Security breaches wreak havoc, not just for businesses, but for their customers. So far in 2024, around 20 major breaches have already occurred, all attributed to cyber attacks. Hitting major businesses, healthcare, and infrastructure across North America, Europe, and Japan, these cyber attacks have incredible reach.
What country is the biggest cybersecurity threat?
Cyber attacks don’t just have a target. The origin of the attacks is also significant. Data breaches and denial of service attacks are launched from some of the world’s most powerful countries.
Research from CyberProof demonstrates that 10 countries originated the most cyber attacks in 2021:
- China: 18.83%
- United States: 17.05%
- Brazil: 5.63%
- India: 5.33%
- Germany: 5.10%
- Vietnam: 4.23%
- Thailand: 2.51%
- Russia: 2.46%
- Indonesia: 2.41%
Based on this data, China is the biggest cybersecurity threat. The assumption is that the USA’s place on the list is due to organized crime on American soil. However, IP obfuscation cannot be ruled out – it is possible the figure for China could in reality be higher.
More recent research (2024) from Oxford University has been compiled into a Cybercrime Index. This uses a World Cybercrime Index (WCI) score, and reveals a top 10 of:
- Russia: 58.39
- Ukraine: 36.44
- China: 27.86
- United States: 25.01
- Nigeria: 21.28
- Romania: 14.83
- North Korea: 10.61
- United Kingdom: 9.01
- Brazil: 8.93
- India: 6.13
(The WCI figure is a threat level based on research from cybercrime experts.)
While it would be difficult to establish any direct correlation between these figures, China dominates as the prime cybersecurity threat.
What are the main causes of data breaches?
When private data is observed by a third party, it can be designated as a breach. Small breaches can usually be easily dealt with. Larger breaches that make headlines are another matter.
Data breaches typically rely on:
- Lost or stolen devices
- Insider with malicious intent
- Hackers employing cyber attack vectors
Based on the events of 2024 so far, the majority of data breaches are the result of cyber attacks. Stolen devices and insider activity may play a role, but breaches are almost always remotely coordinated.
All businesses and organizations should ensure:
- All devices are correctly managed
- Colleague access is routinely monitored
- Security software and operating systems are regularly updated
The best examples of 2024’s cyber attacks and data breaches will illustrate why.
1. UnitedHealth’s $872 Million Cyberattack
Be in no doubt that ransomware continues to be a massive problem. A Q1 financial report from UnitedHealth Group in April 2024 revealed a massive $872 million loss attributable to ransomware.
The report states: "Cash flows from operations from the first quarter 2024 were $1.1 billion and were affected by approximately $3 billion due to the company's cyberattack response actions, including funding acceleration to care providers, and were additionally impacted due to the timing of public sector cash receipts."
UnitedHealth’s ChangeHealthcare platform was impacted by the attack. This payment platform handles transactions between doctors, pharmacies, and healthcare professionals across the USA. The attack resulted in the ChangeHealthcare platform being suspended, with the BlackCat/ALPHV group claiming it stole 6 TB of data.
The attack is currently believed to have been executed via a vulnerable Citrix portal.
At a federal hearing in May 2024, UnitedHealth Group CEO Andrew Witty estimated one-third of Americans had been affected by the attack.
2. IMF
No one is safe from cyberattacks, not even the International Monetary Fund. The IMF has 190 member countries and works to improve growth and prosperity around the world.
The organization has 2,400 employees, and in February 2024 it announced that 11 email accounts had been compromised. This discovery was made during investigations into a cyber incident. While there is no indication of any financial attack or loss, the official line is interesting.
Microsoft Office 365 accounts were targeted by a Russia-linked intelligence organization in January 2024. However, the IMF has stated that the “incident does not appear to be part of Microsoft targeting."
All of which suggests a targeted attack on individuals at the IMF.
(The IMF was also the target of a hacking incident in 2011, as reported by the New York Times.)
