These were the most poorly handled data breaches of 2024
to last few yearsTechCrunch has I looked back In some of the worst cases of data breaches and security incidents that were hopefully mishandled – maybe! – Other giant companies will take notice and avoid committing some of the same disasters of yesteryear. To absolutely no one’s surprise, here we are again this year listing much of the same bad behavior from a whole new class of companies.
23andMe blamed users for the massive data breach
Last year, genetic testing giant 23andMe lost the genetic and ancestry data of nearly 7 million customers, thanks to a data breach that saw hackers forcefully access thousands of accounts to extract data from millions more. 23andMe recently rolled out multi-factor authentication, a security feature that could have prevented account hacking.
Within days of the new year, 23andMe began doing just that Deflect blame Due to widespread data theft of victims, claiming that its users did not adequately secure their accounts. Lawyers representing the group of hundreds of 23andMe users who sued the company after the hack said the finger-pointing was “irrational.” British and Canadian authorities soon after Announced a joint investigation into the 23andMe data breach last year.
23andMe later in the year Laying off 40% of its employees As the beleaguered company faces an uncertain financial future – as does… The company’s huge bank of genetic data on its customers.
Change Healthcare took months to confirm that hackers had stolen most of America’s health data
Change Healthcare is a healthcare technology company that few had heard of until last February when a cyberattack forced the company to shut down its entire network. Immediate and widespread outages Throughout the United States and caused a large part of the US health care system to stop. Change, owned by health insurance giant UnitedHealth Group, processes billing and insurance for thousands of health care providers and medical practices across the United States, and processes between one-third and one-half of all health care transactions in the United States each year.
The company’s handling of a breach — caused by a breach Basic user account with Lack of multi-factor authentication – Was criticized by Americans who were unable to obtain their medications or agree to hospital stays; Health care providers who went bankrupt as a result of the cyberattack were affected, and lawmakers questioned the company’s CEO about the hack during a congressional hearing in May. Changing health care He paid the hackers a ransom of $22 million — which the feds have long warned about only to help cybercriminals take advantage of cyberattacks — only to have to Dowry get new ransom to ask last Hacking group to delete its stolen data.
Ultimately, it took until October — about seven months later — to reveal that more than 100 million people’s private health information had been stolen in the cyberattack. It certainly took some time, because – by all accounts – it was him The largest healthcare data breach of the yearif not ever.
The Synnovis hack disrupted UK healthcare services for months
The NHS has suffered months of turmoil this year after Synnovis, a London-based pathology services company, was hit by a ransomware attack in June. The attack, claimed by the Qilin ransomware group, left patients in south-east London unable to get blood tests from their doctors for more than three months, and led to the cancellation of thousands of outpatient appointments and more than 1,700 surgeries.
In light of the attack that Experts For example, this could have been prevented if two-factor authentication had been implemented. Unite, the UK’s leading trade union, Announce Synnovis employees will go on strike for five days in December. Unite said the incident had a “worrying impact on staff who were forced to work overtime without access to essential computer systems for months while dealing with the attack”.
It is still unknown how many patients were affected by the accident. The Qilin ransomware group claims to have leaked 400GB of sensitive data allegedly stolen from Synnovis, including patient names, health system registration numbers, and blood test descriptions.
Snowflake customer hacks have escalated into major data breaches
This year, cloud computing giant Snowflake found itself in the middle of a series of mass hacks targeting its corporate customers, such as AT&T, Ticketmaster, and Santander Bank. Hackers, who were He was later criminally charged with hackingusing login details stolen by malware found on employee computers at companies that rely on Snowflake. Due to Snowflake’s lack of mandatory use of multi-factor security, hackers were able to break into and rob huge banks of Data stored by hundreds of Snowflake customers And hold the data for ransom.
Snowflake said from her side A little about the events of that timebut acknowledged that the breaches were caused by a “targeted campaign directed at users with single-factor authentication.” Snowflake later rolled out multiple factors by default to its customers in hopes of avoiding a repeat of the incident.
The city of Columbus, Ohio, has sued a security researcher for truthfully reporting a ransomware attack
When the city of Columbus, Ohio, reported a cyberattack over the summer, Mayor Andrew Ginther moved to reassure concerned residents that the stolen city data was “either encrypted or corrupted,” and unusable by the hackers who stole it. All the while, a security researcher who tracks data breaches on the dark web for his job finds evidence that the ransomware crew… In fact he had access to population data – At least half a million people – including their Social Security numbers and driver’s licenses, as well as arrest records, information on minors, and domestic violence survivors. The researcher alerted journalists to the buried data.
city successfully I got a warrant against the researcher from sharing evidence he found about the hack, a move seen as an attempt by the city to silence the security researcher rather than address the hack. The city later His lawsuit was dropped.
Salt Typhoon has hacked into phone and internet service providers, thanks to a US backdoor law
30 years The backdoor law is back to bite This year after hackers, dubbed Salt Typhoon – one of several Chinese-backed hacking groups Laying the digital foundation for a potential conflict with the United States – It was discovered in the networks of some of the largest American telephone and Internet companies. Hackers were found to have accessed calls, messages and real-time communications metadata of top US politicians and high-ranking officials, including Presidential candidates.
Hackers are said to have broken into some of the companies’ wiretapping systems, which telecom companies were required to set up after the law, called CALEA, was passed in 1994. Now, thanks to continued access to these systems – and the data that telecom companies provide – the companies store… On Americans – the United States government is Now providing advice to US citizens And major Americans To use end-to-end encrypted messaging apps So that no one, not even Chinese hackers, can access their private communications.
Moneygram has not yet said how many people had their transaction data stolen during the data breach
MoneyGram, the US money transfer giant with more than 50 million customers, was attacked by hackers in September. Company certain The incident occurred more than a week after customers experienced days of unexplained outages, revealing only an unspecified “cybersecurity issue.” MoneyGram did not say whether customer data was taken, but the UK’s data protection watchdog said TechCrunch said In late September, it received a data breach report from the US-based company, indicating that customer data had been stolen.
Weeks later, MoneyGram Admit to hackers It stole customer data during the cyberattack, including Social Security numbers and government identification documents, as well as transaction information, such as the dates and amounts of each transaction. The company admitted that the hackers also stole criminal investigation information on a “limited number” of customers. MoneyGram has not yet said how many customers had their data stolen, or how many customers it has notified directly.
Hot Topic remains silent after 57 million customer records leaked online
with 57 million customers affectedThe October hack of US retail giant Hot Topic is one of the largest retail data breaches ever. However, despite the massive scope of the breach, Hot Topic has not publicly confirmed the incident, nor alerted customers or state attorneys general’s offices about the data breach. The retailer also ignored TechCrunch’s multiple requests for comment.
Hack reporting site Have you been Pwnedwhich obtained a copy of the data breach, alerted nearly 57 million affected customers that the stolen data included their email addresses, physical addresses, phone numbers, purchases, gender and date of birth. The data also included partial credit card data, including credit card type, expiration dates, and the last four digits of the card number.
