We’re almost at the end of 2024, a year that will go down as having seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can’t get any worse, they do.
From huge stores of customers’ personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 have surpassed the 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks.
Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and, in some cases, how they could have been stopped.
AT&T’s data breaches affect “nearly all” of its customers, and many more non-customers
For AT&T, 2024 has been a very bad year for data security. The telecoms giant confirmed not one, but two separate data breaches just months apart.
In July, AT&T said cybercriminals had stolen a cache of data that contained phone numbers and call records of “nearly all” of its customers, or around 110 million people, over a six-month period in 2022 and in some cases longer. The data wasn’t stolen directly from AT&T’s systems, but from an account it had with data giant Snowflake (more on that later).
Although the stolen AT&T data isn’t public (and one report suggests AT&T paid a ransom for the hackers to delete the stolen data) and the data itself does not contain the contents of calls or text messages, the “metadata” still reveals who called who and when, and in some cases the data can be used to infer approximate locations. Worse, the data includes phone numbers of non-customers who were called by AT&T customers during that time. That data becoming public could be dangerous for higher-risk individuals, such as domestic abuse survivors.
That was AT&T’s second data breach this year. Earlier in March, a data breach broker dumped online a full cache of 73 million customer records to a known cybercrime forum for anyone to see, some three years after a much smaller sample was teased online.
The published data included customers’ personal information, including names, phone numbers and postal addresses, with some customers confirming their data was accurate.
But it wasn’t until a security researcher discovered that the exposed data contained encrypted passcodes used for accessing a customer’s AT&T account that the telecoms giant took action. The security researcher told TechCrunch at the time that the encrypted passcodes could be easily unscrambled, putting some 7.6 million existing AT&T customer accounts at risk of hijacks. AT&T force-reset its customers’ account passcodes after TechCrunch alerted the company to the researcher’s findings.
One big mystery remains: AT&T still doesn’t know how the data leaked or where it came from.
Change Healthcare hackers stole medical data on “substantial proportion” of people in America
In 2022, the U.S. Justice Department sued health insurance giant UnitedHealth Group to block its attempted acquisition of health tech giant Change Healthcare, fearing that the deal would give the healthcare conglomerate broad access to about “half of all Americans’ health insurance claims” each year. The bid to block the deal ultimately failed. Then, two years later, something far worse happened: Change Healthcare was hacked by a prolific ransomware gang; its almighty banks of sensitive health data were stolen because one of the company’s critical systems was not protected with multi-factor authentication.
The lengthy downtime caused by the cyberattack dragged on for weeks, causing widespread outages at hospitals, pharmacies and healthcare practices across the United States. But the aftermath of the data breach has yet to be fully realized, though the consequences for those affected are likely to be irreversible. UnitedHealth says the stolen data — which it paid the hackers to obtain a copy — includes the personal, medical and billing information on a “substantial proportion” of people in the United States.
UnitedHealth has yet to attach a number to how many individuals were affected by the breach. The health giant’s chief executive, Andrew Witty, told lawmakers that the breach may affect around one-third of Americans, and potentially more. For now, it’s a question of just how many hundreds of millions of people in the U.S. are affected.
Synnovis ransomware attack sparked widespread outages at hospitals across London
A June cyberattack on U.K. pathology lab Synnovis — a blood and tissue testing lab for hospitals and health services across the U.K. capital — caused ongoing widespread disruption to patient services for weeks. The local National Health Service trusts that rely on the lab postponed thousands of operations and procedures following the hack, prompting the declaration of a critical incident across the U.K. health sector.
A Russia-based ransomware gang was blamed for the cyberattack, which saw the theft of data related to some 300 million patient interactions dating back a “significant number” of years. Much like the data breach at Change Healthcare, the ramifications for those affected are likely to be significant and life-lasting.
