A Year in Review: The Most Notorious Data Breaches of 2023
In an era where data security is paramount, TechCrunch has spent the past few years revisiting some of the most poorly handled data breaches and security incidents. The hope? That other corporate giants might learn from these mistakes. Unfortunately, this year’s list showcases a new class of companies repeating old errors, with some noteworthy (dis)honorable mentions you may have missed.
- 23andMe: The genetic testing titan suffered a major breach, compromising the genetic and ancestry data of nearly 7 million customers. Hackers accessed thousands of accounts by brute force, scraping data on millions more. Despite eventually implementing multi-factor authentication, it was too little, too late. Instead of taking responsibility, 23andMe shifted the blame to users for not securing their accounts adequately, a move criticized as “nonsensical” by attorneys representing affected users. The breach led to investigations by U.K. and Canadian authorities, layoffs affecting 40% of its staff, and an uncertain future for both the company and its vast customer data bank.
- Change Healthcare: This lesser-known healthcare tech company became infamous after a cyberattack in February forced it to shut down its entire network. The outage disrupted the U.S. healthcare system significantly, as Change processes one-third to half of all U.S. healthcare transactions annually. The breach resulted from compromised basic user accounts lacking multi-factor authentication. Criticism ensued over the company's handling of the situation, culminating in a $22 million ransom payment and another ransom to delete stolen data. Ultimately, over 100 million individuals had their private health information compromised in what was one of the biggest healthcare data breaches recorded.
- Synnovis: A ransomware attack on this London-based pathology service provider in June left patients in southeast London unable to access blood tests for more than three months. Experts suggest that two-factor authentication could have prevented this attack. Synnovis staff faced immense pressures during this period, leading to a planned strike by Unite, the UK’s leading trade union.
- Snowflake: This cloud computing giant found itself embroiled in mass hacks targeting corporate customers like AT&T and Ticketmaster. Hackers were able to log in with stolen credentials because Snowflake did not require multi-factor authentication. This incident forced Snowflake to roll out multi-factor authentication by default.
- City of Columbus: Over the summer, a cyberattack exposed residents’ sensitive data, including Social Security numbers and arrest records. Although city officials initially reassured residents that stolen data was “either encrypted or corrupted,” evidence surfaced proving otherwise. The city faced backlash for attempting to silence a researcher who discovered the breach.
- Telecommunications Breach: Salt Typhoon hackers accessed real-time communications metadata from senior U.S. politicians through wiretap systems mandated by CALEA law — revealing vulnerabilities that led to advisories for U.S. citizens to use encrypted messaging apps.
- MoneyGram: September saw a cyberattack on MoneyGram leading to stolen customer data including Social Security numbers and transaction information. Despite widespread outages and eventual disclosure of the breach’s extent, MoneyGram has yet to fully inform its affected customers.
- Hot Topic: In October, a breach affecting 57 million customers took place at retail giant Hot Topic — one of the largest retail data breaches ever — yet has gone publicly unaddressed by the company.
- AT&T: Early in the year, AT&T had over 73 million customer records leaked online due to weak encryption practices. This prompted a massive reset of account passcodes for millions of customers.
- Cybersecurity Companies: Even cybersecurity firms like Avaya and Check Point were fined $6.9 million collectively for mishandling their breaches linked to the SolarWinds espionage attack.
- Spyware Apps: Spyware providers like pcTattletale and mSpy suffered significant breaches that exposed user data, underscoring ongoing privacy concerns surrounding digital surveillance tools.
- Evolve Bank: The LockBit ransomware gang hacked Evolve Bank in May, exposing sensitive financial data on approximately 7.6 million people — highlighting vulnerabilities within financial institutions dealing with emerging fintech companies.
“In today’s digital landscape, ensuring robust cybersecurity measures is not just an option; it’s a necessity.” – Cybersecurity Expert
This year has served as a stark reminder that robust cybersecurity measures are non-negotiable in our increasingly digital world. As companies navigate these challenging waters, let’s hope they learn from these incidents and prioritize protecting user data as we move forward into another year.