In today's digital economy, data flows seamlessly across companies, geographies and networks. Technology has reduced business friction and created once-unthinkable economies of scale. But it has also given rise to new threats that can put our most sensitive data at risk.
Data breaches are costly. IBM reports that the global average cost of a data breach has risen 15% over the least three years, hitting $4.45 million in 2023.
Every organisation—no matter its size, location or industry—is a potential target. And while no one wants to be the next headline, studying real-world data breaches can help us understand their root causes and how to prevent the next one.
This post highlights a few recent data leaks to help jump-start your learning.
Understanding data breaches
Before we dive into our data breach examples, let’s define what a data breach is. It’s an information security incident, intentional or accidental, in which a company’s data is stolen or disclosed to an unauthorised third party. Data breaches can result from:
- External threats, such as a cyber criminal exploiting a vulnerability in software or stealing an employee’s credentials to gain access to company systems and data. The latest Data Breach Investigations Report from Verizon notes that 83% of breaches involve external actors. And the primary driver for most attacks—95%—is financial.
- Insider threats, such as a malicious user who steals confidential data from the company for personal gain, to cause damage to the business (or both). Careless employees are considered insider threats, too. So are those whose credentials have been compromised by attackers.
A quick recap of four recent data breaches in 2023
The list of recent data breaches in 2023 is long—and no doubt will keep growing. It includes businesses of all types and sizes across industries. Many firms have experienced more than one major data breach in recent years. Some have reported multiple incidents within just the past year.
Here’s a quick overview of four recent data breaches from 2023 (or near) and earlier, some much larger than others. For more real-life accounts of data breaches—and what we can learn from them—download our e-book The Data Breach is Coming from Inside the House.
1. Progress Software, a provider of business software products
The attack: This mass exploit, which began in May 2023, was still in motion at the start of August. The Russia-linked cyber crime group Clop claimed responsibility for exploiting a security flaw in Progress Software’s MOVEit Transfer enterprise tool, which is used to share large files over the internet. The SQL injection vulnerability let the attackers access MOVEit Transfer’s database from its web app without authenticating.
Data compromised: As of mid-August, the MOVEIt incident has touched more than 600 companies and government agencies and at least 40 million people across several countries. Clop has been posting the growing list of victims on a dark web leak site. The group is also threatening to publish sensitive data if victims do not pay a ransom for it. Data exposed in the attack runs the gamut—everything from pension information to billing data to medical records.
The response: After discovering the attack, Progress Software alerted customers and advised customers on how to limit the damage. It also moved swiftly to develop a security patch. In June, the company announced another vulnerability that could lead to unauthorised access. (The company has set up a page on its website for updates.)
2. T-Mobile, a wireless telecom services provider
The attack: A threat actor exploited a flaw in one of the company’s APIs and gained access to the personal information within 37 million customer accounts.
Data compromised: Customers’ names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details
The response: Once T-Mobile detected the breach in January, it tracked down the source and contained the incident within a day. The company alerted affected customers by letter, reset their account PINs, and offered two years of free credit monitoring and identity theft detection services. When this data breach hit, T-Mobile was already working to shore up its digital security and data defences in the wake of a class action lawsuit related to another data breach in 2021.
3. Airline recruitment website
The attack: In June, bad actors stole sensitive information from a database maintained by a third party, Pilot Credentials, which was providing recruiting services to both airlines at the time. (The airlines’ internal systems and networks were not compromised in the attack.)
Data compromised: personal information, such as Social Security numbers, passport numbers and Airman Certificate numbers in job applications and credentials for 8,000 pilots and cadets
The response: The airlines alerted regulators and everyone affected by the breach. They are working with law enforcement investigating the incident. The airlines have said they will now direct all pilot and cadet applicants to self-managed internal portals. One of the affected airlines also offered to cover two years of identity theft detection services for anyone affected.
4. PharMerica, U.S. pharmacy network
The attack: The Money Message ransomware group breached the computer systems of PharMerica and its parent company, BrightSpring Health Service, and exfiltrated databases with more than 4.7 TB of data. The attackers took credit for the attack in March and posted stolen data on the group’s website. PharMerica has not shared details about how the attackers got access.
Data compromised: internal business documents, including balance sheets, as well as the names and contract information, Social Security numbers, prescription details and health insurance information for more than 6 million patients.
