TechRadar
Zoran Danilovic

5 massive privacy scandals that rocked the world – and made millions of victims

Data Privacy Week 2025

If you didn’t know already, now you do – it’s Data Privacy Week (January 27th to 31st)! The brainchild of the National Cybersecurity Alliance, it aims to arm you with everything you need to spot and avoid the biggest risks to your data privacy and “Take control of your data”.

Personal information, by definition, is meant to stay private. It’s a concept so deeply ingrained in our collective psyche that saying it out loud feels almost redundant. Yet, in those rare and baffling moments when it is said – like when the SEC reminded Ticketmaster of this fundamental truth during their lawsuit – it feels almost surreal.

But here’s the thing: breaches and leaks still happen. They range from the trivial – like granting a social media app access to your microphone, only to find yourself swamped with weight-loss training videos suspiciously similar to that Saturday brunch conversation with a friend – to the blockbuster-scale (online) heist where 560 million people’s private data spilled into the public domain. It’s clear that privacy is still under siege.

It’s proof that privacy, while essential, is far from guaranteed. So, to honor Data Privacy Week, I’ll be diving into some of the biggest privacy scandals of the past year, examining how they happened and the lasting impact they had on the lives of those affected.

1. Ticketmaster data breach

On May 20, 2024, Ticketmaster flagged "unauthorized activity" in a third-party database, later revealed to be Snowflake. Initially, it seemed like a minor breach – or at least, it was presented that way – but Ticketmaster's 8-K filing with the SEC painted a much different picture. This wasn’t just a minor issue – it was massive.

Hacker group ShinyHunters infiltrated Ticketmaster’s (third-party) database, obtaining 1.3 terabytes of personal information from 560 million users. The compromised data included payment details, names, email addresses, phone numbers, event details, and even partial payment card data.

By May 27, 2024, the hacker group offered the stolen user data for sale on the dark web for $500,000. Ticketmaster and Snowflake confirmed the breach and notified affected individuals. They also alerted law enforcement and began cooperating in the ongoing investigation. But they couldn't dodge the inevitable lawsuit.

This breach led to four class-action lawsuits against Ticketmaster and its parent company, Live Nation Entertainment Inc., alongside their ongoing antitrust lawsuit. While unfortunate, at least for those whose privacy was affected by the provider's (in)action, this event serves as a reminder of the risks to our personal data, even in trusted systems.

2. AT&T data breach

In 2022, AT&T was caught up in a massive data breach, with the telecom giant admitting that "tens of millions" of customers had been affected. It was later revealed that the data stolen was from an AT&T workspace and downloaded through an unsecured third-party cloud vendor.

While the contents of personal calls and texts were, thankfully, excluded from the breach, the exposed data still revealed an alarming amount of sensitive information.

The breach consisted primarily of call and text records from millions of AT&T customers, with details about who they had been in contact with, how long those interactions lasted, and how frequently they occurred. While user names or social security numbers remained unexposed, the nature of such data made it a target of interest for cybercriminals.

Hackers could leverage the information to build a detailed profile of affected customers – who they communicate with, when, and how often – providing ample opportunity for fraud and scams.

In a twist that only adds fuel to the fire, AT&T reportedly paid the hacker group ShinyHunters (sound familiar?) a staggering $370,000 in Bitcoin to delete the stolen data.

We can only speculate whether this was a brilliant, selfless act or a desperate plea to ensure the breach wouldn’t cause more harm. Yet, here comes another plot twist: the video evidence of data deletion was hardly conclusive. Copies of the stolen data could still be circulating on the dark web.

The breach’s aftermath? AT&T was confronted with a class-action lawsuit, and customers sought compensation for the distress and potential risks of identity theft. In response, AT&T tried to reassure the public that the breach was under control.

Still, despite this common courtesy, this case remains a chilling reminder that even the giants aren’t immune to mishandling personal data.

3. Roku cyberattack

In April 2024, Roku, a popular TV streaming service, confirmed two major cyberattacks: one affected 15,000 customers, while the other compromised around 576,000 accounts. The breaches were caused by credential stuffing, a form of cyberattack in which hackers use login credentials stolen in other breaches to access accounts, in this case Roku accounts.

Roku clarified that its systems were not breached, and no sensitive financial data, such as full credit card numbers, was exposed. However, in fewer than 400 cases, unauthorized purchases were made using stored payment information.

Roku responded by resetting passwords, implementing mandatory multi-factor authentication (MFA) for all users, and offering refunds for affected accounts.

The company expressed regret for the incidents and emphasized its commitment to improving security.

4. Change Healthcare ransomware attack

In February 2024, Change Healthcare, one of the largest payment processing companies in the world and a major subsidiary of UnitedHealth Group, was hit by a massive ransomware attack that compromised the personal and healthcare data of 190 million individuals.

The attack, attributed to the BlackCat ransomware group, exploited a vulnerability in the company’s Citrix remote access service, which lacked multi-factor authentication.

As a result of this massive oversight, hackers gained access to sensitive data, including health insurance member IDs, medical records, and personal identifiers, and stole about six terabytes of information.

This caused significant distress across the entire US healthcare system, which was expected given the nature of the attack. The cyberattack also affected Change Healthcare’s processing network. Consequently, prescription processing was delayed, and pharmacies were forced to charge full prices instead of accepting discount cards. The breach also caused widespread system outages, with many login pages remaining offline for days.

In an attempt to recover the stolen data, UnitedHealth paid a $22 million ransom. But, as one can imagine, given the narrative of this article, the attackers executed an exit scam, seizing the ransom payment before partnering with another group, RansomHub.

The situation quickly went from bad to worse when some compromised data was leaked online. Meanwhile, the BlackCat group demanded additional payments for the remaining stolen information.

The breach resulted in an estimated $2 billion in losses for UnitedHealth and raised serious concerns about cybersecurity vulnerabilities within the healthcare industry.

5. Salt Typhoon operation

The Salt Typhoon operation, uncovered in early 2024, stands as one of the most alarming privacy scandals of the year, revealing the vulnerabilities of national security and private data.

Salt Typhoon, a group widely believed to have strong ties to the Chinese government, launched sophisticated attacks targeting critical infrastructure across several countries, including the US, where eight telecoms were compromised.

In an operation that, as was later revealed, lasted for years, cybercriminals attempted to steal sensitive personal and business data, including financial records, intellectual property, and government communications. By exploiting weak points in industrial control systems, the attackers infiltrated private networks with alarming ease.

To make the situation even worse, they utilized advanced malware and phishing tactics, making detection and containment incredibly difficult.

This security breach affected thousands of individuals, organizations, and telecommunications companies, including Verizon, Lumen Technologies, T-Mobile, and (wouldn't you know) AT&T.

Following a barrage of attacks, Salt Typhoon stole highly sensitive data critical to national security, raising serious questions about the potential long-term consequences.

In response to this "unprecedented cyberattack," the US cybersecurity watchdog, CISA, urges citizens to use only secure, end-to-end encrypted messaging apps like Signal to safeguard their mobile communications.

Experts also advise regularly updating operating systems across any and all devices to eliminate security vulnerabilities and warn against using unsecured virtual private network (VPN) providers with questionable security and privacy policies. Instead, you're better off sticking to today's most secure VPNs.
