The Biggest Data Breaches of 2022

The Biggest Data Breaches of 2022

The term ‘data breach’ has never been said so many times in Australia as it has the last few months. But it isn’t just Optus and Medibank, there have been quite a few data breaches in 2022 that you may, or may not, know about.

Data breaches are a big deal, but they’re more common than you may think. As former FBI Director Robert Mueller famously said:

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Just like we did last year, we thought we’d compile a little summary of the biggest data breaches of 2022.

Biggest data breaches of 2022

Some of these are Australian companies, some are international organisations with an Aussie customer base and some are local casualties of a larger, more global breach. Just a note: the date listed on a few occasions is when the breach was made public.

Shout out to Have I Been Pwned for help with filling in the blanks.

January

Bunnings

Cloud-based scheduling platform FlexBooker suffered a large data breach that affected some 3.7 million people. Caught up in this breach was Bunnings, the home of sausage sangas in Australia. FlexBooker sells an online scheduling tool that assists with setting up meetings, reservations, and appointments. It is understood Bunnings used this platform for help with its Drive & Collect service.

Crypto.com

The massive international cryptocurrency exchange Crypto.com finally confirmed that a hacker made off with $30 million-worth of cryptocurrency stolen from 483 users’ digital wallets. The company initially called the situation “an incident” and said that “no customer funds were lost.”

February

Nvidia

More than 71,000 employee credentials were stolen and some of them leaked online following a data breach suffered by US chipmaker giant Nvidia in February.

OpenSea

OpenSea, arguably the world’s largest NFT exchange, was caught up in a massive breach, with the source of the attack confirmed to be a phishing attack. It lost $US1.7 million after an employee of Customer.io, the company’s email delivery vendor, “misused their employee access to download and share email addresses provided by OpenSea users… with an unauthorised external party”.

Medlab Pathology

Medlab Pathology (owned by Australian Clinical Labs) experienced a cyber incident that involved some personal information of its patients and staff. It was advised of the breach by the Australian Cyber Security Centre in June. It began investigations but months later, October 27, actually.

April

E-Pal

A service dedicated to finding friends on Discord known as E-Pal disclosed a data breach in April. The compromised data included over 100,000 unique email addresses and usernames spanning approximately 1 million orders.

SuperVPN, GeckoVPN, ChatVPN

A breach involving a number of widely used VPN companies led to 21 million users having their information leaked on the dark web. Full names, usernames, country names, billing details, email addresses and randomly generated password strings were among the information available.

May

Amart Furniture

Australian retailer Amart Furniture advised that its warranty claims database hosted on Amazon Web Services had been the target of a cyberattack. It is believed around 108,940 records containing email and physical addresses, names, phone numbers and passwords stored as bcrypt hashes were exposed and shared online by the attacker.

July

Deakin University

The personal information of 46,980 current and past Deakin University students was leaked into the wild back in July. According to Deakin, the information was accessed via software the uni uses. A staff member’s username and password was ‘hacked’ and used by an unauthorised person to access information held by a third-party provider. The details breached included student name, student ID, student mobile number, Deakin email address and comments such as recent unit results.

Neopets

Neopets, the company that sells virtual pets to tweenagers (and also a weird amount of adults), suffered a pretty devastating data breach earlier this year. In July, the company announced that it had been hacked and that data on its members — believed to be about 69 million people — had potentially been accessed. In September, the company divulged new details about the incident, revealing that, among other things, the cybercriminals were able to linger inside its corporate IT systems for about 18 months.

American Airlines

American Airlines experienced a not-quite-big data breach of its customer and employee data in early July. The company announced the hack more than two months later in a letter to affected customers.

Cisco

Technology conglomerate Cisco confirmed that the Yanluowang ransomware gang had breached its corporate network after the group published data stolen online.

Plex

Streaming service Plex sent out emails notifying many of its customers that a serious security breach may have resulted in account information getting into the wrong hands. Plex stated that “all account passwords that could have been accessed were hashed and secured in accordance with best practices.”

August

University of Western Australia

The University of Western Australia fell victim to a data breach, with the personal information of current and past students accessed. The uni told Gizmodo Australia it had detected unauthorised login activity to Callista, the Student Information Management System used by the university and that the breach was limited to personal data belonging to students and alumni.

Twilio

Twilio first announced they had been attacked in August. The company provides communications tools and services to thousands of clients, including Facebook, Uber, Lyft, AirBnb, Twitter and DoorDash. According to Twilio, employees were targeted with a phishing link and message asking them to reset their log-in information. When some staff fell for the ploy, attackers were then able to use those employee credentials to access internal systems and customer data.

