Data breaches and security lapses have unfortunately become a regular occurrence, and 2023 was no exception.
This year witnessed some of the most significant incidents yet, from large-scale data leaks exposing personal details to sophisticated cyber-attacks on critical services.
In this blog post, we’ll take a closer look at the biggest data and security breaches of 2023, exploring what happened in each case without diving into the lessons learned.
1. Real Estate Wealth Network
Number of records lost: 1,500,000,000
In December 2023, Real Estate Wealth Network, a prominent online real estate education platform based in New York, experienced a catastrophic data breach. Over 1.5 billion records were exposed due to an unsecured database containing 1.16 TB of data.
The leaked information included sensitive details such as names, addresses, contact information, and even mortgage and tax records of property owners, investors, and sellers, including high-profile individuals like celebrities and politicians.
The breach, which spanned from April to October 2023, was discovered by cybersecurity researcher Jeremy Fowler. He warned of the increased risk of real estate fraud due to the exposed ownership records.
This incident was caused by a lack of proper security measures on the database, leaving it vulnerable to unauthorized access. Real Estate Wealth Network has not disclosed how long the data was publicly accessible or whether it had been accessed by malicious actors.
In response, the company has secured the database and is cooperating with ongoing investigations by regulatory bodies.
2. X (formerly Twitter)
Number of records lost: 200,000,000
In January 2023, X (formerly Twitter) experienced a significant data breach where the email addresses of over 200 million users were exposed. This breach resulted from the exploitation of a vulnerability in X’s API, which allowed hackers to link email addresses and phone numbers to X IDs.
The vulnerability, discovered in 2021, was initially addressed by X, but not before massive amounts of data were scraped and sold on various hacker forums.
The leaked data, which includes email addresses, names, usernames, follow counts, and account creation dates, was published on a popular hacking forum for a nominal fee. The data was initially intended to be sold but eventually circulated for free, making it widely accessible and increasing the risk of phishing and other malicious activities.
X investigated the breach but claimed there was no evidence that the data originated from an exploitation of their systems. They suggested that the data might have been compiled from previously available public information.
Despite X’s statements, cybersecurity experts and researchers have confirmed the authenticity of the email addresses included in the leak.
3. MOVEit
Number of records lost: 62,000,000
The MOVEit cyberattack, orchestrated by the Clop ransomware group, began on May 27, 2023, when Clop exploited a zero-day vulnerability in MOVEit Transfer software, a tool used by numerous organizations for secure file transfers.
This SQL injection vulnerability allowed attackers to gain unauthorized access to MOVEit servers and deploy webshells, leading to extensive data exfiltration.
By October 2023, the breach had affected over 2,000 organizations and compromised the personal and financial data of approximately 62 million individuals. Notable victims included US federal agencies, the BBC, and British Airways. The financial impact of the breach is estimated to be around $9.93 billion.
Clop publicly claimed responsibility for the attacks on June 6, 2023, and began posting the names of compromised organizations on their dark web site, urging victims to negotiate to prevent data leaks.
In response, Progress Software, the developer of MOVEit, released patches and advisories starting May 31, 2023.
Multiple threat intelligence firms, including Mandiant and Microsoft, attributed the attacks to Clop, and US authorities, including CISA and the FBI, issued joint advisories and offered a $10 million reward for information linking Clop to foreign governments.
4. UK Electoral Commission
Number of records lost: 40,000,000
In August 2023, the UK Electoral Commission revealed that it had been the target of a significant cyber-attack, which had been undetected for over a year. The breach initially occurred in August 2021, but it wasn’t discovered until October 2022.
During the attack, hackers gained access to reference copies of electoral registers, which contained the names and addresses of everyone registered to vote in the UK between 2014 and 2022, including overseas voters and voters in Northern Ireland for 2018.
These registers were used by the Commission for research and to check the permissibility of political donations.
The breach did not include sensitive personal information like dates of birth, national insurance numbers, or email addresses, and there was no evidence that the hackers accessed specific files or extracted data.
The attack highlighted vulnerabilities in the Commission’s cybersecurity defenses, prompting significant security improvements with the help of external experts and the National Cyber Security Centre (NCSC).
Despite the scale of the data accessed, the Commission emphasized that the democratic process in the UK, which relies heavily on paper-based voting, was not compromised.
In response to the breach, the Electoral Commission informed the Information Commissioner’s Office (ICO) within the required 72-hour timeframe, and an investigation was launched. The ICO’s inquiry is ongoing, with the aim of determining the full impact and any further necessary actions.
The Commission’s Chief Executive, Shaun McNally, issued an apology for the breach, acknowledging the concerns it raised and reaffirming the steps taken to enhance the security and resilience of their IT systems.
5. Indonesian Immigration Directorate
Number of records lost: 34,000,000
In July 2023, a significant data breach occurred at Indonesia’s Immigration Directorate General, compromising the personal information of over 34 million Indonesian passport holders. The breach was disclosed by cybersecurity researcher Teguh Aprianto, who revealed that a hacktivist named Bjorka was behind the attack.
The stolen data, which included full names, passport numbers, dates of issue, expiry dates, dates of birth, and gender, was reportedly offered for sale on a data leak site for $10,000.
