The year 2023 hasn’t been kind in terms of data breaches. By October, the number of data compromises was already up by 17% (2,116 compromises) compared to the entirety of 2022.
An Apple-commissioned study carried out by MIT professor Dr. Stuart Madnick labels the current state of data breach prevalence as an “epidemic.”
The Identity Theft Resource Center (ITRC) attributes the 2023 increase to the combined increase of zero-day vulnerabilities, ransomware attacks, and supply chain attacks. Each of these elements plays a role in the breaches we’ll be looking at below.
Although the number of breaches in 2023 is unbelievably extensive, we’ve chosen to focus on the following four to delineate several lessons and key trends that companies should focus on in the coming year.
Uber continues to get hacked
Uber made the list again in April 2023 as a result of yet another supply chain hack that allowed hackers to exfiltrate highly sensitive drive information, including social security numbers.
A supply chain hack occurs when hackers target one of the company’s vendors or suppliers. Supply chain hacks are popular when targeting larger companies because their relatively smaller vendors usually have a weaker security posture. Uber had suffered another supply-chain hack just four months earlier, in December 2022.
In April’s hack, cybercriminals infiltrated the network of legal firm Genoa Burns and removed files between the dates of January 23, 2023, and January 31, 2023.
In what has become a standard response to breaches, Genoa Burns offered victims one year of credit monitoring services free of charge, although critics question the efficacy of such services.
Key lesson: It isn’t enough to secure your own network, it’s also vital to take a direct interest in the security practices of your suppliers, vendors, and anyone else in your supply chain.
Zero-day MOVEit Transfer vulnerability hits millions
Perhaps one of the most shocking attacks of 2023 was the zero-day exploitation of a MOVEit Transfer vulnerability. Hackers infiltrated a website flaw so basic, so fundamental, so Web Architecture 101 that to have this occur in 2023 defies words. The attack method? SQL Injection.
Adding to the shock is the fact that MOVEit’s primary USP is the ability to provide secure, audited file transfers. By using MOVEit, organizations can transfer data across the web from organization to organization, maintain an audit trail, and comply with key regulations, such as HIPAA (Health Insurance Portability and Accountability Act) for the medical industry, or GDPR (General Data Protection Regulation) for European data transfers.
The hack exposed data from US federal agencies, the BBC, British Airways, 2,500 organizations, and over 80 million individuals.
Days later, Progress—the company that owns MOVEit—announced even further SQL injection vulnerabilities, and provided further patches. By this time, much of the damage had been done. Malicious actors had installed rogue files on affected accounts, giving them backdoor access to MOVEit accounts so they could exfiltrate data and sensitive files.
SQL stands for Structured Query Language. It’s the language used to query certain types of databases. Because of this language’s flaws and high security risk, many other database types that don’t use SQL have since been developed, such as Google’s Cloud Bigtable, Amazon’s DynamoDB, and open-source MongoDB.
SQL injections (SQLi) have existed for over 20 years. In 2022, 1,162 new SQLi vulnerabilities were discovered and reported.
SQLi becomes possible when developers fail to properly “sanitize” user input, meaning that they fail to remove characters such as single quotation marks (‘) and backslashes (\) that have special meanings in SQL. Many tools exist to sanitize this input, but this type of flaw remains a potential risk because of the inherent flaws in SQL itself, which was developed long before the modern internet age.
SQLi remains a popular attack method because protecting against it requires:
- Following software development best practices without the slightest deviation.
- Repeated, rigorous, and comprehensive testing and penetration testing, which can quickly grow burdensome.
As for the zero-day aspect of the attack, Progress suggested that users completely switch off HTTP and HTTPS access to their MOVEit accounts while the company worked on a patch. The company announced a fix; then, days later, discovered further flaws.
Key lesson: Be on alert for any zero-day announcements and proceed on the side of extreme caution. Then, if at all possible, wait several days or even a week before re-enabling affected services.
