IT Governance, the global provider of cyber risk and privacy management solutions, discovered that more than 867 million records were compromised in 114 publicly disclosed security incidents in October 2023.
The number of records compromised in October shows a staggering 8,578% increase against October 2022 and only a 77% decrease in contrast to September 2023.
Three of the biggest data breaches impacted the ICMR (Indian Council of Medical Research), 23andMe, and Redcliffe Labs.
On 9 October, the cyber security company Resecurity discovered a listing on the dark web that offered to sell data exfiltrated from the ICMR.
The data reportedly comprised the personal information of 815 million Indian residents, believed to have been extracted from the ICMR’s COVID-testing database. According to Resecurity, the exposed data included sensitive details such as names, ages, genders, addresses, passport numbers and Aadhaar numbers (a 12-digit government identification number)
On 2 October, a criminal hacker called ‘Golem’ leaked the data of 1 million Ashkenazi Jews, stolen from the consumer genetics and research company 23andMe. Later in the month, they released a further 4.1 million genetic data profiles of people in the UK and Germany. According to 23andMe, the data was accessed via a credential-stuffing attack, in which the attacker used weak passwords or credentials stolen in other data breaches to gain access to the organisation’s database.
‘Golem’ claims to have exfiltrated 20 million 23andMe data records, which suggests further data leaks are a possibility.On 25 October, the cyber security researcher Jeremiah Fowler discovered an unsecured database containing 12,347,297 data records belonging to Redcliffe Labs, a medical diagnostic company in India.
Fowler immediately notified Redcliffe Labs, which took action to restrict access to the database on the same day. It is not known how long the database was exposed, or whether it was accessed by criminals.
Alan Calder, the founder and executive chairman of IT Governance, said, “These recent breaches highlight the urgency for organisations, especially those handling sensitive medical and genetic data, to ramp up their cyber security measures. The significant increase in compromised records compared to last year indicates a rise in sophisticated cyber threats.
“It’s important to recognise that relying solely on technology is not the solution. Organisations should implement a defence-in-depth approach to cyber security, which encompasses robust access controls, encryption, regular audits and thorough employee training.
“Boards and senior management must shoulder their responsibilities. Governments and regulators are reinforcing this message through laws compelling ownership of cyber risk. This includes gaining the necessary skills and competencies to implement effective GRC (governance, risk management and compliance) strategies.
“Ultimately, cyber security requires an ongoing and dynamic effort. Organisations must remain vigilant, adapt to emerging threats and implement best practices to protect sensitive data.”