As 2023 comes to an end, one thing is certain: cyber security is still a prime concern for most companies. While industries like healthcare and retail are still more heavily impacted than any other, a concerning trend has emerged in regard to the variety of organizations being targeted by cyber criminals.

This variety accounted for a staggering 20% increase in data breaches compared to 2022. More importantly, almost all these breaches happened through fairly well-known methods like phishing and ransomware attacks.

Several of the year’s biggest breaches happened to large, reputable organizations with ample technical cyber security measures. However, hackers relentlessly look for the one individual or situation they can exploit, highlighting the dire need for cyber security awareness training.

This article will provide an overview of the five biggest data breaches of the year, look at the biggest cyber security trends to look out for in 2024 and share tips to keep your workforce protected.

The Biggest Breaches of 2023

Well-established tech companies and government institutions were targeted this year, but the goal seems to remain the same across all attacks: Consumer information.

Identity theft has become far too simple in our interconnected world, and it is being driven by the relatively easy access to personal data afforded by this type of cyber attack.

1. Mailchimp Data Breach

Popular marketing email platform Mailchimp experienced a breach caused by a social engineering attack allowing hackers to access the company’s internal customer support and administration tool.

While the breach only affected 133 customers, it launched a third-party support crisis when companies like WooCommerce, who in turn have thousands of clients, were affected by the attack. This type of breach underlines how even relatively minor, well-contained breaches can still have far-reaching impacts.

2. UK Electoral Commission

The UK electoral commission overseeing all voter data for the country announced it had been breached in October. The data contained in electoral registers is minimal, but governmental sources usually have higher overall data quality, which can increase the impact of later identity theft attempts.

The breach first happened in 2021 and took over a year and a half to identify, pointing to a malware infection slowly stealing data records to evade detection.

3. Discord’s Third-Party Support Attack

Tech support for digital platforms like the popular messaging tool Discord can be very difficult to scale. This situation often leads to companies seeking third-party help in this matter.

One of these tech support agents saw his account maliciously accessed, giving away his support queue to hackers along with personal user information like names and email addresses.

Discord’s data breach once again highlights the importance of third-party security audits and regular collaboration with suppliers to improve overall cyber security measures.

4. 23andMe Credential Stuffing

Genetics and DNA testing company 23andMe experienced a data breach leading to the leak of 4 million customer records.

The breach occurred through a brute force technique known as credential stuffing. This method relies on the usage of information acquired through previous data breaches to guess customers’ login credentials.

5. Indonesian Immigration Directorate General

The Indonesian government reported the leak of over 34 million passports through a cyber attack stemming from unauthorized access to their databases. While the specific type of attack was not disclosed, it is likely to be a fairly sophisticated one to thwart the defenses of a nation.

The leaked data was later found for sale on the dark web for $10,000.

Phishing Still King

A returning trend for cyber security concerns, phishing and social engineering remain the leading attack types by a landslide. These cyber threats are easy to execute, require virtually no technical knowledge to be successful, and can have very high returns.

While phishing is still mostly done via email, the increasing number of communication platforms used by workers daily is impacting the overall success of phishing attacks.

Templated emails replicating common emails like support tickets can be hard to detect, particularly when users see dozens or hundreds daily.

If your workforce uses various communication methods, it’s crucial to implement customized training to help them detect common issues within the parameters they regularly work in.

Zero Trust Network Architecture May Be the Answer

As evidenced by the UK electoral commission breach, malware is still a popular cyber threat and can still have devastating effects if not discovered early on. For this reason, Zero Trust Network architecture is increasingly becoming a standard cyber security measure.

A technology and a cyber security framework, this method isolates every network user to limit their access to only what is specifically required for them to perform their duties. In the event of a cyber attack, malware is limited to low-impact data and can easily be quarantined before any significant data leak.

Generative AI on the Rise

Not only has the popular generative AI tool ChatGPT experienced a breach this year, but this technology is already affecting how cyber threats evolve. The accuracy and customizable nature of generative AI are skyrocketing the scale that can be applied to threats like phishing and social engineering.

It has never been easier to create believable work emails at a frightening rate, and this trend will only grow as generative AI tools get perfected. These technologies can also be trained to become better and replicate specific tones—a trend hackers are already picking up on.

Cyber Security Awareness Training Required

The overarching theme for recent cyber threats is that no target is too big or too small, and the scale of cyber attacks is expanding. Phishing messages are becoming more sophisticated, and malware can remain hidden in an infected system for years.

This worrying trend highlights the urgent need for a cyber security-aware culture. Training on cyber threats is a good start, but it must also be embedded in the everyday work habits of your staff to be truly efficient.

Data Security in 2024

As seen in the Mailchimp and Discord breaches, hackers have become adept at accessing internal tools by replicating common support tickets and internal communications. 2024 will be the year of customization in cyber security training.

The scale of threats like phishing is bound to explode in coming years, and with the messages becoming more and more accurate, proper training on the other signs of these attacks will be crucial in a cyber security strategy.

 


 

Let’s all put our best foot forward for 2024

Get a free trial of Terranova Security’s robust phishing simulation.