Data Breach Report: The 2023 Review

Data breaches have steadily increased over recent years, and unfortunately, there’s no sign of this trend diminishing. The past year has witnessed numerous instances of confidential information being compromised. From small startups to large corporations across various industries, no one seems immune, leading to substantial financial losses for US enterprises.

Take, for example, the highly publicized T-Mobile breach from the previous year. In 2022 alone, it set the company back by $350 million, solely in compensation to affected customers. This escalating threat underscores the pressing need for businesses to fortify their digital defenses, emphasize robust password practices among staff, and educate their teams to recognize and thwart phishing attempts.

Here, we present a chronicle of notable data breaches (along with a few significant data leaks) that have transpired since January 1, 2022, listed by the date they first made headlines.

Data Breaches in October 2023

October 11 Air Europa Data Breach: Spain’s airline, Air Europa, has alerted its patrons to immediately cancel their credit cards. This comes after cyber attackers successfully infiltrated their systems, gaining access to financial details. The compromised data includes card numbers, expiration dates, and the 3-digit CVV codes. Air Europa has informed the necessary authorities, including banks, and assures that their systems are now secure and fully functional.

October 6 23andMe Data Breach: The biotech firm, 23andMe, recently faced a data breach where customer accounts were compromised through a credential-stuffing attack. The stolen data encompasses genetic information, potentially revealing names, email addresses, birth dates, and genetic ancestry details. There’s speculation that the cybercriminals were specifically searching for data related to individuals of Ashkenazi Jewish and Chinese heritage.

Data Breaches in September 2023

September 27 Hunter Biden Data Breach Lawsuit: Hunter Biden, son of US President Joe Biden, has initiated a lawsuit against Rudy Giuliani and his attorney, Robert Costello. The suit alleges that they accessed and disseminated his personal data after procuring his laptop from a computer repair outlet. The legal action accuses Giuliani and his team of causing a “total annihilation” of Hunter Biden’s privacy.

September 25 SONY Data Breach: Global tech giant SONY has reportedly fallen victim to the ransomware group, Ransomware.vc. The group claims they’ll auction off the stolen data, given SONY’s refusal to meet their ransom demands. The cybercriminals claim to have extracted over 6,000 files, including build logs and Java files.

September 25 Ontario Birth Registry Breach: The birth registry of Ontario has confirmed a security breach. Approximately 3.4 million individuals who sought prenatal care over the past decade have had their data accessed. It’s believed that the health records of over two million infants born during this span are exposed. This breach is among the recent attacks exploiting the known vulnerability in the MOVEit file transfer tool.

September 5 Topgolf Callaway Data Breach: US-based golf equipment manufacturer, Topgolf Callaway, has reported a significant data breach impacting over a million customers. Affected individuals received email alerts this week. The compromised data encompasses full names, shipping addresses, email IDs, phone numbers, account passwords, and security question responses.

September 4 Freecycle Data Breach: Freecycle, a nonprofit organization, has experienced a breach affecting seven million of its users. By the time the breach was detected, the stolen data had already surfaced on hacker forums. The breach led to the exposure of user IDs and email addresses. Freecycle has since urged its members to promptly reset their passwords.

Data Breaches in August 2023

August 31 Forever 21 Data Breach: Fashion giant Forever 21 has disclosed a breach affecting 500,000 of its customers earlier this year. The compromised data includes names, birth dates, bank details, and Social Security numbers. While Forever 21 assures that the unauthorized party no longer has access, the specifics of this resolution remain ambiguous.

August 23 Duolingo Data Breach: Information of 2.6 million Duolingo users has surfaced on BreachForums. The exposed data encompasses names, email IDs, phone numbers, social media profiles, and the languages users were learning at the time of the breach.

August 14 Discord.io Data Breach: Discord.io, a service aiding in creating custom links for Discord channels, has reported a breach. An estimated 760,000 users are believed to be affected, with data like passwords, usernames, Discord IDs, and billing addresses potentially compromised. It’s crucial to note that Discord.io operates independently of Discord Inc. The service appears to have ceased operations post-breach.

August 11 IBM MOVEit Data Breach: A vulnerability in the MOVEit transfer software has led to a breach affecting 4.1 million patients in Colorado. Their sensitive healthcare data was compromised in systems overseen by tech giant IBM.

August 8 Police Service of Northern Ireland Data Breach: In a significant oversight, data of every active police officer in Northern Ireland was inadvertently exposed. This mishap occurred while responding to a Freedom of Information request, leading to the leak of surnames, initials, ranks, work locations, and departments of all police personnel.

Missouri Medicaid Data Breach: Medicaid recipients in Missouri have faced a data breach, with their health details being stolen. This breach, like several recent ones, exploited the MOVEit transfer software vulnerability. The stolen data may consist of names, birth dates, potential benefit statuses, and medical claim details.

