Top 3 Data Breaches of 2023, and What Lies Ahead in 2024
Take a look at last year's most impactful data breaches and what companies can do to protect themselves going forward.
COMMENTARY
The migration to the cloud, coupled with the rise of artificial intelligence (AI) and machine learning, has exponentially accelerated the use, spread, and storage of data in the cloud. The adoption of new technologies to assist with these processes, and the growing number of privacy laws and regulations that try to govern them, heightened awareness of the need to address data as a standalone security priority in 2023.
Attackers, as always, were not far behind efforts to stop them. Alongside the adoption of data security tools and processes, 2023 was a year of data breaches, with billions of sensitive records exposed and millions affected. Take a look at the top three data breaches of 2023, categorized by type of impact, and assess what lies ahead for the dynamic security sector.
Top in Global Impact: MOVEit
In May 2023, a ransomware group known as CL0P (TA505) began exploiting a zero-day vulnerability in MOVEit Transfer, a managed file transfer product from Progress Software. The flaw, CVE-2023-34362, is an SQL injection vulnerability in MOVEit Transfer. Internet-facing MOVEit Transfer web applications were exploited and implanted with a web shell named LEMURLOOT, which was then used to steal data from the underlying MOVEit Transfer databases and internal servers.
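CVE-2023-34362 belongs to the SQL injection bug class, in which untrusted input is spliced into query text and changes the query's structure rather than just its data. The following is an added illustration of that class and its standard fix; it is not MOVEit Transfer code and the in-memory `users` table is a constructed stand-in, not the product's schema.

```python
import sqlite3

# Constructed in-memory database standing in for an application's user table
# (an assumption for illustration; not MOVEit Transfer's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # Untrusted input is pasted straight into the SQL text, so a quote
    # character in 'name' terminates the string literal and the rest of
    # the input becomes SQL syntax: the injection condition.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    # Parameterised query: the driver binds 'name' as a value and it can
    # never be interpreted as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

def demo():
    """Run both lookups against a benign and a constructed hostile input."""
    conn = build_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed textbook payload for the demo
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),   # one row, as intended
        "vuln_hostile": lookup_vulnerable(conn, hostile), # every row leaks
        "safe_hostile": lookup_safe(conn, hostile),       # no row matches
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The defender's takeaway is the contrast between the two functions: the fix is not filtering the input but never letting it reach the SQL parser as syntax, which is what parameter binding guarantees.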
The breach by the numbers:
More than 62 million individuals were impacted.
Over 2,000 organizations were breached.
Approximately 84% of breached organizations are US-based.
Approximately 30% of breached organizations are from the financial sector.
$10 billion is the total cost of the mass hacks so far.
MOVEit's data breach is notable for its scale and the variety of victims affected. It demonstrated how a flaw in a single piece of software can trigger a global data privacy disaster, exposing data from numerous governments and industries, financial information as well as sensitive healthcare data — and the scope continues to widen.
Although Progress Software issued three successive patches to address the vulnerability, the harm was already done. In every month since the attack began, new organizations have reported being breached, including Sony Interactive Entertainment, the BBC, British Airways, the US Department of Energy, and Shell. A growing number of cyber incidents have been linked to the original MOVEit breach as the conduit that exposed credentials and "phishing fertilizer" details.
Top in Amount of Exposed Data: Indian Council of Medical Research (ICMR)
In October 2023, a threat actor using the alias 'pwn0001' posted a thread on Breach Forums offering access to identification and passport details (including names, addresses, and phone numbers) of 81.5 million citizens of India. They backed the claim by providing samples of these documents; hundreds of thousands of confirmed personally identifiable information (PII) records were taken from ICMR's COVID-19 databases.
The breach by the numbers:
81.5 million breached personal records and COVID test details from the New Delhi-based organization.
90GB of data offered for sale for $80,000.
This is considered the most significant data breach in India's history, and attention should be paid to both the amount of data extracted and its sensitivity. The lack of data security processes and protocols governing such a large and strategic database places government agencies and ministries at high risk. Without robust and dedicated data security plans in place, we can anticipate similar breaches leveraging sensitive data for criminal purposes.
Top in Level of Sensitivity: 23andMe
In October 2023, genetic testing company 23andMe reported the detection of unauthorized access. It said the attackers used credential stuffing and scraping of 23andMe's DNA Relatives feature, which users can opt into to share more data with friends and family. According to 23andMe, the hackers were able to guess the login credentials of verified users and gain access to their 23andMe accounts. After obtaining access, the hackers used the DNA Relatives feature to acquire even more information about other users, including names, email addresses, dates of birth, genetic ancestry and history, and more.
The breach by the numbers:
9 million user accounts were compromised — about half of the company's users.
More than 5.5 million customer records were scraped and leaked.
$6 is the average black-market price of a breached account.
Without strong data security hygiene around highly sensitive databases, threat actors can easily gain access using stolen credentials, a method that is gaining traction. 23andMe responded by requiring all customers to use two-step verification, temporarily disabling some DNA Relatives tool features, and advising users to change their login information and enable multifactor authentication.
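Credential stuffing leaves a characteristic trace in authentication logs: a single source trying many different accounts, mostly failing, with the occasional success marking a reused password. The following added example (not 23andMe's tooling) runs that detection over a constructed log sample; the log format, the 10-minute window, and the thresholds are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real data). One source,
# 203.0.113.5, walks through many accounts with mostly failures, which is the
# stuffing signature; 198.51.100.7 is an ordinary user mistyping a password.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=carol result=OK
2023-10-01T12:00:04Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:06Z ip=203.0.113.5 user=frank result=OK
2023-10-01T12:00:07Z ip=198.51.100.7 user=grace result=FAIL
2023-10-01T12:00:09Z ip=198.51.100.7 user=grace result=OK
2023-10-01T13:30:00Z ip=203.0.113.5 user=heidi result=FAIL
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' line (assumed format) into a tuple."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["ip"], kv["user"], kv["result"]

def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that target many distinct accounts within one window
    with a high failure rate. Returns {ip: {"distinct_users", "compromised"}}
    where "compromised" lists accounts that saw a success from that source."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        flagged = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] fits in 'window'.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if flagged is None:
                    flagged = {"distinct_users": 0, "compromised": set()}
                flagged["distinct_users"] = max(flagged["distinct_users"], len(users))
                # Successes inside a stuffing burst are the accounts to reset first.
                flagged["compromised"] |= {u for _, u, r in win if r == "OK"}
        if flagged:
            flagged["compromised"] = sorted(flagged["compromised"])
            alerts[ip] = flagged
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"successful logins on {info['compromised']}")
```

The per-source view is only one signal; real stuffing campaigns spread attempts across many IPs, so the same logic is usually also run per account (several sources failing against one login in a short span) and combined with step-up authentication for logins from unfamiliar devices, which is what mandatory two-step verification achieves.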
Key Insights for Data Security Planning in 2024
Accountability and rebuilding trust with customers are key tenets for organizations that understand the inevitability of attacks as well as their role in preventing damage and disruption. The balance between using data and keeping it secure will continue to be a challenge, especially with the blurred lines around generative AI tools. We will continue seeing the trend of lingering impact attacks and "secondary blasts," with identity-based breaches using techniques such as credential stuffing rising in number and impact.
What Can Be Done?
Numerous levels of risk and varying degrees of data security hygiene permitted these breaches to occur. Quickly taking accountability for the company's sensitive data and reacting to reduce its risk by eliminating unnecessary data, encrypting what remains, and tightening access permissions must be pillars of every organization's post-attack security protocol.
Embracing both "left-of-boom" (pre-attack) and "right-of-boom" (post-attack) responsibility helps organizations become quick to react and reduce impact, provided they have fine-grained visibility into their security controls and access policies. Complete discovery of sensitive data, wherever it resides within the organization, is a core ability that helps companies focus on risk reduction and control their data sprawl.
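Discovery of sensitive data starts with knowing which files in a data store contain PII at all. The following added example (not the author's or any vendor's tool) walks a directory tree and classifies files by simple PII patterns; the patterns, the sample tree, and the file contents are constructed for the demonstration and the regexes are deliberately simple, not a production classifier.

```python
import os
import re
import tempfile
from pathlib import Path

# Simple demonstrator patterns for a few PII categories (assumptions, not a
# production classifier): the passport pattern is a generic letters+digits shape.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\w)\+?\d{1,3}[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "passport": re.compile(r"\b[A-Z]{1,2}\d{7}\b"),
}

def classify_file(path, max_bytes=1_000_000):
    """Return {category: hit_count} for the PII patterns found in a text file."""
    text = Path(path).read_text(errors="ignore")[:max_bytes]
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items() if rx.search(text)}

def scan_tree(root, skip_suffixes=(".png", ".jpg", ".zip")):
    """Walk 'root' and map each file containing PII to its category counts."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(skip_suffixes):
                continue  # binary formats need a dedicated parser, not a regex
            path = os.path.join(dirpath, name)
            hits = classify_file(path)
            if hits:
                findings[Path(path).relative_to(root).as_posix()] = hits
    return findings

def rank_findings(findings):
    """Order files by total PII hits so the riskiest stores are reviewed first."""
    return sorted(((p, sum(h.values())) for p, h in findings.items()),
                  key=lambda item: (-item[1], item[0]))

def build_sample_tree():
    """Create a constructed directory tree: one forgotten export full of PII,
    one harmless note, and one binary that the scanner should skip."""
    root = tempfile.mkdtemp(prefix="discovery-demo-")
    (Path(root) / "exports").mkdir()
    (Path(root) / "exports" / "covid_tests_2021.csv").write_text(
        "name,email,phone,passport\n"
        "Asha Example,asha@example.invalid,+1 555 123 4567,AB1234567\n"
        "Ravi Example,ravi@example.invalid,+1 555 987 6543,CD7654321\n"
    )
    (Path(root) / "README.txt").write_text("Internal notes, nothing sensitive here.\n")
    (Path(root) / "logo.png").write_bytes(b"\x89PNG not really an image")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    findings = scan_tree(root)
    for path, total in rank_findings(findings):
        print(f"{path}: {total} PII hits {findings[path]}")
```

The ranked output is the input to the three actions the text names: an export nobody needs is deleted, one that must stay is encrypted, and its access list is cut to the people who actually use it.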