2024 Data Breaches: A Review of Major Incidents

Reflecting on Recurring Data Breach Failures
Over the last several years, TechCrunch has consistently reviewed some of the most significant and poorly managed data breaches and security incidents. The intention behind these reviews is to encourage larger corporations to learn from past mistakes and prevent similar disasters.
Unfortunately, as many predicted, we find ourselves once again documenting a pattern of problematic conduct. This year’s list features a new cohort of companies exhibiting the same vulnerabilities, alongside some additional noteworthy incidents that may have gone unnoticed.
A Persistent Cycle of Security Lapses
The recurrence of these incidents highlights a concerning trend within the corporate world. Despite increased awareness and available resources, fundamental security practices are often overlooked or inadequately implemented.
This leads to preventable compromises of sensitive user data and erodes public trust. The following list details examples of this ongoing issue.
Recurring Failure Patterns
- Companies continue to demonstrate a lack of preparedness for evolving cyber threats.
- Insufficient investment in robust security infrastructure remains a common factor.
- A failure to prioritize data protection often results in significant consequences.
These issues are not isolated incidents but symptoms of a broader systemic problem, and addressing them requires a fundamental shift in corporate mindset: a proactive approach to cybersecurity that prioritizes prevention over reaction.
The repeated nature of these breaches underscores the need for continuous improvement, a commitment to learning from past errors, and comprehensive measures to mitigate risk.
23andMe Attributes Data Breach to Insufficient User Security
Genetic testing company 23andMe experienced a significant data breach last year, compromising the genetic and ancestry information of approximately 7 million customers. This incident stemmed from hackers gaining unauthorized access through brute-force attacks on numerous accounts, ultimately extracting data from millions of individuals.
Following the breach, 23andMe implemented multi-factor authentication, a security measure that could have potentially mitigated the initial account compromises. However, shortly after the start of the new year, the company shifted responsibility for the extensive data theft to its users.
23andMe asserted that the breach occurred because customers had not adequately protected their accounts. This claim was met with criticism from legal representatives of a group of 23andMe users who initiated a lawsuit in response to the hack, labeling the assertion as illogical.
Investigations were subsequently launched by authorities in both the U.K. and Canada to examine the circumstances surrounding 23andMe’s data breach.
The company’s financial stability is now in question, leading to a workforce reduction of 40% later in the year. This situation also raises concerns about the security of the substantial collection of customer genetic data held by 23andMe.
Key Points Regarding the Breach:
- Approximately 7 million customers were affected.
- The breach was enabled by brute-force attacks on user accounts.
- Multi-factor authentication was implemented after the incident.
- 23andMe blamed users for inadequate account security.
- Joint investigations are underway in the U.K. and Canada.
The future remains uncertain for 23andMe, both financially and regarding the safeguarding of its extensive genetic database. The incident highlights the importance of robust security practices for companies handling sensitive personal data.
Change Healthcare’s Delayed Disclosure of Massive Data Breach
Change Healthcare, a healthcare technology firm, gained notoriety in February following a cyberattack that necessitated a complete network shutdown. This disruption caused significant and immediate outages throughout the United States, severely impacting the functionality of the U.S. healthcare system.
Owned by UnitedHealth Group, Change Healthcare manages billing and insurance processes for a vast number of healthcare providers and medical practices nationwide. The company processes approximately one-third to one-half of all healthcare transactions annually within the U.S.
Criticism Surrounding the Incident Response
The company’s response to the cyberattack – stemming from a compromised user account lacking multi-factor authentication – drew substantial criticism. Patients experienced difficulties obtaining prescriptions and securing approval for hospital admissions.
Affected healthcare providers faced financial hardship due to the attack’s consequences. Lawmakers questioned the company’s CEO during a congressional hearing in May regarding the security breach and its handling.
Change Healthcare initially paid a ransom of $22 million to the attackers, a practice discouraged by federal authorities as it incentivizes further cybercriminal activity. Subsequently, an additional ransom was paid to a separate hacking group to facilitate the deletion of the stolen data.
Extent of the Data Compromise
It wasn't until October, a period of seven months, that the full scope of the breach was disclosed. The attack resulted in the theft of private health information belonging to over 100 million individuals.
This incident is considered the largest healthcare data breach recorded to date, requiring considerable time for a complete assessment of the compromised information.
The delayed revelation underscores the complexities involved in investigating and quantifying the impact of large-scale data breaches within the healthcare sector.
Synnovis Cyberattack Caused Prolonged U.K. Healthcare Interruptions
The U.K.'s National Health Service (NHS) experienced significant disruptions throughout the year following a ransomware attack on Synnovis, a pathology services provider located in London. The incident, which occurred in June, was attributed to the Qilin ransomware group.
As a direct consequence of the attack, patients in southeast London faced over three months of difficulty obtaining necessary blood tests through their physicians. This led to the postponement of thousands of outpatient appointments and over 1,700 scheduled surgical procedures.
