We're halfway through 2024, but this year has already seen some of the largest and most damaging data breaches in recent history. And just when you thought these hacks couldn't get any worse, they do.
From untold amounts of personal customer information being scraped, stolen and posted online to the mass theft of medical data for most people in the United States, the worst data breaches to date in 2024 have already seen at least a billion records stolen and counting. These breaches not only impact the individuals whose data has been irretrievably compromised, but they also embolden criminals who profit from malicious cyberattacks.
Take a journey with us to the not-so-distant past to see how some of 2024's biggest security incidents happened, what their impact was, and in some cases, how they could have been prevented.
AT&T's data breach affected “almost all” of the company's customers, as well as many more non-customers.
2024 has been a very bad year for data security for AT&T, as the telecommunications giant confirmed not one but two data breaches just a few months apart.
AT&T said in July that cybercriminals had stolen a cache of data including phone numbers and call records for “almost all” of its customers — roughly 110 million people — over a six-month period and possibly longer in 2022. The data wasn't stolen directly from AT&T's systems, but rather from an account at data giant Snowflake (more on that below).
While the stolen AT&T data has not been made public (one report said AT&T paid a ransom to have the hackers delete the stolen data), and the data itself does not include the contents of calls or text messages, the “metadata” still reveals who called whom and when, and in some cases the data can be used to infer approximate locations. Worse yet, the data also includes the phone numbers of non-customers who received calls from AT&T customers during that time. If that data were made public, it could be dangerous for high-risk individuals, such as victims of domestic violence.
This is AT&T's second data breach this year. Earlier, in March, a data breach broker leaked a complete cache of 73 million customer records on a popular cybercrime forum for anyone to see, nearly three years after a much smaller sample was leaked online.
The exposed data included personal information about customers, such as names, phone numbers and postal codes, and some customers confirmed that the data was accurate.
But it wasn't until a security researcher discovered that the leaked data included encrypted passcodes used to access customers' AT&T accounts that the telecommunications giant took action. At the time, the security researcher told TechCrunch that the encrypted passcodes were easily cracked, putting approximately 7.6 million existing AT&T customer accounts at risk of being compromised. After TechCrunch reported the researcher's findings to the company, AT&T forced a reset of customer account passcodes.
One big mystery remains: AT&T still doesn't know how the data was leaked or where it came from.
Change Healthcare hackers stole medical data from a “significant percentage” of Americans
In 2022, the US Department of Justice sued health insurance giant UnitedHealth Group to block its acquisition of health tech giant Change Healthcare, fearing that the acquisition would give the health care conglomerate broad access to “roughly half of all Americans' health insurance claims” each year. The attempt to block the acquisition ultimately failed. And two years later, something even worse happened: Change Healthcare was hacked by a gang that heavily uses ransomware. One of the company's critical systems wasn't protected by multi-factor authentication, leading to the theft of an all-purpose bank of sensitive medical data.
The cyberattack caused extended downtime lasting weeks and widespread power outages at hospitals, pharmacies, and healthcare facilities across the U.S. But while the full extent of the data breach is yet to be determined, the impact on those affected is likely to be irreversible. UnitedHealth said the stolen data, which it paid hackers to obtain a copy of, included personal, medical, and billing information for a “significant proportion” of Americans.
UnitedHealth has not yet released figures on how many individuals were affected by the breach. The health care giant's CEO, Andrew Witty, told lawmakers that the breach affected about a third of Americans, and that the number could be higher. For now, the question is how many hundreds of millions of people in the US are affected.
Synnovis ransomware attack causes widespread outages at hospitals across London
In June, a cyberattack hit the UK pathology lab Synnovis, a blood and tissue testing laboratory serving hospitals and the health service in the UK capital, causing widespread disruption to patient services for several weeks. A local National Health Service trust that relies on the lab postponed thousands of surgeries and procedures after the hack, and a major incident was declared across the UK healthcare sector.
The cyberattack, which involved the theft of data on around 300 million patient interactions going back many years, was allegedly carried out by a Russia-based ransomware gang and, as with the Change Healthcare data breach, the impacts on those affected are likely to be severe and lifelong.
Some of the data had already been published online in an attempt to force the lab to pay a ransom. Synnovis reportedly refused to pay the hackers' $50 million ransom, preventing them from profiting from the hack, but the UK government is scrambling to figure out what to do if hackers post millions of medical records online.
One of the NHS trusts that runs five hospitals across London affected by the outage reportedly had not met data security standards required by the UK Health Service for several years leading up to the Synnovis cyberattack in June.
Ticketmaster allegedly had 560 million records stolen in Snowflake hack
A series of data thefts at cloud data giant Snowflake has quickly escalated into one of the biggest data breaches this year, with massive amounts of data stolen from corporate customers.
Cybercriminals used stolen credentials from a data engineer with access to their employer's Snowflake environment to steal hundreds of millions of customer records from some of the world's largest companies, including 560 million records from Ticketmaster, 79 million from Advance Auto Parts, and nearly 30 million from TEG. Snowflake did not require its customers to use, or enforce the use of, security features that would have prevented intrusions using stolen or reused passwords.
Incident response firm Mandiant said data was stolen from the accounts of about 165 Snowflake customers, including in some cases “significant amounts of customer data.” Of the 165, only a few have admitted so far that their environments were compromised; the stolen data includes tens of thousands of employee records from Neiman Marcus and Santander Bank, and millions of student records from the Los Angeles Unified School District. Many of Snowflake's customers are expected to come forward.
(In)Honorable Mentions
Cencora has notified more than one million users of the data loss.
US pharmaceutical giant Cencora disclosed in February that its patients' health data had been leaked. Cencora had received the information through its partnerships with pharmaceutical companies. Cencora has steadfastly refused to say how many people were affected, but by TechCrunch's tally, well over one million people have been notified so far. Cencora claims to have served more than 18 million patients to date.
MediSecure Data Breach Affects Half of Australia:
In Australia, prescription provider MediSecure was hit by a ransomware attack in April, resulting in the theft of personal and health data for around 13 million people, roughly half the population. MediSecure, which distributed prescriptions to most Australians until late 2023, declared bankruptcy shortly after the massive theft of customer data.
Kaiser shared the health data of millions of patients with advertisers.
Kaiser, a major US health insurer, disclosed a data breach in April when it accidentally provided personal health information about 13.4 million patients, particularly website search terms related to diagnoses and medications, to technology companies and advertisers. Kaiser said it used tracking codes for website analytics. The health insurer disclosed the incident after several other telemedicine startups, including Cerebral, Monument and Tempest, also admitted to sharing data with advertisers.
The USPS also shared mailing addresses with tech giants.
Now, the USPS has been found to have shared logged-in users' addresses with advertisers, including Meta, LinkedIn, and Snap, using similar tracking codes provided by the companies. After TechCrunch notified the USPS about the improper data sharing in July, the USPS removed the tracking codes from its website but did not disclose how many individuals had their data collected. USPS has over 62 million Informed Delivery users as of March 2024.
Evolve Bank data breach affected fintech and startup customers:
In July, a ransomware attack targeting Evolve Bank resulted in cybercriminals stealing the personal information of over 7.6 million people. Evolve is a leading banking-as-a-service company whose main clients are fintech companies and startups such as Affirm and Mercury. As a result, many of the individuals notified of the data breach had never even heard of, much less had any relationship with, Evolve Bank prior to the cyberattack.