79 million records compromised by cyber security incidents in August 2023

IT Governance, the global provider of cyber risk and privacy management solutions, discovered that more than 79 million records were compromised in 73 publicly disclosed security incidents in August 2023.

These statistics show an 18% decrease against August 2022 and a 45% decrease from July 2023.

Three of the biggest data breaches impacted the UK Electoral Commission, Pôle emploi, and the University of Minnesota.

On 8 August, the Electoral Commission reported a significant cyber-attack where unauthorised individuals gained access to the UK’s electoral registers, compromising the personal data of approximately 40 million people. This breach, discovered in October 2022, can be traced back to suspicious activities in August 2021.

The attackers managed to infiltrate Electoral Commission servers, gaining access to emails, control systems and reference copies of registers spanning 2014 to 2022, which also included overseas voters. The compromised email data encompassed names, addresses, phone numbers, as well as additional details submitted through webforms or emails.

In spite of the Commission’s initial claim of a “complex” attack, a whistleblower disclosed that the Commission failed a Cyber Essentials audit around the same time as the breach. While there is no direct evidence linking this failure to the attack, it raises significant concerns about the Commission’s security measures.

The security expert Kevin Beaumont highlighted that the Commission was also using an outdated and vulnerable version of Microsoft Exchange Server at the time of the incident.

The Cyber Essentials scheme, endorsed by the National Cyber Security Centre, outlines five crucial cyber security practices, including the regular updating of software and systems – a fundamental security measure every organisation should prioritise. The Commission has not yet attained compliance.

The French unemployment agency Pôle emploi has notified the CNIL (Commission nationale de l’informatique et des libertés) of a data breach thought to have affected 10 million people.

According to a press release published on its website on 23 August, job seekers registered in February 2022 and all former users of Pôle emploi are potentially affected, with their first and last names, and social security numbers compromised. Email addresses, phone numbers, passwords and bank details were unaffected.

The security firm Emsisoft listed Pôle emploi among the many victims of May’s MOVEit Transfer breach, in which the Russian Cl0p gang exploited a zero-day SQL injection vulnerability in Progress Software’s popular file transfer app MOVEit Transfer. Emsisoft has since removed Pôle emploi from its list of MOVEit victims.

If the breach is indeed part of the attack on MOVEit Transfer, it makes Pôle emploi the second largest victim in terms of individuals affected, behind the US government contractor Maximus, which saw 11 million data records compromised as a result of the breach.

Maximus features twice in this month’s list thanks to contracts with two organisations that reported data breaches in August.

Whether or not Pôle emploi can be added to the list of victims, the MOVEit Transfer breach is the largest of the year so far: more than 1,000 organisations are now known to have been caught up in the breach, with over 60 million individuals affected.

Several other organisations were found to have been affected by the MOVEit breach this month. These include the Colorado Department of Health Care Policy and Financing, Bank OZK, Unum Group, Indiana University Health, Missouri Department of Social Services, United Bank, UMass Chan Medical School, Data Media Associates, and Hillsborough County.

The University of Minnesota has confirmed a security breach where an unauthorised party gained access to its systems and extracted personal information. As reported by Security Week, the attacker claimed to have obtained 7 million distinct Social Security numbers. The university initiated an inquiry to validate these claims on 21 July and has verified that “the data at issue is from 2021 and earlier”. However, it has not yet disclosed the exact number of individuals affected.

The university assured Security Week that, “Our investigation is continuing, but our security professionals have not detected any system malware (including ‘ransomware’), encrypted files or fraudulent emails related to the incident. There have been no known disruptions to current University operations as a result of this data security incident.” Unfortunately, no details were provided regarding how the breach occurred.

Here is a condensed list of the four categories that IT Governance outlines as part of its monthly data breaches analysis:

  • Cyber attacks: The Electoral Commission, Discovery at Home, Health Employers Association of BC, NIDTA, Eastern Connecticut Health Network, Hospitality Staffing Solutions LLC, Omaha Health Insurance Company, Bank OZK, Hartford Life and Accident Insurance Company.

  • Ransomware: Crozer Health, Colorado Department of Higher Education, Jefferson County Health Center, Mayanei Hayeshua Medical Center, Oregon Sports Medicine, Alberta Dental Service Corporation, Levare International Ltd.

  • Data breaches: University of Minnesota, Cumbria police, United Bank, Department of Health Care Policy and Financing, Discord.io, Jefferson Health, Morris Hospital & Healthcare Centers, Tesla, Helsinki and Uusimaa Hospital District.

  • Malicious insiders and miscellaneous incidents: New Haven Public Schools.

The full list of incidents with further details is available here.

Alan Calder, Founder and Executive Chairman of IT Governance, commented:

“The growing frequency and severity of cyber breaches underline a critical truth – relying on technology alone is insufficient.

“Boards must step up and take ownership of cyber risk, recognising that while technology may introduce vulnerabilities, it’s human behaviour that often enables exploitation. This paradigm shift is gaining recognition, with governments and regulators implementing laws that require boards and senior management to assume responsibility for cyber risk.

“It’s imperative that they equip themselves with the necessary skills and competences to implement robust governance, risk, and compliance (GRC) strategies to fortify their organisations against evolving threats.

“Findings from Proofpoint’s recent report ‘Cybersecurity: The 2023 Board Perspective’ show a concerning misalignment between UK boards and CISOs. While board members are less concerned about cyber risk, CISOs remain acutely aware of the looming threat. This disparity emphasises the pressing need for boards to re-evaluate their approach to cyber risk management.”

IT Governance is committed to helping organisations address the threat of cyber crime and other information security flaws. We provide a range of resources, including training courses, consultancy services and free guides, to help organisations understand and reduce dangers.