Cybercrime is expected to become a $10-trillion-a-year industry by 2025, and the outgoing year proved to be another bumper crop year for cyberattacks, hacks, and data breaches.
Red Cross Hack Attack
In mid-January, the International Committee of the Red Cross discovered that it had suffered a massive data breach affecting some 515,000 people across dozens of Red Cross and Red Crescent societies. The attackers targeted a Swiss company contracted to store the data. ICRC data protection chief Massimo Marelli said the attack, which was actually carried out in late 2021, was sophisticated enough to have been carried out by a state or “state-like” actor, but did not elaborate. Nearly a year on, no motive for the hack attack has been given, and it is unknown whether any of the hacked data has been publicly leaked.
Credit Suisse Data Security Full of Holes
In February, a whistleblower leaked info related to the accounts of over 18,000 clients of Swiss banking giant Credit Suisse online, exposing suspected money laundering and other illegal activities by politicians, businessmen, and criminal gangs. The incident exposed damaging information which Credit Suisse would otherwise have liked to keep under wraps. The bank denied any and all “allegations and inferences about” its purportedly illegal business practices.
Lapsus$ Rears Its Ugly Head
After its first successful foray into malicious hacking via the 2021 breach of Brazil’s Ministry of Health, international extortion-focused hacking group Lapsus$ began making global headlines in 2022, starting off with the breach of video card maker Nvidia in March. Hackers made off with info on over 71,000 employees, and a terabyte of data on advanced graphical processors, software certificates, and source code.
The Nvidia hack was just the start, and Lapsus$ would continue to terrorize the business world throughout the rest of the year, launching a string of attacks targeting Samsung, Apple, Ubisoft, T-Mobile, Microsoft, Uber, and Rockstar Games. The last of the attacks was alleged to have led to the leaking of footage and game source code on the company’s upcoming iteration of Grand Theft Auto – the popular open-world crime simulator. T0xic, the alias of the hacker believed responsible for the GTA hack, got busted by UK police in October.
Government Records Stolen
In late March, the Texas Department of Insurance was subjected to a “data security event” which saw the pilfering of the data of over 1.8 million people – including names, addresses, birthdays, telephone numbers, social security numbers, and other information. In March, the Department of Education revealed that the information of 820,000 students had been pilfered by hackers. Texas’ Department of Transportation suffered a smaller breach in May, which leaked the personal info of 7,000 people.
Big Data, Big Breach
Also in late March, US media revealed that US tech giants Apple and Meta* had somehow provided user data to hackers posing as law enforcement officials. The embarrassing incidents reportedly occurred after hackers forged emergency data requests, prompting the companies to hand over users’ IP addresses, home addresses, and telephone numbers. The hack was thought to have been carried out by a group of cybercriminals going by the handle Recursion Team, with members based in the UK and the US.
Cash App
8.2 million US customers of the mobile payment service Cash App got a rude surprise in April after the company informed them that it had been hacked and their private data breached.
What Did Costa Rica Ever Do to You?
In mid-April, the Costa Rican government was subjected to a hellish hack attack targeting everything from the Ministry of Finance and social security fund to the national meteorological institute and the administrative board of the municipal electricity service of Cartago. Over two dozen organizations were targeted in all, with the infamous ransomware hacker group Conti demanding $10 million in exchange for keeping the info private. Hive Ransomware Group, another criminal hacking operation, piled onto the hack attack in May. The cyberattacks led authorities to declare a national emergency, and wreaked havoc on the country’s administration and economy, with authorities unable to determine proper taxation, customs, the execution of the budget, payments of salaries, etc. The chaos, which left some government employees unpaid, sparked protests, with Conti adding fuel to the fire by encouraging Costa Ricans to overthrow their government.
Vulnerable VPNs
In May, major companies providing virtual private network services reported that they had been breached, with hackers stealing information on some 21 million users and leaking it online. The affected services included ChatVPN, GeckoVPN, and SuperVPN.
Big Risk, Tiny Reward
The same month, hackers announced that they had made off with a 160 GB database containing the personal information of over 22.5 million Malaysians. Their demand? A paltry $10,000 in Bitcoin. Why such a small amount? Did the Malaysian government pay? We may never know.
Shields Down
In June, it emerged that US medical products, MRI diagnostic imaging, radiation oncology, and insurance provider Shields Healthcare had been hacked, with cybercriminals making off with the sensitive data of over two million customers, and experts expressing concerns that the information would be sold and used for extortion, phishing, scamming, and other schemes. The company is now facing a class action lawsuit for its alleged negligence in the security of the information.
Big Bank Breach
Also in June, Flagstar Bank, a Michigan-headquartered banking group priding itself on being one of the largest residential mortgage services in the United States, informed customers that as many as 1.5 million of them had had their private information leaked online. The company assured that it “promptly took steps to secure its environment and investigate the incident,” and apologized to customers “for any inconvenience this may have caused you.” Clients apparently didn’t think an apology was sufficient, and have filed two lawsuits in connection with the incident.
Really Private Data
In July, Infinity Rehab and Avamere Health Services, a pair of Oregon-based health service providers, informed the US Department of Health and Human Services that nearly 400,000 of their patients’ records had been stolen in a hack attack. The breach, which impacted nearly 100 healthcare providers, sparked a class action lawsuit.
Neopets Hacked, But Who Cares?
The same month, Neopets, a popular virtual pet website, had the data of some 69 million of its users put on sale on a hackers’ forum. The data included email addresses, passwords, zip codes, and other personal information, and the hacker offered to sell it for four bitcoins (about $90,000 at the time). The utility of the personal information of 69 million Neopets users is difficult to fathom.
Twitter Thwumped
Before the drama surrounding Twitter’s takeover by Elon Musk took over media headlines in the fall, the main story about the social media giant in 2022 was related to the breach and leak of the information of over 5.4 million user accounts, including private phone numbers and email addresses. The data had been painstakingly collected over months and put on sale on a forum, and included details of celebrities, companies, and other high profile individuals and organizations.
Uber Boob-er
In late July 2022, rideshare giant Uber was revealed to have paid hackers $100,000 to cover up a data breach which affected over 57 million riders and drivers way back in 2016. The company took flak for its actions, and for sitting on the information about the payoff for so many years, but has not faced any legal repercussions thus far.
Student Loan Info Breach
In late August, cyber bandits made off with the private information of 2.5 million student loan applicants after breaching Nelnet, a tech company servicing EdFinancial and the Oklahoma Student Loan Authority. Hackers got their hands on clients’ full names, addresses, emails, phone numbers, and social security numbers, but not account numbers or payment information. Lawyers are mulling a class action lawsuit.
FishPig Server Breach
In mid-September, UK-based e-commerce software maker FishPig, used by over 200,000 websites, urgently asked customers to immediately update their extensions after discovering a massive exploit in its distribution server – which allowed hackers backdoor entry into websites and other systems. It’s unclear how many users have been affected.
Largest Hack in Australian History
Also in September, Australian telecommunications company Optus reported a data breach of an unprecedented scale, and fears that a state actor may have been involved in the hacking of the data of nearly 11 million customers. A hacker published samples of the stolen data on a forum and demanded $1 million US in cryptocurrency, threatening to sell the data off in chunks if snubbed.
Data of Shopaholics, Alcoholics Breached
In less than two weeks in mid-to-late October, media reports revealed that the customer data of major Australian online marketplace MyDeal, wine dealer Vinomofo, and health insurance company Medibank had been breached, with the attacks affecting 2.2 million, 500,000, and 9.7 million accounts, respectively.
Air Asia Fiasco
In November, Malaysian low-cost airline AirAsia suffered a ransomware attack, with the personal info of five million people, including passengers and employees, pilfered. Malaysian authorities have launched an investigation into the incident.
Twitter, Again?
Last week, a Telegram forum user named Ryushi claimed to have “scraped” the private data of over 400 million Twitter accounts, including email and phone numbers, via a vulnerability, and demanded $200,000 for the info, pointing out that the payoff would be just a drop in the bucket compared to the $276 million the company would have to pay European regulators as a fine for the breach. To prove they were serious, the hacker included the private data of over three dozen celebrities, including Donald Trump Jr., Alexandria Ocasio-Cortez, and journalist Piers Morgan.
Tech outlets and cyber security specialists have verified that at least some of the claims made by Ryushi seem to be legitimate and the threats credible. If the hacker’s demands aren’t met, the massive trove of information may be sold for use in phishing, crypto scams, and doxxing.
25 December 2022, 08:35 GMT
Cyberwarfare Accompanying Real-World Warfare
Throughout the past year, Russian state institutions, corporations, and media have reported an unprecedented uptick in attempted hacks, DDoS attacks, and other forms of cyber malevolence from Ukraine, its allies, and "hacktivists." Russian hackers have given back as good as Russia’s gotten, leaking the personal data of Lockheed Martin employees, revealing US involvement in suspected war crimes, and unmasking Ukrainian cyber warriors’ personal info. However, the Russian state maintains that it has no plans to become involved in the cyber-mischief, with the Kremlin saying in March that unlike Western countries, Moscow “does not engage in banditry at the state level.”
* Meta (Facebook and Instagram) is designated as an extremist organization in Russia and banned.