Data Protection Newsletter - December, Issue II

December 31, 2024

Summary

  • This article discusses in detail the top 5 sensitive data breaches of December 2024
  • National Public Data Breach
  • Finastra Data Breach
  • Change Healthcare Data Breach
  • Fidelity Data Breach
  • BSNL Data Breach

Top 5 Sensitive Data Breaches of 2024

National Public Data Breach

In April 2024, National Public Data (NPD) experienced a data breach that compromised the personal data of 2.4bn people living in the US, UK and Canada. The breach exposed sensitive information including names, addresses, Social Security numbers, dates of birth, and phone numbers. A hacker group called USDoD gained access to NPD's systems in December 2023 and began leaking the data onto the dark web in April 2024. The group offered the data for sale for $3.5 million. Many of the consumers in NPD's databases did not consent to giving their data to the company. The data was publicly released in various locations, making it difficult to contain. Class-action lawsuits were filed against NPD, alleging that the company did not properly secure its collected information. NPD filed for Chapter 11 bankruptcy on October 2, 2024.

Compliance Tip: Organizations must carefully assess and manage the risks associated with third-party vendors and their access to sensitive data.

Source: Spycloud

Finastra Data Breach

In November 2024, Finastra, a leading financial technology provider, experienced a significant data breach. Attackers used stolen or weak credentials to gain unauthorized access to Finastra's secure file transfer platform (SFTP), resulting in the exposure of sensitive data. The attackers successfully exfiltrated sensitive data, including financial records and customer information. The threat actors began selling the stolen data on the dark web, escalating the incident's severity. The breach tarnished Finastra's reputation and eroded customer trust. The company may face substantial financial penalties and legal ramifications. Customers of affected financial institutions may have experienced disruptions in their services.

Compliance Tip: Organizations must carefully assess and manage the risks associated with third-party vendors and their access to sensitive data.

Source: Forbes

Change Healthcare Data Breach 

In February 2024, Change Healthcare, a major healthcare technology company, experienced a significant data breach. A ransomware attack by the BlackCat group compromised the company's systems and led to the exfiltration of sensitive patient data. Hackers exploited a vulnerability in Change Healthcare's systems, deploying ransomware that encrypted critical data and disrupted operations. The attackers exfiltrated up to 6 terabytes of sensitive patient data, including financial records and personal information. The breach affected millions of individuals and disrupted healthcare operations across the United States. The company faced significant financial and reputational losses due to the breach, including ransom payments and legal costs. 

Compliance Tip: Update your cybersecurity systems to fend off ransomware attacks. 

Source: TechCrunch

Fidelity Data Breach 

In August 2024, Fidelity Investments, a leading financial services company, experienced a data breach that impacted approximately 77,099 customers. Attackers exploited vulnerabilities in Fidelity's systems to access and obtain sensitive customer information. Attackers gained unauthorized access to Fidelity's systems by creating fake customer accounts. The attackers exfiltrated sensitive customer data, including names, Social Security numbers, financial account data, and driver's license information. Fidelity notified affected customers of the breach and offered complimentary credit monitoring and identity restoration services. 

Compliance Tip: Implement systems and practices that are specifically designed to protect end-user personal data.

Source: Fox News

BSNL Data Breach 

In 2024, Bharat Sanchar Nigam Limited (BSNL), a major state-owned telecommunications company in India, experienced a significant data breach. Attackers exploited vulnerabilities in BSNL's systems, compromising sensitive user data. The BSNL data breach reportedly involves critical data, including International Mobile Subscriber Identity (IMSI) numbers, SIM card information, Home Location Register (HLR) specifics, DP Card Data, and even snapshots of BSNL’s SOLARIS servers, which can be misused for SIM cloning. The threat actor posted this information on the hacking forum BreachForums and shared samples of the breach to legitimize the claim. Overall, around 278GB of sensitive information was claimed to be compromised. The hacker also posted call log samples that leaked sensitive information such as users' mobile numbers, the date and duration of calls, and the amount charged for each call in Indian Rupees. The call log samples were leaked in two sets: one for the month of May 2024 and another from 2020. The threat actor was selling the alleged stolen data for $5,000.

Compliance Tip: Organizations must have a well-defined incident response plan that puts customers’ security and privacy at the forefront.

Source: The Cyber Express

Explore Leegality Consent Manager

We are pleased to invite you to access the Leegality Consent Manager Sandbox. Discover how our Leegality Consent Manager can streamline your data protection processes and ensure compliance with the DPDP Act. Our Consent Manager offers:

  • Compliant consent notices across all customer touchpoints
  • Storage of verifiable and auditable records of each consent
  • Dashboard for customers to change consent preferences and exercise data rights
  • Oversight over the data practices of your third parties

Explore Leegality Consent Manager for Your Business

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account