The response: PharMerica detected suspicious activity on its network two days after the attackers gained access to it. The company notified the affected customers by email. PharMerica has offered victims a year of identity protection services.
Lessons learned from these recent data leaks
So, what can cybersecurity leaders glean from these incidents? Here are some key takeaways:
- The software supply chain presents major risk.
- Malicious actors will seek out and exploit any vulnerability to gain an inroad to company systems and data.
- Companies cannot assume the third parties they work with have strong security defences and are vigilant about protecting the data shared with them.
- Stealing high-value and marketable information about people, from dates of birth to bank account information, is a top aim for most data thieves.
- Swift and clear communication to those affected is essential.
Data loss prevention: strategies for success
To effectively manage data loss and insider threats, security teams must become adept at preventing, detecting and responding to them. Those that can do all three in a coordinated and streamlined way stand the best chance of decreasing their risk.
Here are the basic capabilities every DLP and ITM programme should have:
Prevention
This is the ability to stop a user from accidentally or intentionally violating security policy using user education, real-time reminders and blocking when necessary. You’ve heard the phrase “an ounce of prevention is worth a pound of cure”. This is never truer than with DLP.
Detection
This is the ability to detect, in as close to real-time as possible, when a user takes a risky action or data is potentially exposed—even if it doesn’t reach the level of a full-blown “incident”. Your detection efforts must strike the right balance between timely, actionable alerts and the risk of alert fatigue. Your programme should fine-tune its alerts by using a mix of real-world risk indicators and alerts specific to your organisation.
Analytics
This is the ability to analyse trends in user behaviour and hunt for threats. It combines activities from multiple channels and helps you determine user risk and identify risky behaviour. While it can be done automatically, analysts being able to dig deep into the data itself is critical for success.
Response
This is the ability to investigate and respond to incidents quickly and efficiently. The longer an insider threat persists, the more damage it can do to your brand and bottom line. Also, it’s important to work on a coordinated response with teams across your organisation. That includes security and IT to compliance, legal, HR, C-suite and more.
Tools to prevent data breaches
The recent data breaches in 2023 shared in this post help to highlight how many factors can lead to a major data loss event—a motivated cyber criminal, an unpatched system, a careless insider, the list goes on. Remember: data doesn’t lose itself—people lose it.
People-centric security means having complete visibility and context into how users are interacting with sensitive data and assets. Security is no longer about just monitoring technology usage or the network perimeter—which for most organisations no longer exists.
Here are some key data-loss channels and how to safeguard them:
At its most basic level, an email security solution should provide some level of protection against spam, phishing, malware and data loss for all your users. More advanced capabilities should include business email compromise (BEC) protection and seamless yet robust email encryption for partners and others you share sensitive data with.
Cloud
A cloud access security broker (CASB) provides you with visibility and control of the software-as-a-service (SaaS) apps and file-sharing services used by your workforce—no matter where they're accessing them. Ideally, a CASB solution should be integrated into an information protection platform and include robust DLP tools. This way, it can discover and remediate excessive file sharing of sensitive data in cloud repositories. More advanced CASB tools can also identify highly attacked people and users recently exposed to phishing attacks.
Endpoint
Modern endpoint protection should extend beyond basic malware protection to include data activity monitoring for all users. Security teams should also be able to monitor for risky behaviours and manage insider threats for specific business purposes.
Web
A cloud framework is critical to ensure users stay safe while browsing the web—and that attackers don't compromise your critical data and assets. Modern web security services will give you granular controls. And it allows you to inspect all traffic (including encrypted traffic) for threats and data loss prevention.
Integrations
A modern enterprise DLP platform should seamlessly integrate with third-party solutions and custom applications and work across cloud, on-premises infrastructure and remote devices. It should include advanced analytics for deep insights into threats across email and cloud. And it should provide context for user behaviour and data usage. To help the right users get the right training, it should have built-in interactive security awareness training modules that reduce user friction. Ideally, your security team should have a unified admin console that streamlines day-to-day tasks and speeds its response.
Next steps
As the industry’s fastest-growing information protection platform, our solution protects against data loss, malicious acts and brand damage caused by users. We can help you connect the dots between user activity and data movement so that security teams can quickly respond to insider-led breaches in near real time.
Download the Proofpoint Enterprise DLP data sheet to learn more.