Data Breaches in July 2023

July 27 Maximus Data Breach: US-based government contractor, Maximus, has reported a significant data breach. The familiar MOVEit transfer vulnerability was the hackers’ entry point, compromising health data of “at least 8 to 11 million” US residents, as mentioned in their 8-K filing. Maximus anticipates a comprehensive review of the breach to span “several more weeks.”

July 24 Norwegian Government Breach: A zero-day flaw in a third-party IT system allowed hackers to infiltrate Norway’s government infrastructure. In a preventive measure, the nation’s authorities have suspended email and mobile services for their government staff. While the culprits remain unidentified, the exploited vulnerability has been addressed, as confirmed by the Norwegian Government.

July 21 Roblox Data Breach: A data leak has exposed personal details of nearly 4,000 members from Roblox’s developer community. The leaked data, which includes phone numbers, email IDs, and birth dates, pertains to attendees of Roblox developer conferences held between 2017 and 2020. It’s believed that this data was initially extracted from Roblox’s systems back in 2021.

July 20 PokerStars Data Breach: PokerStars, the globe’s premier online poker platform, has faced a data breach affecting 110,000 of its users. The Cl0p ransomware group, exploiting a MOVEit zero-day vulnerability, accessed the platform’s systems. Post-incident, PokerStars has confirmed discontinuation of the MOVEit transfer tool. The compromised data includes social security numbers, names, and residential addresses.

Data Breaches in May 2023

May 23 Apria Healthcare Data Breach: Apria Healthcare, a prominent US healthcare firm, has informed nearly 1.9 million clients about a potential data exposure, as highlighted by The Register. Intriguingly, the unauthorized access on “select Apria systems” took place in 2019 and again in 2021. The reasons for the delayed public disclosure remain a mystery.

May 19 Suzuki Data Breach: Suzuki, the renowned car manufacturer, faced operational disruptions at an Indian plant due to a cyberattack. As per Autocar’s insights, “production has been on hold since May 10, leading to an estimated production loss of over 20,000 vehicles.” Suzuki has yet to publicly identify the culprits.

May 16 PharMerica Data Breach: PharMerica, a US pharmaceutical titan overseeing 2,500 facilities nationwide, disclosed a breach by an unidentified entity in March. This breach compromised data of 5.8 million individuals, both living and deceased. The stolen data from the Kentucky-based health provider includes social security numbers, birth dates, names, and health insurance details.

May 12 US Government Data Breach: A breach at the Department of Transport has reportedly exposed personal details of 237,000 US government staff. Reuters indicates that the compromised system typically processes “TRANServe transit benefits” – essentially, transportation expenses claimable by government employees. The Department of Transport assured Congress that the breach was confined to specific administrative systems, leaving transportation safety systems unaffected.

May 12 Discord Data Breach: Discord, the popular messaging and video chat platform, alerted users about a potential data exposure. This breach occurred when a malevolent actor accessed the platform through “a third-party customer service agent.” Discord has conveyed that user email addresses, customer service inquiries, and any documents shared with Discord might have been compromised. The affected customer service agent’s account has since been secured, and Discord is ensuring no lingering threats persist.

May 1 T-Mobile Data Breach: T-Mobile has once again fallen victim to a data breach, this time impacting approximately 800 customers. Recent revelations suggest that customer contact details, ID cards, and/or social security numbers were extracted from PIN-protected accounts. A notification letter by T-Mobile, shared by Bleeping Computer, provides a comprehensive overview of the accessed data. Regrettably, this marks T-Mobile’s second breach this year, with the first in January affecting 37 million users. Previous breaches also occurred in December 2021 and November 2022.

Data Breaches in April 2023

April 10 Pizza Hut/KFC Data Breach: Yum! Brands, the parent company of popular fast-food chains Pizza Hut, KFC, and Taco Bell, has notified several individuals about a data exposure stemming from a ransomware attack in January. The conglomerate verified the theft of names, driver’s licenses, and ID card details. An ongoing probe aims to determine if the stolen data has been misused for fraudulent activities.

April 6 MSI Data Breach/Ransomware Attack: Micro-Star International, a renowned computer vendor, has fallen victim to a data breach. The emerging ransomware group, Money Message, has taken credit for this intrusion. They claim to have extracted 1.5TB of data from the Taiwanese firm’s systems and demand a hefty $4 million ransom. Failure to comply, they warn, will result in the public release of the stolen data. A conversation shared by Bleeping Computer reveals a ransomware group member telling an MSI representative, “Inform your manager that we possess MSI’s source code, including the framework for BIOS development. We also have private keys to sign any custom BIOS module and install it on PCs with this BIOS.”

