Last year, we put together a list of the most poorly handled data breaches of 2022, looking back at the bad behavior of giant companies when faced with hacks and breaches. This included everything from downplaying the real-world impact of personal information leaks to failing to answer basic questions.
This year has shown that many organizations continue to make the same mistakes. Here’s this year’s file on how not to respond to security incidents.
The Electoral Commission hid the details of a massive hack for a year, and remains tight-lipped
The Electoral Commission, the watchdog responsible for overseeing elections in the UK, confirmed in August that it had been targeted by “hostile actors” who had accessed personal details of up to 40 million voters in the UK, including full names, email addresses, home addresses, phone numbers and any personal photos sent to the Commission.
While it may appear that the Electoral Commission has been upfront about the cyberattack and its impact, the incident occurred in August 2021 – about two years ago – when hackers first gained access to the Commission’s systems. It took another year for the Commission to catch the hackers red-handed. The BBC reported the following month that the watchdog had failed a basic cybersecurity test at around the same time the hackers gained entry into the organisation. It has not yet been revealed who carried out the intrusion – or if it is known – and how the Commission was hacked.
Samsung will not say how many customers were affected by a year-long data breach
Samsung has once again made it onto the list of poorly handled breaches. The electronics giant once again took its usual approach of silence when faced with questions about a year-long breach of its systems that gave hackers access to the personal data of its UK-based customers. In a letter sent to affected customers in March, Samsung admitted that attackers exploited a vulnerability in an unnamed third-party business app to access de-identified personal information of customers who made purchases at its UK store between July 2019 and June 2020.
In the letter, Samsung admitted that it did not discover the compromise until more than three years later in November 2023. When asked by TechCrunch, the tech giant declined to answer further questions about the incident, such as how many customers were affected or how the hackers gained access to its internal systems.
Hackers stole Shadow’s data, and Shadow remained silent
French cloud gaming provider Shadow is a company that lives up to its name, with the company’s October hack still shrouded in mystery. The breach saw attackers carry out an “advanced social engineering attack” against a Shadow employee that allowed access to customers’ private data, according to an email sent to affected Shadow customers.
However, the full impact of the incident remains unknown. TechCrunch obtained a sample of data believed to have been stolen from the company that contained 10,000 unique records, which included private API keys corresponding to customer accounts. When asked by TechCrunch, the company declined to comment, and did not say whether it had notified the French data protection regulator, CNIL, of the breach as required under European law. The company also failed to publicize the breach beyond the emails sent to affected customers.
Lyca Mobile declined to specify what type of cyberattack occurred
Lyca Mobile, the UK-based mobile virtual network operator, said in October that it was the target of a cyberattack that caused widespread disruption to millions of its customers. Lyca Mobile later admitted that a data breach had occurred, with unspecified attackers accessing “at least some of the personal information in our system” during the breach.
It’s now been more than two months, and Lyca Mobile has yet to say what data was stolen from its systems (although sensitive personal information was stored, such as copies of ID cards and financial data), or how many of its 16 million customers were affected by the breach. Despite repeated requests from TechCrunch, the company also declined to comment on the nature of the incident, though the incident was presented as ransomware.
MGM Resorts has not yet said how many customers had their data stolen after the hack
The MGM Resorts hack is one of the most memorable events of 2022; the incident saw hackers linked to a gang known as Scattered Spider infiltrate the company’s systems to cause weeks of disruption across MGM hotels and casinos in Las Vegas. MGM said the disruption would cost the company at least $100 million.
MGM first revealed that it had been targeted by hackers on September 11. But it wasn’t until October that the company confirmed in a regulatory filing that the attackers obtained some of the personal information of customers who dealt with MGM resorts before March 2019. This includes customer names, contact information, gender, dates of birth, driver’s license numbers, Social Security numbers and passport checks for some customers.
It’s now been more than three months and we still don’t know how many MGM customers have been affected. MGM spokespeople repeatedly declined to answer TechCrunch’s questions about the incident.
A Dish breach could affect millions, perhaps many more
Last February, satellite TV giant Dish confirmed in a public filing that a ransomware attack was to blame for the ongoing outages, and warned that hackers had leaked data from its systems that may have included customers’ personal information. However, Dish hasn’t provided a substantive update since then, and customers still don’t know if their personal information was at risk.
Despite the company’s silence, the impact of the hack could extend far beyond Dish’s 10 million or so customers, TechCrunch has learned. A former Dish retailer told TechCrunch that Dish keeps a large amount of customer information on its servers, including customer names, dates of birth, email addresses, phone numbers, Social Security numbers, and credit card information. That information is kept indefinitely, even for potential customers who don’t pass Dish’s initial credit check, that person said.
CommScope was late in telling its employees that their data had been stolen
TechCrunch heard from CommScope employees who said they knew nothing about a data breach at the company that affected their personal information. The North Carolina-based company, which designs and manufactures network infrastructure products for a range of clients, was targeted by the Vice Society ransomware gang in April. The data leaked by the gang, and reviewed by TechCrunch, included the personal data of thousands of CommScope employees, including full names, postal addresses, email addresses, personal numbers, Social Security numbers, passport scans, and bank account information.
CommScope refused to answer our questions about the leaked employee data, and also failed to respond to those affected. Multiple employees told TechCrunch at the time that CommScope executives remained tight-lipped about the hack, saying they had “no evidence” to suggest employee data was involved.