Welcome to our 2023 data breaches and cyber attacks page, where you can find an overview of the year’s top security incidents, as well as links to individual blogs about each month’s security news.
IT Governance is dedicated to helping organisations tackle the threat of cyber crime and other information security weaknesses. We offer a variety of resources to help understand and mitigate threats, from training courses and consultancy services to free guides.
Top data breach stats for 2023
Number of incidents in 2023: 2,814.
Number of breached records in 2023: 8,214,886,660.
Top ten data breaches in 2023
|Known records breached
|Month of public disclosure
|Real Estate Wealth Network
|Construction/ real estate
|Indian Council of Medical Research (ICMR)
|IT services/ software
|IT services/ software
|IT services/ software
|Dori Media Group
|SAP SE Bulgaria
|IT services/ software
*For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
Month-by-month breakdown of 2023’s data breaches and cyber security incidents
You can find each month’s top three breaches, and links to blog posts covering each month’s news, below.
In October 2023, we changed the way we record and analyse each month’s incidents, which provides more insight into security trends around the world. However, it is worth noting that this might cause some minor discrepancies in our annual figures, caused by our methodology changing part-way through the year.
Also from October, you can download a free Data Breach Dashboard – a one-page summary of the month’s key findings.
Note that in November 2023, we improved our incident-finding processes, enabling us to find more publicly disclosed incidents. This has further improved the accuracy and reliability of our data, but also means that we’re likely to see an increase in the number of incidents we can report on that’s not solely down to more organisations suffering a breach.
Biggest data breaches and cyber attacks in December 2023
Number of incidents in December 2023: 1,351.
Number of breached records in December 2023: 2,241,916,765.
You can find more information about the month’s incidents here: Global Data Breaches and Cyber Attacks in December 2023 – 2,241,916,765 Records Breached.
December’s three biggest breaches were:
The security researcher Jeremiah Fowler discovered an unprotected database exposing more than 1.5 billion records containing property ownership data related to millions of people. The logging records indicated that the files belonged to the New York-based company Real Estate Wealth Network. Fowler contacted the company, which secured the database.
According to Fowler, the exposed data included information on property owners, sellers, investors, internal user logging data, and more. The property owners allegedly included numerous celebrities, whose street address; purchase price and date; mortgage company; mortgage loan amount; tax ID numbers; taxes owed, paid or due; and other information was available.
Data breached: 1,523,776,691 records.
TuneFab – a platform that converts music from popular streaming platforms, including Spotify, Apple Music, YouTube and Audible, to other formats – has exposed more than 151 million data records, including users’ IP addresses, user area, user IDs, emails and device information.
The security researcher Bob Diachenko identified the leak in September and contacted TuneFab, which fixed the misconfiguration within 24 hours.
Data breached: >151,000,000 records.
The MalekTeam Group claims to have destroyed more than 100 TB of data from Dori Media Group, an international group of media companies in Israel, Switzerland, Argentina, Spain and Singapore. The group is threatening to leak the exfiltrated data.
Data breached: >100 TB.
Biggest data breaches and cyber attacks in November 2023
Number of incidents in November 2023: 470.
Number of breached records in November 2023: 519,111,354.
Our research found 470 publicly disclosed security incidents in November 2023, accounting for 519,111,354 compromised records, bringing the year’s total to nearly 6 billion.
You can find more information about the month’s incidents, as well as our new Data Breach Dashboard, here: Data Breaches and Cyber Attacks in November 2023 – 519,111,354 Records Breached.
November’s three biggest breaches were:
The popular parental control app Kid Security, which allows parents to monitor and control their children’s online safety, exposed user activity logs to the Internet for more than a month via misconfigured Elasticsearch and Logstash instances.
The security researcher Bob Diachenko of SecurityDiscovery first identified the exposed information in mid-September. According to CyberNews, more than 300 million data records were compromised, including 21,000 telephone numbers and 31,000 email addresses. Some payment card data was also exposed.
It also appears that the data was accessed: the Readme bot “partially destroyed” the open instance, injecting a ransom note with a bitcoin wallet address to send a payment to in exchange for the files.
Data breached: more than 300 million records.
