Most Headlined Data Breaches of 2022
Data breaches have been on the rise for several years, and 2022 has been littered with thefts of sensitive information. This year, they’ve affected companies and organizations of all shapes, sizes, and sectors, and they’re costing businesses millions in damages around the world.
Below is a compilation of significant recent data breaches that took place between January 2022 and today. It is ordered by month and alphabetically.
On January 17, 2022, an attack targeted 483 users’ wallets on Crypto.com, and the attackers stole approximately $18 million worth of bitcoin and $15 million worth of Ethereum, plus other cryptocurrencies. This was primarily possible because the hackers were able to bypass two-factor authentication and access users’ wallets. Crypto.com later retracted its statement, confirming that money had been stolen and that affected users had been reimbursed. The company also stated that it had audited its systems and worked to improve its security posture.
On January 6, 2022, data breach tracking site HaveIBeenPwned.com revealed on Twitter that 3.7 million accounts had been breached in the month prior. Flexbooker only confirmed that customer names, phone numbers, and addresses were stolen, but HaveIBeenPwned.com said “partial credit card data” was also included. Interestingly, 69% of the accounts were already in the website’s database, presumably from previous breaches.
Data of over 515,000 people had been seized via a cyberattack. The data was lifted from over 60 Red Cross societies globally via a third-party company that the organization uses to store data.
This was orchestrated by a whistle-blower against the company’s wishes and one of the more significant exposures of customer data this year. Information relating to 18,000 Credit Suisse accounts was handed over to German publication Süddeutsche Zeitung, and showed the Swiss company had several high-profile criminals on their books. The incident kickstarted a fresh conversation about the immorality of Switzerland’s banking secrecy laws.
The hijacking of a fundraising site, GiveSendGo, took place in response to the Ottawa truckers’ protests and resulted in the personal details of those who donated to their funds being compromised. The hackers redirected the fundraising site to a page that condemned the Freedom Convoy protests – a case of Distributed Denial of Service attack. They then published the personal information of the 90,000 donors who had contributed to the initiative via the GiveSendGo website.
Nvidia revealed that it was investigating a possible cyberattack, which was confirmed in early March. The infamous hacking group Lapsus$ leaked information pertaining to more than 71,000 employees.
Apple and Meta
In late March, Apple and Meta were outwitted by hackers pretending to be law enforcement officials. The two big tech companies provided the threat actors with customers’ personal information in mid-2021. Some of the hackers were assumed to be Lapsus$ members.
On March 20, 2022, Lapsus$ targeted Microsoft. The group posted a screenshot on Telegram indicating they had hacked Microsoft and compromised several other products. By March 22, Microsoft announced that it had stopped the hacking attempt, and only one account was compromised. Microsoft also said that no customer data had been stolen.
Morgan Stanley Client
US investment bank Morgan Stanley disclosed that several clients had their accounts breached in a vishing attack in February 2022, in which the attacker claimed to be a representative of the bank in order to breach accounts and initiate payments to their own account. This was, however, not the fault of Morgan Stanley, which confirmed its systems “remained secure”.
Cash App admitted that a former employee had breached the servers in April. The hack involved sensitive financial as well as personal information of the customers. As a result, the company contacted over eight million customers to inform them about the incident.
In April 2022, Ronin reported that it had been hacked for $540 million. Not only did it lose that money, but it also had to reimburse its customers for the amount they lost. This is the second biggest crypto hack of all time and is sure not to be the last. While the prospect of accruing more crypto wealth and having non-fungible tokens grow in value is enticing, it’s important to evaluate a crypto network’s cyber security protocols to make sure your assets aren’t affected in a data breach.
Costa Rican Government
The Conti ransomware gang hacked the Costa Rican government—which was forced to declare a state of emergency. Conti members stole highly valuable data and demanded $20 million in payment to not leak it. Nearly 90% of this data—amounting to around 670GB—was posted to a leak site on May 20.
Malaysian National Registration Department
A group of hackers claimed to hold the personal details of 22.5 million Malaysians stolen from myIDENTITI API, a database that lets government agencies like the National Registration Department access information about Malaysian citizens. The hackers were looking for $10,000 worth of Bitcoin for the data.