The breach’s impact is profound, potentially leading to widespread identity theft and fraud, as passport data can be used to fabricate counterfeit documents and open bank accounts.
Indonesian authorities, including the Ministry of Communications and Information Technology and the National Cyber and Encryption Agency (BSSN), are actively investigating the incident.
The government has urged data processors to comply with the Personal Data Protection (PDP) law to enhance security and prevent future breaches.
This incident is part of a broader pattern of cyberattacks in Indonesia, which has experienced over 90 data breaches in four years, many targeting government organizations. The Indonesian government has faced criticism for its cybersecurity posture, ranking 84th on the National Cyber Security Index (NCSI).
6. HCA Healthcare
Number of records lost: 11,000,000
In July 2023, HCA Healthcare, one of the largest healthcare providers in the U.S., disclosed a data breach affecting approximately 11 million patients. The breach involved the theft of data from an external storage location used for formatting patient email messages.
The stolen data, posted on a hacking forum, included patient names, contact information, dates of birth, gender, and appointment details, but did not contain clinical or payment information.
This incident led to a class-action lawsuit filed by two patients in the U.S. District Court for the Middle District of Tennessee. The plaintiffs alleged that HCA Healthcare failed to implement reasonable security measures, such as encrypting the data or deleting it when no longer needed.
They claimed HCA should have been aware of the risks given the rise in healthcare industry cyberattacks. The lawsuit seeks monetary damages and injunctive relief.
HCA Healthcare responded by disabling access to the breached storage location, engaging third-party investigators, and notifying law enforcement. The company assured that the incident did not disrupt patient care and services.
HCA also committed to contacting affected patients and offering credit monitoring and identity protection services as appropriate.
7. 23andMe
Number of records lost: 6,900,000
In December 2023, genetic testing company 23andMe confirmed a significant data breach impacting 6.9 million users. The breach, which began in October 2023, involved hackers using credential-stuffing techniques to access user accounts.
Credential stuffing occurs when hackers take login information stolen from one account and try it against other accounts where the same credentials have been reused.
Initially, the hackers accessed about 14,000 accounts, but due to the interconnected nature of 23andMe’s DNA Relatives feature, they could access a broader set of profiles containing sensitive ancestry and health information.
The stolen data included users’ names, birth years, geographic locations, and genetic ancestry results. Notably, the hackers targeted specific ethnic groups, particularly Ashkenazi Jewish and Chinese users, and posted the information on the dark web.
This raised significant concerns about potential discrimination and misuse of the data by employers, insurance companies, or other malicious actors.
In response, 23andMe launched an investigation and took measures such as temporarily disabling some features of the DNA Relatives tool, reaching out to customers to reset passwords, and urging the use of multi-factor authentication.
8. PharMerica
Number of records lost: 5,800,000
PharMerica, a major provider of pharmacy services, experienced a significant data breach in March 2023, which came to public attention later that month. This breach involved unauthorized access to the personal information of nearly 6 million individuals, making it one of the largest health data breaches in the first quarter of 2023.
The compromised data included sensitive personal and medical information such as names, Social Security numbers, dates of birth, medications, and health insurance information.
This breach was attributed to a sophisticated cyber-attack, although specific details regarding the attack vector were not disclosed.
Upon discovering the breach, PharMerica swiftly initiated an investigation with the help of third-party cybersecurity experts. The company also notified affected individuals and offered them complimentary credit monitoring and identity protection services.
In response to the breach, PharMerica enhanced its cybersecurity measures, including strengthening its network defenses and employee training programs to prevent future incidents.
9. Duolingo
Number of records lost: 2,600,000
In August 2023, Duolingo faced a significant data breach where the personal information of 2.6 million users was exposed on a hacking forum. The leaked data included a mix of public information, such as usernames and real names, and private details, like email addresses.
This breach stemmed from an exposed application programming interface (API) that had been openly available since at least March 2023. This API allowed anyone to input a username and retrieve public profile data, but it also enabled the verification of email addresses against Duolingo accounts, contributing to the data compilation.
Initially, the data was sold for $1,500 in January 2023 on the now-defunct Breached hacking forum. However, in August 2023, the data was released almost for free on another hacking forum.
Despite being informed about the API vulnerability earlier in the year, Duolingo did not take sufficient measures to secure it, leading to the current data leak.
In response to the incident, Duolingo confirmed that they were investigating the misuse of their API and considering additional precautions. However, as of the latest updates, the problematic API was still accessible.
10. Topgolf Callaway Brands
Number of records lost: 1,100,000
Callaway Golf Company faced a significant data breach that exposed the personal information of approximately 1.1 million customers.
The compromised data included names, email addresses, shipping addresses, phone numbers, order histories, account passwords, and security question answers.
Although payment card details and government IDs were not affected, the breach posed serious risks due to the sensitive nature of the exposed information.
The breach was identified following unusual activity on Callaway’s e-commerce website, prompting an internal investigation. It was determined that unauthorized access had occurred between March and August 2023.
The company responded by temporarily shutting down the affected systems, implementing enhanced security protocols, and mandating password resets for all impacted accounts.
Callaway also offered free credit monitoring services to affected individuals to mitigate potential identity theft and fraud risks.