highly valuable data, and demanded $20 million in payment to avoid it being leaked. 90% of this data – amounting to around 670GB – was posted to a leak site on May 20.

SuperVPN, GeckoVPN, and ChatVPN Data Breach: A breach involving a number of widely used VPN companies led to 21 million users having their information leaked on the dark web. Full names, usernames, country names, billing details, email addresses, and randomly generated password strings were among the information available. Unfortunately, this is not the first time supposedly privacy-enhancing VPNs have made the headlines for a data breach.

Cash App Data Breach: A Cash App data breach affecting 8.2 million customers was confirmed by parent company Block on April 4, 2022 via a report to the US Securities and Exchange Commission. The breach had actually occurred way back in December 2021, with customer names and brokerage account numbers among the information taken.

Emma Sleep Data Breach: First reported on April 4, customer credit card information was skimmed using a “Magecart attack”. “This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen” an email to customers read.

Apple & Meta Data Breach: According to Bloomberg, in late March, two of the world’s largest tech companies were caught out by hackers pretending to be law enforcement officials. Apple and Meta provided the threat actors with customer addresses, phone numbers, and IP addresses in mid-2021. The hackers had already gained access to police systems to send out fraudulent demands for the data. Some of the hackers were thought to be members of the Lapsus$ hacking group, who reportedly stole the Galaxy source code from Samsung earlier in the month.

US Department of Education Data Breach: It was revealed that 820,000 students in New York had their data stolen in January 2022, with demographic data, academic information, and economic profiles all accessed. Chancellor David Banks blamed software company Illuminate Education for the incident.

Texas Department of Insurance Data Leak: The state agency confirmed on March 24 that it had become aware of a “data security event” in January 2022, which had been ongoing for around three years. “Types of information that may have been accessible”, the TDI said in a statement in March, included “names, addresses, dates of birth, phone numbers, parts or all of Social Security numbers, and information about injuries and workers’ compensation claims.” 1.8 million Texans are thought to have been affected.

Morgan Stanley Client Data Breach: US investment bank Morgan Stanley disclosed that a number of clients had their accounts breached in a Vishing (voice phishing) attack in February 2022, in which the attacker claimed to be a representative of the bank in order to breach accounts and initiate payments to their own account. This was, however, not the fault of Morgan Stanley, who confirmed its systems “remained secure”.

February 2022

February 25

Nvidia Data Breach: Chipmaker Nvidia confirmed in late February that it was investigating a potential cyberattack, which was subsequently confirmed in early March. In the breach, information relating to more than 71,000 employees was leaked. Hacking group Lapsus$ claimed responsibility for the intrusion into Nvidia’s systems.

February 20

Credit Suisse Data Leak: Although this is technically a “data leak”, it was orchestrated by a whistleblower against the company’s wishes and one of the more significant exposures of customer data this year. Information relating to 18,000 Credit Suisse accounts was handed over to German publication Süddeutsche Zeitung, and showed the Swiss company had a number of high-profile criminals on their books. The incident kickstarted a fresh conversation about the immorality of Switzerland's banking secrecy laws.

January 2022

Crypto.com Data Breach: On January 20, 2022, Crypto.com made the headlines after a data breach led to funds being lifted from 483 accounts. Roughly $30 million is thought to have been stolen, despite Crypto.com initially suggesting no customer funds had been lost.

Red Cross Data Breach: In January, it was reported that the data of more than 515,000 “extremely vulnerable” people, some of whom were fleeing from warzones, had been seized by hackers via a complex cyberattack. The data was lifted from at least 60 Red Cross and Red Crescent societies across the globe via a third-party company that the organization uses to store data.

Flexbooker Data Breach: On January 6, 2022, data breach tracking site HaveIBeenPwned.com revealed on Twitter that 3.7 million accounts had been breached in the month prior. Flexbooker only confirmed that customer names, phone numbers, and addresses were stolen, but HaveIBeenPwned.com said “partial credit card data” was also included. Interestingly, 69% of the accounts were already in the website’s database, presumably from previous breaches.

Data Breaches vs Data Leaks vs Cyberattacks

This article largely concerns data breaches. A data breach occurs when a threat actor breaks into (or breaches) a company, organization, or entity’s system and purposefully lifts sensitive, private, and/or personally identifiable data from that system. When this happens, companies are sometimes forced to pay ransoms, or their information is stolen and posted online. According to one estimate, 5.9 billion accounts were targeted in data breaches last year.

This is different from a data leak, which is when sensitive data is unknowingly exposed to the public or members of the public, such as the Texas Department of Insurance leak mentioned above. The term “data leak” is often used to describe data that could, in theory, have been accessed by people it shouldn't have, or data that fell into the hands of people via non-malicious means. A government employee accidentally sending someone an email with sensitive data is usually described as a leak, rather than a breach.

Although all data breaches fall under the umbrella of a “cyberattack”, cyberattacks are not limited to data breaches. Some cyberattacks have different motivations – such as slowing a website or service down or causing some other sort of disruption. Not all cyberattacks lead to the exfiltration of data, but many do.

How Can I Protect My Organization From Cyber-Attacks?

Ensuring you take steps to protect your company from the sorts of cyberattacks that lead to financially fatal data breaches is one of the most crucial things you can do. It's not just businesses that are at risk, however – schools and colleges are some of the most frequently targeted organizations that suffer huge financial losses.

Some companies and organizations – like Lincoln College – have had to shut down due to the fallout costs of a cyberattack. There has never been more of an onus on companies, colleges, and other types of organizations to protect themselves.

Unauthorized access to networks is often facilitated by weak business account credentials. So, whilst passwords are still in use, the best thing you can do is get your hands on a password manager for yourself and the rest of your staff team. This will allow you to create robust passwords that are sufficiently long and different for every account you hold. However, you'll also need to use additional security measures, like 2-Factor Authentication, wherever possible, to create a second line of defense.

Another thing you must do is ensure your staff has sufficient training to spot suspicious emails and phishing scams. Around 70% of cyberattacks target business email accounts, so having staff that can recognize danger when it's present is just as important as any software.


Report: 2.6 billion personal records compromised by data breaches in past two years — underscoring need for end‑to‑end encryption


December 7, 2023

An Apple-commissioned study shows that threats to consumer data stored in the cloud have grown dramatically since the last report was published in December 2022

Today Apple published an independent study conducted by Massachusetts Institute of Technology professor Dr. Stuart Madnick that found clear and compelling proof that data breaches have become an epidemic, threatening sensitive and personal consumer data the world over. The total number of data breaches more than tripled between 2013 and 2022 — exposing 2.6 billion personal records in the past two years alone — and has continued to get worse in 2023. The findings underscore that strong protections against data breaches in the cloud, like end-to-end encryption, have only grown more essential since last year’s report and the launch of Advanced Data Protection for iCloud.

This year’s study, “The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase,” demonstrates threats that had already reached historic levels — as shown in last year’s report, “The Rising Threat to Consumer Data in the Cloud” — continue to rise. Increasingly, companies across the technology industry are addressing these threats by implementing end-to-end encryption, as Apple did with last year’s launch of Advanced Data Protection for iCloud.

With Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data even in the case of a data breach. iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection for iCloud, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos.

“Bad actors continue to pour enormous amounts of time and resources into finding more creative and effective ways to steal consumer data, and we won’t rest in our efforts to stop them,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “As threats to consumer data grow, we’ll keep finding ways to fight back on behalf of our users by adding even more powerful protections.”

As shown in this year’s report, the increasing digitalization of users’ personal and professional lives has fueled a dramatic rise in data breaches. Each year, thousands of data breaches expose the personal information of hundreds of millions of consumers. Hackers are evolving their methods and finding more ways to defeat security practices that once held them back. Consequently, even organizations with the strongest possible security practices are vulnerable to threats in a way that wasn’t true just a few years ago.

The report also shows that even when consumers take all the right steps to secure their sensitive data, it’s still at risk of being compromised by hackers if it’s stored in a readable form by organizations they entrust it with. For instance, when attempting to infiltrate companies with robust security practices, hackers often start by targeting a different organization with relatively weak security that has a technical business relationship with the ultimate target. They then steal credentials or information that helps them target employees or systems at the organization that is their primary objective.

As threats to user data continue to grow more frequent and sophisticated, Apple’s long track record of engineering powerful and innovative features makes its products the most secure on the market. With Lockdown Mode, Apple developed a protection for those who may be targeted by extreme threats like mercenary spyware because of who they are or what they do. Apple’s Advanced Data Protection for iCloud is another feature the company has developed to protect users against growing threats to their data, keeping most user data in iCloud protected even in the case of a data breach in the cloud.

The report illustrates that the historic threats to user data that saw the number of data breaches nearly triple between 2013 and 2022, compromising 2.6 billion records over the course of two years, are only getting worse in 2023. In the U.S. alone, there were nearly 20 percent more breaches in just the first nine months of 2023 than in any prior year. The target for cybercriminals was very clear, with a 2023 survey finding that over 80 percent of breaches involved data stored in the cloud. This is after attacks targeting cloud infrastructure nearly doubled from 2021 to 2022.

This is due in part to the increased targeting of consumer data by ransomware gangs and coordinated campaigns that compromised vendors or their products to target customers. The threat of ransomware has only grown in 2023, as shown by the fact that there were nearly 70 percent more attacks reported through September 2023 than in the first three quarters of 2022. In fact, experts found that there were more ransomware attacks through September 2023 than in all of 2022 combined. This has led to alarming trends in the U.S. and abroad, with more than double the accounts getting breached in the first half of 2023 compared to the first half of 2022 in the U.K., Australia, and Canada combined.

The Devastating Business Impacts of a Cyber Breach

  • Keman Huang,
  • Xiaoqing Wang,
  • William Wei,
  • Stuart Madnick


No company can afford to underestimate the long-term financial costs.

Cybersecurity risks are becoming more systematic and more severe. Although the short-term impacts of a cyberattack on a business are quite severe, the long-term impacts can be even more important, such as the loss of competitive advantage, reduction in credit rating, and increase in cyber insurance premiums. They should not be ignored. To address these concerns effectively, companies need to: 1) Have a cybersecurity champion on the board to help set the tone for the organization, and 2) develop a long-term cybersecurity strategy, which should be a priority for every organization.

Cyber risks are skyrocketing. The latest IBM Data Breach Report revealed that an alarming 83% of organizations experienced more than one data breach during 2022. According to the 2022 Verizon Data Breach Investigations Report, the total number of ransomware attacks surged by 13%, which is a rise equal to the last five years combined. The severity of the situation continues to be evident with the public disclosure of at least 310 cyber incidents that occurred in the past three months alone, according to January, February, and March data from IT Governance. These include OpenAI’s ChatGPT, which exposed the payment-related and other sensitive information of 1.2% of its ChatGPT Plus subscribers due to a bug in an open-source library it used. Moreover, Samsung semiconductor has recorded three incidents where employees accidentally leaked company information when using ChatGPT.


  • KH Keman Huang is an Associate Professor at the Renmin University of China and a Research Affiliate at the MIT Sloan School of Management, where he works on cybersecurity management and strategy, innovation ecosystems, and big data analysis.
  • XW Xiaoqing Wang is a Ph.D student majoring in information security at the School of Information, Renmin University of China. Her research interests include cybersecurity behaviors, innovations, and strategies.
  • WW William Wei is the leader of the Multi-Cloud Working Group of Cloud Security Alliance (CSA) Greater China, and has over 20 years of cyber security experience. He was the General Manager of Trusteer Greater China, Senior Security Specialist of IBM Greater China, Head and Technical Director of Entrust Asia Pacific, and has Silicon Valley startup experience. His research interests include Edge computing, Zero trust, Secure access service edge (SASE), Extended detection and response (XDR) and cyber security culture, etc.
  • Stuart Madnick is the John Norris Maguire (1960) Professor of Information Technologies in the MIT Sloan School of Management, Professor of Engineering Systems in the MIT School of Engineering, and Director of Cybersecurity at MIT Sloan (CAMS): the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity. He has been active in the cybersecurity field since co-authoring the book Computer Security in 1979.


Lily Hay Newman

The Worst Hacks and Breaches of 2022 So Far


Whether the first six months of 2022 have felt interminable or fleeting—or both—massive hacks, data breaches, digital scams, and ransomware attacks continued apace throughout the first half of this complicated year. With the Covid-19 pandemic, economic instability, geopolitical unrest, and bitter human rights disputes grinding on around the world, cybersecurity vulnerabilities and digital attacks have proved to be thoroughly enmeshed in all aspects of life.

With another six months left in the year, though, there's more still to come. Here are the biggest digital security debacles that have played out so far.

For years, Russia has aggressively and recklessly mounted digital attacks against Ukraine, causing blackouts, attempting to skew elections, stealing data, and releasing destructive malware to rampage across the country—and the world. After invading Ukraine in February, though, the digital dynamic between the two countries has changed as Russia struggles to support a massive and costly kinetic war and Ukraine mounts resistance on every front it can think of. This has meant that while Russia has continued to pummel Ukrainian institutions and infrastructure with cyberattacks, Ukraine has also been hacking back with surprising success. Ukraine formed a volunteer “IT Army” at the beginning of the war, which has focused on mounting DDoS attacks and disruptive hacks against Russian institutions and services to cause as much chaos as possible. Hacktivists from around the world have also turned their attention—and digital firepower—toward the conflict. And as Ukraine launches other types of hacks against Russia, including attacks utilizing custom malware, Russia has suffered data breaches and service disruptions at an unprecedented scale.

The digital extortion gang Lapsus$ went on an extreme hacking bender in the first months of 2022. The group emerged in December and began stealing source code and other valuable data from increasingly prominent and sensitive companies—including Nvidia, Samsung, and Ubisoft—before leaking it in apparent extortion attempts. The spree reached its zenith in March when the group announced that it had breached and leaked portions of Microsoft Bing and Cortana source code and compromised a contractor with access to the internal systems of the ubiquitous authentication service Okta. The attackers, who appeared to be based in the United Kingdom and South America, largely relied on phishing attacks to gain access to targets’ systems. At the end of March, British police arrested seven people believed to have associations with the group and charged two at the beginning of April. Lapsus$ seemed to briefly continue to operate following the arrests but then became dormant.

In one of the most disruptive ransomware attacks to date, Russia-linked cybercrime gang Conti brought Costa Rica to a screeching halt in April—and the disruptions would last for months. The group's attack on the country's Ministry of Finance paralyzed Costa Rica's import/export businesses, causing losses of tens of millions of dollars a day. So serious was the attack that Costa Rica's president declared a “national emergency”—the first country to do so because of a ransomware attack—and one security expert described Conti's campaign as “unprecedented.” A second attack in late May, this one on the Costa Rican Social Security Fund, was attributed to the Conti-linked HIVE ransomware and caused widespread disruptions to the country's health care system. While Conti's attack on Costa Rica is historic, some believe that it was meant as a diversion while the gang attempts to rebrand to evade sanctions against Russia over its war with Ukraine.

As the cryptocurrency ecosystem has evolved, tools and utilities for storing, converting, and otherwise managing it have developed at breakneck speed. Such rapid expansion has come with its share of oversights and missteps, though. And cybercriminals have been eager to capitalize on these mistakes, frequently stealing vast troves of cryptocurrency worth tens or hundreds of millions of dollars. At the end of March, for example, North Korea's Lazarus Group memorably stole what at the time was $540 million worth of Ethereum and USDC stablecoin from the popular Ronin blockchain “bridge.” Meanwhile, in February, attackers exploited a flaw in the Wormhole bridge to grab what was then about $321 million worth of Wormhole's Ethereum variant. And in April, attackers targeted the stablecoin protocol Beanstalk, granting themselves a “flash loan” to steal about $182 million worth of cryptocurrency at the time.

Health care providers and hospitals have long been a favorite target of ransomware actors, who look to create maximum urgency to entice victims to pay up in the hopes of restoring their digital systems. But health care data breaches have also continued in 2022 as criminals pool data they can monetize through identity theft and other types of financial fraud. In June, the Massachusetts-based service provider Shields Health Care Group disclosed that it suffered a data breach throughout much of March impacting roughly 2 million people in the United States. The stolen data included names, Social Security numbers, birth dates, addresses, and billing information, as well as medical information like diagnoses and medical record indicators. In Texas, patients of Baptist Health System and Resolute Health Hospital announced a similar breach in June that exposed similar data, including Social Security numbers and sensitive patient medical information. Both Kaiser Permanente and Yuma Regional Medical Center in Arizona also disclosed data breaches in June.

At the beginning of June, the US Cybersecurity and Infrastructure Security Agency warned that Chinese government-backed hackers had breached a number of sensitive victims worldwide, including “major telecommunications companies.” They did so, according to CISA, by targeting known router vulnerabilities and bugs in other network equipment, including those made by Cisco and Fortinet among other vendors. The warning did not identify any specific victims, but it hinted at alarm over the findings and a need for organizations to step up their digital defenses, especially when handling massive quantities of sensitive user data. “The advisory details the targeting and compromise of major telecommunications companies and network service providers,” CISA wrote. “Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked.”

Separately, hackers likely conducting Chinese espionage breached News Corp in an intrusion that was discovered by the company on January 20. Attackers accessed journalists' emails and other documents as part of the breach. News Corp owns a number of high-profile news outlets, including The Wall Street Journal and its parent, Dow Jones, the New York Post, and several publications in Australia.

Just days after a consequential US Supreme Court decision at the end of June pertaining to concealed-carry permit laws, an unrelated data breach potentially exposed the information of everyone who applied for a concealed-carry permit in California between 2011 and 2021. The incident impacted data including names, ages, addresses, and license types. The breach occurred after a misconfiguration in the California Department of Justice 2022 Firearms Dashboard Portal exposed data that should not have been publicly accessible. "This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department," state attorney general Rob Bonta said in a statement. "The California Department of Justice is entrusted to protect Californians and their data. We acknowledge the stress this may cause those individuals whose information was exposed. I am deeply disturbed and angered."


Health care data breaches hit 1 in 3 Americans last year: Is your data vulnerable?


Patients were inundated with spam texts and other annoyances after the massive HCA Healthcare data hack disclosed last July compromised the records of more than 11 million people.

A Florida resident learned through a credit monitoring service that his personal information had turned up on dark web forums. He had to swap out credit and debit cards after fraudulent charges surfaced, according to a federal lawsuit.

A Richmond, Virginia, mom, who'd given birth to triplets in September 2022, received data breach notices addressed to herself and one of her three infants. Since then, she’s received “suspicious medical bills” the hospital has been unable to explain, according to the same class action suit.

The HCA theft was the largest hospital breach in 2023, a year in which about 1 in 3 Americans were affected by health-related data breaches. The number of attacks has surged in recent years. They've typically been carried out by organized hackers, often operating overseas, who target the computer systems of health providers and the vendors and companies that serve them. Most of the largest hacks targeted vendors who bill, mail or provide other services for hospitals, doctors and other health providers.

Last year, a record 133 million health records were exposed in data breaches mainly carried out by hackers who've attacked health providers and their vendors, infiltrated computer systems and demanded ransom or other payments. An average of two health data hacks or thefts of at least 500 records were carried out daily last year in the United States, according to an analysis by The HIPAA Journal.

The health care industry has sought to bolster its defenses against these sophisticated hacks with some success.

These now-routine attacks can hassle consumers and their families, who must monitor their credit histories with credit-reporting agencies. In the worst cases, bad actors use or sell personal identifying information to credit and debit card fraudsters who open accounts in the victims' names, leaving a digital trail that can take years for victims to clear.

The HCA theft targeted an external storage system for the Nashville, Tennessee-based company, a hospital chain with locations in 20 states. This system contained patient names, addresses, emails, phone numbers, dates of birth and genders of patients along with dates and locations they'd received service. No health data, such as diagnoses or conditions, was stolen, HCA officials said.

Attorneys for 15 victims said in court documents filed Feb. 2 at the U.S. District Court in Nashville that they "seek to hold HCA responsible" for the data hack "due to its impermissibly inadequate data security measures."

HCA has not yet responded to the filing, which seeks class-action status, but a representative said the health provider would respond in court. The official defended the hospital chain's efforts to improve its cyber defenses.

"HCA Healthcare has several robust security strategies, systems and protocols in place to help protect data," said Harlow Sumerford, HCA's spokesperson. "Not publicly discussing the details of our security measures is part of our overall protection strategy."

Sabita Soneji, one of the lawyers representing HCA patients whose identifying information was accessed, said the victims have "good reason to be worried" because the breach puts them at risk for identity theft, fraud and scams.

"If you're going to be in the business of collecting (personal) data, you better take care of it," Soneji said.

Health care hacks set new record in 2023

Government regulators who enforce data privacy laws have tracked a record number of major data hacks.

Health care providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act, or HIPAA, must notify the Department of Health and Human Services and individuals if their health information has been breached.

The HHS Office of Civil Rights, which oversees how companies protect health data, requires that health providers report breaches of protected health information. The agency investigates whether the breaches involve violations of health information privacy and security laws and publicly reports attacks that affect 500 or more on its website.

Last year, HHS reported the highest number ever of major health data hacks: 725, and people impacted by those hacks: 133 million. Those numbers eclipsed the previous record in 2015 when hackers targeted the health insurance giant Anthem. The Anthem attack remains the largest-ever health data breach. In that electronic heist, hackers accessed names, Social Security and medical identification numbers, addresses, dates of birth, emails and employment information of more than 78 million people.

Experts say last year's figures show the changing nature of such attacks, as hackers increasingly target businesses that handle health information but don't provide direct care to patients.

Of the top 20 hacks in which 1 million or more records were accessed last year, the vast majority targeted businesses that provide services to hospitals and health providers, said John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk.

Perry Johnson & Associates (PJ&A), a Henderson, Nevada, company that transcribes medical notes on behalf of hospitals, doctors and other health providers, reported a data breach last year that affected nearly 9 million, according to a November filing with HHS.

However, other notices suggest the PJ&A data breach might be larger. That hack breached information from health providers such as Northwell Health of New York, Concentra Health Services of Texas and Cook County Health.

In an updated notice filed this month with the Maine attorney general, PJ&A said the data hack spanned from March 27 through May 2 and affected the records of 13.3 million people, which would make it the largest hack of 2023.

New York Attorney General Letitia James urged 4 million New York City and Syracuse-area residents affected by the PJ&A breach to take steps such as credit monitoring and placing a fraud alert on credit reports. She also encouraged affected individuals to obtain copies of their medical records, contest unrecognized medical bills and inform their health insurers about the hack.

PJ&A representatives did not respond on Friday to questions from USA TODAY about the hack.

Riggi, of the American Hospital Association, said third-party data breaches are particularly challenging for hospitals and other health providers to police. HIPAA requires that hospitals and health providers ensure that the companies handling their health records do so in a secure manner.

"It's virtually impossible in this day and age of highly complex networks and software to ensure our third parties meet all the security standards," Riggi said. "Hospitals don't have control or visibility into their networks. We have to take their word that they patched their liability."

Even Medicare was targeted by hackers

The federal, state and local governments have not been immune to such data intrusions. Last July, the Centers for Medicare & Medicaid Services announced a breach that compromised the records of 2.3 million beneficiaries. The hack targeted MOVEit Transfer, a software program used on the computer network of the Medicare contractor Maximus Federal Services Inc.

The MOVEit Transfer software hack was first disclosed by the software manufacturer Progress Software Corp. The hack ultimately affected tens of millions of people across more than 2,000 companies, government agencies and universities, according to an analysis by the data security company Emsisoft.

Federal investigators determined that a Russian ransomware group called Clop was able to exploit a vulnerability in the MOVEit software program in a wide-ranging attack.

"Through that one vulnerability across government and all types of private sector industries, including health care, they were able to access millions and millions of health care records," Riggi said.

Ransomware organizations wreaking havoc

These hacks are often carried out by organized criminal groups seeking to profit from them.

In recent years, hackers have disrupted hospital and health care systems in ransomware attacks. As the name implies, hackers take control of a hospital's data systems and demand a ransom payment for the return of control. Ransomware attacks more than doubled from 2016 through 2021, according to a study published in JAMA Health Forum.

Criminal organizations are also branching out and trying new strategies to make money, said Charles Henderson, global head of IBM Security X-Force, which provides threat intelligence and data security services.

Among their tactics: They demand ransom, threatening to release or sell personal identifying information of a health system's patients.

"They're figuring out that certain monetization strategies are more lucrative than others," Henderson said.

Other cybersecurity experts said the health care industry has been a popular target because it has transformed from one based on pen-and-paper orders and records to one that increasingly relies on software systems for electronic health records and, with the advent of telehealth services, on remote communication.

Hackers likely view hospitals and doctors – and especially vendors who serve these health providers – as "soft targets," said Anurag Lal, president and CEO of Infinite Convergence Solutions, which provides secure messaging services.

While the health care industry has been slow to make the type of investment in computer security necessary to repel hackers, Lal said, there are signs the industry is catching up: "The hospitals and health care entities that recognize (modern hacking threats), understand it and get up and do something about it are the ones who will be in the best position to get past this current situation."

Ken Alltucker is on X, formerly Twitter, at @kalltucker, or can be emailed at [email protected] .

Summer 2021 OCR Cybersecurity Newsletter

Controlling Access to ePHI: For Whose Eyes Only?

A recent report of security incidents and data breaches found that 61% of analyzed data breaches in the healthcare sector were perpetrated by external threat actors and 39% by insiders.[1] Without appropriate authorization policies and procedures and access controls, hackers, workforce members, or anyone with an Internet connection may have impermissible access to the health data, including protected health information (PHI), that HIPAA regulated entities hold. News stories and OCR investigations abound of hackers infiltrating information systems, workforce members impermissibly accessing patients’ health information, and electronic PHI (ePHI) being left on unsecured servers.

Information Access Management and Access Control are two HIPAA Security Rule standards that govern access to ePHI. These standards include several implementation specifications that are either required[2] or addressable.[3] HIPAA regulated entities must implement required implementation specifications. Addressable implementation specifications require HIPAA regulated entities to assess whether an implementation specification is a reasonable and appropriate safeguard in their environment, and if so to implement it. If a particular implementation specification is not reasonable and appropriate, entities must document why, and implement equivalent alternative measures if reasonable and appropriate.

Information Access Management is an administrative safeguard for ePHI and Access Control is a technical safeguard for ePHI. Although their roles in securing ePHI are distinct, together, they ensure that organizations implement policies and procedures and technical controls that limit access to ePHI to only authorized persons or software programs that have been granted access rights. 

Information Access Management

The Information Access Management standard requires HIPAA covered entities and business associates to “implement policies and procedures for authorizing access to [ePHI] that are consistent with the applicable requirements of [the HIPAA Privacy Rule].”[4] This standard has three implementation specifications: two of general applicability to covered entities and business associates (Access Authorization[5] and Access Establishment and Modification[6]) and one specific to health care clearinghouses (Isolating Health Care Clearinghouse Functions[7]). While the Access Authorization and Access Establishment and Modification implementation specifications are similar, the former focuses on the policies for granting access to ePHI, whereas the latter focuses on the procedural aspects of how such access is established, documented, reviewed, and modified.

Access Authorization concerns the implementation of policies and procedures that govern how covered entities and business associates authorize or grant access to ePHI within their organization. This may include how access to each information system containing ePHI is requested, authorized, and granted, who is responsible for authorizing access requests, and the criteria for granting access. These policies typically govern the parameters for which individuals in particular workforce roles may be granted access to particular systems, applications, and data. Those parameters would reflect what information access is necessary for a workforce member to do their job. For example, a billing clerk role may not need access to medical images on a Picture Archiving and Communication System (PACS) server in order to carry out their billing responsibilities.

Access Establishment and Modification policies describe how to establish, document, review, and modify a user’s access to workstations, transactions, programs, or processes. For example, a workforce member being promoted or given some change in responsibility may require increased access to certain systems and decreased access to others. Another example is that a covered organization could change its system access requirements to permit remote access to systems containing ePHI during a pandemic. Policies and procedures should cover situations such as these to ensure that each workforce member’s access continues to be appropriate for their role.

Access Control

The Access Control standard is a technical safeguard that requires covered entities and business associates to implement access controls for electronic information systems to allow access to ePHI only to those approved in accordance with the organization’s Information Access Management process.[8] The flexible, scalable, and technology-neutral nature of the Security Rule permits organizations to consider various access control mechanisms to prevent unauthorized access to ePHI. Such access controls could include role-based access, user-based access, attribute-based access, or any other access control mechanisms the organization deems appropriate.[9] Further, access controls need not be limited to computer systems. Firewalls, network segmentation, and network access control (NAC) solutions can also be effective means of limiting access to electronic information systems containing ePHI. Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization’s network or impede the ability of a hacker already in the network from accessing other information systems – especially systems containing sensitive data.

The Access Control standard includes four implementation specifications for limiting access to only authorized users and software programs. The first, Unique User Identification,[10] is a required implementation specification and is a key security requirement for any system, but particularly those containing ePHI. While the use of shared or generic usernames and passwords may seem to provide some short-term convenience, it severely degrades the integrity of a system because it removes accountability from individual users and makes it much easier for the system to become compromised. If information is improperly entered, altered, or deleted, whether intentionally or not, it can be very difficult to identify the person responsible (e.g., for training or sanctions) or determine which users may have been the victim of a phishing attack that introduced ransomware into the organization. Additionally, because shared usernames and passwords can become widely known, it may be difficult to know whether the person responsible was an authorized user. A former employee or contractor, a current employee not authorized for access, a friend or family member of an employee, or an outside hacker could be a source of unauthorized access. The inability to identify and track a user’s identity due to the use of shared user IDs can also impede necessary investigations when the shared user ID is used for unauthorized or even criminal activity. For example, a malicious insider could take advantage of known shared user IDs to hide their activities when collecting personal medical and financial information to use for identity theft. In such a case, an organization’s implemented audit controls would document the actions of the shared user ID, thus potentially limiting the organization’s ability to properly identify and track the malicious insider.

The second implementation specification, Emergency Access Procedure,[11] is also a required implementation specification. This implementation specification is applicable in situations in which normal procedures for obtaining ePHI may not be available or may be severely limited, such as during power failures or the loss of Internet connectivity. Access controls are still necessary during an emergency, but may be very different from normal operations. For example, due to the recent COVID-19 public health emergency, many organizations quickly implemented mass telework policies. How workforce members can securely access ePHI during periods of increased teleworking should be part of an organization’s Emergency Access Procedures. Appropriate procedures should be established beforehand for how to access needed ePHI during an emergency.

The third implementation specification, Automatic Logoff,[12] is an addressable implementation specification. Users sometimes inadvertently leave workstations unattended for various reasons. In an emergency setting, a user may not have time to manually log out of a system. Implementing a mechanism to automatically terminate an electronic session after a period of inactivity reduces the risk of unauthorized access when a user forgets or is unable to terminate their session. Failure to implement automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI, it also impedes an organization’s ability to properly investigate such unauthorized access because it would appear to originate from an authorized user.

The final implementation specification is Encryption and Decryption,[13] which is also an addressable implementation specification. This technical safeguard can reduce the risks and costs of unauthorized access to ePHI. For example, if a hacker gains access to unsecured ePHI on a network server or if a device containing unsecured ePHI is stolen, a breach of PHI will be presumed and reportable under the Breach Notification Rule (unless the presumption can be rebutted in accordance with the breach risk assessment described in 45 C.F.R. § 164.402(2)). The Breach Notification Rule applies to unsecured PHI, which is PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act].”[14] OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, which provides guidance for securing PHI, states that ePHI that is “at-rest” (i.e., stored in an information system or electronic media) is considered secured if it is encrypted in a manner consistent with NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) (SP 800-111).

ePHI encrypted in a manner consistent with SP 800-111 is not considered unsecured PHI and therefore is not subject to the Breach Notification Rule. Encrypting ePHI in this manner is an excellent example of how implementing an effective encryption solution may not only fulfill an organization’s encryption obligation under the Access Control standard, but also provide a means to leverage the Breach Notification Rule’s safe-harbor provision.

As the use of mobile computing devices (e.g., laptops, smartphones, tablets) becomes more and more pervasive, the risks to sensitive data stored on such devices also increase. Many mobile devices include encryption capabilities to protect sensitive data. Once enabled, a device’s encryption solution can protect stored sensitive data, including ePHI, from unauthorized access in the event the device is lost or stolen.

Information Access Management and Access Control are complementary requirements of the Security Rule. Information Access Management defines how access to ePHI is authorized and Access Control implements technical controls to limit access to ePHI. The rise in data breaches due to hacking as well as threats to ePHI by malicious insiders highlight the importance of establishing and implementing appropriate policies and procedures regarding these Security Rule requirements. Ensuring that workforce members are only authorized to access the ePHI necessary and that technical controls are in place to restrict access to ePHI can help limit potential unauthorized access to ePHI for both threats.

Summer 2019 Cyber Security Newsletter: Managing Malicious Insider Threats: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2019/index.html

Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals: https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

Guide to Storage Encryption Technologies for End User Devices: https://csrc.nist.gov/publications/detail/sp/800-111/final

*  This document is not a final agency action, does not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion.

Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization

Actions to take today to mitigate malicious cyber activity:

  • Continuously remove and disable accounts and groups from the enterprise that are no longer needed, especially privileged accounts.
  • Enable and enforce multifactor authentication with strong passwords.
  • Store credentials in a secure manner, such as with a credential manager, vault, or other privilege account management solution.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site. Analysis confirmed that an unidentified threat actor compromised network administrator credentials through the account of a former employee—a technique commonly leveraged by threat actors—to successfully authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.[1] Analysis also focused on the victim’s Azure environment, which hosts sensitive systems and data, as well as the compromised on-premises environment. Analysis determined there were no indications the threat actor further compromised the organization by moving laterally from the on-premises environment to the Azure environment.

CISA and MS-ISAC are releasing this Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) used by the threat actor and methods to protect against similar exploitation of both unnecessary and privileged accounts.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actor’s activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

A state government organization was notified that documents containing host and user information, including metadata, were posted on a dark web brokerage site. After further investigation, the victim organization determined that the documents were accessed via the compromised account of a former employee. Threat actors commonly leverage valid accounts, including accounts of former employees that have not been properly removed from the Active Directory (AD), to gain access to organizations.[1] CISA and MS-ISAC assessed that an unidentified threat actor likely accessed documents containing host and user information to post on the dark web for profit after gaining access through the account of a former employee.

The scope of this investigation included the victim organization’s on-premises environment, as well as their Azure environment, which hosts sensitive systems and data. Analysis determined the threat actor did not move laterally from the compromised on-premises network to the Azure environment and did not compromise sensitive systems.

Untitled Goose Tool

Incident responders collected Azure and Microsoft Defender for Endpoint (MDE) logs using CISA’s Untitled Goose Tool—a free tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. CISA developed the Untitled Goose Tool to export and review AAD sign-in and audit logs, M365 unified audit logs (UAL), Azure activity logs, and MDE data. By exporting cloud artifacts, Untitled Goose Tool supports incident response teams with environments that do not ingest logs into a security information and event management (SIEM) tool.

Threat Actor Activity

The logs revealed the threat actor first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range. CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN [T1133] with the intent to blend in with legitimate traffic to evade detection.

Initial Access: Compromised Domain Accounts

USER1: The threat actor gained initial access through the compromised account of a former employee with administrative privileges (USER1) [T1078.002] to conduct reconnaissance and discovery activities. The victim organization confirmed that this account was not disabled immediately following the employee’s departure.

  • The threat actor likely obtained the USER1 account credentials in a separate data breach, as the credentials appeared in publicly available channels containing leaked account information [T1589.001].
  • USER1 had access to two virtualized servers, including SharePoint and the workstation of the former employee. The workstation was virtualized from a physical workstation using the Veeam Physical to Virtual (P2V) function within the backup software.

USER2: The threat actor likely obtained the USER2 account credentials from the virtualized SharePoint server managed by USER1 [T1213.002]. The victim confirmed that the administrator credentials for USER2 were stored locally on this server [T1552.001].

  • Through connection from the VM, the threat actor authenticated to multiple services [T1021] via the USER1 account, as well as from an additional compromised global domain administrator account (USER2) [T1078.002].
  • The threat actor’s use of the USER2 account was impactful due to the access it granted to both the on-premises AD and Azure AD [T1021.007], thus enabling administrative privileges [T1078.004].

Following notification of the dark web posting, the victim organization immediately disabled the USER1 account and took the two virtualized servers associated with the former employee offline. The victim also changed the password for the USER2 account and removed administrator privileges. Neither of the administrative accounts had multifactor authentication (MFA) enabled.

LDAP Queries

Through connection from the VM, the threat actor conducted LDAP queries of the AD, likely using the open source tool AdFind.exe, based on the format of the output. CISA and MS-ISAC assess the threat actor executed the LDAP queries [T1087.002] to collect user, host [T1018], and trust relationship information [T1482]. It is also believed the LDAP queries generated the text files the threat actor posted for sale on the dark web brokerage site: ad_users.txt, ad_computers.txt, and trustdmp.txt.

Table 1 lists all queries that were conducted between 08:39:43-08:40:56 Coordinated Universal Time (UTC).
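One way a defender can turn the pattern described above (a short burst of class-wide LDAP searches for users, computers and trust relationships from a single account) into a detection. This is an added example, not part of the advisory: the log records, field layout, IP addresses and thresholds are constructed, with timestamps placed inside the window the advisory reports. It is written in Python so it can run offline over exported directory-search logs.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed LDAP search events (not the advisory's Table 1). The record shape
# is an assumption for a simplified log: time, account, client IP, LDAP filter.
# Timestamps sit inside the 08:39:43-08:40:56 UTC window the advisory reports.
LDAP_EVENTS = [
    ("2024-01-15T08:39:43Z", "USER1", "10.20.0.45", "(objectCategory=person)"),
    ("2024-01-15T08:39:44Z", "USER1", "10.20.0.45", "(objectClass=user)"),
    ("2024-01-15T08:39:51Z", "USER1", "10.20.0.45", "(objectCategory=computer)"),
    ("2024-01-15T08:40:02Z", "USER1", "10.20.0.45", "(objectClass=trustedDomain)"),
    ("2024-01-15T08:40:20Z", "USER1", "10.20.0.45", "(objectCategory=group)"),
    ("2024-01-15T08:40:56Z", "USER1", "10.20.0.45", "(objectClass=domainDNS)"),
    # Routine single-object lookups from a helpdesk account: low rate, one kind.
    ("2024-01-15T08:39:50Z", "helpdesk", "10.20.1.9", "(sAMAccountName=a.lee)"),
    ("2024-01-15T08:52:10Z", "helpdesk", "10.20.1.9", "(sAMAccountName=b.kim)"),
]

# Filter fragments that pull whole object classes, matching the three dumps the
# advisory names: users, computers and trust relationships.
ENUMERATION_MARKERS = {
    "users": ("objectcategory=person", "objectclass=user"),
    "computers": ("objectcategory=computer", "objectclass=computer"),
    "trusts": ("objectclass=trusteddomain",),
}


def classify(ldap_filter):
    """Return the set of enumeration categories a filter touches (may be empty)."""
    lowered = ldap_filter.lower()
    return {name for name, needles in ENUMERATION_MARKERS.items()
            if any(n in lowered for n in needles)}


def detect_enumeration(events, window=timedelta(seconds=120),
                       min_queries=4, min_categories=2):
    """Sliding-window detector: alert when one account issues many class-wide
    searches spanning several categories within the window."""
    windows = {}   # account -> deque of (time, categories, source ip)
    alerts = {}    # account -> summary of the largest qualifying window
    for ts, account, src, flt in sorted(events):   # ISO strings sort chronologically
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        q = windows.setdefault(account, deque())
        q.append((t, classify(flt), src))
        while q and t - q[0][0] > window:          # drop events outside the window
            q.popleft()
        touched = set().union(*(cats for _, cats, _ in q))
        if len(q) >= min_queries and len(touched) >= min_categories:
            prev = alerts.get(account)
            if prev is None or len(q) > prev["queries"]:
                alerts[account] = {
                    "queries": len(q),
                    "categories": sorted(touched),
                    "sources": sorted({s for _, _, s in q}),
                    "window_start": q[0][0].isoformat(),
                    "window_end": t.isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for account, summary in detect_enumeration(LDAP_EVENTS).items():
        print(account, summary)
```

The breadth requirement (several object categories, not just a high query count) is what separates an enumeration sweep from a busy but legitimate application that repeatedly looks up one kind of object; pairing the alert with the account-hygiene checks in the Mitigations section (is the account still supposed to exist, did it authenticate from the VPN range) is what would have made this incident visible early.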

Service Authentication

Through the VM connection, the threat actor was observed authenticating to various services on the victim organization’s network from the USER1 and USER2 administrative accounts. In all instances, the threat actor authenticated to the Common Internet File System (CIFS) service on various endpoints [T1078.002],[T1021.002]—a protocol used for providing shared access to files and printers between machines on the network. This was likely used for file, folder, and directory discovery [T1083], and assessed to be executed in an automated manner.

  • USER1 authenticated to four services, presumably for the purpose of network and service discovery [T1046].
  • USER2 authenticated to twelve services. Note: This account had administrative privileges to both the on-premises network and Azure tenant.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2-9 for all referenced threat actor’s tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST), which apply to all critical infrastructure organizations and network defenders. The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Secure and Monitor Administrator Accounts

The threat actor gained access to the network via compromised administrator accounts that did not have MFA enabled. The compromised USER2 Global Domain Administrator account could have enabled the threat actor to move laterally from the on-premises environment to the Azure tenant. In response to the incident, the victim organization removed administrator privileges for USER2. Additionally, the victim organization disabled unnecessary administrator accounts and enabled MFA for all administrator accounts. To prevent similar compromises, CISA and MS-ISAC recommend the following:

  • Review current administrator accounts to determine their necessity and only maintain administrator accounts that are essential for network management. This will reduce the attack surface and focus efforts on the security and monitoring of necessary accounts.
  • Restrict the use of multiple administrator accounts for one user.
  • Create separate administrator accounts for on-premises and Azure environments to segment access.
  • Implement the principle of least privilege to decrease threat actor’s ability to access key network resources. Enable just-in-time and just enough access for administrator accounts to elevate the minimum necessary privileges for a limited time to complete tasks.
  • Use phishing-resistant multifactor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins [M1032]. For additional guidance on secure MFA configurations, visit CISA’s More than a Password webpage and read CISA’s Implementing Phishing-Resistant MFA fact sheet.

Reduce Attack Surface

Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise. CISA and MS-ISAC recommend the following:

  • Establish policy and procedure for the prompt removal of unnecessary accounts and groups from the enterprise, especially privileged accounts. Organizations should implement a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.
  • Determine the need and functionality of assets that require public internet exposure [CPG 1.A].
  • Follow a routine patching cycle for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation.
  • Restrict personal devices from connecting to the network. Personal devices are not subject to the same group policies and security measures as domain joined devices.
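The account-hygiene recommendations in the two sections above (keep only necessary administrator accounts, enforce MFA on them, and promptly remove the accounts of offboarded employees) can be checked mechanically by joining a directory export against an HR roster. The following is an added example, not CISA/MS-ISAC code: the record layout, account names, roster and 90-day staleness threshold are all constructed assumptions, and the directory export would in practice come from whatever tooling the organization uses to dump account attributes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the advisory). The record shape is an
# assumption: one row per directory account, with the owning person's HR id.
DIRECTORY_EXPORT = [
    {"account": "former.admin", "owner": "E1001", "enabled": True,
     "privileged": True, "mfa": False, "last_logon": "2024-01-10T08:39:00Z"},
    {"account": "svc_backup", "owner": None, "enabled": True,
     "privileged": True, "mfa": False, "last_logon": None},
    {"account": "a.lee", "owner": "E2002", "enabled": True,
     "privileged": False, "mfa": True, "last_logon": "2024-01-12T09:00:00Z"},
    {"account": "a.lee-admin", "owner": "E2002", "enabled": True,
     "privileged": True, "mfa": True, "last_logon": "2024-01-11T17:30:00Z"},
    {"account": "old.intern", "owner": "E3003", "enabled": False,
     "privileged": False, "mfa": False, "last_logon": "2022-06-30T12:00:00Z"},
]

# Constructed HR roster: employee id -> employment status.
HR_ROSTER = {"E1001": "terminated", "E2002": "active", "E3003": "terminated"}

# Fixed reference time so the audit is reproducible offline.
AUDIT_TIME = datetime(2024, 1, 15, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_accounts(export, roster, now, stale_days=90):
    """Return sorted (account, finding) pairs for the hygiene rules above.

    Rules: an enabled account whose owner has left; a privileged account with no
    accountable owner; a privileged account without MFA; an enabled account that
    has never logged on or has not logged on within stale_days.
    """
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for rec in export:
        acct = rec["account"]
        status = roster.get(rec["owner"], "unknown") if rec["owner"] else "unowned"
        if rec["enabled"] and status == "terminated":
            findings.append((acct, "enabled account of departed employee"))
        if rec["enabled"] and rec["privileged"] and status == "unowned":
            findings.append((acct, "privileged account with no accountable owner"))
        if rec["privileged"] and not rec["mfa"]:
            findings.append((acct, "privileged account without MFA"))
        last = parse_ts(rec["last_logon"])
        if rec["enabled"] and (last is None or last < cutoff):
            findings.append((acct, "stale enabled account"))
    return sorted(findings)


def run_audit():
    """Run the audit over the constructed sample."""
    return audit_accounts(DIRECTORY_EXPORT, HR_ROSTER, AUDIT_TIME)


if __name__ == "__main__":
    for account, finding in run_audit():
        print(f"{account:14} {finding}")
```

The former employee's account is flagged even though it logged on recently, because the roster, not the directory, is the source of truth for whether an account should exist; a last-logon check alone would have looked healthy in this incident, since the attacker was actively using the account. The disabled intern account shows what a correctly offboarded account looks like and produces no finding.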

Evaluate Tenant Settings

By default, in Azure AD all users can register and manage all aspects of applications they create. Users can also determine and approve what organizational data and services the application can access. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, users who create an Azure AD automatically become the Global Administrator for that tenant. This could allow a threat actor to escalate privileges to execute malicious actions. CISA and MS-ISAC recommend the following:

  • Restrict users’ ability to register applications. By default, all users in Azure AD can register and manage the applications they create and approve the data and services the application can access. If this is exploited, a threat actor can access sensitive information and move laterally in the network.
  • Restrict non-administrators from creating tenants. Any user who creates an Azure AD tenant automatically becomes the Global Administrator for that tenant. This creates an opportunity for a threat actor to escalate privileges to the highest privileged account.
  • Restrict access to the Azure AD portal to administrators only. Users without administrative privileges cannot change settings; however, they can view user information, group information, device details, and user privileges, which would allow a threat actor to gather valuable information for malicious activities.
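An added example (not code from the advisory): a Python audit of a tenant's authorization policy, in the shape Microsoft Graph returns from `GET /policies/authorizationPolicy`, against the first two recommendations above, which generates the `PATCH` body that turns those default-user permissions off. The sample policy document is constructed for the example; the third recommendation (portal access) is a separate portal setting and is not covered here.

```python
"""Audit an Azure AD (Entra ID) authorization policy for the default-user
permissions the advisory recommends restricting.

The document shape matches Microsoft Graph's /policies/authorizationPolicy
resource; the sample below is constructed for this example, not captured
from a real tenant.
"""
import json

# Constructed sample: the out-of-the-box defaults the advisory warns about.
SAMPLE_DEFAULT_POLICY = json.loads("""
{
  "id": "authorizationPolicy",
  "displayName": "Authorization Policy",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": true,
    "allowedToCreateSecurityGroups": true,
    "allowedToCreateTenants": true,
    "allowedToReadOtherUsers": true
  }
}
""")

# Graph property names that should be false for ordinary (non-administrator)
# users, with the advisory's rationale for each.
REQUIRED_FALSE = {
    "allowedToCreateApps": "users can register apps and approve the data they access",
    "allowedToCreateTenants": "tenant creator becomes Global Administrator of the new tenant",
}


def audit_authorization_policy(policy: dict) -> list[dict]:
    """Return one finding per default-user permission that is still permissive.

    A missing property is reported as a finding too: an absent value cannot
    be proven restricted, so it is treated as needing an explicit false.
    """
    perms = policy.get("defaultUserRolePermissions", {})
    findings = []
    for prop, why in REQUIRED_FALSE.items():
        value = perms.get(prop)
        if value is not False:
            findings.append({
                "setting": prop,
                "current": value,
                "recommended": False,
                "rationale": why,
            })
    return findings


def hardening_patch(policy: dict) -> dict:
    """Build the minimal PATCH body for /policies/authorizationPolicy that
    fixes every finding, leaving already-restricted properties untouched."""
    changes = {f["setting"]: False for f in audit_authorization_policy(policy)}
    return {"defaultUserRolePermissions": changes} if changes else {}


def apply_patch(policy: dict, patch: dict) -> dict:
    """Simulate Graph applying the PATCH (merge semantics) so the result can
    be re-audited offline; a real change would send this body to Graph."""
    merged = json.loads(json.dumps(policy))  # deep copy, original untouched
    for key, val in patch.get("defaultUserRolePermissions", {}).items():
        merged.setdefault("defaultUserRolePermissions", {})[key] = val
    return merged


if __name__ == "__main__":
    for f in audit_authorization_policy(SAMPLE_DEFAULT_POLICY):
        print(f"[FINDING] {f['setting']}={f['current']}: {f['rationale']}")
    patch = hardening_patch(SAMPLE_DEFAULT_POLICY)
    print("PATCH /policies/authorizationPolicy", json.dumps(patch))
    hardened = apply_patch(SAMPLE_DEFAULT_POLICY, patch)
    print("remaining findings:", audit_authorization_policy(hardened))
```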

Create a Forensically Ready Organization

  • Collect access- and security-focused logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and virtual private network) for use in both detection and incident response activities [CPG 2.T].
  • Enable complete coverage of tools, including Endpoint Detection and Response (EDR), across the environment for thorough analysis of anomalous activity and remediation of potential vulnerabilities.

Assess Security Configuration of Azure Environment

CISA created the Secure Cloud and Business Applications (SCuBA) assessment tool to help Federal Civilian Executive Branch (FCEB) agencies verify that an M365 tenant configuration conforms to a minimal viable secure configuration baseline. Although the SCuBA assessment tool was developed for FCEB, other organizations can benefit from its output. CISA and MS-ISAC recommend the following:

  • Use tools that identify attack paths. This will enable defenders to identify common attack paths used by threat actors and shut them down before they are exploited.
  • Review the security recommendations list provided by Microsoft 365 Defender. Focus remediation on critical vulnerabilities on endpoints that are essential to mission execution and contain sensitive data.

Evaluate Conditional Access Policies

Conditional access policies require users who want to access a resource to complete an action. Conditional access policies also account for common signals, such as user or group memberships, IP location information, device, application, and risky sign-in behavior identified through integration with Azure AD Identity Protection.

  • Review current conditional access policies to determine if changes are necessary.

Reset All Passwords and Establish Secure Password Policies

In response to the incident, the victim organization reset passwords for all users.

  • Employ strong password management alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as user passwords expire [CPG 2.A], [CPG 2.B], [CPG 2.C].
  • Store credentials in a secure manner, such as with a credential manager, vault, or other privileged account management solution [CPG 2.L].
  • For products that come with default passwords, ask vendors how they plan to eliminate default passwords, as highlighted in CISA’s Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords.

Mitigations for Vendors

CISA recommends that vendors incorporate secure by design principles and tactics into their practices, limiting the impact of threat actor techniques and strengthening the security posture of their customers.

  • Prioritize secure by default configurations, such as eliminating default passwords and providing high-quality audit logs to customers with no additional configuration, at no extra charge. Secure by default configurations should be prioritized to eliminate the need for customer implementation of hardening guidance.
  • Immediately identify, mitigate, and update affected products that are not patched in accordance with CISA’s Known Exploited Vulnerabilities (KEV) catalog.
  • Implement multifactor authentication (MFA), ideally phishing-resistant MFA, as a default (rather than opt-in) feature for all products.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  • Select an ATT&CK technique described in this advisory (see table 2-9).
  • Align your security technologies against the technique.
  • Test your technologies against the technique.
  • Analyze your detection and prevention technologies’ performance.
  • Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  • Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

  • MS-ISAC: Center for Internet Security (CIS) Cyber-Attack Defense: CIS Benchmarks + CDM + MITRE ATT&CK


The information in this report is being provided “as is” for informational purposes only. CISA and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or MS-ISAC.

VERSION HISTORY

February 15, 2024: Initial version.


A newsletter briefing on cybersecurity news and policy.

The largest cyberattack of its kind recently happened. Here’s how.


with research by David DiMolfetta

Welcome to The Cybersecurity 202! Hey, there’s a Washington Post Live event that I’ll be participating in tomorrow morning along with some of my other Post colleagues and the cyber experts we’ll be interviewing. Please join us.


Below: A Navy officer admits to transmitting sensitive military data, and Google announces a major authentication update. First:

A massive DDoS attack shines a spotlight on vulnerabilities in core parts of the internet

A trio of internet giants revealed on Tuesday that they had fought off an “unprecedented” distributed denial-of-service (DDoS) attack — used to disrupt the availability of systems like websites and services — that registered as the biggest on record, by far.

Cloudflare, Google and Amazon Web Services (AWS) said the attack relied on a previously undisclosed vulnerability in a key piece of internet architecture. 

And it was massive.

“For a sense of scale, this two minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023,” Google wrote in a blog post.

News of the attack comes as maintainers of a foundational open-source internet tool announced severe vulnerabilities, and as four federal agencies published guidance on the security of open-source software (OSS).

HTTP/2 ‘Rapid Reset’

The attack, known as HTTP/2 “Rapid Reset,” abuses a weakness in the HTTP/2 protocol. HTTP stands for Hypertext Transfer Protocol and is used to load webpages. HTTP/2 was a revision of an earlier version, meant to make pages load faster, among other improvements.

“The DDoS events AWS detected were a type of HTTP/2 request flood, which occurs when a high volume of illegitimate web requests overwhelms a web server’s ability to respond to legitimate client requests,” Tom Scholl, vice president and distinguished engineer at the company, and Mark Ryland, AWS’s director of the office of chief information security officer, wrote in a blog post.

(Amazon founder Jeff Bezos owns The Washington Post. Interim CEO Patty Stonesifer sits on Amazon’s board.)

“Because the attack abuses an underlying weakness in the HTTP/2 protocol, we believe any vendor that has implemented HTTP/2 will be subject to the attack,” Cloudflare engineers Lucas Pardue and Julian Desgats wrote. “This included every modern web server.”

The novel nature of the vulnerability allowed for some interesting attack numbers. Cloudflare said it was three and a half times bigger than its previous biggest attack on record, while Google said it was seven and a half times larger than the previous record.

  • “Concerning is the fact that the attacker was able to generate such an attack with a botnet of merely 20,000 machines,” Cloudflare’s engineers wrote. “There are botnets today that are made up of hundreds of thousands or millions of machines.”
  • “Given that the entire web typically sees only between 1-3 billion requests per second, it's not inconceivable that using this method could focus an entire web’s worth of requests on a small number of targets,” they continued.

There’s been no attribution for who was behind the attack.

For the most in-depth technical breakdowns of the attack, check out the Cloudflare blog post and this second Google blog post.

Open source

News of the vulnerabilities put an additional bit of recent focus on vulnerabilities in some of the internet’s building blocks.

Tuesday’s Cybersecurity 202 had the news about two vulnerabilities to curl, the aforementioned open-source tool. One of them is “probably the worst curl security flaw in a long time,” lead developer Daniel Stenberg said.

The Cybersecurity and Infrastructure Security Agency, FBI and Treasury Department also published guidance on Tuesday about securing open-source software for operational technology (OT) and a subset of that called industrial control systems (ICS), which are most heavily relied upon in sectors like energy and manufacturing. Those sectors need special systems to detect or cause changes in physical processes.

“Critical infrastructure organizations using OT/ICS face heightened cybersecurity and safety concerns due to the potentially far-reaching impacts of incidents and associated life safety implications, particularly to connected infrastructure,” the agencies explained in a news release. “Applying generally applicable cyber hygiene practices, such as routinely updating software, can be challenging for organizations using OSS in OT and ICS applications.”

The agencies produced the guidance in conjunction with CISA’s Joint Cyber Defense Collective, designed to bring cyber defenders from industry and elsewhere together to share and act on information.

Navy officer admits taking bribes to share military data with China

U.S. Navy Petty Officer Wenheng “Thomas” Zhao on Tuesday pleaded guilty to accepting $15,000 in bribes from a Chinese intelligence officer in exchange for transmitting U.S. military information that was unclassified, Reuters’s Andrew Goudsward reports.

Zhao, a 26-year-old who worked on Naval Base Ventura County in California, “admitted sending his Chinese handler plans for U.S. military exercises in the Indo-Pacific region, operational orders and electrical diagrams and blueprints for a radar system on a U.S. military base in Okinawa, Japan, according to court documents and U.S. officials,” Goudsward writes. He was arrested in August and faces up to 20 years in prison.

  • Zhao took at least 14 separate payments, according to a Justice Department release. He admitted to transmitting plans for a maritime training exercise, as well as operational orders, electrical diagrams and blueprints.
  • “Zhao further admitted to using sophisticated encrypted communication methods to transmit the information, destroying evidence and concealing his relationship with the intelligence officer,” the department said.
  • “Officer Zhao betrayed his country and the men and women of the U.S. Navy by accepting bribes from a foreign adversary,” said U.S. Attorney Martin Estrada for the Central District of California. A lawyer for Zhao did not immediately return a request for comment from Reuters. 

The Hamas-Israel cyber dynamic puts disinformation on the top shelf

Cybersecurity coverage of the Israel-Hamas war has focused heavily on disinformation dynamics while direct hacking activities appear to have taken a less prevalent seat.

Elon Musk’s X, formerly known as Twitter, has shown how the conflict’s disinformation can spread.

E.U. Digital Commissioner Thierry Breton warned Musk in a letter posted Tuesday that his platform may be violating disinformation rules that X and several other large entities are required to adhere to after parts of a new European digital law took effect this year.

  • “We have, from qualified sources, reports about potentially illegal content circulating on your service, despite flags from relevant authorities,” Breton said, citing instances of reported fake images and facts, as well as repurposed old footage.
  • Musk pushed back, asking for a list of violations. Breton replied saying that Musk is “well aware” of specifics and reiterated that officials were available to assist with compliance.
  • Musk promoted the accounts @WarMonitors and @sentdefender on Sunday to his 150 million followers, which gained some 11 million views in three hours before he later deleted the post. The pair of accounts have been criticized for previously promoting false information.

As for broader hacking dynamics, the United States has not yet detected major cyberattacks between Israel and Hamas, the Wall Street Journal’s Warren P. Strobel reports, citing National Security Agency Cybersecurity Director Rob Joyce. Hacktivist groups have taken part in the war, and denial-of-service attacks from various groups have knocked Israeli websites offline but were not long-lasting.

  • How Hamas worked around Israel’s historically powerful signals intelligence apparatus continues to remain somewhat of a mystery, though reports from Bloomberg News on Tuesday suggest the group took a less electronic approach in their planning.
  • Our national security colleagues reported Tuesday that Iranian allies provided logistical aid and weaponry to Hamas, and had been helping plan this weekend’s assault for at least the past year.

Google makes passkeys default login setting for users

Google announced Tuesday it would make a password replacement functionality, known as “passkeys,” the default login method for users on its platforms, WIRED’s Lily Hay Newman reports.

Passkeys are digital credentials stored in a user’s computer that provide an alternative authentication method which doesn’t force the user to remember their password to accounts. The tool is designed as a less hackable alternative to passwords by relying on encrypted code stored on devices. 

Google in a blog post did not give specific figures on passkey adoption but noted that accounts have adopted the login methods on platforms like YouTube or Maps. 

  • “Password-based authentication is so ubiquitous in digital systems that it isn’t easy to replace. But passwords have inherent security problems because they can be guessed and stolen,” Newman writes, later adding: “Passkeys are specifically designed to address these issues and dramatically reduce the risk of phishing attacks by instead relying on a scheme that manages cryptographic keys stored on your devices for account authentication.”

Big Tech companies over the past year have been moving ahead to adopt non-password authentication and give some users the ability to elect those methods for logging in. Proponents of the technology say it is safer and lowers firms’ security costs, though some argue the adoption costs for small businesses or platforms may pose a hindrance.

“Passwordless is something we set out to achieve 10-plus years ago, and we’re thrilled to not only see us already on the next step of the journey with passkeys by offering them by default, but also to see the great feedback from users who have made the switch,” Google identity and security group product manager Christiaan Brand told WIRED.

Government scan

Neuberger provides details on ratings effort to determine security of pipeline, rail sectors (Inside Cybersecurity)

FBI looks to build diverse workforce to meet cyber needs (MeriTalk)

SEC probes Twitter security lapse before Elon Musk took over (Bloomberg News)

Securing the ballot

North Carolina Republicans override governor’s veto on key election law (Patrick Marley)

Industry report

IT staff take as long as 1 month to fix security flaws (Axios)

National security watch

Hamas got around Israel’s surveillance prowess by going dark (Bloomberg News)

U.S. surging cyber support to Israel (Politico Pro)

Global cyberspace

How to limit graphic social media images from the Israel-Hamas war (Shira Ovide)

Savvy Israel-linked hacking group reemerges amid Gaza fighting (CyberScoop)

Nation-state hacker group targeting Taiwan, US, Vietnam and Pacific Islands (The Record)

Israel freezes crypto accounts seeking Hamas donations, police say (Reuters)

Philippine Statistics Authority probing alleged data breach (Bloomberg News)

  • The Institute of World Politics holds a seminar on cybersecurity intelligence at 6 p.m.
  • Your newsletter host, CISA executive director Brendan Wales and others participate in a Washington Post Live event featuring your newsletter host tomorrow at 9 a.m.
  • State Department CISO Donna Bennett speaks with Billington CyberSecurity tomorrow at 12:30 p.m.
  • FCC Commissioner Nathan Simington speaks with the Hudson Institute on security threats of Chinese telecom equipment in U.S. networks tomorrow at 2 p.m.

Secure log off

Product tester. pic.twitter.com/g5RoP9nMN0 — cats with jobs 🛠 (@CatWorkers) October 10, 2023

Thanks for reading. See you tomorrow.
