The Independent’s journalism is supported by our readers. When you purchase through links on our site, we may earn commission. Why trust us?
- CAR INSURANCE
- CAR INSURANCE
- TOOLS
- PROVIDERS
- GUIDES
- BROADBAND
- HOME SERVICES
- VPN
- HEALTH
Like it or not, cybercrime is prolific. With an estimated 8,000 cyberattacks per year, staying secure online simply can’t be assumed or left as an afterthought. Being savvy with your internet security is as much about keeping your passwords complex and secure as it is about installing a reliable VPN and remaining vigilant with two-factor authentication (2FA).
More and more companies are falling victim to cyberattacks, phishing scandals and ransomware leading to data leaks, huge payouts and often lawsuits. It’s clear that cybercriminals are getting increasingly creative, that anyone can be targeted and that there is still a lot to learn around prevention and recovery.
There is a hacker attack every 39 seconds and 2023 saw a number of high-profile cybersecurity incidents, with some rumoured to be recurring attacks from previous years or even months before, and some big data leaks on smaller companies in the healthcare sector.
According to IBM Security’s Cost of a Data Breach Report for 2022, 83 per cent of organisations have had more than one breach and 42 million records were supposedly exposed due to data breaches between March 2021 and February 2022. Alarmingly, these records can include anything from first names and email address, to passport copies, sensitive healthcare information and financial details.
Generally speaking, data breaches are taking longer to identify and contain than in previous years — with ransomware-related breaches taking 49 days longer in 2021 than the average time in previous years, according to IBM. Although most people would assume that the risk of data leaks would be higher in companies that haven’t got a fully-fledged cybersecurity team in place (for example, a small hospital), cases such as the latest Twitter cyberbreach prove that companies with perceived high cybersecurity won’t always outsmart a hacker.
According to Mimecast’s State of Email Security Report for 2023, the threat of cyber incidents is now one of the most important global risks to businesses, following the Allianz Risk Barometer survey which highlights how the risks involved might outweigh climate change, staff shortages and even the likelihood of recession.
While not all cases of a data breach lead to fraud or identity theft, compromised data is still an expensive business for companies and the repercussions stretch further to impact consumer trust and brand reputation, not to mention the mental and financial health of anyone directly involved.
Our expert researchers have compiled the most notable data breaches of 2023 so far which have led to millions of records being leaked or exposed – 346,758,345 to be precise – in one way or another. Records or data include basic personally identifiable information (PII) which can be used to identify someone – such as a name, date of birth, address, and phone number – and in some cases records may have included social security numbers, financial or sensitive health information.
Looking more closely at the data, there were 1.9 million people affected by data breaches in April 2023 and numbers have crept up for March and February, also, as new cases of data breaches have been reported around the globe. T-Mobile discovered another breach on 27 March, although 836 is a relatively small figure compared to the 37 million customers affected in their breach in January, it’s certainly enough to eat away at the brand’s credibility.
Each case varies and, although not all reports are officially “confirmed”, they carry lots of potential risk. For example, the millions of Brits now with potential data compromised due to a Labour phone banking system glitch, while across the pond, iD Tech still isn’t confirming a breach, which potentially exposed almost one million user records, even though the incident has been reported and many of those involved were made aware by Have I Been Pwned.
Number of people affected to date in 2023: 364,121,588+
2023’s biggest breach to date in 2023: Twitter, with allegedly 235 million emails leaked
UK’s biggest breach: 40 million UK voters’ details exposed
US’s biggest breach: 37 million T-mobile customers affected
Number of potential records compromised in August: At least 43 million
Number of potential records compromised in May: At least 17,363,243
Number of potential records compromised in April: 1,920,000
Number of potential records compromised in March: 31,413,302
Number of potential records compromised in February: 25,342,580
Number of potential records compromised in January: 288,082,463
Number of personal records compromised by telecom providers: 47,000,836
Number of personal records compromised in the healthcare sector: 25,949,000
Number of personal records compromised in the finance sector: 365,000
Data leaks caused by threat actors: 290,046,243
Data leaks caused by hacking: 89,240,580
Data breaches caused by third party data exposure: 11,354,000+
Data breaches caused by human error: 392,466
Common patterns that will emerge as you review the latest company data breaches are that human (and company) error is often the culprit, all types of companies can be targeted, and the motivation behind cyberattacks are, more often than not, money-related.
Data is often stolen by hacking which is someone gaining unauthorised access, usually electronically, to a system. Phishing is a type of social engineering attack whereby seemingly innocuous emails will be sent to victims containing links that may install ransomware or allow a bad actor access to systems. Phishing can also be used to lure people into entering personal information, leading to data theft or fraud. It may be used for impersonation that eventually leads onto another cybercrime being actioned, such as asking someone to transfer a large sum of money into an offshore bank account.
Bad/threat actors refers to anyone who causes harm in the digital sphere; they are slightly different to hackers in that they may not necessarily have technical skills to hack a system but will exploit a vulnerable server, eventually leading to a data breach or another other type of cybercrime.
Other factors that commonly lead to a data breach include malware – damaging software that infects devices with viruses – ransomware and spyware. which can then corrupt files and compromise data.
Below, we have created a timeline of the data breaches so far in 2023.
British Library
Company type: Library
Attack type: Threat actor
Affected: Unknown
The British Library, situated in London and the national library of the UK, suffered a cyber attack that resulted in data loss. The British Library learned it had been part of a data breach when low-resolution images were posted online and offered for sale on the dark web.