3. England and Wales Cricket Board Coaching Platform
Grassroots sport is an unlikely target for hackers. But wherever there is data, so there is potential profit. In March 2024, the England and Wales Cricket Board (ECB) reported that a cyber attack affected 40,000 people.
The icoachcricket platform was the target, an online coaching tool hosted and run by a third party.
It was later established that the IntelBroker criminal operation was the likely culprit. Leaked data was uploaded to the BreachedForums, and comprises data of icoachcricket users who registered between 2014 and 2021. Email addresses, hashed passwords, backup password information, and other registration details are in the leaked database. Some accounts claim that details of significant ECB personnel are included in the breach, along with those coaching children.
4. Cannes Hospital
Healthcare providers are increasingly targets of cybercrime. On April 16, 2024, staff at the Hospital Simone Veil in Cannes reverted to pen and paper following a cyberattack.
As a major hospital in the region, Simone Veil handles 150,000 outpatient appointments and 50,000 emergencies a year. While the majority of services were able to continue, communication and data handling were limited to legacy methods.
While initially suspected to be a ransomware attack, several weeks passed before clarification was issued. On April 30, the hospital confirmed the LockBit 3.0 ransomware group was attempting to extort the establishment.
However, Hospital Simone Veil has refused to pay, stating:
“In the event of a data release potentially belonging to the hospital, we will communicate to our patients and stakeholders, after a detailed review of the files that may have been exfiltrated, about the nature of the stolen information.”
It appears attempts are being made to decrypt the targeted data.
5. Cencora
Corporate IT systems at Cencora (formerly AmerisourceBergen) were targeted according to an SEC filing (Securities and Exchange Commission) on February 21, 2024. Cencora is a pharmaceutical services company, providing distribution services for healthcare operations.
“[...]data from its information systems had been exfiltrated, some of which may contain personal information. As of the date of this filing, the incident has not had a material impact on the Company’s operations, and its information systems continue to be operational. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
Cencora states that it took steps to contain the attack, with an investigation launched with law enforcement and cybersecurity experts. No information has yet been released confirming a ransomware incident. Similarly, the stolen data does not yet seem to have been leaked.
Significantly, Cencora has stated that it doesn’t believe the attack is related to the UnitedHealth Group attack. It seems multiple actors are targeting the healthcare sector.
6. Spoutible
Twitter alternative Spoutible was launched in February 2023 with over 150,000 users and various security issues. By June 2023, the user count was around 240,000 users as the service launched Android and iOS apps.
Security researcher Troy Hunt was contacted in January 2024 with information concerning an API exploit, which he then investigated. The simple exploit, which involved using an API URL and adding a Spoutible username to return account information, apparently affected 207,000 records.
Along with email address and profile information, the API hack enabled the retrieval of bcrypt hashed passwords. As Hunt explains: “I cannot think of any reason ever to return any user's hashed password to any interface […] There is never a good reason to do this. And even though bcrypt is the accepted algorithm of choice for storing passwords these days, it's far from uncrackable”
Spoutible CEO Christopher Bouzy has apologized and referred the breach to the FBI.
7. Tangerine Telecom
Australian ISP Tangerine was breached on February 18, 2024, with over 200,000 records stolen by hackers. Full personal information (names, date of birth, phone numbers, and email addresses) was taken; bank and password details were not.
This doesn’t seem to be the usual external cyberattack attempt, however. Instead, it seems to have been traced to either a known individual or someone with their credentials. “We know that the unauthorized disclosure relates to a legacy customer database and has been traced back to the login credentials of a single user engaged by Tangerine on a contract basis.”
Tangerine has informed the relevant authorities of the breach, along with all of the affected customers. It seems likely that leaked emails will be targeted by phishing operations.
8. Trello
Online project management and collaboration tool Trello was targeted in January 2024, resulting in 15 million accounts being leaked.
Trello owner Atlassian claimed that the leak was not due to unauthorized access. While accurate, the leak can still be attributed to poor Trello security. The hacker apparently employed a public API to match an existing database of 50 million emails with Trello accounts.
