The Rising Tide of Cyber Threats
The cyber threat landscape of 2023 was notably fierce, with the global average cost of a data breach escalating to $4.45 million (£3.5m), a 15% increase over the past three years. The number of cyber breaches also saw a dramatic rise, leaping from 1,063 last year to over 1,400 before the year’s end. The year witnessed nearly 6 billion breached records, with 3.8 billion resulting from one breach alone. One billion email accounts were exposed, affecting one in every five internet users.
UK Businesses Under Siege
By 2023, approximately 2.39 million cases of cyber-crime had affected UK businesses, with the average cost rising 8.1% to £4.56m. A report revealed that 90% of UK organisations encountered a greater risk of exposure to cybersecurity threats due to the increased use of digital technology over the past two years. The Joint Committee on the National Security Strategy (JCNSS) warned that the UK Government is at “high risk” of a catastrophic cyber-attack “at any moment.”
A Month-by-Month Recap of Notable Breaches
Here’s a look back at some of the most significant breaches from each month of the year.
January: Twitter and JD Sports
The year kicked off with the email addresses associated with 235 million Twitter accounts being shared online in a hacking forum. Meanwhile, sports clothing retailer JD Sports suffered a breach affecting about 10 million customers, exposing billing and delivery addresses, phone numbers, order details and the final four digits of payment cards.
February: T-Mobile and PeopleConnect
T-Mobile disclosed that 37 million prepaid and post-paid accounts were exposed in a breach. In the same month, background check services organisation PeopleConnect confirmed a data breach affecting 20 million people.
March: City of London Traders and Royal Mail
LockBit, a Russian-linked ransomware gang, attacked software provider Ion Group, affecting 42 clients and leading to a knock-on effect on other trade processing systems. The same group also targeted the Royal Mail, resulting in disruption to 11,500 Post Office branches.
April: Latitude Financial and ChatGPT
Latitude Financial experienced a significant breach, with over 14 million records compromised. Meanwhile, ChatGPT, one of 2023’s most prolific websites, suffered a breach exposing the payment-related information of 1.2% of ChatGPT Plus subscribers.
May: Capita and Shields Health Care Group
Capita, one of the UK’s largest business processing outsourcing companies, was hit by a ransomware attack, affecting around 90 organisations. Shields Health Care Group in the US had the personal data of 2.3 million people accessed by a cyber-criminal.
June: Yum! Brands and MSI
Yum! Brands, which represents KFC, Taco Bell, and Pizza Hut, suffered a cyber-attack affecting both corporate and employee data. Computer hardware company MSI confirmed a ransomware attack resulting in the theft of 1.5TB of company data.
July: Discord and US Government
The popular messaging platform Discord notified its users of a data breach when a third-party support agent’s account was compromised. The US Government also experienced a breach affecting roughly 237,000 employees.
August: Sony and MOVEit
Sony revealed a zero-day exploit carried out by the Clop ransomware group, exposing the data of 6,791 current and former Sony employees. The Clop ransomware gang also exploited a zero-day bug in the MOVEit enterprise file transfer tool, leading to data thefts affecting more than 62 million people.
September: UK Universities and Reddit
A risk monitoring platform discovered that 2.2 million breached credentials were found on the dark web for the UK’s top 100 universities. Reddit also faced threats from hackers who stole 80GB of confidential data from its servers.
October: Tigo and Roblox
Chinese video chat platform Tigo leaked more than 700,000 people’s personal data online. Roblox also suffered a data leak, with about 4,000 members in its developer community having their data exposed.
November: Indonesian Immigration Directorate General and UK Electoral Commission
The Immigration Directorate General of Indonesia was breached by a hacktivist who lifted the passport data of more than 34 million Indonesians. The UK Electoral Commission also reported a “complex cyber-attack” where hostile actors gained access to the UK’s electoral registers.
December: Northern Ireland Police and Duolingo
The Police Services of Northern Ireland suffered an attack that led to the breach of personal details of 10,000 staff. Language education app Duolingo also experienced a data breach, with the data of 2.6 million users leaked.
Unfortunate Events: DarkBeam, MGM Resorts International, and 23andMe
DarkBeam, a cyber-vulnerability and threat management provider, accidentally exposed over 3 billion records due to human error. MGM Resorts International reported a cyber-attack resulting in over £89 million in costs. Genetic testing platform 23andMe was involved in a data breach where around 14,000 accounts were exposed.
Recent Breaches: Indian Council of Medical Research, Air Europa, and Kid Security
The Indian Council of Medical Research had the Covid test and health data of approximately 815 million Indian citizens exposed. Spanish airline Air Europa had to tell all their customers to cancel credit cards after a data breach. Parental control app Kid Security exposed more than 300 million data records.
Latest Updates: Samsung UK and Toyota Financial Services
Samsung UK experienced a data breach due to an attack on a third-party business application, exposing customer data. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, recently issued a warning about a significant data breach following unauthorised access detected in some of its European and African systems.