TechCrunch News, December 26, 2024
These were the badly handled data breaches of 2024
This article reviews the many serious data breaches and security incidents of the past year, involving genetic testing company 23andMe, healthcare technology company Change Healthcare, U.K. healthcare services provider Synnovis, cloud computing giant Snowflake, the city of Columbus, Ohio, U.S. phone and internet companies, money transfer company MoneyGram, and retailer Hot Topic, among others. These incidents exposed corporate negligence in data security, such as the lack of multi-factor authentication, failure to disclose breaches promptly, and failure to respond effectively once an incident occurred. They posed a serious threat to the personal information and privacy of millions of users and raised public concern about data security.

🧬 23andMe: Hackers brute-forced accounts, exposing the genetic and ancestry data of nearly 7 million users. Although the company rolled out multi-factor authentication afterward, it still shifted blame onto its users, prompting lawsuits and regulatory investigations.

🏥 Change Healthcare: A cyberattack, made possible by a basic user account that lacked multi-factor authentication, took down the company's entire network and caused widespread disruption to the U.S. healthcare system. Paying a hefty ransom did not fully resolve the problem, and the health information of more than 100 million people was ultimately exposed.

🔒 Snowflake: Login credentials were stolen after malware infected the computers of customers' employees; hackers exploited the fact that Snowflake did not mandate multi-factor authentication to steal large amounts of customer data and extort the victims, highlighting the security responsibilities of cloud service providers.

📞 U.S. phone and internet companies: A China-backed hacking group exploited a 30-year-old backdoor law to access the real-time calls, messages, and communications metadata of senior U.S. officials, exposing security risks in communications infrastructure and shortcomings in government oversight.

🛍️ Hot Topic: The retail giant suffered a massive data breach involving the personal information of 57 million customers, yet the company has neither publicly acknowledged the incident nor notified affected customers, highlighting a failure of corporate disclosure.

For the past few years, TechCrunch has looked back at some of the worst, badly handled data breaches and security incidents in the hope — maybe! — other corporate giants would take heed and avoid making some of the same calamities of yesteryear. To absolutely nobody’s surprise, here we are again this year listing much of the same bad behavior from an entirely new class of companies. 

Last year, genetic testing giant 23andMe lost the genetic and ancestry data on close to 7 million customers, thanks to a data breach that saw hackers brute-force access to thousands of accounts to scrape data on millions more. 23andMe belatedly rolled out multi-factor authentication, a security feature that could have prevented the account hacks.

Within days of the new year, 23andMe took to deflecting the blame for the massive data theft onto the victims, claiming that its users did not sufficiently secure their accounts. Lawyers representing the group of hundreds of 23andMe users who sued the company following the hack said the finger-pointing was “nonsensical.” U.K. and Canadian authorities soon after announced a joint investigation into 23andMe’s data breach last year.

23andMe later in the year laid off 40% of its staff as the beleaguered company faces an uncertain financial future — as does the company’s vast bank of its customers’ genetic data.

Change Healthcare is a healthcare tech company few had heard about until this February when a cyberattack forced the company to shut down its entire network, prompting immediate and widespread outages across the United States and grinding much of the U.S. healthcare system to a halt. Change, owned by health insurance giant UnitedHealth Group, handles billing and insurance for thousands of healthcare providers and medical practices across the U.S., processing somewhere between one-third and half of all U.S. healthcare transactions each year. 

The company’s handling of the hack — caused by a breach of a basic user account with a lack of multi-factor authentication — was criticized by Americans who couldn’t get their medications filled or hospital stays approved; affected healthcare providers who were going broke as a result of the cyberattack, and lawmakers who grilled the company’s chief executive about the hack during a May congressional hearing. Change Healthcare paid the hackers a ransom of $22 million — which the feds have long warned only helps cybercriminals profit from cyberattacks — only to have to pony up a fresh ransom to ask another hacking group to delete its stolen data.

In the end, it took until October — some seven months later — to reveal that 100 million-plus people had their private health information stolen in the cyberattack. Granted, it must have taken a while, since it was — by all accounts — the biggest healthcare data breach of the year, if not ever.