SuperVPN, GeckoVPN, and ChatVPN
The breach led to the information of 21 million users being leaked on the dark web. Full names, usernames, country names, billing details, email addresses, and randomly generated password strings were among the information available.
A threat actor got their hands on a database that contains PII of many Verizon employees in this Verizon data breach. Vice/Motherboard confirmed these numbers were legitimate by ringing the numbers contained in the databases and confirming they currently (or used to) work at Verizon. According to Vice, the hacker was able to infiltrate the system after convincing an employee to give them remote access in a social engineering scam.
A data breach at student loan servicer Nelnet Servicing caused the confidential information of more than 2.5 million users to be leaked in June 2022. The investigation concluded on August 17, 2022, that, due to a vulnerability in its system, student loan account registration information, including names, home and email addresses, phone numbers, and social security numbers, was accessible to an unknown third party from June until July 22, 2022. Nelnet Servicing notified the US Department of Education and law enforcement.
NFT marketplace OpenSea suffered a data breach after a Customer.io employee misused their employee access to share OpenSea users’ email addresses with an unauthorized external party. As a result, the company stated that anyone with an email account shared with OpenSea should “assume they are affected”.
Shields Health Care Group
It was reported in early June that Massachusetts-based healthcare company Shields was the victim of a data breach that affected 2,000,000 people across the United States. The breach was first discovered on March 28, 2022, and information such as Social Security numbers, Patient IDs, home addresses, and information about medical treatments was stolen. A class action lawsuit was filed against the company shortly after.
Travel booking company Cleartrip, which is massively popular in India and majority-owned by Walmart, confirmed its systems had been breached after hackers claimed to have posted its data on an invite-only dark web forum. The full extent of the data captured from the company’s internal servers is unknown.
The hotel group, which is no stranger to a data breach, confirmed that its second high-profile data breach of recent years had taken place in June after a hacking group tricked an employee and subsequently gained computer access. According to databreaches.net, the group claimed to be in possession of 20 GB of data stolen from the BWI Airport Marriott’s server in Maryland. Marriott would be notifying 300-400 individuals regarding the breach.
Neopets kid’s online pet platform shop
Neopets is a virtual pet platform with hundreds of millions of users and two different kinds of virtual currency. In July, it emerged that around 69 million Neopets accounts may have been compromised. Stolen data including usernames, emails and passwords, dates of birth, countries, zip codes, and genders was offered for sale along with live access to the database, where intruders could alter stats, pets, and in-game credits. All for a meager four Bitcoins (about $65,000 in today’s money).
Twitter suffered a data breach of 5.4 million accounts after threat actors built a database of phone numbers and email addresses. The data of accounts, including celebrities, companies, and random users, is now sold on a hacker forum for $30,000.
Multi-national technology conglomerate Cisco confirmed that the Yanluowang ransomware gang had breached its corporate network after the group published data stolen during the breach online. Security experts have suggested the data is not of “great importance or sensitivity”, and that the threat actors may instead be looking for credibility.
“We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected,” DoorDash said in a blog post. The delivery service went on to explain that “the information accessed by the unauthorized party primarily included [the] name, email address, delivery address and phone number” of a number of DoorDash customers, whilst other customers had their “basic order information and partial payment card information (i.e., the card type and last four digits of the card number)” accessed.
LastPass, a password management provider used by over 30 million people, announced that a third party had been able to infiltrate their network by accessing a compromised developer account. Although the security of the company had been breached, they stated that they don’t believe any encrypted customer data had been accessed, but rather the user “took portions of source code and some proprietary LastPass technical information”. This means that no customer data was breached and that LastPass’s security and encryption measures for their customers’ passwords did their job. Nevertheless, this cyber security breach has prompted LastPass to hire third-party investigators and work towards protecting themselves against more breaches in the future.
An August data breach into Plex, a media server app used by millions, resulted in personal encrypted data of their customers being compromised, including passwords, usernames, and emails. Millions of people’s personal info being accessed can damage a brand’s trust for years to come. Although the vulnerability was addressed and secured, Plex still is encouraging its customers to reset their passwords and enable multi-factor authentication. Again, this should be standard practice to protect yourself against data breaches in 2022.
