98 million records compromised by cybersecurity breaches

IT Governance, the global provider of cyber risk and privacy management solutions, discovered that in May 2023, more than 98 million records were compromised by cyber attacks worldwide as a result of 98 publicly disclosed security incidents. These statistics show a 97% increase against May 2022 and a 2,156% increase from April 2023.  

Three of the biggest data breaches impacted Luxottica, MCNA Insurance and PharMerica. 

Late last year, rumours surfaced about Luxottica being the subject of a cyber attack. The major eyewear company, which produces brands including Oakley and Ray-Ban, had experienced security incidents before. More than 800,000 patients of EyeMed and Lenscrafters were impacted by a data breach in August 2020, and operations were disrupted in Italy and China the following month by a ransomware attack. 

At first, it was thought that the most recent data breach might be related to these occurrences. But cyber security expert Andrea Draghetti found that the data was exfiltrated on 16 March 2021, pointing to a different, undisclosed breach. The 305 lines of stolen information contain 74.4 million distinct email addresses and 2.6 million distinct domain email addresses. 

The stolen data was initially offered for sale on the Breached hacking forum but was later leaked in its entirety for free. The database, according to the seller, contained the full names, email addresses, home addresses and dates of birth of customers. Luxottica notified the FBI and the Italian police, and an investigation is ongoing. The website holding the material has been taken down, and its proprietor is in custody. 

MCNA Insurance, also known as MCNA Dental, experienced a cyber incident that affected 112 covered entities. The organisation made the breach public the Friday before the US’s Memorial Day weekend at the end of May. Among the leaked data were patients’ first and last names, home addresses, dates of birth, phone numbers, email addresses, Social Security numbers, driver’s licence numbers, and other government-issued IDs – all of which varied depending on the individual. 
In addition, the attackers gained information about health insurance plans, insurance providers, member numbers, Medicaid-Medicare ID numbers, the services that patients received, their invoices, and insurance claims. 

Some 8,923,662 people were impacted by the breach, which was the result of a ransomware attack, according to MCNA Insurance. The incident occurred between 27 February and 7 March and the material was leaked on the dark web by the attackers in April, but the organisation didn’t disclose the incident until 26 May. 

Meanwhile, in May, US pharmacy network PharMerica disclosed a data breach affecting 5.8 million patients that occurred earlier this year. The network informed the Maine Attorney General’s Office that between 12 and 13 March attackers gained unauthorised access to its computer systems. 

The compromised personal data included patients’ names, addresses, dates of birth, Social Security numbers, health insurance information and medical data. PharMerica has recommended executors or surviving family members to get in touch with national credit reporting agencies to report the breach because the stolen data in certain cases relates to people who have died. 

PharMerica did not specify how the incident occurred, although there are rumours that a ransomware attack may have been the cause. One criminal gang claimed responsibility for targeting the organisation and encrypting its systems, but PharMerica has not mentioned ransomware in its public statements or breach disclosure. 

Here is a condensed list of the four categories that IT Governance outlines as part of its monthly data breaches analysis, which this month includes the following organisations: 

• Cyber attacks – Luxottica Group, NextGen, United States Postal Service, Credit Control Corporation, US Transportation Department, Charter Foods, OT&P Healthcare, Bristol Community College, The Metropolitan Opera, ASAS Health, WhizComms, PillPack, Fontainebleau Florida Hotel. 
• Ransomware – MCNA Insurance, PharMerica, Enzo Biochem, Apria Healthcare, Brightline, Buckley King, Whitworth University, McPherson Hospital, Crown Princess Mary Cancer Centre. 
• Data breaches – Toyota, Indiana University, NT Health, New Mexico Department of Health, South Africa’s Department of Justice, the NHS. 
• Malicious insiders and miscellaneous incidents – the NHS. 

The full list of incidents with further details is available here. 

Alan Calder, Founder and Executive Chairman of IT Governance, commented: “The breaches at Luxottica, MCNA Insurance and PharMerica in May 2023 highlight the expanding threats companies face from cyber attacks. 

“Luxottica’s security breach serves as a reminder of the value of preventive security measures. To reduce the danger of undetected breaches and data exfiltration, organisations must conduct thorough risk assessments and prioritise the adoption of strong security policies. 

“Attacks using ransomware, like the one that affected MCNA Insurance, continue to be a serious concern. Organisations should use a multi-layered approach to security, including frequent backups, network segmentation and strict access controls, to safeguard themselves. Employee phishing awareness training and the adoption of advanced threat detection technologies can also help detect and mitigate such attacks before they cause substantial harm. 

“The data breach at PharMerica demonstrates the importance of prompt notification. Organisations should have an incident response strategy in place to quickly identify and respond to breaches, working in tandem with law enforcement. Sensitive data can be further protected by using encryption and data anonymisation techniques, which can also lessen the effects of unauthorised access. 

“Organisations must approach cyber security in a proactive and comprehensive manner. This entails conducting frequent security audits, offering training to employees and keeping up with the most recent security procedures. Organisations may better secure their sensitive data and reduce the risk of falling victim to increasingly complex cyber threats by investing in strong security measures and building a culture of cyber security awareness.” 

IT Governance is committed to helping organisations address the threat of cyber crime and other information security flaws. We provide a range of resources, including training courses, consultancy services and free guides, to help organisations understand and reduce dangers.