Some of the data was already published online in an effort to extort the lab into paying a ransom. Synnovis reportedly refused to pay the hackers’ $50 million ransom, preventing the gang from profiting from the hack but leaving the U.K. government scrambling for a plan in case the hackers posted millions of health records online.
One of the NHS trusts that runs five hospitals across London affected by the outages reportedly failed to meet the data security standards as required by the U.K. health service in the years that ran up to the June cyberattack on Synnovis.
Ticketmaster had an alleged 560 million records stolen in the Snowflake hack
A series of data thefts from cloud data giant Snowflake quickly snowballed into one of the biggest breaches of the year, thanks to the vast amounts of data stolen from its corporate customers.
Cybercriminals swiped hundreds of millions of customer data from some of the world’s biggest companies — including an alleged 560 million records from Ticketmaster, 79 million records from Advance Auto Parts and some 30 million records from TEG — by using stolen credentials of data engineers with access to their employer’s Snowflake environments. For its part, Snowflake does not require (or enforce) its customers to use the security feature, which protects against intrusions that rely on stolen or reused passwords.
Incident response firm Mandiant said around 165 Snowflake customers had data stolen from their accounts, in some cases a “significant volume of customer data.” Only a handful of the 165 companies have so far confirmed their environments were compromised, which also includes tens of thousands of employee records from Neiman Marcus and Santander Bank, and millions of records of students at Los Angeles Unified School District. Expect many Snowflake customers to come forward.
(Dis)honorable mentions
Cencora notifies over a million and counting that it lost their data:
U.S. pharma giant Cencora disclosed a February data breach involving the compromise of patients’ health data, information that Cencora obtained through its partnerships with drug makers. Cencora has steadfastly refused to say how many people are affected, but a count by TechCrunch shows well over a million people have been notified so far. Cencora says it’s served more than 18 million patients to date.
MediSecure data breach affects half of Australia:
Close to 13 million people in Australia — roughly half of the country’s population — had personal and health data stolen in a ransomware attack on prescriptions provider MediSecure in April. MediSecure, which distributed prescriptions for most Australians until late 2023, declared insolvency soon after the mass theft of customer data.
Kaiser shared health data on millions of patients with advertisers:
U.S. health insurance giant Kaiser disclosed a data breach in April after inadvertently sharing the private health information of 13.4 million patients, specifically website search terms about diagnoses and medications, with tech companies and advertisers. Kaiser said it used their tracking code for website analytics. The health insurance provider disclosed the incident in the wake of several other telehealth startups, like Cerebral, Monument and Tempest, admitting they too shared data with advertisers.
USPS shared postal address with tech giants, too:
And then it was the turn of the U.S. Postal Service caught sharing postal addresses of logged-in users with advertisers like Meta, LinkedIn and Snap, using a similar tracking code provided by the companies. USPS removed the tracking code from its website after TechCrunch notified the postal service in July of the improper data sharing, but the agency wouldn’t say how many individuals had data collected. USPS has over 62 million Informed Delivery users as of March 2024.
Evolve Bank data breach affected fintech and startup customers:
A ransomware attack targeting Evolve Bank saw the personal information of more than 7.6 million people stolen by cybercriminals in July. Evolve is a banking-as-a-service giant serving mostly fintech companies and startups, like Affirm and Mercury. As a result, many of the individuals notified of the data breach had never heard of Evolve Bank, let alone have a relationship with the firm, prior to its cyberattack.
National Public Data goes broke after millions of SSNs stolen
The company behind the data broker National Public Data filed for Chapter 11 bankruptcy protection in October, months after a massive data breach exposed some three billion records affecting around 270 million individuals, according to various analyses by security researchers. The data broker allowed its paying customers access to its vast databases of names, dates of birth, email and postal addresses, phone numbers, and Social Security numbers (even if not all of the data was accurate). The company said it had to file for bankruptcy as it can no longer generate the revenue to address the deluge of class-action lawsuits and mounting liability from state and federal regulators.
First published on June 28 and updated on October 14.