The attack took place on 31 October, and the British Library’s website has been down since. A ransomware group named Rhysida has claimed the attack. The hackers have also publicly let it be known how they plan to auction off the stolen data, which includes passport scans, for 20 bitcoins (about £596,459).
The British Library has investigated the attack and claims made by the ransomware group and has advised customers to change any logins as a precaution. The National Cyber Security Centre (NCSC) has also helped with the investigation to understand the full impact of the situation.
McLaren Health Care
Company type: Healthcare provider
Attack type: Data breach
Affected: 2.2 million
Michigan-based healthcare provider McLaren Health Care has announced a data breach that has compromised the personal health information of around 2.2 million patients. The cyber attack took place in July and August 2023, when it’s believed a hacking group gained unauthorised access to McLaren’s systems for three weeks.
In October, the ransomware group Alphv/BlackCat claimed credit for McLaren’s data breach. The hacking group also claims to have stolen around 6TB of data. McLaren began notifying impacted patients around 9 November that their personal and health data, including health insurance information, social security numbers and billing information, could have been leaked in the data breach.
Samsung Electronics
Company type: Appliance and consumer electronics
Attack type: Data breach
Affected: Unknown
Samsung Electronics is one of the largest appliance and consumer electronics companies in the world. On 13 November, Samsung warned customers of a cyberattack that only affected UK customers who purchased goods from the Samsung UK online store between 1 July 2019 and 20 June 2020.
Samsung says unauthorised individuals exploited a vulnerability in a third-party business application the company uses and that some personal information of certain customers was affected. Samsung also believes the stolen data could include names, phone numbers, email addresses and postal addresses – financial records and passwords were not part of the breach. Samsung has also assured that the cyber attack has only affected UK customers and all other regions’ customer and employee data remains unaffected.
Idaho National Laboratory
Company type: Nuclear energy
Attack type: Data breach
Affected: Unknown
Idaho National Laboratory (INL), announced it has suffered a data breach involving sensitive information belonging to its employees. INL is part of the US Department of Energy, which employs 5,700 specialists in atomic energy, integrated energy, and national security.
INL has confirmed an unknown hacktivist group – SeigedSec – has claimed responsibility for the data breach, which involved hundreds of thousands of data points from INL. Stolen data includes social security numbers, postal addresses, employment information, date of birth and email addresses. The breach is being investigated under federal law, though none of the stolen nuclear research data has been publicly disclosed.
Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services
Company type: Relocation and moving services
Attack type: Data breach
Affected: 1.5TB of data
The Canadian government has reported that two of its contractors have been hacked. The data breach has leaked sensitive information relating to a number of government employees. Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services are the contractors who suffered the data breach.
Both services store government data dating back to 1999. Some of this information belongs to members of the Royal Canadian Mounted Police (RCMP), Canadian Armed Forces personnel, and Government of Canada employees.
The LockBit ransomware group has claimed responsibility for the data breach, claiming to have stolen around 1.5TB of documents.
Robeson Health Care
Company type: Healthcare provider
Attack type: Data breach
Affected: 600,000
Robeson Health Care, a US-based healthcare provider, has disclosed two data breaches, with the most recent taking place on 27 November. Robeson has discovered malware in its computer systems and believes it to have been there since February of the same year.
In October, Robeson carried out a security investigation and discovered malware in its systems. The North Carolina-based company believes more than 600,000 people may have been affected. Robeson says it “has no indication that our electronic medical records databases were accessed without authorisation”. Robeson also states the stolen data may include names and social security numbers.
Following the breach, Robeson has offered those affected a year’s worth of theft protection identity services, as well as resetting passwords and ramping up its own security systems.
Okta
Company type: IT management service
Attack type: Data breach
Affected: Unknown
IT management service Okta announced it had suffered a data breach in late October. The company offers online identity management tools for companies such as FedEx and Zoom. Okta handles a plethora of sensitive data, and its main services are single sign-in and multifactor authentication. An unknown hacking group was able to infiltrate Oktas’ customer support system to access private customer data, according to the report.
Initially, Okta estimated that around 134 customers, or 1 per cent, were affected by the data breach. Okta continued its efforts to investigate the breach and discovered it was far larger than initially expected. During the breach, hackers downloaded a report including the names and email addresses of Okta’s customers who had a customer support system account. Of the stolen data, none has been publicly advertised for sale at the time of writing, but Okta’s announcement says a “threat actor may use this information to target Okta customers via phishing or social engineering attacks.”
D-Link
Company type: Networking equipment and smart device manufacturer
Attack type: Threat actor
Affected: Unknown
D-Link, a Taiwanese networking equipment manufacturer, has reported a data breach in connection with information from its network. The stolen information has been put up for sale on BreachForums.
The threat actor was able to source code from D-Links’ D-View management software, as well as the personal information of customers and employees and details relating to the company’s CEO. Reports suggest the stolen data includes phone numbers, names, email addresses, account registration dates and users’ last sign-in dates.
On an online forum, the cyber attacker provided 45 samples of the stolen records, which were dated between 2012 and 2013. The attacker also claims to have 3 million lines of customer information obtained from D-Link’s network. The data has been available for purchase on the forum with a demand of $500 since 1 October.
D-Link has since investigated the data breach and said the impacted server contained 700 outdated and fragmented records that have been inactive for the past seven years. D-Link believes the attacker has falsified timestamps to make the data theft appear more recent.
Sony
Company type: Entertainment
Attack type: Data breach
Affected: 6,800
Sony Interactive Entertainment has notified 6,800 current and former employees, including family members, that their data may have been involved in a data breach earlier this year. It’s reported that Sony sent a data breach notification in October after discovering that a third party had exploited a zero-day vulnerability in the MOVEit transfer platform.
