2024: The Year Data Security Took a Beating

By Kirsten Doyle | February 5, 2025 | 6 Mins Read

2024 was a brutal year for data security, with some of the world’s biggest companies suffering breaches that exposed millions of sensitive records.  

The attacks were carried out by well-known cybercriminal groups, including Alphv/BlackCat, Qilin, and Rhysida, and shone a light on the ongoing vulnerabilities the industry faces every day. Cloud platforms, financial institutions, healthcare systems: no one is safe.

Here’s Arctic Wolf’s breakdown of the most significant breaches of the year and recommendations to avoid similar incidents in the future.  

Ransomware Attack Impacts a Third of the US Population

An affiliate of Alphv/BlackCat targeted Change Healthcare in February. The attackers gained access through compromised credentials from a Telegram group and breached the network via a remote access service lacking MFA.  

They remained inside for nine days, moving laterally and exfiltrating data before encrypting systems and stealing the personal, health, and financial information of around 100 million people.  

A $22 million ransom was paid, but Alphv/BlackCat faked a takedown while keeping the money. Meanwhile, the total financial and reputational damage has reached nearly $2.5 billion.  

Arctic Wolf Labs found that 46.3% of non-BEC attacks stem from compromised credentials, with 7.3% involving historically compromised credentials. Organizations must implement and enforce modern MFA, particularly passwordless FIDO2-based authentication. 

Accidental Insider

In April, the threat actor USDoD attempted to sell data stolen from consumer data broker National Public Data (NPD). Investigations revealed that up to 2.9 billion records, including names, contact details, and Social Security numbers, were exposed.  

The breach affected between 170 million and over 1 billion people, including 85% of US lawmakers. USDoD denied executing the attack, claiming they only obtained and sold the data. 

Cybersecurity journalists found that an NPD-affiliated broker had accidentally exposed database passwords in a publicly accessible file. In August, NPD users sued parent company Jerico Pictures, alleging negligence. Three months later, Jerico declared bankruptcy. While USDoD was arrested, the actual hackers remain unidentified. 

Insiders often pose a greater cybersecurity risk than external attackers. Careless employees can expose data through weak security practices, phishing scams, or misconfigurations. A strong security awareness program—emphasizing human behavior, company culture, and proactive risk reduction—helps prevent accidental insider threats, protects credentials, and strengthens defenses against social engineering.  

Third-Party Cloud Data Breach Affects 160+ Organizations

Compromised credentials allowed cybercriminals to launch infostealer malware on a cloud service provider, accessing data from over 160 organizations. 

In one of the largest breaches of the year, attackers purchased stolen credentials from the dark web, logging into Snowflake instances and stealing data. Snowflake, a cloud data storage company, wasn’t breached; malefactors exploited compromised credentials from infected devices, affecting entities such as AT&T, Santander Bank, and Ticketmaster. 

In November, the US government arrested two attackers who were linked to the breach and to the theft of records from a major telecom company, reportedly AT&T. However, AT&T has not confirmed the breach.

The breach illustrates the importance of MFA and password hygiene. According to the 2024 Arctic Wolf Labs Threat Report, 47.3% of non-BEC incidents involved attackers exploiting weak credentials. Implementing strong MFA, securing Active Directory, training staff, and 24/7 monitoring can reduce these risks. 

Blacksuit Ransomware Gang Causes $600M+ Damage

In June, Blacksuit, formerly Royal, struck CDK Global, a cloud-based provider for 15,000 US car dealerships.

The ransomware gang exfiltrated data and encrypted systems, demanding a ransom of $25 million. The attack caused widespread disruption, with some dealerships using pen and paper. Total damages, including business disruption, surpassed $1 billion. 

Blacksuit has a history of double extortion, and ransomware is 15x more likely than BEC to trigger incident response engagements. The speed of response can reduce costs significantly, with up to a 15% faster resolution, cutting downtime and losses. 

Alphv/BlackCat Hits Mortgage Giant loanDepot

In January, Alphv/BlackCat targeted mortgage lender loanDepot, disrupting operations and exposing 17 million customer records, including Social Security numbers and financial account details. 

The breach prevented loan processing and account access, leading to 20 class-action lawsuits. The company reported $41.6 million in costs, including $25 million for litigation. 

Despite stringent financial regulations, compliance gaps persist. Strengthening security frameworks like those outlined in the FFIEC Information Security Booklet can reduce risks and enhance resilience. 

Rhysida Ransomware Disrupts US Port and Airport

In August, Rhysida ransomware struck the Seattle-Tacoma (Sea-Tac) airport and its overseeing port, disrupting passenger check-in, ticketing, and terminal systems. Over 1,400 daily travelers experienced delays. 

The attackers demanded a $6 million ransom, which the Port of Seattle refused to pay. As a result, stolen data may surface on the dark web. 

Critical infrastructure remains a prime target due to its low downtime tolerance. To mitigate risks, organizations must adopt 24/7 security monitoring, risk-based vulnerability management, and incident response solutions. 

Ransomware Gangs Continue Their Assault on the NHS

In June, Russian ransomware group Qilin attacked Synnovis, a pathology services provider for London hospitals. The breach compromised 300 million patient interactions, including test results for HIV, STDs, and cancer. 

The attack disrupted seven hospitals, canceling over 1,100 surgeries, 2,200 outpatient visits, and 18 organ transplants. Blood test services were reduced by 90%. 

Qilin demanded a $50 million ransom, which Synnovis refused to pay. In retaliation, 400GB of sensitive NHS patient data was leaked on the dark web. Organizations must strengthen vulnerability management and proactive cybersecurity strategies. 

Unpatched Vulnerability Enables Massive Data Breach in Helsinki

In May, a cyberattack on the City of Helsinki Education Division stole 80,000 student, guardian, and staff records. The breach was enabled by an unpatched vulnerability in remote server settings.

Chief Digital Officer Hannu Heikkinen admitted a fix had been available but was not applied. The incident prompted major cybersecurity improvements across the city’s education sector. 

IBM reports that data breaches took an average of 194 days to detect in 2024. With nearly 60% of incidents exploiting vulnerabilities from 2022 or earlier, timely patching remains a fundamental cybersecurity measure. 

Ransomware Attack Exposes 12.9 Million Australians’ Data 

In April, a cyberattack on MediSecure, an Australian digital prescription provider, stole 6.5TB of data, exposing 12.9 million Australians’ personal and health information. 

The breach forced month-long system outages, leading MediSecure into liquidation after the government declined financial assistance. Due to data complexity and financial constraints, the company was unable to notify affected individuals. 

Verizon’s 2024 DBIR found that 80% of breaches involve compromised identity. Weak IAM controls, including unsecured VPN credentials, remain a critical attack vector. Implementing MFA, zero-trust security, and identity protection measures is essential to preventing future breaches. 

Kirsten Doyle
Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