Messaging behemoth Twilio confirmed on this date that data pertaining to 125 customers was accessed by hackers after they tricked company employees into handing over their login credentials by masquerading as IT department workers.
The personal data of a “very small number” of American Airlines customers has been accessed by hackers after they broke into employee email accounts, the airline has said. Information accessed could have included customers’ date of birth, driver’s license, passport numbers, and even medical information, they added.
IHG released a statement saying they became aware of “unauthorized access” to its systems. The company is assessing the “nature, extent, and impact of the incident”, with the full extent of the breach yet to be made clear.
Far from being an agricultural enterprise for large, edible berries, Kiwi Farms is a community forum best known as a haven of vitriol and hate, where users are free to organize trolling, harassment, and stalking. Originally formed to harass one artist, Kiwi Farms boasts 16,000 active logins per day, and has been linked to multiple suicides. The attack was possible through the misuse of session cookies and may have led some members of the forum to reconsider their relationship with the toxic site.
Microsoft recently confirmed that a misconfigured system had exposed the data of thousands of customers.
The breach might have affected over 65,000 entities across 111 countries.
Australian telecommunication company Optus suffered a devastating data breach on September 22, 2022, that has led to the details of 11 million customers being accessed. The information accessed included customers’ names, dates of birth, phone numbers, email and home addresses, driver’s licenses and/or passport numbers, and Medicare ID numbers. Files containing this confidential information were posted on a hacking forum after Optus refused to pay a ransom demanded by the hacker. Victims of the breach also said that they were contacted by the supposed hacker demanding they pay AU$2,000 (US$1,300) or their data would be sold to other malicious parties.
Samsung announced that they’d fallen victim to a “cybersecurity incident” when an unauthorized party gained access to their systems in July. In August, they learned some personal information was impacted, including names, contact information, demographics, birth dates as well as product registration information. Samsung is contacting everyone whose data was compromised during the breach via email.
The personal information of more than 50,000 users of fintech start-up Revolut was accessed during a data breach that took place on September 11, 2022. The breach involved a third-party gaining access to Revolut’s database and the personal information of 50,150 users. The data accessed included names, home, and email addresses, and partial payment card information, although Revolut has stated that card details were masked. The Lithuanian government said that Revolut had taken “prompt action to eliminate the attacker’s access to the company’s customer data and stop the incident” once it was discovered.
Uber & Rockstar
On September 15, Uber’s internal servers were accessed after a contractor’s device was infected with malware and their login details were sold on the dark web. The hacker accessed several other employee accounts, which then gave them access to several internal tools. The hacker then posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.
The hack into Rockstar Games, developer of the Grand Theft Auto (GTA) game series, was discovered on September 19, 2022. A user called teapotuberhacker posted on Grand Theft Auto game series fan site GTAForums: “Here are 90 footage/clips from GTA 6. It’s possible I could leak more data soon, GTA 5 and 6 source code and assets, GTA 6 testing build.”
The hacker claimed they had “downloaded from Slack” via hacking into a channel used for communicating about the game. Rockstar Games made a statement via Twitter that said the company had suffered a “network intrusion” which had allowed an unauthorized third party to “illegally access and download confidential information from [its] systems”, including the leaked GTA 6 footage.
Carding marketplaces are dark websites where users trade stolen credit card details for financial fraud, usually involving large sums of money. On October 12, 2022, carding marketplace BidenCash released the details of 1.2 million credit cards for free. A file posted on the site contained the information on credit cards expiring between 2023 and 2026, in addition to other details needed to make online transactions.
BidenCash had previously leaked the details of thousands of credit cards in June 2022 to promote the site. As the carding marketplace had been forced to launch new URLs three months later in September after suffering a series of DDoS attacks, some cyber security experts suggested this new release of details could be another attempt at advertising.
Health insurer Medibank revealed on October 25, 2022, that almost 4 million of their customers’ data had been exposed to a hacker. The Australian health insurer said the personal information that could have been obtained includes name, address, date of birth, and even insurance card numbers. Medibank said it would offer compensation to those who were taken advantage of due to their private information being accessed. The estimated cost of this cyber-attack to the company is between $25M and $35M. They have since investigated, added more network monitoring, and determined the hacker is no longer present.
