Data breaches can be very damaging to organizations of all types and sizes, but it is how these companies react to the incident that can deal the final blow. While we saw some great examples of how companies should respond to data breaches last year – kudos to the Red Cross and Amnesty for their transparency – 2022 has been a year of lessons on how not to respond to a data breach.
Here's a look back at this year's mishandled data breaches.
Nvidia
The chip manufacturing giant Nvidia confirmed that it was investigating an alleged "cyber incident" in February, which it later confirmed to be data extortion.
While Nvidia was tight-lipped, the now notorious Lapsus$ gang quickly claimed responsibility for the leak, claiming to have stolen a terabyte of information, including "highly sensitive" data and proprietary source code. According to the Have I Been Pwned website, the hackers stole the credentials of more than 71.000 Nvidia employees, including email addresses and Windows passwords.
Doordash
The food delivery giant confirmed that the attackers accessed the names, email addresses, delivery addresses and phone numbers of customers of Doordash, along with partial payment card information from a smaller subset of users. He also confirmed that for DoorDash delivery drivers, or Dashers, the hackers accessed data that "mostly included name and phone number or email address."
But DoorDash declined to say how many users were affected by the incident – or even how many users it currently has. DoorDash also said that the breach was caused by a third-party provider.
Samsung
Hours before the long holiday of the 4th of July, Samsung quietly communicated that its US systems had been breached weeks earlier and that hackers had stolen personal information from its customers. In its terse notice, Samsung confirmed that unspecified "demographic" data had also been stolen, which likely included precise geolocation, navigation, and other data from customers' Samsung phones and smart TVs.
As of the end of the year, Samsung still hasn't said anything more about the hack. Rather than use the time to write a blog post outlining which, or even how many, customers are affected, Samsung used the weeks leading up to its disclosure to write and publish a new mandatory privacy policy the same day it was released. the disclosure of its leak, which allows Samsung to use the precise geolocation of customers for advertising and marketing. Because that was Samsung's priority, obviously.
Revolut
The fintech startup Revolut confirmed in September that it had been the victim of a "highly targeted cyberattack," saying at the time that an "unauthorized third party" had gained access to the data of a small percentage (0,16%) of customers "for a short period of time." of time".
However, Revolut would not say exactly how many customers were affected. Its website says that the company has approximately 20 million customers; 0,16% would translate into about 32.000 customers. However, according to Revolut's statement on the breach, the company claims that 50.150 customers were affected by the breach, including 20.687 customers from the European Economic Area and 379 Lithuanian citizens.
The company has not specified what type of data has been accessed either. In a message sent to affected customers, the company said that "no card, PIN or password data was accessed." However, the Revolut data breach disclosure claims that hackers likely accessed partial card payment data, along with customer names, addresses, email addresses, and phone numbers.
