According to the Identity Theft Resource Center's Q3 2023 Data Breach Report, there were 2,116 reported US data breaches and leaks in the first nine months of 2023, already beating the previous all-time high of 1,862 set for the full year 2021, with a whole quarter still to go.
The record figure stands despite a 22% decline in Q3 from the previous quarter. The ITRC also counted an estimated 234 million victims of these breaches, 45% fewer than the 425 million individuals impacted by incidents last year.
Also notable: zero-day attacks trended up 1,620% in the first three quarters of 2023 versus the whole of 2022, and, because of the global MOVEit software attack campaign, supply chain attacks remained a major threat in Q3, with 1,321 organizations reporting breaches due to attacks on 87 third parties. Four of the top 10 compromises in Q3 were caused by the MOVEit campaign.
A persistent concern is the lack of transparency from breached organizations, with 53% of reported breaches offering no explanation of the initial attack vector.
Craig Harber, Security Evangelist at Open Systems, had this comment:
“The rise in cyber breaches and the lack of transparency from impacted companies is not surprising. Frankly, most do not see the point because the attacks are predominantly generated from overseas and it is unlikely that law enforcement will offer any significant assistance to restore operations or prevent stolen data from switching hands. As a result, organizations focus their limited resources towards correcting internal deficiencies, ensuring that this doesn’t happen again, and fulfilling their legal obligations of notifying affected parties and regulators.
“The new cyber incident reporting laws announced in recent years act on the long-held view that information sharing is vital to national security and private sector cyber-readiness. It is a major step forward from what has traditionally been ad hoc, industry-specific guidance for voluntary disclosures by companies that have experienced cyberattacks.
“The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law last year. It required the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.
“In addition, the Securities and Exchange Commission (SEC) established cybersecurity risk management, governance, and incident reporting requirements. These new requirements will apply to foreign private issuers and U.S. public companies with compliance deadlines starting at the end of this year.”
Paul Valente, CEO & Co-Founder of VISO Trust, follows with this:
“The Q3 2023 Data Breach Report by the Identity Theft Resource Center highlights a growing threat to CISOs and businesses. With 2116 data breaches in the first three quarters of 2023, exceeding the 2021 record, it’s imperative to focus on third-party risk management and adapt to evolving attack surfaces.
“The rise in zero-day attacks and supply chain vulnerabilities, as exemplified by the MOVEit software campaign, underscores the growing urgency for robust cybersecurity measures. Organizations should also prioritize transparency, as 53% of breaches lack explanations about the initial attack vectors.”
This is really bad, and it shows that everyone needs to buckle down on making their environments as secure as possible. And organizations that get pwned need to own up to it rather than hide it. Period.
500k Shadow PC users warned of breach as the threat actor behind the breach puts the stolen data up for sale
Posted in Commentary with tags Hacked on October 14, 2023 by itnerd
Shadow PC has started warning over 500,000 customers of a data breach that exposed their private information, following a successful social engineering attack on its employees, as a threat actor claims to be selling the stolen data.
Shadow is a cloud gaming service that gives users a high-end virtual Windows PC on which they can run demanding AAA games.
“This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack,” reads the notice.
Based on the description of the attack, the downloaded malware stole an authentication cookie that gave the attackers access to the management interface of one of the company's SaaS providers. A stolen session cookie sidesteps the login flow entirely, including any MFA, because the session it represents has already been authenticated. The attacker then abused that provider's API to extract customers' full names, email addresses, dates of birth, billing addresses, and credit card expiration dates.
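The attack chain described above (a cookie issued to an employee's browser, later replayed by an attacker against the vendor's admin API to pull customer records in bulk) leaves a recognizable trace in a SaaS provider's audit log. The following is an added detection example written for this post; it is not code from Shadow, from its SaaS provider, or from the original article. The log format, the field names, the session ids and IPs, and the thresholds are all constructed for illustration. It binds each session to the client context (IP and User-Agent) seen at login, reports any later use of the same cookie from a different context, and separately reports a burst of customer-record reads coming from that foreign context.

```python
"""Session-hijack detection over constructed SaaS admin audit logs.

Hypothetical example: flags an authentication cookie reused from a client
context other than the one it was issued to, and bulk customer reads that
follow such a context change.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-log lines (not real Shadow or vendor data).
# Fields separated by '|': timestamp, session id, client IP, user agent, action.
SAMPLE_LOG = """\
2023-10-10T09:00:00|sess=a1f9|ip=203.0.113.10|ua=Mozilla/5.0 (Windows NT 10.0) Chrome/117|action=login
2023-10-10T09:05:12|sess=a1f9|ip=203.0.113.10|ua=Mozilla/5.0 (Windows NT 10.0) Chrome/117|action=read_customer
2023-10-10T11:42:03|sess=a1f9|ip=198.51.100.77|ua=python-requests/2.31|action=read_customer
2023-10-10T11:42:04|sess=a1f9|ip=198.51.100.77|ua=python-requests/2.31|action=read_customer
2023-10-10T11:42:05|sess=a1f9|ip=198.51.100.77|ua=python-requests/2.31|action=read_customer
2023-10-10T11:42:06|sess=a1f9|ip=198.51.100.77|ua=python-requests/2.31|action=read_customer
2023-10-10T11:42:07|sess=a1f9|ip=198.51.100.77|ua=python-requests/2.31|action=read_customer
2023-10-10T09:30:00|sess=b7c2|ip=203.0.113.55|ua=Mozilla/5.0 (Macintosh) Safari/17|action=login
2023-10-10T09:31:00|sess=b7c2|ip=203.0.113.55|ua=Mozilla/5.0 (Macintosh) Safari/17|action=read_customer
"""

BULK_THRESHOLD = 5                 # reads inside BULK_WINDOW that count as scraping (assumed)
BULK_WINDOW = timedelta(minutes=1)


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str
    ip: str
    ua: str
    action: str   # "login", "read_customer", ...


def parse_line(line: str) -> Event:
    """Parse one constructed '|'-separated audit line into an Event."""
    ts, *kv = line.split("|")
    fields = dict(part.split("=", 1) for part in kv)
    return Event(datetime.fromisoformat(ts), fields["sess"], fields["ip"],
                 fields["ua"], fields["action"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_hijacks(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (session, alert_kind, detail) tuples.

    Each session is bound to the (ip, ua) pair seen at its login event.
    Later use of the same cookie from a different pair is reported once as
    'context_change'; BULK_THRESHOLD customer reads within BULK_WINDOW from
    that foreign context are reported as 'bulk_read_from_foreign_context'.
    """
    alerts: list[tuple[str, str, str]] = []
    bound: dict[str, tuple[str, str]] = {}             # session -> context at login
    flagged: set[str] = set()                          # sessions already reported
    foreign_reads: dict[str, list[datetime]] = defaultdict(list)

    for ev in sorted(events, key=lambda e: e.ts):
        ctx = (ev.ip, ev.ua)
        if ev.action == "login":
            bound[ev.session] = ctx
            continue
        origin = bound.get(ev.session)
        if origin is None:
            # A cookie in use with no login on record is itself suspicious.
            alerts.append((ev.session, "no_login_seen", f"{ev.action} from {ev.ip}"))
            continue
        if ctx == origin:
            continue
        if ev.session not in flagged:
            flagged.add(ev.session)
            alerts.append((ev.session, "context_change",
                           f"issued to {origin[0]} / {origin[1]}, reused from {ev.ip} / {ev.ua}"))
        if ev.action == "read_customer":
            window = foreign_reads[ev.session]
            window.append(ev.ts)
            while window and ev.ts - window[0] > BULK_WINDOW:   # slide the window
                window.pop(0)
            if len(window) == BULK_THRESHOLD:                    # fire once per burst
                alerts.append((ev.session, "bulk_read_from_foreign_context",
                               f"{BULK_THRESHOLD} customer reads within {BULK_WINDOW} from {ev.ip}"))
    return alerts


if __name__ == "__main__":
    for session, kind, detail in detect_hijacks(parse_log(SAMPLE_LOG)):
        print(f"[{kind}] session={session}: {detail}")
```

On the constructed sample, session a1f9 produces exactly two alerts (the context change at 11:42:03 and the bulk read at 11:42:07) and session b7c2 none. Detection is the fallback; the structural fix is to stop a replayed cookie from being sufficient in the first place, for example by binding the session to the client at issue time, keeping admin sessions short-lived, and requiring step-up authentication for the management interface and for bulk export endpoints.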
“After an attempt at amicable settlement, which they deliberately ignored, I decided to put the database up for sale,” said the threat actor on a hacking forum on Wednesday night.
Emily Phelps, Director at Cyware, had this to say:
“While advanced security solutions are imperative for safeguarding digital assets, human-centric training is also crucial to address social engineering attacks. All organizations, regardless of their sector or size, should invest in continuous cyber-awareness training across the organization. This incident serves as a reminder that even the most sophisticated technology platforms are not immune to the age-old tactics of manipulation and exploitation.”
When you use a third-party service, you have to trust that the service is secure. That clearly wasn't the case here, and it looks like half a million customers will now pay the price.