It’s all in the (lack of) details: 2022’s badly handled data breaches
Data breaches can be extremely harmful to organizations of all shapes and sizes — but it’s how these companies react to the incident that can deal their final blow. While we’ve seen some excellent examples of how companies should respond to data breaches over the past year — kudos to Red Cross and Amnesty for their transparency — 2022 has been a year-long lesson in how not to respond to a data breach.
Here is a look back at this year’s badly handled data breaches.
Chipmaker giant Nvidia confirmed it was investigating a so-called “cyber incident” in February, which it later confirmed was a data extortion event. The company refused to say much else about the incident, and, when pressed by TechCrunch, declined to say how it was compromised, what data was stolen, or how many customers or employees were impacted.
While Nvidia stayed tight-lipped, the now-notorious Lapsus$ gang quickly took responsibility for the breach and claimed it stole one terabyte of information, including “highly confidential” data and proprietary source code. According to data breach monitoring website Have I Been Pwned, the hackers stole the credentials of more than 71,000 Nvidia employees, including email addresses and Windows password hashes.
In August, DoorDash approached TechCrunch with an offer to exclusively report on a data breach that exposed DoorDash customers’ personal data. Not only is it unusual to be offered news of an undisclosed breach before it’s announced, it was even stranger to have the company decline to answer nearly every question about the news it wanted us to break.
The food delivery giant confirmed to TechCrunch that attackers accessed the names, email addresses, delivery addresses and phone numbers of DoorDash customers, along with partial payment card information for a smaller subset of users. It also confirmed that for DoorDash delivery drivers, or Dashers, hackers accessed data that “primarily included name and phone number or email address.”
But DoorDash declined to tell TechCrunch how many users were affected by the incident — or even how many users it currently has. DoorDash also said that the breach was caused by a third-party vendor, but declined to name the vendor when asked by TechCrunch, nor would it say when it discovered that it was compromised.
Hours before a long July 4 holiday, Samsung quietly dropped notice that its U.S. systems were breached weeks earlier and that hackers had stolen customers’ personal information. In its bare-bones breach notice, Samsung confirmed unspecified “demographic” data, which likely included customers’ precise geolocation data, browsing and other device data from customers’ Samsung phones and smart TVs, was also taken.
Because that was Samsung’s priority, obviously.
Fintech startup Revolut in September confirmed it was hit by a “highly targeted cyberattack,” and told TechCrunch at the time that an “unauthorized third party” had obtained access to the details of a small percentage (0.16%) of customers “for a short period of time.”
However, Revolut wouldn’t say exactly how many customers were affected. Its website says the company has approximately 20 million customers; 0.16% would translate to about 32,000 customers. However, according to Revolut’s breach disclosure, the company says 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area and 379 Lithuanian citizens.
The company also declined to say what types of data were accessed. In a message sent to affected customers, the company said that “no card details, PINs or passwords were accessed.” However, Revolut’s data breach disclosure states that hackers likely accessed partial card payment data, along with customers’ names, addresses, email addresses, and phone numbers.
NHS supplier Advanced
Advanced, an IT service provider for the U.K.’s NHS, confirmed in October that attackers stole data from its systems during an August ransomware attack. The incident downed a number of the organization’s services, including its Adastra patient management system, which helps non-emergency call handlers dispatch ambulances and helps doctors access patient records, and Carenotes, which is used by mental health trusts for patient information.
While Advanced shared with TechCrunch that its incident responders — Microsoft and Mandiant — had identified LockBit 3.0 as the malware used in the attack, the company declined to say whether patient data had been accessed. The company admitted that “some data” pertaining to over a dozen NHS trusts was “copied and exfiltrated,” but refused to say how many patients were potentially impacted or what types of data were stolen.
Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside our control and “the likelihood of harm to individuals is low.” When reached by TechCrunch, Advanced chief operating officer Simon Short declined to say if patient data is affected or whether Advanced has the technical means, such as logs, to detect if data was exfiltrated.
In October, U.S. messaging giant Twilio confirmed it was hit by a second breach that saw cybercriminals access customer contact information. News of the breach, which was carried out by the same “0ktapus” hackers that compromised Twilio in August, was buried in an update to a lengthy incident report and contained few details about the nature of the breach and the impact on customers.
Twilio spokesperson Laurelle Remzi declined to confirm the number of customers impacted by the June breach or share a copy of the notice that the company claims to have sent to those affected. Remzi also declined to say why Twilio took four months to publicly disclose the incident.
Enterprise cloud computing giant Rackspace was hit by a ransomware attack on December 2, leaving thousands of customers worldwide without access to their data, including archived email, contacts and calendar items. Rackspace received widespread criticism over its response for saying little about the incident or its efforts to restore the data.
In one of the company’s first updates, published on December 6, Rackspace said that it had not yet determined “what, if any, data was affected,” adding that if sensitive information was affected, it would “notify customers as appropriate.” We’re now at the end of December and customers are in the dark about whether their sensitive information was stolen.
And finally, but by no means the least: The beleaguered password manager giant LastPass confirmed three days before Christmas that hackers had stolen the keys to its kingdom and exfiltrated customers’ encrypted password vaults weeks earlier. The breach is about as damaging as it gets for the 33 million customers who use LastPass, whose encrypted password vaults are only as secure as the customer master passwords used to lock them.
But LastPass’ handling of the breach drew a swift rebuke and fierce criticism from the security community, not least because LastPass said that there was no action for customers to take. Yet, based on a parsed read of its data breach notice, LastPass knew that customers’ encrypted password vaults could have been stolen as early as November after the company confirmed its cloud storage was accessed using a set of employee’s cloud storage keys stolen during an earlier breach in August but which the company hadn’t revoked.
The fault and blame is squarely with LastPass for its breach, but its handling was egregiously bad form. Will the company survive? Maybe. But in its atrocious handling of its data breach, LastPass has sealed its reputation.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.