Data breaches are an unfortunate fact of life in the modern world. One thing that businesses and organizations of all sorts need to prioritize is learning from previous data security mistakes. The new year provides an opportunity to reflect on attack patterns, review security practices, and learn from miscalculations to avoid costly missteps in the future.
In this overview, the focus is on breaches that have happened after mid-July. Information about breaches from the first half of 2022 can be found in the following articles:
- Cybersecurity Roundup: Data Breaches from the First Half of 2022 (Part One)
- Cybersecurity Roundup: Data Breaches from the First Half of 2022 (Part Two)
With that in mind, take a look at the breaches below and see what can be learned to be more secure in 2023!
July
July 20 – Neopets
Neopets announced the breach via Twitter, and urged users to change their passwords after a database was put up for sale online. Affected data included details like name, date of birth, email addresses, and zip codes for 69 million users.
July 25 – Boeing Employees’ Credit Union (BECU)
BECU was alerted on June 6th that a third-party printing vendor “had experienced a network security incident that […] involved unauthorized access to certain data of some members.” The credit union cut ties with the vendor. This breach impacted 344,752 consumers and included social security numbers and credit scores for some members of the credit union. BECU filed notification of the breach on July 25.
Organizations should expect vendors to have the same commitment to cybersecurity as they do and vet them accordingly. Read more about choosing third-party vendors.
August
August 4 – Advanced
After widespread National Health Service (NHS) issues across the United Kingdom, IT vendor Advanced confirmed what it termed a “cybersecurity incident caused by ransomware” in August. The company did not state how many patients may be impacted, or what sort of data had been accessed, though according to TechCrunch, data “pertaining to over a dozen NHS trusts” was exfiltrated.
August 4 – Twilio
Twilio, a company that provides users with the ability to build things such as two-factor authentication into applications, realized their data was breached as part of a sophisticated social engineering attack. This attack was probably perpetrated as part of a larger campaign by “0ktapus.”
August 20 – DESFA
DESFA, a Greek natural gas distributor, suffered a ransomware attack by Ragnar Locker, which ended in files being leaked on the dark web.
August 25 – DoorDash
DoorDash posted a blog on their website stating that, due to a cybersecurity incident with one of their vendors, customer data was accessed including some names, email addresses, delivery addresses and phone numbers, with some customers’ “basic order information and partial payment card information (i.e., the card type and last four digits of the card number)” being accessed. This breach is reportedly connected to the Twilio breach via the unnamed third-party vendor.
August 29 – Nelnet Servicing
2.5 million individuals who took out student loans with Oklahoma Student Loan Authority or EdFinancial were exposed after Nelnet’s systems were breached between June and July.
September
September 2 – Samsung
Samsung announced a breach from late July that revealed some customers’ data, including “name, contact and demographic information, date of birth, and product registration information.”
September 11 – Revolut
Start-up Revolut was targeted by an unauthorized third party that gained access to customer data. Their breach disclosure in Lithuania indicated that 50,150 customers were impacted, potentially exposing partial card payment data, along with names, addresses, email addresses, and phone numbers.
September 15 – Uber
Uber was breached, though customer data did not appear to be accessed, in an attack suspected to have been perpetrated by Lapsus$. While not a sophisticated attack, the fact that a “cyberpunk” could simply buy a password online and cause such havoc shows how vulnerable corporate systems can be.
September 22 – Optus
Telecommunications company Optus experienced a breach that exposed names, dates of birth, phone numbers, email addresses, addresses, and driver’s license or passport numbers. This breach impacted one in three Australians.
October
October 2 – Receivables Performance Management
This debt collection company was breached in April of 2021, but did not notice the attack until over a year later per the Individual Notice Letter provided to various Departments of Justice across the United States. The company began notifying the 3,766,573 consumers whose social security numbers may have been stolen, though the organization claims the information is no longer in the possession of the third parties associated with the breach.
October 4 – The Los Angeles Unified School District (LAUSD)
LAUSD data was released on the dark web after the school district refused to pay ransom. Around 500 gigabytes of data was extracted, which included passport details, Social Security numbers and tax forms, contract and legal documents, and financial reports containing bank account details.
October 27 – Twilio
Twilio announced its second breach of the year. Attackers accessed customer contact information.
October 13 – Medibank Data
On October 12, Australia’s Medibank noticed some odd network activity, which it announced the next day, stating they had no reason to suspect any customer data had been accessed at that time. However, by early November the organization announced that a staggering amount of data had been taken, impacting over 9.7 million individuals.
Information breached included customer and representative “names, addresses, dates of birth, phone numbers, email addresses,” Medicare numbers, some passport details and health claims data (including service provider names, service locations, and codes linked to diagnoses and procedures), and health provider names, numbers, and addresses.
By December 1, customer data was released on the dark web, with the company stating that they “expected the criminal to continue to release files.”
November
November 1 – Dropbox
The file sharing company announced it fell victim to a phishing attack, though they stated that “no content, passwords, or payment information was accessed.”
December
December 2 – Rackspace
Thousands of enterprise cloud computing customers were left without access to their email history when Rackspace underwent a ransomware attack. The organization stated after an investigation that only 27 Hosted Exchange customers’ Personal Storage Tables were accessed by the attacker.
December 22 – LastPass
The saga of password manager LastPass began in August of 2022. On August 25, the company announced they noticed suspicious activity two weeks prior, and that a malicious actor had gained access to a developer environment, stealing source code and proprietary technical information. That technical information was utilized to gain access to third party cloud storage in November. The breach granted attackers access to “certain elements of our customers’ information,” though LastPass asserted that passwords were still encrypted.
A December 22 update stated the attacker gained access to “basic customer account information and related metadata” and customer vault data including “both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”
While the company maintains that it would take “millions of years” to brute force passwords given the encryption (if the customers were following their suggested best practices), it did outline some steps to take if the password was not set to these standards.
Tools like Have I Been Pwned are a good starting place if you are concerned about personal data being compromised.
December 23 – Twitter
Security company Hudson Rock stated that 400,000,000 records were leaked, though the number has been adjusted down to 235,000,000 records as of January 4 with additional verification.
What Does 2023 Look Like for Data Security?
This is not an all-encompassing list; there are simply too many security incidents to log each one. Vendor weaknesses proved a concerning trend in 2022, and events such as the LastPass hack should raise concerns and cause individuals to take a strong look at their password hygiene and individual security posture.
From gaming sites to social media, transportation applications to password managers, the second half of 2022 has been rife with breaches impacting data security. By avoiding repeated mistakes that lead to data breaches, 2023 can be a more secure year for personal and proprietary data.