Here’s a staggering statistic: Cybercriminals can penetrate 93% of company networks. A pentesting study, conducted by Positive Technologies on various industries including financial, energy, government, IT and other sectors, found it takes just two days on average for a hacker to penetrate a company’s internal network. Once inside, data is stolen, systems are locked down, and, in the case of a ransomware attack, millions are requested in order to get the data back.
As technologies advance and cybercriminals become more sophisticated, cybercrime is rising to near-epidemic levels, forcing security executives to dramatically increase security budgets and staff. Still, most infosec teams admit they are unprepared for the onslaught of cybercrime predicted for the years ahead.
For now, let’s take a look back on 2022. From Russia’s invasion of Ukraine to the aftermath of the pandemic, the threat landscape has grown, both in number of attacks and cost. In 2022, data breaches cost an average of $4.35 million—up from $4.24 million in 2021.
Here are some of the more notable breaches from this year.
Third-Party and Fourth-Party Breaches
It is essential that vendor risk management be a critical component of every company’s security posture. Over 60% of security breaches are caused by third- and fourth-party vendors. Allowing third- and fourth-party vendors access to an organization’s environment is a must to keep business running smoothly. However, when there is a lack of security measures in place, hackers can easily infiltrate these external partners, which can grant them backdoor access into the organization’s systems. This is why it is important to monitor not only one’s own security risks, but also those of one’s vendors. Here are a few third- and fourth-party breaches from 2022 that may have been avoided with the right vendor risk management platform:
Toyota
Date: February 2022
Impact: When Toyota’s third-party plastic supplier, Kojima, experienced a data breach, the auto manufacturer was forced to shut down all operations in Japan. Since Kojima had access to Toyota’s manufacturing plants, pausing production at the plants was necessary to protect Toyota’s data. Unfortunately, the damage had been done, and Toyota lost approximately 13,000 cars of output.
HighMark
Date: March 2022
Impact: When Quantum Group was attacked, exposing HighMark’s sensitive patient data, the healthcare company had to scramble to secure patient information. This breach is an example of a fourth-party attack: Quantum Group received the customer data from Webb Mason, HighMark’s marketing vendor.
Seattle Children’s Hospital
Date: June 2022
Impact: When third-party printing vendor Kaye-Smith suffered a ransomware attack, exposing the health information of 6,750 patients, Seattle Children’s had to inform a subset of its patients that their names, addresses, provider names, medical record numbers, visits, lab information and more had been compromised.
Ransomware Attacks
As attack methods evolve, ransomware is quickly becoming the worst type of security breach. In years past, hackers would encrypt stolen data and demand a fee for the decryption key. Now entire communication networks and even small devices are being hijacked. This type of attack can be devastating to all types of businesses and could even turn life-threatening for the individuals involved.
Bernalillo County, New Mexico
Date: January 2022
Impact: Computer systems and websites in the county government offices were taken offline during a ransomware attack. A network shutdown at the Metropolitan Detention Center put prisoners in lockdown when security cameras and data systems were affected and the automatic doors went offline.
Costa Rican Government
Date: April 2022
Impact: The country declared a national emergency when the ransomware attack impacted government services and the private-sector businesses engaged in import/export. Hackers demanded $10 million and later increased the demand to $20 million.
CommonSpirit Health
Date: October 2022
Impact: When the nation’s second-largest nonprofit hospital chain fell victim to a ransomware attack, appointments and surgeries were canceled at CommonSpirit hospitals across the country after more than a week of IT outages. When the attack was discovered, CommonSpirit was forced to take certain systems offline.
Data Breaches
Yahoo’s data breach of 2013 is well known as one of the largest (if not the largest) data breaches ever, with more than three billion customer accounts leaked. Luckily, the stolen data did not include bank information or passwords.
Here are a few data breaches worth mentioning from 2022:
SuperVPN, GeckoVPN, and ChatVPN
Date: May 2022
Impact: When these three Android VPNs were hacked, user credentials and device data belonging to 21 million users were stolen and posted to a Telegram group, where anyone could download them. This sensitive data included names, emails, passwords, payment information and more.
Neopets
Date: July 2022
Impact: Personal information (name, email, password, gender, and more) of 69 million users and 460 MB of source code were stolen from Neopets’ database. The hackers attempted to sell the data for bitcoin.
Los Angeles Unified School District
Date: September 2022
Impact: Half a terabyte of data was stolen from the Los Angeles Unified School District by the Russia-linked hacking group Vice Society and dumped on the dark web.
Get Ready for 2023
What cybersecurity challenges will the world face next year? The unpredictable political climate combined with supply chain issues can wreak havoc on businesses, and open doors for cybercriminals. It’s only a matter of time before most businesses suffer some type of breach. The key question to ask yourself is: How can my organization minimize the likelihood of a breach?
No longer can businesses ignore this threat or assume they are too small or insignificant to be targeted for a data breach. Budgets must be revamped, and dollars need to be carved out for two necessary components of any business’s security program: vendor risk management software and attack surface management software.
If you’d like to see exactly how a hacker views the gaps in your environment, fill out the form below to schedule a demo of ThreatScape—ProcessBolt’s attack surface management software, part of the ProcessBolt vendor risk management platform. After the demo, you’ll receive ThreatScape free for one month.