2022: A Bad Year for Breaches

We discuss the themes and events that defined the year

For many, 2022 will be a year remembered for all the wrong reasons. We witnessed a continual flow of breaches that spanned multiple sectors and impacted millions of people globally, sometimes with devastating consequences. Rarely did a week pass without another reminder of the threats our information faces daily, and of the poor job many organisations do of securing our data.

In this article, we look back at some of the key themes and events that defined 2022. Next week, we will provide our take on the trends that are likely to shape the future of data privacy and protection.

1. Increasing cyber threats pose a risk to everyone

+38% increase in global cyberattacks in 2022 (Check Point Research)

The numerous breaches in 2022 demonstrated that we are all at risk. Whether a large corporation or a small start-up, a government or even a charity, there is a very material risk that your organisation will experience a breach, irrespective of how technologically mature your business is.

According to Check Point Research, the global volume of cyber attacks increased by 38% during the year, reaching an all-time high in Q4 with an average of 1,168 weekly attacks per organisation.

The health, government, and education & research sectors were hit the hardest, particularly by ransomware, as hackers targeted organisations handling high volumes of sensitive data and those with weaker defences. However, attacks were not limited to these sectors and even global technology businesses were hit hard, while incidents at Medibank and the Red Cross highlight that cybercriminals have few moral boundaries. There are few targets they won’t attack and few organisations that remain impenetrable.

To name a few:

  • In healthcare: The Medibank breach was arguably the year’s biggest news. Attackers with suspected links to the Russian group REvil exfiltrated records on around 10 million current and former customers and began publishing individual medical details while demanding a payment of roughly $10 million (USD). The published data included a ‘naughty’ list of individuals who had received treatment for abortions and drug addiction, and when Medibank refused to pay, the attackers published what they claimed was the full dataset online.
  • In government: Costa Rica became the first country to declare a national state of emergency in response to a cyber attack, with businesses, government and public services facing disruption for months. The ransomware attack, claimed by the Conti group and at this scale amounting to cyber terrorism, is estimated to have cost the country $30m per day. Vanuatu suffered a similar fate later in the year; the small Pacific island nation was brought to a standstill as government services went offline and officials resorted to personal computers, pen and paper.
  • In education: An attack on the Los Angeles Unified School District saw over 500 GB of data released, including information on previous convictions and psychological assessments of students. Similar incidents occurred in Australia and the UK, with the personal details of students, parents and teachers released.
  • In technology: There was particular embarrassment for Uber, Twitter and LastPass, as reports of multiple recent breaches surfaced. Over 200 million Twitter account details were published online, relating to a breach from 2021. For LastPass, the event was particularly damaging: the password management provider admitted that a backup of customer vault data had been stolen, containing both unencrypted fields (such as website URLs) and encrypted fields (usernames, passwords and notes). Only the master password, and the cost of the key-derivation function that turns it into the vault key, now stands between the attackers and each customer’s entire collection of passwords, and the attackers can test guesses offline at their leisure.
  • In conflict: It was impossible to miss the impact of the Russia-Ukraine conflict. While troops and artillery attacked on the ground, the war was also fought online through misinformation and cyber attacks on critical infrastructure. The attack attributed to Russia on Viasat’s KA-SAT satellite network, which knocked modems offline across Europe as the invasion began, demonstrated that cyber warfare now poses a threat even in space. These events encouraged a resurgence in hacktivism, as groups formed to support both sides of the conflict.
  • In charities: The International Committee of the Red Cross disclosed in January that it had been hacked, exposing data on more than 500,000 vulnerable people; experts believed the incident to be the work of a state-sponsored Advanced Persistent Threat (APT) group.
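To make the LastPass point concrete, here is an added example that is not LastPass’s code, vault format or key-derivation parameters, and not part of the original article. It models a stolen encrypted vault with a constructed toy layout: PBKDF2-HMAC-SHA256 stretches the master password into the vault key, and a key-check tag (an assumption of this toy format) lets the attacker confirm a guess without ever contacting the vendor. The salt, wordlist and passwords are constructed for illustration. It shows why, once the ciphertext is in the attacker’s hands, the outcome is decided entirely by master-password strength and the KDF iteration count.

```python
"""Offline attack on an exfiltrated password vault (constructed toy model).

Added example: not LastPass's code or vault format. It models the situation
where the attacker already holds the encrypted vault, so the master password
and the key-derivation work factor are the only remaining defences and every
guess can be tested offline at full speed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Constructed label for the key-check tag; not taken from any real product.
KEY_CHECK_LABEL = b"vault-key-check"


@dataclass(frozen=True)
class StolenVault:
    """What the attacker walks away with: salt, KDF cost and a way to confirm a key."""
    salt: bytes
    iterations: int
    key_check: bytes  # HMAC(vault_key, label): confirms a guess without any server


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stretching of the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def build_vault(master_password: str, iterations: int, salt: Optional[bytes] = None) -> StolenVault:
    """Create the artefact the attacker exfiltrates (constructed sample data)."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return StolenVault(salt, iterations, hmac.new(key, KEY_CHECK_LABEL, "sha256").digest())


def offline_crack(vault: StolenVault, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack: each guess costs `vault.iterations` PBKDF2 rounds and nothing else.

    Returns (recovered_password_or_None, guesses_tried). No rate limiting, no lockout,
    no alerting: the vendor never sees these attempts.
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        candidate = derive_vault_key(guess, vault.salt, vault.iterations)
        tag = hmac.new(candidate, KEY_CHECK_LABEL, "sha256").digest()
        if hmac.compare_digest(tag, vault.key_check):
            return guess, tried
    return None, tried


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the attacker's per-guess cost for a given KDF work factor on this CPU."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


# Constructed wordlist standing in for the leaked-password lists an attacker would use.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2022!", "P@ssw0rd", "iloveyou"]


def demo() -> None:
    salt = b"constructed-salt"  # 16 bytes, fixed so the demo is reproducible
    weak = build_vault("Summer2022!", iterations=5_000, salt=salt)
    strong = build_vault("correct horse battery staple 7tQ", iterations=600_000, salt=salt)

    print("weak master password, low work factor :", offline_crack(weak, WORDLIST))
    print("strong passphrase, high work factor    :", offline_crack(strong, WORDLIST))
    for iters in (5_000, 100_000, 600_000):
        t = seconds_per_guess(iters)
        print(f"{iters:>8} iterations: {t * 1000:7.1f} ms/guess, ~{1 / t:,.0f} guesses/s")


if __name__ == "__main__":
    demo()
```

Running `demo()` prints the per-guess cost at several iteration counts; a dictionary of common passwords falls in moments at a low work factor, while a long passphrase never appears in the list at all. The practical lesson for users of any vault product whose ciphertext has been taken is to rotate the master password to a long passphrase, raise the iteration count where the product allows it, and rotate the secrets inside the vault, since the stolen copy can be attacked indefinitely.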

2. Ransomware becomes increasingly sophisticated

Ransomware-as-a-service kits are available for as little as $40 per month (Crowdstrike)

Ransom attacks were a common theme amongst some of the most significant incidents already referenced, such as Medibank, the Costa Rican government and the LA Unified School District. Although ransomware is not new, the threat rises as attacks become increasingly sophisticated and more easily implemented.

The growth in ransomware-as-a-service and lower unit costs has enabled these changes. Dark web marketplaces such as Genesis Market, which traded stolen credentials and browser session data that buyers use for initial access, have grown alongside the ransomware-as-a-service offerings themselves, giving affiliates tooling that was previously only accessible to large, organised crime groups. Some services are available for as little as $40 per month, while a successful attack can reap millions of dollars in reward.

Double extortion tactics have become the standard. Historically, attackers encrypted the victim’s data and charged for the decryption key. However, attackers now aim for more substantial leverage and rewards as they harvest the data and threaten to release the information online.

There were some material arrests, such as those of REvil members in January and Lapsus$ members in October, while a leak of Conti’s own internal data, in response to the group’s support for Russia in the Ukrainian conflict, led to its supposed closure. Despite these arrests, we can be confident that new threat actors will appear in their place, and that individuals will simply move on to other groups. For example, Black Basta is believed to already include former REvil and Conti members.

3. A very bad year for Australians

An average of 22 accounts were hacked every minute in Q3 in Australia (Surfshark)

2022 was a truly terrible year for data breaches in Australia. Rarely did a week go by without news of another incident exposing the personal details of Australians and leaving them at the mercy of professional cyber criminals. It got so bad that Australia ranked as the worst country worldwide for breaches from July to September.

Significant factors in this poor performance were the large-scale incidents at Optus and Medibank, each of which exposed records on roughly 10 million people, close to 40% of the Australian population. Many unlucky individuals will therefore have been caught up in both events.

These two events alone would constitute a bad year, but it did not stop there. Further large-scale incidents at leading brands, including MyDeal (a Woolworths subsidiary), Telstra, Bunnings and Vinomofo, exposed millions more records. They increased the likelihood that everyday customers will be targeted by scammers and become fraud victims over the coming years.

Customers are rightfully outraged. A survey by Nature found that almost two-thirds of Australians (64%) now lack confidence in the ability of large organisations to keep their data safe, and consumers are thinking twice about what data they share and whom they trust.

4. Governments are (slowly) addressing the need to legislate data privacy

Maximum privacy penalties in Australia are increasing from $2.2m to the greater of $50m, three times the benefit obtained, or 30% of adjusted turnover in the relevant period

In some better news, various governments took action to pass improved privacy legislation. Although the laws remain a work in progress in many cases, slowly inching towards a more secure future, it represents progress nonetheless.

Following the national incidents, the Australian government promptly passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill, raising the maximum penalty for serious or repeated privacy breaches to the greater of $50m (AUD), three times the value of any benefit obtained, or 30% of adjusted turnover for the relevant period. The punishments aim to deter poor practices and ensure companies (finally) get the message that data security is not optional. For many Australian customers, though, it was already too late, as the damage of 2022 had been done.

In the US, there were steps towards introducing federal privacy legislation that would introduce coverage across all states with the American Data Privacy and Protection Act (ADPPA). The bill includes national standards for companies handling data and limited redress for consumers. However, it still faces some material hurdles — particularly from California, which has led the way in introducing privacy laws.

Whilst the wait for federal legislation continues, individual states introduced their own legislation. For example, Connecticut and Utah passed laws that will come into effect during 2023, joining California, Colorado and Virginia. California also passed the California Age-Appropriate Design Code Act, which provides an online safety bill for children.

There were also legislative movements in other regions of the world. For example, the EU and US agreed in principle on a new data transfer framework (the Trans-Atlantic Data Privacy Framework), replacing the Privacy Shield arrangements that the Court of Justice of the EU struck down in 2020 in the Schrems II ruling. In addition, Canada introduced the Digital Charter Implementation Act, which includes provisions to address AI technology. Indonesia passed its Personal Data Protection Bill, and India proposed the Digital Personal Data Protection Bill.

5. European regulators continued to wield the powers bestowed by GDPR

Meta received €747 million in GDPR related fines during 2022

Regulators in Europe demonstrated a continued willingness to impose fines for breaches of GDPR. During the year, Ireland’s Data Protection Commission (DPC) issued the second and third-largest GDPR fines to date. The penalties, both against Meta companies, amounted to €670m: €405 million for Instagram’s handling of children’s data and €265 million for Facebook’s failure to prevent data scraping. These added to a further €77 million in other fines against Meta during the year for Facebook’s cookie consent practices and earlier breaches.

There were additional hefty fines along the way, with Clearview AI accounting for many of them. The facial recognition firm, which has proved controversial due to scraping images and personal data off the internet to fuel AI identification services, incurred €20 million fines in each of France, Italy and Greece, along with a £7.5m fine in the UK.

Additional fines for Google, Interserve and Vodafone suggest that companies operating in Europe cannot assume they will escape the attention of the regulatory authorities, although many of the penalties are being challenged in court.

It’s been a big year for data privacy, with some much needed progress but also staggering loss that will no doubt continue to impact individuals for years to come.

If you would like to learn more about what we are building at Onqlave to help protect sensitive data, follow our updates via LinkedIn, sign up to our newsletter or feel free to get in touch with any of our team.