The 13 Biggest Data Breaches of 2023

The average cost of a data breach rose again in 2023, reaching a record $4.45 million worldwide. This number was an astronomical $9.44 million in the US, the highest of any country, according to IBM. The largest data breaches of 2023 affected some of the biggest companies in technology, healthcare, and even information security.

At Nira, we document these data breaches weekly, to learn from their patterns, and understand how to better protect customer and company data.

Here are the 13 largest data breaches of 2023:

1. MOVEit cyberattacks: the biggest hack of 2023

The mass exploitation of MOVEit file transfer servers was the largest hack of 2023. Threat actors attacked more than 2,500 organizations, with data theft affecting more than 91 million people, according to a running tally from Emsisoft.

Details at a glance:

MOVEit is a file transfer platform used by thousands of governments, financial institutions, and other public and private sector bodies worldwide.
In late May 2023, MOVEit was hacked by a ransomware operation called Cl0p.
Cl0p’s attack stole data from government, public, and business organizations worldwide, including New York City’s public school system and a UK-based HR solutions and payroll company with clients like British Airways and BBC.
The effects of the MOVEit cyberattack are still being felt, with more affected parties coming to light.

Learn more here.

2. Okta breach linked to employee’s personal Google account

Okta confirmed the root cause of its October 2023 breach was likely an employee storing company credentials in a private Google account.

“During our investigation, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account,” said David Bradbury, Okta’s Chief Security Officer.

Details at a glance:

Okta, a company that provides identity tools like multi-factor authentication and single sign-on, suffered a security breach involving a compromise of its customer support unit.
The company discovered that the threat actors who breached its network stole information on all users of its customer support system—a scope greater than the 1% of customers the company had previously said were affected.
According to the company, attackers also stole some Okta employee information.

Read more here.

3. Microsoft confirmed DDoS attacks in June

Microsoft confirmed in a blog post that hacking group Anonymous Sudan’s DDoS attacks “temporarily impacted the availability” of Azure, Teams, Outlook, and other services in June 2023. The company had been investigating an ongoing outage that prevented OneDrive customers from accessing the cloud file hosting service worldwide.

Details at a glance:

Microsoft said there was no evidence that the attackers accessed or compromised any customer data, according to the Associated Press.
A company spokesperson confirmed that Anonymous Sudan was behind the attacks. The hacking group had claimed responsibility on its Telegram social media channel.
Security professionals said DDoS can disrupt the work of millions if they interrupt the services of a software service giant like Microsoft on which global commerce depends, AP reported.

Learn more here.

4. Leak of US defense papers on Discord led to national security crisis

In April 2023, the US Justice Department and Pentagon began investigating online leaks of sensitive documents. The classified documents started circulating on Twitter, Telegram, and 4chan after a member of the Massachusetts Air National Guard allegedly uploaded photographed printouts of the documents to Discord.

Details at a glance:

According to The Guardian, the disclosure of the highly classified material represented Washington’s “worst national security breach” in years.
The documents appeared to detail events and offer an analysis of Russia’s invasion of Ukraine up until March 2023. The majority of the posted content concerned the Russo-Ukrainian War, but there was also information related to North Korea, China, Iran, and the United Arab Emirates.
The US attempted to mend ties after some of the leaked documents claimed the US had been spying on allied countries including South Korea and Israel, according to The Guardian.
On April 13, the US Federal Bureau of Investigation arrested a 21-year-old member of the Massachusetts Air National Guard in connection with the leaked documents.

For information about how the documents circulated online, read here.

5. Atlassian and Envoy blamed each other for Atlassian data breach

On February 16, 2023, Atlassian confirmed that the hacking group SiegedSec breached it the day before. However, the company initially blamed Envoy—a third-party application Atlassian uses to coordinate in-office resources—for the incident.

Representatives from Envoy were quick to respond, telling TechCrunch that the startup was “not aware of any compromise to our systems.” After an initial search, Envoy found that the threat actor “gained access to an Atlassian employee’s valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app.”

