As the year comes to an end, we are taking a look back at the major data breaches and vulnerabilities that disrupted the security of organizations small and large, including some very important ones, around the world and across all industries.
According to a recently published report:
- in the first three quarters of 2023, the number of ransomware attacks increased by almost 70% compared to the first three quarters of 2022 and
- over 80% of data breaches involved data stored in the cloud.
As this trend is on the rise, governmental organizations and companies of every size are putting more emphasis on the security of their systems and networks. Compliance requirements, stricter access controls, observability and incident response processes are being introduced as needed.
Before we jump straight to the list, and possibly darken the mood, I hope you can get something positive out of this and learn from these incidents. No system is perfect and malicious actors will continue poking around. What is important is to work on our security, find ways to identify any unauthorized access to our systems and resolve the incidents as quickly as possible. #hugops 🤗
- The common trends? Data breaches, supply chain attacks, cyber attacks, unauthorized changes and access, and expensive incidents 💰
- Exploited vulnerabilities in widely used software have caused data breaches at large scale, exposing the personal information of millions of individuals.
- Unauthorized access to the systems and networks of the victim organizations is the most common pattern we see in the majority of the breaches.
- It takes a significant amount of time for organizations to identify unauthorized access, with malicious actors and/or vulnerabilities existing in their systems for hours, weeks and even months.
P.S. This article does not intend to portray the organizations in a negative way, but rather raise awareness of the increasing number of data breaches and the importance of security in software.
In January 2023, an API breach exposed data from 37 million T-Mobile accounts. T-Mobile disclosed that this unauthorized access began on November 5th 2022 and according to their SEC filing, the breach was discovered on January 5th, 2023, and was shut down within 24 hours.
Kolochenko, founder of ImmuniWeb, highlighted that “given that the exfiltration of 37 million customer records was visibly not detected and blocked by the anomaly detection system, we can surmise that the breached API belonged to the unknown, and thus, unprotected shadow assets.”
While T-Mobile stated no evidence of network or system compromise by the perpetrator, they did confirm that some basic customer information was obtained.
This incident started conversations around the importance of API security in SMB and enterprise organizations. APIs are a gate that is often forgotten, abandoned or undocumented, and unauthorized access through a single API can lead to a significant data breach.
The Twitter chaos already started at the beginning of the year, when hackers stole the email addresses of more than 200 million Twitter users and posted them on an online hacking forum. This is a controversial one: outside sources said the data is connected to a 2021 vulnerability, but Twitter claims it is not from an exploit.
Troy Hunt, creator of the breach notification site Have I Been Pwned, viewed the leaked data and said on Twitter that it seemed “pretty much what it’s been described as”.
The breach is only the latest cybersecurity failure to affect Twitter, which has long struggled to protect its users’ data. The company is already being investigated by the EU for the breach (based on first reports in July 2022) and is being probed by the FTC for similar security lapses.
Elevel (previously Eleko), a leading Russian electrical engineering company, faced a data breach when, on January 24, an open dataset with 1.1TB of data was found attributed to e.way, an Elevel-owned online shop with 25,000 monthly visitors.
The dataset with 7 million data entries leaked two years’ worth of sensitive data, including names, surnames, phone numbers, email addresses, and delivery addresses of customers. It also contained login data and passwords stored in URL encoding, which is a very weak protection mechanism: URL encoding is a reversible transformation, not encryption, and is decoded trivially.
“As a number of usernames and passwords are exposed, it could enable threat actors with valid credentials to gain further sensitive data and to impersonate users to make fraudulent purchases,” Cybernews researchers noted.
PeopleConnect: Instant Checkmate and TruthFinder
Earlier this year, PeopleConnect-owned background check services Instant Checkmate and TruthFinder disclosed data breaches affecting more than 20 million users.
The incident was discovered after cybercriminals started sharing databases stolen from the two companies on underground forums. The databases contained names, email addresses, phone numbers, encrypted passwords, and password reset tokens that are either expired or inactive.
“We have confirmed that the list was created several years ago and appears to include all customer accounts created between 2011 and 2019. The published list originated inside our company,” the announcements read. According to the two announcements, the data breach was the result of the “inadvertent leak or theft” of the impacted database.
In March this year, major Australian and New Zealand non-bank lender Latitude Financial revealed it had been the victim of a major data breach, with up to 14 million of its customers having their personal information exposed.
According to the company, 96% of the data breached was copies of driver license or driver license numbers, while less than 4% was copies of passports or passport numbers, and less than 1% was Medicare numbers.
The impact of it? For six weeks following the cyber attack, Latitude paused new originations and pricing actions, saw a decline in receivables and had its collections activities “significantly disrupted” 👀
In the following month, Latitude’s chief executive, Bob Belan, said in a statement that they “will not pay a ransom to criminals”, because “there is simply no guarantee that doing so would result in any customer data being destroyed and it would only encourage further extortion attempts on Australian and New Zealand businesses in the future.”
Just like we will see later in 2023, managed file transfer systems are targets of ransomware attacks for obvious reasons: they are used by many organizations and they carry files with possibly sensitive data.
Even though the GoAnywhere vulnerability was first discovered at the beginning of the year, March was when a large number of organizations announced that they had been affected by the vulnerability, tracked as CVE-2023-0669.
Some of these organizations are: sustainable energy giant Hitachi Energy, California-based digital bank Hatch Bank, cybersecurity firm Rubrik, healthcare provider Community Health Systems, the City of Toronto, luxury retailer Saks Fifth Avenue, P&G, the online education platform Pluralsight, Virgin Red, Atos and Rio Tinto.
According to the company, “The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments. For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments."
Shields Healthcare Group
Shields Health Care Group (SHCG), a US medical service provider, disclosed a data breach impacting over 2.3 million people whose sensitive data was exposed, such as full names, driver’s license numbers and other non-driver ID card numbers. Even though the news broke in April 2023, the incident happened in March 2022, when unknown attackers infiltrated SHCG’s systems.
“The investigation determined an unknown actor gained access to certain Shields systems from March 7, 2022, to March 21, 2022. Furthermore, the investigation revealed certain data was acquired within that time frame,” reads the letter.
NCB Management Services
NCB Management Services, a US-based debt collector, fell victim to an attack on their system that exposed sensitive financial data such as payment card numbers with security codes of nearly 1.1 million people.
The US company claims that attackers penetrated its systems on February 1st, and it took NCB three days to notice that the company’s systems were breached.
“Recently, confidential client account information maintained by NCB was accessed by an unauthorized party. To date, we are unaware of any misuse of your information as a result of this incident,” the company’s letter to potential victims said.
Attackers roamed MCNA systems for nearly two weeks, exposing data of approximately 9 million people. The company only noticed the unauthorized access on March 6th, even though the first access to MCNA’s systems occurred as early as February 26th.
“MCNA subsequently discovered that certain systems within the network may have been infected with malicious code. Through its investigation, MCNA determined that an unauthorized third party was able to access certain systems and remove copies of some personal information,” the company said.
PharMerica disclosed a data breach that affected the personal information of more than 5.8 million individuals after an unauthorized party accessed its systems.
PharMerica did not provide details on the type of cyberattack that it suffered, but it appears that the Money Message ransomware group is responsible for the incident.
A few weeks later, the ransomware operators told DataBreaches.net that they encrypted almost the entire PharMerica infrastructure and that they had engaged in negotiations with the company.
MOVEit Transfer Vulnerability
I really hope it’s not the first time you hear about this, but June (and the following months) was all about the MOVEit Transfer vulnerability (CVE-2023-34362). The news burst at the very end of May 2023 and on June 6th, CL0P claimed responsibility for some of the attacks.
First of all, MOVEit is a managed file transfer software tool widely used by many healthcare, technology, financial and energy companies as well as government agencies. The vulnerability allowed attackers to perform an SQL injection in the web application and gain access to MOVEit Transfer’s database, causing massive data theft within minutes of web shells being deployed.
“This is potentially one of the most significant breaches of recent years,” said Brett Callow, an analyst at the cybersecurity firm Emsisoft. “We’ll have a better sense of how significant it is as more details emerge about the number and type of organizations impacted.”
Even though the number of affected organizations is not known to this day, we know that Shell, the BBC, British Airways, the province of Nova Scotia and several US federal government agencies were among the victims whose users’ data was compromised.
The news revealed that malicious actors exploited an unknown flaw in Revolut’s payment systems to steal more than $20 million of the company’s funds in early 2022.
According to FT’s sources, the software vulnerability affected the communication between its US and European payment systems. Because of this, when some transactions were declined, Revolut would incorrectly refund accounts with money from the bank itself rather than the money belonging to the account.
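To make the refund logic flaw concrete, here is a constructed model (an added example, not Revolut’s code, which has not been published): a ledger that refunds declined transactions, first trusting the decline notice exactly as received, then only reversing a debit it actually recorded. Region names, transaction ids and amounts are made up.

```python
"""Model of a refund-on-decline logic flaw of the kind described above.
Constructed example, not Revolut's code: amounts are in minor units, and the
decline notices stand in for messages exchanged between two payment regions."""
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """One region's customer ledger. All sample data is constructed."""
    balance: int
    debits: dict = field(default_factory=dict)   # txn_id -> amount taken from the customer
    flagged: list = field(default_factory=list)  # notices with no matching debit

    def authorize(self, txn_id, amount):
        """Hold funds for an authorization: money leaves the customer balance."""
        if amount > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= amount
        self.debits[txn_id] = amount

    def refund_declined_buggy(self, txn_id, amount):
        """Flawed handler: trusts the notice's amount and credits the customer even
        when this ledger never debited them, and again on every repeated notice.
        The credited money has no debit behind it, so it comes from the bank."""
        self.balance += amount
        return amount

    def refund_declined_fixed(self, txn_id, amount):
        """Hardened handler: reverses only a debit this ledger recorded, at most
        once, and for the recorded amount rather than the amount in the notice."""
        recorded = self.debits.pop(txn_id, None)
        if recorded is None:
            self.flagged.append(txn_id)  # nothing to reverse: send to reconciliation
            return 0
        self.balance += recorded
        return recorded


def decline_notices():
    """Constructed cross-region traffic: txn-1 was debited in this ledger; txn-2 was
    handled entirely by the other region, so it never touched this ledger; and the
    notice for txn-1 is delivered twice."""
    return [("txn-1", 500), ("txn-2", 700), ("txn-1", 500)]


def run(handler_name):
    """Replay the notices against a fresh ledger; returns (balance, refunded, flagged)."""
    ledger = Ledger(balance=1000)
    ledger.authorize("txn-1", 500)  # balance now 500, with 500 on hold
    handler = getattr(ledger, handler_name)
    refunded = sum(handler(txn, amt) for txn, amt in decline_notices())
    return ledger.balance, refunded, list(ledger.flagged)


if __name__ == "__main__":
    # buggy: 500 + 500 + 700 + 500 = 2200, i.e. 1200 more than the customer ever had
    print("buggy:", run("refund_declined_buggy"))
    # fixed: 500 + 500 = 1000, with txn-2 and the duplicate txn-1 notice flagged
    print("fixed:", run("refund_declined_fixed"))
```

The flagged list is the detection hook: a decline notice that matches no local debit is exactly the cross-system mismatch a reconciliation job should alert on rather than pay out.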
More Data Breaches due to MOVEit Vulnerability
More organizations identified the MOVEit vulnerability in their systems, increasing the number of impacted victims to many millions.
Calpers said that hackers downloaded data of approximately 769,000 members. Genworth Financial was harder hit, saying personal information of nearly 2.5 million to 2.7 million of its customers was breached.
Louisiana’s Office of Motor Vehicles issued a similar alert, saying that “all Louisianans with a state-issued driver’s license, ID, or car registration” had their data exposed to the hackers. Compromised details include Social Security number, address, and driver’s license number.
Shell has not specified what kind of personal information was compromised, and it confirmed the hack only after the Cl0p cybergang published the data it allegedly stole from the company because Shell refused to negotiate.
Wilton Re, a US-based insurer, said that a third-party vendor breach via the MOVEit transfer exploit exposed the details of nearly 1.5 million people.
Indonesian Immigration Directorate General
More than 34 million Indonesians had their passport data leaked after a hacker gained unauthorized access to the country’s Immigration Directorate General at the Ministry of Law and Human Rights.
In this instance, the malicious actor stole vast quantities of personal data, including Indonesian residents’ full names, genders, passport numbers, dates of issue, expiry dates and dates of birth.
“The biggest real-world consequence of a breach like this is identity theft,” said Andrew Whaley, Senior Technical Director at Promon.
Adobe ColdFusion Vulnerability
Adobe’s ColdFusion vulnerability dates back to July 2023 and (just between us 🤫) it comes back in December of this year. In August 2023, CISA warned organizations and government agencies that the known Adobe ColdFusion vulnerability CVE-2023-26359 had been exploited in attacks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise”, CISA warned.
As a heads-up, as we write this in December 2023, CISA has warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers.
The attackers leveraged a service account to infiltrate Rollbar’s systems from Aug 9 to 11, from which they were able to exfiltrate sensitive user data, including usernames and project information, as well as customers’ project access tokens, which allowed interactions with Rollbar projects.
“The party first tried to launch compute resources, and after that failed for lack of permission, they accessed the data warehouse and ran searches that suggested they were interested in Bitcoin wallets or other cloud credentials.”
A “cybersecurity issue” at MGM Resorts forced the famous hotel and casino company to shut down many of its systems. The company expects the breach will have a negative impact of about $100 million.
According to Reuters, the ransomware group used a social engineering attack to compromise their systems, but MGM “have no evidence that the criminal actors have used this data to commit identity theft or account fraud.”
The private data of customers who used MGM services before March 2019, including contact information, gender, date of birth and driver’s license numbers, was breached. The company also said that “we believe a more limited number of Social Security numbers and passport numbers were obtained”.
Another data breach of authentication giant Okta has impacted nearly 200 of its clients. 1Password, BeyondTrust and Cloudflare had notified Okta of suspicious and concerning activity that was ultimately tied to the support system incident, weeks before Okta disclosed it.
According to Reuters, hackers downloaded a report containing data including names and email addresses of all clients that use Okta’s customer support system. As an access and authentication service, a breach of Okta always comes with risks to other organizations, and the company confirmed that “certain Okta customers” were affected.
Months after the incident, Okta said the security breach disclosed in October was far worse than first thought.
Old news, fresh fines. Equifax has been issued a fine of approximately $13.4 million by the FCA following the 2017 data breach.
What happened then you ask? Equifax suffered a data breach that saw the personal data of up to 148 million customers accessed by malicious actors during the hack. The data accessed during the hack included Equifax membership login details, customer names, dates of birth, partial credit card details and addresses.
What is more interesting is that the data breach was “entirely preventable” and ”there were known weaknesses in Equifax Inc’s data security systems and Equifax failed to take appropriate action in response to protect UK customer data,” the FCA explained.
Sumo Logic reported a security breach, involving a compromised credential that allowed unauthorized access to one of their AWS accounts. Despite this, they claim to have not found any impact on their networks or systems, and customer data continues to be encrypted.
As reported by SecurityWeek, there is no indication that the company’s systems, networks or customer data have been impacted. However, users have been advised to “rotate credentials that are either used to access Sumo Logic or that you have provided to Sumo Logic to access other systems”.
“Immediately upon detection we locked down the exposed infrastructure and rotated every potentially exposed credential for our infrastructure out of an abundance of caution”, the company said in its security notice.
Industrial and Commercial Bank of China (ICBC)
A ransomware attack hit the world’s largest bank, the Industrial and Commercial Bank of China (ICBC), disrupting trades in the U.S. Treasury market and undermining confidence in the security of the worldwide financial system. The attack is known to be linked to a Citrix vulnerability referred to as “CitrixBleed.”
“We don’t often see a bank this large get hit with this disruptive ransomware attack,” said Allan Liska, a ransomware expert at the cybersecurity firm Recorded Future.
Reuters reported that the ransomware gang LockBit took responsibility for the attack, and a representative said that ICBC had “paid a ransom, deal closed.”
Fidelity National Financial
According to TechCrunch, Fidelity National Financial fell victim to a “cybersecurity incident that impacted certain FNF systems.”
“Based on our investigation to date, FNF has determined that an unauthorized third party accessed certain FNF systems and acquired certain credentials. The investigation remains ongoing at this time”, the SEC report included.
Since then, agents, homeowners and prospective buyers who are purchasing properties with FNF have been left confused, with all systems being blocked, including phones and emails, not knowing what to do.
Yes, it also comes as a surprise for me that it’s only the beginning of December and we can already report two significant incidents that occurred.
LogoFAIL firmware attack
In the first week of December, hundreds of Windows and Linux computer models were found to be vulnerable to a new attack that executes malicious firmware early in the boot-up sequence: LogoFAIL.
“LogoFAIL is a newly discovered set of high-impact security vulnerabilities affecting different image parsing libraries used in the system firmware by various vendors during the device boot process. These vulnerabilities are present in most cases inside reference code, impacting not a single vendor but the entire ecosystem across this code and device vendors where it is used. This attack can give a threat actor an advantage in bypassing most endpoint security solutions and delivering a stealth firmware bootkit that will persist in a firmware capsule with a modified logo image.” said Binarly founder and CEO Alex Matrosov.
The affected parties are releasing advisories that disclose which of their products are vulnerable and where to obtain security patches.
Delta Dental of California
Delta Dental of California is the latest victim of the MOVEit vulnerability that was disclosed in the beginning of the year. The organization announced the data breach in June 2023, but the lengthy investigation was concluded at the end of November 2023.
According to the Maine Attorney General and the results of the investigation, the data breach has impacted almost 7 million customers of Delta Dental of California. The data exposed included names, financial account numbers, and credit/debit card numbers and security codes.
As we mentioned at the beginning of the article, the number of cyber attacks, security and data breaches, and malicious activities is increasing drastically year after year. The trend does not seem to be reaching an end, so one needs to understand it is not a question of whether an incident will occur in their system, but when.
Security is shifting left and more and more people realize the importance of it - which is great! 👏. However, strict security policies can be harmful for an organization when they slow down processes (see CAB meetings for every deployment), are built around limited access rights and do not allow people to do their job efficiently.
There needs to be a balance. And organizations need to have processes in place for when security incidents occur, from being able to quickly identify the threat, to having a system in place on how to resolve it.