The zero-day vulnerability CVE-2023-34362 has been exploited in large-scale attacks, and ransomware group Clop used it to leverage data from Sony. The attack took place in June, however, Sony did not release a public statement until October.
On 31 May, MOVEit announced a vulnerability in its transfer software. Sony and hundreds of other businesses and organisations use the software – a number of those have reported security breaches. Two days prior, on 28 May, Sony sent out notices to affected individuals that some SIE files were downloaded from its MOVEit platform. The vulnerability was reportedly fixed in early June and the platform was taken offline.
23andMe
Company type: Biotechnology
Attack type: Cyberattack
Affected: About 6.9 million
Genetics testing company 23andMe informed its customers in October that a number of customer profiles had been involved in a data breach. 23andMe provides DNA testing that helps users learn more about their ancestry.
The company itself was not hacked, but the attackers gained access to around 14,000 user accounts using leaked credentials, then were able to gain access to a huge number of other profiles linked to the ones they had hacked through the website’s DNA Relatives feature, which allows customers to compare ancestry information with other 23andMe users. The company was made aware of the breach when a hacker advertised unlawfully obtained customer data on a large scale in an online forum.
An unknown threat actor has obtained access to customers’ personal information, which may include first and last names, email addresses, date of birth and information relating to the user’s ancestry. 23andMe believes the hackers may have used a technique called credential stuffing, which involves hackers using leaked credentials from other websites to breach 23andMe accounts.
The company confirmed on 5 December that around 6.9 million profiles were accessed in the breach, accounting for more than half its customer base. It said in some cases, hackers were able to access family trees, birth years and geographic locations, but not DNA records.
Air Europa
Company type: Aviation
Attack type: Cyberattack
Affected: 110,000
Spanish airline Air Europa – the country’s third-largest airline company and a member of the Sky Team Alliance – suffered a cyberattack on its online payment system in October 2023. Data security analysts have concluded that Air Europa’s cyber attack lasted around nine days and affected around 110,000 customers.
Hackers were able to obtain customers’ card numbers, expiration dates, and the three-digit card verification value (CVV). The airline carrier informed its customers of a data breach and advised them to cancel credit cards used on its system. Data obtained during the attack is thought to have been put up for sale on the dark web, and Air Europa has assumed full responsibility for the breach. It’s unknown who the hackers were, and no known hacking groups have claimed the attack.
Casio
Company type: Electronics manufacturer
Attack type: Cyberattack
Affected: 91,921 credentials
Casio, a popular Japanese electronics manufacturer, revealed a data breach that has impacted customers from 149 countries. During the cyberattack, hackers gained access to the servers used for Casio’s ClassPad education platform. The breach was detected on 11 October, following the failure of a ClassPad database. One day later, on 12 October, hackers accessed customers’ personal information, including names and email addresses, country of residence and purchase information, such as payment methods and licence codes.
It has been revealed that hackers have accessed 91,921 credentials belonging to Japanese customers – including 1,108 educational institution customers – as well as 35,049 records belonging to customers from 148 countries and regions outside of Japan.
Seiko
Company type: Watchmaker
Attack type: Cyberattack
Affected: 60,000 items of personal data
In October, Japanese watchmaker Seiko confirmed it experienced a data breach earlier this year. Seiko says it suffered a Black Cat ransomware attack, where its data was leaked, including sensitive personnel, partner and customer information. Seiko has confirmed that 60,000 items of personal data were compromised in the attack.
In August, Seiko warned at least one of its servers had been compromised on 28 July. In late August, ransomware group Black Cat added Seiko to its extortion site. The group claimed to have stolen employee passport scans, new model release plans, specialised lab test results and confidential plans of new watch models.
Seiko has confirmed the customer and personnel information such as names, email addresses and telephone numbers were obtained from the data breach, but no customer credit card information was stolen.
Ministry of Defence
Company type: Government
Attack type: Cyberattack
Affected: 10 GB of data
The LockBit ransomware group from Russia has infiltrated the UK’s Ministry of Defence (MoD), releasing thousands of documents online. The breach occurred in August 2023, when LockBit targeted MoD contractor Zaun. The Wolverhampton fencing system manufacturer recently disclosed that it was a victim of a cyberattack by LockBit at the beginning of August.
The exposed data includes details on the Porton Down chemical weapon laboratory, HMNB Clyde nuclear submarine base, a GCHQ surveillance station in Cornwall, and a pivotal military location essential for cyber defence.
Reports indicate that detailed blueprints for the perimeter fencing at Cawdor, a British Army location in Pembrokeshire, and a map showing site installations have also been jeopardised. Moreover, the breach resulted in the theft of documents from several Category A prisons, including Long Lartin in Worcestershire and Whitemoor in Cambridgeshire.
Freecycle
Company type: Non-profit organisation
Attack type: Data breach
Affected: 7 million users
Freecycle, a non-profit organisation for recycling and reusing items, reported a data breach that affected more than 7 million users. The breach was only discovered by Freecycle when the threat actor posted the stolen data on an online forum on 30 May 2023 – weeks after the breach took place.
The online recycling platform notified its users and warned affected users to change their passwords. According to Freecycle, the stolen data includes usernames, user IDs, email addresses, and MD5-hashed passwords. During the breach, the credentials of the Freecycle founder Deron Beal were stolen, which gave the threat actor access to member information and forum posts.
Atlas VPN
Company type: Cyber security
Attack type: Data leak caused by security vulnerability
Affected: Unknown
Atlas VPN has announced the existence of a zero-day vulnerability affecting the Linux client, which allows website owners to discover the real IP addresses of Atlas users. The details relating to the exploit code were posted on Reddit by the person who discovered the security flaw and has since been confirmed by the company.
