The worst breaches of 2024 according to the EFF

For this one, I think we’ll let the article by the EFF speak for itself. If I go on a tirade, it’s probably things I’ve said already, but we have not learned jack shit it seems.

It’s got a table of contents, and I’m sure that we talked about most of these breaches in this list.

The article starts:

Every year, countless emails hit our inboxes telling us that our personal information was accessed, shared, or stolen in a data breach. In many cases, there is little we can do. Most of us can assume that at least our phone numbers, emails, addresses, credit card numbers, and social security numbers are all available somewhere on the internet.

But some of these data breaches are more noteworthy than others, because they include novel information about us, are the result of particularly noteworthy security flaws, or are just so massive they’re impossible to ignore. For that reason, we are introducing the Breachies, a series of tongue-in-cheek “awards” for some of the most egregious data breaches of the year.

If these companies practiced a privacy first approach and focused on data minimization, only collecting and storing what they absolutely need to provide the services they promise, many data breaches would be far less harmful to the victims. But instead, companies gobble up as much as they can, store it for as long as possible, and inevitably at some point someone decides to poke in and steal that data.

Out of these paragraphs, stop me if I said something like the following paragraph either in writing or in actual podcasts.

Once again, that paragraph reads:

breaches would be far less harmful to the victims. But instead, companies gobble up as much as they can, store it for as long as possible, and inevitably at some point someone decides to poke in and steal that data.

Basically, what it’s saying is … if you don’t need the data to do your job as a company, you don’t need to hang on to the data! Do you stupid fucks understand that yet? Probably not.

Here is the Table of Contents for the article.

  • The Just Stop Using Tracking Tech Award: Kaiser Permanente
  • The Most Impactful Data Breach for ’90s Kids Award: Hot Topic
  • The Only Stalkers Allowed Award: mSpy
  • The I Didn’t Even Know You Had My Information Award: Evolve Bank
  • The We Told You So Award: AU10TIX
  • The Why We’re Still Stuck on Unique Passwords Award: Roku
  • The Listen, Security Researchers are Trying to Help Award: City of Columbus
  • The Have I Been Pwned? Award: Spoutible
  • The Reporting’s All Over the Place Award: National Public Data
  • The Biggest Health Breach We’ve Ever Seen Award: Change Health
  • The There’s No Such Thing As Backdoors for Only “Good Guys” Award: Salt Typhoon
  • Breach of the Year (of the Decade?): Snowflake

Other headings:

  • Tips to Protect Yourself
  • (Dis)Honorable Mentions

There are only about one or two of these that we had never heard of, but most of these we’ve covered in podcasts, write-ups, and other podcasts along the network.

We really don’t know how bad AT&T really is, seeing that they are mentioned as part of Snowflake, and in the additional mentions awards section. But my bigger question is why the hell T-Mobile isn’t even mentioned with their 3 or 4 breaches this year, with nothing more than a fucking sorry attitude from the stupid fucks.

Kaiser Permanente

While tracking is not new, this was bound to happen at one point. I think this write up is perfect.

It says:

In one of the year’s most preventable breaches, the healthcare company Kaiser Permanente exposed 13 million patients’ information via tracking code embedded in its website and app. This tracking code transmitted potentially sensitive medical information to Google, Microsoft, and X (formerly known as Twitter). The exposed information included patients’ names, terms they searched in Kaiser’s Health Encyclopedia, and how they navigated within and interacted with Kaiser’s website or app.

The most troubling aspect of this breach is that medical information was exposed not by a sophisticated hack, but through widely used tracking technologies that Kaiser voluntarily placed on its website. Kaiser has since removed the problematic code, but tracking technologies are rampant across the internet and on other healthcare websites. A 2024 study found tracking technologies sharing information with third parties on 96% of hospital websites. Websites usually use tracking technologies to serve targeted ads. But these same technologies give advertisers, data brokers, and law enforcement easy access to details about your online activity.

While individuals can protect themselves from online tracking by using tools like EFF’s Privacy Badger, we need legislative action to make online privacy the norm for everyone. EFF advocates for a ban on online behavioral advertising to address the primary incentive for companies to use invasive tracking technology. Otherwise, we’ll continue to see companies voluntarily sharing your personal data, then apologizing when thieves inevitably exploit a vulnerability in these tracking systems.
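The Kaiser breach came down to third-party tracking tags shipping search terms and navigation off to other companies. One thing a site owner (or a curious user) can do is audit a page for every resource it loads from a host that isn’t their own. The script below is an added example, not code from the EFF or the blog; the HTML it scans is a constructed sample, and the hostnames in it are placeholders, not Kaiser’s real markup or tags.

```python
"""Audit an HTML page for resources loaded from third-party hosts.

Added example (not from the EFF article or this blog). Analytics tags, ad
pixels and social-media trackers show up as <script>, <img>, <iframe> or
<link> elements pointing at another origin, which is exactly what this
collects. The sample page and hostnames are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Per tag, the attribute that names the remotely loaded resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
}

# Constructed sample page: one first-party CDN, two tracker-style tags and an ad iframe.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE"></script>
<link rel="stylesheet" href="https://cdn.example-health.org/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=EXAMPLE" width="1" height="1">
<iframe src="https://ads.example-adnet.test/frame"></iframe>
<img src="/images/logo.png">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every element that loads an external resource."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.resources.append((tag, value))


def is_first_party(host, first_party_suffixes):
    """True if host equals, or is a subdomain of, one of the site's own domains."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in first_party_suffixes)


def third_party_resources(html, first_party_suffixes):
    """Return (tag, host, url) for each resource served from a non-first-party host.

    Relative URLs (no netloc) are first-party by construction and are skipped.
    """
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        host = urlparse(url).netloc.lower()
        if host and not is_first_party(host, first_party_suffixes):
            findings.append((tag, host, url))
    return findings


def third_party_hosts(html, first_party_suffixes):
    """Sorted, de-duplicated list of third-party hosts, the usual audit output."""
    return sorted({host for _, host, _ in third_party_resources(html, first_party_suffixes)})


if __name__ == "__main__":
    # Assumed site domain for the constructed sample; pass your own.
    for tag, host, url in third_party_resources(SAMPLE_HTML, ["example-health.org"]):
        print(f"{tag:7s} {host:30s} {url}")
```

On a real page you would fetch the HTML yourself and pass your own domain list; what matters is that anything in the output is a party that receives the visitor’s request headers, referrer and often the page URL, which is how search terms leak on a health site.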

So does this all mean that this breach was sophisticated and we just turn a blind eye to the stupidity of what they were trying to do?

Snowflake

This is still baffling. This stupid fucking company didn’t even come out to acknowledge the problem until after the fact. Not until half of the press and small fries like me pounced and linked to the stupidity and asked why they weren’t saying a fucking word.

Thieves compromised the corporate customer accounts for U.S. cloud analytics provider Snowflake. The corporate customers included AT&T, Ticketmaster, Santander, Neiman Marcus, and many others: 165 in total.

This led to a massive breach of billions of data records for individuals using these companies. A combination of infostealer malware infections on non-Snowflake machines as well as weak security used to protect the affected accounts allowed the hackers to gain access and extort the customers. At the time of the hack, April-July of this year, Snowflake was not requiring two-factor authentication, an account security measure which could have provided protection against the attacks. A number of arrests were made after security researchers uncovered the identities of several of the threat actors.

But what does Snowflake do? According to their website, Snowflake “is a cloud-based data platform that provides data storage, processing, and analytic solutions.” Essentially, they store and index troves of customer data for companies to look at. And the larger the amount of data stored, the bigger the target for malicious actors to use to put leverage on and extort those companies. The problem is the data is on all of us. In the case of Snowflake customer AT&T, this includes billions of call and text logs of its customers, putting individuals’ sensitive data at risk of exposure. A privacy-first approach would employ techniques such as data minimization and either not collect that data in the first place or shorten the retention period that the data is stored. Otherwise it just sits there waiting for the next breach.

In case you stupid fucks happen to read this, let me repeat the last paragraph we just posted.

But what does Snowflake do? According to their website, Snowflake “is a cloud-based data platform that provides data storage, processing, and analytic solutions.” Essentially, they store and index troves of customer data for companies to look at. And the larger the amount of data stored, the bigger the target for malicious actors to use to put leverage on and extort those companies. The problem is the data is on all of us. In the case of Snowflake customer AT&T, this includes billions of call and text logs of its customers, putting individuals’ sensitive data at risk of exposure. A privacy-first approach would employ techniques such as data minimization and either not collect that data in the first place or shorten the retention period that the data is stored. Otherwise it just sits there waiting for the next breach.

Does this sound familiar like the rest of the companies and what they do? If there’s a breach at one of my accounts I host, I’m on it trying to figure out what I can do to fix it and/or advise on what could have happened. That’s what I do.
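The EFF paragraph above names two concrete controls: don’t collect what you don’t need, and don’t keep what you do collect any longer than necessary. Here is what those look like as code a company could actually run over its own records. This is an added example, not code from the EFF, the blog, Snowflake or AT&T; the record types, field allowlists and retention windows are all constructed for illustration, not anyone’s real policy.

```python
"""Data minimization at ingest plus retention enforcement on stored records.

Added example (not from the EFF article, the blog, or any named company).
Two ideas: fields are allowlisted per record type, so anything not listed is
never written; and every record type needs an explicit retention window, so
data with no policy is rejected rather than kept forever. Types, fields and
windows below are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone

# Allowlist of fields each record type may store. A denylist would miss new
# fields; an allowlist fails closed when someone adds one.
ALLOWED_FIELDS = {
    "call_log": {"account_id", "peer_number_hash", "started_at", "duration_s"},
    "support_ticket": {"account_id", "opened_at", "category", "status"},
}

# Maximum age per record type. A type with no entry has no business being stored.
RETENTION = {
    "call_log": timedelta(days=90),
    "support_ticket": timedelta(days=365),
}


def minimize(record_type, record):
    """Return a copy of record containing only the allowlisted fields.

    Raises for a record type nobody has written a policy for, so new data
    sources cannot start accumulating PII silently.
    """
    allowed = ALLOWED_FIELDS.get(record_type)
    if allowed is None:
        raise ValueError(f"no minimization policy for record type {record_type!r}")
    return {k: v for k, v in record.items() if k in allowed}


def is_expired(record_type, created_at, now):
    """True if the record is past its retention window, or has no window at all."""
    window = RETENTION.get(record_type)
    if window is None:
        return True
    return now - created_at > window


def purge(records, now):
    """Apply RETENTION to a list of records; return (kept, number_purged)."""
    kept = [r for r in records if not is_expired(r["type"], r["created_at"], now)]
    return kept, len(records) - len(kept)


# Constructed sample data: one fresh call log, one stale one, one ticket, and a
# record type that never got a policy.
NOW = datetime(2024, 12, 31, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"type": "call_log", "created_at": NOW - timedelta(days=10), "account_id": "A1"},
    {"type": "call_log", "created_at": NOW - timedelta(days=120), "account_id": "A2"},
    {"type": "support_ticket", "created_at": NOW - timedelta(days=200), "account_id": "A3"},
    {"type": "marketing_profile", "created_at": NOW - timedelta(days=1), "account_id": "A4"},
]


def demo():
    """Run both controls over the constructed sample and return the outcome."""
    raw_call = {"account_id": "A1", "ssn": "000-00-0000", "peer_number_hash": "h1",
                "full_text": "transcript that should never be stored"}
    stored = minimize("call_log", raw_call)
    kept, purged = purge(SAMPLE_RECORDS, NOW)
    return stored, kept, purged


if __name__ == "__main__":
    stored, kept, purged = demo()
    print("stored fields:", sorted(stored))
    print("kept:", [r["account_id"] for r in kept], "purged:", purged)
```

The retention check is deliberately run against a clock you pass in rather than reading the system time, so it can be tested and so a scheduled purge job and an audit report agree on what “expired” means.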

The tips

The tips are straightforward and have been talked about time and time again on this fucking program and blog. It seems as though other podcasts that talk about these just talk about what happened, yet they do not have any possible solutions on how to tell users what they could do. How ridiculous.

Read more from the EFF on all of these breaches: The Breachies 2024: The Worst, Weirdest, Most Impactful Data Breaches of the Year and have fun!