Access to Trello is largely via private and corporate email addresses. Exposing access to the service potentially offers a Trello-themed attack vector for a phishing operation. Leaked data – totaling 15,115,516 entries - was offered for sale on a hacking forum, supposedly containing “emails, usernames, full names and other account info.”
Since learning of the background of this data leak, Trello’s public APIs have been hardened and now require authentication. This incident followed the November 2023 discovery of a zero-day vulnerability in Atlassian’s Confluence suite.
9. VARTA
A cyber attack on February 12th, 2024 caused German battery manufacturer VARTA to halt production. Affecting IT systems and related production equipment, the attack resulted in five plants closing.
VARTA produces batteries for EVs and ICE vehicles, as well as domestic batteries and industrial cells.
VARTA’s response to the attack is short on information, and doesn’t mention if any data was stolen:
“It is now clear that the cyberattack was carried out by an organized group of hackers who managed to break through the high-security standards of VARTA's IT systems with a high level of criminal energy. [...] The amount of the possible damage and the extent to which it is covered by insurance is part of the ongoing investigation.”
Given the lack of information and stolen data, it is difficult to say what the aims of the cyber attack were. Two likely possibilities are that the incursion was a failed ransomware attempt, or a targeted denial of service (DOS) attack.
10. Omni Hotels
Not for profit development and research management company MITRE published details of a cyberattack that began in January 2024. Detection of the attack’s evolution didn’t occur until April. This targeted its collaboration platform, Networked Experimentation, Research, and Virtualization Environment (NERVE), which is used for R&D and prototyping.
“Suspicious activity” was detected on NERVE, with a foreign-nation state threat actor confirmed as the culprit.
MITRE’s initial reaction was to take NERVE offline temporarily, before contracting Digital Forensics Incident Response personnel.
No details of the event’s outcome have been shared publicly. However, MITRE has revealed the attack vector. This involved multiple steps, including Ivanti zero-day vulnerabilities, a compromised administrator account, and establishing backdoors to “harvest credentials.”
Given the use of backdoors and credential theft, it seems likely a sizable amount of data was acquired by the hacker.
12. EquiLend
While attacks on healthcare providers and suppliers might be surprising, attacks on financial technology institutions are not. Securities lending infrastructure platform EquiLend was disrupted by unauthorized access on January 22, 2024.
It was established and revealed relatively quickly that this was a ransomware incident. The immediate response was to take some services offline, with the platform returning to action by January 30.
The LockBit group claimed responsibility for the attack, although no data has been offered as proof. Indeed, as full data has not been shared on any of the usual forums, it is possible EquiLend paid the ransom.
While transaction and customer data was not acquired in the leak, it did include employee data. EquiLend issued a letter to affected personnel, with the offer of complimentary identity theft protection.
“[...] as a precaution, we are offering complimentary identity theft protection services through a two-year membership with Identity Theft Guard Solutions, Inc. (IDX).”
Names, DOBs, and Social Security numbers were included in the leak.
13. KryptonZombie Attacks Cutout.Pro
If you’ve ever uploaded an image to AI photo and video platform Cutout.Pro, your details could have been included in a 5.93 GB leak. On February 27, 2024, a CSV file of the data was shared on BreachForums, comprising almost 20 million unique records.
The file is also believed to be distributed via Telegram.
Data including email addresses, names, IP addresses, and hashed and salted passwords were in the database of 19,972,829 people. That might seem like a lot of information for an AI photo editing service, but it offers free and premium tools. It seems the victims of the leaks paid for the honor.
Cutout.Pro’s response has been muted. Refusing initial requests for confirmation from specialists, they eventually replied to one website with a denial. “[We have] never received any emails from users stating that their accounts have been hacked or their information leaked,” Cutout.Pro users are likely to be the targets of phishing and other email-based scams.
14. Frontier
On April 15 2024, Frontier Communications (known for phone, internet, and TV services) filed a report with the SEC. This covered the details of a recent incident, detected the previous day, which resulted in portions of the company’s systems being taken offline.