Researchers from Aqua Nautilus have discovered Kubernetes Secrets – objects that contain small amounts of sensitive data, such as passwords, tokens or keys – relating to hundreds of organisations exposed to the Internet in public GitHub repositories.
Among those affected was SAP SE. The researchers discovered credentials that provided access to 95,592,696 artefacts, as well as download permissions and some deploy operations. They notified SAP SE, which responded “in the most professional and efficient manner”, remediating the issue, launching an investigation and maintaining communications with Aqua Nautilus.
Data breached: 95,592,696 records/artefacts.
TmaxSoft, an IT company in South Korea, has exposed 2 TB of data to the Internet via a Kibana dashboard for more than two years. The data contains more than 56 million records, some of which are duplicates.
Most of the leaked data is company information and emails, but includes employee names, phone numbers, employment contract numbers and emails, as well as email attachments, metadata and other sensitive information that could be exploited in supply chain attacks.
The dashboard was first spotted in June 2021.
Data breached: more than 56 million sensitive records.
Biggest data breaches and cyber attacks in October 2023
Number of incidents in October 2023: 114.
Number of breached records in October 2023: 867,072,315.
According to our research, there were 114 publicly disclosed security incidents in October 2023, accounting for 867,072,315 compromised records, bringing the year’s total to over 5 billion.
You can find more information about the month’s incidents, as well as our new Data Breach Dashboard, here: Data Breaches and Cyber Attacks in October 2023 – 867,072,315 Records Breached.
October’s three biggest breaches were:
Date of breach: 9 October 2023
Breached organisation: The ICMR (Indian Council of Medical Research)
Incident details: The personal data of 815 million Indian residents, apparently exfiltrated from the ICMR’s Covid-testing database, was offered for sale on the dark web earlier this month. According to the security company Resecurity, which discovered the listing, the data included victims’ name, age, gender, address, passport number and Aadhaar number (a 12-digit government identification number).
Records breached: 815,000,000
Date of breach: 2 October 2023.
Breached organisation: 23andMe, a consumer genetics and research company headquartered in California, US.
Incident details: Credential stuffing attacks, initially resulting in 1 million data packs of Ashkenazi Jews leaked on a hacking forum, to which an additional 4.1 million genetic data profiles of UK and German residents have now been added. As the threat actor claims to have 20 million 23andMe data records in their possession, further data leaks are likely.
Records breached: 20,000,000
Date of breach: Discovered on or just before 25 October 2023, but unclear how long the database was unprotected.
Breached organisation: Medical diagnostic company Redcliffe Labs, based in India.
Incident details: A security researcher discovered a non-password-protected database and notified the company, which restricted public access that same day. We don’t know whether the data has been criminally exfiltrated.
Records breached: 12,347,297 medical records (7 TB).
Biggest data breaches and cyber attacks in September 2023
See the full list of data breaches for September 2023
September saw the biggest data breach of the year by far, when the digital risk protection company DarkBeam exposed an astounding 3.8 billion records thanks to a misconfigured Elasticsearch and Kibana interface.
Elsewhere, the effects of the MOVEit Transfer breach are still being felt.
The three elements of information security are confidentiality, integrity and availability. In other words, data has to be reliable and up to date, and accessible only to those who need it.
Instances of data being exposed to the Internet – more often than not via configuration errors – clearly breach the confidentiality principle, but are often viewed as somehow less serious than information that’s made its way into criminals’ possession via sophisticated cyber attacks or phishing campaigns, as if human error is less of an issue than criminal hacking.
This is, of course, an erroneous position to take. Search engines such as Shodan – theoretically, at least – let anyone find anything that’s connected to the Internet, not just websites that are indexed by Google. This, obviously, includes opportunistic criminals as well as civic-minded security researchers who identify exposed services and warn their operators.
This brings us to DarkBeam.
According to Cybernews, the CEO of SecurityDiscovery, Bob Diachenko, discovered on 18 September that the digital risk protection firm DarkBeam had “left an Elasticsearch and Kibana interface unprotected, exposing records with user emails and passwords from previously reported and non-reported data breaches”.
Diachenko informed DarkBeam, which closed the vulnerability immediately.
