Over the past few years, TechCrunch has looked back at some of the worst, most badly handled data breaches and security incidents, in the hope that other giant companies will take note and avoid the same disasters. To no one's surprise, this year we're listing many of the same bad acts by a whole new class of companies.
23andMe blames users for massive data breach
Last year, genetic testing giant 23andMe lost the genetic and ancestry data of nearly 7 million customers in a data breach in which hackers brute-forced access to thousands of accounts and collected data on millions more. 23andMe belatedly introduced multi-factor authentication, a security feature that could have prevented the accounts from being hacked.
Within days of the new year, 23andMe tried to shift the blame for the massive data theft onto the victims, claiming that users did not adequately protect their accounts. Lawyers representing a group of hundreds of 23andMe users who sued the company after being hacked said the accusations were “nonsense.” Shortly after, British and Canadian authorities announced a joint investigation into last year's 23andMe data breach.
Later in the year, 23andMe laid off 40% of its employees as the beleaguered company, along with its vast bank of customers' genetic data, faces an uncertain financial future.
Change Healthcare took months to confirm that hackers had stolen most of America's health data
Change Healthcare was a healthcare technology company that few had heard of until a cyberattack brought down its entire network in February of this year. The result was immediate and widespread service outages across the United States that shut down large portions of the U.S. health care system. Change, owned by health insurance giant UnitedHealth Group, handles billing and insurance for thousands of healthcare providers and practices across the country, processing one-third to half of all U.S. healthcare transactions each year.
The company's response to the hack, which was caused by a breach of basic user accounts due to a lack of multi-factor authentication, was criticized by Americans who were unable to get prescriptions for medication or approval for hospitalization. Critics also included healthcare workers who went bankrupt as a result of the cyberattack, as well as members of Congress who blasted the company's chief executive officer for the hack during a Congressional hearing in May. Change Healthcare paid the hackers a $22 million ransom, which the federal government has long warned only helps cybercriminals profit from cyberattacks, and the company then had to pay a new ransom to request deletion of the stolen data.
In the end, it took until October, about seven months later, to confirm that more than 100 million people had had their personal health information stolen in the cyberattack. Granted, it was bound to take a while, because this was by all accounts the biggest healthcare data breach of the year, if not the biggest in history.
Synnovis hack disrupts UK health service for months
In June, London-based pathology service provider Synnovis was hit by a ransomware attack that caused months of disruption to the NHS. The attack, claimed by the Qilin ransomware group, left patients in south-east London unable to get blood tests from their doctors for more than three months, and led to the cancellation of thousands of outpatient appointments and more than 1,700 surgical procedures.
In light of the attack, which experts say could have been prevented had two-factor authentication been in place, Britain's main trade union Unite announced that Synnovis workers would go on a five-day strike in December. Unite said the incident had “a worrying impact on staff who have been forced to work additional hours without access to critical computer systems for several months while we dealt with the attack”.
The number of patients affected by this incident remains unknown. The Qilin ransomware group claims to have leaked 400 gigabytes of sensitive data allegedly stolen from Synnovis, including patient names, health system registration numbers, and blood test descriptions.
Snowflake customer hacks snowball into massive data breaches
Cloud computing giant Snowflake has been at the center of a series of major hacks this year targeting corporate customers including AT&T, Ticketmaster and Santander Bank. The hackers, who were later criminally charged over the break-ins, got in using login information stolen by malware found on the computers of employees of companies that relied on Snowflake. Because Snowflake did not require its customers to use multi-factor security, the hackers were able to break into and steal the vast databanks stored by hundreds of Snowflake customers and hold the data for ransom.
Snowflake, for its part, said little about the incident at the time, but acknowledged that the breach was caused by a “targeted campaign targeting users who use single-factor authentication.” Snowflake then rolled out multi-factor by default to customers in hopes of avoiding a repeat of the incident.
Columbus, Ohio, sues security researcher for truthfully reporting on a ransomware attack
When the city of Columbus, Ohio, reported a cyberattack over the summer, Mayor Andrew Ginther moved to reassure concerned residents, saying the stolen city data was “encrypted or corrupted” and could not be used by the hackers who stole it. All the while, security researchers who track data breaches on the dark web for their work found evidence that the ransomware team had in fact accessed the data of at least 500,000 residents, including their Social Security numbers and driver's licenses, as well as arrest records and information on minors and survivors of domestic violence. The researchers alerted journalists to the mountain of data.
The city successfully obtained an injunction to prevent the researchers from sharing evidence of the breach they had found, a move that was seen as an effort by the city to silence security researchers rather than fix the breach. The city later dropped the lawsuit.
Salt Typhoon hacks phone and internet providers thanks to US backdoor law
A 30-year-old backdoor law came back into focus this year after hackers known as Salt Typhoon, one of a group of Chinese-backed hacking groups laying the digital foundations for a potential conflict with the United States, were discovered on the networks of some of America's largest telephone and internet companies. The hackers were found to have accessed real-time phone calls, messages, and communications metadata of U.S. politicians and senior officials, including presidential candidates.
The hackers reportedly infiltrated some of the wiretapping systems that telecom companies were required to install after a law called CALEA was passed in 1994. Now, because of the continued access to these systems, and to the data that carriers collect on Americans, the US government is advising Americans and senior Americans to use end-to-end encrypted messaging apps so that no one, including Chinese hackers, can access their private communications.
MoneyGram has not yet disclosed how many people's transaction data was stolen in the data breach
MoneyGram, the US money transfer giant with more than 50 million customers, was attacked by hackers in September. After customers experienced unexplained outages for several days, the company acknowledged the incident more than a week later, disclosing only an unspecified “cybersecurity issue.” MoneyGram did not say whether customer data had been stolen, but in late September the UK data protection watchdog told TechCrunch that it had received a data breach report from the US-based company, indicating that customer data had been stolen.
Weeks later, MoneyGram admitted that hackers had stolen customer data during the cyberattack, including Social Security numbers, government identification, and transaction information such as the date and amount of each transaction. The company acknowledged that the hackers also stole criminal investigation information for a “limited number” of customers. MoneyGram has not yet disclosed how many customers had their data stolen or how many it has directly notified.
57 million customer records leaked online, but Hot Topic remains silent
The October breach of US retail giant Hot Topic, which affected 57 million customers, ranks as one of the largest breaches of retail data in history. However, despite the scale of the breach, Hot Topic has not publicly acknowledged the incident or alerted customers or state attorneys general to the breach. The retailer also ignored TechCrunch's multiple requests for comment.
The breach notification site Have I Been Pwned, which obtained a copy of the compromised data, alerted the nearly 57 million affected customers, warning that the stolen data included email addresses, physical addresses, phone numbers, purchases, gender, and dates of birth. The data also included partial credit card data, such as credit card type, expiration date, and last four digits of the card number.