The hits just keep on coming in the world of headline-grabbing data breaches. Threat actors kept busy in 2022 and right on into the new year, with several notable data breaches already making news in 2023. Tech.co recently released a list highlighting some of the biggest data breaches from both years.
As the article notes, data breaches impact companies and organizations of all shapes, sizes, and sectors and cost victims millions of dollars in damages. “The widely-covered T-Mobile data breach that occurred last year,” the article reads, “cost the company $350 million in 2022 – and that’s just in customer payouts.” More than ever, it is imperative that businesses invest in technology to secure their networks, educate employees on the dangers of phishing and to create best practices around data protection.
Below is a summary of data breaches Tech.co compiled since January 1, 2022:
March 9 – US House of Representatives Data Breach
Impact: Healthcare related data related to 170,000 federal legislators and their families was sold online (the FBI may have purchased the data as part of its investigation).
Feb. 21 – Activision Data Breach
Impact: Sensitive employee data and content schedules were breached through a phishing attack.
Feb. 15 – Atlassian Data Breach
Impact: The personal data of staff, including names, email addresses, staff assignments and other employment information was breached after an employee’s credentials were mistakenly posted in a public repository.
Feb. 10 – Reddit Data Breach
Impact: Attackers gained access to internal documents, code, and internal dashboards and business systems as well as contact information for current and former employees.
Feb. 8 – Optus Data Breach Extortion Attempt
Impact: A blackmailer, who has since been arrested and sentenced to community service, tried to leverage data from a published data breach to blackmail customers.
Feb. 8 – Weee! Data Breach
Impact: The personal information of 1.1 million customers of this delivery service was exposed by threat actor Intelbroker.
Feb. 6 – Sharp HealthCare Data Breach
Impact: The personal information of more than 62,000 patients was exposed during an attack on the healthcare provider’s website, including Social Security numbers, health insurance data and health records.
Jan. 30 – JD Sports Data Breach
Impact: The personal information of as many as 10 million people may have been accessed by hackers — the company is advising customers to be vigilant about potential scam contacts.
Jan. 19 – T-Mobile Data Breach
Impact: The personal data of around 37 million customers was accessed by hackers starting in late November, 2022 through January 5, 2023.
Jan. 18 – MailChimp Data Breach
Impact: A social engineering attack led to the breach of data associated with 133 MailChimp accounts.
Jan. 18 – PayPal Data Breach
Impact: Stolen login credentials allowed access to an undisclosed number of PayPal customer accounts.
Jan. 6 – Chick-fil-A Data Breach
Impact: The company reported that it is investigating suspicious activity related to some customer accounts.
Jan. 4 – Twitter Data Breach
Impact: Twitter user data related to around 200 million twitter users was bought and sold throughout 2022 and into 2023 on the dark web. The data is still being leaked and sold.
Dec. 31 – Slack Security Incident
Impact: The company reported suspicious activity related to the company’s GitHub account, including a threat actor downloading private code repositories.
Dec. 15 – SevenRooms Data Breach
Impact: 400GB of sensitive data was stolen and published on a hacking forum, including files from big restaurant clients, promo codes, payment report, and API keys.
Dec. 1 – LastPass Data Breach
Impact: Customer information was accessed during a security breach, though no passwords were revealed.
Nov. 11 – AirAsia Data Breach
Impact: A ransomware attack orchestrated by “Daixin Team” involved the personal data of 5 million unique passengers and the company’s employees, including names, dates of birth, countries of birth, addresses, and “secret question” answers.
Nov. 1 – Dropbox Data Breach
Impact: 130 GitHub repositories were copied and API credentials were stolen via a fake CircleCI login page.
Oct. 26 – Medibank Data Breach
Impact: The health insurance data of nearly 4 million Australian patients was accessed by an unauthorized party.
Oct. 18 – Vinomofo Data Breach
Impact: The names, dates of birth, addresses, email addresses, phone numbers, and genders of nearly 500,000 customers may have been exposed during a cyber attack, according to the company.
Oct. 17 – MyDeal Data Breach
Impact: Data associated with 2.2 million customers was exposed when the company’s CRM system was compromised, including names, email addresses, telephone numbers, delivery addresses, and dates of birth.
Oct. 15 – Shein Data Breach
Impact: Shein’s parent company, Zoetop, was fined $1.9 million for its mishandling of a 2018 data breach, which exposed the personal information of nearly 40 million customers.