Although most of the 3.8 billion exposed data records come from previous data breaches, ironically having been assembled by DarkBeam in order to alert its customers to security incidents affecting their personal information, the extent of the information held by DarkBeam, as well as the way it was organised, means anyone who managed to access it has the opportunity to create very plausible phishing campaigns.
It’s not yet known whether anyone did access it but, as Benjamin Franklin said, distrust and caution are the parents of security. So, it’s worth checking your credentials via haveibeenpwned.com and taking the usual precautions, such as changing your password where it’s been reused, implementing multifactor authentication where possible and not clicking on any links unless you’re absolutely sure of their source.
As with last month (see below), victims of the MOVEit breach are still coming forward, among which the most significant – at least in terms of the number of individual victims – was Better Outcomes Registry & Network, which discovered that “personal health information of approximately 3.4 million people – mostly those seeking pregnancy care and newborns who were born in Ontario between January 2010 and May 2023” had been compromised.
Other recently identified MOVEit victims include:
- Microsoft’s healthcare technology company Nuance, which issued a breach notice on behalf of 13 healthcare organisations;
- The National Student Clearinghouse, which issued a data breach notification on behalf of 900 schools; and
- CareSource – a Medicaid and Medicare plan provider – which reported that information relating to 212,193 people was exposed.
The scale of the MOVEit breach remains unquantified, but some estimates now put the number of affected organisations at over 2,000 and the number of individual victims at over 60 million.
It’s likely that we’ll continue to see breach disclosures related to MOVEit Transfer in the weeks and months to come.
3. Undisclosed restaurant database
The personal information of 2.2 million Pakistani citizens, including their contact numbers and credit card details, has been offered for sale online on the dark web for 2 Bitcoin. The data was apparently compromised when criminal hackers accessed a database used by more than 250 restaurants.
Indolj – a popular food ordering app – has taken the step of denying any involvement, saying in a press release reported by Pro Pakistani: “We have conducted a detailed audit of the sample data and determined that the data records do not match the current transactional records of customers on the Indolj platform. Furthermore, Indolj does not store any credit card or payment-related information and therefore it is impossible for any customer payment data to be breached from our platform.”
According to Geo News, the criminals provided a sample of the stolen data as part of their online listing, while naming “dozens of food outlets”.
However, having analysed the available data, the security company CTM360 confirms Indolj’s analysis. In a comment published by Pro Pakistani, the company claims that the data in fact comes from a 2022 leak, and says it will continue to monitor the post “and will notify impacted organizations urgently if any credible data is released”.
Biggest data breaches and cyber attacks in August 2023
See the full list of data breaches for August 2023
The ongoing fallout from May’s MOVEit Transfer breach continues to dominate the news, with one large breach of particular interest this month: the French unemployment agency Pôle emploi (10 million breached records). However, as 12 of this month’s data breaches relate to MOVEit Transfer, we’ve grouped them together in this round-up.
1. UK Electoral Commission
On 8 August, the Electoral Commission issued a public notification of what it called a “complex cyber-attack” in which “hostile actors” gained access to the UK’s electoral registers, which contain an estimated 40 million people’s personal information.
According to the statement, the Commission identified the incident in October 2022 after detecting suspicious activity on its systems that dated back to August 2021.
Attackers were able to access Electoral Commission servers that held emails, control systems and reference copies of the electoral registers of those registered to vote in the UK between 2014 and 2022, as well as overseas voters.
Electoral registers contain voters’ names, addresses and the date on which they achieve voting age that year.
Personal data contained in the Commission’s compromised email system included names, email addresses, home addresses and telephone numbers, as well as other personal data that might have been submitted as part of webforms or emails.
However, it seems that the cyber attack might not have been as “complex” as the Commission initially suggested: a whistleblower has told the BBC that the Commission had failed a Cyber Essentials audit around the time the attackers gained access to its systems.
Although there’s no evidence to suggest that the attackers exploited any vulnerability associated with this audit failure, the failure itself is indicative that security at the Commission was not what it ought to have been.
This seems to be borne out by the security researcher Kevin Beaumont, who explains on doublepulsar.com that the Commission was known to have been running an unpatched version of Microsoft Exchange Server that was vulnerable to ProxyNotShell attacks at the time of the incident.
