Top 3 Data Breaches of 2023, and What Lies Ahead in 2024
Dark Reading: In 2023, a series of major data breaches highlighted the critical challenges of securing data in the era of cloud computing and artificial intelligence. The MOVEit breach, impacting over 62 million individuals and numerous organizations led to widespread damage with an estimated cost of $10 billion. This breach demonstrated the global consequences of a flaw in a single software system. The Indian Council of Medical Research experienced India’s largest data breach, with the exposure of personal and COVID-19 related data of 81.5 million citizens. This incident underscored the risks associated with managing large-scale sensitive databases. Additionally, 23andMe suffered a significant breach where 9 million user accounts were compromised through credential-stuffing attacks, putting sensitive genetic information at risk. These breaches emphasized the importance of robust data security protocols and the growing urgency to protect sensitive information in a rapidly evolving digital landscape.
SolarWinds calls SEC charges unfounded and inexplicable, files for dismissal
CSO Online: SolarWinds is seeking to dismiss charges by the US Securities and Exchange Commission (SEC) related to the 2020 Sunburst cyberattack. The SEC accuses SolarWinds and its CISO, Timothy G. Brown, of failing to disclose cybersecurity risks adequately. The company is arguing that the SEC is trying to “revictimize the victim” and is stepping outside its expertise by trying to regulate cybersecurity controls without proper authority. SolarWinds is challenging the SEC’s allegations, claiming they are unfounded and lack material evidence. The company insists it warned stakeholders about system vulnerabilities and argues that the SEC’s demand for detailed vulnerability information in SEC filings is unrealistic and dangerous, as it could guide attackers. This case is significant as it’s the first time a CISO has been named in SEC charges for non-disclosure, potentially setting new precedents for cybersecurity disclosure and the scrutiny of the CISO role. SolarWinds’ CEO, Sudhakar Ramakrishna, also responded to the SEC filing, calling the charges misguided and counterproductive to industry progress.
Ransomware payments drop to record low as victims refuse to pay
Bleeping Computer: According to a new report, the rate of ransomware victims paying demands fell to a record low of 29% in 2023. This decline, which started in mid-2021, can be attributed to factors such as improved organizational preparedness, distrust towards cybercriminals, and legal restrictions in some areas against paying ransoms. Even with data theft during cyberattacks, the payment rate was just 26% in the final quarter of the year. Ransom payments also saw a decrease, with the average amount dropping to $568,705, a 33% reduction from the previous quarter, and a median payment of $200,000. There was a noticeable shift in targeting, with attackers focusing on larger companies for higher payouts. The report also touches on the potential consequences of banning ransom payments, suggesting it might lead to underreporting and the growth of an illegal negotiation market. Despite ransomware remaining a significant threat in 2024, the decline in ransom payments signifies positive progress in tackling these cyberattacks.
82% of companies have reported a widening gap between security exposures and their ability to manage them. (source)
In 2023, the cybersecurity sector saw 40% more funding rounds and M&A deals compared to 2022, with 346 rounds and 91 transactions. However, the total investment dropped by 40% to $8.7bn from the previous year’s $14.5bn. (source)
(source)