\n<\/p>\n
Last year, we compiled<\/span> a list of 2022\u2019s most poorly handled data breaches<\/a> looking back at the bad behavior of corporate giants when faced with hacks and breaches. That included everything from downplaying the real-world impact of spills of personal information and failing to answer basic questions.<\/p>\n Turns out this year, many organizations continue to make the same mistakes. Here\u2019s this year\u2019s dossier on how not to respond to security incidents.<\/p>\n The Electoral Commission, the watchdog responsible for overseeing elections in the United Kingdom, confirmed in August<\/a> that it had been targeted by \u201chostile actors\u201d that accessed the personal details \u2014 including full names, email addresses, home addresses, phone numbers and any personal images sent to the Commission \u2014 on as many as 40 million U.K. voters.<\/p>\n While it may sound like the Electoral Commission was upfront about the cyberattack and its impact, the incident occurred in August 2021 \u2014 some two years ago \u2014 when hackers first gained access to the Commission\u2019s systems. It took another year for the Commission to catch the hackers in the act. The BBC reported the following month<\/a> that the watchdog had failed a basic cybersecurity test around the same time hackers gained entry to the organization. It has not yet been revealed who carried out the intrusion \u2014 or if it is known \u2014 and how the Commission was breached.<\/p>\n Samsung has once again made it onto our badly handled breaches list. The electronics giant once again took its typical tight-lipped approach when faced with questions about a year-long breach of its systems that gave hackers access to the personal data of its U.K.-based customers. In a letter sent to affected customers in March, Samsung admitted that attackers exploited a vulnerability in an unnamed third-party business application to access the unspecified personal information of customers who made purchases at its U.K. store between July 2019 and June 2020.<\/p>\n In the letter, Samsung admitted that it didn\u2019t discover the compromise until more than three years later<\/a> in November 2023. When asked by TechCrunch, the tech giant refused to answer further questions about the incident, such as how many customers were affected or how hackers were able to gain access to its internal systems.<\/p>\n French cloud gaming provider Shadow is a company that lives up to its name, as an October breach at the company remains shrouded in mystery<\/a>. The breach saw attackers carry out an \u201cadvanced social engineering attack\u201d against one of Shadow\u2019s employees that allowed access to customers\u2019 private data, according to an email sent to affected Shadow customers.<\/p>\n However, the full impact of the incident remains unknown. TechCrunch obtained a sample of data believed to be stolen from the company that contained 10,000 unique records<\/a>, which included private API keys that correspond with customer accounts. When asked by TechCrunch, the company refused to comment, and would not say whether it had informed France\u2019s data protection regulator, CNIL, of the breach as required under European law. The company also failed to make news of the breach public outside of the emails sent to affected customers.<\/p>\n Lyca Mobile, the U.K.-headquartered mobile virtual network operator, said in October that it had been the target of a cyberattack that caused widespread disruption<\/a> for millions of its customers. Lyca Mobile later admitted a data breach<\/a>, in which unnamed attackers had accessed \u201cat least some of the personal information held in our system\u201d during the hack.<\/p>\n It\u2019s now more than two months later, and Lyca Mobile has still not said what data was stolen from its systems (despite storing sensitive personal information, such as copies of identity cards and financial data), or how many of its 16 million customers were impacted by the breach. Despite repeated requests by TechCrunch, the company has also refused to comment on the nature of the incident, despite the incident presenting as ransomware.<\/p>\n The breach of MGM Resorts is one of the most memorable of 2022; the incident saw hackers associated with a gang known as Scattered Spider compromise the company\u2019s systems to cause weeks of disruption across MGM\u2019s Las Vegas hotels and casinos<\/a>. MGM said that the disruption will cost the company at least $100 million.<\/p>\n MGM first disclosed that it had been targeted by hackers on September 11. But it wasn\u2019t until October that the company confirmed in a regulatory filing that the attackers had obtained some personal information belonging to customers<\/a> who transacted with MGM Resorts prior to March 2019. That includes customer names, contact information, gender, dates of birth, driver license numbers, and Social Security numbers and passport scans for some customers.<\/p>\n It\u2019s now more than three months later, and we still don\u2019t know how many MGM customers were affected. MGM spokespeople have repeatedly declined to answer TechCrunch\u2019s questions about the incident.<\/p>\n Back in February, satellite TV giant Dish confirmed in a public filing that a ransomware attack was to blame for an ongoing outage and warned that hackers exfiltrated data from its systems that may have included customers\u2019 personal information<\/a>. However, Dish hasn\u2019t provided a substantive update since, and customers still don\u2019t know if their personal information is at risk.<\/p>\n TechCrunch learned that, despite the company\u2019s silence, the impact of the breach could extend far beyond Dish\u2019s 10 million or so customers. A former Dish retailer told TechCrunch that Dish retains a wealth of customer information on its servers<\/a>, including customer names, dates of birth, email addresses, telephone numbers, Social Security numbers and credit card information. The person said that this information is retained indefinitely, even for prospective customers who didn\u2019t pass Dish\u2019s initial credit check.<\/p>\n TechCrunch heard from CommScope employees who say they were left in the dark about a data breach<\/a> at the company affecting their personal information. The North Carolina-based company, which designs and manufactures network infrastructure products for a range of customers, was targeted by the Vice Society ransomware gang in April. Data leaked by the gang, and reviewed by TechCrunch<\/a>, included the personal data of thousands of CommScope employees, including full names, postal addresses, email addresses, personal numbers, Social Security numbers, passport scans and bank account information.<\/p>\n CommScope declined to answer our questions related to the leaked employee data, and it also failed to answer those affected. Several employees told TechCrunch at the time that CommScope executives remained tight-lipped about the breach<\/a>, saying little beyond it does \u201cnot have evidence\u201d to suggest employee data was involved.<\/p>\n<\/p><\/div>\nElectoral Commission hid details of a huge hack for a year, yet still tight-lipped<\/h2>\n
Samsung won\u2019t say how many customers hit by year-long data breach<\/h2>\n
Hackers stole Shadow data, and Shadow went silent<\/h2>\n
Lyca Mobile refused to say what kind of cyberattack hit<\/h2>\n
MGM Resorts still hasn\u2019t said how many customers had data stolen after hack<\/h2>\n
Dish breach may affect millions \u2014 potentially a lot more<\/h2>\n
CommScope late to tell its own employees that their data was stolen<\/h2>\n