Over the past few years, TechCrunch has looked back at some of the most serious, badly handled data breaches and security incidents in the hope that (maybe!) other corporate giants will be careful not to repeat the mistakes of last year.
It goes without saying that this year we’re again listing many of the same bad behaviors from a whole new category of companies, plus a few extra (dis)honorable mentions from the year that you may have missed.
Last year, genetic testing giant 23andMe lost the genetic and ancestry data of nearly 7 million customers due to a data breach. Hackers brute-forced access to thousands of accounts and stole the data of millions of people. 23andMe is belatedly rolling out multi-factor authentication, a security feature that can prevent accounts from being hacked.
Just days after the new year, 23andMe began blaming victims for the massive data theft, claiming its users didn’t adequately protect their accounts. Lawyers representing hundreds of 23andMe users who are suing the company after the hack say the accusation is “frivolous.” British and Canadian authorities soon announced a joint investigation into 23andMe’s data breach last year.
Change Healthcare was a medical technology company that few people had heard of until February of this year, when a cyberattack forced the company to shut down its entire network, causing immediate, widespread outages across the United States and bringing much of the nation’s health care system to its knees. Change, owned by health insurance giant UnitedHealth Group, handles billing and insurance for thousands of health care providers and practices across the U.S. and handles one-third to half of all U.S. health care transactions each year.
The company’s handling of the hack was criticized by Americans who were unable to get medication dispensed or hospital approvals granted, and by affected health care providers on the verge of bankruptcy. Lawmakers questioned the company’s CEO about the hack. Change Healthcare paid a $22 million ransom to hackers, something the federal government has long warned only helps cybercriminals profit from cyberattacks, only to have to pay a new ransom to get another hacker group to delete its stolen data.
Ultimately, it wasn’t until October (about seven months later) that it was discovered that more than 100 million people’s private health information had been stolen in a cyber attack. Granted, it must have taken a while, because by all accounts this is the largest medical data breach this year, if not the largest ever.
The NHS has suffered months of disruption this year after London-based pathology services provider Synnovis suffered a ransomware attack in June. The attack, claimed by the Qilin ransomware group, left patients in southeast London unable to get blood tests from doctors for more than three months and caused thousands of outpatient appointments and more than 1,700 surgeries to be cancelled.
In light of the attack, which experts say could have been avoided if two-factor authentication had been implemented, the UK’s main union, Unite, announced a five-day strike by Synnovis staff in December. Unite said the incident had “an alarming impact on staff, who were forced to work overtime while dealing with the attack and were denied access to essential computer systems for months.”
It is unclear how many patients were affected by the incident. The Qilin ransomware group claims to have leaked 400 gigabytes of sensitive data it said was stolen from Synnovis, including patient names, healthcare system registration numbers and blood test descriptions.
Cloud computing giant Snowflake found itself at the center of a series of massive hacking attacks this year targeting corporate customers including AT&T, Ticketmaster and Santander. The hackers, who were later criminally charged over the intrusions, carried them out using login details stolen by malware found on the computers of employees of companies that relied on Snowflake. Because Snowflake did not enforce the use of multi-factor security, hackers were able to break in and steal massive amounts of data stored by hundreds of Snowflake customers, holding it for ransom.
Snowflake said nothing about the incident at the time, but admitted the breaches were the result of “targeted activity targeting users using single-factor authentication.” Snowflake subsequently rolled out multi-factor authentication by default to its customers in hopes of preventing a similar incident from happening again.
When Columbus, Ohio, reported a cyberattack this summer, the city’s mayor, Andrew Ginther, assured concerned residents that the stolen city data was “either encrypted or corrupted” and that the hackers who stole it could not use it. A security researcher whose work involves tracking data leaks on the dark web found evidence that the ransomware team was actually able to access the data of at least 500,000 residents, including their Social Security numbers and driver’s licenses, as well as arrest warrant records and information on minors and survivors of domestic violence. The researcher alerted reporters to the data.
The city successfully obtained an injunction against the researcher, barring him from sharing evidence of the breach he discovered, a move seen as an attempt by the city to silence the security researcher rather than remediate the breach. The city later dropped the lawsuit.
