MOVEit, Capita, CitrixBleed and more: The biggest data breaches of 2023
This year, 2023, was a hell of a year for data breaches, much like the year before it (and the year before that, etc.). Over the past 12 months, we’ve seen hackers ramp up their exploitation of bugs in popular file-transfer tools to compromise thousands of organizations, ransomware gangs adopt aggressive new tactics aimed at extorting their victims and attackers continue to target under-resourced organizations, such as hospitals, to exfiltrate highly sensitive data, like patients’ healthcare information and insurance details.
In fact, according to October data from the U.S. Department of Health and Human Services (HHS), healthcare breaches affected more than 88 million individuals, up by 60% compared to last year. And that doesn’t even account for the last two months of the year.
We’ve rounded up the most devastating data breaches of 2023. Here’s hoping we don’t have to update this list before the year is out…
Fortra GoAnywhere
Just weeks into 2023, hackers exploited a zero-day vulnerability affecting Fortra’s GoAnywhere managed file-transfer software, allowing the mass hacking of more than 130 companies. This vulnerability, tracked as CVE-2023-0669, was known as a zero-day because it was actively exploited before Fortra had time to release a patch.
The mass hacks exploiting this critical remote injection flaw were quickly claimed by the notorious Clop ransomware and extortion gang, which stole data from more than 130 victim organizations. Some of those affected included NationBenefits, a Florida-based technology company that offers supplementary benefits to its 20 million-plus members across the United States; Brightline, a virtual coaching and therapy provider for children; Canadian financing giant Investissement Québec; Switzerland-based Hitachi Energy; and the City of Toronto, to name just a few.
As revealed by TechCrunch in March, two months after news of the mass hacks first came to light, some victim organizations only learned that data had been exfiltrated from their GoAnywhere systems after they each received a ransom demand. Fortra, the company that developed the GoAnywhere tool, previously told these organizations that their data was unaffected by the incident.
Royal Mail
January was a busy month for cyberattacks, as it also saw U.K. postal giant Royal Mail confirm that it had been the victim of a ransomware attack.
This cyberattack, first confirmed by Royal Mail on January 17, caused months of disruption, leaving the British postal giant unable to process or dispatch any letters or parcels to destinations outside of the United Kingdom. The incident, which was claimed by the Russia-linked LockBit ransomware gang, also saw the theft of sensitive data, which the hacker group posted to its dark web leak site. This data included technical information, human resource and staff disciplinary records, details of salaries and overtime payments, and even one staff member’s COVID-19 vaccination records.
The full scale of the data breach remains unknown.
3CX
Software-based phone system maker 3CX is used by more than 600,000 organizations worldwide with more than 12 million active daily users. But in March, the company was compromised by hackers looking to target its downstream customers by planting malware in the 3CX client software while it was in development. This intrusion was attributed to Labyrinth Chollima, a subunit of the notorious Lazarus Group, the North Korean government hacking unit known for stealthy hacks targeting cryptocurrency exchanges.
To this day, it’s unknown how many 3CX customers were targeted by this brazen supply-chain attack. We do know, however, that another supply-chain attack caused the breach. As per Google Cloud-owned Mandiant, attackers compromised 3CX by way of a malware-tainted version of the X_Trader financial software found on a 3CX employee’s laptop.
Capita
April saw hackers compromise U.K. outsourcing giant Capita, whose customers include the National Health Service and the U.K. Department for Work and Pensions. The fallout from this hack spanned months as more Capita customers learned that sensitive data had been stolen, many weeks after the compromise had first taken place. The Universities Superannuation Scheme, the U.K.’s largest private pension provider, was among those affected, confirming in May that the personal details of 470,000 members was likely accessed.
This was just the first cybersecurity incident to hit Capita this year. Not long after Capita’s huge data breach, TechCrunch learned that the outsourcing giant left thousands of files, totaling 655 gigabytes in size, exposed to the internet since 2016.
MOVEit Transfer
The mass exploitation of MOVEit Transfer, another popular file-transfer tool used by enterprises to securely share files, remains the largest and most damaging breach of 2023. The fallout from this incident — which continues to roll in — began in May when Progress Software disclosed a critical-rated zero-day vulnerability in MOVEit Transfer. This flaw allowed the Clop gang to carry out a second round of mass hacks this year to steal the sensitive data of thousands of MOVEit Transfer customers.
According to the most up-to-date statistics, the MOVEit Transfer breach has so far claimed more than 2,600 victim organizations, with hackers accessing the personal data of almost 84 million individuals. That includes the Oregon Department of Transportation (3.5 million records stolen), the Colorado Department of Health Care Policy and Financing (four million) and U.S. government services contracting giant Maximus (11 million).
Microsoft
In September, China-backed hackers obtained a highly sensitive Microsoft email signing key, which allowed the hackers to stealthily break into dozens of email inboxes, including those belonging to several federal government agencies. These hackers, which Microsoft claims belonged to a newly discovered espionage group tracked as Storm-0558, exfiltrated unclassified email data from these email accounts, according to U.S. cybersecurity agency CISA.
In a post-mortem, Microsoft said that it still does not have concrete evidence (or want to share) how these attackers initially broke in and allowed the hackers to steal its skeleton key for accessing email accounts. The tech giant has since faced considerable scrutiny for its handling of the incident, which is thought to be the biggest breach of unclassified government data since the Russian espionage campaign that hacked SolarWinds in 2020.
CitrixBleed
And then it was October, and cue yet another wave of mass hacks, this time exploiting a critical-rated vulnerability in Citrix NetScaler systems. Security researchers say they observed attackers exploiting this flaw, now known as “CitrixBleed,” to break into organizations across the world spanning retail, healthcare and manufacturing.
The full impact of these mass hacks continues to develop. But LockBit, the ransomware gang responsible for the attacks, claims to have compromised big-name firms by exploiting the flaw. The CitrixBleed bug allowed the Russia-linked gang to extract sensitive information, such as session cookies, usernames and passwords, from affected Citrix NetScaler systems, granting the hackers deeper access to vulnerable networks. This includes known victims like aerospace giant Boeing, law firm Allen & Overy and the Industrial and Commercial Bank of China.
23andMe
In December, DNA testing company 23andMe confirmed that hackers had stolen the ancestry data of half of its customers, some 7 million people. However, this admission came weeks after it was first revealed in October that user and genetic data had been taken after a hacker published a portion of the stolen profile and DNA information of 23andMe users on a well-known hacking forum.
23andMe initially said that hackers had accessed user accounts by using stolen user passwords that were already made public from other data breaches, but later admitted that the breach had also affected those who opted into its DNA Relatives feature, which matches users with their genetic relatives.
After revealing the full extent of the data breach, 23andMe changed its terms of service to make it more difficult for breach victims to file legal claims against the company. Lawyers described some of these changes as “cynical” and “self-serving.” If the breach did one good thing, it’s that it prompted other DNA and genetic testing companies to beef up their user account security in light of the 23andMe data breach.