Oct. 11 – Toyota Data Breach
Impact: The email addresses and customer control numbers of nearly 300,000 T-Connect telematics customers were compromised.
Oct. 10 – Singtel Data Breach
Impact: The personal data of 129,000 customers and 23 businesses was illegally obtained in a cyber attack, including names, dates of birth, mobile numbers, and addresses.
Oct. 7 – Facebook Data Breach
Impact: Meta identified more than 400 malicious Android and iOS apps that target users with the goal of stealing their Facebook login credentials, including photo editors, games, VPN services, business apps, and other utilities.
Oct. 3 – LAUSD Data Breach
Impact: The Los Angeles Unified School District (LAUSD) was hit with a ransom attack; when the district failed to pay the ransom, the hacking group Vice Society leaked 500GB of data related to operations.
Sept. 23 – Optus Data Breach
Impact: In what was reported as a “massive” data breach, an unspecified number of subscribers had personal identifying information exposed to hackers; some customers’ physical addresses and documents like driver’s licenses and passport numbers were accessed, as well.
Sept. 20 – American Airlines Data Breach
Impact: A small number of customers’ personal data was exposed, including dates of birth, driver’s license and passport numbers and medical information.
Sept. 19 – Kiwi Farms Data Breach
Impact: The trolling/doxxing website was hacked and the site owner reported that all users should assume their password was stolen, their email address leaked and IP addresses collected.
Sept. 19 – Revolut Data Breach
Impact: The email addresses, full names, postal addresses, phone numbers, payment card data, and account data of more than 50,000 customers were likely exposed.
Sept. 18 – Rockstar Data Breach
Impact: Footage of the company’s unreleased Grand Theft Auto VI game was leaked by a hacker, who claims to also have the game’s source code. The origin of the breach is suspected to be related to social engineering, with the hacker accessing an employee’s Slack account.
Sept. 15 – Uber Data Breach
Impact: Reported as a “total compromise,” this attack included access to employee email, cloud storage, and code repositories, which were sent to security firms and The New York Times by the threat actor.
Sept. 14 – Fishpig Data Breach
Impact: Threat actors accessed a “backdoor” to access customer systems.
Sept. 7 – North Face Data Breach
Impact: Around 200,000 accounts were compromised in a credential-stuffing attack on the company’s website. Compromised information included full names, purchase histories, billing addresses, shipping information, phone numbers and gender.
Sept. 6 – IHG/Holiday Inn Data Breach
Impact: IHG reported unauthorized access to its network.
Sept. 3 – TikTok Data Breach Rumor
Impact: A Twitter user claimed to have stolen TikTok’s internal backend source code, but the company refutes the claim.
Sept. 2 – Samsung Data Breach
Impact: The company reported a cybersecurity incident involved unauthorized access to its networks and personal information exposure to the threat actors involved.
Aug. 29 – Nelnet Servicing Data Breach
Impact: 2.5 million student loan borrowers had their personal data exposed.
Aug. 27 – Facebook/Cambridge Analytica Data Breach Settlement
Impact: Meta agreed to settle a lawsuit alleging that Facebook illegally shared user data with Cambridge Analytica, which was used by political campaigns in the UK and the US in 2016.
Aug. 25 – DoorDash Data Breach
Impact: A phishing campaign resulted in authorized access to data associated with an undisclosed number of customer accounts.
Aug. 24 – Plex Data Breach
Impact: The company forced a password reset for all users after suspicious activity was detected on one of its databases.
Aug. 20 – DESFA Data Breach
Impact: Greece’s largest natural gas distributor reported a ransomware attack that allowed some files to be accessed.
Aug. 10 – Cisco Data Breach
Impact: The Yanluowang ransomware gang published stolen data; security experts speculate that the data was not of great importance, but that the threat actors were trying to establish credibility.
Aug. 5 – Twilio Data Breach
Impact: The data of 125 customers was accessed by hackers who tricked employees into handing over login credentials by posing as IT staff.
July – Uber Data Breach Cover-Up
Impact: Uber admitted that it suffered an enormous data breach in 2016 that impacted 57 million users. The company’s chief security was sent to trial for the breach and found guilty in October, 2022 — the first time an executive has been brought up on criminal charges related to a data breach.
