Last year was a big year for data breaches. By October 2023, there had already been 2,116 compromises in the US alone, compared with 1,802 in the whole of 2022. And whilst the number of people affected in these attacks was just over half that of the previous year, it still shows a worrying trend.
Here are five of the biggest data breaches from 2023.
1. DarkBeam
Digital risk protection firm DarkBeam found that 3.8bn records from its database of previous data breaches had been exposed. This was because the company had left an Elasticsearch and Kibana interface unprotected, exposing records (including user emails and passwords) from previously reported and non-reported data breaches. This is likely to have been caused by human error. And whilst the leaked database was made up of already exposed records, the way it was organised could make it easier for cyberhackers to create very realistic phishing campaigns.
2. ICMR (Indian Council of Medical Research)
In October 2023, the ICMR’s covid-testing database was infiltrated, resulting in the personal data of 815m Indian residents being stolen and offered for sale on the dark web. According to the security company Resecurity, which discovered the listing, the data included victims’ names, ages, genders, addresses, passport numbers and Aadhaar numbers (a 12-digit government identification number).
3. Kid Security
More than 300m records from the popular parental control app Kid Security were exposed in November 2023. The app, which allows parents to monitor and control their children’s online safety, exposed user activity logs to the internet for more than one month as a result of misconfigured Elasticsearch and Logstash instances. During this time, more than 300m records, including 21,000 telephone numbers, 31,000 email addresses and some payment card data, were exposed.
4. SAP SE Bulgaria
In November last year, cybersecurity researchers discovered that credentials providing access to more than 95.5m artefacts from SAP SE had been exposed through public GitHub repositories. They were revealed through Kubernetes Secrets – objects that contain small amounts of sensitive data, such as passwords, tokens or keys – and SAP was not the only organisation to be affected by this.
5. MOVEit
One of the most wide-reaching data breaches of 2023 came from MOVEit, a popular file transfer tool, which led to sensitive data from the firms that use the software being compromised too. Some of the initial victims, revealed in June last year, included Zellis, British Airways and the BBC. Throughout the year, more organisations were revealed as victims, including the Oregon and Louisiana departments of motor vehicles and Microsoft’s healthcare technology company Nuance. The scale of the breach is still unclear; however, there are estimates of over 2,000 companies and 60m individual records being affected.
Data breaches and ransomware attacks will continue to occur through 2024 and beyond, so it’s crucial that organisations are prepared for these risks, and have plans in place to mitigate the fallout in case any user data is compromised.