Here we go again: 2023’s badly handled data breaches
Last year, we compiled a list of 2022’s most poorly handled data breaches, looking back at the bad behavior of corporate giants when faced with hacks and breaches. That included everything from downplaying the real-world impact of spills of personal information to failing to answer basic questions.
Turns out this year, many organizations continue to make the same mistakes. Here’s this year’s dossier on how not to respond to security incidents.
Electoral Commission hid details of a huge hack for a year, yet still tight-lipped
The Electoral Commission, the watchdog responsible for overseeing elections in the United Kingdom, confirmed in August that it had been targeted by “hostile actors” that accessed the personal details — including full names, email addresses, home addresses, phone numbers and any personal images sent to the Commission — on as many as 40 million U.K. voters.
While it may sound like the Electoral Commission was upfront about the cyberattack and its impact, the incident occurred in August 2021 — some two years ago — when hackers first gained access to the Commission’s systems. It took another year for the Commission to catch the hackers in the act. The BBC reported the following month that the watchdog had failed a basic cybersecurity test around the same time hackers gained entry to the organization. It has not yet been revealed who carried out the intrusion — or if it is known — and how the Commission was breached.
Samsung won’t say how many customers hit by year-long data breach
Samsung has once again made it onto our badly handled breaches list. The electronics giant once again took its typical tight-lipped approach when faced with questions about a year-long breach of its systems that gave hackers access to the personal data of its U.K.-based customers. In a letter sent to affected customers in March, Samsung admitted that attackers exploited a vulnerability in an unnamed third-party business application to access the unspecified personal information of customers who made purchases at its U.K. store between July 2019 and June 2020.
In the letter, Samsung admitted that it didn’t discover the compromise until more than three years later in November 2023. When asked by TechCrunch, the tech giant refused to answer further questions about the incident, such as how many customers were affected or how hackers were able to gain access to its internal systems.
Hackers stole Shadow data, and Shadow went silent
French cloud gaming provider Shadow is a company that lives up to its name, as an October breach at the company remains shrouded in mystery. The breach saw attackers carry out an “advanced social engineering attack” against one of Shadow’s employees that allowed access to customers’ private data, according to an email sent to affected Shadow customers.
However, the full impact of the incident remains unknown. TechCrunch obtained a sample of data believed to be stolen from the company that contained 10,000 unique records, which included private API keys that correspond with customer accounts. When asked by TechCrunch, the company refused to comment, and would not say whether it had informed France’s data protection regulator, CNIL, of the breach as required under European law. The company also failed to make news of the breach public outside of the emails sent to affected customers.
Lyca Mobile refused to say what kind of cyberattack hit
Lyca Mobile, the U.K.-headquartered mobile virtual network operator, said in October that it had been the target of a cyberattack that caused widespread disruption for millions of its customers. Lyca Mobile later admitted a data breach, in which unnamed attackers had accessed “at least some of the personal information held in our system” during the hack.
It’s now more than two months later, and Lyca Mobile has still not said what data was stolen from its systems (despite storing sensitive personal information, such as copies of identity cards and financial data), or how many of its 16 million customers were impacted by the breach. Despite repeated requests by TechCrunch, the company has also refused to comment on the nature of the incident, despite the incident presenting as ransomware.
MGM Resorts still hasn’t said how many customers had data stolen after hack
The breach of MGM Resorts is one of the most memorable of 2022; the incident saw hackers associated with a gang known as Scattered Spider compromise the company’s systems to cause weeks of disruption across MGM’s Las Vegas hotels and casinos. MGM said that the disruption will cost the company at least $100 million.
MGM first disclosed that it had been targeted by hackers on September 11. But it wasn’t until October that the company confirmed in a regulatory filing that the attackers had obtained some personal information belonging to customers who transacted with MGM Resorts prior to March 2019. That includes customer names, contact information, gender, dates of birth, driver license numbers, Social Security numbers and passport scans for some customers.
It’s now more than three months later and we still don’t know how many MGM customers were affected. MGM spokespeople have repeatedly declined to answer TechCrunch’s questions about the incident.
Dish breach may affect millions — potentially a lot more
Back in February, satellite TV giant Dish confirmed in a public filing that a ransomware attack was to blame for an ongoing outage and warned that hackers exfiltrated data from its systems that may have included customers’ personal information. However, Dish hasn’t provided a substantive update since, and customers still don’t know if their personal information is at risk.
TechCrunch learned that, despite the company’s silence, the impact of the breach could extend far beyond Dish’s 10 million or so customers. A former Dish retailer told TechCrunch that Dish retains a wealth of customer information on its servers, including customer names, dates of birth, email addresses, telephone numbers, Social Security numbers and credit card information. The person said that this information is retained indefinitely, even for prospective customers who didn’t pass Dish’s initial credit check.
CommScope late to tell its own employees that their data was stolen
TechCrunch heard from CommScope employees who say they were left in the dark about a data breach at the company affecting their personal information. The North Carolina-based company, which designs and manufactures network infrastructure products for a range of customers, was targeted by the Vice Society ransomware gang in April. Data leaked by the gang, and reviewed by TechCrunch, included the personal data of thousands of CommScope employees, including full names, postal addresses, email addresses, personal numbers, Social Security numbers, passport scans and bank account information.
CommScope declined to answer our questions related to the leaked employee data, and it also failed to answer those affected. Several employees told TechCrunch at the time that CommScope executives remained tight-lipped about the breach, saying little beyond it does “not have evidence” to suggest employee data was involved.