Signal

About 1,900 users of Signal, the messaging app often considered the gold standard of privacy, may have had their phone numbers or text verification codes accessed by hackers. The breach was part of the aforementioned phishing attack on Twilio, which provides Signal’s SMS verification service.

LastPass

LastPass, a popular password management service used by many to achieve cybersecurity nirvana, confirmed some of its internal source code had been stolen in a ‘security incident’ experienced back in August.

Twitter

A vulnerability in Twitter’s platform allowed an attacker to build a database of the email addresses and phone numbers of millions of users. It wasn’t until August (when Twitter published a disclosure notice) that users were told. The impacted data included either email address or phone number alongside other public information including the username, display name, bio, location and profile photo. The data included 6.7 million unique email addresses across both active and suspended accounts.

September

TikTok

Rumours started circulating that TikTok had been breached after a Twitter user claimed to have stolen the social media site’s internal backend source code. However, it’s been determined a breach was “inconclusive”, and TikTok has denied it.

The North Face

Outdoor apparel brand The North Face was targeted in a large-scale credential stuffing attack that resulted in the hacking of 194,905 accounts on the thenorthface.com website.

Uber 

Uber, the ride-sharing app used by nearly everyone you know, suffered a major data breach in September. Uber’s computer network had been breached, with several engineering and comms systems taken offline. Uber employees found out their systems had been breached after the hacker broke into a staff member’s slack account and sent out messages confirming they’d successfully compromised their network.

Rockstar 

Games company behind Grand Theft Auto, Rockstar, was the victim of a hack which saw footage of its unreleased Grand Theft Auto VI game leaked by the hacker. In addition, the hacker also claimed to have the game’s source code. While no customer data was affected, this breach is a pretty big deal.

Optus

Needing no introduction is the Optus data breach that saw the personal data of thousands of people leak into the wild. One of the biggest data breaches of 2022, at least as far as interest is concerned.

Get Revenge On Your Ex

The revenge website Get Revenge On Your Ex suffered a data breach that exposed almost 80k unique email addresses. The data spanned both customers and victims including names, IP and physical addresses, phone numbers, purchase histories and plain text passwords.

October

Telstra

In early October, Telstra admitted a third party it uses for its staff rewards program had suffered a breach, with “limited” Telstra employee information from 2017 (around 30,000) affected by the incident.

MyDeal

Woolworths Group confirmed that 2.2 million customer records had been accessed after a compromised credential was used to trawl the MyDeal system. MyDeal, if you’re unfamiliar, is an online retail marketplace that provides customers with “quality products from a curated selection of trusted retailers”. It has been a publicly listed company on the ASX since October 2020, but, Woolworths Group completed the acquisition of approximately 80 per cent of MyDeal on 23 September 2022.

Vinomofo

Wine dealer Vinomofo in October suffered a cyberattack, with names, dates of birth, addresses, email addresses, phone numbers and genders of customers at risk as a result. The Guardian notes Vinomofo as having about 500,000 people on its books, but it’s not clear if all were exposed.

Medibank

The private health insurer told shareholders on October 12 it had fallen victim to a ‘cyber incident’. But, the incident is far worse than first thought with Medibank confirming by the end of the month that every one of its customers had their data breached – the organisation has 3.9 million customers, which makes this one of the biggest data breaches of 2022.

Doomworld

Doomworld, one of the oldest unofficial news websites dedicated to the Doom games, suffered a data breach that exposed a little under 34,000 member records. The data included email and IP addresses, usernames and bcrypt password hashes.

Australian Defence

Detail emerged that a communications platform used by Australian Defence – ForceNet – was yet another victim of a ransomware attack. It is believed around 30,000 to 40,000 records are at risk.

November

Harcourts

Reports were emerging last night from customers of Aussie real estate group Harcourts that the company is the latest victim of a data breach. Breached data includes full legal name, email, addresses, phone number, copy of a signature, bank details and photo ID. Renters, rental providers and tradespeople are the customers at risk.

Abandonia

The gaming website dedicated to classic DOS games Abandonia suffered a data breach resulting in the exposure of 920k unique user records. This breach was in addition to another one 7 years earlier in 2015. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.

LJ Hooker

A ransomware gang claims to have stolen 375 gigabytes worth of employee and customer data from a franchise of the Australian real estate giant, LJ Hooker, including passport scans, credit card details, and loans data. Per a report from VICE Au, LJ Hooker was added to the victim list of Russia-linked ransomware gang, ALPHV, also known as “BlackCat”, on November 30.

There you have it.

Here’s hoping we don’t need to update this list with any more big data breaches before 2022 is over.

This article has been updated since it was first published.


The Cheapest NBN 50 Plans

It’s the most popular NBN speed in Australia for a reason. Here are the cheapest plans available.

At Gizmodo, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.