The biggest data breaches of 2023

The year 2023 witnessed a wave of significant data breaches, prompting businesses to reassess their cybersecurity strategies. Understanding the nuances of these breaches is crucial for small- and medium-sized business owners and their staff to fortify their defenses against cyberthreats.

What is a data breach?

A data breach is any instance where unauthorized parties gain access to sensitive or confidential information, such as personal data (Social Security numbers, bank account details, healthcare information) or corporate data (customer records, intellectual property, financial information). These breaches can have far-reaching consequences, affecting businesses and their clients alike, exposing them to further cyberattacks, extortion, identity theft, and more. In terms of hard financial losses, the IBM Cost of a Data Breach Report 2023 estimates the global average cost to the victims of a data breach to be $4.5 million.

The major breaches of 2023

The following data breaches have been marked as significant due to either scale, the high-profile status of the victim, or a combination of both.

MailChimp – January

MailChimp, a widely used email marketing platform, fell victim to a data breach on January 11, 2023, compromising the data of 133 customers.

How it happened:
The breach resulted from a social engineering attack on MailChimp employees and contractors, enabling unauthorized access to internal customer service and account management tools.

Response:
MailChimp promptly detected the breach and suspended access for accounts exhibiting suspicious activity. Affected parties were notified within 24 hours, with MailChimp assuring that no credit card or password information was compromised.

Impact:
WooCommerce, a prominent eCommerce plugin for WordPress, was among the affected, exposing names, store URLs, and email addresses. While no immediate misuse was identified, concerns arose about potential targeted phishing attacks.

Activision – February

Activision, renowned for games like Call of Duty, experienced a data breach in February 2023. It was believed to have originated from an SMS phishing attack in December 2022.

How it happened:
Attackers gained access to internal systems by targeting an HR employee, obtaining sensitive information including employee information, financial data, and upcoming content details.

Response:
Activision initially downplayed the breach but faced scrutiny when evidence contradicted their claims. Questions emerged about compliance with data breach notification laws in California.

Impact:
The delayed notification impacted Activision's reputation and raised concerns about transparency regarding sensitive employee information.

ChatGPT – March

In March 2023, ChatGPT, an AI-driven chatbot by OpenAI, experienced a data breach. The breach exposed the personal information of 1.2% of subscribers, including names, addresses, payment addresses, and limited amounts of credit card information such as expiry date and final four digits.

How it happened:
A bug in the Redis open-source library led to the exposure, allowing users to view others' personal information and chat titles.

Response:
OpenAI swiftly addressed the bug, temporarily shutting down the service and introducing a bug bounty program for future detection and prevention.

Impact:
The incident emphasized previously unforeseen weaknesses and exploits pertaining to chatbot and AI technologies, highlighting the importance for all industries, especially the newest ones, to maintain proactive security postures.

Shields Healthcare Group – April

Massachusetts-based medical services provider Shields Healthcare Group faced a data breach in April 2023, impacting 2.3 million people and 56 facilities.

How it happened:
While the exact method is unknown, current speculations lean toward either the exploitation of a network software weakness or a phishing attack.

Response:
Upon detection, the intrusion triggered immediate containment measures, investigations, and even the rebuilding of entire systems.

Impact:
The information compromised can be used to target thousands, if not millions, of patients with extortion, phishing, social engineering, and scams.

T-Mobile – January, May, and September

T-Mobile suffered four data breaches in 2023: the first in January, the second in February–March, and two in September.

How it happened:
In January, T-Mobile discovered unauthorized access to its systems that had begun in November 2022, leading to the theft of personal information belonging to 37 million customers. The second breach began in February 2023 and was not discovered until March 30. It affected over 800 customers, whose personal information, account information, PINs, Social Security numbers, and government ID information were stolen.

The first September breach was the result of a months-old breach at the third-party service provider Connectivity Source, which exposed 89 GB of primarily employee data that was then posted to a dark web forum. The second September breach was a glitch in the T-Mobile app that allowed customers to access each other’s personal and payment information, exposing them to potential fraud or identity theft.

Response:
Upon detection, the January breach was contained within a day. In the case of the second breach, T-Mobile reset the PINs of all affected customers and offered two years of access to free credit monitoring and identity theft detection services.

Regarding the first September breach, T-Mobile disclosed that a T-Mobile franchise, Connectivity Source, not T-Mobile corporate, had been the victim of a cyberattack in May. Connectivity Source had admitted to suffering a data breach in court on May 10. Any further steps Connectivity Source has taken in response to the May breach have not been disclosed.

According to T-Mobile, the application glitch that led to the second September breach has been repaired.

Impact:
T-Mobile faces significant expenses from lawsuits brought by affected customers, compounded by a $350 million settlement for a 2021 breach. The erosion of trust and the financial losses underline the consequences of repeated security vulnerabilities. The September breaches illustrate the potential consequences of vulnerabilities in business partners’ systems and of misconfigured applications.