The Cyber Essentials scheme is a government-backed framework supported by the National Cyber Security Centre. It sets out five basic cyber security controls that organisations can implement to protect themselves from around 80% of common cyber attacks, including patch management – in other words, ensuring software, apps and operating systems are kept up to date.
It’s very much a base level of cyber security that every organisation should comply with as a matter of course.
The Commission has confirmed that it has still not passed.
2. Pôle emploi
The fallout from May’s MOVEit breach, which saw the Russian Cl0p gang exploit a zero-day SQL injection vulnerability in Progress Software’s popular file transfer app MOVEit Transfer, continues.
This month, the French unemployment agency, Pôle emploi, has the dubious honour of having the most breached records thanks to the MOVEit breach (10 million), according to research by the security company Emsisoft.
[7 September EDIT: Emsisoft now seems to have removed Pôle emploi from its list of MOVEit victims. Whatever the cause of the breach, Pôle emploi retains second place in this month’s top three biggest breaches.]
The full extent of the MOVEit breach is unlikely to be determined for many months, but more than 1,000 organisations are now known to have been caught up in the breach, with over 60 million individuals affected, making it the largest breach of the year so far.
The US government contractor Maximus, which appears twice in this month’s list thanks to contracts with two organisations that published data breach notifications in August, was one of the worst affected, with as many as 11 million breached records, according to an 8-K filing it made to the SEC in late July.
Other organisations that were found to have been affected by the MOVEit breach this month were:
- Colorado Department of Health Care Policy and Financing
- Bank OZK
- Unum Group
- Indiana University Health
- Missouri Department of Social Services
- United Bank
- UMass Chan Medical School
- Data Media Associates
- Hillsborough County
3. University of Minnesota
The University of Minnesota has verified that an attacker has accessed its systems and exfiltrated personal data.
According to Security Week, the attacker claimed to have accessed 7 million unique Social Security numbers. The University launched an investigation to verify the claims on 21 July, confirming that “the data at issue is from 2021 and earlier” – although it is yet to confirm the number of affected individuals.
The university told Security Week: “Our investigation is continuing, but our security professionals have not detected any system malware (including ‘ransomware’), encrypted files or fraudulent emails related to the incident. There have been no known disruptions to current University operations as a result of this data security incident.”
It did not provide any information about how the breach occurred.
Biggest data breaches and cyber attacks in July 2023
See the full list of data breaches for July 2023
While the biggest data breaches of June were dominated by the knock-on effects of the MOVEit vulnerability, we only have one such incident in the top three of July’s list.
However, that has more to do with a handful of huge breaches in Asia than anything else, given that almost a third of our list this month comes from the now infamous security flaw.
Reports emerged in July that the video chat platform Tigo leaked more than 700,000 people’s personal data online.
The information contained people’s names, usernames, gender, email addresses and IP addresses. It also included photos that users had uploaded to their accounts as well as private messages.
According to Have I Been Pwned, more than 100 million records were compromised in total. Troy Hunt, who runs the site, says he was compelled to disclose the incident after Tigo failed to respond to multiple attempts to contact the firm regarding the breach.
Tigo is one of China’s most popular online messaging platforms, despite known concerns regarding its data privacy practices.
For instance, those attempting to download the app on Google Play are informed that Tigo doesn’t encrypt information over a secure connection. This means that unauthorised actors could potentially hijack messages in transit to spy on people’s conversations.
2. Indonesian Immigration Directorate General
More than 34 million Indonesians had their passport data leaked after a hacker gained unauthorised access to the country’s Immigration Directorate General at the Ministry of Law and Human Rights.
Cyber security researcher Teguh Aprianto, who founded Ethical Hacker Indonesia, disclosed the incident on his Twitter account, attributing the attack to a hacktivist known as Bjorka.
It’s unclear how exactly this could be considered hacktivism, which is the practice of gaining unauthorised access into a system to promote a political agenda or social change. It’s usually designed to disrupt an organisation’s systems while minimising the damage for users.
In this instance, the supposed hacktivist stole vast quantities of personal data, which they have listed for sale on the dark web for $10,000.
It includes Indonesian residents’ full names, genders, passport numbers, dates of issue, expiry dates and dates of birth.
Law enforcement continue to investigate the incident, which looks a lot more like a traditional cyber attack than a politically motivated one.