Linux 1.0.3, which is the latest version, has an API endpoint that listens to the local host. It offers a command-line interface (CLI), which is responsible for disconnecting a VPN session. It was found this API does not perform an authentication, allowing any user to issue commands to the CLI – even a website you have visited. This vulnerability could potentially breach the privacy of Atlas VPN users and could expose their physical location and real IP address.
The Reddit user who exposed the flaw claims there was no immediate response from Atlas VPN – which led to public exposure. When Atlas VPN did respond, it stated its team was working on a fix and that it would notify Linux users when there is an update available.
Sabre Corporation
Company type: Travel agency
Attack type: Data breach
Affected: 1.3TB of data
Sabre Corporation, a travel booking agency, reported the company was targeted by hackers in September. Sabre is a reservation system used by many companies around the world, with its software and data used for airline check-ins, hotel bookings and related apps.
The cyber attack has been claimed by Dunghill Leak Group. The hackers claimed responsibility for the attack by listing on its dark web leak site that it had allegedly stolen around 1.3TB of data from Sabre. The leaked data includes sensitive information from ticket sales and passenger turnover, as well as corporate financial information and personal information from employees.
Save the Children
Company type: Non-profit organisation
Attack type: Data breach
Affected: 6.8TB of data
The ransomware group BianLian has claimed responsibility for a cyber attack against the non-profit organisation Save the Children. The ransomware group claims to have stolen 6.8TB of data from the organisation on 11 September. It’s reported the stolen data includes personal data and HR files, as well as more than 800GB of financial records.
A spokesperson for the charity said the hackers had gained unauthorised access to its network, but it had not affected operations, and the organisation has functioned as normal. Save the Children, which has 1,300 employees across 100 countries, says it will continue to work with external specialists to investigate the cyber attack and continue to follow cyber security protocols to protect its data.
Airbus
Company type: Aviation
Attack type: Data breach
Affected: 3,200
Aviation giant Airbus has reportedly investigated a data breach following reports that a hacker has posted personal information belonging to 3,200 of the company’s employees to the dark web. Cybercrime intelligence firm Hudson Rock reported the online moniker ‘USDoD’ claimed on a cybercrime forum that they had hacked Airbus.
The hacker claims to have gained access to Airbus systems via a compromised account that belongs to a Turkish Airline employee. Credentials were stolen using malware. The compromised data includes email addresses, job titles, addresses, names and phone numbers.
Metropolitan Police Service
Company type: Government
Attack type: Data breach
Affected: Currently unknown
The Metropolitan Police Service (MPS) launched an investigation into a potential data breach after detecting unauthorised access to the IT system of an MPS print supplier, Digital IT. The supplier had information, including names, ranks, photos, vetting levels, and pay numbers of officers and personnel.
Digital IT also printed ID cards for the BBC, while ITV, Mitie and Royal Mail used its blank cards, loading the data in-house and leaving them unexposed to any breaches.
Duolingo
Company type: Global language learning platform
Attack type: Data breach
Affected: 2.6 million
The global learning language app Duolingo has over 74 million monthly users and, in January 2023, the scraped data of 2.6 million users appeared on the Breached hacking forum. An unknown party on the now-shutdown forum was advertising the data for $1,500.
The disclosed data consists of both public elements, like login and real names, and confidential details, such as email addresses and internal Duolingo service data. Although the real and login names can be accessed from a user’s Duolingo profile, the revelation of email addresses is particularly troubling as it can facilitate potential attacks using the information.
The 16.3 million data points have just been readvertised for sale for $2.13 on a new version of the Breached forum, according to BleepingComputer.
Electoral Commission
Company type: Government
Attack type: Data breach
Affected: 40 million
The UK Electoral Commission revealed in August that an attack which took place as far back as August 2021 (and was discovered in October 2022), left the data of 40 million voters openly accessible.
Who the attackers were remains a mystery, with theories ranging from a hostile state such as Russia, or a cyber criminal gang. According to the Electoral Commission, much of the data already existed in the public domain and said it would be difficult to influence an election using this data, due to the UK’s largely paper-based election system.
With that said, the attackers were able to view full copies of the electoral registers, which include the name and address of anyone who was registered to vote between 2014 and 2022.
PSNI (Police Service of Northern Ireland)
Company type: Government
Attack type: Human error
Affected: Around 10,000
Another damaging data breach was revealed in August, when the details of every serving member and staff of the Police Service of Northern Ireland (PSNI) was made public for up to three hours.
The data was accidentally published online after a Freedom of Information request was made.
The breach included the surname, initials, rank or grade, a work location, and the department of all PSNI staff, but did not involve the officers’ and civilians’ private addresses. It also exposed the officers in the organised crime unit, intelligence officers, and nearly 40 officers based at the MI5 HQ in Northern Ireland.
Topgolf Callaway
Company type: US sports equipment manufacturer
Attack type: Data breach
Affected: 1.1 million
In early August, Topgolf Callaway (Callaway) experienced a data breach that jeopardised the account information and emails of over a million customers, including users of its subsidiaries – Odyssey, Ogio, and Callaway Gold Preowned.
The US sports equipment manufacturer focuses on golf-related products and has a global footprint in over 70 countries, making over $1.2 billion annually.
Sysco
Company type: Food distributor
Attack type: Threat actor
Affected: 126,243
Leading food distribution company Sysco confirmed its network was breached earlier this year in an internal memo sent out to its employees. The cybersecurity attack was believed to have begun in January 2023 and was carried out by a threat actor who gained access to Sysco’s systems with no authorisation.
