Rising rampage of data breaches: key findings, statistics and latest breaches

Despite the increase in available cybersecurity solutions, successful data breaches still continue to grow annually. Several factors might explain why, but major contributors are likely poor data encryption policies and insufficient anti-malware solutions. And Australians face these costly attacks every eight minutes, according to the Annual Cyber Threat Report 2022 (ACSC).

According to a study in the 2022 Cost of a Data Breach Report by IBM, organisations are experiencing a greater frequency of data breaches – and each breach is getting more expensive. Reaching an all-time high, the cost of a data breach averaged USD 4.35 million in 2022, representing a 2.6% increase from 2021. Some of the types of breaches experienced by organisations were due to ransomware attacks, supply chain attacks, human error, IT failure and other malicious software attacks.

Despite an estimated $150 billion spent in 2022, with projections of $1.75 trillion by 2025 in cyber security, cyber threats continue to rise. Crucially, the healthcare industry isn’t even among the top five industries most targeted. After the pandemic, organisations have introduced remote and hybrid work environments. Many processes and security practices have not been designed for this new digital landscape, making it harder for organisations to effectively scale protections against new cyber threats.

Scams and fraud have increased since December 2022, which includes cyber-crime like hacking, identity theft, phishing and more. As technology advances, cyber-criminals come up with new ways to infiltrate your network and security systems. As a result, data breaches will probably remain a risk for individuals and organisations throughout 2023 and beyond.

The Notifiable Data Breaches Report 2022 highlights that several large-scale data breaches impacted millions of Australians' personal information. There was also a 26% increase in breaches overall. This included information like individuals’ names, home addresses, phone numbers, email addresses and other sensitive data like passport details and driver’s licence details.

When it comes to mitigating the risk of harm stemming from a cyber attack, one of the most crucial factors is the time it takes for organisations to respond to a data breach. It’s best practice for organisations to monitor and promptly detect system faults, which can indicate hardware malfunctions or software settings errors.

Ransomware and associated extortion threats, espionage and fraud have become a significant threat to Australian organisations. Ransomware is one of the most common – and successful – types of attack, resulting in major risks to customer and business data.

Malicious or criminal attacks were the main source of data breaches across all industries mentioned above, followed by human error and system faults.

A zero-trust model is a security framework that assumes that every user, device, or application that requests access to a company's resources or data is a potential threat, and should not be automatically trusted. This model requires continuous verification of the identity and context of the user, device, or application before granting access, potentially protecting data and resources by limiting their accessibility and requiring context.

To combat data breaches caused by compromised login credentials, leaders can look to password policies that require complex passwords and regular updates, along with two-factor authentication (2FA) or multi factor authentication (MFA) to add an extra layer of security. Policies should also conduct regular audits for user accounts and account privileges.

Date of breach: 30 January 2023 Number of users affected: 10 million customers In an official statement released on 30 January, JD Sports were hit with a cyber attack that leaked 10 million customers’ personal data, including individual names, order details and contact information. According to the sports giant, the attack involved “unauthorised access” to a network that contained billing addresses, delivery addresses, email addresses, phone numbers and more. Chief financial officer Niel Greenhalgh said, “We want to apologise to those customers who may have been affected by this incident. We are continuing with a full review of our cybersecurity in partnership with external specialists following this incident.” At this point, the root cause of the JD Sports breach isn’t yet publicly available.

Date of breach: 3 February 2023 Number of users affected: To be confirmed Hitachi Energy has confirmed that it suffered a data breach after the famous Clop ransomware group stole sensitive data using a GoAnywhere vulnerability. In a press statement, Hitachi revealed that the company “recently learned that a third-party software provider, Fortra’s GoAnywhere MFT (managed file transfer), was the victim of an attack by the CLOP ransomware group that could have resulted in an unauthorised access to employee data in some countries.” GoAnywhere is a file-transferring platform used by organisations across Australia. Recently, a zero-day vulnerability was discovered in this software. This means that there is a security hole in the software that nobody knew about before – not even the developers who made the software. This security vulnerability could allow cyber-criminals to access sensitive information transferred through the software, like passwords or financial data.

