Year after year, various data leaks manage to hit the headlines, with 2023 being no different in this regard. To give you a glimpse into what we’ve experienced so far, we’ve neatly summarized 2023’s biggest data leaks.

1. DarkBeam

DarkBeam, an enterprise specializing in digital risk protection, incurred a data breach when its Chief Executive Officer, Mr. Bob Diachenko, identified an inadequately secured Elasticsearch and Kibana interface on the 18th of September. This security lapse resulted in the exposure of records containing user email addresses and passwords originating from both previously documented and undisclosed data breaches.

While most of the 3.8 billion exposed records originated from previous data breaches and were collected by DarkBeam to alert its customers, the sheer volume and organization of this data presented an opportunity for creating convincing phishing campaigns. It remains uncertain if anyone accessed this data, emphasizing the importance of security precautions, like checking credentials on haveibeenpwned.com and practicing good cybersecurity habits.

When personal data gets leaked, it’s very hard to get it wiped clean.

2. UK Electoral Commission

The UK Electoral Commission experienced a significant data breach in which malicious actors gained access to the country’s electoral registers, housing personal information of approximately 40 million individuals. The breach, initially deemed a “complex cyber-attack,” was discovered in October 2022, with suspicious activity dating back to August 2021.

Malicious actors successfully breached the security of the Electoral Commission’s servers, resulting in the compromise of email systems, control mechanisms, and archived versions of electoral registers spanning the years 2014 to 2022. Furthermore, the breach exposed sensitive information, encompassing individuals’ names, residential addresses, birthdates, email addresses, contact numbers, and additional data submitted via webforms and email correspondences.

Security lapses, including a failed Cyber Essentials audit and running unpatched software, revealed vulnerabilities in the Commission’s cybersecurity measures. The Cyber Essentials framework, endorsed by the National Cyber Security Centre, provides basic cybersecurity controls, including patch management, which the Commission had not met.

3. Genworth Financial

Genworth Financial, a United States-based life insurance provider, became a target of the MOVEit data breach, resulting in the unauthorized exposure of in excess of 2.5 million records. The breach came to light on June 16th when it was confirmed that customers’ personal information had been unlawfully appropriated. The compromised data encompassed individuals’ names, birthdates, Social Security numbers, residential addresses, and policy numbers.

Genworth’s in-house systems stayed safe and sound. The breach was actually linked to data that was shared through a file-sharing service. They got wind of the breach through a heads-up from PBI Research Services, a firm that manages population data. Interestingly, two other outfits got caught up in this mess as well: CalPERS, where a whopping 769,000 members took a hit, as well as Wilton Reassurance.

4. Shields Health Care Group

During April 2023, the Shields Health Care Group, a medical services provider located in Massachusetts, experienced a significant data breach, notable as the most substantial breach of that month. In this breach, a cybercriminal gained unauthorized access to personal data belonging to approximately 2.3 million individuals. The incident, with its origins tracing back to March 2022, was formally substantiated subsequent to the detection of suspicious activities within the organization’s internal network.

The breach resulted in the exposure of highly sensitive information, encompassing patients’ Social Security numbers, birthdates, addresses, healthcare provider details, medical histories, billing particulars, insurance identifications, and financial data. In response, Shields undertook measures to fortify their system security, conducted an exhaustive investigation, and reasserted their dedication to upholding data security and privacy standards.

5. T-Mobile

T-Mobile USA reported its second data breach of 2023. The breach, which occurred between late February and March, affected 836 customers. While the number of victims may appear relatively small compared to the earlier January breach that impacted around 37 million customers, the personal data compromised in this case is concerning.

The pilfered data encompassed complete names, contact numbers, account identifiers, phone numbers, T-Mobile account Personal Identification Numbers (PINs), Social Security numbers, government-issued identification numbers, birthdates, outstanding financial balances, internal codes employed for customer account management (such as rate plans and feature codes), and the count of active phone lines. This incident marks the ninth data breach encountered by T-Mobile since the year 2018.

Should any of it keep surfacing on the web, it’s advisable to familiarize yourself with opt-out guides for various online data brokers. Although this does not guarantee that they will follow such user-initiated requests, they are legally obliged to do so.

Conclusion

Data breaches of such scale teach us the important lesson that cybersecurity is not to be taken lightly. If catastrophes like these can befall even the most reputable organizations, individuals should tread even more carefully.