July 22 – Twitter Data Breach
Impact: The company reported that the phone numbers and email addresses of 5.4 million accounts were accessed in January, 2022.
July 19 – Neopets Data Breach
Impact: The source code and database for the game’s website was put up for sale on an online forum, including the account information of 69 million users.
July 18 – Cleartrip Data Breach
Impact: Travel booking company Cleartrip, majority owned by Walmart, reported that its systems had been breached after hacked posted data to an invite-only dark web forum.
July 13 – Infinity Rehab and Avamere Health Services Data Breach
Impact: The personal data of nearly 400,000 patients was stolen from the two companies, including names, addresses, driver’s license information and more.
July 12 – Deakin University Data Breach
Impact: The personal information of 46,980 students was stolen and 10,000 students received scam text messages after the breach occurred.
July 5 – Marriott Data Breach
Impact: The personal information of 300-400 Marriott guests was stolen after a phishing attack.
June 29 – OpenSea Data Breach
Impact: A phishing attack led to the exposure of all customers’ email addresses.
June 17 – Flagstar Bank Data Breach
Impact: The private information of 1.5 million customers was exposed.
June 14 – Baptist Medical Center and Resolute Health Hospital Data Breach
Impact: The Social Security numbers, insurance information, and full names of an undisclosed number of patients was exposed.
July 11 – Choice Health Insurance Data Breach
Impact: The company notified customers that a human error led to the exposure of customer data.
June 7 – Shields Health Care Group Data Breach
Impact: The company reported that the Social Security numbers, patient IDs, home addresses, and information about medical treatments of two million people was stolen in March, 2022.
May 26 – Verizon Data Breach
Impact: Employee data, including names, email addresses, and phone numbers was stolen in a social engineering scam involving remote access.
May 23 – Texas Department of Transportation Data Breach
Impact: The personal records of more than 7,000 people were accessed by a hacker.
May 20 – Alameda Health System Data Breach
Impact: 90,000 individuals were impacted by a data breach after suspicious activity was detected on some employee email accounts.
May 17 – National Registration Department of Malaysia Data Breach
Impact: The personal data of 22.5 million Malaysians was exposed.
May 17 – Costa Rican Government Data Breach
Impact: Costa Rica declared a state of emergency when government servers were hacked by the Conti ransomware gang. Stolen data was published on the dark web.
May 7 – SuperVPN, GeckVPN, and ChatVPN Data Breach
Impact: Personal identifying information for 21 million users was leaked on the dark web.
April 4 – Cash App Data Breach
Impact: The customer names and brokerage account numbers of 8.2 million customers were breached.
April 4 – Emma Sleep Data Breach
Impact: Customer credit card information was skimmed in a “magecart attack.”
March 30 – Apple & Meta Data Breach
Impact: Hackers posing as law enforcement officers were able to access customer addresses, phone numbers, and IP addresses in mid-2021, according to reports.
March 26 – US Department of Education Data Breach
Impact: The personal data of 820,000 New York students was stolen, including demographic data, academic information, and economic profiles.
March 24 – Texas Department of Insurance Data Leak
Impact: The agency reported that a data security event involving personal identifying information associated with 1.8 million Texans occurred in January, 2022 that had been ongoing for about three years.
March 18 – Morgan Stanley Client Data Breach
Impact: A voice phishing (vishing) attack occurred in Feb. 2022, allowed the breach of accounts and transfer of payments into fraudulent accounts.
Feb. 25 – Nvidia Data Breach
Impact: Employee data related to 71,000 workers was leaked on the dark web.
Feb. 20 – Credit Suisse Data Leak
Impact: A whistleblower turned over information to a German publication related to 18,000 Credit Suisse accounts, showing that the company held accounts belonging to many high-profile criminals.
Jan. 20 – Crypto.com Data Breach
Impact: Around $30 million was stolen from 483 accounts after a data breach.
Jan. 19 – Red Cross Data Breach
Impact: The organization reported that the data of more than 515,000 “extremely vulnerable” people, including many fleeing from war zones, was stolen by hackers through a “complex” cyberattack.
Jan. 6 – Flexbooker Data Breach
Impact: 3.7 million accounts were breached and names, phone numbers, and addresses stolen.
Many of these attacks involved elements of ransomware, where threat actors extorted funds from victims. Learn more about ransomware and how the MixMode platform applies third-wave AI technology to combat the disturbing rise in this cybercrime tactic.