It’s Emmys season! That time of the year when we look back at the excellent television that we have watched since last summer and decide how many awards “Succession” and “The Last of Us” should share between them.
In keeping with the awards season motif, this year’s Ruddys will be equally well contested. The Ruddys are the annual awards given to those companies that have suffered the reddest faces as a result of a data breach or cyberattack. This year is like every other year – the competition is strong.
The winners are:
Most Expensive Data Breach: T-Mobile
In January 2023, T-Mobile suffered a huge data breach affecting 37 million customers, or 11% of the total population of the United States. This was the company’s eighth data breach but its first big win in the Ruddys.
The breach is likely to cause the company a loss in the hundreds of millions of dollars after settlements and fines have been paid, not to mention the cost of the reputational hit. The information stolen included names, emails and birthdays – more than enough for a clever hacker to cause untold trouble to unsuspecting customers.
Most Far-Reaching Data Breach: MOVEit
The attack targeted the widely used file transfer tool, MOVEit, and its resulting impact has been enormous. More than 200 organizations and as many as 17.5 million individuals have been affected as of July 2023.
Notably, several federal agencies, including the Departments of Energy, Agriculture and Health and Human Services, have fallen victim to this breach. Moreover, it is believed that a majority of schools across the United States have also been targeted.
The implications of this attack are still unfolding, and there are second-order breaches at prominent organizations such as Shell, Siemens Energy, Schneider Electric, First Merchants Bank, City National Bank and various international targets.
Clop, a Russia-linked ransomware group, has claimed responsibility for the breaches, and has threatened to publish stolen information on the dark web.
Biggest Data Breach: Twitter
Recent reports reveal that a substantial collection of email addresses belonging to approximately 200 million Twitter users is currently available for purchase on the dark web, with prices as low as $2. Despite the fact that the underlying vulnerability responsible for this data leak was addressed in January 2023, various malicious actors continue to disseminate this information. The magnitude of this situation cannot be overstated, as it jeopardizes the privacy and security of countless individuals.
Biggest Data Breach in a Health-Care-Related Company: PharMerica
Kentucky-based U.S. pharmaceutical giant PharMerica, which manages 2,500 different facilities across the U.S., has revealed that an unknown actor accessed its systems in March and extracted the personal data of 5.8 million individuals. The hacker took Social Security numbers, birth dates, names and health insurance information from the compromised system.
Special Achievement in Government Data Breaches: U.S. Department of Transportation
Personal information pertaining to 237,000 U.S. government employees has reportedly been exposed in a Department of Transportation data breach.
Reuters reported that the breached system is usually used to process “TRANServe transit benefits,” which are effectively transportation expenses that government employees commuting into offices can claim back. The Department of Transportation told Congress earlier in July that it had “isolated the breach to certain systems at the department used for administrative functions.” No systems that deal with transportation safety have been affected.
It is clear that the size of a company, or even a government department, does nothing to deter a hacker. Businesses across the globe need to take precautions and have a plan in place to deal with the fallout of a cyber breach when it inevitably does occur. The only way to minimize your company’s exposure and avoid making this list next year is to take the threat of cybercrime seriously and protect the valuable data your company holds.