For the past few years, TechCrunch has looked back at some of the worst, poorly handled data breaches and security incidents in the hope — maybe! — other corporate giants would take heed and avoid making some of the same calamities of years past.
To absolutely nobody’s surprise, here we are again this year listing much of the same bad behavior from an entirely new batch of companies — plus, some bonus (dis)honorable mentions from the year that you might’ve missed.
23andMe blamed users for its massive data breach
Last year, genetic testing giant 23andMe lost the genetic and ancestry data on close to 7 million customers, thanks to a data breach that saw hackers brute-force access to thousands of accounts to scrape data on millions more. 23andMe belatedly rolled out multi-factor authentication, a security feature that could have prevented the account hacks.
Within days of the new year, 23andMe took to deflecting the blame for the massive data theft onto the victims, claiming that its users did not sufficiently secure their accounts. Lawyers representing the group of hundreds of 23andMe users who sued the company following the hack said the finger-pointing was “nonsensical.” U.K. and Canadian authorities soon after announced a joint investigation into 23andMe’s data breach last year.
23andMe later in the year laid off 40% of its staff as the beleaguered company faces an uncertain financial future — as does the company’s vast bank of its customers’ genetic data.
Change Healthcare took months to confirm hackers stole most of America’s health data
Change Healthcare is a healthcare tech company few had heard about until this February when a cyberattack forced the company to shut down its entire network, prompting immediate and widespread outages across the United States and grinding much of the U.S. healthcare system to a halt. Change, owned by health insurance giant UnitedHealth Group, handles billing and insurance for thousands of healthcare providers and medical practices across the U.S., processing somewhere between one-third and half of all U.S. healthcare transactions each year.
The company’s handling of the hack — triggered by a breach of a basic user account with a lack of multi-factor authentication — was criticized by Americans who couldn’t get their medications filled or hospital stays approved, affected healthcare providers who were going broke as a result of the cyberattack, and lawmakers who grilled the company’s chief executive about the hack during a May congressional hearing. Change Healthcare paid the hackers a ransom of $22 million — which the feds have long warned only helps cybercriminals profit from cyberattacks — only to have to pony up a fresh ransom to ask another hacking group to delete its stolen data.
In the end, it took until October — some seven months later — to reveal that 100 million-plus people had their private health information stolen in the cyberattack. Granted, it must have taken a while, since it was — by all accounts — the biggest healthcare data breach of the year, if not ever.
Synnovis hack disrupted U.K. healthcare services for months
The NHS suffered months of disruption this year after Synnovis, a London-based provider of pathology services, was hit by a ransomware attack in June. The attack, claimed by the Qilin ransomware group, left patients in southeast London unable to get blood tests from their doctors for more than three months, and led to the cancellation of thousands of outpatient appointments and more than 1,700 surgical procedures.
In light of the attack, which experts say could have been prevented if two-factor authentication had been in place, Unite, the U.K.’s leading trade union, announced that Synnovis staff will strike for five days in December. Unite said the incident had “an alarming impact on staff who have been forced to work extra hours and without access to essential computer systems for months while the attack has been dealt with.”
It remains unknown how many patients are affected by the incident. The Qilin ransomware group claimed to have leaked 400 GB of sensitive data allegedly stolen from Synnovis, including patient names, health system registration numbers, and descriptions of blood tests.
Snowflake customer hacks snowballed into major data breaches
Cloud computing giant Snowflake found itself this year at the center of a series of mass hacks targeting its corporate customers, like AT&T, Ticketmaster, and Santander Bank. The hackers, who were later criminally charged with the intrusions, broke in using login details stolen by malware found on the computers of employees at companies that rely on Snowflake. Because of Snowflake’s lack of mandated use of multi-factor security, the hackers were able to break into and steal vast banks of data stored by hundreds of Snowflake customers and hold the data for ransom.
Snowflake, for its part, said little about the incidents at the time, but conceded that the breaches were due to a “targeted campaign directed at users with single-factor authentication.” Snowflake subsequently rolled out multi-factor-by-default to its customers with the hope of avoiding a repeat incident.
Columbus, Ohio sued a security researcher for truthfully reporting on a ransomware attack
When the city of Columbus, Ohio reported a cyberattack over the summer, the city’s mayor Andrew Ginther moved to assure concerned residents that stolen city data was “either encrypted or corrupted,” and that it was useless to the hackers who stole it. All the while, a security researcher who tracks data breaches on the dark web for his job found evidence that the ransomware crew did in fact have access to residents’ data — at least half a million people — including their Social Security numbers and driver’s licenses, as well as arrest records, information on minors, and survivors of domestic violence. The researcher alerted journalists to the data trove.
The city successfully obtained an injunction against the researcher from sharing evidence that he found of the breach, a move seen as an effort by the city to silence the security researcher rather than remediate the breach. The city later dropped its lawsuit.