This year, a 30-year-old backdoor law came into play again because of hackers known as “Salt Typhoon,” one of several China-backed hacking groups laying the digital foundation for a possible conflict with the U.S. The hackers were found to have accessed the real-time calls, messages and communication metadata of senior US politicians and officials, including presidential candidates.
The hackers reportedly broke into the eavesdropping systems of some companies, which telecommunications companies were required to set up after the passage of a 1994 law called CALEA.
American money transfer giant MoneyGram, which has more than 50 million customers, was attacked by hackers in September. The company confirmed the incident more than a week later, disclosing only an unspecified “cybersecurity issue” after customers experienced several days of unexplained service outages. the data protection regulator told TechCrunch in late September.
Weeks later, MoneyGram acknowledged that hackers stole customer data during the cyberattack, including Social Security numbers and government identification documents, as well as transaction information such as the date and amount of each transaction. The company acknowledged that hackers also stole criminal investigation information from a “limited number” of customers.
In October, a data breach at US retail giant Hot Topic affected 57 million customers, making it one of the largest retail data breaches in history. However, despite the scale of the breach, Hot Topic has not publicly confirmed the incident and has not alerted customers or the state attorney general’s office about the breach. The retailer also ignored TechCrunch’s repeated requests for comment.
Leak notification site Have I Been Pwned obtained a copy of the leaked data and alerted nearly 57 million affected customers that the stolen data included their email addresses, physical addresses, phone numbers, purchases, gender and birth dates. The data also includes certain credit card data, including credit card type, expiration date and the last four digits of the card number.
AT&T’s first Three years ago, more than 73 million customer records were exposed online after hackers posted a smaller sample on a known cybercrime forum. AT&T had always denied that the cache belonged to the company and said there was no evidence of a data breach. That was until a security researcher discovered that some of the encrypted material found in the collection was easily cracked. The decrypted records turned out to be account passwords that could be used to access AT&T customer accounts. The researcher alerted TechCrunch, and we alerted AT&T, prompting the mobile phone giant to mass-reset the account passwords of some 7.6 million existing customers and notify tens of millions of other customers.
Even cybersecurity companies are not immune to breaches, but the way four companies handled cybersecurity scandals this year prompted regulators to issue rare fines for their misconduct. Avaya, Check Point, Mimecast and Unisys paid a total of $6.9 million in fines for a series of violations, including “negligence” in downplaying and minimizing the damage caused by the 2019 SolarWinds espionage attack, according to the Securities and Exchange Commission (SEC).
In May, a spyware app called pcTattletale was hacked and its website defaced with links to download data files stolen from the company’s servers, exposing the data of some 138,000 customers who had signed up to use the monitoring service. The company’s founder told TechCrunch that he “removed everything because the breach could have exposed my customers,” rather than notify affected individuals and those whose devices had been compromised without their knowledge. pcTattletale is the latest in a string of tracking software and spyware makers to have lost or exposed spyware victim data in recent years, and the company was shut down after the breach.
Another prolific spyware, mSpy, also suffered a major data breach this year, exposing emails sent to and from its customer support email systems since 2014. The breach also revealed to the world the Ukrainian company Brainstack, which was behind the operation. The company did not dispute this claim when contacted by TechCrunch. A few weeks later, Brainstack sent a takedown notice to the hosting provider of DDoSecrets, a transparency collective hosting copies of the leaked mSpy material, asking the website host to remove the site because it hosted text with “confidential enterprise data belonging to MSpy (a brand of our company).” Web host FlokiNET rejected the request and instead published the takedown notice, which confirmed that Brainstack was behind the mSpy operation, as previous evidence had suggested.
Evolve Bank, a financial giant that provides services to many growing financial technology startups, revealed in May that the bank was hacked by the LockBit ransomware gang, resulting in the leakage of the private financial information of approximately 7.6 million people. As affected startups scrambled to understand the extent of the breach’s impact on their businesses, Evolve chose to send a cease-and-desist letter to a respected financial newsletter writer who was reporting on the incident as it unfolded. The writer continued despite the bank’s false legal threats.