3. Teachers Insurance and Annuity Association of America
July saw the TIAA (Teachers Insurance and Annuity Association of America) become the latest in a long line of organisations to confirm that it had been affected by the MOVEit vulnerability.
Rumours of its involvement began weeks ago, when two schools said that the non-profit organisation, which provides financial services for individuals in academic fields, had been compromised.
However, it wasn’t until the TIAA notified the Maine Attorney General about the breach on 14 July that the scale of the incident became known.
The organisation said that its systems had been compromised after an attack on its vendor, Pension Benefit Information. In total, data on 2,630,717 of its clients’ consumers had been compromised.
What isn’t clear from the report is whether that is the total number of TIAA’s clients’ consumers or a subset of those affected – some of which have already reported the breach.
Biggest data breaches and cyber attacks in June 2023
June was a top-heavy month in terms of cyber attacks, with the three biggest security incidents accounting for over 13 million breached records – almost the entirety of this month’s total.
See the full list of data breaches for June 2023
1. Oregon and Louisiana departments of motor vehicles
The US states of Oregon and Louisiana said that their departments of motor vehicles were compromised as part of the MOVEit software vulnerability that has been wreaking havoc in recent weeks.
Louisiana’s OMV (Office of Motor Vehicles) said that at least six million records, including driver’s license information, were stolen.
The state was quick to point out that the crooks did not breach its internal systems but rather those of MOVEit, the third-party software provider that the OMV used to share files.
This has made it difficult to gauge the full extent of the damage in this incident, but the OMV believes that all Louisianans with a state-issued driver’s license, ID or car registration may have had personal data exposed.
Meanwhile, the Oregon DMV (Department of Motor Vehicles) said that an estimated 3.5 million driver’s license and identity card details have been compromised. In a disclosure notice, the organisation said:
“We do not have the ability to identify if any specific individual’s data has been breached. Individuals who have an active Oregon ID or driver’s license should assume information related to that ID is part of this breach.
“We recommend individuals take precautionary measures to protect themselves from misuse of this information, such as accessing and monitoring personal credit reports.”
In both instances, the compromised data could include a range of personal details that residents provide when obtaining a driver’s license.
In all likelihood, names, addresses and birthdates have been exposed, as well as Social Security numbers, vehicle registration numbers and handicap placard information.
2. Genworth Financial
Genworth Financial was another organisation caught up in the MOVEit breach, with at least 2.5 million records exposed in the attack.
The US-based organisation, which provides life insurance services, said that it was notified about the breach on 16 June and subsequently verified that customers’ personal data was stolen.
The exposed information includes names, dates of birth, Social Security numbers, physical addresses and policy numbers.
As with many other MOVEit attacks, Genworth Financial clarified that its own systems had not been compromised. Rather, the attack stemmed from information it shared with the file-sharing service.
Genworth Financial was informed about the breach from PBI Research Services, a population management firm that provides death audit and locate services. Three of its clients were caught up in the incident, with Genworth Financial being the largest.
A second organisation compromised was CalPERS (California Public Employees’ Retirement System), in which 769,000 of its members were affected.
Meanwhile, the third organisation caught up in the incident was Wilton Reassurance, which we discuss below.
3. Wilton Reassurance
To round off a hat-trick of stories about organisations affected by the MOVEit breach, Wilton Reassurance learned in June that its customers too were implicated in the software vulnerability.
The New York-based insurance provider was informed that 1,482,490 of its members were affected.
As with the other incidents affecting PBI Research Services, few specific details emerged regarding the breach. However, in a statement shared with Bleeping Computer, the organisation said:
“PBI Research Services uses Progress Software’s MOVEit file transfer application with a number of clients. At the end of May, Progress Software identified a zero-day vulnerability in the MOVEit software that was actively being exploited by cyber criminals.
“PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted potentially impacted clients.
“The cyber criminals did not gain access to PBI’s other systems – access was only gained to the MOVEit administrative portal subject to the vulnerability.” The organisation added that it is working directly with its clients to identify affected consumers and develop notice plans.
Biggest data breaches of May 2023
The three biggest security incidents of May 2023 accounted for more than 84 million breached records – or 86% of the month’s total.
