Top 5 Data Breaches of 2022
This year has been host to millions of exposed sensitive data records through major data breaches. In fact, Statista reports that “approximately 15 million data records were exposed worldwide” from data breaches in 2022 Q3 alone, an increase of 37% from Q2. The number of worldwide data breaches has roughly grown along with the increase in technology usage over the past few decades, with a large spike in 2020.
Let’s review the five largest data breaches of 2022, what they could have done better, and how to prevent cyber criminals from breaching data with improved cybersecurity and data privacy measures.
Red Cross Data Breach | January 2022
The first major sensitive data breach of the year took place on Jan. 19, 2022, when the International Committee of the Red Cross, also known simply as the Red Cross, was the victim of a sophisticated and targeted attack on their servers in Switzerland. It was estimated that 515,000+ had their data breached in the attack, including “those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention,” according to the Red Cross’ news release. As a provider of humanitarian services, the organization was most concerned about the data of vulnerable people being exposed.
"An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure," Robert Mardini, ICRC's director-general, said in the initial release. “We are all appalled and perplexed that this humanitarian information would be targeted and compromised.” The Red Cross made an appeal to speak with the attackers accessing data directly, but as of the end of 2022 the perpetrators had still not been identified.
Ronan Crypto Data Breach | March 2022
On March 23, 2022, Ronin Network, a cryptocurrency and NFT games company, was attacked when a hacker drained $540 million worth of cryptocurrency from users. The hacker found a security vulnerability that allowed the individual(s) to gain access and steal this money in the form of digital coins won by players of the network’s game Axie Infinity. Alarmingly, it took six days for Ronin Network to notice that the cryptocurrency was missing, and in that time, the value rose even higher to $615 million.
This hack is said to be the largest decentralized finance (DeFi) attack of all time. Thankfully, by the next month, customers were partially reimbursed with a cash injection from Binance, the world’s largest bitcoin and altcoin exchange by volume. In an April article, a Ronin Network spokeswoman said that they were working with law enforcement to identify the hacker(s) and recover the remaining crypto stolen, but the individual(s) were able to mask their identities by converting funds and using sanctioned privacy mixers.
Cash App Data Breach | April 2022
More than 8 million Cash App users were affected by a data breach announced on April 4, 2022 after it was discovered that a former Cash App employee downloaded sensitive information reports in December 2021. Although the data breach did not include usernames, passwords, or bank account information, the report did include other sensitive data like full names and brokerage account information, which were used to monitor and identify stock activity in the Investing feature of Cash App.
The breach was seemingly downplayed because the information stolen wasn’t very dangerous on its own, but the information could have been leveraged to target and attack specific users further. This data discovery resulted in a recently-filed class action lawsuit that accuses Cash App of negligence, citing that the breach occurred in December 2021 and wasn’t reported until four months later. The lawsuit also acknowledged Cash App’s security vulnerabilities, including the fact that an ex-employee still had access to records after he was no longer employed with Cash App.
Microsoft Data Breach | September 2022
On Sept. 24, 2022, a security threat intelligence firm SOCRadar notified tech giant Microsoft of a data leak that occurred because of a misconfigured Microsoft server. More than 65,000 companies from 111 countries had valuable data exposed, dated from 2017 to August 2022, such as names, email addresses, email content, company name, and phone numbers. According to the SOCRadata analysis, the security vulnerabilities exposed data included upwards of “335,000 emails, 133,000 projects, and 548,000 exposed users within the leaks so far.”
Microsoft informed affected users of the data loss, but it also condemned the decision of SOCRadar to set up an online portal that searches for data leaks across the web because of the impact it could have on Microsoft customer privacy. SOCRadar’s built-in Cloud Security Module regularly monitors public cloud buckets to search for and detect customer data breaches.
Shein Data Breach | Fined in October 2022
In 2018, Zoetop, the parent company of fast-fashion site Shein, was targeted by hackers and 39 million user accounts had their login details stolen. In October of 2022, Zoetop was fined $1.9 million due to the way it handled the critical data attack. Confidential information included names, email addresses, passwords, and credit card information, which was then sold online by the hackers.
Although Zoetop and Shein now claim that they have taken "significant steps" to improve their security measures to protect data, Zoetop lied about the number of accounts affected by the breach. Zoetop also initially notified only a small fraction of the customers who had their sensitive information hacked and stolen.
Several hundred thousand of the affected customers were New York residents, which resulted in a fine placed on Shein and Zoetop by New York Attorney General Letitia James. In an October 2022 statement, Shein said, “We have fully cooperated with the New York Attorney General and are pleased to have resolved this matter. Protecting our customers’ data and maintaining their trust is a top priority, especially with ongoing cyber threats posed to businesses around the world.”
How to Teach Data Privacy in the Workplace
If your company maintains any sensitive data for your customers or clients, it is important that your employees understand how to keep that information secure to prevent data breaches. Instill an understanding of data security in your workforce with EasyLlama’s high-quality and engaging training that explores key trends in data protection.
Our online Data Privacy And Cybersecurity suite of courses can help prepare employees to be more aware of online risks as well as essential security practices for protecting your organization’s data, with topics including HIPAA, Ransomware, GDPR, Social Engineering, CCPA, and much more. Sign up for your free preview today to learn more about our best-in-class, interactive courses.