20 January, 2023
Top 20 IT Security Breaches in 2022
Cyberattacks have continued to grow in sophistication, with increasing financial impact every year, and 2022 was no exception. The impact of the security breaches experienced in 2022 was worse than in any previous year to date. For instance, the global average total cost of a data breach was $4.35M, while for US companies the average cost of a data breach reached $9.44M.
The healthcare industry has had the highest data breach cost across different industries for 12 years in a row. The average total cost of a breach in the healthcare industry reached a stunning $10.1M in 2022. According to Verizon’s Data Breach Investigations Report, credentials, phishing, botnets, and exploiting vulnerabilities were primary attack vectors in 2022. The extent of damage due to these cyberattacks continued to increase for breached organizations, as billions of sensitive personal data records were stolen and millions of individuals affected.
As security teams focus on protecting IT assets in an uncertain cyberspace and preventing breaches in 2023, we must take a look at major incidents from the last year and glean the lessons learned.
Security Risks Revealed in 2022
In the last year, attackers largely targeted insecure code development, phishing, accounts on GitHub, and unaddressed third-party security risks. Security gaps and user errors have continued to be the leading causes of data breaches. It has become crucial for businesses to understand that security awareness is a must for everyone from the receptionist to the DevOps teams. Otherwise, the “human element” in cybersecurity will continue to be targeted by attackers via phishing, spear-phishing, and advanced persistent threats (APTs).
- Insecure Code
- Third-Party Security
- Undetected Security Gaps
An increasing number of breaches stem from insecure code that is not tested adequately before deployment. For example, a zero-day vulnerability affected 5.4M Twitter user accounts. The vulnerability was reported to Twitter on January 01, 2022, and remediated by January 13, 2022. However, this window of thirteen days was sufficient for the malicious actor to read the threat hunter’s report and successfully steal sensitive user data such as phone numbers and email addresses. Ideally, application penetration testing would have discovered this vulnerability around Twitter’s June 2021 code update, before the code was deployed.
Ransomware, one of the most common types of malware, prevents users from accessing their devices and data until the demanded ransom is paid. Once the payload is executed on a user’s system, the stored data is encrypted and becomes inaccessible. As attackers’ tactics, techniques, and procedures (TTPs) have evolved, ransomware-as-a-service and initial access brokers have proliferated on the dark web, leading to more ransomware attacks in 2022. For example, in March 2022 Toyota had to shut down operations across 14 production plants for one day due to a ransomware attack on one of its suppliers, which cut the company’s global output by one-third.
One notable highlight: after years of upward trend, ransomware payments fell by over 40% in 2022 compared to 2021, according to new research. Victim payments to ransomware crime gangs dropped to $456.8M in 2022 from $765.6M in 2021. Industry experts speculate that organizations are better prepared for ransomware attacks, as they leverage system and data backups to recover, along with other security methods. Concurrently, the 2021 advisory from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), which states that organizations paying ransomware criminals will face sanctions, has also helped stop companies from meeting extortion demands.
More often than not, third-party vendors are the weak link in an organization’s security posture, as they may not have the same level of defenses in place. An attack on a third party can expose an organization’s data. The number of cyberattacks on the supply chain increased in 2022. The Toyota breach demonstrates how devastating a supply chain attack can be for an organization. Meanwhile, the digital supply chain was also attacked in 2022, with popular security vendors, such as Okta, LastPass, and GitHub, reporting breaches. The focus on third-party security and careful due diligence for external vendors has never been more important.
Without proper security measures, such as testing and patch management of connected systems and environments, a significant cyberattack is inevitable. Misconfigured cloud environments, known vulnerabilities left unpatched, and excessive privileged access without the required checks have also contributed to the rise in IT security breaches in 2022.
Top 20 IT Security Breaches in 2022
- OneTouchPoint
- Advocate Aurora Health
- Nelnet Servicing
- WhatsApp
- Uber
- Connexin Software
- Shields Health Care Group
- Solana
- Twilio
- DoorDash
- Toyota
- Professional Finance Company
- Baptist Medical Center
- LastPass
- TransUnion
- American Airlines
- Cloudflare
- MailChimp
- The North Face
- Sequoia
OneTouchPoint is a US company based in Wisconsin and is identified as a “Business Associate” under the Health Insurance Portability and Accountability Act (HIPAA). According to the company’s disclosure to the Office for Civil Rights (OCR) on July 27, 2022, 4.1M individuals were affected by a hacking incident on the company’s network server. According to researchers, the threat actor was able to access encrypted files on OneTouchPoint’s server and stole names, member IDs, and protected health information (PHI) provided to doctors at appointments.
Advocate Aurora Health is a U.S. non-profit healthcare company headquartered in Illinois with more than 25 hospitals and 500 sites of care. As disclosed to OCR on October 14, 2022, 3M individuals were affected by unauthorized access to patients’ electronic medical records (EMRs). Sensitive information such as physical location, IP address, name, and PHI was exposed to third-party vendors. The primary cause of this data breach was tracking code snippets called “pixels” provided by companies such as Google and Meta.
Nelnet Servicing is a U.S.-based company headquartered in Nebraska that offers educational services in loan servicing, education planning, and payment processing. Nelnet’s services, including a web portal, are used by EdFinancial and the Oklahoma Student Loan Authority (OSLA). Reports claim that the hackers exploited an existing vulnerability and compromised Nelnet’s network. In this security incident, the full name, physical address, email address, phone number, and social security number of more than 2.5M individuals were exposed. Per the company’s disclosure report submitted to the Office of the Maine Attorney General, the breach occurred between June 01, 2022, and July 22, 2022, and was discovered on August 17, 2022. Affected individuals were subsequently notified on August 26, 2022.
On November 16, 2022, a threat actor put the mobile numbers of 487M WhatsApp users up for sale on a well-known hacking forum. This dataset belonged to users from 84 countries, with researchers estimating that those affected included 32M users from the U.S., 45M from Egypt, 35M from Italy, and 29M from Saudi Arabia. Reportedly, the hacker was selling the U.S. dataset for $7,000. It is believed that the hacker might have obtained this information through data scraping, which is against WhatsApp’s Terms of Service.
Uber, a leading ride-hailing service provider, suffered a massive breach in September 2022 when a hacker obtained a “golden ticket,” meaning administrative-level access to everything. The hacker even notified Uber directly on its internal Slack workspace. After obtaining an employee’s credentials through a phishing email, the hacker secured access to Slack, the SentinelOne dashboard, and an AWS account. The hacker spammed the employee with 2FA push notifications, then impersonated Uber’s IT team and contacted the employee directly. The employee accepted the authentication request, and the hacker successfully enrolled their own device for 2FA. While the extent of the actual damage is unknown, Uber’s public statement on September 16, 2022, stated that the incident did not involve access to sensitive user data, that law enforcement had been notified, and that all services were operating as expected.
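The Uber incident follows a recognizable pattern in authentication logs: a burst of MFA push prompts to one user, an eventual approval, and then a new MFA device enrolled shortly afterwards. The following detector, added here as an illustration and not taken from Uber or the original article, runs over a constructed log sample; the event names and the thresholds (five pushes in ten minutes) are assumptions to be mapped onto your own identity provider's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): "<ISO timestamp> <user> <event>"
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice MFA_PUSH_SENT
2022-09-15T22:01:20Z alice MFA_PUSH_DENIED
2022-09-15T22:01:45Z alice MFA_PUSH_SENT
2022-09-15T22:02:10Z alice MFA_PUSH_SENT
2022-09-15T22:02:30Z alice MFA_PUSH_DENIED
2022-09-15T22:03:05Z alice MFA_PUSH_SENT
2022-09-15T22:03:50Z alice MFA_PUSH_SENT
2022-09-15T22:04:20Z alice MFA_PUSH_SENT
2022-09-15T22:09:00Z alice MFA_PUSH_APPROVED
2022-09-15T22:11:30Z alice MFA_DEVICE_ENROLLED
2022-09-15T22:05:00Z bob MFA_PUSH_SENT
2022-09-15T22:05:15Z bob MFA_PUSH_APPROVED
2022-09-15T23:00:00Z carol MFA_PUSH_SENT
2022-09-15T23:00:30Z carol MFA_PUSH_SENT
2022-09-15T23:01:00Z carol MFA_PUSH_SENT
2022-09-15T23:01:30Z carol MFA_PUSH_SENT
2022-09-15T23:02:00Z carol MFA_PUSH_SENT
2022-09-15T23:02:30Z carol MFA_PUSH_DENIED
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, event) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)


def detect_push_fatigue(events, max_pushes=5, window=timedelta(minutes=10)):
    """Flag users who received at least `max_pushes` MFA pushes within `window`.

    For each flagged user, record whether a push was approved during or shortly
    after the burst and whether a new MFA device was enrolled after that approval
    (the sequence that turns push fatigue into a persistent account takeover).
    """
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    findings = {}
    for user, evs in by_user.items():
        pushes = [ts for ts, ev in evs if ev == "MFA_PUSH_SENT"]
        for i, start in enumerate(pushes):
            burst = [p for p in pushes[i:] if p - start <= window]  # sorted, so contiguous
            if len(burst) < max_pushes:
                continue
            burst_end = burst[-1]
            approved = next((ts for ts, ev in evs if ev == "MFA_PUSH_APPROVED"
                             and start <= ts <= burst_end + window), None)
            enrolled = approved is not None and any(
                ev == "MFA_DEVICE_ENROLLED" and approved <= ts <= approved + window
                for ts, ev in evs)
            findings[user] = {"pushes": len(burst), "approved": approved, "new_device": enrolled}
            break  # one finding per user is enough for an alert
    return findings


if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

A burst with no approval (carol) still merits a check-in with the user, while a burst followed by approval and a new device (alice) should be treated as a probable takeover.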
Connexin Software is a U.S.-based software development company headquartered in Pennsylvania that offers products for electronic medical records and patient management systems. The company does business as Office Practicum and is identified as a “Business Associate” under HIPAA. According to the OCR disclosure on November 11, 2022, 2.2M individuals were affected by a hacking incident on the company’s network server. Around 120 pediatric physician practices were impacted by this breach. A subsequent investigation revealed that a threat actor gained unauthorized access to an offline patient data set used for data conversion and troubleshooting. The exposed PHI included social security numbers, billing and claims information, treatment information, health insurance details, and demographics.
Shields Health is a surgical and MRI/CT scan services provider located in Quincy, Massachusetts. Like Connexin, it is identified as a “Business Associate” under HIPAA. The company disclosed to OCR on May 27, 2022, that 2M individuals were affected by a hacking incident on its network server. The hackers accessed the company’s systems from March 07, 2022, to March 21, 2022, exposing patient information that included full name, social security number, address, date of birth, provider information, billing information, diagnosis, health insurance details, and patient ID, among others. Since Shields Health partners with hospitals and medical centers, more than 50 medical facilities were affected.
Solana is a high-performance blockchain that allows creators to develop scalable crypto apps. In August 2022, more than 8,000 wallets on Solana were affected, resulting in a loss of $8M to the wallet owners. An initial investigation found that this incident was caused by a vulnerability in the Slope mobile wallet app. The incident affected wallet addresses created, imported, or used in Slope’s mobile applications. Other wallets on Solana remained unaffected, as did Slope’s hardware wallets. In one of its tweets, Solana’s Twitter account stated that there was no evidence of the incident impacting the Solana protocol or its underlying cryptographic mechanisms.
Twilio is a U.S.-based provider of communication APIs for SMS, voice, video calls, and authentication, headquartered in California. The company acknowledged that hackers used social engineering to trick employees into sharing their login credentials. The hackers accessed the data of 125 Twilio customers; Twilio’s customer base exceeds 150,000 corporate entities, including Facebook and Uber. The hackers deceived multiple Twilio employees through a smishing campaign. “Smishing” is a type of phishing campaign that uses SMS text messages, in this case messages that appeared to come from Twilio’s IT department.
DoorDash is a food delivery giant headquartered in San Francisco, California. On August 25, 2022, the company acknowledged in a public statement that one of its vendors had been compromised in a sophisticated phishing attack. The threat actor accessed DoorDash’s internal tools through the stolen credentials of vendor employees. The company acknowledged that the hacker could access names, email addresses, phone numbers, and delivery addresses. Basic order and partial payment card information were also accessed for a smaller set of consumers. This incident is linked to the same hacking group that successfully targeted Twilio. Moreover, this is not the first time the company has become a data breach victim due to unauthorized access via a third-party service provider. In 2019, 4.9M customers, delivery executives, and restaurants were compromised because a third-party service provider had recently experienced an IT security breach.
Toyota, the second biggest global automaker by revenue, suffered a data breach in October last year due to a security lapse by a third-party contractor. One of Toyota’s website development subcontractors mistakenly published part of the company’s source code on its public GitHub account. A hacker obtained credentials for one of Toyota’s servers and accessed email addresses and customer management information for more than 296,000 customers. However, it appears that Toyota had a stroke of luck, as the source code was published in December 2017, and the access key had remained publicly exposed for close to 5 years.
Based in Colorado, Professional Finance Company (PFC) is a leading accounts receivable management company in the U.S. The company identifies healthcare providers as one of its leading customer bases and is a “Business Associate” under HIPAA. On July 01, 2022, it disclosed to OCR that it had become the victim of a hacking incident on its network. According to news outlets, the company was hit by a ransomware attack in February, and more than 650 healthcare providers were affected. The hackers stole the patient names, addresses, account information, and outstanding balances of 1.91M individuals. The hacker also accessed social security numbers, dates of birth, and treatment information for a subset of those individuals.
Established in 1955 in Florida, Baptist Health is a healthcare service provider with 50+ primary care offices and five hospitals in the U.S. In its OCR disclosure on June 15, 2022, the non-profit company submitted that more than 1.6M individuals were affected by an IT incident on its network. The medical center stated that the breach was discovered on April 20, 2022, when systems were found to be infected with malicious code. The threat actor accessed IT systems containing personal information such as social security numbers, health insurance information, and medical information. Later that year, on August 15, 2022, Baptist Medical Center was reportedly one of the hospitals affected by a data breach at Conifer Revenue Cycle Solutions, a revenue cycle management company.
LastPass is a renowned password management application with over 33M individual users and 100,000 enterprise customers. In late August 2022, the company’s CEO acknowledged that an unauthorized party had accessed its development environment after compromising a developer account. The hacker stole parts of the source code and proprietary technical information. On December 22, 2022, a blog update detailed that the hacker had used the data stolen in the August breach to target another employee and steal their account credentials and keys. These keys included a cloud storage access key and dual storage container decryption keys. As a result, the hacker could retrieve customer information from the backup. The information exposed in this data breach included user names, billing information, email addresses, IP addresses, and telephone numbers.
TransUnion is one of the three major credit bureaus in the U.S. On November 07, 2022, the company reported the data breach incident to the Massachusetts Attorney General’s Office. The company reported that a threat actor accessed sensitive personal information such as names, social security numbers, driver’s license numbers, and account numbers. Like Equifax after its 2017 breach that affected 147M U.S. customers, TransUnion now faces a class-action lawsuit, filed less than a month after the breach report, which disclosed that 200M U.S. customers were affected. Considering that TransUnion collects financial information on over 1 billion individuals around the world, this is unlikely to be the last time it makes the IT security headlines.
American Airlines is one of the major airlines in the U.S. The airline became a data breach victim after a threat actor accessed multiple employee accounts through a phishing attack. The company discovered the data breach on July 05, 2022, and swiftly secured the impacted email accounts. On September 26, 2022, the company sent a legal notice to the Office of the New Hampshire Attorney General. The notice states that the threat actor used the IMAP protocol to facilitate the takeover of one employee’s email account, which was then used to send phishing emails to other employee accounts. The information exposed in this breach includes personally identifiable information (PII) such as name, date of birth, address, phone number, email address, driver’s license number, passport information, and medical information provided by customers.
Following the Twilio incident, Cloudflare disclosed a couple of weeks later that its employees’ credentials had also been stolen in an SMS phishing attack similar to the one against Twilio. While the attackers obtained employee credentials, they could not escalate privileges or move laterally onto internal IT systems, because they did not have the company-issued hardware security keys. As a result, the threat actors were blocked from logging in to employee accounts.
MailChimp, a popular email service provider, became the victim of two data breaches in 2022. At the time of writing this article, the email marketing company had suffered its third breach in twelve months. In the first incident, in April 2022, hackers compromised an internal company tool used by customer support and account administration teams to gain access to MailChimp customer accounts. This access was made possible by a successful social engineering attack. Before the necessary actions were taken, the threat actor accessed the data of 300 MailChimp accounts and successfully exported audience data from 102 accounts. In the second incident, in August 2022, attackers once again used phishing and social engineering to target company employees. This time, the attackers targeted over 214 MailChimp accounts related to the cryptocurrency and finance industries.
The North Face is a popular U.S.-based outdoor clothing retailer headquartered in California. In September 2022, the company faced a credential-stuffing attack that compromised over 194,000 accounts. In a credential stuffing attack, attackers use login information from previous data breaches to compromise accounts whose owners reuse the same login credentials across different websites. While the company detected unusual activity on August 11, 2022, the attack started on July 26, 2022. The PII exposed in this data breach included full name, phone number, gender, purchase history, billing and shipping addresses, loyalty points, and account creation date.
Sequoia is a leading outsourced HR and payroll management services company. Its fintech services are widespread across the globe, and in the US it works with more than 500 venture-backed companies. In its breach report filed with the Office of the Attorney General for California, the company disclosed that a threat actor might have accessed its cloud storage system for two weeks between September 22, 2022, and October 06, 2022. The information exposed in this breach included both PII and PHI: names, addresses, dates of birth, gender, marital status, employment status, government identity cards, social security numbers, and COVID-19 test results. The company declined to comment on how the security incident happened or on the number of individuals affected.
Breach Prevention Strategies in 2023
There is only one certainty in the ever-evolving cyberspace: threat actors continue to evolve their methods and sophistication. As seen in these incidents from the last year, phishing attacks, third-party security risks, insecure code deployment, and exploitation of existing vulnerabilities are common themes.
To prevent breaches in 2023, organizations can take a proactive, two-pronged approach.
- First, they should review their security training programs for employees and check whether they are effective.
- Second, organizations should opt for proactive, on-demand penetration testing integrated with vulnerability and patch management programs.
This is where BreachLock, the global leader in Pen Testing as a Service (PTaaS), can augment your in-house teams and extend your security tech stack’s capabilities. PTaaS gives you controls so you can test early, often, and as needed – you can start your next pentest in one business day. With BreachLock’s cloud platform powered by AI, you’ll experience accelerated pentest results that are validated by certified hackers with years of offensive security expertise. Our proprietary methodology gives you penetration testing at half the cost, delivered in half the time, when compared to other pentesting companies – without the false positives or third-party security risks. Schedule a discovery call today, and see how PTaaS can work for your organization.