It’s all in the (lack of) details: 2022’s badly handled data breaches
Data breach can cause serious damage to organizations of all sizes. But it’s how they react to the incident which can make the difference. While we’ve seen some excellent examples of how companies should respond to data breaches over the past year — kudos to Red Cross and Amnesty for their transparency — 2022 has been a year-long lesson in how not to respond to a data breach.
Here’s a look back at the worst data breaches of this year.
Chipmaker giant Nvidia confirmed it was investigating a so-called “cyber incident” in February, which it later confirmed was a data extortion event. TechCrunch pressed Nvidia for more information about the incident. The company declined to disclose any details, including how it was compromised or what data was stolen.
While Nvidia was tight-lipped about the breach, the now-notorious Lapsus$ group quickly claimed responsibility and claimed it had stolen one terabyte worth of information. This included “highly confidential” data as well as proprietary source code. According to data breach monitoring website Have I Been Pwned, the hackers stole the credentials of more than 71,000 Nvidia employees, including email addresses and Windows password hashes.
In August DoorDash approached TechCrunch to offer to report exclusively on a data security breach that exposed DoorDash customers personal data . It is not common to be notified of an undisclosed breach prior to it being announced. However, it was a strange thing to have the company decline almost all questions about the news.
The food delivery company confirmed to TechCrunch the fact that hackers had accessed the names, addresses, and phone numbers of DoorDash customers along with partial payment card information. It also confirmed that for DoorDash delivery drivers, or Dashers, hackers accessed data that “primarily included name and phone number or email address.”
However, DoorDash declined the opportunity to tell TechCrunch how many users were impacted by the incident or how many it has. TechCrunch also asked DoorDash if it believed the breach was caused or caused by a third party vendor. However, it declined to name the vendor and did not say when it discovered it was compromised.
Hours before a long July 4 holiday, Samsung quietly dropped notice that its U.S. systems were breached weeks earlier and that hackers had stolen customers’ personal information. Samsung’s bare-bones breach notice confirmed that unspecified “demographic data” was also stolen. This likely included customers’ exact geolocation data and browsing data from their Samsung phones and smart TVs.
Because that was Samsung’s priority, obviously.
Fintech startup Revolut in September confirmed it was hit by a “highly targeted cyberattack,” and told TechCrunch at the time that an “unauthorized third party” had obtained access to the details of a small percentage (0. 16%) of customers “for a short period of time.”
However, Revolut wouldn’t say exactly how many customers were affected. Its website says the company has approximately 20 million customers; 0. 16% would translate to about 32,000 customers. However, according to Revolut’s breach disclosure, the company says 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area and 379 Lithuanian citizens.
The company declined to disclose the types of data that were accessed.
The company also declined to say what types of data were accessed.
NHS supplier Advanced
Advanced, an IT service provider for the U.K.’s NHS, confirmed in October that attackers stole data from its systems during an August ransomware attack. The ransomware attack in August caused the downtime of many services at the organization, including Adastra, which aids non-emergency call handlers to dispatch ambulances and allows doctors to access patient records. Carenotes is used by mental healthcare trusts for patient information.
While Advanced shared with TechCrunch that its incident responders — Microsoft and Mandiant — had identified LockBit 3.0 as the malware used in the attack, the company declined to say whether patient data had been accessed. Although Advanced acknowledged that some data relating to more than a dozen NHS trusts had been “copied and exfiltrated”, the company refused to give details about how many patients could have been affected or what data types were stolen.
Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside our control and “the likelihood of harm to individuals is low.” When reached by TechCrunch, Advanced chief operating officer Simon Short declined to say if patient data is affected or whether Advanced has the technical means, such as logs, to detect if data was exfiltrated.
In October, U.S. messaging giant Twilio confirmed it was hit by a second breach that saw cybercriminals access customer contact information. News of the breach, which was carried out by the same “0ktapus” hackers that compromised Twilio in August, was buried in an update to a lengthy incident report and contained few details about the nature of the breach and the impact on customers.
Laurelle Remzi, spokesperson for
Twilio, declined to confirm the number customers affected by the June breach and share a copy the notice the company claims it sent to those affected. Remzi declined to comment on why Twilio took so long to disclose the incident.
Enterprise cloud computing giant Rackspace was hit by a ransomware attack on December 2, leaving thousands of customers worldwide without access to their data, including archived email, contacts and calendar items. Rackspace was widely criticized for its lack of information and failure to address the issue.
In one of Rackspace’s first updates published on December 6, Rackspace stated that it was still not certain “what, if anything, was affected” and that it would notify customers if it did.
And finally, but by no means the least: The beleaguered password manager giant LastPass confirmed three days before Christmas that hackers had stolen the keys to its kingdom and exfiltrated customers’ encrypted password vaults weeks earlier. The breach is about as damaging as it gets for the 33 million customers who use LastPass, whose encrypted password vaults are only as secure as the customer master passwords used to lock them.
But LastPass’ handling of the breach drew a swift rebuke and fierce criticism from the security community, not least because LastPass said that there was no action for customers to take. Yet, based on a parsed read of its data breach notice, LastPass knew that customers’ encrypted password vaults could have been stolen as early as November after the company confirmed its cloud storage was accessed using a set of employee’s cloud storage keys stolen during an earlier breach in August but which the company hadn’t revoked.
The fault and blame is squarely with LastPass for its breach, but its handling was egregiously bad form. Will the company survive? Maybe. LastPass’s atrocious handling regarding its data breach has cemented its reputation.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.