The NHS suffered months of disruption this year after Synnovis, a London-based provider of pathology services, was hit by a ransomware attack in June. The attack, claimed by the Qilin ransomware group, left patients in south-east London unable to get blood tests from their doctors for more than three months, and led to the cancellation of thousands of outpatient appointments and more than 1,700 surgical procedures. 

In light of the attack, which experts say could have been prevented if two-factor authentication had been in place, Unite, the U.K.’s leading trade union, announced that Synnovis staff will strike for five days in December. Unite said the incident had “an alarming impact on staff who have been forced to work additional hours and without access to essential computer systems for months while the attack has been dealt with.”

It remains unknown how many patients are affected by the incident. The Qilin ransomware group claims to have leaked 400 gigabytes of sensitive data allegedly stolen from Synnovis, including patient names, health system registration numbers, and descriptions of blood tests.

Cloud computing giant Snowflake found itself this year at the center of a series of mass hacks targeting its corporate customers, like AT&T, Ticketmaster and Santander Bank. The hackers, who were later criminally charged with the intrusions, broke in using login details stolen by malware found on the computers of employees at companies that rely on Snowflake. Because of Snowflake’s lack of mandated use of multi-factor security, the hackers were able to break into and steal vast banks of data stored by hundreds of Snowflake customers and hold the data for ransom. 

Snowflake, for its part, said little about the incidents at the time, but conceded that the breaches were caused by a “targeted campaign directed at users with single-factor authentication.” Snowflake later rolled out multi-factor-by-default to its customers with the hope of avoiding a repeat incident.

When the city of Columbus, Ohio reported a cyberattack over the summer, the city’s mayor Andrew Ginther moved to reassure concerned residents that stolen city data was “either encrypted or corrupted,” and that it was unusable to the hackers who stole it. All the while, a security researcher who tracks data breaches on the dark web for his job found evidence that the ransomware crew did in fact have access to residents’ data — at least half a million people — including their Social Security numbers and driver’s licenses, as well as arrest records, information on minors, and survivors of domestic violence. The researcher alerted journalists to the data trove.

The city successfully obtained an injunction barring the researcher from sharing the evidence he found of the breach, a move seen as an effort by the city to silence the security researcher rather than remediate the breach. The city later dropped its lawsuit.

A 30-year-old backdoor law came back to bite this year after hackers, dubbed Salt Typhoon — one of several China-backed hacking groups laying the digital groundwork for a possible conflict with the United States — were discovered in the networks of some of the largest U.S. phone and internet companies. The hackers were found accessing the real-time calls, messages and communications metadata of senior U.S. politicians and high-ranking officials, including presidential candidates.

The hackers reportedly broke into some of the companies’ wiretap systems, which the telcos were required to set up following the passing of the law, dubbed CALEA, in 1994. Now, thanks to the ongoing access to these systems — and the data that telecom companies store on Americans — the U.S. government is advising U.S. citizens and senior Americans to use end-to-end encrypted messaging apps so that nobody, not even the Chinese hackers, can access their private communications.

MoneyGram, the U.S. money transfer giant with more than 50 million customers, was hit by hackers in September. The company confirmed the incident more than a week later after customers experienced days of unexplained outages, disclosing only an unspecified “cybersecurity issue.” MoneyGram didn’t say whether customer data had been taken, but the U.K.’s data protection watchdog told TechCrunch in late September that it had received a data breach report from the U.S.-based company, indicating that customer data had been stolen.

Weeks later, MoneyGram admitted that hackers had swiped customer data during the cyberattack, including Social Security numbers and government identification documents, as well as transaction information, such as dates and the amounts of each transaction. The company admitted that the hackers also stole criminal investigation information on “a limited number” of customers. MoneyGram still hasn’t said how many customers had data stolen, or how many customers it had directly notified.

With 57 million customers affected, the October breach of U.S. retail giant Hot Topic goes down as one of the largest-ever breaches of retail data. However, despite the massive scale of the breach, Hot Topic has not publicly confirmed the incident, nor has it alerted customers or state offices of attorneys general about the data breach. The retailer also ignored TechCrunch’s multiple requests for comment. 

Breach notification site Have I Been Pwned, which obtained a copy of the breached data, alerted close to 57 million affected customers that the stolen data includes their email addresses, physical addresses, phone numbers, purchases, their gender, and date of birth. The data also included partial credit card data, including credit card type, expiry dates, and the last four digits of the card number. 
