Blog Image 1

Top 9 High-Profile Company Data Breaches in 2023

By Jessica Farrelly, Electric

The rate at which companies – large and small alike – are experiencing cybersecurity breaches is alarming. With recent high-profile attacks targeting healthcare, finance, retail, government, manufacturing, and energy, it’s clear that the threat landscape has evolved significantly over the past few years. According to projections, cybercrime is forecast to cost the global economy $10.5 trillion by 2025, reflecting a 15% increase year on year. Businesses have never been more vulnerable, and even large enterprises with substantial cybersecurity defenses can fall victim. For smaller businesses, lessons learned from these attacks can help you prepare your security strategy for any eventuality. This article discusses some of the most notable company data breaches from recent months, their causes, impacts, and what you should do to remain protected. 1. MOVEit: June 2023 The mass hack of file transfer tool, MOVEit, has impacted more than 200 organizations and up to 17.5million individuals as of July 2023. Multiple federal agencies are among those affected, including the Department of Energy, Department of Agriculture, and Department of Health and Human Services. It’s believed the majority of schools across the U.S have also been targeted by the hack. As the implications of the attack continue to emerge, further breaches have been confirmed at Shell, Siemens Energy, Schneider Electric, First Merchants Bank, City National Bank, and a number of international targets. Now a far-reaching incident, the attack originated with a security vulnerability in MOVEit’s software. While MOVEit patched the flaw once identified, hackers had already gained access to hordes of sensitive data. Clop, a Russia-linked ransomware group, claims responsibility for the breaches, and has threatened to publish stolen information on the dark web. 2. T-Mobile: May 2023 (and January 2023) It was announced in May that T-Mobile suffered its second data breach of 2023, after a hack revealed the PINs, full names, and phone numbers of over 800 customers. This is the company’s ninth data breach since 2018 and second this year. In early January 2023, T-Mobile discovered that a malicious actor gained access to their systems last November and stole personal information – including names, emails, and birthdays – from over 37 million customers. Once they identified the data breach, they were able to track down the source and contain it within a day. T-Mobile claims they may “incur significant expenses” from this data breach, which will be on top of the $350 million they agreed to pay customers in a settlement related to an August 2021 data breach. Not only has T-Mobile lost hundreds of millions of dollars because of security vulnerabilities, they have also lost customers’ trust after multiple breaches of personal information. 3. Yum! Brands (KFC, Taco Bell, & Pizza Hut): April 2023 Yum! Brands, the parent company of popular fast food chains KFC, Taco Bell, and Pizza Hut, announced in April of 2023 that a cyber attack had occurred in January. They initially believed the attack only directly affected corporate data, however they are now being cautious and notifying employees who may have had their personal data breached. In a statement provided to Electric, a representative from Yum! says, “In the course of our forensic review and investigation, we identified some personal information belonging to employees was exposed during the January 2023 cybersecurity incident. We are in the process of sending individual notifications and are offering complimentary monitoring and protection services. We have no indication that customer information was impacted.” The attack resulted in the company closing down almost 300 locations in the UK back in January, and has continued to cost the company money in adding security measures, alerting customers, and brand perception. 4. ChatGPT: March 2023 ChatGPT has been subject to public discourse because of its revolutionary AI capabilities, but the company faced a setback in late March when they announced a data breach. Officials from OpenAI, ChatGPT’s parent company, said: “In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time” (via CMSWire). The company is handling the aftermath by notifying impacted users, confirming their emails, and adding additional security measures. Many Americans are skeptical of ChatGPT and AI in general, and this data breach is likely to further diminish trust. 5. Chick-fil-A: March 2023 Popular fast-food joint, Chick-fil-A has confirmed a data breach of their mobile app that exposed customers’ personal information. The company noticed unusual login activity, investigated the anomaly, and determined the cyber attack happened within the first few months of 2023. The hacker used email addresses and passwords from a third-party to access the system and acquire data including membership numbers, names, emails, addresses, and more. Although less than 2% of customer data was breached, Chick-fil-A is already taking measures to prevent any future cyber attacks. The restaurant announced they would increase online security and monitoring, and also reimburse any accounts that suffered from the attack. If you think your account was affected, here is how you can secure your account and get reimbursed for any unauthorized transactions. 6. Activision: February 2023 The video game publisher behind the Call of Duty franchise, Activision, confirmed on February 19th, that they had suffered a data breach back in December. The hacker used an SMS phishing attack on an HR employee to gain access to employee data, including their emails, cell phone numbers, salaries, and work locations. Activision claims that the attack was addressed swiftly and the hackers didn’t obtain sufficient data to warrant alerting their employees directly after the data breach. However, a security research group investigated the breach and reported that the hacker had also gained access to the gaming company’s 2023 release schedule, along with the sensitive employee info. Under California law, if 500 or more employees’ data is breached, the company must alert those affected. 