We are only three months into 2023, but the number of data breach incidents remains as high as (if not higher than) last year's. What is more concerning is that these incidents are not only occurring frequently but are also hitting higher-profile targets, including T-Mobile, Atlassian, Reddit, and even the US House of Representatives.
The most worrying aspect of all this is how these cyberattacks succeeded against such high-profile targets despite the supposedly high level of security these organizations employ. To understand how the attacks were carried out, we take a closer look at each of these breaches and what can be learned from them.
It was revealed on January 4, only a few days into the New Year, that Twitter users' data had been bought and sold on the dark web throughout 2022. According to recent reports, a collection of email addresses belonging to around 200 million Twitter users is being sold on the dark web for as little as $2. Even though the flaw that led to this leak was fixed that month, the leaks continue.
On January 6, fast food chain Chick-fil-A disclosed that it was looking into “suspicious activity” linked to a select number of customer accounts. The company has published information on what customers should do if they notice suspicious activity on their accounts, and advised such customers to remove any stored payment methods on the account.
On January 18, MailChimp found that an unauthorized individual had gained access to its systems and to 133 accounts through a social engineering attack. This was not the first time MailChimp had experienced a cybersecurity breach; its previous cyberattack was just six months earlier. Because of these attacks, serious doubts have been cast on MailChimp's cybersecurity infrastructure, and to date the company has yet to disclose what it has done to improve its security and allay those fears.
Also on January 18, PayPal sent a letter to its customers belatedly revealing that on December 20, 2022, "unauthorized parties" had accessed PayPal customer accounts using stolen login credentials. While the company admitted it had no information on possible misuse of the data in those accounts, it found no evidence that the credentials themselves had been stolen from PayPal's systems.
A day later, T-Mobile announced that on January 5 it had been hit by a data breach in which hackers gained access to the data of around 37 million postpaid and prepaid customers. This came just two months after a high-profile cyberattack that affected 76 million customers. In the wake of that earlier attack, the mobile giant claimed to have spent $150 million upgrading its cybersecurity infrastructure, but the new attack has cast doubt on that claim, especially as the same cybercriminals who launched the November 2022 attack are surmised to be behind the January 2023 attack.
It was revealed on January 30 that as many as 10 million people may have had their personal information accessed by hackers in a data breach that hit fashion retailer JD Sports. The company has advised its customers to be vigilant about potential scam emails, calls, and texts, and has provided details on how to report them.
Sharp HealthCare, the largest healthcare provider in San Diego, California, notified 62,777 patients on February 6 that their personal information had been exposed during a recent attack on the organization's website. The exposed information included social security numbers and health records, though Sharp maintains that no bank account or credit card information was stolen.
Reddit confirmed on February 10 that it had suffered a data breach five days earlier, in which the attacker used an employee's credentials to gain access to some internal documents, code, internal dashboards, and business systems. However, Reddit maintained that there was no indication its primary production systems had been breached, and that only information relating to company contacts, employees, and advertisers was accessed, on a limited basis.
A hacker group known as "SiegedSec" put out a release on February 14 claiming to have broken into Atlassian's systems and extracted data on staff, as well as floor plans for its San Francisco and Sydney offices. Although Atlassian initially blamed Envoy, the office coordination platform it uses, for the breach, the company later retracted this, revealing that the hackers had gained access through an Atlassian employee's credentials, which the employee had mistakenly posted in a public repository.
Activision disclosed on February 21 that it had fallen victim to a data breach back in December 2022, in which sensitive employee data and content schedules were accessed from the company's computer systems. Reportedly, an employee's credentials were obtained in a phishing attack and then used to infiltrate the system.
US House of Representatives
One of the most high-profile cyberattacks of the period targeted no less than the US House of Representatives itself, through an indirect attack. It was reported on March 9 that cybercriminals had breached a Washington DC-based healthcare provider that handles sensitive data belonging to a number of federal legislators and their families, affecting an estimated 170,000 people in total. The data was put up for sale online, although the FBI is thought to have already purchased it as part of its investigation.
One common trend that can be gleaned from this list is that these data breaches succeeded because the attackers were able to use an employee's credentials that had been exposed inadvertently. While there may be an element of employee oversight in how these credentials were exposed, the organization bears responsibility as well, since its existing cybersecurity measures were not stringent enough to at least minimize such incidents.
Regardless of the organization's share of responsibility for such incidents, more concerning is that these organizations may not be doing enough to ensure that data breaches and other cybercriminal activity will not happen again, or will at least have a lower chance of succeeding in the future. It does not help that some of these organizations have not disclosed the measures they have taken to improve their cybersecurity, and some of those that have disclosed them did so in vague or generic statements that do not allay the concerns of their employees and customers.
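Several of the incidents above began with credentials that ended up somewhere they should not have been, including a credential posted to a public repository. A standard defensive control is to scan content before it is committed or pushed. The following is an added example written for this article, not code from any of the organizations mentioned: a small secret scanner, standard library only, that combines documented credential shapes (the AWS `AKIA` access key ID prefix and the GitHub `ghp_` personal access token prefix), a generic hard-coded assignment rule, and a Shannon-entropy check for long random-looking strings. The sample file it scans is constructed for this example; the `AKIA...`/`wJalr...` values are AWS's own documentation placeholders, and the rule names, `# allowlist-secret` marker and entropy threshold are choices made here, not an established convention.

```python
"""Added example (not from the article): a pre-commit style secret scanner so that
credentials are caught before they reach a repository. Standard library only.
All sample content below is constructed for this example."""
import math
import re
from typing import List, Tuple

# Each rule captures the credential itself in group 1. The AKIA and ghp_ shapes are the
# publicly documented prefixes of AWS access key IDs and GitHub personal access tokens;
# the assignment rule catches "password = '...'"-style hard-coded values.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("hardcoded-secret-assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|access[_-]?key|token)"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
# Long unbroken runs of base64/hex-like characters are candidates for the entropy check.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ALLOWLIST_MARKER = "# allowlist-secret"  # explicit opt-out for known-fake test fixtures


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: 0 for a repeated char, about 4+ for random base64."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, matched_value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        hit = False
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((lineno, name, m.group(1)))
                hit = True
        if hit:
            continue  # already reported; do not double-count it via the entropy check
        for token in CANDIDATE_TOKEN.findall(line):
            if shannon_entropy(token) >= entropy_threshold:
                findings.append((lineno, "high-entropy-string", token))
    return findings


# Constructed sample of a config file someone is about to commit. The AKIA/wJalr values
# are AWS's documentation placeholders; everything else is made up for this example.
SAMPLE_FILE = """\
# config.py (constructed sample, not from any real project)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "s3cretPassw0rd!"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
SIGNING_KEY_B64 = bXlTdXBlclNlY3JldEtleVRoYXRJc0xvbmc=
FIXTURE_TOKEN = "ghp_000000000000000000000000000000000000"  # allowlist-secret
log_level = "debug"
retry_count = 10
"""


def main() -> int:
    findings = scan_text(SAMPLE_FILE)
    for lineno, rule, value in findings:
        print(f"line {lineno}: {rule}: {value[:6]}...")  # never echo the full secret
    return 1 if findings else 0  # a non-zero exit status is what blocks the commit in a hook


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a hook, the non-zero exit status stops the commit; the allowlist marker exists so that deliberately fake fixtures do not train people to ignore the tool, and the scanner prints only a prefix of each match so the hook's own output does not become another copy of the secret.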
Ensuring protection from data breaches
Ensuring that an organization is safe from data breaches entails two important elements: education, and improving cybersecurity infrastructure and processes.
For one, employees should be given sufficient training in cybersecurity best practices, not only in how they share information but also in detecting and acting on suspicious activity online. This empowers employees and makes them the first line of defense against data breaches.
Complementing this is the need to invest in more secure systems and processes that at least reduce the likelihood of data breaches and limit their impact. One example is strengthening account credentials with multi-factor authentication, so that a login requires more than a password.
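To show concretely why multi-factor authentication blunts the credential-based attacks described above, here is an added example, written for this article and not taken from any of the organizations mentioned: a minimal login check that requires a password and a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) using only the Python standard library. The user record, password and demo secret are constructed for the example (the secret is the RFC's published SHA-1 test-vector key), and the `last_counter` replay check and the one-step clock-drift window are design choices made here rather than anything the article specifies.

```python
"""Added example (not from the article): password + TOTP second factor, so that a
stolen or leaked password alone does not log an attacker in. Standard library only;
HOTP/TOTP follow RFC 4226 / RFC 6238 and match those RFCs' published test vectors."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time // step), digits)


def match_totp(secret: bytes, code: str, unix_time: float,
               step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the counter the code matches (current step +/- `window` steps, to tolerate
    clock drift) or None. Comparison is constant-time; malformed codes are rejected first."""
    if len(code) != digits or not code.isdigit():
        return None
    counter = int(unix_time // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return counter + delta
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a stolen record does not hand over the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed in-memory user record; a real system would persist this."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_counter": -1}


def login(user: dict, password: str, code: Optional[str], unix_time: float) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which was wrong.
    A code is single-use: any counter at or below the last accepted one is refused."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    matched = match_totp(user["totp_secret"], code, unix_time) if code is not None else None
    code_ok = matched is not None and matched > user["last_counter"]
    if pw_ok and code_ok:
        user["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    # Demo with a constructed user; the secret is the RFC 6238 SHA-1 test-vector key.
    secret = b"12345678901234567890"
    user = make_user("correct horse battery staple", secret)
    now = time.time()
    print("password only:", login(user, "correct horse battery staple", None, now))
    print("password + code:", login(user, "correct horse battery staple", totp(secret, now), now))
    print("same code replayed:", login(user, "correct horse battery staple", totp(secret, now), now))
```

The point the demo makes is the one the breaches above illustrate: with the second factor enforced, a password obtained by phishing, from a public repository, or from a stolen credential list fails on its own, and even an intercepted code is only good for one login within its 30-second step.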