As Data Breach Reports Surge, Healthcare Is Most Hit Sector2023 Set to Break Multiple Breach Records; MOVEit Attack Claims 320 Organizations
As many as 320 businesses, schools and public agencies are reeling from the Clop ransomware group's supply chain attacks exploiting MOVEit file transfer software. Most of those breaches have only come to light in the past two weeks, and it appears, based on data breach notifications issued in the first half of this year, 2023 looks set to break multiple records.
In the first half of 2023, 1,393 organizations issued data breach notifications, collectively reporting that 157 million individuals' personal details were exposed, the Identity Theft Resource Center, a nonprofit organization devoted to assisting victims of U.S. data breaches, reported.
If the second half of this year follows suit, the total number of breaches for 2023 will exceed the current annual record of 1,862 notifications issued in 2021.
So far this year, the industries reporting the most data breaches were healthcare, with 379 incidents - including at Managed Care of North America and PharMerica - followed by financial services, with 241 incidents (see: Midyear Health Data Breach Analysis: The Top Culprits).
Online attacks accounted for about 75% of all breaches so far this year, and most of the rest were related to system or human errors. Many breach notifications tied to supply chain attacks, and 108 different breaches affected a total of 402 organizations.
Comparing the first half of 2023 with the first half of 2022, the number of reported ransomware attacks held steady, while malware jumped 89% as a cause.
Largest Known Data Breaches in 2023, So Far
|Zacks Investment Research
|Louisiana Office of Motor Vehicles
|TMX Finance Corporate Services
|PBI Research Services/Berwyn Group
The count of data breach victims and causes isn't definitive. Many organizations don't detail how many individuals were affected, or if they do, they may not publicly update these numbers based on their investigators' latest findings.
For the first half of this year, the ITRC said that 40% of all breach notifications failed to specify the cause of the breach. James E. Lee, COO of the ITRC, has criticized this "very concerning" lack of transparency, saying it does a disservice not only to breach victims but to other organizations criminals might target. "We do need to work to improve the amount of information that's actually being distributed to individuals and organizations so they can better protect themselves," he recently told Information Security Media Group.
More MOVEit Fallout
The second quarter of this year has been especially notable on the data breach front due to the campaign targeting Progress Software's MOVEit file transfer software. The Clop ransomware group has claimed credit for the attacks, which largely appeared to occur on May 30 and May 31. The group's campaign resulted in numerous data breaches, not all of which yet appear to have come to light.
Progress Software patched the zero-day flaw exploited by Clop on May 31. The MOVEit maker already faces a proposed class action lawsuit. Another two proposed class action lawsuits have been filed against Johns Hopkins University and its Johns Hopkins Health System following breaches of their MOVEit software.
As of Friday, cybersecurity research firm KonBriefing counted nearly 320 total known organizations affected by MOVEit breaches worldwide, either because those organizations use the software or because they contract with an organization that uses it. Victims that have recently come to light include photography site Shutterfly; Loyola University Chicago; the universities of Delaware, Oklahoma and Stony Brook; South African pharmacy chain Clicks; and also apparently Deutsche Bank AG, which is one of the world's largest public banks.
This year, a record number of organizations could be forced to issue a data breach notification due to a security incident at a contractor or service provider. Already, multiple organizations have reported being hit in that way by MOVEit attacks, including PBI Research Services, which helps financial services firms identify policyholders who have died and locates beneficiaries. In addition to Berwyn Group, affected PBI customers include Genworth Financial, which reported that attackers had stolen from PBI personal information for up to 2.7 million of its customers, Wilton Reassurance Co. - 1.5 million customers affected, and the California Public Employees' Retirement System - 770,000 members affected.
Separately, 62 clients of Big Four accounting firm Ernst & Young have been listed on the data leak site of the Clop group, which has dumped about 3 terabytes of stolen EY data. Affected clients include a swatch of mostly Canadian firms, including Air Canada, Constellation Software, Laurentian Bank of Canada, Mary's General Hospital Surgical Services Review, Staples Canada, Sun Life Assurance of Canada and United Parcel Service Canada.
The U.S. Department of Health and Human Services last month notified Congress that information pertaining to at least 100,000 individuals had been compromised via MOVEit attacks against HHS contractors.
California's private Western University of Health Sciences reported that not one but two different service providers - National Student Clearinghouse and Teachers Insurance and Annuity Association - had notified it that the MOVEit breach resulted in the theft of WesternU data.
Colorado State University's data breach notification on Wednesday trumps that, reporting that not just TIAA and NSC had alerted it to the theft of CSU individuals' data, but also Corebridge Financial, Genworth Financial, Sunlife and The Hartford.
Rutgers on Thursday reported that it may also be one of many more universities affected by the NSC breach. "The NSC works with 3,600 colleges and universities, including Rutgers, to gather student data required by the U.S. Department of Education," Rutgers' breach notification says. "At this time, the impact on Rutgers information is unclear."
Some organizations have been compromised by MOVEit attacks not just through their own service provider but through their service provider's service provider. A data breach notification issued July 7 by financial services firm Pear Tree Advisors to at least 6,792 affected individuals in the U.S. reported that Pear Tree had received a breach notification from Envision Financial Systems, which provides its investor management software. Envision's breach notification reported that its subcontractor, Integrated Systems Corp., had suffered a data breach due to attackers exploiting the vulnerability in MOVEit to access ISCorp's "private cloud environment."
Based on the latest listings to Clop's data leak site and victims' breach notifications, Clop stole personal identifying information for at least 18.2 million individuals, reported Brett Callow, a threat analyst at Emsisoft. The number of victims of the MOVEit campaign who paid a ransom to the extortionists in exchange for a promise to not be listed on Clop's data leak site remains unclear.
With MOVEit breach investigations continuing and the Clop group potentially naming more victims and leaking additional data, observers say to expect the count of 2023 data breach victims and affected individuals to rise, likely to record-setting levels.