2022 was quite the year for data breaches, security incidents, and compromises. There were over 4,000 data breaches recorded in 2022 and, collectively, over 22B records were exposed. Data breaches are also becoming more and more expensive. IBM’s Cost of a Data Breach report found that 83% of organisations surveyed suffered more than one breach and the average cost reached $4.35M, a new record.
To prevent a repeat of what was a fairly damaging year, it’s important to review some of the more notable data breaches of 2022 and see what we can learn from them.
Uber’s 2022 breach dominated headlines for quite some time and it’s a reminder that data breaches don’t always result in leaked data or hefty fines but can be reputationally damaging.
Essentially, a hacker got into Uber’s internal systems by compromising a third-party contractor using credentials obtained on the dark web. The contractor did have MFA in place, but the attacker contacted the contractor by text message and pressured him into accepting the MFA prompt, giving the hacker access.
Once in, the attacker accessed Uber’s Slack channels as well as key systems containing sensitive information. However, the hacker, who was discovered to be a young teenager, seemed to be more interested in bragging rights than actually damaging Uber or stealing personal information.
The lesson: Cyber risk can also lead to reputational risk. While a more malicious hacker could have done much more damage, the breach did hurt the company’s reputation, even affecting the stock price when news of the incident broke. It also reminds us that third parties are increasingly being compromised and used as a vector to reach the primary organisation. Make sure your employees and your partners are aware of security concerns. This brings us to our next hack…
Twilio, a customer engagement management company providing several communication, authentication, and engagement platforms, was hacked through voice phishing. This resulted in hundreds of customers being compromised through their various associations with Twilio products, including Authy, a 2FA authentication app. One of the affected customers included Signal, an encrypted messaging app, prompting concerns within the privacy community.
As TechCrunch reported, this breach was part of a larger campaign targeting a number of third-party providers such as Mailchimp and Cloudflare, though those companies were better equipped to fend off the attacks.
The lesson: Secure your third parties. Malicious hackers know that targeting a third-party provider, especially a digital supply chain partner, can compromise hundreds of organisations. With reliance on third parties becoming more and more common, prioritising third-party security is a key component of any comprehensive cyber resilience strategy.
Optus Telecommunications, an Australian telecom company, was hit with a huge data breach in 2022. Hackers were able to access PII on 40% of the Australian population, a figure above 10M people. Further reporting found that more sensitive details were stolen from 2.8M people, which increased the risk of identity theft.
While Optus maintained that the attack was sophisticated, hackers claimed that the hack was a trivial effort. To make matters worse, just weeks later, hackers claimed responsibility for an attack against Medibank, an Australian health insurer.
“These hacks have resulted in government responses that sought to find out more information, levy hefty fines, and call for cybersecurity government reform. One major change that was called for was the increase in fines for cybersecurity penalties.”
At the time of writing, the cap stands at $2.2M but Optus’ hack renewed calls for increases in order to motivate organisations to take cybersecurity and consumer data protection seriously.
The lesson: Data breaches can have major fallout beyond the initial compromise and data leak. Depending on the scope of the attack, a government investigation may follow, resulting in heavy fines, additional compliance standards, and industry reform. For example, Shein and ROMWE were fined $1.9M for improperly handling a data breach that occurred in 2018, and Uber’s former CSO was convicted of federal charges for covering up a data breach that occurred in 2016.
2022 was also the year of cryptocurrency and NFT hacks and thefts. Ronin, creator of the NFT game Axie Infinity, saw its game explode in popularity. Unfortunately, hackers also took notice and hit Ronin with an advanced phishing and social engineering attack levied against its developer partner, Sky Mavis.
A key factor that enabled the hack was that Ronin had expanded Sky Mavis’ permissions to keep up with user growth and server capacity. Given Axie Infinity’s rapid increase in popularity, Ronin decided to loosen some security controls in order to move faster. Unfortunately, this meant that if Sky Mavis was compromised, that access could be used against Ronin. This is exactly what happened, and the hack ultimately led to over $600M being stolen from Ronin and Axie Infinity players, one of the costliest attacks we’ve seen.
The lesson: Don’t trade security for growth. It’s easy to think that a particular control isn’t needed or that security controls will only slow things down, but risk management requires companies to weigh the trade-off. Is it worth moving quickly if it means hackers can more easily get into your network? There’s usually a better balance to be found, and the risk is rarely worth it.
This hack occurred in 2021, but the real fallout came in 2022. In December 2021, a terminated employee seeking revenge downloaded the personal information of over 8 million Cash App customers (Block is the owner of Cash App). Cash App, however, didn’t notify impacted customers until four months later. As a result, many users found their accounts compromised and their funds drained in the time between the compromise and the eventual notice.
This prompted a class action lawsuit claiming that Block was negligent in implementing safeguards to protect customer information and that it took too long to notify impacted customers, leading to preventable damage. The lawsuit is still ongoing, and it doesn’t look good for Block or Cash App.
The lesson: Communication is key. Not only should Block have had security controls in place to prevent a terminated employee from accessing personal information, but it should also have had a communication strategy that notified consumers as soon as possible. Legal and compliance standards require notice of a data breach, and the sooner it happens, the better, especially when customer finances are at stake.
Hackers don’t seem to be letting up their attacks. Their methods and motivations are wide-ranging and can lead to a whole host of complicated consequences, whether financial, legal, or reputational.
Companies need to ensure they have the right security controls in place, that they are aware of their third-party risk, and that they know where their data lives. Given the increased use of SaaS apps and cloud-based infrastructure, it’s easy to lose track of where all of a company’s data is, which makes it easier for hackers to make off with it.
This is why we recommend considering Metomic. It’s an automated data discovery and protection tool that finds your data for you across your apps and cloud environment. It can help ensure your data is protected and accounted for, so you don’t end up on the list of 2023 hacks.
To learn more about how Metomic has helped keep company data secure, check out our recent case study with TravelPerk.