
Arctic Wolf Presents 2023 Breaches in Review
Our annual recap of the most noteworthy, high-profile, and damaging cybercrimes of the year.
It was another record-breaking year for cybercrime, as social engineering tactics halted operations at multiple corporations, the personally identifiable information (PII) of millions of individuals ended up for sale on the dark web, and ransomware-as-a-service (RaaS) continued to gain momentum. The major breaches of 2023 highlighted how the institutions we trust may lack the foundations of a comprehensive cybersecurity strategy — and that, even with the most advanced security, they are still susceptible. If organisations want to shore up their defences and reduce risk in 2024, they can’t focus only on the future of technology; they also need to examine the building blocks of their own cybersecurity architecture.
Top Breaches of 2023
Our team picked nine breaches that exemplify what the year looked like on the cybercrime battlefield. From healthcare to education, from North America to Australia, here's who was breached, and how, in 2023.
Breach Victim: University of Manchester
Data Breach At A Glance
Location: United Kingdom
Industry Impacted: Education / Healthcare
Attack Type: Ransomware
Month Breached: June
Breach Recap
With complex environments and often under-staffed IT departments, educational institutions are quickly becoming a favourite target of threat actors, as was the case in the U.K., where a ransomware attack on the University of Manchester resulted in the exfiltration of PII for staff, alumni, and students, plus a 250GB data set that contained the health records of 1.1 million NHS patients.
The university did not initially pay the ransom, and as a result the threat actors deployed a triple-extortion technique: not only encrypting the breached systems and threatening to post the exfiltrated data unless the university paid the ransom, but also contacting the individuals whose data was compromised with a warning that their data was going to be released on the dark web.
While the details are still unknown, it appears the breach was the result of a VPN exploit, as the university removed access to their GlobalProtect VPN shortly after the incident occurred. The university had health records, including patient data of major trauma patients and terror attack victims, for research purposes.
As of 18 December, the university is still investigating the breach and its origins, as well as the extent of data exfiltrated.
The NHS has been a frequent target of cybercriminals in recent years, as have educational institutions. According to an audit by the National Cyber Security Centre (NCSC) and the National Grid for Learning, 78% of educational organisations in the U.K. experienced a cyber attack, with more than 50% of those qualifying as ransomware attacks.
Breach Victim: 23andMe
Data Breach At A Glance
Location: North America
Industry Impacted: Healthcare (DNA Testing)
Attack Type: Credential Stuffing
Month Breached: October
Breach Recap
Through a simple credential stuffing attack, threat actors were able to access 14,000 accounts of the popular genetic data gathering and sharing organisation. Using the access those accounts granted, in particular a feature within the application called “DNA relatives”, the hackers exfiltrated data on far more users and published it on the dark web. 23andMe confirmed that the data of over 6.9 million user accounts was taken during the breach, including names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported locations.
The initial data leak showed threat actors offered to sell data profiles in bulk for $1-$10 USD per 23andMe account, depending on how many were purchased.
23andMe did not acknowledge the breach until two days after the dark web posting appeared, and even then offered limited information. While the motivations of the threat actors remain unknown, there was a pattern in the data taken — over 2 million Ashkenazi Jewish records and hundreds of thousands of Chinese ancestry records were stolen — which led to accusations and demands for answers from the Connecticut Attorney General.
While credential stuffing has varying rates of success, this breach attempt worked because 23andMe did not require multi-factor authentication (MFA) for users and there were no access controls in place between the main interface and the “DNA relatives” feature.
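Credential stuffing has a shape that per-account lockouts never see: one source tries many different accounts in a short window, most attempts fail (the reused password is wrong for this site) and a few succeed. The detector below, an added example that is not code from Arctic Wolf or 23andMe, keys on distinct accounts per source IP rather than failures per account, so it separates a stuffing run from an ordinary single-account brute force and from a user mistyping a password. The log format (timestamp, source IP, username, OK/FAIL), every value in SAMPLE_LOG and the thresholds are assumptions made for the example.

```python
"""Credential-stuffing detector run over constructed authentication log lines.

Added example; not code from Arctic Wolf or 23andMe. The log format and every
value in SAMPLE_LOG are assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: "<ISO-8601 UTC timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 sprays 12 accounts (stuffing), 198.51.100.5 is one user with a typo,
# 192.0.2.9 hammers a single account (brute force, a different detection problem).
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.7 user01 FAIL
2023-10-01T02:00:02Z 203.0.113.7 user02 FAIL
2023-10-01T02:00:03Z 203.0.113.7 user03 OK
2023-10-01T02:00:04Z 203.0.113.7 user04 FAIL
2023-10-01T02:00:05Z 203.0.113.7 user05 FAIL
2023-10-01T02:00:06Z 203.0.113.7 user06 FAIL
2023-10-01T02:00:07Z 203.0.113.7 user07 FAIL
2023-10-01T02:00:08Z 203.0.113.7 user08 FAIL
2023-10-01T02:00:09Z 203.0.113.7 user09 OK
2023-10-01T02:00:10Z 203.0.113.7 user10 FAIL
2023-10-01T02:00:11Z 203.0.113.7 user11 FAIL
2023-10-01T02:00:12Z 203.0.113.7 user12 FAIL
2023-10-01T02:01:00Z 198.51.100.5 carol FAIL
2023-10-01T02:01:20Z 198.51.100.5 carol OK
2023-10-01T02:02:00Z 192.0.2.9 dave FAIL
2023-10-01T02:02:01Z 192.0.2.9 dave FAIL
2023-10-01T02:02:02Z 192.0.2.9 dave FAIL
2023-10-01T02:02:03Z 192.0.2.9 dave FAIL
2023-10-01T02:02:04Z 192.0.2.9 dave FAIL
2023-10-01T02:02:05Z 192.0.2.9 dave FAIL
2023-10-01T02:02:06Z 192.0.2.9 dave FAIL
2023-10-01T02:02:07Z 192.0.2.9 dave FAIL
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    window_start: datetime
    accounts: int          # distinct usernames tried from this source in the window
    attempts: int
    failures: int
    succeeded: List[str]   # accounts that authenticated: candidates for reset / step-up


def parse_line(line: str) -> Event:
    ts, ip, user, outcome = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK")


def window_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window, aligned to midnight."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    offset = (ts - midnight).total_seconds()
    return midnight + timedelta(seconds=offset - offset % window.total_seconds())


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_accounts=10, min_fail_ratio=0.5) -> List[Finding]:
    """Flag (source IP, window) pairs that tried many distinct accounts and mostly failed."""
    buckets: Dict[Tuple[str, datetime], List[Event]] = defaultdict(list)
    for raw in lines:
        if raw.strip():
            ev = parse_line(raw)
            buckets[(ev.ip, window_start(ev.ts, window))].append(ev)

    findings = []
    for (ip, start), events in sorted(buckets.items()):
        accounts = {e.user for e in events}
        failures = sum(1 for e in events if not e.ok)
        if len(accounts) >= min_accounts and failures / len(events) >= min_fail_ratio:
            findings.append(Finding(ip, start, len(accounts), len(events), failures,
                                    sorted(e.user for e in events if e.ok)))
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(f"{f.ip} @ {f.window_start:%H:%M}: {f.accounts} accounts, "
              f"{f.failures}/{f.attempts} failed, authenticated: {f.succeeded}")
```

The `succeeded` list is the operational output: those are the accounts whose reused passwords matched and which, absent MFA, are now controlled by the attacker, so they are the ones to force a password reset and step-up verification on before any data-sharing feature can be used. The single-account brute force from 192.0.2.9 is deliberately not flagged here; it needs a per-account rule, which is the only kind most lockout policies implement.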
Breach Victim: Clorox
Data Breach At A Glance
Location: North America
Industry Impacted: Manufacturing
Attack Type: Unknown, indications of ransomware
Month Breached: August
Breach Recap
Like many breaches aimed at infrastructure, this attack sought, and succeeded in, disrupting the operations of a major American goods manufacturer. According to an SEC filing by Clorox, the attack took many of its automated systems offline, including those through which large retailers such as Walmart and Target order products, highlighting how the breach of one organisation can disrupt an entire supply chain. While Clorox never confirmed whether the attack was ransomware, the fallout, particularly the operational downtime, is consistent with other ransomware attacks.
The breach also cost Clorox $356 million USD due to a 20% decline in sales, driven by lower production volumes following the attack. This is in addition to a steep drop in stock price and the $25 million Clorox spent securing its systems post-breach.
It took Clorox over a month to contain the breach, and the reason the public knows so many details about this particular hack is that Clorox is one of the first public companies to comply with the new SEC Cyber Disclosure Rules.
Sources
- https://www.industryweek.com/technology-and-iiot/article/21274431/the-clorox-co-recovers-from-severe-cyberattack
- https://www.sec.gov/ix?doc=/Archives/edgar/data/0000021076/000120677423000969/clx4231381-8k.htm
- https://www.fastcompany.com/90967250/how-old-fashioned-hacking-may-have-taken-clorox-off-store-shelves-for-months
Breach Victim: Dish Network
Data Breach At A Glance
Location: North America
Industry Impacted: Telecommunications
Attack Type: Ransomware
Month Breached: February
Breach Recap
The Russian-backed ransomware group Black Basta was behind this breach of a telecommunications giant’s IT environment, with the group “first breaching Boost Mobile and then the Dish corporate network,” according to Bleeping Computer. Attackers compromised the company’s Windows domain controllers before encrypting VMware ESXi servers and data backups.
Dish Network paid the ransom, which resulted in Black Basta deleting the originally exfiltrated data, which included 296,851 employee-related records. There are multiple class-action lawsuits active against Dish, and the telecommunications organisation is providing two years of identity monitoring to impacted individuals.
As for the financial impact, following the announcement of the data breach, Dish Network’s stock price fell $0.79 USD per share, or 6.48%, to close at $11.41 per share on February 28, 2023, according to one class action court filing. It is currently unknown how much Dish Network paid in ransom or what the offered credit monitoring cost.
Breach Victim: Insomniac Games
Data Breach At A Glance
Location: North America
Industry Impacted: Gaming
Attack Type: Ransomware
Month Breached: December
Breach Recap
Insomniac Games, a Sony subsidiary, found itself in notorious ransomware gang Rhysida’s crosshairs at the end of 2023. The ransomware group, after asking for an initial ransom of $2 million USD, released troves of data — 1.3 million files to be exact — onto the dark web. This data included both in-development materials for upcoming games (like Wolverine) and employee information such as passport scans, recorded video meetings, and more.
While Sony is still investigating the cause of this breach, Rhysida has been observed using VPNs to connect to companies’ internal networks in the past, and that appears to be the case here, as Rhysida posted that “we were able to get the domain administrator within 20–25 minutes of hacking the network.”
Breach Victim: Latitude
Data Breach At A Glance
Location: Australia/New Zealand
Industry Impacted: Financial Services
Attack Type: Third-Party Credential Compromise
Month Breached: March
Breach Recap
Threat actors are making big moves down under, as the Latitude incident is the third large data breach in under two years for the region. The breach, which exposed the PII of 14 million customers, was the fallout of a compromise at a third party: the attackers used a third-party employee’s login credentials to access the Latitude VPN. The still-unknown group then launched an extortion ransomware attack, threatening to release the exfiltrated data onto the dark web unless a ransom was paid. It was not. The exfiltrated data included 7.9 million Australian and New Zealand driver license numbers and 6.1 million customer records containing customers’ full names, addresses, telephone numbers, and dates of birth, plus an unknown number of passport numbers and financial records.
There have been multiple class action lawsuits filed, and customers affected are angered that Latitude kept unnecessary records for such a long time — millions were over a decade old — thereby amplifying risk.
According to statements by Latitude, the incident cost the organisation $76 million USD, including a spend of $53 million to resolve the incident.
Breach Victim: MCNA Dental
Data Breach At A Glance
Location: North America
Industry Impacted: Healthcare (Dental Insurance)
Attack Type: Ransomware
Month Breached: February
Breach Recap
Highly active ransomware group LockBit was behind this attack on a United States dental insurance company. According to reports, the group was inside MCNA Dental’s systems for 10 days before the organisation noticed, and used that time to exfiltrate 700GB of data, including the personally identifiable information (PII) of MCNA’s clients, with the ransom set at $10 million USD.
LockBit ultimately published the exfiltrated data on the dark web, which contained PII for 8.9 million individuals. As a result, 11 lawsuits have been filed across multiple states, accusing MCNA Dental of not properly protecting client data. MCNA Dental is the country’s largest dental insurer for Medicaid and Children’s Health Insurance Programs (CHIP), so it’s likely much of the PII exfiltrated belonged to minors.
The culprits, LockBit, have been increasingly active in 2023, with Arctic Wolf research noting that their dark web postings have increased 17% in the first half of 2023 compared to 2022, making them, by far, the most active ransomware group operating today.
Breach Victim: MGM
Data Breach At A Glance
Location: North America
Industry Impacted: Gaming (Casino and Hotel)
Attack Type: Social Engineering and Ransomware
Month Breached: September
Breach Recap
The news spread faster and louder than someone winning the jackpot at a slot machine when MGM Resorts suffered a social engineering attack that brought down systems across the hotels and casinos of the Las Vegas strip. All it took was one phone call to a third-party IT helpdesk by a member of the ransomware gang Scattered Spider (using ransomware from ALPHV/BlackCat), and suddenly a major American resort operator had 100 ESXi hypervisors encrypted and was unable to carry out basic functions such as checking in guests and running casino operations. In addition to the operational issues, the group was able to extract customer PII, including names, phone numbers, email addresses, postal addresses, genders, dates of birth and driver’s license numbers, and, for a limited number of customers, Social Security numbers, according to MGM’s SEC filing.
MGM Resorts lost $100 million USD due to canceled bookings, in addition to “$10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third-party advisors,” per the filing.
This breach not only highlights the damage a simple social engineering ploy can cause — and how effective social engineering still is — but the rampant nature of RaaS gangs, who were responsible for several high profile and costly breaches this year.
Breach Victim: Okta
Data Breach At A Glance
Location: North America
Industry Impacted: Technology (identity security)
Attack Type: Credential compromise and session jacking
Month Breached: September
Breach Recap
Even employees of one of the largest identity security companies aren’t immune from making a password-related mistake. The organisation’s massive data breach was the result of an employee signing into their personal Google account on their work device. The username and password of a customer service account were then, presumably accidentally, saved to that personal Google account, which the attackers were able to access by compromising the employee’s personal device or Google account.
While Okta initially thought the breach only affected about 1% of customers, it was later determined that the threat actors were able to exfiltrate full names and email addresses for every client that uses its customer support system — every single one. This could lead to a wave of follow-on attacks, such as social engineering or phishing, against those clients.
The breach had a massive financial fallout, with Okta’s market valuation dropping by over $2 billion USD.
This is not the first time the cybersecurity giant has been the target of a data breach, having made headlines twice in 2022 for large-scale incidents. This continued successful targeting of Okta highlights how a strong cybersecurity strategy is a comprehensive one that covers every base to both prevent incidents and limit their scope.