Cybersecurity in 2023: What can we expect?
It's a new year, but how will the infosec industry respond with cyberattacks on the rise?
The year 2022 is over, and it's time to learn from what happened in cybersecurity. Cyberattacks were on the rise, and not even some of the biggest companies in the world could escape. The FBI estimated that internet crime cost $6.9 billion just last year. With a record of ransomware attacks, predictions for 2023 already anticipate that this malicious threat is not going anywhere, as it is likely to grow and diversify with ever more sophisticated attacks targeting all kinds of organisations.
First, let's take a look at some of the most significant cyberattacks of 2022:
A mega-breach exposed the data of 9.7 million people when Australian healthcare and insurance provider Medibank announced some "unusual activity" on its internal systems. The company refused to pay a US$10m ransom and, given Australia's population, close to a third could have been affected. The leak exposed confidential and personally-identifying information on medical procedures and records related to claims on chronic conditions, mental health conditions, infections and more. In November, the cybercriminals behind the attack claimed the case was closed after posting on the dark web what could be the total amount of information the hackers had access to.
Microsoft Thwarts Hack Attempt by Lapsus$ Group
Last year the notorious hacking group, Lapsus$, also targeted Microsoft. They used Telegram to brag about their success hacking Microsoft and compromising Cortana, Bing, and a few other products. The hackers managed to snag some material from Microsoft, but by March 22, Microsoft announced that they had swiftly thwarted the hacking attempt, and only one account had been compromised. The company also assured that no customer data had been stolen, with an effective security response. The Lapsus$ group had previously targeted Nvidia, Samsung, and many other companies, so Microsoft's security team was well-prepared.
GiveSendGo Data Breach Caused by Political Hack
GiveSendGo, a Christian fundraising site favoured by Canadian truckers participating in the Freedom Convoy protests against COVID rules, suffered a devastating data breach. The hack was carried out by a political hacker who claimed responsibility for previous attacks on far-right social media networks.
In a classic case of a Distributed Denial of Service (DDoS) attack, the hacker redirected GiveSendGo's website to a page condemning the Freedom Convoy protests. However, the real damage was done when the hacker published the personal information of the 90,000 contributors to the Freedom Convoy through GiveSendGo.
This incident is a stark reminder that political hackers can target companies with no financial motive, highlighting the importance of strong security measures to protect against such attacks.
Crypto.com: Massive Cryptocurrency Wallet Hack Results in Millions in Losses
A significant attack on cryptocurrency wallets targeted nearly 500 individuals. The hackers bypassed two-factor authentication and gained access to users' wallets, stealing approximately $18 million worth of Bitcoin and $15 million of Ethereum and other cryptocurrencies.
This loss highlights the importance of using a password manager to protect against such attacks. Crypto.com initially referred to the attack as an "incident" but later confirmed that money had been stolen and affected users had been reimbursed. The company also announced auditions of its systems and improved its security posture in the wake of the attack.
Businesses should be aware of the risks associated with cryptocurrency theft and take steps to ensure that all sensitive data is encrypted to protect against fraud.
Credit Suisse Data Leak Exposes High-Risk Clients' Information
Credit Suisse made headlines when an anonymous whistleblower leaked data from over 30,000 clients, revealing the beneficiaries of nearly $100 billion. The data leak unmasked numerous high-risk clients worldwide, with their information being published by news outlets.
While the motivations behind the leak are worth considering, the magnitude of this internal event should be noticed. The whistleblower had access to many client records and successfully exported and shared them externally. This situation helps us to remind the importance of maintaining secure internal systems to protect sensitive client information.
Twitter Data of 5.4 Million Users Exposed in Hack Exploiting Known Vulnerability
On July 21, 2022, a hacker posted the personal data of 5.4 million Twitter users for sale, capitalising on a known vulnerability first identified in January. Despite Twitter's efforts to patch the vulnerability, the malicious actor was able to exploit it before they could take protective measures.
In August, the former head of security made public allegations against Twitter, filing a 200-page complaint with the SEC that accused the company of "egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy."
What can we expect for cybersecurity in 2023?
Yes, 2022 was a lot to the infosec industry. No business is entirely safe from an attack, but with the right technology we can minimise the consequences of a leak. Let's look at trends to keep an eye on in 2023 and keep our data safe:
Companies will embrace innovative encryption technologies
Privacy Enhancing Technologies (PETs), including homomorphic and searchable encryption as well as innovative approaches like data-in-use encryption, will gain more traction, with larger investments in the field and broader market adoption. As our Co-Founder and CEO Ryan Lasmaili told VMBlog:
"The most effective option for CISOs to prevent data leaks, is to leverage modern PETs in the form of a practical, performant, applicable, nimble and simple toolkit like the one Vaultree has developed. With data in a persistent state of encryption - even when breaches happen and firewalls and other tools in the first line of defence fail - leaked data is undecipherable and therefore useless to hackers".
Focus on Customers and Data Privacy
Data privacy and compliance will remain a hot topic. The connection between data protection and consumer trust will continue to influence how organisations approach business practices in the new year. It is predicted that the trending lack of consumer trust in 2022 will continue into 2023, along with increased attention to data provenance. Customers are becoming increasingly aware and worried about how companies use their data. It's time for organisations to consider how data compliance and ongoing data management are critical to their business and data strategy. Privacy regulations are expected to remain in place and many countries are about to adopt stricter regulations. Instead of continuing to exploit datasets to the maximum, often without proper knowledge, consent, or understanding from their customers, organisations are predicted to embrace this unique opportunity before their competition.
Data Protection: A Growing Concern
Another predicted outcome for 2023 will be a heightened focus on encryption. With the emphasis on ensuring that personal information remains confidential, encryption is the only solution that can guarantee data protection while complying with various global regulations like GDPR and CCPA.
There are good things on the horizon. The Post-Quantum Cryptography (PQC) Initiative by CISA and The Executive Order on Improving the Nation's Cybersecurity are on the move, and they will undoubtedly pave the way to stronger regulations regarding encryption and authentication.
With cyberattacks hitting all kinds of businesses and even governments, it's clear those with an antiquated infrastructure will suffer the consequences.
The Domino Effect of Data Protection Regulations
It is predicted that the determination of whether the United Kingdom (U.K.) will retain its European Union (E.U.) adequacy decisions will remain unresolved. However, if the U.K. loses that status, it will quickly become evident how challenging it is to trade, communicate, and interact with other nations.
It is expected that we will see a snowball effect of countries, whose data laws are outdated, beginning to review and update them to meet, at least at the conceptual level, the high bar set by the General Data Protection Regulation (GDPR).
While many questions cannot be accurately predicted, 2023 will be an interesting year for data protection.
At Vaultree, we're looking forward to partnering with organisations building a security strategy based on a fully encrypted environment. Always encrypted is our motto, and we're ready to unlock the potential of encrypted data.
More from our blog
What are privacy-enhancing technologies and how do they work?
How innovative encryption technologies will gain traction to keep businesses safe from data leaks
The world’s first Fully Functional Data-In-Use Encryption solution is now generally available
How Vaultree makes CISOs' lives easier