Details at a glance:

SiegedSec leaked the data on Telegram; the stolen information included the names, emails, work departments, and phone numbers of close to 13,200 Atlassian employees. It also included the floor plans for Atlassian offices in Sydney and San Francisco.
After first blaming Envoy, Atlassian changed its update. According to the company, an internal investigation revealed that threat actors had compromised Atlassian data from the Envoy app “using an Atlassian employee’s credentials that had been mistakenly posted in a public repository by the employee.”
Envoy ruled out a breach on its end. According to the company, it found evidence confirming that “the hackers obtained valid user credentials from an Atlassian employee account and used that access to download the affected data from Envoy’s app.”

Read more here.

6. Tesla claimed breach due to ‘insider wrongdoing’

In May 2023, a German media outlet received 100GB of information from a whistleblower at Tesla. This data included 23,000 internal files from 2015 to 2022 concerning Tesla allegedly receiving almost 4,000 reports of self-acceleration and brake-function issues, according to Dark Reading.

In August, Tesla said in a filing with Maine’s attorney general that the data breach affected over 75,000 people and was due to “insider wrongdoing.” What’s more, the company was suing two former employees, claiming these employees “misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet.”

Details at a glance:

The German outlet, Handelsbatt, did not publish the compromised data, nor is it legally allowed to.
The breach showed Tesla did not have the right controls in place to prevent this type of breach, according to Lior Yaari of Grip Security. “It is actually more common than people think to have former employees’ access to systems remain active after they have left the company,” Yaari said.
The company provided credit monitoring through Experian’s IdentityWorks for those affected by the breach.
In December 2023, Tesla recalled more than 2 million vehicles to update software and fix a defective system that was meant to ensure drivers are paying attention when using Autopilot, according to the Associated Press.

Read more here.

7. Nearly 9 million patients’ records compromised in record breach

A cyberattack on a medical transcription company compromised highly sensitive health data belonging to nearly four million patients at Northwell Health, New York’s largest healthcare provider and private employer. The breach also impacted Cook County Health, a healthcare system in Illinois, affecting 1.2 million of its patients. An additional 4 million patients in undisclosed locations were further impacted, writes The Record.

The attack was one of the worst medical data breaches in recent years, based on data from the U.S. Department of Health and Human Services.

Details at a glance:

Perry Johnson & Associates, a Nevada-based transcription company, disclosed the breach in November 2023 in a legally required filing.
The filing revealed that the breach began as early as March 2023, although the company did not start to notify affected patients until the end of September.
The stolen data included personally identifiable information (PII) like patient names and addresses, but also admission diagnoses, Social Security numbers, and laboratory and diagnostic testing results.

Read more here.

8. Security firm Rubrik affected by GoAnywhere vulnerability

On March 14, 2023, data security company Rubrik experienced a network intrusion made possible by a zero-day vulnerability in a product it used called GoAnywhere.

The threat actors gained access to internal sales information, including company names and contact information, as well as purchase orders from Rubrik distributors, according to CISO Michael Mestrovich in a public advisory.

Details at a glance:

Threat actors continue to exploit the vulnerability, known as CVE-2023-0669.
Ransomware group Cl0p has taken credit for attacks on more than 130 companies through the vulnerability, including Hitachi Energy, Proctor and Gamble, and Rubrik.
Rubrik did not comment on whether the incident involved ransomware. However, Cl0p published data belonging to the company on its dark web blog, appearing to include details of partner and customer business names, contact information, and purchase orders.

Read more here.

9. Twitter sought parties responsible for leaking source code on GitHub

In 2023, Twitter’s source code was leaked on GitHub, and Twitter executives alleged that a former employee could be responsible. The company filed a DMCA request to have the code removed and asked a court to order GitHub to identify the person and to get information on any other GitHub users who may have downloaded the data.