See the full list of data breaches for May 2023
Rumours began to circulate late last year that Luxottica, one of the world’s largest eyewear companies, had been targeted in a cyber attack.
Luxottica – which owns popular brands including Ray-Ban, Oakley and Costa and makes sunglasses and prescription frames for the likes of Giorgio Armani, Versace and Dolce and Gabbana – has suffered several security incidents in recent years.
In August 2020, it was embroiled in a data breach affecting more than 800,000 EyeMed and Lenscrafters patients. A month later, a ransomware attack shut down the company’s operations in Italy and China.
It initially seemed as though the latest batch of stolen data might have come from one or both of those incidents.
However, cyber security researcher Andrea Draghetti discovered that the information was exfiltrated on 16 March 2021, and concluded that the data likely came from a separate, previously undisclosed data breach.
His research also revealed that the stolen data contains 305 lines of data, including 74.4 million unique email addresses and 2.6 million unique domain email addresses.
The information was offered for a private sale on the now-defunct hacking forum Breached, and it was later leaked in its entirety for free.
According to the seller, the database contained customers’ full names, email addresses, home addresses and dates of birth.
Luxottica says that it is investigating the incident, and in a statement added: “We immediately reported the incident to the FBI and the Italian Police. The owner of the website where the data was posted has been arrested by the FBI, the website was shut down and the investigation is ongoing.”
2. MCNA Insurance
MCNA Insurance, also known as MCNA Dental, was caught up in a cyber hacking incident last week, in which 112 covered entities were affected.
According to the organisation’s disclosure – which was released the Friday before Memorial Day weekend – the specific types of information compromised in the attack varied by individual.
However, it included patients’ first and last names, physical addresses, dates of birth, phone numbers, email addresses, Social Security numbers, driver’s license numbers and other government-issued ID.
In addition, the attackers stole health insurance data (including plan information, insurance provider, member number, Medicaid-Medicare ID numbers), information about treatment that patients had received, the bills they had been given and insurance claims.
MCNA Insurance later confirmed that 8,923,662 people were affected in the incident and said the breach was a result of a ransomware attack.
The unauthorised access reportedly occurred between 27 February and 7 March, and the attackers leaked the information on the dark web in April, but the organisation waited until 26 May to disclose it.
The US pharmacy network PharMerica began notifying 5.8 million patients in May that it had suffered a data breach earlier this year.
In a disclosure notice to the Maine Attorney General’s Office, the organisation explained that an unauthorised party had compromised its computer systems between 12 March and 13 March.
Personal information compromised during the incident includes patients’ names, addresses, dates of birth, Social Security numbers, health insurance data and medical data.
In some instances, the stolen data belongs to deceased individuals, and PharMerica has encouraged executors or surviving family members to contact the national credit reporting agencies to notify them of the breach.
The organisation did not explain how the intrusion occurred, although some reports speculate that it was a ransomware attack. One criminal gang said that it had targeted the organisation and encrypted its systems.
However, PharMerica has made no mention of ransomware in either its public statements or its breach disclosure.
Biggest data breaches of April
Our research identified 120 publicly disclosed security incidents during April, accounting for 4,353,257 breached records.
See the full list of data breaches for April 2023
The biggest data breaches in April 2023 were:
1. Shields Health Care Group
The largest data breach of April 2023 was at the Shields Health Care Group, a Massachusetts-based medical services provider. Reports emerged near the end of the month that a cyber criminal had gained unauthorised access to the organisation’s systems and had stolen the personal data of 2.3 million people.
In a letter sent to affected individuals, Shields said that the incident dates to March 2022, when it first identified suspicious activity on its internal network.
The breach had been speculated about at the time, but the firm’s investigation concluded last month and revealed the scale of the damage.
The crooks reportedly had access to sensitive data for two weeks and that information included patients’ Social Security numbers, dates of birth, home addresses, healthcare provider information and healthcare history.
Additionally, billing information, insurance numbers and other financial details were stolen in the attack.
In a statement, Shields said that it “takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected.
“Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security.”
2. NCB Management
NCB Management learned last month that a cyber criminal infiltrated its systems and stole almost one million financial records.