2.2 million customers of Woolworths subsidiary MyDeal, an Australian retail marketplace, have been impacted by a data breach. According to reports, the company’s CRM system was compromised, with names, email addresses, telephone numbers, delivery addresses, and some dates of birth exposed during the breach.
Singtel, the parent company of Optus, revealed that “the personal data of 129,000 customers and 23 businesses” was illegally obtained in a cyber-attack that happened two years ago. Data exposed includes “National Registration Identity card information, name, date of birth, mobile numbers, and addresses” of breach victims.
On October 14, Tata Power disclosed that a cyberattack had hit its IT infrastructure, and some of its systems were affected. However, in a Bombay Stock Exchange filing, the Mumbai-headquartered company said all critical operational systems were functioning and that it had “taken steps to retrieve and restore its systems”.
In a message posted on the Toyota website, the car manufacturer stated that almost 300,000 customers who had used its T-Connect telematics service had had their email addresses and customer control numbers compromised. The company assured customers that there was no danger of financial data such as credit card information, nor names or telephone numbers, having been breached. In its statement, Toyota acknowledged that the T-Connect database had been compromised since July 2017 and that customers should be vigilant for phishing emails.
Australian wine dealer Vinomofo has confirmed it has suffered a cyber-attack. PII of the company’s almost 500,000 customers may have been exposed – although it is currently unclear how many have been affected.
AirAsia Group has, according to reports, suffered a ransomware attack orchestrated by “Daixin Team”. The threat group told DataBreaches.net that they obtained “the personal data of 5 million unique passengers and all employees.” This included name, date of birth, country of birth, location, and their “secret question” answer.
Dropbox has fallen victim to a phishing attack, with 130 GitHub repositories copied and API credentials stolen after credentials were unwittingly handed over to the threat actor via a fake CircleCI login page.
However, Dropbox confirmed in a statement relating to the attack that “no one’s content, passwords or payment information was accessed” and that the issue was “quickly resolved”. Dropbox also said that they were in the process of adopting the “more phishing-resistant form” of MFA technique, called “WebAuthn”.
On November 16, 2022, a hacker posted a dataset to Breach Forums containing what they claimed to be the up-to-date personal information of 487 million WhatsApp users from 84 countries.
The alleged hacker said those who bought the datasets would receive “very recent mobile numbers” of WhatsApp users. According to the bad actor, among the 487 million records are the details for 32 million US users, 11 million UK users, and six million German users. The hacker did not explain how such a large amount of user data had been collected, saying only that they had “used their strategy” to obtain it.
Password manager LastPass has told some customers that their information was accessed during a recent security breach. According to LastPass, however, no passwords were accessed by the intruder. This is not the first time LastPass has fallen victim to a breach of their systems this year – someone broke into their development environment in August, but again, no passwords were accessed.
Uber announced on December 12th, 2022, that a hacker under the pseudonym “UberLeaks” gained access to 70,000+ Uber employees’ data and was posting stolen corporate data. They believe this data breach occurred because of a third-party vendor, Teqtivity, who had their mobile device management compromised.
The hacker also claimed it could hack into several of the company’s databases, including messaging data. Uber got in touch with law enforcement and found out the hacker compromised an employee’s account. Uber had dealt with a cyber-attack in the past and didn’t report it, which led to a legal battle and thousands of dollars in fees. Now that another big data breach has happened in 2022, they may need to spend more money to upgrade their cyber security.
Protection from Cyber-Attacks
To protect your organization from the sorts of cyber-attacks that lead to financially fatal data breaches, ensuring proper defenses are in place and kept integrated is one of the most crucial things you can do.
Some companies and organizations have had to shut down due to the fallout costs of a cyberattack. There has never been more of an onus on companies, colleges, and other types of organizations to protect themselves.
Unauthorized access to networks is often facilitated by weak business account credentials. Keep stringent password policies and validate crown jewel accounts. This will allow you to create robust passwords that are sufficiently long and different for every account you hold. Also enable security measures such as two-factor authentication wherever possible, to create a second line of defense.
Another thing you must do is ensure your staff has sufficient training to spot suspicious emails and phishing campaigns. 70% of cyberattacks target business email accounts, so having staff that can recognize danger when it’s present is just as important as any software.