Preventative Measures and Labor Action
Security professionals suggest the attack could have been avoided with the implementation of two-factor authentication. Following the breach, Unite, a prominent U.K. trade union, declared that Synnovis employees would engage in a five-day strike in December.
Unite stated the attack had a considerable negative effect on staff, compelling them to work extended hours and operate without access to critical computer systems for an extended period during the remediation process.
Data Breach and Patient Impact
The full extent of the patient impact remains undetermined. The Qilin ransomware group claims to have leaked 400 gigabytes of confidential data purportedly extracted from Synnovis’ systems.
This compromised data reportedly includes patient names, health system registration identifiers, and detailed information regarding blood test results.
Snowflake Customer Hacks Escalated into Significant Data Breaches
This year, Snowflake, a leading cloud computing provider, became a focal point in a wave of large-scale hacks impacting its clientele. Affected organizations included prominent names such as AT&T, Ticketmaster, and Santander Bank.
The intrusions were carried out by individuals who subsequently faced criminal charges. The hackers gained access using login credentials stolen by malware infections on the computers of employees at companies that use Snowflake’s services.
The Role of Authentication Security
A critical factor contributing to the success of these attacks was Snowflake’s initial absence of a requirement for multi-factor authentication (MFA). This allowed the attackers to infiltrate systems and exfiltrate substantial volumes of data belonging to numerous Snowflake customers.
The stolen data was then used to extort ransom payments from the affected companies.
Snowflake’s Response and Subsequent Actions
Initially, Snowflake offered limited public commentary regarding these incidents. However, the company acknowledged that the breaches stemmed from a “targeted campaign” focused on users who relied solely on single-factor authentication.
Following the attacks, Snowflake implemented a policy of enabling multi-factor authentication by default for all customers. This change was intended to mitigate the risk of similar incidents occurring in the future.
The aim of this update is to proactively enhance security and prevent unauthorized access to sensitive data.
Key Takeaways
- The breaches highlighted the importance of robust authentication measures.
- The lack of mandatory MFA significantly increased vulnerability.
- Snowflake responded by implementing MFA as a default security setting.
Columbus, Ohio Initiated Legal Action Against a Security Researcher for Accurate Breach Reporting
Following a cyberattack experienced by the city of Columbus, Ohio during the summer months, Mayor Andrew Ginther sought to alleviate public anxieties. He communicated to residents that any compromised city data had been rendered inaccessible to attackers through encryption or corruption.
However, a security researcher, whose profession involves monitoring data breaches on the dark web, uncovered evidence contradicting the city’s statement. This evidence indicated that the ransomware group had, in fact, gained access to data pertaining to at least 500,000 individuals.
The exposed data included sensitive personal information such as Social Security numbers and driver’s license details. Furthermore, records relating to arrests, minors, and individuals impacted by domestic violence were also compromised.
The researcher subsequently shared this information with members of the press.
Legal Action and Subsequent Withdrawal
The city of Columbus successfully petitioned for and received an injunction preventing the researcher from disseminating the evidence he had collected regarding the data breach. This action was widely perceived as an attempt to suppress the researcher’s findings rather than address the underlying security vulnerabilities.
Ultimately, the city chose to discontinue the legal proceedings and dropped the lawsuit against the security researcher.
Salt Typhoon Exploited U.S. Law to Compromise Telecom Networks
A decades-old legal provision has inadvertently aided malicious actors this year. Hackers identified as Salt Typhoon – a China-linked hacking collective potentially preparing for future conflict with the United States – have infiltrated the networks of major U.S. phone and internet service providers.
These intrusions allowed the hackers to access sensitive data, including real-time calls, text messages, and communication metadata belonging to prominent U.S. political figures and high-level government officials, even those running for president.
The Role of CALEA
The breach reportedly occurred through exploitation of the companies’ wiretap capabilities. These systems were established in response to the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994.
Ongoing access to these wiretap systems, coupled with the extensive data retained by telecommunications companies regarding American citizens, has prompted a security advisory from the U.S. government.
Government Recommendations
Citizens and senior officials are now being urged to adopt end-to-end encrypted messaging applications. This measure aims to safeguard private communications from unauthorized access, including potential interception by groups like Salt Typhoon.
The use of encryption will help ensure that even if communications are intercepted, the content remains unreadable to those without the proper decryption keys.
Salt Typhoon’s activities highlight the complex interplay between national security legislation and cybersecurity vulnerabilities.
MoneyGram Remains Silent on the Scope of Data Breach Affecting Customer Information
MoneyGram, a leading money transfer service in the United States serving over 50 million individuals, experienced a hacking incident in September. The company publicly acknowledged the event over a week after it occurred, following reports from customers regarding several days of service disruptions. Initially, the disclosure described only a general “cybersecurity issue.”
While initially not confirming a data theft, MoneyGram later informed the U.K.’s data protection authority that a data breach report had been filed. This report indicated that customer data had, in fact, been compromised.