According to bleepingcomputer.com, an investigation revealed the threat actor extracted certain company data, including data relating to the operation of the business, customers, employees and personal data of 126,243 customers.
Sysco has stated the attack is not ongoing and the company has hired a cybersecurity firm to investigate the incident and notified federal law enforcement.
PharMerica
Company type: Pharmacy services
Attack type: Data breach
Affected: 5.8 million
National pharmacy network PharMerica had to send letters out to more than 5.8 million individuals of a data breach that occurred in March 2023. PharMercia informed the Maine Attorney General’s Office in the US that more than 5.8 million individuals’ personal information was compromised after an unauthorised party accessed its computer system between 12 and 13 March.
Names, addresses, birth dates, Social Security numbers, health insurance, and medication information were among the personal data compromised during the breach. Security Week noted the letters sent out to individuals did not disclose details of the type of cyberattack, but it reportedly appears the Money Message ransomware group is responsible for the incident.
PharMercia posted a data breach notice on its website, and informed Security Week, notifying the public of the attack, but made no mention of ransomware.
US Department of Transportation (DOT)
Company type: Government department
Attack type: Data breach
Affected: 237,000
Threat actors targeted the TRANServe system, which is responsible for compensating US Department of Transportation (USDOT) employees’ transportation costs. Cyber Security Connect noted the breach led to the data of 237,000 people being leaked, including 114,000 current and 123,000 former USDOT employees.
USDOT said in a statement the breach didn’t affect any transportation systems and didn’t comment on who was behind the attack. It also said transport safety systems remained unaffected.
Dish
Company type: American television provider
Attack type: Data leak caused by ransomware
Affected: Nearly 300,000
Satellite broadcast giant Dish confirmed it was hit by ransomware and as a result, nearly 300,000 people’s personal information was leaked. The broadcast company suffered widespread outages and the attack affected internal communications, customer call centres and websites, according to The Record.
On 18 May, Dish confirmed in letters sent out to customers that personal data was involved, including driver’s licence numbers. The letters also confirmed the network outage began on 23 February, which affected internal servers and IT systems. Dish claims it received confirmation the compromised data had been deleted, potentially implying the company paid a ransom to the threat actor involved.
The Record noted Dish is offering those affected by the data breach two years of free credit-monitoring services.
Apria Healthcare
Company type: Healthcare
Attack type: Data breach
Affected: Nearly 2 million
Apria Healthcare, one of America’s leading providers of home respiratory services and medical equipment, was impacted by a multi-year, months-long data breach between 2019 and 2021.
According to Tech Target, nearly 2 million patients were only notified of the breach by Apria in May 2023 despite being alerted to unauthorised access to its systems in September 2021. Data potentially accessed during the incident included customers’ personal, medical, health insurance and financial information, as well as Social Security numbers. However, Apria claims there is no proof any of this data was taken from its systems.
Apria said it has since implemented additional security measures under the recommendations of forensic investigators to help prevent any future breaches.
Tesla
Company type: Automotive and energy
Attack type: Whistleblower data breach
Affected: Unknown
According to Cyber Security News, Tesla suffered a data leak exposing thousands of safety complaints, with the leak traced back to a whistleblower who handed around 100GB of data to German newspaper Handelsblatt. It was reported Tesla received more than 2,400 complaints about self-acceleration issues and 1,500 complaints about brake problems on its vehicles’ Full Self-Driving (FSD) features between 2015 and March 2022. The newspaper received 23,000 files, including 3,000 entries outlining customers’ safety concerns and accounts of more than 1,000 collisions from the whistleblower. The files also reveal customer and employee information, including phone numbers, salaries of employees and bank details of customers.
Tesla says it protects the confidential information of its customers and employees. The company intends to initiate legal proceedings for the theft of Tesla’s confidential information.
MCNA
Company type: Dental services
Attack type: Data breach
Affected: 8.9 million
MCNA, One of the largest government-sponsored dental care services in America, published a data breach notification on its website informing nearly 9 million patients their data had been compromised.
MCNA became aware of the cyberattack on its computer systems on 6 March, and an investigation revealed hackers had first gained access to the network on 26 February. The data extracted included phone numbers, addresses, driving licence numbers and health insurance plan details.
According to bleepingcomputer.com, the LockBit ransomware gang claimed the cyberattack on 7 March.
Capita
Company type: Professional services
Attack type: Hacking
Affected: 90 organisations
Capita, the outsourcing and professional services group that runs pension schemes for Royal Mail and Axa, suffered a cyber attack that affected around 90 organisations. Crucial services for local councils, the military and the NHS were among those affected by the attack, which also caused IT outages in March 2023.
The Pension Regulator (TPR) wrote to more than 300 pension funds requesting them to check whether they had been affected.
According to The Guardian, a second data breach occurred in May when Capita reportedly left benefits data files in publicly accessible storage, prompting several councils to announce their data had been compromised. The Information Commissioner’s Office (ICO) is urging organisations that use Capita’s services to investigate whether they have been affected by the breaches.
American Bar Association (ABA)
Company type: Legal
Attack type: Hacking
Affected: 1.4 million
According to Bleeping Computer, ABA, the largest association of lawyers and legal professionals globally, disclosed that 1,466,000 members were affected by a data breach caused by an unauthorised third party accessing company networks on 6 March. Investigations were launched by ABA and cybersecurity experts on 17 March when the unusual activity was detected.
