In the fourth quarter of 2022, 108.9 million accounts were breached. This was a 70% rise from the previous quarter. With the average global cost of a data breach hitting $4.35 million in 2022 and the frequency of cybersecurity attacks showing no signs of slowing, data breaches will become more relevant for organizations. This article explores the costliest and most impactful data breaches and record leaks of 2022.
January – Red Cross
In January, servers containing personal information on more than 515,000 accounts were compromised. The data originated from 60 Red Cross and Red Crescent National Societies globally. The records involved highly vulnerable people, including missing persons, people in detention, and those separated by war, violence, migration, and other causes.
In February, an unauthorized third party accessed several computers in this US-based union consisting of property maintenance workers, window cleaners, and food service workers globally. As a result, files containing addresses, names, and Social Security numbers of up to 230,487 people were stolen.
March – NYC Department of Education
On March 20th, the New York City Department of Education revealed that hackers had accessed the names, academic schedules, birthdays, and special-education statuses of 820,000 current and former New York City K-12 public school students. The hackers targeted the widely used online grading and attendance software Illuminate Education. Although the incident occurred in January, Illuminate did not inform the Department of Education until March.
April – CashApp
8.2 million users
On April 4th, Block, a financial services company that owns CashApp, announced that a former employee had downloaded reports containing customer information. The breach involved the full names, brokerage account numbers, portfolio values, and other financial information of up to 8.2 million CashApp users.
21 million users
In May, databases for three different Android VPN service providers were for sale on a widely used dark web forum. Between SuperVPN, GeckoVPN, and ChatVPN, there were 21 million user records for sale. Among the private information were user credentials, billing details, email addresses, and more. While cybersecurity incidents involving VPNs continuously made headlines this year, this was the most significant VPN data breach in 2022.
June – Nelnet Servicing
2.5 million students
A data breach at student loan servicer Nelnet Servicing involved the confidential information of more than 2.5 million loan borrowers in the United States. On August 17, an investigation performed by a third-party cybersecurity company concluded that names, email addresses, Social Security numbers, and more private information were accessible to an unknown third party between June and July 22.
July – Neopets
69 million accounts
In July, a Neopets spokesperson announced on Twitter that the company had been hacked. It later emerged that 69 million Neopets accounts might have been compromised. The company learned about the breach after a hacker tried selling a Neopets database for four bitcoins. Among the stolen data were usernames, emails and passwords, dates of birth, zip codes, and more. After the investigation, the company revealed that the hackers were inside its IT systems for 18 months (January 3, 2021, until July 19, 2022).
August – Twitter
5.4 million users
In January 2022, Twitter fixed an API vulnerability in its platform. Before Twitter patched the vulnerability, an attacker was able to build a database of email addresses and phone numbers of more than 5.4 million Twitter users. In July 2022, the data was for sale for $30,000 on a dark web forum. The post read, “Hello, today I present you data collected on multiple users who use Twitter via a vulnerability (5485636 users to be exact)”. On August 5, Twitter publicly disclosed the breach.
September – Uber
57 million people
On September 15, Uber disclosed that the personal information of up to 57 million customers and drivers had been stolen. The attacker, an affiliate of the Lapsus$ hacking group, was able to gain admin access to several of Uber’s internal tools, such as Amazon Web Services, Google Drive, Slack, and SentinelOne. Uber identified the breach after a threat actor hacked into an employee’s Slack account and sent messages confirming they had compromised Uber’s network.
October – Medibank
9.7 million people
On October 13, Medibank, the largest private healthcare insurance provider in Australia, disclosed it had fallen victim to a cybersecurity incident. An investigation uncovered that the hackers accessed the names, dates of birth, addresses, phone numbers, and email addresses of 9.7 million existing and previous customers. In November, a ransomware group with ties to the REvil gang began publishing the stolen records after Medibank refused to pay the ransom demands.
November – WhatsApp
487 million accounts
On November 16, a user on a popular hacking forum posted an advertisement for 487 million WhatsApp accounts. The accounts spanned 84 countries, with 44.8 million numbers from Egypt, 35.5 million from Italy, and 32.3 million from the United States. When this article was written, it was still undetermined how the attacker gained access to this information.
December – Social Blade
5.6 million records
On December 12, a threat actor began selling stolen data from Social Blade, a social media analytics platform providing statistical graphs for YouTube, Twitter, Twitch, Dailymotion, Mixer, and Instagram. In the post, the hacker claimed to have exfiltrated 5.6 million records in September and shared data samples containing IP addresses, emails, database structures, and more sensitive information.
Looking Forward in 2023
Unfortunately, compiling a list of highly impactful data breaches gets easier year after year. This list shows that no organization is immune to cybersecurity attacks – regardless of size, industry, or geographic location. In a world where all companies are at risk, what is yours doing to safeguard information?