In the digital age, cybersecurity is the defense against the ever-evolving threats that loom over our personal data and corporate secrets. Yet, as the defenses grow more sophisticated, so do the tactics of cyber adversaries. The year 2023 has been a testament to this relentless tug-of-war, witnessing some of the most consequential data breaches. We delve into some of the most shocking data breaches of 2023.
Top 10 Data Breaches of 2023
According to the Identity Theft Resource Center, the ten most significant data breaches during the first half of 2023 have impacted more than 100 million individuals. Let’s check out some of the nastiest attacks.
1. T-Mobile Breach Affects More Than 37 Million Customers
One of the most significant data breaches in 2023 occurred at the start of the year. In the first week of January, T-Mobile discovered malicious activity from cybercriminals. Attackers were using an API to steal data — and had been doing so since November 22.
With almost two months of data collection, hackers could access the names, emails, and birthdays of more than 37 million customers.
This early 2023 attack was the eighth time T-Mobile had been targeted by cyberattackers since 2018. In May, T-Mobile faced another data breach. This second data breach in 2023 affected only around 800 customers but cost the company hundreds of millions of dollars to remediate.
2. MailChimp Data Breach Exposes Personal Information
In January, email and digital marketing leader MailChimp discovered a data breach that affected user accounts. The breach also exposed employee information and credentials.
Hackers used social engineering tactics to gain unauthorized access to internal customer support features. In cybersecurity, a social engineering attack relies on our human nature to be helpful and friendly to achieve a breach — and, unfortunately, it often works!
For example, a hacker might pose as an employee’s boss and make a seemingly innocent request for a password. The employee gives over the information, believing they’re helping their boss. In reality, they’ve given sensitive information to a cyberattacker.
3. ChatGPT Faces Major Data Breach
Known for its AI capabilities, ChatGPT has made waves in the technology world. Unfortunately, the program experienced a cyberattack in March 2023.
The attack exposed users’ first and last names and their email addresses. Additionally, the hackers gained access to payment addresses and the last four digits of subscribers’ credit cards. The site was taken down temporarily to address the breach, but users could potentially see one another’s private information prior to the shutdown.
The parent company of ChatGPT, OpenAI, quickly addressed the breach and increased security efforts. However, a data breach involving susceptible information, like payment information, could soon lead to customer distrust.
4. MOVEit Breach Affects Over 200 Organizations
A June 2023 data breach of file transfer tool MOVEit affected over 17 million individuals and 200 organizations. Affected organizations include major corporations such as Shell and Siemens Energy. The breach also reached government agencies using MOVEit’s tools to share files, including the Department of Energy, Department of Agriculture, and Department of Health and Human Services.
Russian ransomware group, Clop, has taken credit for the breach, even threatening to publish sensitive information on the dark web.
5. KFC, Taco Bell, and Pizza Hut Parent Company Discovers Breach
The parent company of popular fast food restaurants KFC and Taco Bell, Yum! Brands, revealed a cyberattack in April 2023. Somebody found the original breach in January. Initially, Yum! Brands found the attack only to affect corporate data.
In April, the company notified employees and customers of their restaurants as an additional measure after finding some employee data had also been exposed.
Following the January attack, Yum! Brands closed down nearly 300 restaurant locations in the UK. The company continues to pay for the breach through increased security measures, employee and customer notification, and brand public relations.
6. March Data Breach Affects MCNA Insurance
In May of 2023, Managed Care of North America (MCNA) Insurance Company announced a data breach from earlier in the year. The breach allowed an unauthorized third party to access information from late February to early March 2023. The exposed data included specific internal systems, which allowed hackers to remove personal information for nearly 9 million customers.
This breach, in particular, exposed loads of susceptible personal information of insurance customers. For example, hackers gained access to full names, dates of birth, and contact information, including addresses, telephone numbers, and emails.
Additionally, attackers may have accessed some customers’ Social Security numbers, driver’s license numbers, government-issued ID numbers, and health insurance information.
7. Video Game Publisher Activision Faces Data Breach
Video game publisher Activision, makers of the popular Call of Duty franchise, announced a data breach in February 2023. The breach occurred in December 2022, but it took several weeks of investigations by Activision and an independent security research group to learn the extent of the breach.
Activision claimed the breach was limited in nature and taken care of quickly. However, a third-party security research group found that the hacker could access sensitive employee information. The company’s 2023 gaming release schedule was also visible to the hacker.
