When a data breach strikes, it can leave an organisation's reputation in tatters. Cybercriminals that gain access to a company’s sensitive data often sell that data on the dark web or to third parties, putting its employees, customers and clients at risk of phishing attacks and further malicious activity down the line.
Despite efforts to improve cybersecurity defences, data breaches have been on the rise year after year – and 2023 is no exception. The UK government’s 2023 cyber security breaches survey estimated that across all UK businesses, approximately 2.39 million instances of cybercrime and around 49,000 instances of fraud occurred this year alone.
Of all the data breaches that have occurred over the last nine months, however, a handful of incidents stand out for their scale, notoriety and impact on the companies involved.
In this list, we’re counting down the ten biggest data breaches of 2023, exploring how they happened, what their impact was, and how many individuals were affected.
PayPal - 35,000 users
At the start of the year, PayPal was forced to send out data breach notifications to just under 35,000 users after hackers gained access to their personal accounts. The breach, which took place between 6-8 December 2022, involved hackers gaining unauthorised access to user accounts using a technique known as credential stuffing. This involves taking login credentials leaked in a breach at a separate service provider and trying them against a different service, relying on people reusing the same password, in order to log in and access the accounts.
Although PayPal itself wasn't breached, as an online payment system, the consequences of a breached account were catastrophic. Information including full names, email addresses and PayPal account passwords was stolen, leaving affected users at extreme risk of fraud. Luckily, PayPal was quick to reset the passwords of the affected accounts and notify users of the breach, and is investigating the incident to find ways to improve its security measures. The company is also working with law enforcement to identify and apprehend the perpetrators of the breach, who are yet to be found.
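The credential-stuffing pattern described above has a recognisable signature in a service's own authentication logs: a single source address working through many distinct accounts in a short window, with a low success rate and the occasional hit. The following detection is an added example written for this article, not PayPal's code or data; the log format ("timestamp user ip outcome"), the sample lines and the thresholds are all constructed assumptions.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example (not PayPal's code or data). The log format
"timestamp user ip outcome", the sample entries and the thresholds below
are assumptions chosen to illustrate the pattern.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 203.0.113.9 tries eight different accounts in a few
# seconds and gets two successes (stuffing); 198.51.100.7 is one user
# mistyping a password twice before logging in (normal behaviour).
SAMPLE_LOG = """\
2022-12-06T10:00:01 alice 203.0.113.9 FAIL
2022-12-06T10:00:02 bob 203.0.113.9 FAIL
2022-12-06T10:00:02 carol 203.0.113.9 SUCCESS
2022-12-06T10:00:03 dave 203.0.113.9 FAIL
2022-12-06T10:00:03 erin 203.0.113.9 FAIL
2022-12-06T10:00:04 frank 203.0.113.9 FAIL
2022-12-06T10:00:05 grace 203.0.113.9 FAIL
2022-12-06T10:00:06 heidi 203.0.113.9 SUCCESS
2022-12-06T10:01:00 ivan 198.51.100.7 FAIL
2022-12-06T10:01:05 ivan 198.51.100.7 FAIL
2022-12-06T10:01:10 ivan 198.51.100.7 SUCCESS
"""


def parse_log(text):
    """Turn the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "outcome": outcome})
    return events


def detect_credential_stuffing(events, window_seconds=300, min_accounts=5,
                               max_success_ratio=0.5):
    """Flag source IPs that attempt many distinct accounts within a sliding
    window while mostly failing. Returns {ip: summary} for flagged sources;
    'compromised' lists accounts that succeeded from the flagged source so
    they can be reset and their owners notified."""
    by_ip = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, ip_events in by_ip.items():
        window = deque()
        for event in ip_events:
            window.append(event)
            # Drop events that fell out of the sliding window.
            while (event["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            users = {w["user"] for w in window}
            successes = [w["user"] for w in window if w["outcome"] == "SUCCESS"]
            ratio = len(successes) / len(window)
            if len(users) >= min_accounts and ratio <= max_success_ratio:
                # Keep updating so the alert reflects the latest window state.
                alerts[ip] = {
                    "distinct_accounts": len(users),
                    "attempts": len(window),
                    "compromised": sorted(set(successes)),
                }
    return alerts


def analyse_sample():
    """Run the detector over the constructed sample log."""
    return detect_credential_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, summary in analyse_sample().items():
        print(ip, summary)
```

The distinct-account count is what separates stuffing from an ordinary brute-force or a forgetful user: one account with many failures is a lockout case, many accounts from one source is a leaked credential list being replayed. In production the same logic would run per session or per ASN as well as per IP, since stuffing tooling routinely rotates addresses.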
Yum! Brands - 100,000+ employees
On January 8th, Yum! Brands – the parent company of KFC, Pizza Hut, and Taco Bell – was on the receiving end of a cyber attack. The company was forced to close over 300 UK restaurants in order to contain the incident, which involved a threat actor gaining unauthorised access to Yum! Brands’ network. At the time, it claimed that there was no evidence of identity theft or fraud, but then made everyone involved aware that they could have been subject to the loss of information such as names, driver’s licence numbers, ID numbers, and other personal identifiers.
A filing with the Maine Attorney General’s Office later revealed that employees’ personal data was indeed compromised. This kind of data is typically traded or shared on underground hacker portals and ultimately used in phishing and other types of attacks. The actual number of people whose data was compromised by the breach has not yet been disclosed, but it is expected to be in the hundreds of thousands.
ChatGPT - 1.2 million users
In March of this year, OpenAI was forced to take its explosive AI chatbot ChatGPT offline after a bug in an open-source library allowed some users to see titles from another active user’s chat history. The bug, which was quickly discovered by the research company, also allowed the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. With 100 million ChatGPT subscribers worldwide, this means that anywhere up to 1.2 million users may have had their payment information exposed.
In the hours before it took ChatGPT offline, it was also possible for some users to see another active user’s first and last name, email address, payment address, credit card type, the last four digits (only) of a credit card number, and credit card expiration date. OpenAI said the breach happened due to a bug in the open-source code: if a request was cancelled within a very specific timeframe, the system would get confused and deliver the response to the next user who made a similar request. OpenAI was quick to reach out to notify affected users that their payment information may have been exposed, but it was confident that there is no ongoing risk to users’ data.
University of Manchester - up to 2.2 million people
In June 2023, the University of Manchester (UoM) announced that it had suffered a major data breach after hackers gained access to its systems through a website vulnerability. The hackers copied the sensitive data of up to 1.1 million students, staff, and alumni, exposing a variety of data including full names, dates of birth, email addresses, phone numbers, and student ID numbers.
To make matters worse, it was later discovered that the breach may have also exposed the personal data of a further 1.1 million NHS patients across 200 hospitals, stored within the UoM’s internal systems. The exposed details include patients’ NHS numbers and the first three letters of their postcodes, as well as records of major trauma patients treated after terror attacks – which were collected by the university for research. The records date back to 2012, and patients will not know whether they are on the database or not, as they did not give their consent to be recorded on it.
JD Sports - 10 million customers
At the end of January, sportswear retailer JD Sports fell victim to one of the first major cyber incidents of the year when hackers exposed the sensitive data of around 10 million customers. The sports retailer revealed that information such as full names, billing and delivery addresses and phone numbers was exposed, as well as order details and the last four digits of customers' card details.
The attack also affected purchases made through its partner brands, including Size?, Blacks, Scotts, and Millets. JD Sports quickly notified the Information Commissioner's Office (ICO), the UK's data protection authority, of the data breach. The company also launched an investigation into the incident and is working with cybersecurity experts to improve its security measures.
Pôle Emploi - 10 million individuals
In February 2023, Pôle emploi, the French government agency that helps people find jobs, suffered a data breach that exposed the personal information of over 10 million people. The exposed information included full names and social security numbers, which were leaked following a cyber attack on one of Pôle emploi’s service providers.
The compromised data covers the full names and social security numbers of 10 million individuals who registered with Pôle emploi up to February 2023. Other personal information, such as email addresses, phone numbers, passwords, and bank credentials, was not affected. Pôle emploi quickly notified the French data protection authority, the CNIL, of the data breach, and filed a complaint with the judicial authorities. The agency is advising affected individuals to be cautious with incoming communications and has set up a dedicated phone support line to address any questions or concerns.
T-Mobile - 37 million individuals
In January 2023, T-Mobile announced that it had suffered a data breach that impacted 37 million customers. The breach exposed a variety of sensitive information, including names, dates of birth, Social Security numbers, driver's license numbers, phone numbers, email addresses, and account PINs. T-Mobile has not released many details about how the breach happened, but it is believed that hackers gained access to the company's systems through a vulnerability in its application programming interface (API), which allowed them to access customer data.
T-Mobile said that the attackers did not gain access to call records or personal financial account information. However, the exposed PII is still highly sensitive and could be used for identity theft and targeted phishing attacks, leaving many customers still at risk of future attacks.
UK Electoral Commission - 40 million individuals
Last month, the UK Electoral Commission announced that it had suffered a data breach that affected approximately 40 million individuals. The breach occurred between August 2021 and October 2022 and involved unauthorised access to reference copies of the electoral registers. Threat actors were able to gain access to information displayed on these reference copies, including full names, dates of birth and home addresses, leaving those affected at risk of phishing scams and fraud.
The Electoral Commission notified the Information Commissioner's Office (ICO), the UK's data protection authority, of the data breach, launched an investigation into the incident, and is working with cybersecurity experts to improve its security measures. It also set up a dedicated webpage with information about the breach and how people can protect themselves if their data is stolen.
Twitter - 235 million accounts
Starting off the new year the wrong way was Twitter. On January 5th, the email addresses tied to over 235 million accounts – almost half of Twitter’s user base – were posted to an online hacking forum. The threat actor was able to access the data by exploiting a bug in Twitter's API, which allowed it to submit contact information such as an email address and receive the associated Twitter account in return. While the bug didn't allow hackers to access passwords or other sensitive information like DMs, it did expose the connection between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers linked to them, potentially identifying users.
While it was live, the vulnerability was seemingly exploited by multiple actors to build different collections of data. One that has been circulating in criminal forums since the summer included the email addresses and phone numbers of about 5.4 million Twitter users. When the 2023 data was exposed, Twitter shifted the blame for the leaked data and claimed that it came from the dataset previously leaked in August 2022. But, while some of the data matches previous breaches, cybersecurity researchers revealed that the majority of the data was new and did in fact originate from Twitter's own servers.
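The flaw described above is an account enumeration problem: an endpoint that answers "does an account exist for this contact detail, and which one?" lets anyone with a list of email addresses or phone numbers link them to accounts at scale. The sketch below, written for this article and not Twitter's code or API, places the leaky pattern beside a hardened version of the same "find my account" lookup: the response body is identical whether or not the address is registered, the real answer goes out of band to the mailbox owner, and a per-client sliding-window rate limit caps how many lookups a single caller can make. The user table, function names and limits are all assumptions.

```python
"""Account lookup by email: enumeration-prone pattern beside a hardened one.

Added example; not Twitter's code or API. The user table, handler names,
the out-of-band notification queue and the rate limit are assumptions.
"""
from collections import defaultdict, deque

# Constructed user table mapping contact email to account handle.
USERS = {"alice@example.com": "@alice", "bob@example.com": "@bob"}

# Out-of-band notifications (e.g. an email to the address owner). These are
# never returned to the caller, so a lookup reveals nothing to the requester.
NOTIFICATIONS = []


def lookup_vulnerable(email):
    """Leaky pattern: the response itself says whether the address is
    registered and which account it belongs to. Iterating this over a list
    of addresses is exactly how a contact list becomes an account list."""
    handle = USERS.get(email)
    return {"found": handle is not None, "handle": handle}


class RateLimiter:
    """Sliding-window limiter: at most max_requests per client per window.
    'now' is injected as a float timestamp so behaviour is deterministic."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, client_id, now):
        q = self.hits[client_id]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def lookup_hardened(email, client_id, limiter, now):
    """Hardened pattern: uniform response, answer delivered out of band,
    and a per-client rate limit so bulk lookups are cut off early."""
    if not limiter.allow(client_id, now):
        return {"status": 429, "body": "Too many requests"}
    handle = USERS.get(email)
    if handle is not None:
        # Only the owner of the mailbox learns which account matched.
        NOTIFICATIONS.append((email, f"Account recovery requested for {handle}"))
    # Same body for registered and unregistered addresses; the work done in
    # both branches is also kept equal so response time does not leak either.
    return {"status": 200,
            "body": "If this address is registered, its owner has been emailed."}


if __name__ == "__main__":
    limiter = RateLimiter(max_requests=3, window_seconds=60)
    for i, addr in enumerate(["alice@example.com", "nobody@example.com",
                              "bob@example.com", "carol@example.com"]):
        print(addr, lookup_hardened(addr, "client-1", limiter, float(i)))
    print("notifications sent:", NOTIFICATIONS)
```

The limit alone is not the fix; a caller with many client identities or IPs will spread the requests out. The property that actually closes the leak is that the response carries no information about existence, which is why the hardened handler returns the same status and body on both paths and pushes the real answer to a channel only the address owner can read.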
MOVEit vulnerability - 2182 organisations and counting
In May 2023, Progress Software disclosed a zero-day vulnerability in its MOVEit Transfer file transfer software that allowed attackers to gain access to MOVEit servers and steal customer data. In the months that followed, the vulnerability was exploited by a number of hacker groups, including the notorious Cl0p ransomware gang. The Cl0p gang targeted a wide range of organisations, including multiple government agencies, healthcare providers and businesses including British Airways, Boots and the BBC.
By September, the MOVEit data breach had affected over 2,000 organisations and exposed the data of 60 million people – and this number continues to grow. The breach is considered to be one of the largest and most damaging data breaches in history, not only due to the number of individuals impacted, but also the financial damage it caused and its long-lasting impact.