It’s not if they get in, it’s when.
While cyber criminals continue to devise ever more creative ways to get into corporate systems, the outcomes of these attacks keep repeating like a broken record: stolen data and lost money. It happened again and again this year, but our #1 pick proves the stakes are only getting higher with time. We'll explain the logic behind the list, the impacts felt, and the key takeaways.
Cliff's Notes
Let's skip right to the "lessons learned" for those of you with short attention spans:
- "Private" doesn't mean secure.
- Layered security still matters.
- Keep sensitive data out of systems not designed to store it.
- Consumers aren't forgiving data security negligence anymore.
Now, let's dive in.
Factors Considered in This Year's List
Breach impact was a major consideration in what's considered a telling breach. We're used to run-of-the-mill phishing attacks or insurance fraud schemes. We think this list is a bit more exciting.
The Criteria
We've chosen this year's list of biggest breaches based on four key components:
- value of the data stolen
- value of lessons learned
- level of public outrage, and
- the illustrative importance of learning from others' mistakes.
This year's list includes nation state activity.
Cyber attacks on public entities (and this list includes a few) have higher stakes for breach victims, including threats to national security, criminal justice, and often the physical safety of government personnel. Two-thirds of this list reference public agencies. Unsurprisingly, both involved third-party vulnerabilities.
7. The Piggyback Attack: Ivanti VPNs Used to Compromise Numerous Victims
Most people assume their VPNs to be fully secure and protected from outside view or traffic. That isn’t necessarily true, though. In fact, experienced white hat hackers will tell you that the danger of VPNs lies in these very assumptions that all activity and data are kept private. Attackers can compromise VPNs unseen, undetected, and often without the end user noticing anything that would prompt additional precautions. Typically, this occurs when attackers compromise individual servers that VPN vendors use as “hops” around the globe, a technique that obscures the end user’s real location. As the user’s VPN session takes them through these “hop” servers, the attacker quietly “piggybacks” the session. In this case, however, attackers found another way in.
What Happened
In January 2024, threat actors exploited two zero-day vulnerabilities in Ivanti Connect Secure VPNs, compromising thousands of devices, including those of widely recognized cyber-PSA organizations like CISA and Mitre. Ivanti is widely used by federal employees, the logical reason it was targeted.
Breach Impact
The Chinese espionage group UNC5221 began exploiting these VPNs as early as December 2023. In addition to lateral movement, the threat actors were observed exfiltrating files, creating a memory dump of the LSASS process using Windows Task Manager (Taskmgr.exe), and deleting logs to cover their tracks [1]. The situation became so critical that CISA issued an emergency directive requiring federal agencies to disconnect their Ivanti VPNs within 48 hours, an unusually drastic measure. This incident just goes to show how VPN systems, despite their intended security use, can actually become points of vulnerability: one more way for attackers to get into your systems.
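Two of the behaviors reported above, an LSASS memory dump taken with Task Manager and the clearing of event logs, are exactly the kind of thing a SOC can alert on. The following is an added example, not code from the original article or from any of the organizations it names: a small triage routine run over constructed Windows event records. The event shapes it keys on (Sysmon Event ID 10 ProcessAccess with SourceImage/TargetImage fields, and Security Event ID 1102 "audit log cleared") are real, but the sample records, hostnames and user names are made up for the demo, and the list of suspicious LSASS readers is an assumption you would tune for your environment.

```python
"""Added example (not from the original article): flag an LSASS memory read by
Task Manager and an event-log clearing in Windows event records.
Sysmon Event ID 10 (ProcessAccess) and Security Event ID 1102 (audit log
cleared) are real event types; every record below is constructed for the demo."""
from dataclasses import dataclass


@dataclass
class Event:
    channel: str      # "Sysmon" or "Security"
    event_id: int
    fields: dict      # the event's named fields, as a log shipper would deliver them


# Processes that should never be reading LSASS memory. Task Manager is here because
# the article reports it was used; this set is an assumption and should be tuned.
SUSPICIOUS_LSASS_READERS = {"taskmgr.exe"}


def check_lsass_access(ev):
    """Sysmon ProcessAccess where the target is lsass.exe and the source is suspect."""
    if ev.channel != "Sysmon" or ev.event_id != 10:
        return None
    target = ev.fields.get("TargetImage", "").lower()
    source = ev.fields.get("SourceImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    src_name = source.rsplit("\\", 1)[-1]
    if src_name in SUSPICIOUS_LSASS_READERS:
        return f"LSASS memory access by {src_name} on {ev.fields.get('Computer')}"
    return None


def check_log_cleared(ev):
    """Security 1102 is written when the security audit log is cleared."""
    if ev.channel == "Security" and ev.event_id == 1102:
        return (f"Security audit log cleared by {ev.fields.get('SubjectUserName')} "
                f"on {ev.fields.get('Computer')}")
    return None


CHECKS = [check_lsass_access, check_log_cleared]


def triage(events):
    """Run every check over every event; return the list of alert strings."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample records: one LSASS read by Task Manager, one benign LSASS read
# by a system process, one audit-log clear, and one ordinary logon.
SAMPLE_EVENTS = [
    Event("Sysmon", 10, {"Computer": "WS01", "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
                         "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}),
    Event("Sysmon", 10, {"Computer": "WS01", "SourceImage": "C:\\Windows\\System32\\svchost.exe",
                         "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}),
    Event("Security", 1102, {"Computer": "WS01", "SubjectUserName": "svc-backup"}),
    Event("Security", 4624, {"Computer": "WS01", "SubjectUserName": "jdoe"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints the two alerts and ignores the benign svchost.exe read and the logon. In a real pipeline the 1102 check alone is high-signal, since administrators rarely clear the security log by hand; the LSASS check needs the allow-list tuning the comment describes, because some EDR and backup agents legitimately open the process.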
The Lesson
Don't assume that just because employees are using a private VPN the data they share is secure. Layered security still matters. Using a VPN that relies on intranet servers, not internet-facing ones, is the only way to be fairly confident that servers haven't been breached by attackers ready and waiting to piggyback traffic.
6. The Doozy: Change Health Discloses the Biggest Data Breach Ever Reported
Ransomware is typically thought of as an attack where cybercriminals encrypt one’s data and require the victim to pay a ransom to have their systems restored. However, last year, malicious actors seemed more focused on stealing data while in victims’ systems in extortionware and leak schemes than just encrypting systems.
What Happened
The massive breach of UnitedHealth-owned Change Healthcare exposed the data of 100 million people, making it the largest data breach ever reported to federal regulators [2].
Breach Impact
Change Health is a service provider whose solutions drive efficiency in healthcare, which largely boils down to managing revenue streams and customer accounts. They also offer analytics and software development services to healthcare providers in the UnitedHealth ecosystem. As a target, it's fairly brilliant. Why breach each organization's corporate networks to search for sensitive data when you can just go straight to their analytics provider? They're likely performing analytics on all their clients' most sensitive data, meaning all the gems are grouped together in one location for an easier theft.
Breach notification letters, regulatory fines, and lost brand trust notwithstanding, the real issue here is whether or not their software development and production environments were compromised, giving attackers the ability to lift IP and corrupt code. Details released did not address this issue, so we're left to wonder.
The Lesson
All this trouble stemmed from lowly compromised credentials.
Given the number of patients and medical records touched by Change Health's services, their failure to properly protect passwords and implement MFA could be considered criminally negligent.
How did the threat actors behind the attack gain access to Change Health’s systems in order to deliver their ransomware? Stolen credentials of existing employees, naturally. Andrew Witty, CEO of UnitedHealth, testified before the U.S. House Energy and Commerce Committee that the attackers obtained initial entry into systems via compromised login credentials for a Citrix remote access portal that lacked multi-factor authentication (MFA) [3]. This reiterates the need for a layered approach to securing user credentials, including 1) the use of data detection and response (DDR) tools to keep them out of vulnerable cloud locations and 2) MFA and other zero-trust measures that make lifted passwords more difficult to use.
5. The Predictable Pundit: Microsoft Called Out for Vulnerabilities That Enabled the Compromise of Government Agency Email Accounts
What Happened
In an April 2024 report, the DHS Cyber Safety Review Board severely criticized Microsoft for multiple security failures that enabled Chinese state hackers (Storm-0558) to compromise the email accounts at 25 organizations during the previous year [4]. The attackers accessed Exchange Online and Outlook.com by forging authentication tokens with a stolen Microsoft signing key. Once in, threat actors had access to sensitive, espionage-worthy data within emails.
While this incident actually occurred in 2023, fallout and publicity came in 2024, often the case for high-profile breaches. However, the scathing report was released shortly after Microsoft's January 2024 disclosure of another breach, where Russian state group Midnight Blizzard infiltrated Microsoft's network by password spraying a legacy test account lacking multi-factor authentication. Perhaps it was simply a bridge too far, since numerous U.S. government agencies were impacted.
Breach Impact
Nation state hacks have higher stakes than a breach that just includes a data dump of customer names, credit card information, and birth dates. At least citizens can set up routine background checks and credit monitoring to mitigate risk associated with social engineering attacks, financial fraud, and identity theft that can occur when personal data is compromised. Exposed government employees are at much higher risk.
The Lesson
The CSRB declared the breach preventable, citing Microsoft's "inadequate" security culture and noting that the U.S. State Department, not Microsoft, first detected the intrusion. Under the well-known Shared Responsibility Model espoused by Microsoft since the advent of the cloud, infrastructure and SaaS provided by the tech giant are to be secured by Microsoft, while the data within, and access to, these cloud locations are to be secured by the organizations who use them. In this case, Microsoft violated its own commitments to end users by failing to secure its email infrastructure.
4. The Dark Horse: Hacker Group Dark Angels Are $75 million Richer Now
2024 was a rough year (again) for the healthcare industry.
What Happened
According to Bloomberg, the Dark Angels were rewarded with a $75 million extortion payment after compromising pharmaceutical giant Cencora in February [5]. Personal data stolen by the group included private health information such as names, physical addresses, dates of birth, diagnoses, prescriptions, and medications of patients. It’s safe to say that PII and PHI remain juicy targets for attackers, as this data was deemed worthy of the largest known extortion fee paid to a ransomware group yet. Of course, there is no way to be sure Dark Horse will not choose to release the information anyway at some later date, but it seems to be settled for the time being.
Breach Impact
Was the financial loss painful enough to force change? Debatable.
While the Office for Civil Rights (OCR) seems to levy the highest fines in U.S. breaches, incidents in health systems have such widespread fallout that the question has to be raised: will the U.S. ever follow the EU's lead on protecting individuals' private data? Until we start seeing massive fines like those handed out in the EU for GDPR violations, chances are annual breach statistics will continue to feature PHI, arguably the most sensitive customer data type, at the top of the list in major data breaches.
The Lesson
Cybersecurity incidents involving big pharma and enterprise healthcare companies hold a lesson for all of us: protect customer records and all the secrets that can allow attackers to access them. Period. There is no organization too big or too small to escape being a target.
3. Operation Espionage: Chinese Nation-State Threat Actors Compromise FBI Wiretap Systems
While this breach may not be the largest, it highlights the vulnerability of third-party communication tools, cell phones in this case. It made the #2 spot for two reasons: 1) the irony of a security intelligence agency's compromise and 2) it's one more cyber incident where sensitive information was being transmitted across an unsecured channel. This is a habit even the most secure organizations still need to help end users break.
What Happened
In November 2024, CISA and the FBI acknowledged the compromise of numerous U.S. telecom providers, seeming to confirm Wall Street Journal reports that Chinese hackers had access to the U.S. wiretap system. The statement explained the actors had obtained unauthorized access to “a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders” [6].
Breach Impact
The FBI's sole purpose is to collect, understand, and act on information that allows them to better secure a nation and its citizens. They monitor people who they believe could be connected to serious crimes, which may include everything from unknown associations to terrorism, espionage, cyber crime, and more.
Any way you look at it, compromised national intelligence in the wrong hands could put people’s physical security at risk. The FBI doesn't just monitor government employees for no reason; it's typically because they are suspected of a criminal act or have associations who are. While we don't know how many clandestine operations may have been compromised by the breached wiretaps, one is too many when it comes to human safety.
The Lesson
Private does not mean secure. Period. Telecom lines can be breached just like any other unsecured communication channel. This incident just goes to reiterate the need to "assume breach": remember that attackers will always find a way in. The smart move is to make sure there's nothing there for them to steal when they do.
What's interesting here is that a security organization did not anticipate the need to develop technology that masks its activity and protects the phone lines of tap targets. The good news for the rest of us who are just run-of-the-mill corporate types is that we have simple, free ways at our disposal to keep sensitive information out of unsecured communication channels.
2. Slack Attack: Disney Loses 1 TB of Corporate Secrets
We covered this massive data breach in more detail just after it was made public, but the Disney breach is indicative of what we’ve seen this year and expect in the year to come.
What Happened
In short, attackers compromised the creative giant’s Slack server, which apparently contained a trove of data gems shared by Disney employees during ongoing collaborations [7].
Breach Impact
The threat actors leaked one terabyte of data, including computer code and intellectual property, like information on unreleased projects, stolen from Disney’s Slack channels. The data also contained “discussions on managing Disney’s corporate website, software development, and job applicant evaluations,” as reported by the Wall Street Journal. This kind of competitive intelligence can do serious damage to creative projects and business development, with damage going far beyond the average cost of a breach ($9.36 million in the U.S.).
The Lesson
The reason Disney's Slack hack came in at number one is because we feel this is a reflection of where most organizations are experiencing vulnerabilities: in their SaaS. All external threat actors have to do is pop in and take what they find.
Slack becomes a logical, accidental repository for sensitive data over time, as employees tend to interpret its invitation-only account access as making it “private” and secure. Of course, no one thinks of Slack as cloud storage, but if secrets shared in the app are not removed from message threads, they are stored there by default, just waiting for an attacker to find and lift them in a security breach.
1. The Bankrupter: 899 Million Unencrypted, Un-redacted SSNs Stolen from National Public Data
What Happened: Unprotected sensitive data was stolen from systems.
When a company goes from booming enterprise to bankrupt within 12 months it’s time to take notice. In August 2024, enterprise background check provider National Public Data confirmed that sensitive data exposed on dark web marketplaces in April 2024 and throughout the summer months originated from a security breach that occurred in late December 2023 [8]. The compromised information included residents' personal details such as full names, Social Security numbers, contact information, physical addresses, and birthdates. Experts estimate 899 million unique SSNs of U.S. citizens were exposed after the hacker group “USDoD” posted the exfiltrated database [9].
Breach Impact: NPD declared bankruptcy just two months after the admission.
With between 50 and 99 creditors across nearly all 50 U.S. states, as well as American Samoa, the District of Columbia, Guam, the Northern Mariana Islands, Puerto Rico, and the Virgin Islands, the breach and public fallout have devastated NPD's client base. Further, they are facing scores of class action lawsuits from individuals whose data was leaked during the attack, and the Federal Trade Commission has intimated it will levy fines as well.
The massive backlash marks the first time regulators, states, and individual consumers have taken serious action in response to a breach. Despite the scale of the Equifax and Yahoo breaches in years past, consumers and regulators didn't react the same way. Many people just shrugged with helpless frustration, accepted free credit monitoring as settlement, and moved on. The Yahoo breach was talked about, but since Verizon acquired them shortly thereafter, most consumers assumed their security protocols would vastly improve and let it go.
The Lesson: A younger, more modern consumer base is so over it.
Today's consumers and professionals are younger and better educated about data security. With Baby Boomers cycling out, tech-native Gen Z has now entered the workforce, and they care a lot. Studies show Gen Z is very concerned about how their personal data is used or misused, in contrast with older generations who may not comprehend the personal impact data leaks can have on them [10]. Millennials are also paying attention, though a bit less passionately, with 67% reporting they "are concerned that their personal financial information will be hacked."
Researchers have also documented Gen Z's pervasive feelings about brands they mistrust, noting they are ready to walk away for what they believe, and there's hardly a better way to communicate untrustworthiness than leaving sensitive personal data unprotected in systems [11]. So, consumer pressure on corporations to take data security seriously is much higher than in previous years.
We may be watching a major cultural shift here, which is why this hack is our #1.
A solution: How can you share sensitive data securely?
VPNs are not reliably secure.
Many organizations rely on what they believe to be “secure” VPNs, or virtual private networks, to protect communications end-to-end. However, VPNs are vulnerable to cyber threats in ways their users are often unaware of, such as the practice of piggybacking traffic when unsuspecting VPN users pass through compromised servers during the location-obscuring process, as explained above.
When a user connects to a VPN server that has been compromised, the attacker can join the encrypted tunnel, since they control the server endpoint. This access enables them to view all traffic passing through that server in real time, modify or inject malicious content into the data stream, launch ransomware attacks, and capture credentials, session tokens, and other sensitive data transmitted during the session.
SaaS apps are not secure.
Does it need to be said? Messaging and collaboration apps are not a reliable location to store sensitive data about secret creative projects, access codes, or any other information that needs to be protected.
Any threat actor who knows how to use the Slack search function is likely to turn up damaging corporate information they can use to extort money from, publicly damage, or otherwise hurt their intended victims. Cleaning up secret sprawl and preventing it going forward is no longer just a best practice; it’s become an act of survival in today’s threat landscape. The lesson is not to ditch your favorite apps. The lesson is to secure your data and stop the spread of corporate secrets to unprotected locations.
As seen in the Disney breach, messaging and collaboration apps make juicy targets for attackers. Sharing passwords, API keys, source code, Social Security numbers, and intellectual property should not be done through a direct message (DM) or help desk ticket. So, if the information needs to be shared to move a project forward, what can you do?
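The "secret sprawl" described in the Disney section and in the two paragraphs above is something you can measure before an attacker does. What follows is an added example, not code from the original article and not Nightfall's product: a minimal scanner that walks constructed chat-style messages, flags the kinds of content the article calls out (cloud access keys, code-hosting tokens, private key material, U.S. Social Security numbers) and produces a redacted copy of each message so the thread can be kept without the secret. The key-prefix formats it matches are real public formats; the messages, author names and key values are made up, and the detector set is deliberately small compared with what a production DLP engine carries.

```python
"""Added example (not from the original article or from any DLP vendor): find and
redact secrets and PII in chat messages. Patterns cover a handful of public key
formats plus the ###-##-#### SSN shape; all sample messages are constructed."""
import re

# Detector name -> compiled pattern. AKIA... (AWS access key ID) and ghp_... (GitHub
# personal access token) are real public formats; the SSN rule excludes the
# area/group/serial values the SSA never issues (000, 666, 9xx / 00 / 0000).
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}


def scan_message(text):
    """Return (detector_name, matched_text) for every hit in a single message."""
    hits = []
    for name, rx in DETECTORS.items():
        for m in rx.finditer(text):
            hits.append((name, m.group(0)))
    return hits


def redact(text):
    """Replace every hit with a labelled token so the message can be retained safely."""
    out = text
    for name, rx in DETECTORS.items():
        out = rx.sub(f"[REDACTED:{name}]", out)
    return out


def scan_channel(messages):
    """messages: list of (author, text). One finding per hit, with only a short
    prefix of the matched value kept so the report itself does not leak the secret."""
    findings = []
    for author, text in messages:
        for name, value in scan_message(text):
            findings.append({"author": author, "detector": name, "prefix": value[:4]})
    return findings


# Constructed channel history. The AWS key is the placeholder value AWS uses in
# its own documentation; the SSN and token are fabricated.
SAMPLE_MESSAGES = [
    ("alice", "deploying now, creds are AKIAIOSFODNN7EXAMPLE / don't share"),
    ("bob", "applicant 123-45-6789 cleared the background check"),
    ("carol", "lunch at noon?"),
    ("dave", "token for the release bot: ghp_" + "A" * 36),
]

if __name__ == "__main__":
    for f in scan_channel(SAMPLE_MESSAGES):
        print(f"{f['author']}: {f['detector']} ({f['prefix']}...)")
    for _, text in SAMPLE_MESSAGES:
        print(redact(text))
```

The scan reports three findings (alice's access key, bob's SSN, dave's token) and leaves carol's message alone. Two design points carry over to real deployments: the report keeps only a short prefix of each match, so the alert channel does not become a second copy of the secret, and redaction replaces rather than deletes, so the conversation around the leaked value stays intelligible for the people cleaning it up.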
Organizations Need Outbound Email Security & Encryption Solutions
Encrypted email, a tried-and-true method, can be a more secure way to transmit sensitive information between two users. Solutions that use military-grade encryption, are easy for users to adopt in routine daily workflows, and don’t require separate logins and portals can ensure that data intended to stay private and secure between sender and recipient remains so. While most email security solutions focus on inspecting inbound traffic, the need to secure outgoing sensitive emails is just as critical.
Learn More About Nightfall AI
Nightfall AI provides next-gen DLP across your environment, with a special focus on your "hardest to reach" areas, namely your cloud-based SaaS applications and workspaces. Our philosophy is simple: create the most powerful AI detection engine on the market, and empower employees to be part of the solution.
See Nightfall in action by scheduling your own custom demo today.
Sources:
[1] Palo Alto Networks. (2024). Ivanti VPN vulnerability: Mitigation strategies, incident response, and defense. https://www.paloaltonetworks.com/cyberpedia/ivanti-VPN-vulnerability-what-you-need-to-know
[2] U.S. Department of Health and Human Services Office for Civil Rights. (2024). Breach portal: Notice to the Secretary of HHS breach of unsecured protected health information. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
[3] Witty, A. (2024, May 1). Examining the Change Healthcare cyberattack [Testimony before the House Energy and Commerce Committee Subcommittee on Oversight and Investigations]. https://d1dth6e84htgma.cloudfront.net/Witty_Testimony_OI_Hearing_05_01_24_5ff52a2d11.pdf
[4] Cyber Safety Review Board. (2024, March 20). Review of the Summer 2023 Microsoft Exchange Online intrusion. Cybersecurity & Infrastructure Security Agency. https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf
[5] Manson, K. (2024, September 18). Hackers got record ransom of $75 million for Cencora breach. Bloomberg. https://www.bloomberg.com/news/articles/2024-09-18/gang-got-75-million-for-cencora-hack-in-largest-known-ransom
[6] Federal Bureau of Investigation & Cybersecurity and Infrastructure Security Agency. (2024, November 13). Joint statement from FBI and CISA on the People's Republic of China (PRC) targeting of commercial telecommunications infrastructure. CISA. https://www.cisa.gov/news-events/news/joint-statement-fbi-and-cisa-peoples-republic-china-prc-targeting-commercial-telecommunications
[7] Abrams, L. (2024, September 20). Disney ditching Slack after massive July data breach. Bleeping Computer. https://www.bleepingcomputer.com/news/security/disney-ditching-slack-after-massive-july-data-breach/
[8] Greig, J. (2024, October 11). National Public Data files for bankruptcy, citing fallout from cyberattack. The Record. https://therecord.media/national-public-data-bankruptcy-cyberattack
[9] Hunt, T. (2024, August 14). Inside the "3 billion people" National Public Data breach. https://www.troyhunt.com/inside-the-3-billion-people-national-public-data-breach/
[10] Hanson, J. (2022, June 13). Gen Z will walk away from brands that don't share their values – Now retailers have an easy way to keep them buying. Forbes. https://www.forbes.com/sites/janehanson/2022/06/13/gen-z-will-walk-away-from-brands-that-dont-share-their-values--now-retailers-have-an-easy-way-to-keep-them-buying/
[11] Chaduneli, M., & Saxena, R. (2023, January 27). Do digital natives value their online privacy? Portulans Institute. https://networkreadinessindex.org/do-digital-natives-value-their-online-privacy/