The data breach may have exposed old member login credentials for a system that was decommissioned in 2018. The credentials were “hashed and salted” (converted from plain text into a more secure format). Although no personal or corporate data was stolen, this leaves room for threat actors to abuse credentials over time, especially if members have not changed the original password assigned by ABA.
Kodi
Company type: Open source media player software
Attack type: Threat actor
Affected: 400,000
User records and private messages were stolen by a threat actor that twice logged into the account of an inactive Kodi MyBB forum admin member in February. The Hacker News reported that this allowed them to create, download and delete backups of the forum’s entire database. The database contained the information of 400,635 users, including public and team forum posts, user-to-user messages and general user credentials (email addresses as well as encrypted passwords). The threat actor also attempted to sell the data on cybercrime marketplace: BreachForums, which has now been taken down as the founder is being charged for stolen data.
Kodi’s MyBB forum was taken down as it commissioned a new server to relaunch a newer version of the software. Although no malicious activity or credential theft was detected, Kodi hoped to run a global password reset to stay on the side of caution, and urged users to update passwords on other websites if it was the same as they had been using for the member forum. Additionally, Kodi is reinforcing security measures to prevent future incidents, mostly around admin roles and access.
NewYork-Presbyterian (NYP) Hospital
Company type: Healthcare organisation
Attack type: Data exposure through use of third-party tracking and analytics tools
Affected: 54,000
NYP Hospital has been stung for using third-party tracking tools to analyse how visitors interacted with its website. Over 54,000 people have been notified that their patient information may have been compromised. According to Health IT Security’s report, once NYP Hospital had realised the error, it disabled use of the tracking tools and launched an investigation. It concluded that information, including the IP addresses and URls of visited pages, as well as names, email addresses and gender information, if available on particular pages, may have been exposed. There was nothing to suggest that social security numbers, financial or sensitive data was compromised and since NYP Hospital is reevaluating how it collects data and monitors user engagement.
VodafoneZiggo
Company type: Telecom provider
Attack type: Data breach (third-party software issue)
Affected: 700,000
Dutch telecom provider VodafoneZiggo reported a data breach incident to the Dutch Data Protection Authority (DDPA) after an unauthorised person was able to access consumer information that included names and email addresses. This was due to an issue with the company’s party software provider. No bank details or passwords were compromised, according to the NL Times, but the exposure of personal contact details enhances exposure to phishing scams so anyone concerned should be vigilant.
T-Mobile
Company type: Large telecommunications company based in US
Attack type: Hacking
Affected: 836
T-Mobile became aware of their second attack of 2023 on 27 March. Hackers accessed the information of some 836 customers, which exposes them to phishing attacks and fraud. On 28 April, Bleeping Computer shared the notification letter that was sent to those affected. The letter states: “No personal financial account information or call records were affected.” It also highlighted how the information shared varied across customers, but that it may have included PII as well as social security numbers, government IDs and T-Mobile account pins. T-Mobile also reset customer pins and offered two years free credit monitoring as compensation.
Independent Living Systems
Company type: Large health and social support company based in US
Attack type: Hacking
Affected: 4.2 million
On 14 March 2023, Independent Living Systems, a Miami-based healthcare administration that serves 5 million Americans, issued letters to customers affected by a 2022 data breach in which sensitive patient information (potentially including names, contact information, driver’s licence, state identification, social security numbers, Medicare/Medicaid IDs, general health and health insurance information) was accessible and potentially viewed by unauthorised persons.
The notice states: “We are unaware of any identity theft or fraud resulting from this event,” ahead of detailing how its systems were hacked between 30 June and 5 July 2022 and how, on realising the breach, the company conducted a review. The results were released on 17 January 2023, at which point the company claims to have acted as quickly as possible to notify those affected. However, Independent Living Systems is now being sued for failure to adequately safeguard patient data and for the wait time ahead of notifying those 4.2 million (the majority of its customer database) that may be at risk.
Latitude Financial Services
Company type: Large financial services company based in Australia and New Zealand
Attack type: Threat actor
Affected: 14 million
Latitude Financial Services is a leading instalments and lending business. It has a current database of 2.8 million customer accounts and over 5,500 merchant partners across Australia and New Zealand. It went public about a data breach on 16 March, confirming that a threat actor stole an employee’s log-in details and was able to access two of its service providers. According to Latitude Financial’s review (which is still ongoing), approximately 7.9 million driver licence numbers were stolen and a further 6.1 million records (including PII) were stolen.
The case is ongoing, much to customers’ fury, and Latitude have confirmed they will not pay a ransom to those behind the cyberattack.
PayPal
Company type: Global online payment platform based in US
Attack type: Cyberattack
Affected: 35,000 users
In 2023, Paypal confirmed that it suffered a security breach in December 2022, compromising personal and financial information of almost 35,000 users.
According to legalscoops.com, PayPal started an investigation as soon as it detected the attack, which took place between the 6 and 8 December, but it wasn’t complete until 20 December. The letter notifying those affected was distributed 23 January, disclosing that the hackers may have had access to social security numbers, bank account numbers and PayPal account balances, in addition to PII. Although PayPal noted that log-in details weren’t accessed via its own network, it didn’t elaborate on how these credentials were acquired.
Some users have now filed lawsuits against PayPal as they are dissatisfied with the apology and compensation of free credit monitoring and identity theft protection services. Further advice from PayPal is to update passwords and keep an eye out for suspicious activity.