Date of breach: 23 February 2023 Number of users affected: 1.5 million customers The Good Guys has said it only recently became aware of the data breach, which is believed to have occurred back in August 2021. The February breach stems from the third-party provider Pegasus Group Australia, also known as My Rewards. Since the breach, The Good Guys emphasised that it no longer uses the services of Pegasus Group. They revealed that 1.5 million “Concierge” members – who were part of The Good Guys rewards systems – had their data exposed, including names, addresses, phone numbers and email addresses.

Date of breach: 16 March 2023 Number of users affected: 14 million customers The Australian financial services giant Latitude Financial suffered a large-scale data breach that affected more than 14 million customers. The breach occurred after a malicious attack originating from a vendor used by Latitude Financial. Malicious actors have stolen the confidential information of 328,000 customers, including confirmed copies of passports, passport numbers and Medicare numbers. Latitude first discovered the breach when they detected unusual activity on the company’s network systems. This malicious intrusion resulted in data theft affecting past and present customers across Australia and New Zealand. The cyber attack was reported and investigated by the Australian Federal Police (AFP), though details about the extent of the attack are still being revealed as of the publication of this article. In April 2023, the business received a ransom demand but has stated it will not pay due to a lack of assurances and a reticence toward incentivising future ransomware attacks.

Date of breach: 20 March 2023 Number of users affected: 3,700 customers Service NSW experienced technical issues that led to the unintentional exposure of users' data. The software bug resulted in the “My Services” dashboard temporarily allowing users to view confidential data, such as driver’s licences, vehicle registration, various vouchers, senior cards and conveyancing licences. A Service NSW spokesperson said, “We believe that any personal information available through your linked services was only available to other logged-in users for a short period and was not searchable.” Software bugs can occur for several reasons such as human error from software developers, miscommunication from programmers, and hardware or environmental issues. This type of breach illustrates that not all data exposure comes from coordinated malicious attacks – even old-fashioned human error can compromise data confidentiality.

Date of the breach: 23 March 2023 Number of users affected: Estimated 1,000,000 employees Much like the Hitachi Energy data breach, the Rio Tinto stolen data incident relates to an attack on GoAnywhere, a managed file transfer (MFT) software. And, similar to the Optus and Medibank data breaches, cyber-criminals are known to use data theft of these organisations to continue to conduct further criminal activities. The information stolen from Rio Tinto included payroll information like payslips and overpayment letters of a small amount of staff affected. According to Rio Tinto, their secure cyber networks were breached via a cloud-based supplier. As we’ve seen from recent cyber-crime statistics, ransomware attacks have been growing in scale and frequency. One of the most noteworthy types of malicious software in recent years has been the Clop ransomware. This ransomware was responsible for the cyberattack on the Accellion file transfer application, which had a far-reaching impact across the world. It affected organisations such as NSW Health, the Australian Securities and Investments Commission, the law firm Allens, and the Reserve Bank of New Zealand.

Date of the breach: 13 March 2023 Number of users affected: Small portion of individuals IPH Limited, an international intellectual property services group, announced on Monday that it had discovered unauthorized access to a segment of its IT environment. The exposed documents contained data pertaining to a limited number of clients of Spruson & Ferguson Lawyers, as well as some historical financial and corporate information. A thorough forensic investigation, carried out by cybersecurity and forensic IT advisors, revealed that the data breach occurred when scammers gained entry into the document management system via third-party systems. These systems involved Spruson & Ferguson (Australia) and Griffith Hack, along with the practice management systems (PMS). As a result of this incident, the Sydney-based firm estimates incurring non-underlying costs of approximately A$2 million to A$2.5 million for the year 2023. Since the occurrence of the breach on April 17, 2023, the company has implemented new network infrastructure following a meticulous restoration process.

Date of breach: 2 April 2023 Number of users affected:  Yet to be confirmed On Good Friday of 2023, the Tasmanian government reported 16,000 documents had been compromised online after cyber-criminals gained access to data from the Department of Education, Children and Young People through the third-party file transfer service GoAnywhere MFT. Much like the Hitachi Energy data breach, the cyber attack happened through the same vector. The information revealed included the names of children, addresses, invoices, bank account numbers and service providers. Unfortunately, the documents were revealed on the dark web, according to The Guardian. Madeleine Oglivie, Minister for Science and Technology continues to provide further updates on the cyber investigation.