The casino industry loses big, suffering multiple data breaches
MGM Resorts was hit by a megahack that shut down slot machines, disabled guest room keys, brought down its websites, and ultimately cost the company $100 million in lost revenue. MGM Resorts also had to pay an additional $10 million in legal fees, risk remediation, incident response measures, and other related post-breach services.
Customer data was also leaked, including Social Security Numbers (SSNs) and passport numbers, although MGM didn’t disclose how many records were affected.
Details of how the hack was perpetrated are vague, with MGM providing minimal details in its official statement. However, one report suggests that the attack came about through social engineering.
The claim is plausible, considering that social engineering tactics are on the rise, according to Verizon’s 2023 Data Breach Investigations Report (DBIR), which also states that 74% of all breaches involve the “human element”—human error, stolen credentials, social engineering, etc.
Although details of the hack remain vague, what’s abundantly clear is how casinos and the entertainment industry are becoming attractive high-profile targets. Just weeks before the MGM attack, Caesars paid hackers “tens of millions of dollars” in a ransomware attack, reports Bloomberg.
The attacks appear to be part of a coordinated effort by a “hyper-aggressive” gang set on targeting corporate America.
Key lesson: The attacks highlight the urgent need for large corporations to secure their networks and train employees using effective cybersecurity training methods that address the risks involved in social engineering attacks.
Medical breaches reach new heights
The medical industry continues to be a high-risk industry because of the immense value of PHI (Protected Health Information). Unlike other PII (Personally Identifiable Information) such as email addresses and phone numbers, PHI contains far more comprehensive and sensitive data, which can be used to carry out large-scale fraud, including insurance fraud. On the black market, PII typically sells for $1-$10, whereas PHI can fetch upwards of $360 per record.
Medical data breaches increased by more than double in 2023, with over 87 million records breached. However, there is a silver lining: The number of attacks was fewer in the first half of the year, even if the number of records disclosed increased. The reason for few attacks given in the above-linked article, is that medical organizations hardened their defenses against phishing. This means that there were far fewer successful email-driven attacks, which are a primary driver of data breaches. Although this is good news, further hardening of network services is still required, because this is where hackers have now shifted their attention.
Key lesson: Comprehensive coverage is essential because hackers will adapt as necessary when an organization increases its resilience.
What organizations can do today to prepare for 2024
The primary takeaways from these breaches are:
- Supply chains remain incredibly vulnerable. Companies need to consider the security of their entire supply chain, not only their internal security posture.
- Ransomware gangs are getting more organized and aggressive. It’s risky to develop a false sense of complacency. The time to invest in comprehensive cybersecurity protection is now.
- Err on the side of caution for zero-day vulnerabilities. Take affected systems offline and wait for the dust to settle before assuming you’re in the clear. While that may not always be feasible, it’s still important to develop the mindset of being extra vigilant whenever possible.
- At-risk sectors such as medicine and finance must double down on cybersecurity.
Even large enterprises struggle to stay abreast of the latest threats. The massive lack of skilled cybersecurity professionals is exacerbating the risks. Even if that workforce were readily available, to be truly secure these days requires investing in a wide variety of security skill sets. That often increases the security budget beyond a company’s ability to sustain.
In this respect, a Managed Security Program is the most logical solution and is something to which many enterprises and small businesses are turning. A managed security program lets companies invest in the full gamut of cybersecurity tools while benefiting from the economies of scale.
A managed security program provider such as SolCyber maintains a team of cybersecurity specialists who can serve multiple companies at once. This solves both the workforce shortage and the need for specialized skills. Such a managed security provider uses a mixture of AI and human-driven solutions, allowing it to offer full coverage at a fraction of the cost of supplying all the necessary tools and personnel in-house.
SolCyber provides multiple solutions that fit businesses of all needs and sizes. These solutions include detection and response, network monitoring, cyber insurance options (to offset financial and reputational risk), as well as other security services that can be tailored to help your company achieve and maintain cyber resilience.
To learn how SolCyber’s services can help you stay cyber secure, contact us today for more information.