News & Analysis

2023: A Cybercrime Report

A year that saw global acceptance juxtaposed with self-denial in India, even as data protection took center stage

Statistics seldom tell us the entire story, and so it was with cybercrime in 2023. Total instances of cybercrime were the highest in 2023, but the same was true in 2022 and the year before. Besides proving that cybercriminals remained a step ahead of cyber security, these numbers have little or no relevance in the battle against organized crime.

Barring, of course, the growing awareness globally that any significant step towards digital transformation needs to build in cyber security as a fundamental building block. Even as hackers ramped up their ability to exploit bugs in file-transfer tools and grew more aggressive with their ransomware extortion tactics, there was a section of folks that preferred to snooze.

Mostly in the higher echelons of power in India, where denial of cyber attacks continued unabated in spite of evidence that things weren’t hunky-dory with citizens’ data. While taking a look at some such instances that played out over 2023, we thought it might be relevant to bring up the Indian context first before taking a global perspective. So, here goes:

One noteworthy trend among cyber criminals over the past 12 months was an extra focus on under-resourced organizations such as hospitals or government-controlled agencies. In fact, some of the biggest data breaches were reported in the healthcare sector, followed by highly sensitive government security areas.

The Aadhaar Data Breach

US cybersecurity company Resecurity claimed in October that they had personal data of as many as 815 million Indian citizens, including Aadhaar and passport details. The threat actors refused to specify how they got access to the data, which led the law enforcement agencies in India to largely ignore the report.

Of course, amidst all the denials from official sources, the one thing that was conveniently swept under the rug was the report that the Comptroller and Auditor General (CAG) had conducted a review of the Aadhaar database and reported that the UIDAI hadn’t effectively regulated its client vendors or safeguarded the security of their data vaults. The red flag was raised in April 2022.

The Byju’s Data Breach

India’s beleaguered ed-tech sector took a hard knock when it was reported that the bellwether Byju’s had inadvertently let out sensitive student data through a technical glitch. A news report claimed that a server-side misconfiguration could have exposed data related to loans, payouts, and identity documents of its students.

The report said that the volume of sensitive data released could be in the millions, though the company itself denies this. The company does confirm a security lapse, but suggests that no data or information was exposed or compromised during the week that the servers were exposed. The data exposure was first reported by search engine Shodan on August 15, which was promptly brought to the notice of Byju’s on August 22.

Hackers go after WordPress Sites 

Back in 2021, reports emerged of how over a million websites running on the popular content management system WordPress got hacked, thanks to a breach that hit the world’s largest web hosting provider, GoDaddy. A similar attack surfaced in 2023, though the scale was much smaller and the flaw was injected via Linux backdoors onto websites.

This time the number was 17,000, and the flaws existed in some premium theme plugins that WordPress shares with its users. The attack injected flaws that redirected visitors to fake tech support pages, phony lottery winnings and some push-notification scams. The irony, though, was that these attacks had reportedly been active since 2017 and could have affected 2 million WordPress websites over six waves.

Government Data is in Demand 

Earlier this year, there were reports of major security breaches around the railway ticketing platform RailYatri, though technically this took place at the tail end of 2022. The company confirmed the breach after the government ministry first denied that any breach had occurred or that any data was sold on the dark web.

Then there was the alleged breach around the CoWIN portal, created originally to track the Covid-19 vaccination process. The breach was the result of a bot on the messaging platform Telegram that was returning personal data, including Aadhaar and passport details. Once again the Health Ministry denied the breach, but a month later two arrests were made in Bihar.

The global scenario was worse

At a global level, major data breaches were reported from the US Department of Health that impacted over 88 million individuals, as well as cyber attacks on Boeing, Microsoft and some other big names in the industry. While there were several instances, we chose just a couple to present the challenges that the industry is facing and will face in 2024.

  • The MOVEit File Transfer Scam – This was by and large the most damaging breach of 2023. The file-transfer tool, used by enterprises to securely share files, was hit by a vicious attack in May whose impact is felt even now. The flaw allowed criminals to carry out a second round of mass hacks this year to steal sensitive data from thousands of MOVEit customers. Data suggests that the breach has impacted more than 2,500 organizations, with hackers accessing data of over 84 million individuals.
  • When Microsoft lost its key – On the one hand, Microsoft was busy connecting AI to its product suite (via OpenAI), while on the other it went and lost an email signing key that allowed China-backed hackers to break into thousands of email inboxes, including those of federal government agencies. Of course, Microsoft sought to smudge the entire issue and gathered more flak for its efforts there than for the actual missing key.

As we move into the New Year, it may be worth mentioning what a recent IBM study revealed. The average cost of a data breach is now at an all-time high of $4.45 million. If you thought that’s astounding, sample this: hardly 50% of the companies breached have plans to enhance their security budgets to reduce the risk of data breaches going forward.

If you read that last paragraph and didn’t go WTF, well, we can only say cybersecurity needs an intervention from God as cybercrime is definitely under Satan’s control!!!