2022 saw a slew of high-profile security breaches resulting in the theft of large amounts of confidential user data and unauthorized access to intellectual property. The security breaches impacted a wide range of organizations from various industries. In the wake of the data breaches, the affected companies had to scramble to manage the damage to their brand.

Data breaches are costly not only in terms of brand image damage but also in terms of financial expenses. According to a report by IBM Security, the average total cost of a data breach in 2022 was $4.35 million.

In this blog post, we look at some of the most significant data breaches of 2022 and try to find patterns and common causes, so that we can learn to better protect our customers.

5 Of The Biggest Data Breaches Of 2022

Here’s a list of the 5 biggest data breaches of 2022:

1. LastPass Data Breach

2. Okta Data Breach

3. Microsoft Data Breach

4. Uber Data Breach

5. Twilio Data Breach

We will discuss each security breach in the following sections.

In 2022, LastPass, the password manager company suffered not one but two security breaches.

On August 25, 2022, LastPass notified its customers via their blog that a threat actor compromised a developer account and gained access to parts of their development environment, source code, and technical information. Again in November, LastPass shared updates on the security breach, stating that the third party also gained access to some customer data.

In December, LastPass shared another report that the threat actor used the information stolen in August to access a copy of the backup of customer data and password databases (vault). The customer data accessed included names, email addresses, phone numbers, billing addresses, IP addresses, and partial credit card numbers.

Nevertheless, LastPass assured that the stolen data did not include the user's master password required to access the encrypted portions of the customer’s vault data and the passwords stored with LastPass are still secure since the encryption and decryption of passwords take place on the user’s device.

However, LastPass did warn its customers that the threat actors may use brute force attacks as well as social engineering and phishing to guess the master passwords and decrypt the stolen copies of vault data. So the security of the stored passwords depends on the strength of the customer’s master password.

You can read about the notice of security incidents provided by LastPass here: Notice of Recent Security Incident - The LastPass Blog

Cause Of The LastPass Breach

As per the information shared, the breach was caused by a single compromised developer account. How was the account compromised? It is likely that social engineering techniques combined with phishing were used, but we do not know for certain. What we do know is that the compromised account was used to steal source code and technical information, which enabled the threat actor to target an employee and gain access to credentials and keys to LastPass’ third-party cloud storage service.

Okta, an identity and access management company, also suffered two separate security breaches in 2022.

First, in January, a cybercriminal hacking group known as Lapsus$ breached Okta’s security systems by gaining remote access to a device belonging to an employee of Sitel, Okta’s subcontractor. While in active control of the compromised device, the threat actor was able to access two active customer tenants, see information in other applications like Slack and Jira. However, the threat actor was not able to perform any password resets or configuration changes.

The second breach occurred in December when Okta’s private GitHub repositories were hacked and Okta’s source code was stolen. However, Okta assured that its service and customer data were not compromised.

You can read more about Okta’s report into the incident here: Okta Concludes its Investigation Into the January 2022 Compromise

Cause Of The Okta Breach

Okta works with contractors to effectively manage many aspects of its business. To enable the contractors to perform their jobs, they are given some administrative privileges. The hackers targeted one such contractor who had privileges to reset passwords and reset multifactor authentication. And using the access, the threat actor was able to copy Okta code repositories.

Microsoft is another large enterprise that suffered two major breaches in 2022.

In March, the hacker group Lapsus$ struck again, claiming to have breached Microsoft and shared screenshots taken within Azure DevOps, Microsoft’s collaboration software. Microsoft confirmed this hack and revealed that hackers had gained limited access to its systems through a compromised employee account and that allowed the hackers to steal the company’s source code.

In September, security researchers at SOCRadar alerted Microsoft that a misconfigured Microsoft endpoint had left its customer data exposed and accessible over the internet. Microsoft asserted that the issue arose not because of a security vulnerability, but due to unintentional misconfiguration on an endpoint, which is not in use across the Microsoft ecosystem. It further went on to say that there was no indication that customer accounts or systems were compromised but were only exposed.

However, security researchers claimed that the issue exposed 2.4 terabytes of data pertaining to over 65,000 companies and 548,000 users. The leaked data include names, email addresses, email content, company names, phone numbers, as well as files.

You can read more about Microsoft’s March 2022 breach here: DEV-0537 criminal actor targeting organizations for data exfiltration and destruction - Microsoft Security Blog

And about the September breach here: Investigation Regarding Misconfigured Microsoft Storage Location

Cause Of The Microsoft Breach

The hacker group Lapsus$ has been known to exploit insider threats and encourage tech workers to compromise their employers. In their blog, Microsoft mentioned the use of “social engineering and identity-centric tactics” by hackers. So it appears that some social engineering tactics were involved in the account compromise.