An internal investigation from the debt collection services provider found that a criminal hacker first accessed NCB Management’s systems on 1 February 2023, but it’s unclear how long they remained in its systems.
What is apparent is that the crook accessed credit card data for consumers’ Bank of America past-due accounts.
The accounts were already closed, but the attacker would have had access to a gamut of information, including people’s first and last names, address, phone number, email address, date of birth, employment position, pay amount, driver’s licence number, Social Security number, account number, credit card number, routing number, account balance and/or account status.
When combined with the knowledge that these people had been pursued by a debt collection agency, it creates the possibility for a variety of scams.
The incident was reported to the relevant authorities by Bank of America, but it’s unclear what part the bank had to play in the breach beyond the fact that its customers were affected.
The open-source media player Kodi reported last month that an unauthorised actor compromised its MyBB forum database and stole personal data belonging to 400,635 users.
“MyBB admin logs show the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console twice: on 16 February and again on 21 February,” Kodi said in a statement.
The crooks were able to download nightly backups of the complete database, which contained all public forum posts, team forum posts and direct messages. More worryingly, the same database contained usernames, email addresses and encrypted passwords.
Fortunately for Kodi, its team said that there was no evidence that the criminal hackers gained access to the underlying server hosting the MyBB software.
Biggest data breaches of March
Our research identified exactly 100 publicly disclosed incidents in March, accounting for 41,970,182 breached records.
See the full list of data breaches for March 2023
The three biggest data breaches in March 2023 were:
1. Latitude Financial
The largest confirmed data breach of March 2023 occurred at Latitude Financial, with more than 14 million records being compromised.
The Melbourne-based company, which provides personal loans and credit cards to people in Australia and New Zealand, reported that cyber criminals had captured several different types of data.
Almost 8 million drivers’ licences were stolen, along with 53,000 passport numbers and dozens of monthly financial statements.
An additional 6 million records dating back to “at least 2005” were also compromised in the attack, the source of which is not yet known.
The most concerning aspect of this breach is that Latitude Financial originally reported that only 300,000 people had been affected. This suggests that it had a poor understanding of the attack and rushed to disclose the breach.
Having to then update its estimate invites further public scrutiny of the attack and could see customers lose faith in the company.
Most of us are aware by now that data breaches can occur anywhere, so falling victim to an attack isn’t necessarily a sign of ineffective security measures. However, a mismanaged response suggests that an organisation isn’t prepared for an attack, and it bodes poorly for ongoing remediation efforts.
A vulnerability in the file transfer service GoAnywhere has enabled cyber criminals to exploit dozens of organisations that use the tech. Details of the sprawling attack continue to emerge, with some reports estimating that as many as 130 organisations have been targeted.
Until recently, these details were coming not from GoAnywhere or its parent company, Fortra, but from individual victims.
Organisations that are confirmed to have been targeted include Hatch Bank, the City of Toronto, the cyber security company Rubrik and Hitachi Energy. In each case, the victim has reported that it was breached through the GoAnywhere MFT remote code execution vulnerability.
The attacks have been attributed to the Clop ransomware gang, but coverage of their activity is not consistent with traditional ransomware attacks. Reports suggest that the group is stealing the data rather than encrypting the organisations’ systems and holding them to ransom.
Regardless of the specific techniques being used, it’s likely that millions of sensitive data records have been compromised – although few victims have listed specific figures.
AT&T has notified approximately 9 million customers that their personal data has been exposed in a data breach.
The telecoms giant said that the breached records include people’s names, wireless account numbers, phone numbers and email addresses. It’s confident that more sensitive data, such as payment card numbers, Social Security numbers and passwords, have not been affected.
However, AT&T conceded that, in “a small percentage” of cases, customers’ rate plan name, past due amounts, monthly payment amounts and other account data was affected, although it said that the information was “several years old”.
AT&T was eager to note that the breach related to a vendor and that its own systems had not been compromised. It didn’t name the vendor.
Biggest data breaches of February
Our research identified 106 publicly disclosed incidents in February, accounting for 29,582,356 breached records.
See the full list of data breaches for February 2023
The biggest data breaches in February 2023 were:
PeopleConnect, the organisation behind the background check services TruthFinder and Checkmate, confirmed in February that it had suffered a data breach affecting 20 million people.
The incident occurred after criminal hackers leaked a 2019 backup database containing personal information from customers.
According to disclosure reports, the compromised information includes email addresses, hashed passwords, first and last names, and full names.
“We have confirmed that the list was created several years ago and appears to include all customer accounts created between 2011 and 2019. The published list originated inside our company,” the organisation said in a statement.
At the time of publishing, PeopleConnect was still investigating the incident, but it was confident that it was an “inadvertent leak or theft of a particular list”.
The company has engaged with a third-party cybersecurity firm to investigate the incident and found no evidence of their network being breached.
The Moscow-based firm Elevel suffered a data breach earlier this year, leaking 1.1TB of personal data.
The breach was discovered by researchers at Cybernews, which found an open dataset belonging to e.way, an online shop operated by the electrical engineering firm.
In total, 7 million data entries from the past two years were found, including customers’ names, phone numbers, email addresses and delivery addresses.
“If left exposed, threat actors could download and clone the cluster’s data and use it for nefarious purposes, including phishing attacks, as they possess sufficient PII and to make their scam seem legitimate,” Cybernews researchers said.
“As a number of usernames and passwords are exposed, it could enable threat actors with valid credentials to gain further sensitive data and to impersonate users to make fraudulent purchases,” they added.
Cybernews confirmed that the dataset has since been secured.
3. CentraState Medical Center
New Jersey’s CentraState Medical Center was embroiled in a security incident in February after it was found to have failed to protect the sensitive personal data of 617,000 patients.
The breach involved a cache of personal data that was compromised in a ransomware attack in December 2022, which paralysed the Freehold, NJ, hospital.
According to disclosure reports, the hospital detected the attack on 29 December and launched an investigation to determine the nature and scope of the breach.
The compromised data includes patients’ names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers.
Biggest data breaches of January
Our research discovered 104 publicly disclosed security incidents, which accounted for 277,618,767 leaked records.
That’s more breached records than we found in any calendar month last year, and it’s among the most incidents we’ve ever seen.
See the full list of data breaches for January 2023
The biggest data breaches in January 2023 were:
Twitter is in the middle of yet another PR disaster after a criminal hacker leaked more than 220 million users’ email addresses.
The fraudster, who goes by the name ‘Ryushi’, initially demanded $200,000 (about £166,000) to hand over or delete the stolen information. A week later – after presumably being rebuffed by Twitter – the hacker put the data up for sale on the hacking forum Breached.
Although it appears that no personal information beyond email addresses was compromised, the incident poses significant privacy risks.
For instance, many people can be easily identified by their email address – particularly if they use their name or the name of their business. This could be particularly troublesome for celebrities and other high-profile figures.
The cyber crime intelligence firm Hudson Rock says it was the first to raise the alarm about the sale of the data. Alon Gal, the organisation’s co-founder, believes that the damage could extend beyond simple cyber crime.
“This database is going to be used by hackers, political hacktivists and of course governments to harm our privacy even further,” he said.
T-Mobile USA has disclosed its second data breach of 2023. In a letter to those affected by the breach, it said:
“In March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023.”
According to SC Media, the breach “involved the theft of personal details […] belonging to 836 customers”.
Compared with the data breach T-Mobile disclosed in January, which affected approximately 37 million customers, the number of victims in this case might seem relatively small, but the extent of the personal data relating to those customers is particularly alarming.
T-Mobile’s letter continues:
“The information obtained for each customer varied, but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines.”
T-Mobile has now fallen victim to nine data breaches since 2018.
3. JD Sports
JD Sports confirmed in January that it had leaked the personal information of 10 million customers.
The fashion retailer said the breached information included names, billing and delivery addresses, phone numbers, order details and the final four digits of payment cards of “approximately 10 million unique customers”.
The incident is believed to affect customers who made orders between November 2018 and October 2020, and who purchased products in its Size?, Millets, Blacks, Scotts and Millets Sports brands.
“We want to apologise to those customers who may have been affected by this incident,” said Neil Greenhalgh, the organisation’s chief financial officer. “We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these.”
It added that it had taken the “necessary immediate steps” to investigate and respond to the incident, including working with cyber security experts. However, it urged customers to be wary of potential fraud and phishing attacks.