Top ten biggest security incidents of 2023


Threat actors have thrived in this year's environment of ongoing cyberwars and economic and geopolitical uncertainty, bringing all their tools and ingenuity to bear. Let's look at the ten high-profile cybersecurity incidents that scarred 2023 the most, as chosen by ESET researchers.

Most of these incidents were caused by well-established threat actors specializing in ransomware or data theft. Occasionally, human error or a malicious insider was the cause.

External actors are responsible for the vast majority (83%) of breaches, and financial gain is the motive behind almost all (95%) of them, according to Verizon's Data Breach Investigations Report.

Here are ESET’s picks for the ten biggest cyber attacks of 2023, in no particular order.

1. MOVEit

A straightforward playbook produced one of the largest cyber incidents in years. The Russia-linked ransomware syndicate Cl0p exploited a zero-day vulnerability in Progress Software's MOVEit Transfer, a widely used managed file transfer product, to gain access to customer environments. It then exfiltrated as much data as possible to hold for ransom. Some estimates suggest that more than 2,600 organizations and in excess of 83 million individuals were affected.

Organizations use MOVEit Transfer to exchange files with their clients over secure channels, so the attackers gained access to extremely sensitive data. Because many of the affected organizations were themselves suppliers or service providers to others, the downstream impact was amplified.

Progress Software released a patch on May 31, the same day it disclosed the vulnerability.

The US government is now offering a $10 million reward for information linking the Cl0p ransomware gang to a foreign government.

2. The UK Electoral Commission

The UK Electoral Commission disclosed a data breach that exposed the personal details of anybody who was registered to vote in the country between 2014 and 2022. Threat actors stole personal information on an estimated 40 million voters on the electoral register.

While a "complex" cyberattack was blamed for the incident, later reports suggested the Commission's security posture was poor: the organization had failed a Cyber Essentials baseline security audit.

A Microsoft Exchange server had been left unpatched, and it took the Commission ten months to notify the public. ESET notes claims that threat actors may have been probing the Commission's network since August 2021.

3. The Police Service of Northern Ireland (PSNI)

The PSNI announced in August that an employee accidentally posted sensitive internal data to the WhatDoTheyKnow website in response to a Freedom of Information (FOI) request. The information included the names, ranks, and departments of about 10,000 officers and civilian staff, including those working in surveillance and intelligence.

Although the data was online for only two hours before being taken down, that was enough time for it to circulate among Irish republican dissidents, who disseminated it further. The officers' trade union said the breach caused "incalculable damage."

This incident is both an insider breach and one in which a relatively small number of victims may suffer an outsized impact.

4. DarkBeam

The biggest data breach of the year saw 3.8 billion records exposed by digital risk platform DarkBeam after it left an Elasticsearch and Kibana interface misconfigured and reachable without authentication. The leaked logins gave cybercriminals almost limitless attack options, according to Cybernews, which was first to report the exposure.

Security researchers noticed the exposure and notified the firm, which corrected the issue quickly.

“It’s unclear how long the data had been exposed for or if anyone had accessed it previously with nefarious intent. Ironically, the data haul contained emails and passwords from both previously reported and unreported data breaches. It’s another example of the need to closely and continuously monitor systems for misconfiguration,” ESET writes.
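As an added example of the kind of continuous check that quote calls for (this is not DarkBeam's, Cybernews's or ESET's code), here is a small Python audit that probes an inventory of Elasticsearch and Kibana endpoints without any credentials and reports which ones answer with service metadata. The host list, the canned responses and the `fake_fetch` helper are constructed for the demonstration; `http_get` is the real fetcher you would inject for a live run. The probe paths (`/` on Elasticsearch, `/api/status` on Kibana) are the services' default status endpoints, and the classification is a heuristic, not an authoritative fingerprint.

```python
"""Audit hosts for Elasticsearch and Kibana interfaces readable without credentials.

Added example, not DarkBeam's, Cybernews's or ESET's code. The inventory and the
canned responses are constructed; `fetch` is injectable so the audit runs offline
here and against a real HTTP client in production.
"""
import json
import urllib.error
import urllib.request

# Constructed inventory of (host, port, service) to check.
ENDPOINTS = [
    ("10.0.0.10", 9200, "elasticsearch"),
    ("10.0.0.11", 9200, "elasticsearch"),
    ("10.0.0.12", 5601, "kibana"),
    ("10.0.0.13", 9200, "elasticsearch"),
]

# Default status paths: Elasticsearch reports cluster metadata at "/",
# Kibana at "/api/status".
STATUS_PATH = {"elasticsearch": "/", "kibana": "/api/status"}


def http_get(url, timeout=5):
    """Real fetcher: anonymous GET returning (status, body); no credentials are ever sent."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(service, status, body):
    """Turn an anonymous response into a verdict.

    open          - service answered with its metadata, so anyone who can reach it can read it
    auth-required - 401/403 from a security layer, which is the state we want
    unreachable   - no HTTP answer (firewalled, down, or nothing listening)
    unknown       - something answered, but not recognisably this service
    """
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if not isinstance(doc, dict):
            return "unknown"
        if service == "elasticsearch" and "cluster_name" in doc and "version" in doc:
            return "open"
        if service == "kibana" and isinstance(doc.get("status"), dict):
            return "open"
    return "unknown"


def audit(endpoints=ENDPOINTS, fetch=http_get):
    """Probe every endpoint anonymously; return {"host:port": verdict}."""
    results = {}
    for host, port, service in endpoints:
        status, body = fetch(f"http://{host}:{port}{STATUS_PATH[service]}")
        results[f"{host}:{port}"] = classify(service, status, body)
    return results


def exposed(results):
    """The endpoints that need attention first."""
    return sorted(k for k, v in results.items() if v == "open")


def fake_fetch(url):
    """Constructed responses standing in for the four hosts in ENDPOINTS."""
    canned = {
        "http://10.0.0.10:9200/": (200, json.dumps(
            {"name": "node-1", "cluster_name": "prod-logs", "version": {"number": "8.9.0"}})),
        "http://10.0.0.11:9200/": (401, json.dumps(
            {"error": {"type": "security_exception", "reason": "missing authentication credentials"}})),
        "http://10.0.0.12:5601/api/status": (200, json.dumps(
            {"name": "kibana-1", "status": {"overall": {"level": "available"}}})),
        "http://10.0.0.13:9200/": (None, ""),
    }
    return canned[url]


if __name__ == "__main__":
    verdicts = audit(fetch=fake_fetch)       # swap in fetch=http_get for a live run
    for endpoint, verdict in verdicts.items():
        print(f"{endpoint:<18} {verdict}")
    print("exposed:", exposed(verdicts))
```

Run it from a scheduler against your real inventory (cloud asset tags, DNS, or a port-scan export) and alert on anything that moves from "auth-required" to "open"; the "unknown" bucket is worth a human look too, since it often means a service has been put behind a proxy or has changed version.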

5. Indian Council of Medical Research (ICMR)

Another mega-breach, one of India's biggest, came to light in October when a threat actor put the personal information of 815 million residents up for sale for $80,000. The data was allegedly exfiltrated from the ICMR's COVID-testing database and included name, age, gender, address, passport number, and Aadhaar number (the national government ID). That is particularly damaging because it gives criminals everything they need to attempt a range of identity fraud attacks: Aadhaar is used in India as a digital ID and for bill payments and Know Your Customer checks.

6. 23andMe

A threat actor using the alias Golem claimed to have stolen 20 million pieces of data from the US-based genetics and research company. The entry point was classic credential stuffing: username and password pairs leaked in earlier, unrelated breaches were replayed against 23andMe's login page, and the accounts whose owners had reused those passwords were taken over.

For those users who had opted into the DNA Relatives service on the site, the threat actor was then able to access and scrape many more data points from potential relatives. Among the information listed in the data dump were things like profile photo, gender, birth year, location, and genetic ancestry results, ESET noted.
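To make the technique concrete, here is an added Python example (not 23andMe's detection logic, and not code from the original article) that runs over a constructed authentication log and flags source addresses whose pattern matches credential stuffing: many distinct accounts tried from one address in a short window, almost all failing, with the rare successes being the reused passwords that still work. The log format, the thresholds (`min_users`, `min_fail_ratio`, the 10-minute window) and the sample lines are assumptions made for the demonstration.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example: the log format, thresholds and sample lines are constructed
for this demonstration (assumptions), not 23andMe's telemetry or rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format, one event per line, e.g.
#   2023-10-01T12:00:00 login fail user=alice ip=203.0.113.5
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(lines):
    """Parse log lines into sorted (timestamp, result, user, ip) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return sorted(events)


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=20, min_fail_ratio=0.8):
    """Return {ip: summary} for source IPs that, within any `window`, tried at least
    `min_users` distinct accounts and failed on `min_fail_ratio` or more of the attempts.

    One user mistyping their own password is a single-account pattern and is not
    flagged; stuffing is recognisable because it spreads across many accounts.
    The summary reported is the widest qualifying window seen for that IP.
    """
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, _, u in chunk}
            fails = sum(1 for _, r, _ in chunk if r == "fail")
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if ip not in flagged or len(chunk) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(chunk),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        # successes inside a stuffing burst are the accounts to lock and reset
                        "compromised_accounts": sorted(u for _, r, u in chunk if r == "ok"),
                    }
    return flagged


def sample_log():
    """Constructed sample: one stuffing source, normal traffic, and one fat-fingered user."""
    t0 = datetime(2023, 10, 1, 12, 0, 0)
    lines = []
    # Attacker at 198.51.100.9 replays 40 leaked username/password pairs, 6 s apart;
    # two of them still work because those users reused a breached password.
    for i in range(40):
        result = "ok" if i in (7, 23) else "fail"
        lines.append(f"{(t0 + timedelta(seconds=6 * i)).isoformat()} login {result} "
                     f"user=user{i:03d} ip=198.51.100.9")
    # Normal users logging in successfully from their own addresses.
    for i in range(5):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} login ok "
                     f"user=staff{i} ip=203.0.113.{10 + i}")
    # One legitimate user who gets their own password wrong three times, then right.
    for i, r in enumerate(["fail", "fail", "fail", "ok"]):
        lines.append(f"{(t0 + timedelta(minutes=2, seconds=20 * i)).isoformat()} "
                     f"login {r} user=bob ip=203.0.113.50")
    return lines


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_events(sample_log())).items():
        print(ip, info)
```

In production the same logic runs over your identity provider's sign-in events rather than a text log. Note that it keys on the source address, so a campaign spread across a large proxy pool will slip under `min_users` per IP; pairing it with a global "distinct accounts failing per minute" rate and with screening of new passwords against known-breached lists covers that gap.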

7. Rapid Reset DDoS attacks

A zero-day weakness in the HTTP/2 protocol, disclosed in October, enabled threat actors to launch some of the biggest DDoS attacks ever seen. The flaw lies in stream handling: a client may open a request stream and cancel it immediately, and because a cancelled stream no longer counts against the server's concurrent-stream limit, an attacker can fire request-and-cancel pairs far faster than that limit was meant to allow, while the server still does the work for each request. Google said the attacks it saw peaked at 398 million requests per second (rps), versus the previous record of 46 million rps. The good news is that internet giants like Google and Cloudflare have deployed mitigations, but firms that run their own internet-facing HTTP/2 servers were urged to patch immediately.
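An added illustration of why the attack works and how a per-connection reset budget stops it. This is a simplified model written for this article, not code from Google, Cloudflare or any HTTP/2 implementation: frames are reduced to `(type, stream_id)` tuples, and the stream limit of 100, the budget of 50 resets per second and the client timings are assumed values. The unmitigated connection enforces only the concurrent-stream limit; the guarded one also closes the connection with GOAWAY once the client cancels too many streams per second, while a normal client that occasionally cancels a request is unaffected.

```python
"""Simplified model of HTTP/2 Rapid Reset and a per-connection reset budget.

Added illustration, not code from Google, Cloudflare or any HTTP/2 server.
Frames are reduced to (type, stream_id) tuples; the stream limit, the reset
budget and the client timings are assumed values chosen for the demonstration.
"""
from collections import deque


class Http2Connection:
    """Server-side view of one connection.

    Enforces SETTINGS_MAX_CONCURRENT_STREAMS on open streams and, optionally,
    a budget on how many RST_STREAM frames the peer may send per second
    before the server answers with GOAWAY and drops the connection.
    """

    def __init__(self, max_concurrent_streams=100, max_resets_per_second=None):
        self.max_concurrent_streams = max_concurrent_streams
        self.max_resets_per_second = max_resets_per_second  # None = unmitigated server
        self.open_streams = set()
        self.peak_open_streams = 0
        self.recent_resets = deque()    # timestamps of RST_STREAM frames in the last second
        self.requests_dispatched = 0    # units of backend work the client triggered
        self.closed = False

    def receive(self, frame, now):
        """Process one client frame at time `now` (seconds).

        Returns the server's reaction: 'ok', 'refused' (stream limit hit,
        i.e. REFUSED_STREAM) or 'goaway' (connection closed).
        """
        if self.closed:
            return "goaway"
        kind, stream_id = frame
        if kind == "HEADERS":                       # client opens a new request stream
            if len(self.open_streams) >= self.max_concurrent_streams:
                return "refused"                    # the limit works as designed here
            self.open_streams.add(stream_id)
            self.peak_open_streams = max(self.peak_open_streams, len(self.open_streams))
            self.requests_dispatched += 1           # handler / upstream work starts now
            return "ok"
        if kind == "RST_STREAM":                    # client cancels the stream
            self.open_streams.discard(stream_id)    # frees a concurrency slot at once
            if self.max_resets_per_second is not None:
                self.recent_resets.append(now)
                while self.recent_resets and now - self.recent_resets[0] > 1.0:
                    self.recent_resets.popleft()
                if len(self.recent_resets) > self.max_resets_per_second:
                    self.closed = True
                    return "goaway"
            return "ok"
        if kind == "END_STREAM":                    # response finished normally
            self.open_streams.discard(stream_id)
            return "ok"
        raise ValueError(f"unknown frame type {kind!r}")


def open_without_reset(conn, streams=300):
    """Client that only opens streams: the concurrency limit refuses the excess."""
    return sum(conn.receive(("HEADERS", 2 * i + 1), 0.0) == "refused" for i in range(streams))


def rapid_reset_attack(conn, pairs=10_000, interval=0.0001):
    """Client opens a stream and resets it immediately, `pairs` times, 0.1 ms apart.

    Returns (requests the server dispatched, whether it closed the connection).
    """
    now = 0.0
    for i in range(pairs):
        stream_id = 2 * i + 1                       # client-initiated streams are odd
        if conn.receive(("HEADERS", stream_id), now) == "goaway":
            break
        conn.receive(("RST_STREAM", stream_id), now)
        now += interval
    return conn.requests_dispatched, conn.closed


def well_behaved_client(conn, requests=500, interval=0.01):
    """Normal client: lets responses finish, cancels one in twenty-five. Returns conn.closed."""
    now = 0.0
    for i in range(requests):
        stream_id = 2 * i + 1
        conn.receive(("HEADERS", stream_id), now)
        if i % 25 == 0:                             # a user hitting 'stop' now and then
            conn.receive(("RST_STREAM", stream_id), now)
        else:
            conn.receive(("END_STREAM", stream_id), now)
        now += interval
    return conn.closed


if __name__ == "__main__":
    print("open-only flood, streams refused:", open_without_reset(Http2Connection(100)))
    naive = Http2Connection(max_concurrent_streams=100)
    print("unmitigated, rapid reset:", rapid_reset_attack(naive), "peak open:", naive.peak_open_streams)
    guarded = Http2Connection(max_concurrent_streams=100, max_resets_per_second=50)
    print("with reset budget, rapid reset:", rapid_reset_attack(guarded))
    print("with reset budget, normal client closed:", well_behaved_client(Http2Connection(100, 50)))
```

The model shows the core of the problem: against the unmitigated server the attacker never has more than one stream open, so the concurrency limit never fires, yet every request is dispatched; with the budget the server stops after a handful of requests. Real servers count resets in different ways (some count cancelled requests against the connection's request limit, others cap in-flight handler work), but the principle is the same.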

8. T-Mobile

The US wireless carrier has suffered many security breaches in recent years, but the one it revealed in January was among its biggest to date. A threat actor stole customer addresses, phone numbers, and dates of birth belonging to 37 million customers.

A second incident, disclosed in April, affected only around 800 customers but exposed many more data points, including T-Mobile account PINs, Social Security numbers, government ID details, dates of birth, and internal codes the firm uses to service customer accounts.

9. MGM Resorts International/Caesars

Two of the biggest names in Las Vegas were hit within days of each other by the same ALPHV/BlackCat ransomware affiliate, known as Scattered Spider. In MGM's case, the attackers gained network access with nothing more than some LinkedIn research followed by a vishing call in which they impersonated the IT department and asked an employee for their credentials. The compromise nonetheless took a major financial toll: MGM was forced to shut down major IT systems, which disrupted slot machines, restaurant management systems, and even room key cards for days, and the firm estimated the cost at $100M. The cost to Caesars is unclear, although the company admitted paying its extortionists $15M.

10. The Pentagon Leaks

Jack Teixeira, a 21-year-old member of the intelligence wing of the Massachusetts Air National Guard, leaked highly sensitive military documents to gain bragging rights in his Discord community.

The documents were subsequently shared on other platforms and reposted by Russian accounts tracking the war in Ukraine, handing Russia a trove of military intelligence for that war and undermining America's relationship with its allies. Remarkably, Teixeira was able to print top-secret documents, take them home, photograph them, and upload the images.