In September of 2022, an alleged teenage threat actor was able to bypass Uber’s security systems and gain access to confidential user data. The threat actor posted a message on the company’s Slack announcing the breach.

The attacker claimed to have found PowerShell scripts with admin credentials that allowed him to gain access to Uber’s AWS, Slack, Google Cloud Platform, and some other applications. But more importantly, the hacker allegedly accessed Uber’s bug bounty reports containing details of security vulnerabilities that are yet to be remediated.

Uber shared information about the security breach in its September security update and confirmed that the attacker accessed several internal systems. Despite the threat actor gaining such a deep level of compromise, there was no evidence of customer data theft.

You can read more about Uber’s security breach here: Security update | Uber Newsroom

 Cause Of The Uber Breach

The Uber breach was a result of stolen credentials and social engineering. It began with the threat actor purchasing an Uber employee’s stolen credentials from a marketplace on the dark web. When the hacker tried to access Uber’s network, they failed since the account had Multi-factor Authentication (MFA) enabled.

To bypass this obstacle, the hacker targeted the Uber employee with a tech support scam and succeeded in convincing the user into accepting an MFA prompt that enabled the hacker to register their own device. This ultimately allowed the hacker to access Uber’s network and confidential information.

Twilio, a programmable communication tools company, also suffered two major breaches, both allegedly carried out by the “0ktapus” hacker group.

In June, attackers targeted an employee with social engineering to trick them into divulging their corporate credentials. Using the stolen credentials, the attacker gained access to the contact information of some customers. While in August, a threat actor was again able to convince multiple Twilio employees into sharing their credentials, giving the hacker access to the company’s internal systems.

Using the compromised credentials, the attackers were able to access the data of 209 Twilio customers and 93 Authy end users. However, the company claims that there is no evidence that the hackers accessed its customers’ console account credentials, authentication tokens, or API keys.

You can read more about Twilio’s data breach here: Incident Report: Employee and Customer Account Compromise - August 4, 2022

Cause Of The Twilio Breach

The June breach started with a vishing attack while the August breach began with a smishing attack. In both instances, the attackers reached out to Twilio employees impersonating the company’s IT department. In the first attack, they were able to convince an employee to divulge their credential over a phone call, and in the second attack, they deceived multiple employees into logging in to a spoofed web address controlled by the attacker.

Lessons From These Data Breaches

A common theme in all of these breaches is the use of social engineering including phishing, vishing, and smishing. Even organizations with robust security systems suffered breaches because the attackers targeted the most vulnerable part of the system, i.e. the end-users.

While these breaches may have been the result of targeted attacks that elicited sensitive information from employees or contractors, the presence of insider threats cannot be completely discounted. It is also worth noting that vulnerabilities exist not only in an organization’s systems but also in its supply chain and service providers.

Therefore, to be effective cyber defenses need to take into account not just the technical aspects but also the human elements. Organizations also need to have similar security protocols for their vendors and service providers so that the security of the entire supply chain is adequately addressed.

Here are three important steps you can take to reduce the risk of data breaches in your organization.

1. Regular Cybersecurity Awareness Training

Technology alone is not sufficient to protect your business from cyberattacks. As we have seen in the above breaches, even the most robust security systems can be bypassed. Effective cyber defense must include creating a security-conscious culture and regular cybersecurity awareness training for employees.

2. Insider Threat Management

Insider threats cannot completely be eliminated but can be effectively managed by putting in place security measures that mitigate the risks posed by insiders. A robust insider threat management system consists of technical controls such as Identity and Access Management (IAM), Network Access List (NAC), etc. as well as non-technical controls such as policies and procedures.

3. Third-Party Risk Management

Effective third-party risk management is necessary for preventing unauthorized access to your internal systems and data caused by a breach in the security of your vendors or service providers. In addition to conducting screening, due diligence, and thorough onboarding, it is necessary to have an effective vendor management program.

Compliance certification such as System and Organizational Control 2 (SOC 2) ensures that your organization will have not just a robust vendor management program but also regulatory oversight, internal governance, and risk management policies and practices, all of which contribute to the security, integrity, and privacy of your organization’s data.

Conclusion

2022 was a busy year for cybersecurity professionals. The data breaches shared above are only a few of the thousands of security breaches and millions of security incidents that have collectively cost businesses billions in damages.

Most businesses have security controls that are capable of stopping common cyberattacks. The majority of the security breaches that do occur are preventable. They are mostly caused by preventable mistakes, lapses, and a lack of awareness.

Is your business adequately prepared for cyberattacks? Are your employees able to clearly identify social engineering attacks like vishing, smishing, and phishing? If your answer is “no” or if you are unsure, reach out to us by clicking the button below to learn how we can help you secure your data and systems.

If you liked the blog, please share it with your friends