April 3 Western Digital Data Breach: Storage giant Western Digital has announced a data breach, though the full extent remains uncertain. The company confirmed unauthorized access to ‘a number’ of their cloud systems. Following the breach disclosure, several Western Digital product users reported issues accessing their devices’ cloud functionalities. Western Digital’s official statement emphasizes their active efforts to restore the affected infrastructure and services, with further updates anticipated.


Data Breaches in March 2023

March 24 ChatGPT Data Leak: A bug in an open-source library used by ChatGPT inadvertently exposed customer data, encompassing some credit card details and chat titles. OpenAI clarified, “Before ChatGPT was taken offline, some users could view another user’s personal details, including names, email addresses, payment addresses, and partial credit card information. Full credit card numbers remained secure.”

March 9 US House of Representatives Data Breach: A healthcare provider in Washington DC, responsible for safeguarding data of numerous federal legislators and their families, experienced a breach. The compromised data, affecting potentially 170,000 individuals, is now up for sale online. However, the FBI is believed to have procured it for investigative purposes.

Data Breaches in February 2023

February 21 Activision Data Breach: Activision, the creators of Call of Duty, disclosed a data breach that led to the theft of sensitive employee data and content schedules. The breach, which took place in early December 2022, was only recently made public. Reports indicate that a phishing attack secured an employee’s credentials, which were then used for unauthorized access.

February 15 Atlassian Data Breach: Atlassian, an Australian software firm, reportedly faced a significant data breach. The hacking group “SiegedSec” claims responsibility, stating they accessed staff data and office floor plans. The group announced their feat, saying, “Atlassian, valued at $44 billion, has been compromised by us.” Atlassian initially pointed fingers at software company Envoy but later admitted that an employee had inadvertently posted credentials publicly.

February 10 Reddit Data Breach: Reddit confirmed a breach on February 5. Reddit CTO, Christopher Slowe, stated that an attacker accessed internal documents, code, and some business systems after obtaining an employee’s credentials. While primary production systems remain unaffected, limited contact information for company contacts, employees, and advertisers was accessed.

February 8 Optus Data Breach Extortion Attempt: A Sydney resident faced legal consequences for attempting to extort Optus customers using data from a recent breach. The individual threatened 92 people via SMS, demanding a payment of AU$ 2000 to prevent the sale of their data to hackers.

Weee! Data Breach: Weee!, an Asian and Hispanic food delivery service, reported a breach affecting 1.1 million customers. While some data appeared on the Breached hacking forum, Weee! assured that no payment data was exposed.

February 6 Sharp HealthCare Data Breach: Sharp HealthCare, San Diego’s leading healthcare provider, informed 62,777 patients about a data exposure during a recent website attack. Although financial data remained secure, personal and health records were compromised.

Data Breaches in January 2023

January 30 JD Sports Data Breach: JD Sports, the parent company of several fashion brands, reported a breach potentially affecting 10 million individuals. JD Sports CFO, Neil Greenhalgh, advised customers to remain vigilant against scams and provided guidance on reporting suspicious activities.

January 19 T-Mobile Data Breach: T-Mobile disclosed another breach, impacting approximately 37 million customers. Despite discovering the breach on January 5th, the intrusion dates back to late November 2022. This incident marks another in a series of breaches for T-Mobile, raising concerns about their security measures.

January 18 MailChimp Breach: MailChimp faced another breach, a mere six months after its last. The company identified a social engineering attack as the cause, compromising 133 MailChimp accounts. This breach mirrors a previous one, casting doubts on MailChimp’s security measures.

PayPal Data Breach: PayPal informed customers of a breach on December 20, 2022, where unauthorized parties accessed accounts using stolen credentials. PayPal emphasized the absence of evidence suggesting misuse of the accessed data.

January 6 Chick-fil-A Data Breach: Chick-fil-A is probing “suspicious activity” linked to specific customer accounts. The company has provided guidance for customers noticing unusual account activities.

January 4 Twitter Data Breach: Data of Twitter users, continuously traded on the dark web throughout 2022, remains a concern in 2023. A database containing email addresses of roughly 200 million Twitter users is currently available on the dark web for a mere $2. Despite rectifying the flaw responsible for this leak in January 2022, the data continues to circulate among threat actors.

Conclusion

Throughout 2023, the digital realm witnessed a surge in data breaches, affecting entities ranging from tech giants to government bodies. These incidents underscore the ever-evolving challenges of cybersecurity and the paramount importance of robust digital defenses. As technology continues to advance, so do the tactics of cybercriminals. Organizations, regardless of size or sector, must prioritize data protection, continuously update their security protocols, and educate their workforce to safeguard against potential threats. The events of this year serve as a stark reminder: in the digital age, vigilance is not just recommended; it’s essential.
