This year, 2023, it was a hell of a year for data breaches, just like the year before (and the year before that, etc.). Over the past 12 months, we’ve seen hackers ramp up their exploitation of bugs in popular file transfer tools to compromise thousands of organizations, ransomware gangs adopt new offensive tactics aimed at blackmailing their victims, and attackers continue to target organizations that they don’t have resources. such as hospitals, to infiltrate highly sensitive data such as patient healthcare information and insurance information.
In fact, according to October data from the US Department of Health and Human Services (HHS), healthcare breaches it affected more than 88 million people, up 60% from last year. And that’s not even counting the last two months of the year.
We’ve rounded up the most devastating data breaches of 2023. We hope we don’t have to update this list before the year is out…
Fortra GoAnywhere
Just weeks after 2023, hackers exploited a zero-day vulnerability affecting Fortra’s GoAnywhere file transfer software, allowing the mass hacking of more than 130 companies. This vulnerability, tracked as CVE-2023-0669it was known as zero-day because it was actively used before Fortra could release a patch.
Massive hacks exploiting this critical remote injection flaw were quickly claimed by the notorious Clop ransomware and extortion gang, which stole data from more than 130 victim organizations. Among those affected was NationBenefits, a Florida-based technology company that offers supplemental benefits to its more than 20 million members across the United States. Brightline, a virtual guidance and therapy provider for children. Canadian financial giant Investissement Québec. Switzerland-based Hitachi Energy. and the city of Toronto, to name just a few.
As revealed by TechCrunch in March, two months after news of the massive hacks first broke, some victim organizations only learned that data had been breached from their GoAnywhere systems after each received a ransom demand. Fortra, the company that developed the GoAnywhere tool, previously told those organizations that their data was not affected by the incident.
Royal Mail
January was a busy month for cyberattacks, as it also saw UK postal giant Royal Mail confirm it had fallen victim to a ransomware attack.
This cyberattack, first confirmed by Royal Mail on January 17, caused months of disruption, leaving the British postal giant unable to process or deliver letters or parcels to destinations outside the UK. The incident, which was claimed by the Russian-linked LockBit ransomware gang, also saw the theft of sensitive data, which the hacker group posted on its darkly leaked website. This data included technical information, HR and disciplinary personnel records, wage and overtime details, and even a staff member’s vaccination records against COVID-19.
The full scale of the data breach remains unknown.
3CX
The 3CX software-based phone system builder is used by more than 600,000 organizations worldwide with more than 12 million active daily users. But in March, the company was breached by hackers trying to target its downstream customers by installing malware on the 3CX client software while it was in development. This hack was attributed to Labyrinth Chollima, a sub-unit of the infamous Lazarus Group, the North Korean government hacking unit known for stealthy intrusions targeting cryptocurrency exchanges.
To date, it is unknown how many 3CX customers were targeted by this brazen supply chain attack. We do know, however, that another supply chain attack caused the breach. According to Google Cloud-owned Mandiant, attackers breached 3CX through a malware-infected version of X_Trader financial software found on a 3CX employee’s laptop.
Capita
April saw hackers compromise UK outsourcing giant Capita, whose clients include the National Health Service and the UK Department for Work and Pensions. The fallout from this hack lasted for months as more Capita customers learned that sensitive data had been stolen, many weeks after the compromise. The Universities Superannuation Scheme, the UK’s largest private pension provider, was among those affected, confirming in May that the personal details of 470,000 members had likely been accessed.
This was only the first cyber security incident to hit Capita this year. Shortly after Capita’s massive data breach, TechCrunch has learned that the outsourcing giant has left thousands of files, totaling 655 gigabytes, exposed online since 2016.
MOVEit transfer
The mass exploitation of MOVEit Transfer, another popular file transfer tool used by businesses to securely share files, remains the biggest and most damaging breach of 2023. The fallout from this incident — which continues to emerge — started the May when Progress Software disclosed a critical-rated zero-day vulnerability in MOVEit Transfer. This flaw allowed the Clop gang to carry out a second round of mass hacks this year to steal the sensitive data of thousands of MOVEit Transfer customers.
According to the most up-to-date statistics, the MOVEit Transfer breach has so far claimed more than 2,600 victim organizations, with hackers accessing the personal data of nearly 84 million people. This includes the Oregon Department of Transportation (3.5 million records stolen), the Colorado Department of Health Policy and Financing (four million), and US government outsourcing giant Maximus (11 million).
Microsoft
In September, Chinese-backed hackers obtained a highly sensitive Microsoft email signature key, which allowed hackers to sneak into dozens of email inboxes, including those belonging to several federal government agencies. Those hackers, who Microsoft claims belonged to a newly discovered espionage group identified as Storm-0558, leaked unclassified email data from those email accounts, according to US cybersecurity agency CISA.
In an autopsy, Microsoft said it still doesn’t have specifics (or is willing to share) how those attackers first broke in and allowed hackers to steal its skeleton key to access email accounts. The tech giant has since faced significant scrutiny for its handling of the incident, which is believed to be the biggest breach of unclassified government data since the Russian spy campaign that hacked SolarWinds in 2020.
CitrixBleed
And then it was October, and it spawned yet another wave of massive attacks, this time exploiting a critical-rated vulnerability in Citrix NetScaler systems. Security researchers say they have observed attackers exploiting this flaw, now known as “CitrixBleed,” to break into organizations around the world spanning retail, healthcare and manufacturing.
The full impact of these massive hacks continues to unfold. But LockBit, the ransomware gang responsible for the attacks, claims to have put large companies at risk by exploiting the flaw. The CitrixBleed flaw allowed the Russia-linked gang to extract sensitive information, such as session cookies, usernames and passwords, from affected Citrix NetScaler systems, giving hackers deeper access to vulnerable networks. This includes well-known victims such as aerospace giant Boeing, law firm Allen & Overy and Industrial and Commercial Bank of China.
23 and I
In December, DNA testing company 23andMe confirmed that hackers had stolen the ancestry data of half of its customers, about 7 million people. However, that admission came weeks after it was first revealed in October that user and genetic data had been obtained after a hacker posted a portion of the stolen profile and DNA information of 23andMe users on a well-known hacking forum.
23andMe initially said hackers accessed user accounts using stolen user passwords already made public by other data breaches, but later admitted the breach also affected those who opted into its DNA Relatives feature, which matches users with their their genetic relatives.
After revealing the full extent of the data breach, 23andMe changed its terms of service to make it more difficult for victims of the breach to file legal claims against the company. Advocates described some of these changes as “cynical” and “self-serving.” If the breach did one good thing, it’s that it prompted other DNA and genetic testing companies to beef up the security of their user accounts in light of the 23andMe data breach.
