The Breaches Pile Up

For anyone in the world of cyber defense or incident response who was hoping to have a slow summer, it’s not looking good. As just one indicator, the number of victims of the MOVEit cyberattack campaign — in which the Russian-speaking cybercriminal group Clop has targeted organizations using Progress’ MOVEit file transfer tool — continues to grow by the day. And some of the confirmed attacks have been known to have a major impact on users’ personal data: Three of the data breaches associated with the MOVEit attacks rank among the 10 biggest data breaches from the first half of 2023, based on the number of impacted individuals in the breaches, according to the nonprofit Identity Theft Resource Center.

[Related: 8 Tech And IT Companies Targeted In The MOVEit Attacks]

And this may only be the tip of the iceberg, since only 11 of the 148 affected organizations so far have actually disclosed the number of impacted individuals, according to Emsisoft threat analyst Brett Callow. In other words, there may be a lot more fallout to come.

In all, the 10 biggest data breaches from the first half of 2023 have impacted a combined 104 million individuals in total, according to data provided by the Identity Theft Resource Center to CRN. Notably, a number of high-profile breaches with broad impacts did not make the top 10, including the wave of attacks that exploited Fortra’s GoAnywhere file transfer platform earlier this year. For instance, the largest incident from the GoAnywhere campaign — the hack of healthcare benefits and technology firm NationsBenefits — did not rank among the 10 biggest data breaches of the first six months of the year despite the fact that 3 million members were impacted.

Clop has been behind both the GoAnywhere and MOVEit campaigns, security researchers say. And it’s no coincidence that both tools are used for managed file transfers. The technologies enable the ingestion of large volumes of data that can then be moved from point to point, making them an appealing target for data thieves, said Chris Pierson, CEO of BlackCloak and a former member of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee .

The fact that the MOVEit campaign has not included encryption of data, as in traditional ransomware attacks, is another key development. As CrowdStrike Head of Intelligence Adam Meyers told CRN earlier this year, many cybercriminals are finding that data extortion attacks are easier and more profitable than ransomware. In the MOVEit campaign, victims are being pressured to pay the hackers in order to be spared from having their data leaked online — rather than to decrypt their data. While “extortion-only” attacks have been found to be less likely to impact smaller businesses, larger organizations should take note of the shift away from traditional ransomware attacks, since it means that simply having data backups may no longer suffice when dealing with cybercriminal groups such as Clop.

The Identity Theft Resource Center provided CRN with information on the 10 largest data breaches in 2023, as of June 26, by number of impacted individuals. (CRN has supplemented the findings with information from breaches that have come to light in recent days.)

What follows are the details on the 10 biggest data breaches of 2023 so far.