In an age where data is more valuable than ever, the threat posed by data and security breaches looms large. Despite advancements in cybersecurity, 2023 has seen a slew of major data breaches that have affected organizations and individuals across industries and around the globe.
These breaches have highlighted the need for continued vigilance and proactive measures to protect sensitive information. Here are some of the biggest data breaches we’ve seen in 2023 and the lessons we can learn from them.
- PayPal
In January, PayPal notified thousands of customers that their accounts had been breached by hackers in a “credential stuffing” incident, in which bad actors took lists of usernames and passwords from the dark web and then “stuffed” those credentials into login systems, giving them access to the accounts. As a result of the attack, Social Security numbers and other key pieces of customers’ personal information were left exposed.
- PharMerica
The national pharmacy network, which serves long-term care, senior living and behavioral health organizations, disclosed in May that an unknown third party had accessed PHI and PII stored in its systems in March. The ransomware group Money Message, which was behind the attack, claimed to have 2 million PharMerica and BrightSpring Health records, including Social Security numbers from 400 databases.
“The investigation determined that an unknown third party accessed our computer systems from March 12-13, 2023, and that certain personal information may have been obtained from our systems as a part of the incident,” the company said in its breach notification. “On March 21, 2023, we determined that the data contained personal information that included the above-referenced person’s name, address, date of birth, Social Security number, medications and health insurance information.”
- Managed Care of North America (MCNA) Dental
MCNA Dental disclosed in May that the company had been impacted by a breach in March. According to Bleeping Computer, “MCNA Dental is one of the largest government-sponsored (Medicaid and CHIP) dental care and oral health insurance providers in the U.S.” The breach, which was caused by unauthorized access to MCNA computer systems, impacted over 8 million people (for reference, about half the population of New York) including patients, parents, guardians, and guarantors.
- Okta
In October, it was announced that a security breach at Okta had impacted over 130 customers, after a bad actor was able to exploit a third-party service account to gain access to the company’s primary support system.
InfoSecurity Magazine reported, “Okta notified customers about the breach on October 19, more than two weeks after being alerted to suspicious activity by one of those customers, BeyondTrust. In his initial telling of the incident, Okta’s chief security officer, David Bradbury, explained only that it had come about after a threat actor used a stolen credential to access the firm’s support case management system. However, in an update on Friday, he shared more, explaining that the actor had access to the system between September 28 and October 17, compromising files belonging to 134 customers in total.”
- MOVEit
The widespread fallout from the exploitation of the MOVEit file transfer software tool continues. The Verge reported that, “In May 2023, a ransomware gang called Clop began abusing a zero-day exploit of Progress Software’s MOVEit Transfer enterprise file transfer tool. Progress quickly issued a patch, but the damage was already extensive. Clop’s widespread attack saw it steal data from government, public, and business organizations worldwide, including New York City’s public school system, a UK-based HR solutions and payroll company with clients like British Airways and BBC, and others.”
Since then, over 2,000 organizations have been attacked via the MOVEit vulnerability, with data thefts affecting more than 62 million individuals, the vast majority of them US-based. The fallout underscores the importance of supply chain security in today’s hyperconnected world.
Lessons Learned
The biggest data breaches of 2023 serve as valuable lessons for organizations and individuals alike:
- Employee Training: Proper training and awareness programs are crucial to empower employees to recognize and respond to phishing attempts.
- Regular Patch Management: Timely application of software updates and security patches is vital to close vulnerabilities that could be exploited by attackers.
- Security Audits and Penetration Testing: Regular security audits and penetration testing help identify and rectify weaknesses in an organization’s security infrastructure.
- Access Controls and Encryption: Implementing strong access controls and encryption protocols can safeguard sensitive user data, preventing unauthorized access.
- Third-party Vendor Security: Organizations must closely monitor the cybersecurity practices of third-party vendors and contractors to mitigate potential risks.
In a digital age where data breaches are a constant threat, staying vigilant and proactive in maintaining cybersecurity is essential. These breaches remind us that protecting sensitive information requires continuous effort, and every organization and individual must play their part in safeguarding data in an increasingly connected world.