The report states “Based on the Company’s investigation, it has determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information.”
Details in the report (and since) are scant in regard to the suspected attacker (beyond “cybercrime group”) and the data loss. No information has been offered as to whether employee data was taken, or customer data. Given the initial impact and response, the loss of customer data seems more likely.
15. ThyssenKrupp
German steel giant ThyssenKrupp AG was targeted by hackers in February 2024, resulting in its automotive division shutting down its IT systems. Automotive Body Solutions, the specific target, halted production when the intrusion was detected.
“The IT security team at Automotive Body Solutions recognized the incident at an early stage and has since worked with the ThyssenKrupp Group's IT security team to contain the threat,” reported a spokesperson. ThyssenKrupp reports that the event did not impact the supply chain.
No indication has been given as to whether the attack was espionage, intentional disruption, theft, or ransomware. Similarly, no statement indicating the culprit or type of threat actor has been made.
ThyssenKrupp has been the victim of previous cyber incidents. Notable attacks came in 2013, 2016, 2020, and 2022.
16. United Nations Development Programme
Proving that cybercriminals are not afraid to go big, the 8Base ransomware gang hit the UNDP in March 2024. Based on details uploaded to the hackers’ leak site, the breach resulted in sensitive data being stolen. This included personal data, certificates, contracts, invoices, receipts, and more.
Disclosing the event on April 16, 2024, the UNDP stated it had “received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information.”
While it seems the ransom was not paid, it is believed the disclosure underplayed the volume of data involved. Other United Nations agencies are not thought to have been affected.
8Base is known to use a variant of the Phobos ransomware and appears to be prolific at hacking. It lists over 350 victims on its website.
17. US Local Governments
Local governments and associations around the world are routinely victims of cyberattacks. Often the fallout impacts taxpayers and the people who use the services provided.
So far in 2024, three US county departments have been hit: Robeson County (NC), Hernando County (Fla), and Jackson County (MO). In addition, the city of Wichita, Kansas, has been hit. All appear to be coordinated ransomware attacks, confirmed within days of each other.
In Robeson County, a data security breach reported on April 18, 2024, resulted in online services being inaccessible to the public. An official response stated (WPDE) that the county administrators were: “engaging the assistance of the North Carolina Joint Cybersecurity Task Force, the North Carolina National Guard cyber unit, as well as federal and state law enforcement agencies.”
To date, no further information has been divulged, and emergency dispatch services were not affected.
A ransomware attack hit Hernando County government infrastructure, an event that was confirmed on April 4, 2024. By April 12, the event was confirmed as a ransomware attack that knocked public and internal-facing services offline. Officials announced that “The County is cooperating with state and federal law enforcement and a team of cybersecurity experts to investigate the claims and the full nature and scope of the incident.” Unfortunately, this confirmation doesn’t extend to any real details about the attack.
Jackson County, meanwhile, released news of an attack on April 2, 2024, and announced a state of emergency. The county administration confirmed it had “identified significant disruptions within its IT systems, potentially attributable to a ransomware attack.”
In Wichita, a ransomware attack on May 5, 2024, resulted in the city shutting down parts of its network. This included online payment networks for utilities, transport tickets, and other items. No information about the ransomware attack’s scale, or the suspected attacker, has been released.
With regard to the impact on resident’s data, only the following has been confirmed: “We are completing a thorough review and assessment of this matter, including the potential impact on data. Detailed assessments of these types of incidents take time. We thank you for your patience, understanding, and respect for the integrity of this review process.”
At the time of writing, no further details have been announced about any of these cyberattacks.
A 2023 study by Sophos revealed an increase from 58% to 69% in local government-targeted cyberattacks and incidents.
18. Fujitsu
On March 15, 2024, the world’s sixth-largest IT services provider, Fujitsu confirmed that it had been the target of a cyberattack. The Japanese conglomerate, which has 124,000 employees worldwide, announced the event following a report to Japan’s Personal Information Protection Commission. Such a report would indicate that Fujitsu believes personal information may have been stolen in the breach.