Several weeks following the initial incident, MoneyGram conceded that hackers had successfully extracted customer data during the cyberattack. This stolen data encompassed sensitive information like Social Security numbers and government-issued identification.
Furthermore, details pertaining to financial transactions – including dates and amounts – were also compromised. The company also revealed that investigation data related to a limited subset of customers was accessed by the attackers.
Despite these admissions, MoneyGram has yet to disclose the total number of customers whose data was stolen. The company has also not revealed how many affected customers have been directly informed about the breach.
Key Data Points Compromised
- Social Security numbers
- Government identification documents
- Transaction dates
- Transaction amounts
- Criminal investigation information (limited number of customers)
The lack of transparency regarding the scale of the breach raises concerns about the potential impact on MoneyGram’s customer base. Continued updates are anticipated as the investigation progresses.
Hot Topic Data Breach: Millions of Records Exposed
A significant data security incident at Hot Topic, impacting approximately 57 million customers, has come to light. This breach ranks among the most substantial compromises of retail data recorded to date.
Despite the extensive nature of the incident, Hot Topic has maintained a public silence, neither confirming the breach nor notifying affected customers or relevant state attorney general offices.
Furthermore, the retailer did not respond to repeated inquiries for comment from TechCrunch regarding the situation.
Details of the Compromised Data
The data breach was discovered by Have I Been Pwned, a website dedicated to tracking data breaches. The site acquired a sample of the stolen data and subsequently informed nearly 57 million individuals whose information was exposed.
The compromised data encompasses a wide range of personally identifiable information (PII). This includes email addresses, physical addresses, phone numbers, and details regarding customer purchases.
Additional data points exposed in the breach were gender and date of birth.
Critically, the stolen data also contained partial credit card information. This included credit card type, expiration dates, and the final four digits of the card number.
- Scope of the Breach: Approximately 57 million customer records.
- Data Types Compromised: PII, including contact information and purchase history.
- Financial Data: Partial credit card details were also exposed.
- Company Response: Hot Topic has not publicly acknowledged the breach.
The lack of transparency from Hot Topic raises concerns about its commitment to data security and customer notification protocols.
Notable Cybersecurity Incidents of the Year:
AT&T's Delayed Breach Disclosure
AT&T initially denied that it had suffered a substantial data breach, even after more than 73 million customer records surfaced online; the data had first been posted by a hacker on a cybercrime forum three years earlier. The company maintained that there had been no breach until a security researcher decrypted portions of the leaked data.
Security Firms Face SEC Penalties for Breach Minimization
Four cybersecurity companies – Avaya, Check Point, Mimecast, and Unisys – were collectively fined $6.9 million by the U.S. Securities and Exchange Commission. This action stemmed from their handling of cybersecurity incidents, specifically for downplaying the severity of breaches linked to the 2019 SolarWinds espionage attack.
pcTattletale's Controversial Data Handling
After the pcTattletale spyware application was hacked and its servers compromised, data from approximately 138,000 users was exposed. Instead of notifying those affected, including individuals whose devices had been compromised without their knowledge, the founder opted to delete the data, citing concerns about exposing customers.
mSpy Breach Reveals Parent Company
A significant data breach impacted the mSpy spyware, revealing emails from its customer support system dating back to 2014. This incident also exposed Brainstack, a Ukrainian company operating secretly behind mSpy. Brainstack acknowledged the connection when contacted by TechCrunch.
Evolve Bank's Response to Breach Reporting
Evolve Bank, a provider of services to fintech companies, experienced a ransomware attack by the LockBit gang in May, potentially exposing financial data of around 7.6 million individuals. Subsequently, the bank sent a cease and desist letter to a journalist from a financial newsletter who was reporting on the incident, despite the questionable legal basis of the threat.
Further Details on Specific Cases:
AT&T Breach Details
The initial sample of data posted by the hacker was dismissed by AT&T. However, the researcher’s decryption efforts revealed account passcodes within the dataset. This discovery prompted AT&T to reset the passcodes for 7.6 million current customers and issue notifications to a far larger number of potentially impacted users.
SEC Findings on Cybersecurity Companies
The SEC determined that the four cybersecurity firms had been “negligent” in their handling of the SolarWinds-related breaches. Their actions involved minimizing the extent of the damage and failing to adequately disclose the risks to investors.
pcTattletale's Shutdown
pcTattletale ceased operations following the breach. This case highlights a recurring pattern of stalkerware and spyware developers experiencing data losses or exposures affecting their users.
Brainstack's Takedown Request
Brainstack attempted to remove copies of the leaked mSpy data hosted by DDoSecrets, a transparency collective. Their takedown notice to FlokiNET, the web host, inadvertently confirmed their association with mSpy, corroborating previous evidence.
Evolve Bank and the Financial Newsletter
The fintech startups served by Evolve Bank were left to assess the impact of the breach on their own operations. The bank’s attempt to silence reporting on the incident through legal threats was widely criticized.