The end of the year is always a great time to reflect. In IT security, it’s a great time to look back at the biggest data breaches of 2023 to glean some learnings for 2024.
The examples below come from the top ten major data breaches of 2023 and include some huge names, but don’t let the big corporation breaches deceive you. In fact, 46% of all cyber breaches impact businesses with fewer than 1,000 employees.
Let’s look at these breaches to understand how they happened and what you can do to better protect your business, clients, and employees in 2024.
Top 10 Breaches of 2023
T-Mobile
Over two months, hackers used API to steal data. They ended up with the names, emails, and birthdays of 37 million T-Mobile customers. It cost T-Mobile millions of dollars to remediate.
MailChimp
Hackers used social engineering to access an internal customer support feature, exposing employee information and credentials.
ChatGPT
In March, the AI giant experienced a breach where hackers exposed users’ first and last names, email addresses, payment addresses, and the last four digits of subscribers’ credit cards.
MOVEit
A MOVEit data breach impacted seventeen million individuals and 200 organizations. The breach affected major corporations like Shell and government agencies like the Department of Health and Human Services. Russian hackers took credit for the breach and even threatened to sell PII on the dark web.
YUM! Brands (KFC, Taco Bell and Pizza Hut)
YUM! Brands is the parent company of KFC, Taco Bell, and Pizza Hut. In April, the parent company revealed a cyberattack, initially discovered in January 2023, that exposed some employee data. Unfortunately, YUM! Brands had to close 300 restaurants.
Did You Know?
95% of cybersecurity incidents at SMBs cost between $826 and $653,587!
MCNA Insurance
MCNA is the Managed Care of North America Insurance Company, and they announced a significant data breach that exposed nearly 9 million customers’ PII. PII breached by hackers included full names, date of birth, emails, and even driver’s license numbers and social security numbers.
Activision
A hacker texted an HR employee, leading to a phishing website. The hacker accessed employee emails, phone numbers, salary details, and work locations. It took weeks for Activision to learn about the extent of the breach.
Google Fi
This Google hack is, unfortunately, tied to the T-Mobile hack. Since Google doesn’t manage or operate a wireless network but relies upon T-Mobile’s infrastructure, Google Fi customers were exposed to an SMS phishing attack.
Chick-fil-A
In early 2023, Chick-fil-A notified customers of a data breach that occurred via the chain’s mobile app. Although only 2% of the mobile app users were impacted, the breach potentially caused unauthorized transactions for users.
PharMerica
PharMerica is one of the largest pharmacy services providers in the U.S. In one of the most significant healthcare data breaches reported by a HIPAA-covered company, 5.8 million individuals had their names, addresses, dates of birth, social security numbers, and even medications exposed by a ransomware group.
What Can You Learn from These Breaches?
As a business owner or IT Director, the three main takeaways from these significant data breaches are that even small to mid-sized businesses come under attack, that you need tools, and that you need a cybersecurity plan. It’s estimated that 43% or more of all companies will become the target of a data breach.
A solid tech stack and a cybersecurity plan can help protect your business and help prevent many of the data breaches that occurred to the larger enterprises mentioned above. Here’s a breakdown of a solid cybersecurity tech stack:
NOC Services: covering altering and monitoring all assets, including windows and third-party patching.
Endpoint Detection and Response (EDR): combined with 24/7 SOC services that collect and analyze data in real-time and offer advanced response and remediation.
Password Management: a solid password management tool will generate strong passwords and allow you to securely share credentials plus track and record to help meet compliance requirements.
DNS Filtering: will catch social engineering schemes and block malicious sites and attacks that bypass your firewall!
Security Awareness Training: should be fun and always exciting. An excellent security awareness training program should be interactive and cover general cybersecurity knowledge, phishing awareness, password hygiene, and more.
Cybersecurity Plan: when creating a cybersecurity strategy, consider the following areas: data security policies, workstation policies, acceptable use policies, clean desk policies, remote access policies, and natural disaster policies.
Avoid Breaches in 2024!
Still have questions. We’ve got answers and love educating others on IT security.
Set up a time to discuss your 2024 plan with a rep today!