“We confirmed the presence of malware on several of our company's work computers, and as a result of an internal investigation, it was discovered that files containing personal information and customer information could be illegally taken out.” (Fujitsu statement translated from Japanese).
Interestingly, Fujitsu has yet to file similar reports in the USA, UK, or with any other government.
Fujitsu is in a privileged position, as it provides IT services (mainly database and cloud) to government and 1private sector operations worldwide.
19. Prudential Financial
Fortune 500 company Prudential Financial detected a breach on February 5, 2024, a day after suspected cybercriminals accessed company and employee data.
The SEC filing outlines the details.
"As of the date of this Report, we believe that the threat actor, who we suspect to be a cybercrime group, accessed Company administrative and user data from certain information technology systems and a small percentage of Company user accounts associated with employees and contractors."
Originally, there was no indication that customer or client data was taken. However, a subsequent filing revealed that 36,545 people had been affected. Names, addresses, driving license numbers, and other ID were taken in the data breach.
The ALPHV ransomware group claimed responsibility for the attack and uploaded data to its dark web portal.
20. Octapharma Plasma
As of April 18, 2024, it appears that the blood plasma provider was subjected to a ransomware attack. The immediate response was to close its 150-plus US-based centers, but suspicions remain that the parent company, Octapharma AG, may also have been hit.
If true, this would have ramifications for its European operations.
A source knowledgeable about the incident claims that BlackSuit ransomware was to blame. This malware doesn’t just encrypt the data it targets, it also makes an unencrypted copy for the cyber attacker. This can then be distributed as the attacker feels necessary.
BlackSuit posted details of the data it stole, which includes donor information, lab data, business-sensitive information, and employee details. Currently, the organization has refused to publicly confirm details of the cyber attack.
21. LoanDepot
On January 8, 2024, loan and mortgage company LoanDepot announced it was dealing with a cyber incident. This was later confirmed to involve the theft of data pertaining to 16.6 million customers.
While the company was coy about the details of the cyberattack, its regulatory post-attack filing revealed more. “LoanDepot […] recently identified a cybersecurity incident affecting certain of the Company’s systems. Upon detecting unauthorized activity, the Company promptly took steps to contain and respond to the incident, including launching an investigation with assistance from leading cybersecurity experts, and began the process of notifying applicable regulators and law enforcement.”
It also indicated that the attack was ransomware. “[...]the unauthorized third party activity included access to certain Company systems and the encryption of data.” (Our emphasis.)
Though our investigation is ongoing, at this time, the Company has determined that the unauthorized third-party activity included access to certain Company systems and the encryption of data. In response, the Company shut down certain systems and continues to implement measures to secure its business operations, bring systems back online, and respond to the incident.
How does 2024 compare so far with other years?
Approaching the midway point of 2024, it is difficult to state with any certainty whether it is worse than 2023. What we can say is that things appear to be increasingly challenging.
The IMF, itself a target of cyberattacks in 2024, has declared that “the risk of extreme losses from cyber incidents is increasing.” Its Global Financial Stability Report features a look at Financial Vulnerabilities and Risks and demonstrates an uptick in cyber incidents in 2023. Meanwhile, estimated losses increased from $0.5 billion in 2017 to almost $2.5 billion in 2021.
There is no reason to expect this figure to have declined significantly.
What happens to data leaked in breaches?
If cyberattacks result in data being stolen, it typically ends up being available to buy on the dark web.
Sometimes, the data is available to multiple buyers; on other occasions, it is up for sale to the highest bidder. The value of data depends on what information is included, and how recent it is. So, data with new email addresses and bank details will be more valuable than a leak of older data.
Because data leaks resulting from cyberattacks and other malicious actions aren’t always reported, the impact can be difficult to judge. Using a resource like haveibeenpwned.com is a good way to check if your details have been leaked. This website, maintained by Troy Hunt, is a searchable record of leaked data. Email addresses and passwords can be checked, and it displays which leak resulted in the data being made public.
