The internet has made finding, storing, and sharing information so much easier. Data can be easily processed and sent away within seconds through an array of advances in technology. While these steps have drastically improved our lives, data safety has been a growing concern through the years. Recent data breaches in 2022 have left many wondering about the actual safety of their information.
When we hear the term "data breach," we may picture a lone hacker stealing a small amount of data from a personal device. However, in our digital age, nearly all businesses, services, and government entities operate online, making data breaches much more threatening.
Large corporations have access to vast amounts of personal information, such as financial details, social security numbers, and private contact information. Entrusting these companies to safeguard our data is a risk, as they could become a target for cybercriminals who then use our information for nefarious purposes on the dark web.
A List of Data Breaches 2022: A Treasure Trove
Statista reported that during the third quarter of 2022, approximately 15 million data records were exposed worldwide through data breaches, an increase of 37% compared to the previous quarter.
Cybercriminals are targeting businesses that hold more information to exploit the private data of individuals or companies for monetary or personal gain. We’ve drawn up a list of the most recent data breach incidents to take place in 2022:
Toyota Data Breach 2022
In October, the Japanese automotive manufacturing giant Toyota suffered a data breach when the source code of one of its servers was published on GitHub. ACS reported that almost 300,000 records of email addresses and customer phone numbers were exposed in the incident.
The company issued a public apology on the Japanese section of its global website, informing customers who had signed up for T-Connect - Toyota's online telematics service - that they may have had their information leaked to hackers. The breach impacted customers who signed up for the service any time after July 2017 - with a total of 296,019 cases found to have been leaked.
The data breach was confirmed when part of the source code for the T-Connect platform was found on the public software development platform GitHub and contained an access key that could be used to view the private data of customers.
Toyota explained that the incident happened due to a website development subcontractor mistakenly uploading the critical portion of the source code which was then accessed by a third party.
The mistake went unnoticed until September of 2022, meaning that the server was left exposed for almost 5 years without any indication.
While the source code was immediately made private on the same day that it was discovered on the platform and the access key changed, there remains a high possibility that a data breach already took place within the time it was left unchecked.
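As an added example (not part of the original article and not Toyota's code), the Python check below shows the kind of pre-publish scan that catches an access key hard-coded in source before it reaches a public repository. The file names, variable names, key value and the 3.5-bit entropy threshold are all assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# A quoted literal (16+ chars) assigned to a name that suggests a credential.
CANDIDATE = re.compile(
    r"""(?ix)
    \b([a-z0-9_.-]*(?:key|secret|token|passw(?:or)?d)[a-z0-9_.-]*)   # variable or config name
    \s*[:=]\s*
    ["']([^"'\s]{16,})["']                                           # literal value
    """
)

def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score high, placeholders score low."""
    counts = Counter(value)
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in counts.values())

def scan_text(path: str, text: str, min_entropy: float = 3.5):
    """Return (path, line_no, name) for every literal that looks like a live key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, value in CANDIDATE.findall(line):
            if shannon_entropy(value) >= min_entropy:
                findings.append((path, line_no, name))
    return findings

def scan_tree(files: dict):
    """Scan a mapping of path -> file content, as a pre-publish gate would."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample tree (hypothetical files; the key value is made up).
SAMPLE_TREE = {
    "app/config.py": (
        'import os\n'
        'DB_HOST = "db.internal.example"\n'
        'DATA_SERVER_ACCESS_KEY = "q7Zp2Lm9Xv4Rk8Tb1Nc6Hd3Wy5Jf0Gs2Au7Eo4Iq"\n'
    ),
    "app/settings_safe.py": (
        'import os\n'
        'DATA_SERVER_ACCESS_KEY = os.environ["DATA_SERVER_ACCESS_KEY"]\n'
        'API_TOKEN = "REPLACE_ME_REPLACE_ME"\n'
    ),
}

if __name__ == "__main__":
    for path, line_no, name in scan_tree(SAMPLE_TREE):
        print(f"{path}:{line_no}: hard-coded credential in {name}")
```

Run as a commit or CI gate, a check like this fails the build on the hard-coded key in the first file while passing the environment lookup and the low-entropy placeholder in the second.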
Equifax Data Breach Settlement 2022
Credit reporting firm Equifax revealed in September 2017 that a data leak in its servers had exposed the personal information of 147 million clients. The records included customer names, residences, dates of birth, social security numbers, and credit card numbers.
The company agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 US states and territories that added up to $425 million to help people affected by the data breach.
In March 2017, Apache publicly disclosed a vulnerability in its Apache Struts software and provided patches to fix it. The Department of Homeland Security informed Equifax of the flaw the following day and Equifax's Global Threats and Vulnerability Management team distributed an alert to 400 employees.
However, a few days later, the Equifax network was breached through exploitation of the Apache Struts vulnerability in its online dispute portal. The attacker was able to access and steal private consumer data in the months following the initial breach.
The Electronic Privacy Information Center commented that the scope of the data breach problem extends well beyond Equifax and that the consumer reporting industry has a sordid history of poor cybersecurity - citing that in May 2016, identity theft resulted in the stolen tax and salary data of more than 431,000 people from Equifax.
The hefty settlement was finalized in January 2022 and is open to claims until January 2024. The $425 million amount aims to assist with any account losses from unauthorized charges, attorney fees, notary charges, or time spent recovering from identity theft or fraud as a result of the data breach.
T-Mobile Data Breach 2022
T-Mobile admitted to being the victim of a data breach in January 2023. The mobile company issued a regulatory filing saying that it had identified a bad actor accessing data through an API - stating that the data breach probably began around November 2022.
While the accounts of approximately 37 million customers were compromised, the company insists that the data stolen did not include passwords, social security numbers, or any bank account and credit card information. The stolen data was instead limited to basic customer account data - including names, billing addresses, contact details, and T-Mobile account information.
Earlier in March, the Lapsus$ hacking group took credit for stealing source code from T-Mobile in a series of breaches. Confirming the attack in a statement to The Verge, the organization assured that the “systems accessed contained no customer or government information, or other similarly sensitive information.” The telecommunications company is no stranger to data breaches – having reported eight separate data breaches since 2018.
According to NPR, T-Mobile agreed to pay $350 million in July 2022 to customers who filed a class action lawsuit after the company revealed that personal data that included social security numbers and driver's license information had been stolen in 2021 – affecting almost 80 million US residents.
Capital One Data Breach 2022
In September 2022, the approval of a class action settlement was granted relating to a data breach within Capital One. The weighty $190 million settlement comes after the bank holding company suffered a data breach in 2019 that exposed the personal information of more than 100 million people and resulted in the theft of social security numbers and bank account details.
The organization revealed on the data breach settlement website that specific information accessed for each person included a combination of names, addresses, zip codes, phone numbers, email addresses, credit scores, balances, transactional data, and much more from 2016, 2017, and 2018. Added to this was the theft of almost 120,000 social security numbers and 80,000 linked bank account numbers.
The breach was carried out by Paige Thompson, a former systems engineer at Amazon Web Services, who used a self-made tool to detect misconfigured AWS accounts and then used those accounts to hack into the systems of more than 30 organizations - including Capital One. The US Department of Justice said in a release that she had posted about the theft on GitHub, which led to her eventual arrest.
According to her indictment, Thompson used the access she gained to steal data while “mining” cryptocurrency with the stolen computer power through crypto-jacking.
Cash App Data Breach 2022
The parent company, Block, announced in an SEC disclosure statement released in April 2022 that its subsidiary organization, Cash App, had experienced a data breach. This comes after a former employee downloaded certain reports from the mobile cash payment platform in December 2021 that contained US customer information.
The statement reads that “while this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.” The data exposed included names, brokerage account numbers, brokerage portfolio values and holdings, and stock trading activity for one trading day.
While the information did not include usernames, passwords, social security numbers, bank account information, or any other personally identifiable information, Cash App Investing still had to contact approximately 8.2 million of its current and former customers to inform them of the incident.
A proposed class action lawsuit highlights that Block, a financial services company, detected a data breach in mid-December 2021 but delayed four months before reporting it in a regulatory filing with the Securities and Exchange Commission.
The lawsuit claims that both Block and Cash App were aware of the potential risks of unauthorized disclosure of customer information, but failed to take adequate steps to protect it. The breach demonstrated that sensitive data was kept in a vulnerable condition, susceptible to misuse.
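As an added example (not part of the original article and not Block's or Cash App's tooling), the Python detection below flags report access by an account after its employment end date, the pattern described in the disclosure. The account names, report names, log format and timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed HR offboarding feed: account -> end of employment (UTC). Hypothetical names.
OFFBOARDED = {
    "jdoe": datetime(2021, 11, 30, 17, 0, tzinfo=timezone.utc),
}

# Constructed report-access log, one event per line: ISO timestamp, account, action, report.
ACCESS_LOG = """\
2021-11-29T14:02:11+00:00 jdoe download daily_brokerage_holdings
2021-12-10T03:41:52+00:00 jdoe download daily_brokerage_holdings
2021-12-10T09:15:00+00:00 asmith download daily_trading_activity
2021-12-10T03:44:07+00:00 jdoe download daily_trading_activity
malformed line without fields
"""

def parse_event(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    if when.tzinfo is None:  # treat naive timestamps as UTC rather than comparing blindly
        when = when.replace(tzinfo=timezone.utc)
    return {"time": when, "account": parts[1], "action": parts[2], "report": parts[3]}

def post_termination_access(log_text, offboarded):
    """Return events where an offboarded account acted after its employment ended."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        ended = offboarded.get(event["account"])
        if ended is not None and event["time"] > ended:
            hits.append(event)
    return sorted(hits, key=lambda e: e["time"])

if __name__ == "__main__":
    for e in post_termination_access(ACCESS_LOG, OFFBOARDED):
        print(f'{e["time"].isoformat()} {e["account"]} {e["action"]} {e["report"]}')
```

Any hit means an account that should have been disabled at offboarding is still able to authenticate, so the finding calls for both an incident review and a fix to the deprovisioning process.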
Google Data Breach 2022
Search engine giant Google recently released a security update for Google Chrome that protects users against a newly discovered security vulnerability in the browser that is already being actively exploited by hackers, putting the data of over 2.5 billion users at risk.
The company confirmed a zero-day vulnerability affected its Chrome web browser client - the 9th vulnerability of the year. Google states on the official rollout for the browser that users of Chrome on the Windows, Mac, Android, and Linux platforms are impacted by the high-severity CVE-2022-4262 zero-day security vulnerability.
Samsung Data Breach 2022
The leading cellular company, Samsung, admitted to a security breach in its system in July 2022 that resulted in the exposure of internal company data - including source code related to its Galaxy smartphones.
In September 2022, Samsung released a notice admitting that some of their US systems had been breached by an unauthorized third party. The breach resulted in the exposure of personal customer information, which they discovered in August of the same year.
The compromised information included names, contact details, demographic information, dates of birth, and product registration information. However, the company stated that no social security numbers or credit card information were exposed.
This is the second data breach that Samsung has suffered in 2022. In March, the company discovered that the Lapsus$ hacking group had infiltrated and leaked almost 200 gigabytes of confidential data – including source code for various Samsung tech and algorithms for biometric unlock operations.
A statement made to Bloomberg in March confirmed the hack when Samsung noted that "the breach involves some source code relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees."
Marriott Data Breach 2022
In July 2022, hotel chain leader Marriott International revealed that it was the victim of a data breach. The company lost almost 20GB of data that included sensitive customer information such as credit card information, confidential business documents, and customer payment information. Up to 400 customers were affected and notified by Marriott following the data breach.
The Verge reported that Melissa Froehlich Flood, a spokesperson for Marriott, assured them that the company was “aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer.” The hacker tried to extort the hotel chain to no avail before going public with the breach.
The hospitality industry leader has experienced data breaches before. In 2020, it had another incident where the personal information of 5.2 million guests was affected. According to a press release, the company discovered that the guest data was accessed by using the login details of two franchise property employees. They believe that this breach started in mid-January 2020 and was identified at the end of February 2020.
Healthcare Data Breaches 2022
The healthcare sector has suffered a startling number of cyber-attacks in recent years, with growing ransomware in the healthcare industry and data breaches that threaten the necessary care services that the public relies on.
A study published in 2020 found that hacking incidents are the most prevalent forms of attack behind healthcare data breaches - followed by unauthorized internal disclosures.
Shields Healthcare Group provides imaging and outpatient services throughout New England and suffered a data breach in March 2022.
In a notice released by the hospital group, they say that an unknown actor gained access to certain Shields systems from March 7, 2022, to March 21, 2022. Upon further investigation, it was revealed that data that affected 2 million people was acquired by the unknown actor within that time frame.
According to Fortified Health Security’s mid-year report, the healthcare sector suffered nearly 337 breaches in the first half of 2022 alone. Medical staff are not equipped to handle the pressure of saving lives while fighting cyber-attacks.
Sangfor’s Healthcare Solution helps build up an advanced and secure IT infrastructure within medical industries to mitigate the risks of being targeted by a data breach - or any form of cyber-attack again.
Data Breach Fines 2022
Data breaches are a severe violation, and it is crucial for companies and organizations to comply with stringent rules and regulations enforced by governments and lawmakers to safeguard their users' information. However, several companies tend to bypass these guidelines, leading to significant penalties.
As seen above, the class action settlements for these organizations in the wake of a data breach are not a matter of easy pocket change. The past year had its fair share of penalties for companies that misused or acted carelessly with user data.
Statista reported that the global average cost per data breach amounted to 4.35 million U.S. dollars as of 2022. Here's a brief overview of just some of the fines handed out in the past year:
Meta 2022 Data Breach Penalty
In September 2022, the Facebook parent company, Meta, received a $400 million penalty after an investigation by Ireland's Data Protection Commission (DPC) into its handling of children's data.
According to The New York Times, the investigation started in 2020 and focused on Instagram's default settings for accounts of children between 13 and 17, which made them public by default. The investigation also looked into the platform's policy of allowing teenage business account holders to share their email addresses and phone numbers publicly.
Morgan Stanley 2022 Data Breach Penalty
Investment bank and financial services provider Morgan Stanley had to pay a sum of $60 million in a legal claim settlement in January 2022 related to data security.
In July 2020, the company was sued in a class-action lawsuit due to two data breaches that impacted approximately 15 million customers. The lawsuit claims that the company failed to properly wipe clean data center equipment that was decommissioned in 2016 and 2019.
Additionally, a software flaw allowed unencrypted sensitive data to be accessible to anyone who purchased the equipment after the decommissioning.
Enel Energia 2022 Data Breach Penalty
A $29.3 million fine was handed to Enel Energia in January 2022 by the Italian data protection authority, Garante. The multi-national electrical and gas supplier failed to get user consent before using private client data for telemarketing calls. Garante received multiple complaints from customers about unwanted promotional calls.
Cosmote Mobile Telecommunications 2022 Data Breach Penalty
In February, the Greek data protection authority fined Cosmote Mobile Telecommunications $6.6 million after a data breach in September 2020 led to the private information of customers being exposed.
It has come to light that the company was engaged in unlawful processing of customer data and failed to adequately secure their private information. Additionally, the parent group OTE was fined for their lack of involvement in the initial stages of the process.
Sourced from EQS Group
Preventing Data Breaches In 2023
While data breaches may appear to be merely avaricious or malevolent attacks on large corporations that don't harm anyone, in reality, they jeopardize the security of countless innocent individuals by revealing their personal information. To prevent such breaches, enterprises and businesses must establish sophisticated and intelligent cybersecurity systems.
In March 2022, the Securities and Exchange Commission proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.
Gary Gensler, the SEC chair, said that “cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.”
The Federal Trade Commission of the US provided resources in a report titled “Data Breach Response: A Guide for Business” that will help enterprises that have suffered a recent data breach.
It is crucial to select a cybersecurity partner who comprehends the dangers and menaces present in the virtual domain. Sangfor Technologies provides the most optimal solution for cloud computing resources and cybersecurity, prioritizing your data security. You can rely on our broad range of products and platforms to guarantee that your customers will not have to worry about their sensitive data being compromised by a data breach. You can contact Sangfor anytime to learn more about its security, IT infrastructure, and cloud products.