2023 witnessed a series of impactful data breaches, each leaving a unique mark on cybersecurity. This retrospective dives into these incidents, offering insights and underscoring the evolving challenges in data security.
This article will review the most notable and widely reported data breaches from every month of 2023. We will also look at the trends in cyber-attacks and the forecast for the next year (spoiler alert: it’s going to be hot!).
Key facts of 2023’s data breaches we know so far
The year still has a few weeks to go, but everyone is already busy thinking about the holiday season and next year's plans. Hopefully, malicious actors are also humans and as busy with end-of-the-year errands as possible, leaving businesses some space to breathe and relax, not thinking about cyber-attacks (unlikely, but we all can dream).
KonBriefing Research does a colossal job of collecting information about ransomware and cyber-attacks on businesses worldwide. The data collected so far reveal the scope and impact of these attacks month by month.
Looking at data breach statistics specifically, the total number of accounts breached since 2004 has exceeded 16.5 billion. According to this Surfshark research, a single email address is breached approximately 3 times.
The average cost of a data breach worldwide continues to rise steadily, reaching 4.45 million U.S. dollars in 2023. According to Statista, the healthcare sector has the highest average cost of a data breach.
IBM’s Cost of a Data Breach research revealed that the healthcare industry has been the leading sector in data breach costs for 12 years in a row. In 2022, that sector’s average cost of a data breach was $10.10 million. Notably, the overall global cost of such breaches has increased by 15% over 3 years.
The United States tops the list of countries most affected by data breach costs, with an average total cost of $9.48 million per breach. The Middle East follows with $8.07 million per data breach.
The average cost per breached record rose by 1 U.S. dollar in 2023, reaching $165 per record compared to last year’s average.
The same IBM research suggests that, on average, companies that have deployed AI and automation solutions save $1.76 million per breach compared to organizations that don’t apply similar measures to mitigate data breach risks.
Organizations that don’t follow compliance requirements tend to pay a 12.6% higher average cost than companies with a high level of compliance.
Verizon’s 2023 Data Breach Investigations Report revealed that financially motivated external actors were behind 83% of breaches. Human error, the most common factor behind successful cyber-attacks, remained consistent in 2023, with a human element present in 74% of breaches.
Verizon research also listed system intrusion as the most popular pattern of breaches. Basic web application attacks, social engineering, miscellaneous errors, privilege misuse, and lost and stolen assets follow it.
Let’s dive into the latest data breach news of 2023. This overview is based on publicly available information about data breaches and is subject to change as new findings are revealed over time.
MailChimp data breach
MailChimp, an Intuit-owned email marketing platform, suffered a data breach. The breach occurred on January 11, 2023, when an unauthorized actor accessed Mailchimp’s tools used by teams interacting with customers.
The actor gained access to a tool used for internal customer service and account management, compromising the data of 133 customers.
The breach was executed through a social engineering attack on MailChimp employees and contractors, enabling attackers to obtain employee credentials.
The incident was first detected when MailChimp noticed an unauthorized person accessing its support tools on January 11. MailChimp temporarily suspended access for accounts showing suspicious activity to protect users' data.
MailChimp notified the primary contacts for all affected accounts on January 12, less than 24 hours after the initial discovery.
MailChimp assured that no credit card or password information was compromised in this incident.
One of the notable customers affected by this breach was WooCommerce, a popular eCommerce plugin for WordPress. WooCommerce informed its customers that the breach exposed their names, store URLs, and email addresses.
Although there was no indication that the stolen data had been misused, it remained a concern: such data could be used for targeted phishing attacks to steal credentials or install malware.
Activision data breach
Activision, a video game publisher known for games like Call of Duty and World of Warcraft, experienced a data breach in early December 2022, which surfaced only in February 2023.
Attackers gained access to the company's internal systems through an SMS phishing attack on an employee. Reportedly, the targeted employee belonged to the Human Resources department and had access to a significant amount of sensitive employee information.
Bad actors were able to obtain sensitive employee information, such as full names, email addresses, phone numbers, and financial data like salaries, work locations, and more. The compromised data also included details about upcoming content for the Call of Duty Modern Warfare II franchise.
The breach was not publicly or internally disclosed until screenshots of the stolen data, including the schedule of planned content for Call of Duty, were shared by the cybersecurity and malware research group vx-underground several months after the incident.
Activision's response to the breach involved swiftly addressing the SMS phishing attempt and conducting a thorough investigation.
The company initially asserted that no sensitive employee data, game code, or player data was accessed. However, the evidence provided by vx-underground and 'Insider Gaming' contradicted this claim, showing that sensitive workplace documents and employee information had indeed been exfiltrated.
This delay in notification raised questions about whether Activision complied with data breach notification laws. This is particularly relevant as California, where Activision is headquartered, has specific laws requiring companies to notify victims of data breaches when a significant number of state residents are affected.
ChatGPT data breach
In March 2023, ChatGPT, an AI-driven chatbot developed by OpenAI, experienced a significant data breach.
The data breach was caused by a bug in the Redis open-source library, which led to the exposure of other users' personal information and chat titles. This bug allowed certain users to view brief descriptions of other users' conversations from the chat history sidebar.
The breach wasn’t directly caused by a threat actor but resulted from a vulnerability in the Redis open-source library. The vulnerability was inadvertently triggered by a server-side change introduced by OpenAI, which led to a surge in request cancellations and an increased error rate.
The breach potentially revealed information about 1.2% of ChatGPT Plus subscribers. It included the affected user's first and last name, email address, payment address, the last four digits of a credit card number, and the card’s expiration date. However, OpenAI emphasized that full credit card numbers were not exposed.
The first message of a newly-created conversation might have been visible in someone else's chat history if both users were active around the same time. Additionally, viewing other users' chat history and conversation titles was possible.
OpenAI promptly addressed the bug soon after its discovery and temporarily shut down the ChatGPT service to manage the issue. The company announced a bug bounty program in April to help detect future issues and prevent similar incidents.
The incident highlighted the potential risks for chatbots and AI technologies and the importance of robust security measures, especially when using open-source libraries.
Shields Healthcare Group data breach
Shields Healthcare Group is a Massachusetts-based medical services provider. It specializes in MRI and PET/CT diagnostic imaging, radiation oncology, and ambulatory surgical services. In 2023, the company experienced a significant data breach.
The data breach involved unauthorized access to Shields’ systems. The breach was detected when suspicious activity suggesting a data compromise was observed.
The exact method used by the attackers to gain access is unclear, but possibilities include exploiting a weakness in network software or using a phishing attack to compromise an employee account.
The attackers accessed a wide range of sensitive patient information and confidential data. This included full names, Social Security numbers, dates of birth, home addresses, provider information, diagnoses, billing information, health insurance information, medical record numbers, patient IDs, and other medical or treatment information.
Approximately 2.3 million people were affected by this breach. Shields’ business model, which involves partnerships with hospitals and medical centers, meant the breach had far-reaching consequences, impacting 56 facilities and their patients.
Upon discovering the breach, the healthcare provider took immediate steps to contain the incident. They initiated a thorough investigation with the help of third-party forensic specialists. They secured their systems, including rebuilding certain systems, to prevent further unauthorized access.
Shields has continued reviewing the potentially impacted information and notifying individuals and regulators. Additionally, they have committed to enhancing their data security measures and protections.
MOVEit data breach
MOVEit Transfer software, a file transfer tool developed by Progress Software, transfers large amounts of often-sensitive data over the internet. It's employed by organizations worldwide to manage file transfers, including pension information, social security numbers, medical records, and billing data. The MOVEit data breach of May 2023 was a significant cybersecurity incident.
The breach involved a zero-day vulnerability in MOVEit Transfer. This critical-rated vulnerability allowed attackers, in particular the cl0p ransomware and extortion gang, to raid MOVEit Transfer servers and steal the sensitive customer data stored within.
The attackers, identified as the cl0p group, began exploiting the MOVEit vulnerability around May 27, 2023. Progress Software became aware of the compromise the next day, after a customer noticed strange activity.
As of August 2023, over 1,000 victim organizations and more than 60 million individuals were impacted by this high-profile data breach.
Victims ranged from New York public school students to Louisiana drivers to California retirees, indicating the vast variety of data compromised. Other significant victims included the French government’s unemployment agency, Pôle emploi, multiple federal agencies, and U.S. state departments.
Approximately one-third of hosts running vulnerable MOVEit servers belonged to financial service-related organizations, with significant percentages in the healthcare, IT, government, and military sectors.
The estimated total cost of the MOVEit mass-attacks so far is about $9.9 billion, based on the average cost of data breaches and the number of individuals affected. This figure could potentially scale to at least $65 billion.
Progress Software acknowledged the cyber-attack and focused on supporting its customers. They issued a patch to fix the vulnerability and alerted users to the issue.
Not all organizations could deploy the patch in time, resulting in varying levels of data compromise. The breach is notable for its scale and the variety of victims affected, demonstrating how a flaw in a single piece of software can trigger a global privacy disaster.
JumpCloud data breach
JumpCloud, an identity and access management firm, experienced a data breach incident in June 2023. The company offers a directory platform that enables enterprises to authenticate, authorize, and manage users and devices.
The breach was the result of a sophisticated nation-state actor's intrusion. The attackers gained access to JumpCloud’s systems to target a small and specific set of customer accounts. The attack vector was a data injection into the commands framework, and it was highly targeted.
The exact number of affected customers and the types of organizations targeted have not been disclosed. However, JumpCloud provides its software to more than 180,000 organizations and counts over 5,000 paying customers, indicating a potentially large impact.
The initial attack was traced back to a spear-phishing campaign initiated on June 22, 2023. The adversaries leveraged domains such as nomadpkg[.]com and nomadpkgs[.]com, likely related to a Go-based workload orchestrator used to deploy and manage containers.
The extent of the damage and the specific details about the customers impacted have not been fully disclosed, but the breach highlights the importance of robust cybersecurity measures against sophisticated and persistent nation-state actors.
JumpCloud reset customers' API keys as a precaution. The company took security steps to shield its network, rotating credentials and rebuilding systems. After detecting unusual activity, JumpCloud forced the rotation of all admin API keys and started notifying affected customers.
The company has published a list of indicators of compromise (IoCs) to help other organizations identify similar attacks and is enhancing its own security measures.
Indonesian Immigration Directorate General data breach
The Indonesian Immigration Directorate General is responsible for managing immigration-related matters in Indonesia, including issuing and managing passports. In July of 2023, the institution fell victim to a major data breach.
The data breach involved the unauthorized access and leakage of passport data of more than 34 million Indonesian citizens. The leaked data included the full names, passport numbers, expiry dates, dates of birth, and genders of the passport holders.
The breached data of 34.9 million Indonesian passport holders was offered for sale for $10,000. A sample of the stolen data was also made available on a hacker platform, showcasing passport data from 2009 to 2020. The data is considered valid based on the given sample.
The leaked data potentially included National Identity Community Identity Card (NIKIM) information, a digital identity used to secure electronic passports containing personal data such as names, addresses, and identity numbers.
The specifics of how the breach was carried out were not detailed in the available sources. However, the data was reportedly leaked and sold on the bjork.ai website, indicating a deliberate hacking incident rather than an accidental exposure.
The ministry noted differences in the data structure between the breached data and the data in the national data center, indicating ongoing investigations to understand the extent and nature of the breach.
The available sources did not fully detail the outcome of the investigation and the broader impact of the breach. However, the breach underscores the importance of robust cybersecurity measures for government databases, particularly those containing sensitive personal information like passport details.
UK Electoral Commission data breach
The Electoral Commission, an independent body overseeing elections and regulating political finance in the UK, disclosed in August 2023 that it had fallen victim to hostile actors. This complex cyber-attack involved unauthorized access to internal emails, control systems, and copies of electoral registers, which contain voter data.
A malicious actor gained access to the Electoral Commission's systems in August 2021, but the breach was only identified in October 2022 after suspicious activity was detected.
The accessed registers held the names and addresses of UK voters registered between 2014 and 2022, including those registered as overseas voters. Notably, the details of anonymous voters were not included in these registers.
Predicting the exact number of people impacted is challenging, but it's estimated that the register for each year includes details of about 40 million individuals.
While the full extent of the damage is not conclusively known, the Electoral Commission acknowledged that they could not determine exactly what files may have been accessed.
The attack is considered sophisticated, with the hostile actors attempting to use software to evade the Commission’s security systems.
In response to the breach, the Electoral Commission collaborated with the National Cyber Security Centre (NCSC), law enforcement officials, and external experts to investigate and secure its systems. Subsequently, they have made improvements to the security of their IT systems.
The outcome of this breach reiterates the vulnerability of democratic institutions to cyber threats. It emphasizes the importance of robust cybersecurity measures, especially for bodies involved in the electoral process.
T-Mobile data breach
In September 2023, T-Mobile, one of the largest mobile carriers in the United States, experienced a significant data breach. This incident is part of a series of security lapses that have affected the company in recent years.
The breach in September 2023 involved two separate security incidents:
Employee data exposure: on September 21, 2023, 89 gigabytes of data primarily related to T-Mobile employees, including email addresses and partial Social Security Numbers, were posted on a hacker forum.
This data was tied to an earlier breach in April of Connectivity Source, a T-Mobile retailer. T-Mobile itself denied being directly hacked as part of this incident, indicating the breach occurred at a third-party service provider. The exposed employee confidential data could pose risks of identity theft or fraud.
Customer data exposure: the second data breach occurred later in September when a system error in the T-Mobile app exposed customer payment data of fewer than 100 customers. Users of the app inadvertently accessed other customers' personal information, including phone numbers and billing addresses. T-Mobile attributed this to a glitch related to a technology update.
The glitch in the T-Mobile app exposed the personal information of several customers, including names, phone numbers, physical addresses, account balances, and partial credit card details.
Though the company initially claimed the breach affected fewer than 100 individuals, later reports suggested the personal information of millions could have been exposed. However, the company has not released the exact number of T-Mobile customers affected.
The September 2023 T-Mobile data breach underscores the ongoing cybersecurity challenges faced by large corporations, especially in sectors handling vast amounts of personal data. This incident, stemming from a system glitch rather than a direct hack, reveals the multifaceted nature of data security threats. It also emphasizes the importance of robust and continuously updated security measures to protect against both external attacks and internal vulnerabilities.
23andMe data breach
23andMe is a genetics testing company that offers DNA testing services to help users learn more about their ancestry. Users can discover their ethnic backgrounds and connect with relatives through shared DNA. Its data breach in October 2023 was a significant event, revealing vulnerabilities in the protection of sensitive genetic and personal information.
The breach involved unauthorized access to the "DNA Relatives" feature of 23andMe, where users can share personal data, including ancestry reports and matching DNA segments, with other users globally.
The breach exposed personal information, including display names, birth years, sex, and details about genetic ancestry results. Initially, data of one million users of Ashkenazi Jewish descent and another 100,000 users of Chinese descent were claimed to be stolen. This later expanded to include records of four million more general accounts. However, genetic data itself was not included in the breach.
Bad actors likely used a technique called credential stuffing, in which attackers try username and password combinations leaked in previous data breaches on other websites, hoping that people have reused their passwords.
23andMe responded by requiring all customers to utilize email two-step verification (2SV), temporarily disabling some features within the DNA Relatives tool for added security, and advising users to change their login information and enable multi-factor authentication.
The company launched an investigation with third-party forensic experts. 23andMe also emphasized its commitment to security, highlighting its ISO certifications and the continuous monitoring and auditing of the company’s systems. It assured customers that it would notify them directly if their data were accessed without authorization.
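The credential-stuffing pattern described above leaves a recognisable trace in authentication logs: one source attempting many different accounts with a high failure rate, rather than one account many times. The following added example (not code from 23andMe or from the original article) runs that heuristic over a constructed log sample; the log format, thresholds and IP addresses are assumptions for the demonstration.

```python
"""Heuristic detection of credential stuffing in authentication logs.

Credential stuffing shows up as one source trying many *different* usernames,
mostly failing, because the attacker replays leaked email/password pairs.
A forgotten password or a classic brute force instead hits one account
repeatedly. Thresholds below are assumed defaults, not published figures.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not from any real system); IPs are from the
# documentation ranges reserved for examples.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.7 user=dave@example.com result=OK
2023-10-01T12:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2023-10-01T12:00:09Z ip=198.51.100.4 user=grace@example.com result=FAIL
2023-10-01T12:00:15Z ip=198.51.100.4 user=grace@example.com result=FAIL
2023-10-01T12:00:20Z ip=198.51.100.4 user=grace@example.com result=OK
2023-10-01T12:01:00Z ip=192.0.2.9 user=heidi@example.com result=OK
"""

# Assumed log format: one event per line with ip=, user= and result= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # accounts that logged in OK


def parse_log(text):
    """Yield (ip, user, ok) tuples; malformed lines are skipped, not guessed."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def aggregate(events):
    """Collect per-source counters: attempts, failures, distinct users."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
    return stats


def detect_stuffing(text, min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: [accounts that authenticated OK from a stuffing source]}.

    A source is flagged when it touched many distinct accounts and most of
    its attempts failed. The accounts that *succeeded* from such a source are
    the ones whose reused passwords worked and need a reset plus MFA.
    """
    flagged = {}
    for ip, s in aggregate(parse_log(text)).items():
        many_accounts = len(s.users) >= min_distinct_users
        mostly_failing = s.failures / s.attempts >= min_fail_ratio
        if many_accounts and mostly_failing:
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for ip, hits in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing; accounts to reset and enrol in MFA: {hits}")
```

In the sample, 203.0.113.7 is flagged because it tried six accounts with five failures, while 198.51.100.4 (three attempts on one account) is not, which is the distinction that separates stuffing from a user retrying a forgotten password.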
Idaho National Laboratory (INL) data breach
The Idaho National Laboratory (INL), part of the U.S. Department of Energy, suffered one of the most recent data breaches in November 2023. INL is one of the country's premier advanced nuclear energy testing labs. Its work includes research and development in nuclear and non-nuclear energy sources, national security, and related fields.
The breach involved the compromise of INL's Oracle Human Capital Management servers, which are used for human resources applications. It was executed by the SiegedSec hacking group. The attackers managed to access "hundreds of thousands of user, employee, and citizen data."
The leaked data included sensitive personal information like Social Security numbers, bank account and routing numbers, health care details, marital status, and account types. This data related to current, former, and retired employees of the laboratory.
The attackers targeted a federally approved third-party vendor system outside INL that supports the lab's cloud-based human resources services.
INL took swift action to bolster employee data protection following the breach. They also communicated with federal law enforcement agencies, including the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, to investigate the breach's impact.
The investigation into the breach is ongoing. INL is working with federal law enforcement to fully grasp the extent of the impacted data and implement measures to prevent similar security incidents.
EasyPark data breach
EasyPark confirmed on its website that it experienced a cyberattack leading to a data breach, discovered on December 10, 2023. EasyPark develops parking applications for locating and booking parking spaces and finding EV charging stations, used in 20 countries and more than 4,000 cities across the world.
The breach involved non-sensitive customer data like names, contact details, and partial numbers of credit/debit cards.
Although the exact number of accounts leaked is unknown, it could plausibly extend to millions. The EasyPark app used in the European market has over 10M downloads, while RingGo and ParkMobile, the applications aimed at the UK and US markets, have 5M downloads each.
The company took swift measures to halt the attack and maintained service operations. The security team at EasyPark is actively implementing enhanced security and privacy measures. These steps are focused on ensuring that any negative impacts from the recent incident are fully mitigated and contained.
EasyPark emphasizes that this stolen data cannot be used to make payments and advises caution against phishing attempts.
It’s not the first time this company has dealt with a data breach. In 2021, EasyPark was attacked and suffered a massive data breach that affected millions of users.
Due to the recency of the events, the full scale and impact of the attack are unknown, and the breach methods have not been publicly disclosed.
What to expect in 2024?
The latest data breaches served as stark reminders of the dynamic and relentless nature of cyber threats aimed at sensitive data. They reinforced the need for businesses and organizations across all sectors to prioritize and continuously update their cybersecurity measures, protecting their data and their stakeholders' trust.
To prevent a potential data leak or breach, think two steps ahead and implement a robust cybersecurity strategy that protects sensitive data and avoids the reputational and financial consequences that follow a breach.
Comprehensive network access security solutions like NordLayer provide organizations with industry-standard security frameworks and models such as Security Service Edge (SSE) and Zero Trust Network Access (ZTNA). Choose simple and effective security by design and protect your network and teams in all ways of working.