Analyzing the Biggest Cybersecurity Exposure and Threat Events from 2023


The last 12 months have been awash with incidents that led to significant data breaches, government regulatory and legal sanctions, and loss of business services availability. In 2023 we saw the most private personally identifiable information exposed, business services shut down, and CISOs fired—and even charged for legal violations by the federal government. As we look ahead to 2024, this is a great time to survey the damage of late to understand how enterprise risk postures need to change to meet the most current threat trends.

While such exposures occur every year, 2023 taught us new lessons and offered more painful reminders about how organizations need to improve their security posture. One of the clearest lessons this year is that modern cyber threats are complex and sophisticated and all organizations need deep visibility into their attack surface so that they can manage their digital risk to the extent they need and rapidly respond to incidents.

Here are some of the biggest events that stood out, along with why they're important:

Theft of sensitive patient medical information

Massachusetts-based medical services provider Shields Health Care Group became aware of suspicious activity on its network in March of 2023. Its investigation found evidence of a breach between March 7 and March 21, 2022. During that time, the attacker accessed sensitive patient data, including names, Social Security numbers, addresses, insurance information, medical treatment information, and more. The breach affected nearly 2.4 million patients, according to the notice the care group filed with the Maine Attorney General's office.

Why it's important

The large number of affected patients and the nature of the stolen data make this breach significant. Such breaches place patients at risk of identity theft and medical fraud. It also highlights how vulnerable healthcare providers remain to such attacks.

Theft of private genetic ancestry data

Genetic testing company 23andMe sustained a data breach in October 2023 in which sensitive customer information was exposed. Evidence of the breach became known when Golem, a known threat actor, published a sample of 20 million data items allegedly from 23andMe. The leaked data consisted of customer names, gender, birthdays, geographical location, and some genetic ancestry results.

When 23andMe confirmed the attack, it said its own systems were not breached; instead, user accounts were accessed through a credential stuffing attack. In credential stuffing, attackers take login credentials already exposed in earlier breaches, commonly email addresses or usernames paired with passwords, and try them against another service, relying on users who reuse the same password across sites. The full scope of the incident remains unclear, as does whether the attacker used methods beyond credential stuffing to obtain the stolen data.
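Credential stuffing has a recognisable shape in authentication logs: one source tries many distinct accounts and fails on most of them, whereas a legitimate user who mistypes a password hits one account a few times. The following detector, added here as an illustration and not taken from 23andMe or from the article, applies that heuristic to a constructed sample log; the line format (`<timestamp> ip=<ip> user=<user> result=<ok|fail>`) and the thresholds are assumptions for the example.

```python
"""Flag likely credential-stuffing sources in authentication logs.

Added example. Heuristic: a credential-stuffing campaign replays leaked
username/password pairs, so one source IP attempts MANY DISTINCT accounts
and fails on most of them. Counting distinct usernames and the failure
ratio per source IP separates that pattern from an ordinary typo.
"""
import re
from collections import defaultdict

# Constructed sample log. The line format "<ts> ip=<ip> user=<user> result=<ok|fail>"
# is an assumption for this example, not a real product's log format.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2023-10-01T10:00:02Z ip=203.0.113.5 user=bob result=ok
2023-10-01T10:00:03Z ip=203.0.113.5 user=carol result=fail
2023-10-01T10:00:04Z ip=203.0.113.5 user=dave result=fail
2023-10-01T10:00:05Z ip=203.0.113.5 user=erin result=fail
2023-10-01T10:00:06Z ip=203.0.113.5 user=frank result=fail
2023-10-01T10:00:07Z ip=203.0.113.5 user=grace result=fail
2023-10-01T10:00:08Z ip=203.0.113.5 user=heidi result=fail
2023-10-01T10:05:00Z ip=198.51.100.7 user=alice result=fail
2023-10-01T10:05:10Z ip=198.51.100.7 user=alice result=fail
2023-10-01T10:05:20Z ip=198.51.100.7 user=alice result=ok
2023-10-01T10:06:00Z ip=192.0.2.9 user=carol result=ok
"""

LINE_RE = re.compile(
    r"^\S+ ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_auth_log(text):
    """Yield (ip, user, result) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group("ip"), match.group("user"), match.group("result")


def find_credential_stuffing(text, min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for source IPs whose login pattern looks like
    credential stuffing: at least `min_distinct_users` distinct accounts
    attempted and at least `min_fail_ratio` of the attempts failing.

    The summary lists accounts that DID succeed from that IP: those are the
    reused passwords that matched, and they should be reset and reviewed first.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(), "ok": 0, "fail": 0})
    for ip, user, result in parse_auth_log(text):
        rec = per_ip[ip]
        rec["users"].add(user)
        rec[result] += 1
        if result == "ok":
            rec["ok_users"].add(user)

    findings = {}
    for ip, rec in per_ip.items():
        total = rec["ok"] + rec["fail"]
        fail_ratio = rec["fail"] / total
        if len(rec["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(rec["users"]),
                "fail_ratio": fail_ratio,
                "compromised_accounts": sorted(rec["ok_users"]),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample, 203.0.113.5 is flagged (8 accounts, 7 failures, one successful login to `bob`), while the user at 198.51.100.7 who fails twice before logging in is not. Thresholds should be tuned per environment, and the successful logins from a flagged source are the ones to act on.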

Why it's important

The nature of the data exposed in the 23andMe data breach makes it significant. Genetic data is very personal and sensitive. The data disclosure appears to have targeted Ashkenazi Jews.

MOVEit attacks

In May 2023, attacks on the MOVEit managed file transfer software began to surface. MOVEit is used by many organizations to transfer files securely from site to site. Because the attackers initially exploited a zero-day vulnerability, security teams had to build custom detections to gain visibility into their exposure. Months after the disclosure, some organizations were still vulnerable.

The attacks are believed to have been coordinated mainly by the Cl0p ransomware group. Despite the release of a security patch by the software vendor, Progress Software, many affected firms have not yet installed it, leaving their systems vulnerable.

Why it's important

The attacks underscore the growing threat of software supply chain security risks and the importance of timely patching. According to one analysis, the attacks have affected more than 2,500 organizations and 66 million people. The attack also marked a change in ransomware tactics: instead of encrypting files and demanding a ransom for the decryption key, the attackers exfiltrated the victim's data and demanded payment not to release it publicly.

Large AI data pipeline exposure

In September, members of Microsoft's AI research team accidentally exposed 38 terabytes of sensitive data through a GitHub repository. The exposure, identified by an outside company, included AI training data, passwords, secret keys, and over 30,000 internal Microsoft Teams messages. It was made possible by an overly permissive SAS (shared access signature) token. SAS tokens exist to let users share specific Azure Storage data privately and securely; this one was scoped far more broadly than the data it was meant to share.
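The difference between a narrowly scoped SAS token and an over-broad one is visible in the token's own query parameters. The following auditor, added as an example here and not Microsoft's code, parses the documented SAS parameter names (`sp`, `se`, `srt`, `ss`, `sr`, `spr`) and reports the properties that turn a "share one file" link into a credential for a whole storage account; the two tokens, the `sig=CONSTRUCTED` placeholder and the seven-day lifetime limit are constructed for the example.

```python
"""Audit an Azure Storage SAS token for over-broad scope.

Added example, not Microsoft's code. Documented SAS query parameters used:
  sp  permissions  (r read, w write, d delete, l list, a add, c create, u update, p process)
  se  expiry time  (ISO 8601, UTC)
  srt account-SAS resource types (s service, c container, o object)
  ss  account-SAS services (b blob, f file, q queue, t table)
  sr  service-SAS resource (b blob, c container, ...)
  spr permitted protocols ("https" or "https,http"; the service default allows both)
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

MUTATION_PERMS = set("wdacu")


def parse_sas(url_or_query):
    """Accept a full SAS URL or just its query string; return {param: value}."""
    query = urlsplit(url_or_query).query if "?" in url_or_query else url_or_query
    return {key: values[0] for key, values in parse_qs(query).items()}


def audit_sas(url_or_query, now, max_lifetime_days=7):
    """Return a list of finding codes; an empty list means the token is narrowly scoped."""
    params = parse_sas(url_or_query)
    findings = []
    perms = set(params.get("sp", ""))
    if perms & MUTATION_PERMS:
        findings.append("mutation-perms")       # can write or delete, not just read
    if "l" in perms:
        findings.append("list-perm")            # can enumerate everything in scope
    if set(params.get("srt", "")) >= {"s", "c", "o"}:
        findings.append("account-wide-scope")   # every container and object
    if len(params.get("ss", "")) > 1:
        findings.append("multi-service")        # blob + file + queue + table
    if params.get("spr", "https,http") != "https":
        findings.append("not-https-only")       # token can travel over plain HTTP
    expiry = params.get("se")
    if expiry is None:
        findings.append("no-expiry")
    else:
        expires_at = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if (expires_at - now).days > max_lifetime_days:
            findings.append("long-expiry")
    return findings


# Constructed tokens; "sig=CONSTRUCTED" is a placeholder, not a real signature.
OVERLY_BROAD = (
    "sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacup"
    "&se=2051-10-02T00:00:00Z&spr=https&sig=CONSTRUCTED"
)
NARROW = (
    "https://example.blob.core.windows.net/datasets/train.csv"
    "?sv=2021-06-08&sr=b&sp=r&se=2023-09-20T00:00:00Z&spr=https&sig=CONSTRUCTED"
)
NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("overly broad:", audit_sas(OVERLY_BROAD, NOW))
    print("narrow:", audit_sas(NARROW, NOW))
```

The narrow token (one blob, read only, two-day lifetime) produces no findings; the broad one is flagged on five counts, including account-wide scope and an expiry decades away. A check like this fits naturally in a pre-commit hook or secret scanner so that a token pasted into a README is caught before it is pushed.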

Why it's important

This incident underscores the long-standing danger of misconfigured cloud storage that becomes publicly reachable, and the new risks that come with handling vast troves of AI training data and building the data pipelines that feed these models.

This incident highlights the risks of handling large amounts of data, particularly in AI. It also underscores the importance of rigorous security checks and safeguards when sharing and storing data. The breach could potentially impact Microsoft's reputation and trustworthiness, especially given the company's prominence in the tech industry.

Identity provider security incident

In October 2023, Okta, one of the most important identity and access management providers, announced it had suffered a significant data breach. Attackers used stolen credentials to gain access to Okta's support case management system and were then able to view files that some Okta customers had uploaded to recent support cases.

Why it's important

The Okta data breach is significant because Okta is a leading identity and access management provider with a vast range of notable clients, and because the breach exposed sensitive customer data. Stolen or abused credentials are involved in nearly every data breach at some point during the attack. The breach raised significant concerns about the security and privacy of customer data, and it underscores the importance of continuous monitoring to safeguard identity provider systems and limit the impact of a compromise.

Security incidents leading to production disruptions

In the late summer of 2023, Clorox Company and MGM Resorts were hit by significant cyberattacks. Both attacks, attributed to the Scattered Spider group, caused widespread disruption and financial losses.

The Clorox breach resulted in operational disruptions and a significant projected sales loss. The attack on MGM Resorts caused some casino and hotel computer systems to become unavailable and is estimated to have cost the company about $100 million. Names, contact information, and passport numbers were among the exfiltrated data in the MGM breach.

Why it's important

Both attacks would be considered material to investors and trigger the SEC's new disclosure rule. Both breaches also caused substantial operational disruptions and business losses. Additionally, the MGM breach involved the theft of personal data, raising data privacy concerns. The breaches also serve as a reminder of the potential financial and reputational damage that can result from a significant cybersecurity incident.

It's clear that these incidents come with significant business costs. While it's essential that the breached companies learn from these incidents, it's also vital that the rest of us learn what we can from these cases. Of course, it's not always possible to avoid a data breach—many of these could theoretically happen to any company. Implementing the proper security controls and defenses, continuously managing one's attack surface, and putting in place the tools and teams necessary for an effective response can minimize the impact.