The 6 Biggest Cybersecurity Moments of 2022
2022 was a significant year for cybersecurity, as the industry dealt with the aftermath of Log4Shell, and companies were hit with massive fines and lawsuits. Healthcare and nation-state attacks were also on the rise, and the term “Zero Trust” became the data security phrase of the year as the U.S. government worked to implement Zero-Trust strategies.
At Nira, we chronicle data breaches and information security incidents weekly to learn from their patterns. We want to understand how to keep customer and company data safe by paying attention to the largest data breaches, the latest strategies, and the best security responses.
Here are the top six biggest cybersecurity moments we identified in 2022:
1. One year after Log4Shell, most organizations are still exposed to potential attacks
Near the end of 2021, the infamous Log4Shell incident occurred. Although the Log4j vulnerability had fewer repercussions in 2022 than initially feared, companies have felt its effects more than a year later.
Details at a glance:
- According to Dark Reading, the Log4j flaw (CVE-2021-44228) exists in Log4j’s Java Naming and Directory Interface (JNDI) function for data storage and retrieval.
- Security researchers consider it “one of the most significant vulnerabilities in recent years” due to its ubiquity and the ease with which it can be exploited.
- In 2022, the actual number of publicly reported compromises involving Log4j remained “comparatively low.” However, research states that “72% of organizations remain vulnerable.”
- The U.S. Department of Homeland Security review board noted that “Log4j is an endemic security risk” that may affect organizations for years.
Learn more here.
2. Nation-state attacks affected countries around the world
Several countries were targeted by criminal hacking groups in 2022, including Costa Rica, Albania, Montenegro, and Vanuatu, whose residents were knocked offline for more than a month after a cyberattack on the Pacific-Island nation. Threat actors were allegedly backed by various nation-states in 2022 including Russia, Iran, and North Korea, as governments utilized cyberattacks to aid with political tactics.
Details at a glance:
- Russia launched its war on Ukraine in February 2022, however, the country had been using cybersecurity tactics against Ukraine for years, escalating its cyberattacks in 2022.
- According to European Parliament, Russian cyberattacks have “undermined the distribution of medicines, food, and relief supplies” as well as prevented access to basic services and expanded data theft and disinformation, including through the use of deep-fake technology.
- In November 2022, the FBI and CISA revealed that an unnamed Iranian-state-backed hacking group breached a U.S. governmental department using the Log4j vulnerability.
- “By exploiting Log4shell, the actors gained access to a VMWare account with administrator and system level access,” according to the advisory.
- North Korean government-backed actors known as APT37 were attributed with targeting South Koreans with malware after a Halloween tragedy in Seoul.
- After a tragic crowd surge killed more than 150 people, the North Korean group distributed a corrupted Microsoft Word document that appeared to be an official press release from South Korea’s Ministry of Interior and Safety. When opened, the document downloaded another file that attempted to deploy malware onto users’ devices.
Read more here.
3. Healthcare breach costs hit a record-breaking high
The healthcare industry continued to be the industry with the highest average cost of a data breach, according to IBM’s annual report. In 2022, healthcare breach costs hit an all-time high, as the average breach cost increased by almost $1 million to reach a record-breaking $10.1 million.
Details at a glance:
- Healthcare breach costs have been the most expensive industry for 12 years and counting, increasing by 41.6% in 2022 from 2020.
- According to Netwrix, the healthcare industry continuously dealt with cyberattacks on their cloud infrastructure; 61% of respondents in the healthcare industry had a cloud infrastructure attack within the last year, compared to 53% for other verticals.
- Notable healthcare breaches included Massachusetts-based Shields Health Care Group, which affected two million individuals and Novant Health, an organization that informed 1.3 million patients that “a misconfiguration in Meta pixel code” might have led to “the unauthorized disclosure of protected health information” (PHI).
4. OMB revealed details of the U.S. government’s Zero Trust strategy
The data security phrase for 2022 should be “Zero Trust,” as the U.S. federal government got on board with incorporating the cybersecurity architecture. Zero Trust endorsement officially began in May 2021, after President Biden signed an executive order “to improve the nation’s cybersecurity and protect federal government networks.”
An initial draft of how this strategy would be implemented was released in September 2021 and then finalized in January 2022. This first draft was open to public comment and received additional feedback from “cybersecurity professionals, non-profit organizations, and private industry that helped inform the final strategy.”
Details at a glance:
- In January 2022, the Office of Management and Budget released the final memo with more concrete details about the “Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture.”
- According to the memo, agencies had 30 days from the publication of the memorandum “to designate and identify a zero trust strategy implementation lead for their organization.”
- In November 2022, the U.S. Department of Defense released its Zero Trust Strategy and Roadmap.
- The U.S. government will continue to promote Zero Trust architecture and requires that “agencies achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024.”
Read the January 2022 memo here.
5. The FTC took action against Drizly and its CEO in rare order
On Oct. 24, the Federal Trade Commission announced it was taking action against alcohol delivery company Drizly and its CEO James Cory Rellas for a 2020 data breach that exposed the information of over 2.5 million people.
The order will follow Rellas when he conducts future business and required that he implement a security program at any organization he’s in charge of that handles the data of more than 25,000 people. The order also had implications for Drizly itself, which is now a subsidiary of Uber.
Details at a glance:
- In 2020, Drizly acknowledged that a threat actor acquired some customer data, including emails, date-of-birth information, passwords, and addresses.
- The FTC claimed that both Drizly and Rellas were aware for two years of the problems that led to the 2020 breach, but “failed to take steps to protect consumers’ data from hackers.”
- It’s incredibly rare for the FTC to target an individual in data security and privacy cases. And especially rare for a CEO to be targeted. This case could have future implications for how top executives handle data breaches and leaks.
- According to the FTC, this order was part of its “aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures.”
Read more here.
6. Meta fined nearly $700 million by Data Protection Commission
In November 2022, Ireland’s Data Protection Commission (DPC) fined Meta a whopping $276 million after a Facebook data leak in April 2021 exposed the information of more than 533 million users. This was the third fine that the DPC had given Meta in 2022.
They previously fined the company in March after a series of data breaches in 2018 that exposed 30 million Facebook users, and again in September, after an investigation into how Instagram handles teenagers’ data.
Details at a glance:
- The Facebook user data was posted to a hacking forum, and according to the Verge, it included sensitive information like names, phone numbers, and locations of users from 2018 to 2019.
- Meta was fined nearly $700 million by the DPC in 2022 alone.
- Meta-owned messaging service WhatsApp was also fined $267 million in 2022 for violation of Europe’s data privacy laws.
Learn more here.
As information security professionals embrace new challenges in 2023, it’s useful to reflect on the biggest cybersecurity moments of the past year.
Many of 2022’s issues won’t be going away anytime soon. Government legislation and legal cases will still have effects on IT/Security teams; vulnerabilities will still threaten organizations. Threat actors will continue to target governments and healthcare entities. Major tech corporations will be fined over their handling of customer data.
We pay attention to these past moments to understand how to best protect essential information in the future. Learn more about protecting company and customer data here.