Featured Article

It’s all in the (lack of) details: 2022’s badly handled data breaches

Comment

strips of yellow caution tape on a blue vignette background
Image Credits: Getty Images

Data breaches can be extremely harmful to organizations of all shapes and sizes — but it’s how these companies react to the incident that can deal their final blow. While we’ve seen some excellent examples of how companies should respond to data breaches over the past year — kudos to Red Cross and Amnesty for their transparency — 2022 has been a year-long lesson in how not to respond to a data breach.

Here is a look back at this year’s badly handled data breaches.

Nvidia

Chipmaker giant Nvidia confirmed it was investigating a so-called “cyber incident” in February, which it later confirmed was a data extortion event. The company refused to say much else about the incident, and, when pressed by TechCrunch, declined to say how it was compromised, what data was stolen, or how many customers or employees were impacted.

While Nvidia stayed tight-lipped, the now-notorious Lapsus$ gang quickly took responsibility for the breach and claimed it stole one terabyte of information, including “highly confidential” data and proprietary source code. According to data breach monitoring website Have I Been Pwned, the hackers stole the credentials of more than 71,000 Nvidia employees, including email addresses and Windows password hashes.

Nvidia says hackers are leaking company data after cyberattack attack

DoorDash

In August, DoorDash approached TechCrunch with an offer to exclusively report on a data breach that exposed DoorDash customers’ personal data. Not only is it unusual to be offered news of an undisclosed breach before it’s announced, it was even stranger to have the company decline to answer nearly every question about the news it wanted us to break.

The food delivery giant confirmed to TechCrunch that attackers accessed the names, email addresses, delivery addresses and phone numbers of DoorDash customers, along with partial payment card information for a smaller subset of users. It also confirmed that for DoorDash delivery drivers, or Dashers, hackers accessed data that “primarily included name and phone number or email address.”

But DoorDash declined to tell TechCrunch how many users were affected by the incident — or even how many users it currently has. DoorDash also said that the breach was caused by a third-party vendor, but declined to name the vendor when asked by TechCrunch, nor would it say when it discovered that it was compromised.

DoorDash hit by data breach linked to Twilio hackers

Samsung

Hours before a long July 4 holiday, Samsung quietly dropped notice that its U.S. systems were breached weeks earlier and that hackers had stolen customers’ personal information. In its bare-bones breach notice, Samsung confirmed unspecified “demographic” data, which likely included customers’ precise geolocation data, browsing and other device data from customers’ Samsung phones and smart TVs, was also taken.

Now at year’s end, Samsung still hasn’t said anything further about its hack. Instead of using the time to draft a blog post that says which, or even how many customers are affected, Samsung used the weeks prior to its disclosure to draw up and push out a new mandatory privacy policy on the very same day of its breach disclosure, allowing Samsung to use customers’ precise geolocation for advertising and marketing.

Because that was Samsung’s priority, obviously.

Parsing Samsung’s data breach notice

Revolut

Fintech startup Revolut in September confirmed it was hit by a “highly targeted cyberattack,” and told TechCrunch at the time that an “unauthorized third party” had obtained access to the details of a small percentage (0.16%) of customers “for a short period of time.”

However, Revolut wouldn’t say exactly how many customers were affected. Its website says the company has approximately 20 million customers; 0.16% would translate to about 32,000 customers. However, according to Revolut’s breach disclosure, the company says 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area and 379 Lithuanian citizens.

The company also declined to say what types of data were accessed. In a message sent to affected customers, the company said that “no card details, PINs or passwords were accessed.” However, Revolut’s data breach disclosure states that hackers likely accessed partial card payment data, along with customers’ names, addresses, email addresses, and phone numbers.

Revolut confirms cyberattack exposed personal data of tens of thousands of users

NHS supplier Advanced

Advanced, an IT service provider for the U.K.’s NHS, confirmed in October that attackers stole data from its systems during an August ransomware attack. The incident downed a number of the organization’s services, including its Adastra patient management system, which helps non-emergency call handlers dispatch ambulances and helps doctors access patient records, and Carenotes, which is used by mental health trusts for patient information.

While Advanced shared with TechCrunch that its incident responders — Microsoft and Mandiant — had identified LockBit 3.0 as the malware used in the attack, the company declined to say whether patient data had been accessed. The company admitted that “some data” pertaining to over a dozen NHS trusts was “copied and exfiltrated,” but refused to say how many patients were potentially impacted or what types of data were stolen.

Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside our control and “the likelihood of harm to individuals is low.” When reached by TechCrunch, Advanced chief operating officer Simon Short declined to say if patient data is affected or whether Advanced has the technical means, such as logs, to detect if data was exfiltrated.

NHS vendor Advanced won’t say if patient data was stolen during ransomware attack

Twilio

In October, U.S. messaging giant Twilio confirmed it was hit by a second breach that saw cybercriminals access customer contact information. News of the breach, which was carried out by the same “0ktapus” hackers that compromised Twilio in August, was buried in an update to a lengthy incident report and contained few details about the nature of the breach and the impact on customers.

Twilio spokesperson Laurelle Remzi declined to confirm the number of customers impacted by the June breach or share a copy of the notice that the company claims to have sent to those affected. Remzi also declined to say why Twilio took four months to publicly disclose the incident.

Twilio hack investigation reveals second breach, as the number of affected customers rises

Rackspace

Enterprise cloud computing giant Rackspace was hit by a ransomware attack on December 2, leaving thousands of customers worldwide without access to their data, including archived email, contacts and calendar items. Rackspace received widespread criticism over its response for saying little about the incident or its efforts to restore the data.

In one of the company’s first updates, published on December 6, Rackspace said that it had not yet determined “what, if any, data was affected,” adding that if sensitive information was affected, it would “notify customers as appropriate.” We’re now at the end of December and customers are in the dark about whether their sensitive information was stolen.

Rackspace blames ransomware attack for ongoing Exchange outage

LastPass

And finally, but by no means the least: The beleaguered password manager giant LastPass confirmed three days before Christmas that hackers had stolen the keys to its kingdom and exfiltrated customers’ encrypted password vaults weeks earlier. The breach is about as damaging as it gets for the 33 million customers who use LastPass, whose encrypted password vaults are only as secure as the customer master passwords used to lock them.

But LastPass’ handling of the breach drew a swift rebuke and fierce criticism from the security community, not least because LastPass said that there was no action for customers to take. Yet, based on a parsed read of its data breach notice, LastPass knew that customers’ encrypted password vaults could have been stolen as early as November after the company confirmed its cloud storage was accessed using a set of employee’s cloud storage keys stolen during an earlier breach in August but which the company hadn’t revoked.

The fault and blame is squarely with LastPass for its breach, but its handling was egregiously bad form. Will the company survive? Maybe. But in its atrocious handling of its data breach, LastPass has sealed its reputation.

Parsing LastPass’ data breach notice

More TechCrunch

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

2 days ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

2 days ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo