The 10 Biggest Data Breaches of 2023 (So Far)
The 10 largest breaches during the first half of the year have impacted more than 100 million individuals, according to data from the Identity Theft Resource Center.
The Breaches Pile Up
For anyone in the world of cyber defense or incident response who was hoping to have a slow summer, it’s not looking good. As just one indicator, the number of victims of the MOVEit cyberattack campaign — in which the Russian-speaking cybercriminal group Clop has targeted organizations using Progress’ MOVEit file transfer tool — continues to grow by the day. And some of the confirmed attacks have been known to have a major impact on users’ personal data: Three of the data breaches associated with the MOVEit attacks rank among the 10 biggest data breaches from the first half of 2023, based on the number of impacted individuals in the breaches, according to the nonprofit Identity Theft Resource Center.
And this may only be the tip of the iceberg, since only 11 of the 148 affected organizations so far have actually disclosed the number of impacted individuals, according to Emsisoft threat analyst Brett Callow. In other words, there may be a lot more fallout to come.
In all, the 10 biggest data breaches from the first half of 2023 have impacted a combined 104 million individuals in total, according to data provided by the Identity Theft Resource Center to CRN. Notably, a number of high-profile breaches with broad impacts did not make the top 10, including the wave of attacks that exploited Fortra’s GoAnywhere file transfer platform earlier this year. For instance, the largest incident from the GoAnywhere campaign — the hack of healthcare benefits and technology firm NationsBenefits — did not rank among the 10 biggest data breaches of the first six months of the year despite the fact that 3 million members were impacted.
Clop has been behind both the GoAnywhere and MOVEit campaigns, security researchers say. And it’s no coincidence that both tools are used for managed file transfers. The technologies enable the ingestion of large volumes of data that can then be moved from point to point, making them an appealing target for data thieves, said Chris Pierson, CEO of BlackCloak and a former member of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee .
The fact that the MOVEit campaign has not included encryption of data, as in traditional ransomware attacks, is another key development. As CrowdStrike Head of Intelligence Adam Meyers told CRN earlier this year, many cybercriminals are finding that data extortion attacks are easier and more profitable than ransomware. In the MOVEit campaign, victims are being pressured to pay the hackers in order to be spared from having their data leaked online — rather than to decrypt their data. While “extortion-only” attacks have been found to be less likely to impact smaller businesses, larger organizations should take note of the shift away from traditional ransomware attacks, since it means that simply having data backups may no longer suffice when dealing with cybercriminal groups such as Clop.
The Identity Theft Resource Center provided CRN with information on the 10 largest data breaches in 2023, as of June 26, by number of impacted individuals. (CRN has supplemented the findings with information from breaches that have come to light in recent days.)
What follows are the details on the 10 biggest data breaches of 2023 so far.
10. Oregon Department of Transportation
Number of individuals impacted: 3.5 million
One massive breach in connection with the MOVEit attacks impacted the Oregon Driver and Motor Vehicles division of the Oregon Department of Transportation, and an estimated 3.5 million Oregon residents. “On June 1, 2023 the Oregon Department of Transportation learned we were part of a global hack of the file transfer tool called MOVEit, which we use to send and receive data. We immediately secured our system,” the department said in an advisory. “However, we later learned that data records for Oregon driver’s licenses, permits and ID cards were accessed.”
“If you have an active Oregon driver’s license, permit, or ID card, you should assume your personal information was exposed,” the department said. “We don’t know exactly what data was accessed by the breach, or which individuals were affected, but you should be aware that the personal information that is typically associated with a DMV driver’s license, permit or ID card record—and thus, may have been exposed—would include: Name; Home and mailing address; License or ID number; Last four digits of Social Security number.”
9. Independent Living Systems, LLC
Number of individuals impacted: 4.2 million
Independent Living Systems — a provider of services to managed care organizations — disclosed the breach in March, though it actually occurred in mid-2022. “On July 5, 2022, we experienced an incident involving the inaccessibility of certain computer systems on our network,” the company said in its notification about the incident. “We responded to the incident immediately and began an investigation with the assistance of outside cybersecurity specialists. Through our response efforts, we learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022. During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed.”
A lengthy list of personal data may have been impacted in the breach, according to Independent Living Systems, including: “name, address, date of birth, driver’s license, state identification, Social Security number, financial account information, medical record number, Medicare or Medicaid identification, CIN#, mental or physical treatment/condition information, food delivery information, diagnosis code or diagnosis information, admission/discharge date, prescription information, billing/claims information, patient name, and health insurance information.”
The company has reportedly been facing at least five class-action lawsuits over the breach.
8. TMX Finance Corporate Services Inc.
Number of individuals impacted: 4.8 million
TMX Finance Corporate Services, which offers consumer lending services, disclosed in March that it had identified a breach in February, which may have begun as far back as December 2022. “The investigation confirmed that information may have been acquired between February 3, 2023 - February 14, 2023. We promptly began a review of potentially affected files to determine what information may have been involved in this incident,” the company said in a breach notification. Personal data that may have been impacted for TMX consumers includes name, date of birth, social security number, passport number, driver’s license number and tax ID number, according to the company.
7. PBI Research Services/Berwyn Group - MOVEit Transfer
Number of individuals impacted: 4.92 million
Four major MOVEit-related breaches have stemmed from the hack of third-party vendor PBI Research Services so far. The breaches have affected a total of nearly 5 million individuals so far who are served by two pension systems — the California Public Employees’ Retirement System (CalPERS) and the Tennessee Consolidated Retirement System — and by two insurers, Genworth and Wilton Re.
