The January 2022 International Committee of the Red Cross (ICRC) data breach was caused by an unpatched critical vulnerability in the Single Signe-In tool developed by Zoho, a business software development company. After exploiting the vulnerability (tracked as CVE-2021-40539), the cybercriminals deployed offensive security tools to help gain access to ICRC's contact database, resulting in the compromise of more than 515,000 globally.
The Kasya ransomware attack occurred through the exploitation of CVE 2021-30116, an authentication bypass vulnerability within Kaseya VSA servers. This allowed the hackers to circumvent authentication controls and executive commands via SQL injection, giving them all the control they needed to deploy their ransomware payload and encrypt a segment of Kaseya's internal data.
Few companies expect to be at the center of a newsworthy data breach incident. However, according to some sources, cybercriminals can access 93% of businesses in an average of two days. Around 150 million data records were compromised in the third quarter of 2022 alone. Businesses are increasingly reliant on data systems such as cloud computing and remote working to compete in the modern workplace.
As we enter 2023, we look back at the past year in cybersecurity and make predictions for next year. We saw the rapid transformation of digital initiatives and policies that either saw businesses rise above and adapt or fail to react in time to protect themselves. Industries such as healthcare and education were hit hard by cyber attacks and are at risk of experiencing continued assaults on critical data. What will the world of cybersecurity look like in 2023?
In 2022, cyber incidents in businesses and organizations worldwide have skyrocketed, with data breaches being one of the main concerns. Almost 109 million personal accounts and emails were compromised in Q3 2022 — a 70% increase compared to Q2. Particularly, Australia has seen a significant rise in data breaches, especially in its financial services and healthcare sectors.
The HIPAA 1996 (Health Insurance Portability and Accountability Act) is a federal law enacted by the U.S. Congress that regulates how healthcare organizations handle PHI (protected health information) and ePHI (electronic protected health information). This includes complex and extensive rules for protecting critical medical data and sensitive patient information, so HIPAA non-compliance is often met with severe penalties.
The System and Organization Controls, or SOC (sometimes referred to as service organizations controls), are the required security control procedures set as non-mandatory, internationally-recognized standards that help businesses measure how SaaS companies and service organizations manage data and sensitive information. Organizations or businesses that have successfully passed the SOC auditing process can attest to the quality of their security controls for regulating customer data.
The California Privacy Rights Act (CPRA) is a privacy law that was passed in California in 2020. It strengthens the security standards of the California Consumer Privacy Act (CCPA), making California's consumer privacy laws more aligned with the General Data Protection Regulation (GDPR). The CCPA gives California residents the right to know what personal data is being collected by companies and whether it will be sold or disclosed to other parties.
