Security Disasters of 2023: Lessons Learned

Last year, companies made headlines every week for data breaches and ransomware attacks that left their employees and their customers victim to personal data loss. In fact, 2023 saw over 8 million records breached, with the average cost of a data breach steadily rising, reaching almost $7 million in Canada. According to Statista, the financial, energy and healthcare sectors saw the highest average cost of a data breach, and subsequently were the most targeted sectors. 

There were too many cybersecurity breaches in 2023 to analyze all of them in one article, but this blog post will take a look at some of the major security disasters that happened in 2023, and what we can learn from them going forward. It is important to remember that even though it is often enterprise businesses that make headlines for losing customer data, data breaches happen to companies of all sizes and in all sectors. Staying vigilant with cybersecurity measures, best practices and compliance is the best way to prepare for potential cybersecurity attacks.

Security Disasters

Southern Ontario Hospital Breaches

Some of the most notable breaches in Canada in 2023 were hospitals targeted across Southern Ontario. One major cybersecurity attack targeted five hospitals across southwestern Ontario. These hospitals were impacted by a sophisticated cyberattack in October 2023 and had to completely rebuild their networks. The hospitals affected by this security disaster were Windsor Regional Hospital, Hotel-Dieu Grace Healthcare, Erie Shores HealthCare, Bluewater Health and Chatham-Kent Health Alliance. 

This data breach resulted in one of the hospitals’ patients launching a potential $480-million class action lawsuit after at least 270,000 patients in the region had their personal data stolen and reportedly sold on the dark web. The lawsuit claims that the hospitals did not employ adequate or effective cybersecurity measures, resulting in the attackers gaining access to their computer network, data, digital storage, digital files and computers. The information stolen by hackers included personal health information, names, addresses, phone numbers, dates of birth and social insurance numbers, among other information. Any patient who registered for treatment after February 24, 1992 was compromised.

In November, the hospitals acknowledged that the information had been published on the dark web after they had refused to accept the ransom demands from the hackers, a number purported to be in the millions. This data breach coincides with healthcare being one of the most-targeted industries for cyberattacks for five years in a row, with unauthorized access in hospitals being up 162% since 2019.

MOVEit Data Breach

MOVEit Transfer software, a file transfer tool developed by Progress Software, transfers large amounts of often-sensitive data over the internet. It’s employed by organizations worldwide to manage file transfers, including pension information, social security numbers, medical records, and billing data. The MOVEit data breach of May 2023 was a significant security disaster that affected a number of companies, both in Canada and the USA. The breach involved a zero-day vulnerability in MOVEit Transfer. This vulnerability allowed ransomware attackers to raid MOVEit Transfer servers and steal customer data stored within. The attackers exploited the MOVEit software vulnerability starting in May 2023, and as of August 2023 had stolen data from over 1000 organizations and 60 million individuals.

Of the 1000 companies that were affected by this breach, some notable ones include the French government’s unemployment agency Pôle emploi, multiple federal agencies, and U.S. state departments. Almost one third of the hosts running vulnerable MOVEit servers belonged to financial, government, healthcare and military sectors.

The estimated total cost of the MOVEit mass-attacks so far is about $9.9 billion, based on the average cost of data breaches and the number of individuals affected. This figure could potentially scale to at least $65 billion depending on the results of related lawsuits. 

Progress Software acknowledged the cyber-attack and focused on supporting its customers. They issued a patch to fix the vulnerability and alerted users to the issue. Not all organizations could deploy the patch in time, resulting in varying levels of data compromise.

Suncor Energy Cybersecurity Attack

Calgary-based Suncor Energy reported experiencing a cyber attack in June 2023. The attack occurred on June 21st, 2023 and was reported by Suncor on June 25th. It was first revealed when social media users reported an inability to use credit or debit cards at the company’s chain of Petro-Canada gas stations, as well as difficulties accessing the company’s car wash services. Officials later confirmed that Petro-Canada customer rewards data had been breached; however, Suncor field operations were not impacted. Suncor is facing litigation from customers whose data was breached in this incident.

In Canada, there hasn’t been a large-scale, successful cyberattack on a domestic oil and gas company. However, cybersecurity experts have warned for years that this country’s energy industry is an attractive target for cybercriminals. That includes both financially motivated cybercriminals, such as ransomware attackers, as well as state-sponsored hackers seeking to create geopolitical mayhem. This is one security disaster that was dealt with rather quickly and effectively by the team at Suncor Energy. They were able to mitigate most of the damage through quick action and effective disaster recovery.

Lessons Learned

Patch Vulnerabilities

One thing we can take away from these security disasters is that cyber threats are constantly evolving, and organizations need to stay vigilant. In the example of the MOVEit vulnerability, companies could have potentially prevented significant data loss by regularly updating and patching software. Many breaches, similar to the MOVEit vulnerability, occur through vulnerabilities in third-party systems or services. It is essential to assess and manage the security risks associated with third-party vendors and partners. 

Cybersecurity Awareness Training is Essential

In the case of the Southwestern hospital breaches, human error caused the ransomware attack that affected all of the hospitals. Human error is a common factor in over 90% of security disasters. Organizations that invest in cybersecurity training and awareness programs for employees to recognize and avoid potential threats, such as phishing attacks, will suffer far fewer data breaches than those without any cybersecurity awareness training.

Continuously Monitor Networks

Companies that continuously monitor their networks for signs of a data breach can detect and respond to a breach much more quickly and, as a result, prevent severe damage and data loss. Suncor was able to contain the breach within hours and prevent significant losses.

Have an Incident Response Plan

Having a well-defined incident response plan is crucial for minimizing the impact of a cybersecurity disaster. In all of these cases, the companies that experienced a cybersecurity breach had to respond quickly and efficiently in order to prevent damages. Suncor, which had a robust incident response plan, was able to quickly contain the breach, respond, and make adjustments to prevent further damages. It is essential to have a Disaster Recovery Plan and an Incident Response Plan that are regularly tested and updated to ensure they are effective.

Encrypt Data

Encrypting sensitive data both in transit and at rest is essential. This adds an extra layer of protection, making it more challenging for attackers to access and misuse information even if they gain unauthorized access. In the case of the Southwestern Ontario Hospitals, data encryption could have potentially prevented the loss of over 250,000 patient data files and reduced the impact of the cybersecurity disaster. 

Wrapping Up

It’s essential to stay informed about the latest cybersecurity developments and adapt strategies accordingly. These data breaches from 2023 can hopefully provide an example for companies to learn and adapt to prevent similar breaches from occurring in 2024. 
