2023 is drawing to a close, and though it’s been a year of success for many, it’s witnessed other organisations facing a whole host of new cyber challenges.

Indeed, the last twelve months have found more large and small companies facing security breaches that caused severe repercussions.

However, we can learn a lot from these incidents to improve your organisation's defence against similar attacks. So, let's take a closer look at some of the most significant breaches that occurred in 2023.

Q1 2023: T-Mobile, Mailchimp, The NHS

T-Mobile

T-Mobile, the US wireless carrier, experienced its second data breach in under two years on January 5th, exposing the personal data of 37 million customers.

The breach followed T-Mobile's recent pledge to enhance data security. Although contained within a day, the incident cost the company heavily and eroded customer trust.

This marks T-Mobile's second breach, the prior one leading to a $350 million settlement in August 2021.

Two attacks in a short space of time is not uncommon, as once a company has been identified as susceptible expect even more activity from cybercriminals.

MailChimp

MailChimp experienced a data breach with over 133 users affected by a social engineering attack on an internal customer support tool.

Hackers gained unauthorised access to employee information and credentials, prompting MailChimp to identify and suspend compromised accounts.

This incident followed previous breaches in April and August 2022. The recurrence underscores the need for robust cybersecurity processes to prevent hacking attempts and protect sensitive information effectively.

NHS

A significant NHS data breach exposed the personal details of thousands of patients due to a phishing attack targeting an employee's email account.

The compromised information included patient names, addresses, phone numbers, medical details, diagnoses, and treatment specifics.

The attacker exploited this data for a subsequent spear-phishing assault on other NHS staff. NHS acknowledged the breach's impact on thousands of patients and is implementing preventive measures.

Regular reviews of security policies are crucial to minimising the risk of such errors and enhancing overall data protection.

Q2 2023: MOVEit, Capita, UoM

MOVEit

In June 2023, a significant data breach targeted the widely used file transfer tool MOVEit, impacting over 100 organisations globally.

With alleged ties to Russia, the Clop ransomware gang orchestrated the hacking campaign. Allegiant Air reported unauthorised access to the personal information of 1,405 individuals, while the NYC Department of Education confirmed the impact on 45,000 students and staff.

Manchester Law Firm vs. Capita

A significant data breach at UK-based company Capita led to a class-action lawsuit and potentially impacted millions.

Among the 90 affected organisations were Royal Mail and Axa.

Legal proceedings by Barings Law involved 250 individuals suspected of compromised personal data.

Home addresses, emails, phone numbers, and pension details were accessed by hackers, raising concerns about fraud and unauthorised account access.

University of Manchester

In June, the University of Manchester encountered a cyber-incident, resulting in unauthorised access to its systems and potential data copying, as disclosed in a statement on June 9, 2023.

The university's chief operating officer, Patrick Hackett, confirmed the breach, indicating that both internal and external experts were actively addressing the issue and assessing the extent of the data accessed.

Relevant authorities, including the Information Commissioner's Office and the National Cyber Security Centre, were duly notified.

Q3 2023: NI Police, Electoral Commission, Discord

Northern Ireland Police

On August 8th, the Northern Ireland Police experienced a significant data breach, revealing sensitive information.

Over a three-hour period, names, ranks, grades, work locations, and departments of nearly 10,000 PSNI staff were inadvertently made public due to human error, deemed "monumental" given the heightened terror threat level.

The fallout had massive implications for the safety of thousands of officers.

PSNI Assistant Chief Constable Chris Todd confirmed measures were identified to prevent similar errors.

Information Commissioner John Edwards stressed the incident's gravity, emphasising the substantial consequences of minor human errors.

The Electoral Commission

The Electoral Commission has acknowledged a security breach, originally occurring in 2021 but only disclosed ten months later.

Attributed to a hostile cyber attack, the breach remained undetected for a year, compromising data from 40 million votes, including names and addresses of registered voters spanning 2014 to 2022.

Discord.io Data

Discord.io, an online service offering custom links for Discord channels, experienced a data breach affecting around 760,000 users.

Sensitive information, including passwords, usernames, Discord IDs, and billing addresses, is believed to have been exposed.

The third-party service ceased operations following the breach's discovery, which occurred when a Discord user offered the data for sale on a hacking forum.

Although compromised passwords were encrypted to industry standards, users with non-unique passwords are advised to update them across other platforms.

Q4 2023: Air Europa, 23andMe, Sony

Air Europa

In October, Mallorca-based airline Air Europa experienced a data breach, compromising the private payment information of its customers.

Discovered on October 10th, the breach revealed unauthorised access to customer payment data, including credit card numbers, expiration dates, and CCV codes.

Alarmingly, the breach occurred 41 days earlier, on August 28, remaining undetected until suspicious activity was identified.

The exact number of affected individuals is undisclosed, but the exposure of CCV codes violates PCI DSS regulations, raising significant concerns.

Air Europa advised customers who used credit cards for flight payments to cancel their cards as a precaution against potential fraudulent activities.

23andMe

In a past incident, biotech company 23andMe experienced a significant data breach, involving a credential-stuffing attack that accessed customer accounts.

This resulted in the theft of genetic data, potentially compromising names, email addresses, birthdates, and genetic ancestry information.

Upon detecting the breach, 23andMe engaged digital forensics experts and law enforcement, implementing measures such as mandatory password resets.

This incident heightened existing worries about data privacy in genetic testing companies, as health privacy laws don't currently protect this data, and 23andMe's privacy policy allows for third-party data sharing.

Sony

In October, Sony disclosed a data breach affecting nearly 6,800 employees, connected to a prior security breach linked to the MOVEit transformation system.

Hackers gained unauthorised access to US-based employee data on Sony's servers.

Sony responded by providing credit monitoring services addressing the vulnerability to prevent future breaches.

What can we learn from the 2023 data breaches

From the cybersecurity breaches of 2023, there are several key lessons to guide companies in strengthening their defences for the upcoming year.

Cybersecurity culture

Creating an environment prioritising security awareness is essential throughout the organisation, whether in office or remote settings.

Regular assessments

Prioritise regular assessments to ensure that security protocols align with the current threats and keep defences up-to-date to stay ahead of emerging risks.

Third-party risk management

Emphasise third-party risk management to protect your company against vulnerabilities from external partners.

Compliance with standards

Maintain compliance with industry standards like PCI DSS. Adhering to established norms ensures a security baseline and can help reduce the consequences of a breach.

Proactive cybersecurity measures

Implement proactive cybersecurity measures and reporting protocols to anticipate and counter potential threats.

Employee training

Comprehensive training is important in every single organisation, irrespective of size, covering aspects from phishing attacks to social engineering tactics.

A well-informed workforce plays a key role in reducing cybersecurity risks and breaches.

How Bob’s Business can help your organisation in 2024 and beyond

We're Bob's Business, your go-to for engaging cybersecurity training. With over 15 years of experience, our training solutions are designed for all sectors and company sizes, making cybersecurity simple and effective.

Certified by top bodies like the NCSC and Crest, our courses are your shield against cyber threats. Let's build your team's defence together!

Get in touch today to strengthen your cybersecurity stance!