List of Data Breaches and Cyber Attacks in 2023

Welcome to our new-look list of data breaches and cyber attacks. On this page, you will find all our usual information breaking down the month’s security incidents.

However, we’ve decided to consolidate our records onto a single page. So, each month, we’ll update this page with the latest figures and links, so be sure to bookmark it to keep an eye out for the latest data breach news.

Meanwhile, you can subscribe to our Weekly Round-up to receive the latest cyber security news and advice delivered straight to your inbox.

IT Governance is dedicated to helping organisations tackle the threat of cyber crime and other information security weaknesses. We offer a variety of resources to help understand and mitigate threats, from training courses and consultancy services to free guides.

With that out of the way, it’s time to move on to May 2023. Our research found 98 security incidents during the month, accounting for 98,226,877 breached records.

You can find a link to the full list below, along with our rundown of the biggest incidents of the month.



Top data breach stats for 2023

Number of data breaches in 2023: 528

Number of breached records in 2023: 451,724,931

Biggest data breach of 2023 so far: Twitter (220 million breached records)

Biggest data breach in the UK: JD Sports (10 million breached records)

Most breached sectors: Healthcare (155), education (95), technology (59)


If you’re facing a cyber security disaster, IT Governance is here to help. Our Cyber Incident Response service provides the help you need to deal with the threat, as our experts guide you through the recovery process.

They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.


Biggest data breaches of May 2023

The three biggest security incidents of May 2023 accounted for more than 84 million breached records – or 86% of the month’s total.

1. Luxottica

Rumours began to circulate late last year that Luxottica, one of the world’s largest eyewear companies, had been targeted in a cyber attack.

Luxottica – which owns popular brands including Ray-Ban, Oakley and Costa and makes sunglasses and prescription frames for the likes of Giorgio Armani, Versace and Dolce and Gabbana – has suffered several security incidents in recent years. 

In August 2020, it was embroiled in a data breach affecting more than 800,000 EyeMed and Lenscrafters patients. A month later, a ransomware attack shut down the company’s operations in Italy and China. 

It initially seemed as though the latest batch of stolen data might have come from one or both of those incidents. 

However, cyber security researcher Andrea Draghetti discovered that the information was exfiltrated on 16 March 2021, and concluded that the data likely came from a separate, previously undisclosed data breach. 

His research also revealed that the stolen data contains 305 lines of data, including 74.4 million unique email addresses and 2.6 million unique domain email addresses. 

The information was offered for a private sale on the now-defunct hacking forum Breached, and it was later leaked in its entirety for free. 

According to the seller, the database contained customers’ full names, email addresses, home addresses and dates of birth. 

Luxottica says that it is investigating the incident, and in a statement added: “We immediately reported the incident to the FBI and the Italian Police. The owner of the website where the data was posted has been arrested by the FBI, the website was shut down and the investigation is ongoing.”

2. MCNA Insurance

MCNA Insurance, also known as MCNA Dental, was caught up in a cyber hacking incident last week, in which 112 covered entities were affected.

According to the organisation’s disclosure – which was released the Friday before Memorial Day weekend – the specific types of information compromised in the attack varied by individual.

However, it included patients’ first and last names, physical addresses, dates of birth, phone numbers, email addresses, Social Security numbers, driver’s license numbers and other government-issued ID.

In addition, the attackers stole health insurance data (including plan information, insurance provider, member number, Medicaid-Medicare ID numbers), information about treatment that patients had received, the bills they had been given and insurance claims.

MCNA Insurance later confirmed that 8,923,662 people were affected in the incident and said the breach was a result of a ransomware attack.

The unauthorised access reportedly occurred between 27 February and 7 March, and the attackers leaked the information on the dark web in April, but the organisation waited until 26 May to disclose it.

3. PharMerica

The US pharmacy network PharMerica began notifying 5.8 million patients in May that it had suffered a data breach earlier this year.

In a disclosure notice to the Maine Attorney General’s Office, the organisation explained that an unauthorised party had compromised its computer systems between 12 March and 13 March.

Personal information compromised during the incident includes patients’ names, addresses, dates of birth, Social Security numbers, health insurance data and medical data.

In some instances, the stolen data belongs to deceased individuals, and PharMerica has encouraged executors or surviving family members to contact the national credit reporting agencies to notify them of the breach.

The organisation did not explain how the intrusion occurred, although some reports speculate that it was a ransomware attack. One criminal gang said that it had targeted the organisation and encrypted its systems.

However, PharMerica has made no mention of ransomware in either its public statements or its breach disclosure.


See the full list of data breaches for May 2023


April

Our research identified 120 publicly disclosed security incidents during April, accounting for 4,353,257 breached records.

The biggest data breaches in April 2023 were:

1. Shields Health Care Group

The largest data breach of April 2023 was at the Shields Health Care Group, a Massachusetts-based medical services provider. Reports emerged near the end of the month that a cyber criminal had gained unauthorised access to the organisation’s systems and had stolen the personal data of 2.3 million people.

In a letter sent to affected individuals, Shields said that the incident dates to March 2022, when it first identified suspicious activity on its internal network.

The breach had been speculated about at the time, but the firm’s investigation concluded last month and revealed the scale of the damage.

The crooks reportedly had access to sensitive data for two weeks and that information included patients’ Social Security numbers, dates of birth, home addresses, healthcare provider information and healthcare history.

Additionally, billing information, insurance numbers and other financial details were stolen in the attack.

In a statement, Shields said that it “takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected.

“Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security.”

2. NCB Management

NCB Management learned last month that a cyber criminal infiltrated its systems and stole almost one million financial records.

An internal investigation from the debt collection services provider found that a criminal hacker first accessed NCB Management’s systems on 1 February 2023, but it’s unclear how long they remained in its systems.

What is apparent is that the crook accessed credit card data for consumers’ Bank of America past-due accounts.

The accounts were already closed, but the attacker would have had access to a gamut of information, including people’s first and last names, address, phone number, email address, date of birth, employment position, pay amount, driver’s licence number, Social Security number, account number, credit card number, routing number, account balance and/or account status.

When combined with the knowledge that these people had been pursued by a debt collection agency, it creates the possibility for a variety of scams.

The incident was reported to the relevant authorities by Bank of America, but it’s unclear what part the bank had to play in the breach beyond the fact that its customers were affected.

3. Kodi

The open-source media player Kodi reported last month that an unauthorised actor compromised its MyBB forum database and stole personal data belonging to 400,635 users.

“MyBB admin logs show the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console twice: on 16 February and again on 21 February,” Kodi said in a statement.

The crooks were able to download nightly backups of the complete database, which contained all public forum posts, team forum posts and direct messages. More worryingly, the same database contained usernames, email addresses and encrypted passwords.

Fortunately for Kodi, its team said that there was no evidence that the criminal hackers gained access to the underlying server hosting the MyBB software.


See the full list of data breaches for April 2023


March

Our research identified exactly 100 publicly disclosed incidents in March, accounting for 41,970,182 breached records.

The three biggest data breaches in March 2023 were:

1. Latitude Financial

The largest confirmed data breach of March 2023 occurred at Latitude Financial, with more than 14 million records being compromised.

The Melbourne-based company, which provides personal loans and credit cards to people in Australia and New Zealand, reported that cyber criminals had captured several different types of data.

Almost 8 million drivers’ licences were stolen, along with 53,000 passport numbers and dozens of monthly financial statements.

An additional 6 million records dating back to “at least 2005” were also compromised in the attack, the source of which is not yet known.

The most concerning aspect of this breach is that Latitude Financial originally reported that only 300,000 people had been affected. This suggests that it had a poor understanding of the attack and rushed to disclose the breach.

Having to then update its estimate invites further public scrutiny of the attack and could see customers lose faith in the company.

Most of us are aware by now that data breaches can occur anywhere, so falling victim to an attack isn’t necessarily a sign of ineffective security measures. However, a mismanaged response suggests that an organisation isn’t prepared for an attack, and it bodes poorly for ongoing remediation efforts.

2. GoAnywhere

A vulnerability in the file transfer service GoAnywhere has enabled cyber criminals to exploit dozens of organisations that use the tech. Details of the sprawling attack continue to emerge, with some reports estimating that as many as 130 organisations have been targeted.

Until recently, these details were coming not from GoAnywhere or its parent company, Fortra, but from individual victims.

Organisations that are confirmed to have been targeted include Hatch Bank, the City of Toronto, the cyber security company Rubrik and Hitachi Energy. In each case, the victim has reported that it was breached through the GoAnywhere MFT remote code execution vulnerability.

The attacks have been attributed to the Clop ransomware gang, but coverage of their activity is not consistent with traditional ransomware attacks. Reports suggest that the group is stealing the data rather than encrypting the organisations’ systems and holding them to ransom.

Regardless of the specific techniques being used, it’s likely that millions of sensitive data records have been compromised – although few victims have listed specific figures.

3. AT&T

AT&T has notified approximately 9 million customers that their personal data has been exposed in a data breach.

The telecoms giant said that the breached records include people’s names, wireless account numbers, phone numbers and email addresses. It’s confident that more sensitive data, such as payment card numbers, Social Security numbers and passwords, have not been affected.

However, AT&T conceded that, in “a small percentage” of cases, customers’ rate plan name, past due amounts, monthly payment amounts and other account data was affected, although it said that the information was “several years old”.

AT&T was eager to note that the breach related to a vendor and that its own systems had not been compromised. It didn’t name the vendor.


See the full list of data breaches for March 2023


February

Our research identified 106 publicly disclosed incidents in February, accounting for 29,582,356 breached records.


See the full list of data breaches for February 2023


January

Our research discovered 104 publicly disclosed security incidents, which accounted for 277,618,767 leaked records.

That’s more breached records than we found in any calendar month last year, and it’s among the most incidents we’ve ever seen.


See the full list of data breaches for January 2023

The post List of Data Breaches and Cyber Attacks in 2023 appeared first on IT Governance UK Blog.