41.9 million records compromised in cyber attacks in March 2023
April 11, 2023
Estimating the number of records accessed or otherwise compromised by data breaches is a fraught business. In the United States, Canada, the United Kingdom, Europe and Australia, which have mandatory data breach notification laws and media with an interest in data breaches, it is possible to assemble some reasonable statistics about cyber attacks. There is some data available from Latin America and the more advanced economies of Asia, the Middle East and Africa. As for the rest, information is spotty and often unreliable. IT Governance has calculated that in March alone there were 100 publicly disclosed cyber attacks, which affected 41,970,182 records. These figures should be regarded as an understatement of the worldwide number of breaches in March. Given the volume of data breaches, it is also fair to surmise that the breaches reported to the Australian Information Commissioner are also an understatement of the number and extent of those breaches.
According to IT Governance, the biggest of these data breaches were:
- Latitude Financial
The largest confirmed data breach of March 2023 occurred at Latitude Financial, with more than 14 million records being compromised.
The Melbourne-based company, which provides personal loans and credit cards to people in Australia and New Zealand, reported that cyber criminals had captured several different types of data.
Almost 8 million drivers licences were stolen, along with 53,000 passport numbers and dozens of monthly financial statements.
An additional 6 million records dating back to “at least 2005” were also compromised in the attack, the source of which is not yet known.
The most concerning aspect of this breach is that Latitude Financial originally reported that only 300,000 people had been affected. This suggests that it had a poor understanding of the attack and rushed to disclose the breach.
Having to then update its estimate invites further public scrutiny of the attack and could see customers lose faith in the company.
Most of us are aware by now that data breaches can occur anywhere, so falling victim to an attack isn’t necessarily a sign of ineffective security measures. However, a mismanaged response suggests that an organisation isn’t prepared for an attack, and it bodes poorly for ongoing remediation efforts.
- GoAnywhere
A vulnerability in the file transfer service GoAnywhere has enabled cyber criminals to exploit dozens of organisations that use the tech. Details of the sprawling attack continue to emerge, with some reports estimating that as many as 130 organisations have been targeted.
Until recently, these details were coming from GoAnywhere or its parent company, Fortra, but individual victims.
Organisations that are confirmed to have been targeted include Hatch Bank, the City of Toronto, the cyber security company Rubrik and Hitachi Energy. In each case, the victim has reported that it was breached through the GoAnywhere MFT remote code execution vulnerability.
The attacks have been attributed to the Clop ransomware gang, but coverage of their activity is not consistent with traditional ransomware attacks. Reports suggest that the group is stealing the data rather than encrypting the organisations’ systems and holding them to ransom.
Regardless of the specific techniques being used, it’s likely that millions of sensitive data records have been compromised – although few victims have listed specific figures.
- AT&T
AT&T has notified approximately 9 million customers that their personal data has been exposed in a data breach.
The telecoms giant said that the breached records include people’s names, wireless account numbers, phone numbers and email addresses. It’s confident that more sensitive data, such as payment card numbers, Social Security numbers and passwords, have not been affected.
However, AT&T conceded that, in “a small percentage” of cases, customers’ rate plan name, past due amounts, monthly payment amounts and other account data was affected, although it said that the information was “several years old”.
AT&T was eager to note that the breach related to a vendor and that its own systems had not been compromised. It didn’t name the vendor.