This attack came from an SMS phishing attack. A hacker sent a text to an HR employee that led to a phishing website. The hack then gained access to employee emails, phone numbers, salary details, and work locations.
8. Google Fi Feels Effects of T-Mobile Breach
Google offers wireless phone services, including call, text, and data, through their sub-company Google Fi Wireless. However, Google itself doesn’t manage or operate a wireless network. Instead, the company offers mobile phone plans using the T-Mobile network infrastructure.
Google Fi customer phone numbers were exposed in the January 2023 T-Mobile data breach. Hackers are expected to use this information to launch further attacks, such as SMS phishing attacks.
The Google Fi data breach is an excellent example of how serious a breach can be. A breach of one company can lead to compromised data for any company working with the attacked company.
9. Chick-fil-A Works to Manage App Breach
Chick-fil-A, the fast food chain known for its chicken sandwiches and efficiency, notified customers of a data breach in early 2023. The breach occurred through the chain’s mobile app and compromised customers’ personal information.
Although only an estimated 2% of mobile app users were affected, the Chick-fil-A breach potentially caused unauthorized transactions for users. Chick-fil-A has since taken measures to increase security on their app and are offering reimbursement for users who face unauthorized transactions.
10. Almost 6 Million Affected in PharMerica Breach
A reported 5.8 million individuals were affected in a March 2023 data breach at PharMerica, one of the largest pharmacy services providers in the United States. The breach is the most significant healthcare data breach reported by a HIPAA-covered company in 2023.
The ransomware group “Money Message” has claimed they are behind the attack, gaining access to the personal information of both alive and deceased individuals. Information exposed in the breach includes names, addresses, dates of birth, Social Security numbers, medications, and health insurance information.
Regulatory Issues and Legal Consequences Data Breaches Cause
Data breaches can have severe regulatory and legal consequences for businesses. The General Data Protection Regulation (GDPR) and Data Protection Act 2018 require appropriate technical and organizational security. Non-compliance can result in fines, enforcement notices, or an investigation from the data protection regulator.
If a data breach occurs, there are four legal implications preserved in data protection laws across all jurisdictions, including:
- Notification: A company that has suffered a data breach must notify all affected individuals immediately.
- Investigation: A company must investigate the breach to determine what happened and how it occurred.
- Remediation: A company must take steps to remediate the breach and prevent it from happening again.
- Liability: A company may be liable for damages resulting from the breach, including financial losses, reputational damage, and other costs.
Companies that suffer a data breach should take swift action to minimize the damage and prevent future incidents. An excellent approach to navigating today’s cyber landscape is for leaders to develop an incident response plan or IRP. An IRP enables impacted companies to respond quickly and precisely to the attack instead of scrambling to clean up the mess.
While some industries, such as manufacturing and finance, are more likely to see a cyberattack than others, any company can be a victim of cybercrime. Fortunately, there are ways to help reduce your risk of cyber crimes, such as:
- Ongoing employee training
- Securing networks and devices
- Conducting regular cyber audits
- Using multi-factor authentication
- Keeping software and technology up-to-date
- Developing an IRP or disaster recovery plan
- Purchasing cyber liability insurance
One of the most common ways hackers access company and customer data is through phishing attacks. These attacks rely on human mistakes rather than advanced computer or hacking skills. For example, a hacker might send a phishing link to an employee disguised as a bank login. Employee training and requiring multi-factor authentication can help significantly reduce your chances of being a victim of a phishing attack.
Unfortunately, prevention doesn’t mean you won’t be the victim of an attack or breach. It’s essential to have a disaster recovery strategy if hackers do gain access to your data. Disaster recovery should include a plan to recover and secure data and manage your reputation, like notifying customers or credit monitoring.
Our General Manager Jonathan Selby says of the current online outlook, “It’s not if you experience a cyberattack; it’s when.” Company leaders must be prepared to navigate these threats, giving up on the idea of playing Roulette.
The good news is that underwriters have created a policy for organizations specifically designed to cover cyberattacks, data breaches, and other electronic activities that cause financial harm. Cyber liability insurance protects businesses from third-party lawsuits relating to electronic activities. Plus, it provides many recovery benefits, so you’re not tackling the cleanup alone.
The question is, are you ready to manage hackers and cyber threats? Could your company recover quickly if a bad actor infiltrated your systems and network?
As the digital landscape evolves, it’s helpful to know your exposure and what’s at stake. We encourage you to use our Cyber Risk Management Guide as a benchmark to see how your company measures against real-world threats. Request access to the Guide today.