Postal Prescription Service (PPS)
Company type: Large mail-order pharmacy service
Attack type: Internal/human error
Affected: 82,466
PPS, a mail-order pharmacy service and part of retail company Kroger, had to notify 82,466 individuals that they may have had their data breached due to an internal error. No sensitive medical or financial information was shared, however, the names and emails of users that created grocery accounts between July 2014 and 13 January 2023 were exposed. Health IT Security noted how PPS did not share more information on the exact cause of the internal error, but that it is updating its website and making procedural changes to avoid recurrences.
Florida Medical Clinic (FMC)
Company type: Healthcare provider
Attack type: Ransomware, followed by hacking
Affected: 95,000
FMC became aware of suspicious activity on its servers on 9 January at which point it contained the incident and launched an investigation with a third-party forensic firm which confirmed that files stored on the FMC system were accessed by one or more unauthorised parties. The data included consumers’ names, social security numbers, medical information, phone numbers, email addresses, dates of birth, and addresses, according to JD Supra’s report. Letters were sent out to those affected on 10 March.
AT&T
Company type: Large multinational telecommunications holding company based in US
Attack type: Data breach, vendor hack
Affected: 9 million
AT&T told BleepingComputer that 9 million wireless customers may have had their Customer Proprietary Network Information (CPNI) accessed. This kind of data includes first names, wireless account numbers, wireless phone numbers, and email addresses, with some dated information on rate plan names and payment history. According to BleepingComputer, AT&T claimed this was due to device upgrade eligibility and that their systems were not compromised.
TMX Finance
Company type: Lending business
Attack type: Hacking
Affected: 4,822,580
On 30 March, TMX Finance started sending letters to 4,822,580 customers that had their data leaked. The Canadian finance company detected malicious activity on 13 February and, according to Bleeping Computer’s report, it suspects that client information – including social security and driver’s licence number, financial, tax and personal identification information – was stolen between 3 and 14 February.
TMX believes the situation is contained but is continuing to monitor its systems and looks to enhance online employee and system access security. It is also encouraging those affected to enrol in a free 12-month identity protection service via Experian with a security freeze.
Heritage Provider Network, Regal Medical Group
Company type: Largest private healthcare network based in US
Attack type: Ransomware cyberattack
Affected: 3.3 million
A data breach notice was sent out on 1 February by Regal Medical Group disclosing that malware was detected on some of its servers as a result of a threat actor hacking its systems. Cybernews.com reported that the compromised data of those 3.3 million affected may have included basic PII as well as medical information, including radiology reports and prescriptions and health plan details.
Highmark Health
Company type: Large non-profit healthcare company based in US
Attack type: Phishing attack
Affected: 300,000
According to Beckershospitalreview.com, between 13 and 15 December an employee received a phishing link via email which allowed a hacker to access data of some 300,000 members. Customers were notified by letter on 13 February. On 6 Feb Highmark Health filed the notice and Databreaches, one of the first to report on the incident, says that two versions of the letter were sent out as some had social security numbers compromised and others protected health information, passport numbers and financial information. Highmark Health, who currently serve 5.6 million members, now has details online about how to spot a phishing email and avoid email fraud.
TruthFinder and Instant Checkmate
Company type: Large subscription-based background check services based in US
Attack type: Cyberattack
Affected: 20.22 million
According to BleepingComputer, on 21 January, hackers leaked a 2019 backup database containing the information of 20.22 million users of PeopleConnect-owned background check services TruthFinder and Instant Checkmate.
Subsequent announcements share that the exposed lists were created internally several years before and logged information of customer accounts created between 2011 and 2019. The lists contained PII as well as encrypted passwords and expired or inactive password reset tokens, but no payment details or user data was included.
JD Sports
Company type: Large fashion retailer based in UK
Attack type: Cyberattack
Affected: 10 million
Fashion retailer JD Sports notified the Information Commissioner’s Office about the incident which affected approximately 10 million online users, including customers purchasing items on Size?, Blacks and Millets at the end of 2022. According to a statement, the affected data was limited but included names, phone numbers, order details and the final four digits of payment cards (but not full payment details). JD is said to be investigating the incident with cybersecurity experts to avoid recurrences.
Diksha Indian Education app
Company type: Public education app launched in 2017 based in India
Attack type: Unsecured server
Affected: 1.6 million
Data stored in an obligatory public education app that was launched in 2017 was left unprotected for at least four years, meaning that even a simple Google search could have exposed the personal information of students and teachers. According to Wired, the files were available for download via Grayhat Warfare, a go-to searchable database on which hackers and security researchers can access unsecured servers.
The files contained full names, phone numbers and email addresses of some 1 million teachers. Another file that kept student information, although it partially concealed their email addresses and phone numbers, nearly 600,000 student names along with their schooling history, details of when they enrolled on the app and progress on the course was exposed.
T-Mobile
Company type: Large telecommunications company based in US
Attack type: Bad actor, hacker
Affected: 37 million
Hit once again following no less than eight disclosed hacks since 2018, T-Mobile said that it detected malicious activity on its servers on 5 January and shut it down within 24 hours. The company was said to be less forthcoming concerning information that the bad actor gained access to customer data from 37 million accounts, around 25 November 2022. The customer information included names, birth dates, and phone numbers.
According to wraltechwire, no passwords, PINs, bank account or credit card information were disclosed, nor were social security numbers or other government IDs.
Transportation Security Administration (TSA)
Company type: Agency of the United States Department of Homeland Security
Attack type: Hacker of unsecured server (accidental)
Affected: 1.5 million
A Swiss hacker who goes by the name maia arson crimew obtained an old copy of the US government’s Terrorist Screening Database and a “no fly” list that was available on an unsecured server.
The data belongs to commercial airline, CommuteAir who confirmed it contained 1.5 million entries, including names and birthdates of individuals (not all unique as the list contains multiple aliases) that the government has banned from air travel as well as information on 1,000 company employees according to the Daily Dot, who first reported on the case.