Salt Typhoon hacked phone and internet providers, thanks to a U.S. backdoor law
A 30-year-old backdoor law came back to bite this year after hackers, dubbed Salt Typhoon — one of several China-backed hacking groups laying the digital groundwork for a possible conflict with the United States — were discovered in the networks of some of the largest U.S. phone and internet companies. The hackers were found accessing the real-time calls, messages, and communications metadata of senior U.S. politicians and high-ranking officials, including presidential candidates.
The hackers reportedly broke into some of the companies’ wiretap systems, which the telcos were required to set up following the passing of the law, dubbed CALEA, in 1994. Now, thanks to the ongoing access to these systems — and the data that telecom companies store on Americans — the U.S. government is advising U.S. citizens and senior Americans to use end-to-end encrypted messaging apps so that nobody, not even the Chinese hackers, can access their private communications.
Moneygram still hasn’t said how many people had transaction data stolen in a data breach
MoneyGram, the U.S. money transfer giant with more than 50 million customers, was hit by hackers in September. The company confirmed the incident more than a week later after customers experienced days of unexplained outages, disclosing only an unspecified “cybersecurity issue.” MoneyGram didn’t say whether customer data had been taken, but the U.K.’s data protection watchdog told TechCrunch in late September that it had received a data breach report from the U.S.-based company, indicating that customer information had been stolen.
Weeks later, MoneyGram admitted that hackers had swiped customer data during the cyberattack, including Social Security numbers and government identification documents, as well as transaction information, such as dates and the amounts of each transaction. The company admitted that the hackers also stole criminal investigation information on “a limited number” of customers. MoneyGram still hasn’t said how many customers had data stolen, or how many customers it had directly notified.
Hot Topic stays mum after 57 million customer records spill online
With 57 million customers affected, the October breach of U.S. retail giant Hot Topic goes down as one of the largest-ever breaches of retail data. However, despite the massive scale of the breach, Hot Topic has not publicly confirmed the incident, nor has it alerted customers or state offices of attorneys general about the data breach. The retailer also ignored TechCrunch’s multiple requests for comment.
Breach notification site Have I Been Pwned, which obtained a copy of the breached data, alerted close to 57 million affected customers that the stolen data included their email addresses, physical addresses, phone numbers, purchases, their gender, and date of birth. The data also included partial credit card data, including credit card type, expiry date, and the last four digits of the card number.
Bonus dis(honorable) mentions:
AT&T denied a massive data breach — until it couldn’t
AT&T’s first data breach of the year saw more than 73 million customer records dumped online, three years after a hacker posted a small sample on a known cybercrime forum. AT&T persistently denied the cache belonged to the company, saying it had no evidence of a data breach. That was until a security researcher discovered that some of the encoded data found in the dataset was easy to decipher. Those unscrambled records turned out to be account passcodes, which could be used to access AT&T customer accounts. The researcher alerted TechCrunch, and we in turn alerted AT&T, prompting the phone giant to mass-reset the account passcodes of some 7.6 million current customers and notify tens of millions more.
SEC fines four cyber companies for downplaying their own breaches
Not even cybersecurity companies are immune from breaches, but how four firms handled their cybersecurity scandals this year prompted regulators to impose rare fines for their misconduct. The companies, Avaya, Check Point, Mimecast, and Unisys, paid a collective $6.9 million in fines for a range of violations that include “negligently” downplaying and minimizing the damage of their own breaches stemming from the 2019 SolarWinds espionage attack, per the U.S. Securities and Exchange Commission.
pcTattletale spyware owner deleted victim’s data instead of notifying them of breach
In May, a spyware app called pcTattletale was hacked and its website defaced with downloadable links to archives of data stolen from the company’s servers, exposing data on some 138,000 customers who signed up to use the surveillance service. Instead of notifying affected people of the breach — and those whose devices were compromised without their knowledge — the company’s founder told TechCrunch that he “deleted everything because the data breach could have exposed my customers.” pcTattletale, which subsequently shut down following the breach, is the latest in a long list of stalkerware and spyware makers that have lost or exposed data on spyware victims in recent years.
Brainstack outed its involvement with mSpy after breach
Another prolific spyware, mSpy, also had a major data breach this year that exposed emails sent to and from the customer support email system dating back to 2014. The emails also exposed the real-world Ukrainian company, Brainstack, that was secretly behind the operation. The company did not dispute the claim when contacted by TechCrunch. Weeks later, Brainstack sent a takedown notice to the hosting provider of DDoSecrets, a transparency collective that hosts a copy of the leaked mSpy data, demanding that the web host take down the site for hosting “private corporate data belonging to MSpy, a brand of our company.” The web host, FlokiNET, denied the request and instead published the takedown notice, which confirmed that Brainstack was behind mSpy’s operation as the prior evidence suggested.