Anika Begay
We’re more than halfway through 2024, and already this year we’ve seen some of the largest and most damaging data breaches in recent memory. And just when you think some of these attacks can’t get any worse, they do.
From massive archives of customer personal information being scraped, stolen, and posted online, to reams of medical data covering the majority of people in the United States being stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and counting. These breaches not only impact the individuals whose data has been irreparably exposed, but they also embolden criminals who profit from their malicious cyberattacks.
Travel with us into the not-so-distant past to discover how some of the biggest security incidents of 2024 unfolded, their impact, and in some cases, how they could have been stopped.
AT&T Data Breaches Affect ‘Nearly All’ of Its Customers and Many More Non-Customers
AT&T has had a terrible year in data security in 2024. The telecommunications giant confirmed not one, but two separate data breaches within months of each other.
In July, AT&T said that cybercriminals had stolen a cache of data containing phone numbers and call logs for “nearly all” of its customers, or about 110 million people, over a six-month period in 2022 and in some cases longer. The data wasn’t stolen directly from AT&T’s systems, but from an account it had with data giant Snowflake (more on that later).
While the stolen AT&T data is not public (and one report suggests AT&T paid a ransom to hackers to delete the stolen data) and the data itself does not contain the contents of calls or text messages, the “metadata” still reveals who called who and when, and in some cases the data can be used to infer approximate locations. Worse, the data includes phone numbers of non-customers who were called by AT&T customers during that time. Such data becoming public could be dangerous to high-risk individuals, such as survivors of domestic abuse.
This was AT&T’s second data breach this year. In early March, a data breach broker dumped an entire cache of 73 million customer records online for anyone to see on a popular cybercrime forum, nearly three years after a much smaller sample was leaked online.
The data released included customers’ personal information, including names, phone numbers, and postal addresses; some customers confirmed that their data was accurate.
But it wasn’t until a security researcher discovered that the exposed data contained encrypted passcodes used to access a customer’s AT&T account that the telecom giant took action. The security researcher told TechCrunch at the time that the encrypted passcodes could be easily cracked, putting approximately 7.6 million existing AT&T customer accounts at risk of hijacking. AT&T forced a reset of its customers’ account passcodes after TechCrunch alerted the company to the researcher’s findings.
One big mystery remains: AT&T still doesn’t know how the data leaked or where it came from.
Change Healthcare Hackers Stole Medical Data on a “Substantial Portion” of People in America
In 2022, the U.S. Department of Justice sued health insurance giant UnitedHealth Group to block its attempted acquisition of health technology giant Change Healthcare, fearing that the deal would give the healthcare conglomerate broad access to about “half of all Americans’ health insurance claims” each year. The attempt to block the deal ultimately failed. Then, two years later, something far worse happened: Change Healthcare was hacked by a prolific ransomware gang; its powerful banks of sensitive health data were stolen because one of the company’s critical systems wasn’t protected with multifactor authentication.
The extended downtime caused by the cyberattack stretched for weeks, causing widespread disruptions at hospitals, pharmacies and health care practices across the United States. But the full consequences of the data breach have yet to be realized, although the consequences for those affected are likely to be irreversible. UnitedHealth says the stolen data, which it paid hackers to obtain a copy of, includes personal, medical and billing information for a “substantial percentage” of people in the United States.
UnitedHealth has yet to determine how many individuals were affected by the breach. The healthcare giant’s CEO, Andrew Witty, told lawmakers that the breach could affect about a third of Americans, and potentially more. For now, it’s just a matter of how many hundreds of millions of people in the United States are affected.
Synnovis ransomware attack causes widespread disruption to London hospitals
A June cyber attack on British pathology lab Synnovis, a blood and tissue testing lab for hospitals and healthcare services in the UK capital, caused widespread and ongoing disruption to patient services for weeks. Local National Health Service trusts that rely on the lab postponed thousands of operations and procedures following the attack, prompting a critical incident declaration across the UK healthcare sector.
A Russian-based ransomware gang has been blamed for the cyberattack, which saw the theft of data relating to around 300 million patient interactions dating back a “significant number” of years. Much like the data breach at Change Healthcare, the ramifications for those affected are likely to be significant and long-lasting.
Some of the data had already been published online in an attempt to extort a ransom from the lab. Synnovis reportedly refused to pay the hackers’ $50 million ransom, preventing the gang from profiting from the hack but leaving the UK government scrambling for a plan if the hackers published millions of medical records online.
One of the NHS trusts that runs five London hospitals affected by the outages reportedly failed to meet data security standards required by the UK health service in the years leading up to the June cyberattack on Synnovis.
Ticketmaster reportedly had 560 million records stolen in Snowflake hack
A series of data thefts by cloud data giant Snowflake has quickly become one of the largest breaches of the year, thanks to the massive amount of data stolen from its enterprise customers.
Cybercriminals stole hundreds of millions of customer records from some of the world’s largest companies, including an alleged 560 million records from Ticketmaster, 79 million records from Advance Auto Parts, and nearly 30 million records from TEG, using stolen credentials from data engineers with access to their employer’s Snowflake environments. For its part, Snowflake doesn’t require (or force) its customers to use the security feature, which protects against intrusions that rely on stolen or reused passwords.
Incident response firm Mandiant said about 165 Snowflake customers had their accounts stolen, in some cases a “significant volume of customer data.” Only a handful of the 165 companies have so far confirmed their environments were compromised, including tens of thousands of employee records from Neiman Marcus and Santander Bank and millions of student records from the Los Angeles Unified School District. Many Snowflake customers are expected to come forward.
(Dis)honorable mentions
Cencora Notifies Over One Million People That Their Data Has Been Lost:
U.S. pharmaceutical giant Cencora has disclosed a data breach in February that involved the compromise of patient health data, information Cencora obtained through its partnerships with drugmakers. Cencora has flatly refused to say how many people have been affected, but a TechCrunch tally shows that well over a million people have been notified so far. Cencora says it has served more than 18 million patients to date.
MediSecure data breach affects half of Australia:
About 13 million people in Australia, or about half the country’s population, had their personal and health data stolen in a ransomware attack on prescription provider MediSecure in April. MediSecure, which dispensed prescriptions to most Australians until the end of 2023, filed for insolvency shortly after the mass theft of customer data.
Kaiser shared health data of millions of patients with advertisers:
US health insurance giant Kaiser disclosed a data breach in April after it inadvertently shared the private health information of 13.4 million patients, specifically website search terms for diagnoses and medications, with technology companies and advertisers. Kaiser said it used its own tracking code to analyze websites. The health insurance provider disclosed the incident on the heels of several other telemedicine startups, including Cerebral, Monument and Tempest, admitting they also shared data with advertisers.
USPS also shared its mailing address with the tech giants:
And then it was the U.S. Postal Service’s turn, which was caught sharing registered users’ mailing addresses with advertisers like Meta, LinkedIn, and Snap, using a similar tracking code provided by the companies. The USPS removed the tracking code from its website after TechCrunch alerted the Postal Service in July of the improper data sharing, but the agency would not say how many individuals had collected the data. The USPS has over 62 million Informed Delivery users as of March 2024.
Evolve Bank Data Breach Hits Fintech, Startup Customers:
A ransomware attack targeting Evolve Bank saw the personal data of more than 7.6 million people stolen by cybercriminals in July. Evolve is a banking-as-a-service giant that primarily serves fintech companies and startups, such as Affirm and Mercury. As a result, many of the individuals notified of the data breach had never heard of Evolve Bank, much less had a relationship with the company, prior to its cyberattack.