NortonLifeLock
Company type: Large multinational cybersecurity software and services provider with 80 million users across 150 countries based in US
Attack type: Credential stuffing attack
Affected: 925,000
Consumer safety provider NortonLifeLock, part of Gen Digital, was subject to a credential stuffing attack, compromising the data of 925,000 customers.
According to IT governance, customers’ full names, phone numbers and mailing addresses may have been leaked, and hackers may have also been able to access information stored in the Norton Password Manager feature to find passwords for other accounts, the latter being the most likely motivation for the attack. NortonLifeLock shared that the breach started 1 December 2022 and urges customers to use 2FA alongside other security measures.
Zurich Insurance (car insurance)
Company type: Leading insurer serving 200 countries, founded in Zurich
Attack type: Data breach
Affected: 757,463
This data leak stemmed from an external service provider compromised names, gender, date of birth, email addresses, policy number and more of 757,463 Zurich “Super Automobile Insurance” holders in Japan. According to the Switzerland Times, customers outside of Japan were not affected and credit card numbers or bank account information was not revealed.
Aflac Life Insurance (cancer insurance policyholders)
Company type: Fortune 500 company based in US
Attack type: Data breach
Affected: 1.3 million
Aflac confirmed on 9 January that it was notified about customer information being leaked onto a data breach forum by a hacker that had accessed a server 7 January, via an external contractor.
Aflac told Data Breach Today that the risk of misuse of information by third parties is low since it’s difficult to identify customers by the specific data leaked: last name, age, gender, insurance type number, coverage amount and premiums. 3.2 million records were accessed in total, 1.3 million of which were related to “New Cancer Insurance” and “Super Cancer Insurance” policyholders.
Company type: Large social media company based in US
Attack type: Data leak (threat actor)
Affected: 235 million
On 4 January, an estimated 235 million Twitter users and their associated email addresses were leaked to an online hacking forum, selling for around $2 according to BleepingComputer. This isn’t the first data breach for Twitter and BleepingComputer continued to report that it may be a cleaned-up version of the 400 million Twitter profiles which were circulated in November 2022, created by threat actors as far back as 2021. Twitter doesn’t believe there is evidence to show the data exploited a vulnerability in its systems and urges account holders to enable 2FA and hardware security apps to stay better protected.
If you were affected by a breach, the company will usually inform you by letter or email. However, it could depend on the nature of the cyberattack. Many US-based companies prefer to keep information regarding a breach quiet when they are first made aware, and will sometimes attempt to contain the situation in a way in which they may not be legally obliged to inform those involved or to officially report the incident at all. In some cases, months have gone by without the people concerned being notified, as with the Independent Living Systems breach when almost eight months had passed, increasing the chances of lawsuits.
If you’re in any doubt, you can simply check if your email address has been compromised, and where, on Have I Been Pwned. Also, if you have been officially notified, said company should also offer up information on how it’s rectifying the situation, how you can stay secure and how they will prevent problems in the future. It goes without saying that you should stay wary of phishing emails, and fact check the business or company’s data breach claim(s) by keeping an eye out for official communication on news outlets, or even for word on socials, like (albeit ironically) Twitter, Reddit and so on, to be a part of the immediate conversation.
Companies in the UK must notify the ICO within 24 hours of discovering the data breach to avoid penalty, the website offers further information on what to include in the alert and how to let customers know. In the US, the Federal Trade Commission has a step-by-step guide on best practice.
Prevention is the best protection when it comes to cybersecurity according to experts and, although 80 per cent of data breaches are caused by external actors as per Verizon’s Data Breach Investigations Report 2022, rigorous training of staff to help recognise phishing emails and malicious activity is a must. “Human error was a major contributing cause in 95 per cent of all breaches,” according to a historic IBM Cyber Security Intelligence Index Report. Further, the more recent 2022 report notes that: “Human errors, meaning breaches caused unintentionally through negligent actions of employees or contractors, were responsible for 21 per cent of breaches” in organisations.
With that in mind, SoSafe Cyber Trends Report 2023 shares that people can also be the biggest asset to a company when it comes to cybersecurity, so companies should invest in knowledge and training concerning cybercrime. The same report highlights how security teams should strive to keep up with the pace of cybercriminals, considering AI-powered tools and more that can fend off attacks.
Forging a sense of trust with employees is worthwhile, too, so that, should someone realise they opened a file or clicked a link they shouldn’t have, they will be comfortable reporting the incident rather than ignoring it, which could lead to an aggravated outcome. Cybercrime causes lots of different stresses, notably financial and emotional stress, and if companies don’t offer enough support to employees in their cybersecurity departments by investing in their training, and that of the general staff, it can lead to burnout and increased resignation rates.
An easy way to start protecting your data is to set up a secure VPN across all of your devices (laptop, mobile, tablet, etc). Note that the most protected options will usually be monitisied, but for many it’s a small price to pay for peace of mind and better security.
Also, turning on 2FA where you can and updating passwords regularly with a mix of uppercase and lowercase letters, special characters, and numbers that don’t relate to your personal information. You should try not to replicate your password(s) across multiple log-ins. If you’ve run out of steam for new passwords, you can use online tools like Secure Password Generator to help.
PCWorld advised in the wake of the PayPal data leaks that by using a good password and 2FA some of the data would have been better protected and secured. This is likely to be the case for the Twitter breaches and the NortonLifeLock case. If you own a company, there are payable options with enhanced security settings for employees, like LastPass and Dashlane.
