Last year, we gathered a list of the worst data breaches of 2022, looking back at corporate giants’ misbehavior when faced with hacks and breaches. This included everything from downplaying the real-world impact of leaking personal information to failing to answer basic questions.
It turns out that this year, many organizations continue to make the same mistakes. Here’s this year’s dossier on how not to respond to security incidents.
The Electoral Commission hid details of a massive hack for a year, and they are still under wraps
The Electoral Commission, the watchdog responsible for overseeing UK elections, confirmed in August that it had been targeted by “hostile actors” who had access to personal information — including names, email addresses, home addresses, phone numbers and any personal images sent to the Commission — of up to 40 million UK voters.
While it may sound like the Electoral Commission was upfront about the cyberattack and its impact, the incident happened in August 2021 — about two years ago — when hackers first gained access to the Commission’s systems. It took another year for the Commission to catch the hackers in the act. The BBC reported the following month that the watchdog had failed a basic cybersecurity test at the same time hackers broke into the organization. It has not yet been revealed who carried out the hack — or if it is known — or how the Commission was breached.
Samsung won’t say how many customers were affected by a year-long data breach
Samsung has once again made our list of poorly managed breaches. The electronics giant took its standard approach when dealing with questions about a year-long breach of its systems that gave hackers access to the personal data of its UK customers. In a letter sent to affected customers in March, Samsung admitted that attackers exploited a vulnerability in an unnamed third-party business app to gain access to unspecified personal information of customers who shopped at its UK store between July 2019 and June 2020.
In the letter, Samsung admitted it didn’t discover the compromise until more than three years later, in November 2023. When asked by TechCrunch, the tech giant declined to answer further questions about the incident, such as how many customers were affected or how hackers were able to gain access to its internal systems.
Hackers stole Shadow’s data and Shadow fell silent
French cloud gaming provider Shadow is a company living up to its name, as an October breach at the company remains shrouded in mystery. The breach saw attackers conduct an “advanced social engineering attack” against one of Shadow’s employees that allowed access to customers’ personal data, according to an email sent to affected Shadow customers.
However, the full impact of the event remains unknown. TechCrunch obtained a sample of data believed to have been stolen from the company that contained 10,000 unique records, which included private API keys corresponding to customer accounts. When asked by TechCrunch, the company declined to comment and did not say whether it had notified the French data protection regulator, CNIL, of the breach, as required by European law. The company also failed to publicize news of the breach outside of emails sent to affected customers.
Lyca Mobile declined to say what kind of cyberattack hit it
Lyca Mobile, the UK-based mobile virtual network operator, said in October that it had been the target of a cyberattack that caused widespread disruption to millions of its customers. Lyca Mobile later admitted to a data breach in which unnamed hackers accessed “at least some of the personal information maintained on our system.”
Now more than two months have passed and Lyca Mobile has yet to say what data was stolen from its systems (despite storing sensitive personal information such as copies of IDs and financial data) or how many of its 16 million customers were affected by the breach. Despite TechCrunch’s repeated requests, the company also declined to comment on the nature of the incident, even though it had the appearance of ransomware.
MGM Resorts still hasn’t said how many customers had their data stolen after the hack
The MGM Resorts breach is one of the most memorable of 2022. The incident saw hackers linked to a gang known as Scattered Spider compromise the company’s systems and cause weeks of disruption at MGM hotels and casinos in Las Vegas. MGM said the outage would cost the company at least $100 million.
MGM first disclosed that it had been targeted by hackers on September 11. However, it wasn’t until October that the company confirmed in a regulatory filing that hackers had obtained certain personal information belonging to customers who had done business with MGM Resorts prior to March 2019. This includes customer names, contact information, gender, dates of birth, driver’s license numbers, and social security numbers and passport scans for some customers.
Now more than three months have passed and we still don’t know how many MGM customers were affected. MGM representatives have repeatedly declined to answer TechCrunch’s questions about the incident.
Dish breach may affect millions — possibly many more
In February, satellite TV giant Dish confirmed in a public filing that a ransomware attack was responsible for an ongoing outage and warned that hackers had leaked data from its systems that may have included personal customer information. However, Dish has not provided a meaningful update since then, and customers still don’t know if their personal information is at risk.
TechCrunch has learned that despite the company’s silence, the impact of the breach could extend far beyond Dish’s roughly 10 million customers. A former Dish retailer told TechCrunch that Dish keeps a wealth of customer information on its servers, including customer names, dates of birth, email addresses, phone numbers, social security numbers and credit card information. The person said that information is kept indefinitely, even for prospective customers who didn’t pass Dish’s initial credit check.
CommScope was slow to tell its employees that their data had been stolen
TechCrunch heard from CommScope employees who say they were left in the dark about a data breach at the company affecting their personal information. The North Carolina-based company, which designs and manufactures network infrastructure products for a range of clients, was targeted by the Vice Society ransomware gang in April. The data leaked by the gang and reviewed by TechCrunch included the personal data of thousands of CommScope employees, including names, postal addresses, email addresses, social security numbers, passport scans and bank account information.
CommScope declined to answer our questions about the leaked employee data and also failed to respond to those affected. Several employees told TechCrunch at the time that CommScope executives remained tight-lipped about the breach, saying little beyond that there was “no evidence” to suggest employee data was involved.