CalPERS, which is the largest public pension fund in the U.S., disclosed in a news release that the data of 769,000 retirees was compromised. In a quote included in the release, CalPERS CEO Marcie Frost called the PBI breach “inexcusable.” The Tennessee Consolidated Retirement System reported that 171,836 retirees and/or beneficiaries were impacted.
Meanwhile, Wilton Re disclosed in a breach notification that nearly 1.5 million individuals were impacted in the hack of PBI. And in the largest of the three PBI-related breaches from MOVEit, Genworth reported that the breach “included personal information for approximately ~2.5-2.7 million individuals who are either customers or insurance agents.”
6. PharMerica Corporation
Number of individuals impacted: 5.8 million
PharMerica, a provider of pharmacy services across the U.S., disclosed in May that it had been impacted by a breach in March. “The investigation determined that an unknown third party accessed our computer systems from March 12-13, 2023, and that certain personal information may have been obtained from our systems as a part of the incident,” the company said in a breach notification. “On March 21, 2023, we determined that the data contained personal information that included the above-referenced person’s name, address, date of birth, Social Security number, medications and health insurance information.”
5. Louisiana Office of Motor Vehicles - MOVEit Transfer
Number of individuals impacted: 6 million
Another DMV breach in connection with the MOVEit attacks impacted the Louisiana Office of Motor Vehicles and up to 6 million Louisiana residents (it was not immediately known whether there were victim duplicates, the Identity Theft Resource Center noted). In mid-June, the Louisiana governor’s office said in a news release that it “believes that all Louisianans with a state-issued driver’s license, ID, or car registration have likely had the following data exposed to the cyber attackers: Name, Address, Social Security Number, Birthdate, Height, Eye Color, Driver’s License Number, Vehicle Registration Information, Handicap Placard Information.” Clop has claimed that it has deleted government data that was stolen, and the Louisiana governor’s office noted that “the cyber attackers have not contacted state government” adding that “there is no indication at this time that cyber attackers who breached MOVEit have sold, used, shared or released the OMV data obtained from the MOVEit attack.”
4. MCNA Insurance Company
Number of individuals impacted: 8.92 million
Managed Care of North America (MCNA) Insurance Company disclosed in May it became aware that it had been impacted by a breach in March. “Through its investigation, MCNA determined that an unauthorized third party was able to access certain systems and remove copies of some personal information between February 26, 2023 and March 7, 2023,” the company said in a breach notification.
“Personal information that may have been involved included: (1) demographic information to identify and contact you, such as full name, date of birth, address, telephone and email; (2) Social Security number; (3) driver’s license number or government-issued identification number; (4) health insurance information, such as name of plan/insurer/government payor, member/Medicaid/Medicare ID number, plan and/or group number; and (5) information regarding dental/orthodontic care,” the company said.
3. Zacks Investment Research, Inc.
Number of individuals impacted: 8.93 million
Zacks Investment Research disclosed a breach in January impacting 820,000 customers, which reportedly occurred between November 2021 and August 2022. “The specific customer information we believe to have been accessed is limited to name, address, phone number and email address/user name, as well as passwords used from an older database of customers who had signed up for the Zacks Elite product between November 1999 through February 2005. This product was phased out by 2011,” Zacks said in a notification on its site.
However, in June, breach database and notification service Have I Been Pwned said it received a database of information belonging to 8.9 million Zacks users from a breach in 2020. In June, Zacks said in an updated notification that “we have confirmed that in association with the prior data breach disclosed by Zacks below, which relates to a smaller subset of customers whose unencrypted passwords were compromised, the unauthorized third parties also gained access to encrypted passwords of zacks.com customers. We have no reason to believe any customer credit card information or any other customer financial information was accessed for any Zacks customer at any time.”
2. PeopleConnect, Inc. - Instant Checkmate & Truthfinder
Number of individuals impacted: 20.2 million
PeopleConnect disclosed in February that a breach impacted its background check services, Instant Checkmate and Truthfinder. “We learned recently that a list, including name, email, telephone number in some instances, as well as securely encrypted passwords and expired and inactive password reset tokens, of TruthFinder subscribers was being discussed and made available in an online forum,” the PeopleConnect said in its initial advisories about the breach.
In an update in March, the company said that “Password field was not in readable form, and these were hashed and encrypted using the ‘scrypt’ algorithm.” Additionally, “the data was stolen or acquired from a cloud storage location maintained and used only by a former service provider with whom we worked during 2019.”
Number of individuals impacted: 37 million
Wireless giant T-Mobile revealed in January that it was actively investigating a data breach that has potentially affected 37 million user accounts. The company said it first identified malicious activity on January 5 when it noticed that a “bad actor” obtained data through a single API without authorization. The breach was contained within a day and no sensitive data, such as customer financial information, was compromised, according to T-Mobile in a filing with the U.S. Securities and Exchange Commission.
The breach, which the company believed began on or around November 25, did surface some “basic customer information,” including names, billing addresses, emails and phone numbers, according to T-Mobile. The carrier added that its systems and policies prevented the most sensitive types of customer information from being accessed.
“No information was obtained for impacted customers that would compromise the safety of customer accounts or finances,” T-Mobile said in the filing.