Details at a glance:

The New York Times reported that the source code might have been public for several months before someone removed it from GitHub.
Twitter submitted a court filing in California seeking to identify the individual accountable for the data breach.
The company also requested information about other users who may have accessed the data. The court filing included a request for GitHub to disclose the identities, addresses, phone numbers, email addresses, social media profiles, and IP addresses of these users, according to Bloomberg.
Although Twitter executives seemed to suspect a former employee, this provided little insight into the true culprit, considering Twitter terminated thousands of employees in 2023.

Read more here.

10. ChatGPT data breach confirmed as security firm warned of vulnerable component exploitation

Two incidents involving ChatGPT were reported at the end of March 2023. First, OpenAI confirmed a data breach related to ChatGPT’s use of “Redis-py, an open-source Redis client library,” that was introduced by a change made on March 20, according to SecurityWeek. Second, GreyNoise, a threat intelligence company, reported seeing the use of a ChatGPT component affected by an exploited vulnerability.

Details at a glance:

OpenAI introduced a bug that exposed chat data belonging to other users, revealing the titles of active users’ chat history and the first message of a newly created conversation.
The bug also exposed payment-related information belonging to 1.2% of ChatGPT Plus subscribers, including name, email, payment address, payment card expiration date, and the last four digits of the customer’s card number.
In a separate issue, GreyNoise issued a warning about a new ChatGPT feature that used plugins to expand the chatbot’s data-collecting capabilities.
SecurityWeek noted that the docker image version used in OpenAI’s example “is affected by CVE-2023-28432, a potentially serious information disclosure vulnerability.”
Exploiting this security flaw could lead to the disclosure of secret keys and root passwords, and GreyNoise has already observed attempts to exploit the vulnerability in the real world.

Read more here.

11. T-Mobile breached twice in 2023

In 2023, T-Mobile reported that threat actors leaked data from 37 million accounts between November 2022 and January 2023. On April 28th, the company revealed that attackers had breached it for the second time that year.

Details at a glance:

Threat actors gained access to the personal information of hundreds of account holders between late February and March 2023.
The attackers accessed sensitive data including names, addresses, government IDs, social security numbers, and T-Mobile account pins.
The breach impacted approximately 836 customers before T-Mobile discovered it on March 27.

Learn more here.

12. Cyberattack disrupted healthcare operations in five states

A cyberattack on a California-based healthcare provider forced the shutdown of emergency rooms and the diversion of ambulances in five states.

The ransomware attack in early August 2023 affected healthcare services in Connecticut, Pennsylvania, Rhode Island, and Texas. Prospect Medical Holdings was the Los Angeles healthcare provider at the heart of the incident.

Details at a glance:

Prospect Medical Holdings said it took its systems offline “to protect them and launched an investigation with the help of third-party cybersecurity specialists.”
The FBI confirmed that it has also launched an investigation into the breach.
According to CBS, “all Prospect Medical-owned health care facilities ‘are experiencing IT complications’ and many services including elective surgeries and urgent care have been closed.” Podiatry, wound care, women’s wellness, and gastroenterology services were also suspended.
“For the 13th straight year, the health care industry has reported the most expensive breaches of any field, averaging $11 million each,” said CBS News, based on data from IBM.

Learn more here.

13. MailChimp suffered its third breach in less than a year

On January 13, 2023, email marketing and newsletter service MailChimp disclosed a recent security incident—its third in nine months.

According to the company, “an unauthorized actor conducted a social engineering attack on MailChimp employees and contractors, and obtained access to select MailChimp accounts using employee credentials compromised in that attack.”

Details at a glance:

MailChimp discovered the unauthorized threat actor accessing their support tools on January 11, 2023.
The criminal hacker was able to access the data of 133 customers but did not compromise customers’ credit card or password information, according to the company.
MailChimp said it had already reached out to those affected but urged concerned customers to send an email to ciso@mailchimp.com if they had any questions.

Read more here.

The global average cost of a breach continues to rise, increasing 15% over the last three years. Data breaches affect companies of all sizes, and in every industry, and security professionals are aware there is no way to fully eliminate risk. However, practical measures, employee-focused training, and security tooling can help. You can learn more about protecting company and customer data here.