The 10 Biggest Data Breaches Of 2022

Data breaches continued to be a considerable threat in the last year.

While 2022 has so far seen 1,291 reported breaches, down from 1862 breaches in 2021, the breaches themselves are getting bigger—this year may have seen the biggest data breach in history.

There have also been some definite trends. According to Verizon’s Data Breach Investigations Report (DBIR), 2022 was a big year for ransomware, state-sponsored actors, and human error, which was present in 82% of breaches.

Many of those trends are reflected in the breaches below, particularly the human element: 2022’s most notable breaches include a social engineering teenager from England, misconfigured servers, a drunk government contractor in Japan, and an angry U.S. insider who had recently been fired. Read on for the 10 biggest and most notable breaches in 2022.

Crypto.com

In January 2022, Crypto.com, one of the largest cryptocurrency exchanges in the world became aware of a series of unauthorized transactions impacting 483 users. Cybercriminals bypassed 2-factor authentication (2FA) to withdraw $34 million in funds from users’ digital wallets. The users were reimbursed and Crypto.com moved from 2FA to Multi-Factor Authentication (MFA).

The Red Cross

The International Committee for the Red Cross (ICRC) disclosed in January that it had been attacked. The network intrusion led to the theft of the personal records of more than 500,000 people receiving assistance from the group. The criminal who hacked the group is suspected to be a state-sponsored bad actor from Iran.

PayHere

In March, Sri Lankan fintech company PayHere suffered a 65GB data breach exposing more than 1.5 million users’ data. The exposed data includes email addresses, IP and physical addresses, names, phone numbers, purchase histories and partially obfuscated credit card data.

CDEK

This is an unverified breach. In March, the Russian courier service CDEK was allegedly hacked by Ukrainian hacker group "IT Army" exposing 19 million unique email addresses as well as names and phone numbers.

Cash App

In April, Cash App reported that a former employee had downloaded reports containing the personal information of U.S. users, potentially exposing the information of more than 8 million users of the mobile payment app. The data downloaded included full names and brokerage account numbers for Cash App users. The former employee downloaded the information in December as revenge for having been fired.

City of Amagasaki, Japan

In June, the personal information of every one of Amagaski’s 500,000 citizens was exposed when a government contractor lost his bag after a night of drinking. The contractor passed out in the street and when he awoke, the bag was gone. It contained a USB stick with names, birth dates, addresses, tax details, banking information, and social security records for city residents. The USB stick was encrypted and passworded, and was later recovered by the police.

The Shanghai Police

This is potentially one of the largest data breaches in history, although details are unconfirmed due to the Chinese media’s censorship and repression of online discussion of the breach. In July, a database containing records of more than a billion Chinese civilians was allegedly stolen from the Shanghai Police. The database allegedly included addresses, police records and national ID numbers.

Plex

15 million Plex users’ usernames, passwords, and email addresses were compromised in August 2022 as part of a hack on the video streaming service.

Microsoft

In September, a server misconfiguration at Microsoft inadvertently exposed the information of more than 65,000 organizations in 111 countries. The exposure consists of 2.4 terabytes of companies’ data, including invoices, product orders, signed customer documents and partner ecosystem details, according to SOCRadar, the company that detected the breach.

Uber

In September, a social engineering campaign against Uber workers and contractors led to a network intrusion and a takeover of Uber’s internal systems, including AWS, Google Drive, Slack, and other tools. A 17-year-old hacker from the United Kingdom convinced an Uber contractor to disclose login credentials. The teenage hacker has been arrested.

Cyber threats are a considerable risk to your organization. Schedule a demo now and assess your company’s cyber risk for 2023.

About the Author

Daniel Young

Founder & Chief Innovation Officer

Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.

He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.