
Over the past few years, TechCrunch has looked back at some of the worst, most poorly handled data breaches and security incidents with a sense of hope that other big companies will take heed and avoid disasters like last year’s. Surprisingly, this year it lists much of the same bad behavior from a whole new kind of company.
23andMe blames users for massive data breach
Last year, genetic testing giant 23andMe lost genetic and ancestry data for about 7 million customers in a data breach in which hackers raked in millions of people’s data through brute-force access to millions of accounts. 23andMe belatedly launched multi-factor authentication, a security feature that could prevent your account from being hacked.
Just days into the new year, 23andMe shifted responsibility for a massive data theft onto victims, claiming that users had failed to do enough to protect their accounts. Lawyers representing a group of hundreds of 23andMe users who sued the company after the hack called the accusations “nonsense.” It came shortly after authorities in the UK and Canada announced a joint investigation into the 23andMe data breach last year.
23andMe laid off 40% of its workforce later in the year as the embattled company faces an uncertain financial future. The same uncertainty hangs over the company’s vast bank of customer genetic data.
It took Change Healthcare months to confirm that hackers had stolen most of America’s health data.
Change Healthcare was a health technology company that was almost unheard of until February of this year, when a cyberattack shut down the company’s entire network, causing immediate and widespread disruptions across the United States and shutting down much of the U.S. healthcare system. Change, owned by health insurance giant UnitedHealth Group, processes claims and insurance for thousands of health care providers and practices across the U.S., handling about one-third to half of all U.S. health care transactions each year.
The company’s handling of the hack, which stemmed from a breach of basic user accounts that lacked multi-factor authentication, was criticized by Americans who were left unable to fill their medications or be approved for hospital admissions in the aftermath of the cyberattack, and by lawmakers who questioned the company’s CEO about the hack at a congressional hearing in May. Change Healthcare paid $22 million in ransom to hackers, a kind of payment the federal government has long warned helps cybercriminals profit from cyberattacks, and was then asked to pay a new ransom to have another hacking group delete the stolen data.
It wasn’t until October, about seven months later, that it was revealed that more than 100 million people had had their personal health information stolen in a cyberattack. Of course, it may have taken some time, as this was by all accounts the largest healthcare data breach of the year.
The Synnovis hack disrupted UK healthcare for months.
The NHS has been in turmoil for months this year after London-based pathology service provider Synnovis suffered a ransomware attack in June. The attack, claimed by the Qilin ransomware group, left patients in south-east London unable to get blood tests from their doctors for more than three months, leading to the cancellation of thousands of outpatient appointments and more than 1,700 surgical procedures.
In light of the attacks, which experts say could have been prevented with two-factor authentication, the UK’s main trade union, Unite, announced that Synnovis staff would go on strike for five days in December. Unite said the incident had a “devastating impact on staff who were forced to work extra hours and were unable to access essential computer systems for months while the attack was dealt with”.
It is not yet known how many patients are affected by this incident. The Qilin ransomware group claims to have leaked 400GB of sensitive data, including patient names, health system registration numbers, and blood test descriptions, which were allegedly stolen from Synnovis.
The Snowflake customer hack snowballed into a serious data breach.
Cloud computing giant Snowflake found itself at the center of a series of large-scale hacks this year targeting corporate customers such as AT&T, Ticketmaster and Santander Bank. The hackers, who were later criminally charged with the intrusion, broke in using login information stolen by malware found on the computers of employees at companies using Snowflake. Because Snowflake did not make multi-factor authentication mandatory, the hackers were able to break into the massive data banks stored by hundreds of Snowflake customers, steal the data and hold it for ransom.
Snowflake said little about the incident at the time, but acknowledged the breach was caused by a “targeted campaign targeting users using single-factor authentication.” Snowflake launched multi-factor authentication by default for customers to avoid repeat incidents in the future.
Columbus, Ohio sued a security researcher who truthfully reported a ransomware attack.
When the city of Columbus, Ohio, reported a cyberattack last summer, Mayor Andrew Ginter went out of his way to reassure concerned residents that stolen city data was “encrypted or compromised” and unusable by the hackers who stole it. Meanwhile, a security researcher tracking data breaches on the dark web found evidence that the ransomware gang had actually accessed the data of at least 500,000 residents, including Social Security numbers and driver’s licenses, as well as arrest records, information on minors, and information on survivors of domestic violence. The researcher informed journalists about the data.
The city successfully obtained an injunction barring the researcher from sharing the evidence of the breach that the researcher had found, which appears to be an effort by the city to silence the security researcher rather than correct the breach. The city later dismissed the lawsuit.
Salt Typhoon hacked phone and internet providers thanks to US backdoor laws.
A 30-year-old backdoor law resurfaced this year after hackers called Salt Typhoon, one of a number of Chinese-backed hacking groups laying the digital foundation for a possible conflict with the United States, were discovered on the networks of some of America’s largest telephone and internet companies. The hackers were found to be accessing real-time calls, messages, and communication metadata of high-ranking U.S. government officials, including senior politicians and presidential candidates.
The hackers reportedly broke into some of the companies’ wiretapping systems, which telecommunications companies were required to install after a law called CALEA was passed in 1994. Now, thanks to the hackers’ continued access to these systems and to the data that carriers store on Americans, the U.S. government is recommending that U.S. citizens and older Americans use end-to-end encrypted messaging apps to ensure that no one, including Chinese hackers, can access their private communications.
MoneyGram has not yet revealed how many people had their transaction data stolen in the data breach.
MoneyGram, a giant U.S. money transfer company with more than 50 million customers, was attacked by hackers last September. The company confirmed the incident, disclosing only an unspecified “cybersecurity issue” a week after customers experienced unexplained outages for several days. MoneyGram did not say whether customer data had been leaked, but the UK’s data protection watchdog told TechCrunch in late September that it had received a data breach report indicating customer data had been stolen from the US-based company.
Weeks later, MoneyGram acknowledged that hackers stole customer data during a cyberattack, including social security numbers and government identification cards, as well as transaction information such as the date and amount of each transaction. The company admitted that hackers also stole forensic information about a ‘limited number’ of customers. MoneyGram has not yet revealed how many customers had their data stolen or how many customers were notified directly.
Hot Topic remains silent even after 57 million customer records leaked online
The October breach of US retail giant Hot Topic, which affected 57 million customers, marked one of the largest breaches of retail data. But despite the massive breach, Hot Topic has not publicly confirmed the incident, nor has it notified customers or state attorneys general’s offices about the data breach. The retailer also ignored multiple requests for comment from TechCrunch.
Have I Been Pwned, a breach notification site that obtained a copy of the breached data, alerted approximately 57 million affected customers that the stolen data included email addresses, physical addresses, phone numbers, purchases, gender and date of birth. The data also included some credit card data, including credit card type, expiration date, and the last four digits of the card number.