Gabi Power Dec 19, 2022 3:19:30 PM 12 MIN READ

2022 Wrapped: This Year’s Biggest Data Breaches

This year, as the world has emerged from the cocoon created by the global pandemic, many businesses began the slow transition from remote to hybrid working models, with some even making a full return to the office. It’s been a time of significant change, and yet one constant remains – cyber incidents.  

More and more high-profile cases have come to light throughout the year, and the term ‘data breach’ seems to be all that anyone can speak about: it has caused a stir in the media, been discussed in depth in the office, and been muttered in personal conversations. This is particularly true in Australia, where two of the country’s biggest ever data breaches occurred within just weeks of each other, each affecting almost 10 million citizens.

We’ve compiled a list of some of the biggest data breaches of the year. You’ve probably read about them at some point and gawked at the numbers. Although the companies mentioned can withstand the blow from such attacks, many SMEs cannot. In fact, one study estimated that 60% of small businesses close within six months of a data breach or cyberattack. Share this list with your customers so that they can learn from the mistakes of others and better protect their business.    

 

Crypto.com

On the 17th of January, Crypto.com’s risk monitoring systems detected unauthorised activity on 483 user accounts, with hackers bypassing two-factor authentication to authorise transactions. Although the company initially just referred to the attack as an incident and assured customers that all wallets were safe, it later came to light that approximately $33.8 million worth of users’ crypto assets were stolen in the attack.

 

Red Cross

On the 19th of January, the International Committee of the Red Cross (ICRC) announced they had suffered from a sophisticated cyberattack, which “compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. The data originated from at least 60 Red Cross and Red Crescent National Societies around the world.” The login information of around 2,000 ICRC employees was also stolen in the hack.  

Hackers were able to gain access to Red Cross’s network by exploiting an unpatched critical vulnerability in an authentication module, and the intrusion took 70 days to detect.

 

US Department of Education

In January, the US Department of Education suffered from what is likely the largest-ever breach of personal student data in US history. By gaining unauthorised access to the online grading and attendance system of public schools in New York City, hackers compromised the data of 820,000 current and former students, which prompted a shutdown of the system for weeks.  

The exposed data affected students back to the 2016-2017 school year, and included names, birthdays, home languages, ethnicities, student ID numbers, class and teacher schedules, and information on whether they received special education services or free lunch.

 

Cash App

Affecting 8.2 million customers, the Cash App breach was caused by a disgruntled former employee. After being terminated, the ex-employee downloaded customer data without permission and stole full names, brokerage account numbers, values and portfolio holdings, and the trading activity for one day of trading. Cash App only notified affected customers four months after the breach, which led to some users suffering financial fraud and having their accounts cleared, and resulted in a class action filing against Cash App and their parent company, Block.

 

Neopets

Virtual pet website Neopets disclosed in August that they had suffered a data breach which exposed the personal details of 69 million members. The company only learned that their systems had been compromised after a hacker attempted to sell their database for four bitcoins. An investigation then discovered that the hackers had been in their system for 18 months undetected.

 

Twitter

In November, the user records of 5.4 million Twitter users were exposed online, which included personal phone numbers and email addresses. Although these details are often readily available online, the exposure posed a security risk for users who wished to remain anonymous.


Samsung

The tech giant suffered two major attacks in 2022, both of which have led to lawsuits against them. On the 7th of March, Samsung announced that a group of hackers had accessed their company data. Almost 200GB of confidential data was compromised, including the source code of several products such as Galaxy smartphones and tablets, full source code for authorizing and authenticating Samsung accounts, algorithms for all biometric authentication unlock operations, and much more.

On September 2nd, Samsung confirmed that their systems in the US had been hacked and data belonging to more than half of their US customer database had been compromised, including name, contact details, demographic data, date of birth, and product registration data. Samsung first became aware that customer data had been accessed without permission a month prior to their announcement, which left affected customers vulnerable to attacks for an extended period of time.  

 

Uber

Uber also suffered from two allegedly unrelated attacks throughout the year. In September, the ride-share company announced that its systems had been breached. Using social engineering, a hacker was able to compromise an Uber employee’s Slack account and then gain complete access to their cloud-based systems, which contained sensitive customer and financial data. At present, no ransom has been demanded and no data has been published online, so it appears that the hacker used this as an exercise, rather than an extortion attempt.

In mid-December 2022, Uber confirmed they had suffered from a second data breach, which was a result of an attack on a third-party vendor, Teqtivity, which provides tracking and asset management services for the ride-share company. The stolen data included source code, IT asset management reports, data destruction reports, other corporate information, and the email address and Windows Directory information for more than 77,000 Uber employees. The breach did not impact customers.   

 

Optus

In September, Optus announced that they had suffered a cyberattack, which has since been dubbed one of the biggest in Australian history. The hacker, who stole names, dates of birth, phone numbers, addresses, passports, healthcare, and driver’s licence details belonging to 9.7 million customers, demanded a $1 million ransom from Optus.

 After it was clear the telco would not pay, the hacker uploaded the information of 10,000 customers online, but days later stated there were too many eyes on the situation, apologised for their involvement in the attack, and promised that they had deleted the only copy of the data and would not upload any further files.  

 

Medibank

In mid-October, Australian private health insurer Medibank became aware of unauthorised access to their systems. At first, it was believed that no customer data had been accessed, until the hacker contacted them directly to alert them otherwise. The stolen information, belonging to almost 10 million past and present customers of Medibank, ahm and international students, included full names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, and some claims data, “including the location of where a customer received medical services and codes relating to their diagnoses and procedures”.

After their demands for a ransom of AUD $15 million were ignored, the hackers began uploading Medibank data onto the dark web in a series of data dumps as a warning to the insurer. The data was stored in files with titles such as “psycho.csv, hiv.csv, viral_hepatitis.csv, std.csv” and more as an attempted scare tactic. Finally, at the end of November, the hackers declared it “case closed” and dumped all 200GB worth of stolen data onto the dark web.

 

WhatsApp

On November 16, someone posted on a well-known hacking forum, claiming that they were selling an up-to-date database of nearly 500 million WhatsApp user mobile numbers from 84 countries. Cybernews obtained data samples which were confirmed to contain up-to-date user information. If accurate, this data breach would be the 8th largest in history.  

Invest in email security

Prevention is always better than a cure, and the best defence is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in their inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

 No one vendor can stop all threats, so it’s crucial to remind your customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a third-party cloud email solution like MailGuard.     

 
