Organizations of all shapes and sizes can be affected by a data breach, but how a company reacts to the incident can be the difference between life and death. Over the past year, we have seen some excellent examples of how companies should respond to data breaches, but in the end, we have mostly learned how not to.
This year has been a bad one for data breaches.
The chipmaker said it was investigating a cyber incident in February and later described it as a data extortion event. The company wouldn't say how it was compromised, what data was stolen, or how many customers or employees were affected.
The now-notorious Lapsus$ gang quickly took responsibility for the breach and claimed it stole one terabyte of information. According to Have I Been Pwned, the hackers stole the credentials of more than 71,000 Nvidia employees.
Nvidia says hackers are leaking company data after cyberattack
In August, DoorDash approached TechCrunch with an offer to exclusively report on a data breach that exposed DoorDash customers' personal data. It was strange for the company to then decline to answer nearly every question we had about the news it wanted us to break.
The names, email addresses, delivery addresses and phone numbers of DoorDash customers were accessed by attackers, along with partial payment card information for a small group of users. For DoorDash delivery drivers, the data accessed was mostly names and phone numbers or email addresses.
DoorDash wouldn't say how many users were affected or how many users it has. DoorDash wouldn't say when it discovered that it was compromised, but it did say that the breach was caused by a third party.
DoorDash hit by data breach linked to Twilio hackers
Hours before the July 4th holiday, the Korean electronics giant dropped a bombshell, saying that its U.S. systems had been hacked and that customers' personal information had been stolen. The data taken included customers' precise geolocation data, along with browsing and other device data from their phones and TVs.
At the end of the year, the company still hasn't commented on the hack. Instead of using the time to write a post about how many customers were affected, Samsung used the weeks prior to its disclosure to draw up a new privacy policy and push it out on the very same day.
That was the company's main priority.
Parsing Samsung’s data breach notice
In September, the startup said that it had been hit by a cyberattack, and that an unauthorized third party had obtained access to the data of a small percentage of its customers.
It wasn't clear how many customers were affected. According to the company's website, the company has 20 million customers. According to the disclosure, 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area.
The company wouldn't say what type of data was accessed; its message said only that no card details, PINs or passwords were accessed. According to the data breach disclosure, hackers probably accessed partial card payment data, along with customers' names, addresses, email addresses, and phone numbers.
Revolut confirms cyberattack exposed personal data of tens of thousands of users
Advanced, an IT service provider for the U.K.'s National Health Service, confirmed in October that attackers stole data from its systems. A number of the organization's services were disrupted, including its patient management system, which helps non-emergency call handlers dispatch ambulances, and Carenotes, which is used by mental health trusts for patient information.
According to Advanced, Microsoft and Mandiant identified LockBit 3.0 as the malicious software used in the attack, but the company wouldn't say if patient data had been accessed. The company refused to say how many patients were potentially impacted or what types of data were stolen, but admitted that some data was copied and exfiltrated.
"The likelihood of harm to individuals is low and there is no evidence to suggest that the data in question is outside of our control," said Simon Short, Advanced's chief operating officer, who wouldn't say if patient data is affected or if Advanced has the means to detect whether data was stolen.
NHS vendor Advanced won’t say if patient data was stolen during ransomware attack
In October, U.S. messaging giant Twilio confirmed it was hit by a second hack. The update to its incident report contained little information about the nature of the breach or its impact on customers.
A copy of the notice that the company claims to have sent to those affected by the June breach was not shared with the public. Remzi wouldn't say why Twilio took four months to reveal the incident.
Twilio hack investigation reveals second breach, as the number of affected customers rises
Thousands of customers worldwide were left without access to their data, including archived email, contacts and calendar items, after a ransomware attack on December 2. Rackspace was criticized for saying little about the incident and for not restoring the data.
In one of the company's first updates, published on December 6, it said that if sensitive information was affected, it would "notify customers as appropriate." At the end of December, customers still don't know whether their sensitive information was stolen.
Rackspace blames ransomware attack for ongoing Exchange outage
Three days before Christmas, the password manager LastPass confirmed that it had been hacked and the keys to its password vaults had been stolen. The 33 million customers of LastPass, whose password vaults are only as secure as the customer master passwords used to lock them, will be unaffected by the incident.
The security community criticized LastPass because it said there was no action for customers to take. Based on a read of the data breach notice, LastPass knew that customers' password vaults could have been stolen as early as November, after the company confirmed its cloud storage was accessed using a set of an employee's cloud storage keys.
The breach was LastPass's fault, and its handling of it was terrible. Can the company survive? Possibly. But LastPass has sealed its reputation through its terrible handling of the data breach.
Parsing LastPass’ data breach notice