November 2023 - Looking Back at 2023
Security professionals have plenty to keep their eyes on each year, and 2023 has been no exception.
As 2023 comes to a close, it’s time to look back at some of the most notable stories and developments to come out of the privacy and security space.
From ransomware attacks targeting major casino chains to data breaches affecting millions of people, 2023 had no shortage of developments for security professionals to handle.
Cyberthreats never stay static, but it is worth remembering how these incidents were handled, in the hope that the lessons learned can help reduce the risk of similar attacks in the future.
Ransomware Groups Behind Casino Attacks, MOVEit Breach
MGM Resorts and Caesars Entertainment both fell victim to the Scattered Spider threat group (an affiliate that deployed ALPHV/BlackCat ransomware) in September, and the two attacks highlighted the different avenues organizations can take when faced with the same challenge.
Caesars decided to pay the ransom to the tune of a $15 million payout, while MGM did not pay the attackers, eventually recovering its operations after nearly two weeks of outages.
Even though they didn’t pay Scattered Spider, MGM still lost millions of dollars following the attack, showcasing the difficult choices security professionals must face when staring down a major cyberattack.
But perhaps no breach affected more organizations, and people, around the world than the MOVEit breach.
A zero-day vulnerability, a SQL injection flaw in Progress Software's MOVEit Transfer (CVE-2023-34362), was discovered in the managed file transfer software, which is used by thousands of entities around the world to send and receive sensitive files.
It’s estimated that 2,620 organizations were impacted by the breach, 78% of which are based in the U.S., according to Emsisoft. As of November 20, 2023, at least 77 million people were affected by the breach.
The MOVEit breach affected entities such as British Airways and the BBC. Attackers exploited the flaw on a MOVEit server operated by IBM on behalf of a Colorado state agency, exposing the data of roughly 4 million Colorado patients.
A similar event affected the U.S. government contractor Maximus, where cybercriminals exploited the same flaw to access health data belonging to 8 to 11 million people.
Even organizations such as PokerStars were impacted by the MOVEit breach, as 110,000 customers had their personal information exposed, including Social Security numbers.
And as with the attacks on MGM and Caesars, a ransomware group was behind the MOVEit campaign, with Cl0p claiming responsibility.
Ransomware remained a major issue facing security professionals in 2023, and it will remain a threat in the year ahead.
23andMe Breach Concerns Go Beyond Money
The genetic testing company 23andMe faced its own data breach in October. Malicious actors used credential stuffing, reusing usernames and passwords leaked in unrelated breaches of other services, to log in to accounts and gather information.
What makes this breach particularly concerning is that the data belonging to nearly one million Ashkenazi Jewish users has been shared on dark web forums.
Data breaches can be damaging in many different ways, and the 23andMe breach is one such example, as legitimate fears emerged that the data could be used to target, and potentially harm, people of different ethnicities.
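Credential stuffing of the kind described above leaves a recognizable trace in authentication logs: one source tries many distinct usernames in a short burst, most attempts fail, and the few that succeed are the accounts whose passwords were reused. The following is an added example, not code from the original post or from 23andMe, that flags such a source from log lines. The log lines and their format (timestamp, source IP, username, result) are constructed for illustration and are an assumption, not any real product's format.

```python
"""Spot a credential-stuffing burst in login logs and list the accounts it opened.

Constructed example: log lines and format are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycles through many usernames in seconds
# (a stuffing run, two hits), while a second source is one user retrying.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T02:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T02:00:02Z 203.0.113.7 carol@example.com OK
2023-10-01T02:00:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T02:00:04Z 203.0.113.7 erin@example.com FAIL
2023-10-01T02:00:05Z 203.0.113.7 frank@example.com OK
2023-10-01T02:00:06Z 203.0.113.7 grace@example.com FAIL
2023-10-01T02:00:09Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T02:00:12Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T02:00:15Z 203.0.113.7 judy@example.com FAIL
2023-10-01T02:05:00Z 198.51.100.4 alice@example.com FAIL
2023-10-01T02:05:20Z 198.51.100.4 alice@example.com FAIL
2023-10-01T02:05:45Z 198.51.100.4 alice@example.com OK
"""


def parse_log(text):
    """Parse 'timestamp ip username OK|FAIL' lines into (datetime, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {ip: sorted usernames that logged in successfully from ip}.

    An IP is flagged when, within any `window`, it attempted at least `min_users`
    distinct usernames and at most `max_success_rate` of those attempts succeeded.
    A single user retrying their own password never trips this (one username).
    The thresholds are assumptions; tune them to the login volume of the service.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            distinct_users = {u for _, u, _ in current}
            if len(distinct_users) < min_users:
                continue
            successes = sum(1 for _, _, ok in current if ok)
            if successes / len(current) <= max_success_rate:
                # Report every account the source opened, not only those in this window.
                flagged[ip] = sorted({u for _, u, ok in evs if ok})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing; accounts to reset/notify: {accounts}")
```

The accounts listed for a flagged source are the ones to force a password reset and session revocation on, since a successful login from a stuffing source means that password is already in a leaked list. Enforcing multi-factor authentication removes most of the value of the leaked credentials in the first place.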
Regulation Moves Forward
A slate of new laws made headlines this year, and while a federal U.S. privacy law remains elusive, several states have passed their own consumer privacy laws, including Florida, Tennessee, Texas, Indiana, Iowa, Oregon, Montana and Delaware.
The SEC adopted rules requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality and to describe their cybersecurity risk management, strategy and governance annually on Form 10-K. It also proposed amendments to Regulation S-P that would add a data breach notification requirement and expand the definition of “customer information.”
California added another privacy bill to its ranks after Governor Gavin Newsom signed the Delete Act into law, which will give state residents a one-stop shop to request data brokers to delete their information starting in 2026.
A federal privacy law remains elusive, and it will be one of many stories security professionals continue to monitor in the year ahead.
Come back next month and BlackCloak will look at some of the trends we will be monitoring in 2024.