A data breach is when someone breaks into an organization and steals sensitive data. Attackers are able to get past security measures with tactics as varied as they are malicious, including phishing, planting malware, credential stuffing, and tracking keystrokes, to name a few.
Once they breach security barriers, cybercriminals might publicly expose sensitive information or steal data to sell on the dark web. In ransomware attacks, criminals hold data or computers hostage in exchange for a hefty ransom. These types of attacks often involve installing malware to lock up files or even entire system networks so that legitimate users can no longer access them—until they pay up, that is. Between 2021 and 2022, the average ransomware attack payment increased 71% according to one cybersecurity firm, with an average payout of almost $1 million. According to data for the first quarter of 2022, reported breach incidents have gone up by 14% compared to the same quarter in 2021 (although the number of victims per cyberattack has gone down).
To give important context to these troubling trends, Beyond Identity collected information about some of the largest and most high-profile data breaches of 2022. The dates included are when the breach was disclosed to the media, though the incidents themselves happened earlier. The damage from breaches can be costly; according to an IBM report, the average cost of a data breach to a company was more than $4 million in 2021.
The 10 breaches covered here affected companies, international organizations, and even governments. (These incidents and many others can be seen in Aaron Drapkin's regularly updated article tracking data breaches.) Read on to learn how these security attacks occurred and what has been done to remediate them.
On Jan. 18, the International Committee of the Red Cross revealed that the organization had experienced a data breach. The attack exposed personal data on more than half a million people, many in vulnerable situations, including names, locations, and contact information. The hackers compromised a contractor in Switzerland that was storing this data on the ICRC's behalf. As a result, the Red Cross was temporarily forced to halt a program that helps reunite families separated by armed conflict, migration, natural disasters, and other tragedies.
In a statement, the ICRC pleaded with the hackers to keep the stolen data confidential and partnered with "highly specialized" firms to help it respond to the attack. The Red Cross systems are back online, and the organization is working to inform people affected by the breach, and with partners to impress on states and other major actors the importance of protecting humanitarian organizations online.
OpenSea disclosed a data breach on Feb. 20. While the attack affected only 17 users, the hackers made off with about $1.7 million in crypto assets, and OpenSea user email addresses were later leaked. OpenSea was in the middle of a contract migration at the time, which gave the phishing emails a plausible pretext. The widely held theory is that the attacker tricked some OpenSea users into signing partially filled sale orders, with key fields left blank; the attacker could then complete the order and submit it to the new contract, transferring ownership of the NFTs for free.
Since the breach, OpenSea has warned its users about email phishing and implemented new security policies that make it harder to download customer data. It also terminated an employee suspected of working with the bad actor and reported that person to law enforcement.
On March 24, the Texas Department of Insurance disclosed that it had experienced a data breach in January. The breach exposed personal information, including Social Security numbers, contact information, and injury details, for 1.8 million Texans. For almost three years this information had been publicly accessible on the TDI website because of a coding error in a web application that allowed people outside TDI to reach what was supposed to be a protected part of the application.
To deal with the issue, the Texas Department of Insurance corrected the code and engaged a forensics firm to determine whether the exposed personal information had been misused. No evidence of misuse was found. The department also provided support, including one year of identity protection and credit monitoring services, to the people affected by the breach.
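The TDI flaw was a broken access control: a web handler served records that should have been restricted to the claimant and department staff. The following is an added illustration, not TDI's code, of the shape of that bug beside its fix. The claims table, user names, and the `tdi_staff` role are constructed for the example.

```python
"""Added example (not TDI's code): a claim-lookup handler that trusts any
request, beside one that enforces authorization on the server side."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data standing in for a workers' compensation claims table.
CLAIMS = {
    "C-1001": {"owner": "alice", "ssn_last4": "1234", "injury": "fracture"},
    "C-1002": {"owner": "bob", "ssn_last4": "9876", "injury": "burn"},
}


@dataclass
class Request:
    user: Optional[str]      # authenticated principal, None when anonymous
    roles: frozenset         # roles attached to the session
    claim_id: str            # path or query parameter supplied by the caller


def lookup_claim_vulnerable(req: Request) -> Optional[dict]:
    """Returns the record for whatever claim_id the caller supplies.
    Only existence is checked, so anyone who can guess or iterate
    claim IDs can read every claim, authenticated or not."""
    return CLAIMS.get(req.claim_id)


def lookup_claim_fixed(req: Request) -> Optional[dict]:
    """Deny by default: require a session, then require either ownership of
    the claim or the (hypothetical) tdi_staff role. 'Not found' and 'not
    authorized' return the same value so outsiders cannot confirm valid IDs."""
    if req.user is None:
        return None
    record = CLAIMS.get(req.claim_id)
    if record is None:
        return None
    if record["owner"] == req.user or "tdi_staff" in req.roles:
        return record
    return None


def enumerate_claims(handler: Callable[[Request], Optional[dict]],
                     make_request: Callable[[str], Request]) -> int:
    """Simulate an outsider iterating a small ID range against a handler and
    count how many records come back."""
    leaked = 0
    for n in range(1000, 1010):
        if handler(make_request(f"C-{n}")) is not None:
            leaked += 1
    return leaked


def anonymous(claim_id: str) -> Request:
    return Request(user=None, roles=frozenset(), claim_id=claim_id)


if __name__ == "__main__":
    print("vulnerable handler leaks", enumerate_claims(lookup_claim_vulnerable, anonymous))
    print("fixed handler leaks", enumerate_claims(lookup_claim_fixed, anonymous))
```

The check belongs in the handler (or a middleware every handler passes through), not in the page that links to it; hiding a link is what "supposed to be protected" usually turns out to mean in incidents like this one.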
Cash App went public with a data breach on April 4. Exposed data included names and brokerage account numbers for more than 8 million users. A former Cash App employee downloaded reports containing the personal information of American users of Cash App Investing after leaving the company. To address the issue, Cash App contacted all current and former users of the feature to answer questions and provide resources and information. It also notified law enforcement about the breach and advised all Cash App users to change their passwords and enable two-factor authentication.
On May 17, the Costa Rican government disclosed a data breach. A large part of the national government was locked down by a ransomware attack that crippled medical, tax, and other systems. More than 670 gigabytes of data was stolen and eventually leaked. The breach of the health system occurred when the ransomware group known as Hive hacked the country's national health service and left a ransom note. Experts suspect that Hive has been working with the Russian ransomware gang Conti to help Conti rebrand and evade international sanctions.
As a result of this attack, Costa Rican Social Security Fund systems were taken offline on May 31, and the Costa Rican government responded to the wider ransomware campaign by declaring a "national emergency," becoming the first country to do so in response to a cyberattack.
On July 22, Twitter announced a data breach that exposed 5.4 million phone numbers and email addresses. The attacker abused one of the microblogging platform's account-discovery features, which takes a submitted phone number or email address and reveals the Twitter account it belongs to. By feeding in lists of known phone numbers and email addresses, the attacker built a dataset linking them to accounts, including accounts whose owners had not made that information public. Twitter remediated the issue by patching the vulnerability, and it has also encouraged users to enable two-factor authentication on their Twitter accounts.
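The Twitter flaw is a textbook account-enumeration bug: an endpoint that answers "found" or "not found" for any contact detail lets an attacker resolve a purchased or leaked contact list to accounts at scale. The code below is an added illustration, not Twitter's code, of the scraping loop against such an endpoint and of a hardened version that honors a per-account discoverability setting, returns one indistinguishable response for unknown and opted-out contacts, and gives each caller a fixed query budget. The accounts, contact values, and the `discoverable` flag are constructed for the example.

```python
"""Added example (not Twitter's code): an account-discovery endpoint that
confirms whether a phone number or email belongs to an account, beside a
hardened version that honors discoverability and rate limits callers."""
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed sample accounts. 'discoverable' models a user setting such as
# "let people who have my phone number or email find me".
ACCOUNTS = {
    "@alice": {"email": "alice@example.org", "phone": "+15550100", "discoverable": False},
    "@bob": {"email": "bob@example.org", "phone": "+15550101", "discoverable": True},
}

# Reverse index from contact detail to handle, as the endpoint would use.
CONTACT_INDEX: Dict[str, str] = {}
for _handle, _info in ACCOUNTS.items():
    CONTACT_INDEX[_info["email"]] = _handle
    CONTACT_INDEX[_info["phone"]] = _handle


def lookup_vulnerable(contact: str) -> dict:
    """Answers differently for known and unknown contacts and ignores the
    user's discoverability choice, so any contact list can be resolved."""
    handle = CONTACT_INDEX.get(contact)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


class HardenedLookup:
    """Same endpoint with three changes: only opted-in accounts are resolved,
    unknown contacts and opted-out accounts get the identical response, and
    each caller gets a fixed budget of queries (a stand-in for real rate
    limiting keyed on account, IP, and device)."""

    def __init__(self, budget: int):
        self.budget = budget
        self.used = defaultdict(int)

    def lookup(self, caller: str, contact: str) -> dict:
        self.used[caller] += 1
        if self.used[caller] > self.budget:
            return {"status": "rate_limited"}
        handle = CONTACT_INDEX.get(contact)
        if handle is not None and ACCOUNTS[handle]["discoverable"]:
            return {"status": "found", "handle": handle}
        return {"status": "no_match"}   # same for unknown and for opted-out


def scrape(query: Callable[[str], dict], candidates: List[str]) -> Dict[str, str]:
    """Attacker loop: push a candidate contact list through the endpoint and
    keep every contact the service confirms."""
    hits = {}
    for contact in candidates:
        resp = query(contact)
        if resp.get("status") == "found":
            hits[contact] = resp["handle"]
    return hits


# Constructed attacker input: a mix of real and made-up contact details.
CANDIDATES = ["alice@example.org", "+15550100", "nobody@example.org",
              "bob@example.org", "+15550101", "+15550999"]

if __name__ == "__main__":
    print("vulnerable:", scrape(lookup_vulnerable, CANDIDATES))
    svc = HardenedLookup(budget=100)
    print("hardened:", scrape(lambda c: svc.lookup("attacker", c), CANDIDATES))
```

Note that the hardened endpoint still confirms opted-in accounts, because that is the feature; the protection for everyone else comes from the uniform `no_match` response, and the rate limit caps how much of a large list any one caller can test.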
On Aug. 4, Twilio, a programmable communications platform, announced that hackers had accessed data for more than 100 customers. This was particularly worrying because it included access to about 100 individual Authy accounts; Authy is Twilio's two-factor authentication app. The attackers used SMS phishing, sending employees text messages that posed as the company's IT department and linked to a fake login page, to capture employee credentials, which were then used to reach some of the company's internal systems and the customer data they held.
To resolve the issue, Twilio confirmed the incident, revoked the access of the compromised employee accounts so they could mitigate the attack, and they started an investigation with the aid of a top forensics firm. Twilio has also trained staff to be aware of social engineering attacks, issued security advisories related to those tactics, examined technical precautions, and contacted customers who were affected by the attack.
The same group of hackers also gained access to customer personal data stored by DoorDash, which disclosed the event on Aug. 25 and tied it to the campaign behind the Twilio breach. The data included names, emails, phone numbers, and addresses. After compromising accounts at an unnamed third-party vendor, the hackers were able to reach internal tools and, through them, the personal data of DoorDash customers. DoorDash started an investigation with the help of a cybersecurity firm it has not named and says it is taking action to enhance its security systems.
On Aug. 25, LastPass announced a data breach in which source code was stolen. Using one compromised developer account, an unauthorized party was able to access parts of the LastPass development environment and take source code along with some LastPass proprietary technical information.
This isn't the first time LastPass has had security problems. A major outage caused login and password issues in 2020, and they experienced another significant security problem in 2019. To fix the 2022 data breach, LastPass enacted mitigation and containment measures, engaged a forensics and cybersecurity firm, and enhanced security measures.
Nelnet Servicing also experienced a breach, which it announced on Aug. 29. The company exposed personal data for 2.5 million student loan accounts, including names, addresses, and Social Security numbers. Hackers compromised Nelnet Servicing's network, likely by exploiting a vulnerability. Threat actors holding Nelnet's data could use it for scams, impersonation, social engineering, or phishing attacks against borrowers.
Nelnet Servicing took immediate action to secure its information system, blocked the criminal activity, fixed the issue, and started an investigation with the aid of third-party forensic specialists. Nelnet Servicing then informed the U.S. Department of Education of the breach, after which the department informed law enforcement. For individuals potentially affected by the breach, Nelnet Servicing provided two years of free access to identity theft and credit monitoring services.
This story originally appeared on Beyond Identity and was produced and distributed in partnership with Stacker Studio.