Date of breach: 4 April 2023 Number of users affected: 2,224 students TAFE SA has revealed a data breach that was discovered when SA police found scanned copies of student identification forms in an unrelated operation. A total of 2,224 records were exposed, including the TAFE SA student ID number, course details, full names, date of birth, physical addresses and copies of driver’s licences and passports. It is still unclear who is behind the data breach. After the breach occurred, TAFE SA emailed all impacted students to notify them of the incident and advised the support available. For more information about the breach, visit the TAFE SA data breach webpage.

Fully deployed security AI and automation refers to using advanced technology to improve the security measures of a company. This includes using algorithms and automation to analyse large amounts of data and identify potential security threats. By doing this, IT teams can focus on more complex issues, which ultimately helps the company respond more quickly and effectively to security incidents.

According to the IBM study, it took organisations with XDR technologies 29 days to identify and contain a data breach, faster than those without XDR. XDR, known as extended detection and response, is a SaaS-based security threat detection and incident response solution that collects threat data from previously siloed security tools across an organisation’s technology stack.

In the 2023 Cybersecurity Outlook research, more than half of organisation leaders in industries that provide or make heavy use of technology services reported they have the skills needed today. In contrast, those that were missing critical people and skills noted that they were lacking specialised skills in critical infrastructure.

It’s critical to the organisation’s success in cybersecurity that senior leaders take a proactive approach to cyber disruption. Taking a proactive approach allows organisations to protect themselves against financial loss, maintain business continuity and enhance their cybersecurity posture. By continually identifying and mitigating cyber risks, businesses are much more efficient in mitigating the risk.

Globally, organisations have started to pay more attention to their cybersecurity due to the significant growth in cybercrime. The rise of cyber-crime has led to an increase in the frequency and severity of cyber attacks, which can cause significant financial losses, disrupt business operations, and damage the reputation of the organisation.

One of the primary responsibilities of a Chief Information Security Officer (CISO) is to effectively communicate the potential business impact of a security breach and emphasise the importance of prioritising cybersecurity throughout the organisation. This requires strong communication skills and the ability to convey complex technical information in a way that’s easily understood by stakeholders.

Both Australia and South Korea excel in providing training to all employees within their organisations, surpassing the global average. However, since cyber-criminals are constantly seeking new ways to infiltrate targeted organisations, it’s important that every employee participates in ongoing, periodic security awareness programs.

Two third-party Facebook app developers found the records sitting in Amazon Web Services and posted them on a hacker site. These records were stored by Facebook partners and didn’t contain any sensitive information.

Yahoo affirmed that two major data breaches revealed in 2016 exposed sensitive information such as phone numbers, security question answers and hashed passwords. Yahoo faced a number of class action lawsuits and Congressional investigations following these data breaches.

Equifax was slammed for an allegedly poor security posture and incident response following the breach. They also faced heavy criticism and accusations after a number of executives sold Equifax stock.

A sample of the data was posted on an unnamed internet forum with a price of $5,000 for the full dataset. The company said, "this was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed". Data-impacting incidents still, however, pose a real and serious risk. Stolen data can be used to commit further fraudulent activities from cyber-criminals.

As one of the top hotel providers for the US government and military, Marriott’s data breach posed considerable security risks – customer movements around the world could be tracked for criminal activity. While the breach occurred in 2014, it wasn’t discovered until 2018 and resulted in Marriott getting slapped with a $24 million fine.

Personal information such as email addresses, names and passwords were all compromised. Passwords stolen were all hashed with the BCrypt Algorithm, widely considered to be the most secure hashing algorithm. However, Canva still encouraged all users to reset their passwords as a precaution.

Two hackers accessed a private coding site used by Uber software engineers and used it to obtain login credentials, allowing them to find an archive of driver and rider data. After the information was stolen, the hackers then asked Uber for a ransom to which $100,000 was paid.

Marketed as an “extramarital” website, the consequences of Ashley Madison’s breach were catastrophic. Details of US military and government personnel were among those that were leaked on the dark web. Suicides were also reported.