7. Google Fi: February 2023 Google Fi’s high-profile data breach comes as a consequence of the T-Mobile data breach earlier in 2023 (discussed above). Because Google doesn’t have its own network infrastructure, they piggyback on T-Mobile’s network and were affected by their massive data breach, compromising their customers’ phone numbers. Even with just stolen phone numbers, cybercriminals can continue to wreak havoc, especially through smishing attacks that trick users into clicking dangerous SMS links. If you are a Google Fi user, be extra careful of suspicious messages in 2023. 8. MailChimp: January 2023 MailChimp, the email marketing platform, alerted customers to a data breach in January. The incident was the results of a social engineering attack that allowed unauthorized users into an internal customer support tool. The hackers gained access to employee information and credentials, but the company has since identified and suspended those accounts. In response to the data breach, MailChimp has said: “Our investigation into the matter is ongoing, and includes identifying measures to further protect our platform”, according to Bleeping Computer. This is MailChimp’s first attack of 2023, but they also had data breaches in April and August of 2022. For businesses of all sizes, it’s important to know what to do after a data breach to prevent further attacks in future. 9. Norton Life Lock: January 2023 Norton Life Lock notified their customers in mid-January that over 6,000 accounts had been breached in recent weeks due to a “stuffing” attack. Stuffing attacks are when previously compromised passwords are used to hack into accounts that use a shared password, another reason why multi-factor authentication is so important. Gen Digital, Norton Life Lock’s parent company, sent the notice to accounts they believe could have been compromised and recommended changing passwords and enabling two-factor authentication. Other Cyber Security Breaches Hackers aren’t just after customer data, they may breach a company’s cyber security measures in order to steal other important information. On August 25th 2022, Last Pass, a password management provider used by over 30 million people, announced that a third-party had been able to infiltrate their network by accessing a compromised developer account. Although the security of the company had been breached, they stated that they don’t believe any encrypted customer data had been accessed, but rather the user “took portions of source code and some proprietary LastPass technical information”. This means that no customer data was breached and that Last Pass’s security and encryption measures for their customer’s passwords did its job. Although this cyber security breach has prompted Last Pass to hire third-party investigators and work towards protecting themselves against more breaches in the future. Data breaches in small businesses are on the rise. 61% of SMBs experienced at least one cyber attack in the past year, and 40% endured eight or more hours of downtime as a result. Watch this on-demand webinar to learn how to handle a data breach and establish a response plan. Companies with the Most Data Breaches in 2023 Some of the most high-profile company data breaches are notorious for their frequency as well as the damage caused. Facebook is one of the most popular websites in the world today. However, the company has faced numerous privacy issues over the years. Their most recent attack occurred in 2021, affecting 533 million users. Before that, Facebook was also hacked in 2018 and 2014, leaving 2.2 billion and 50 million people impacted, respectively. Yahoo is another infamous victim of back-to-back cybersecurity incidents. The company was hacked in 2013 and 2014, leaving 1 billion and 500 million people affected, respectively. Their most recent attack in 2017 impacted 32 million users. Other companies that have experienced repeat data breaches in the recent past include Amazon, Twitter, Microsoft, Uber, AOL, Dropbox, eBay, and more. But why do these companies experience repeat attacks? Here’s a quick overview of three common reasons: Old vulnerabilities: It’s not uncommon for a hacker to leave a secret window that they can use to access a company’s systems again after a successful first attempt. Failing to patch these vulnerabilities can lead to a second attack. Human error: Employees using weak passwords may expose a company’s systems to subsequent attacks. Other common human errors include employees clicking on malicious links and visiting phishing sites. Unless you perform follow-up security training following an initial breach, employees can repeat previous mistakes that leave your business vulnerable. Malware: Hackers use malicious software such as viruses, ransomware, Trojans, spyware, adware, etc., to steal confidential information from an organization’s network system. If a company fails to step up monitoring protocols after its first breach, there is nothing to stop repeat attacks from occurring. Don’t Fall Victim to Company Data Breaches It doesn’t matter if you’re a small business or a large corporation; in 2023, every modern company is at heightened risk of cyber attack. To keep your data secure, you need a comprehensive cybersecurity solution. At Electric, we help businesses protect their most valuable asset from threat actors. Get in touch to learn more about our unified IT security at the device, application, and network levels.