Global Data Breaches and Cyber Attacks in December 2023 – 2,241,916,765 Records Breached

IT Governance’s research found the following for December 2023:

  • 1,351 publicly disclosed security incidents.
  • 2,241,916,765 records known to be breached.

Both these figures are a significant increase on what we found for November 2023: 470 incidents and 519,111,354 records – 187% and 332% increases respectively.

This is in spite of a drop in supply chain attacks: 160 incidents (12%) originated from the supply chain this month. In November 2023, this was 227 incidents (48%).


Why such a steep increase?

This month, we have found several ‘group’ incidents. For instance, a two-month Europol action (revealed to the public on 22 December) discovered that 443 organisations had suffered data breaches – specifically, their customers’ payment card data had been compromised. These breaches likely occurred over a longer time span than just one month, but our research methodology records incidents by the month that they are first publicly disclosed, since we have no way of consistently finding out when they actually occurred.

Another noteworthy incident, a JavaScript web injection malware campaign affecting more than 40 organisations at once,* was uncovered by security researchers. Their report was also published this December, though the attacks themselves likely occurred much earlier in the year.

These are only two examples, but combined already account for 484 incidents: 36% of this month’s total.

*We log this as 41 incidents.


Free PDF download: Data Breach Dashboard

For a quick, one-page overview of this month’s findings, please use our Data Breach Dashboard:

You can also download this and previous months’ Dashboards as free PDFs here.

This blog provides analysis of the data we’ve collected.


Data breaches and cyber attacks in 2023

In 2023, we identified 1,351 incidents, affecting 2,241,916,765 breached records. We discuss the year’s biggest breaches in our 2023 overview of publicly disclosed data breaches and cyber attacks, where you can learn about the year’s top ten incidents and find links to each month’s round-up.


High-level overview

Of December’s 1,351 incidents, we know the following:

Data breached

  • 75% of breached organisations are known to have had data breached – an increase on last month’s 68%.
  • An additional 25% may have had data breached – not too different from last month’s 24%.

Data exfiltration

  • In 73% of incidents this month, we know that data has also been exfiltrated – another increase on last month’s 54%.
  • In a further 25% of incidents this month, data may have been exfiltrated – a decrease on last month’s 45%.
  • Interestingly, when we add these numbers up for each month, they both amount to 99% of incidents where data was or may have been exfiltrated.

Remediation

  • 37% of breached organisations reported taking, or are known to have taken, remedial action this month – a noticeably lower percentage than last month’s 48%.

Note 1: Reported remediation typically includes conducting a forensic analysis to establish exactly what happened (often by engaging a third-party specialist). It often also involves temporarily taking down systems to limit the impact of the security breach.

Note 2: In the case of DoS (denial-of-service) attacks, where a website had been taken down by a threat actor and is live again at the time of writing, we assume that the attacked organisation has taken remedial action, even if that organisation hasn’t publicly acknowledged the attack or the remediation.

Notification

  • 57% of breached organisations notified a regulator, or the incident involved a regulator or equivalent authority. This is a sharp increase on last month’s 32%, but has also been skewed by incidents such as the Europol action mentioned earlier.
  • 18% notified affected individuals – a sharp contrast to the 57% on regulator notification, and a significant decrease on last month’s 31%. That said, this number has also been skewed by the Europol action.

Top 10 biggest breaches

| # | Organisation name | Known data breached |
|---|---|---|
| 1 | Real Estate Wealth Network | 1,523,776,691 |
| 2 | TuneFab | >151,000,000 |
| 3 | Dori Media Group | >100 TB |
| 4 | Organisations with DICOM server | >59,000,000 |
| 5 | Rosvodokanal | 50 TB |
| 6 | Comcast Cable Communications, LLC (Xfinity) | 35,879,455 |
| 7 | Tecnoquadri Srl | 33,000,000 |
| 8 | Asia Insurance Co. (AIC) | 26,000,000 |
| 9 | Snappfood | >20,000,000 |
| 10 | Alborz Insurance Company | 19,500,000 |

Note 1: Where ‘around’, ‘about’, etc. is reported, we record the rounded number. Where ‘more than’, ‘at least’, etc. is reported, we record the rounded number plus one. Where ‘up to’, etc. is reported, we record the rounded number minus one.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (for instance, pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
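The counting rules in Notes 1 and 2, applied to figures from the table above, as an added example (not IT Governance's own code). The names `normalise` and `rank` are hypothetical, and two things are assumptions the notes do not state: decimal units (1 TB = 1,000,000 MB), and applying the 'more than' adjustment after converting file size to records.

```python
import re

# Assumption (not stated on the page): decimal units, 1 TB = 1,000,000 MB.
MB_PER_UNIT = {"MB": 1, "GB": 1_000, "TB": 1_000_000}

# Note 1: qualifier wording mapped to the adjustment it describes.
ADJUST = {">": 1, "more than": 1, "at least": 1,
          "up to": -1, "around": 0, "about": 0}

PATTERN = re.compile(
    r"^\s*(?P<qual>>|more than|at least|up to|around|about)?\s*"
    r"(?P<num>\d[\d,]*(?:\.\d+)?)\s*(?P<unit>MB|GB|TB)?\s*$",
    re.IGNORECASE,
)

def normalise(reported: str) -> int:
    """Turn a reported breach size into a comparable record count."""
    m = PATTERN.match(reported)
    if m is None:
        # Refuse to guess: an unparseable figure must not become a number.
        raise ValueError(f"unrecognised figure: {reported!r}")
    qual = (m.group("qual") or "").lower()
    value = float(m.group("num").replace(",", ""))
    unit = (m.group("unit") or "").upper()
    if unit:
        value *= MB_PER_UNIT[unit]  # Note 2: 1 MB = 1 record
    return round(value) + ADJUST.get(qual, 0)

def rank(rows):
    """Sort (name, reported figure) pairs by normalised record count."""
    counted = [(name, normalise(figure)) for name, figure in rows]
    return sorted(counted, key=lambda r: r[1], reverse=True)

# Figures as printed in the top 10 table, deliberately out of order.
SAMPLE = [
    ("Rosvodokanal", "50 TB"),
    ("TuneFab", ">151,000,000"),
    ("Comcast Cable Communications, LLC (Xfinity)", "35,879,455"),
    ("Dori Media Group", ">100 TB"),
    ("Real Estate Wealth Network", "1,523,776,691"),
    ("Organisations with DICOM server", ">59,000,000"),
]

if __name__ == "__main__":
    for name, records in rank(SAMPLE):
        print(f"{records:>15,}  {name}")
```

Under these assumptions the ranking reproduces the order of the table above, with the two file-size entries landing between the record-count entries.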

This month, we’ve seen a lot of big breaches – we’ve found 14 organisations that are known to have at least 10 million records breached. To put this into perspective: last month, there were 5 breaches of this magnitude; the month before, there were 4.

Even finding 3 incidents where at least 100 million records were breached is extraordinary – in both October and November, we only had 1 of each.

However, the major outlier this month was Real Estate Wealth Network in the US. This real estate training and tool provider left a database containing more than 1.5 billion records unprotected, as discovered by a security researcher. The exposed data included, according to the researcher, information on property owners, sellers, investors, internal user logging data, and more. This is the second-largest breach of the year, with only DarkBeam suffering a bigger one.

Coming back to December, the second-largest breach of the month was suffered by TuneFab, a Hong Kong-based platform that converts music from popular streaming platforms – including Spotify, Apple Music, YouTube and Audible – to other formats. TuneFab also left a large database exposed, containing more than 151 million data records, which a different security researcher discovered.


Sector overview

For our monthly analyses, we look at the top 3 most-breached sectors by number of incidents and by known number of records breached.

We’ll provide a full sector breakdown in our quarterly report published later this month.

Top 3 most-breached sectors (by number of incidents)

| # | Sector | Incidents | % of month’s total |
|---|---|---|---|
| 1 | Finance | 179 | 13% |
| 2 | Manufacturing | 113 | 8% |
| 3 | Healthcare | 93 | 7% |

Note: Technically, ‘unknown’ was the most-breached sector at 448 incidents publicly disclosed in December 2023 – 33% of this month’s total – but we excluded it to make this analysis as informative as possible. It’s also worth noting that 443 of those incidents were, again, from the Europol action reported this month.

In the past two months, the finance sector suffered relatively few incidents, at 3% and 4% of October’s and November’s total respectively. This month, the numbers look very different, at 179 incidents – 13% of this month’s total. In absolute terms, this is a 795% increase on November’s 20 incidents in the sector.

In part, this number is so high due to the JavaScript web injection malware campaign uncovered by researchers that we mentioned earlier, which affected more than 40 banks.* Another noteworthy incident in the sector was the supply chain attack via Ongoing Operations, LLC in the USA, affecting 60 credit unions.

Nevertheless, if we exclude the web injection malware campaign and all third-party attacks, this still leaves 67 incidents in the finance sector this month – a worrying number of organisations to be affected, particularly if you consider how important this sector is to businesses and society as a whole. This is part of the reason regulations such as DORA (Digital Operational Resilience Act) are being introduced.

The manufacturing sector suffered an impressive 113 incidents this month, with only 6 of them originating from the supply chain. The healthcare sector, on the other hand, suffered 24 third-party attacks, 21 of which came from the MOVEit Transfer breach.

*We recorded this as 41 incidents. The true number may be higher.

Top 3 most-breached sectors (by number of records)

| # | Sector | Known number of records breached |
|---|---|---|
| 1 | Construction/real estate | 1,524,857,965 |
| 2 | IT services/software | 181,695,450 |
| 3 | Insurance | 162,789,861 |

Interestingly, this top 3 has no overlap at all with the top 3 most-breached sectors by number of incidents.

This month, the construction and real estate sector had by far the highest number of records known to be breached, even though it suffered only 2% of the month’s incidents. The total number of records is so high due to the Real Estate Wealth Network breach discussed earlier.

The IT services and software sector suffered more incidents (5% of the month’s total), but had relatively many known records breached. However, 94% of them came from just 2 incidents: the TuneFab one discussed earlier, and Iranian online food ordering platform SnappFood, which suffered a breach claimed by hacktivist group KromSec. The gang alleges that it has stolen data from more than 20 million users. SnappFood has released a statement confirming that it suffered a cyber attack.

Iran also suffered significantly in the insurance sector this month. A supply chain attack on Fanavaran resulted in 162,600,000 records being breached across 23 Iranian insurance companies.


Other noteworthy findings

More than one in four incidents were ransomware attacks

It has been another big month for ransomware: 390 attacks (29% of all incidents this month). These accounted for more than 175 million records known to be breached – 175,574,086 records, to be exact.

For Q4 2023 (October – December 2023), 26% of all incidents were ransomware attacks. We’ll elaborate on this in our upcoming quarterly report.

More than 1.7 billion records breached due to misconfigurations

A stunning 1,739,974,467 records were known to be breached this month due to misconfigurations – 78% of the month’s total. This is in spite of only 19 incidents (1% of the month’s total) being caused by a misconfiguration. However, this number is so large due to outliers like Real Estate Wealth Network and TuneFab, as discussed earlier.

More than 361 million records breached through supply chain attacks

Although, as mentioned earlier, there were fewer supply chain attacks this month (12% of this month’s incidents) than in November 2023, they still led to 361,895,893 records known to be breached.

That’s 24% more than the number of records known to be breached as a result of external attacks, even though 86% of this month’s incidents originated externally. This shows how important it is to secure your supply chain.

North America was the worst-hit region (again)

As we find virtually every month, North America – particularly the US – has once again suffered more incidents than any other region – at least 461 incidents in North America, or 34% of the month’s total. For the US, this was 443 incidents (33% of the month’s total).

The true figures are higher due to the Europol action in 17 countries, including the US, but we don’t know how many of the 443 organisations are in the US, which is why we haven’t attributed them to a specific country. We will update this if more information on the Europol action is released.

More unusually, North America was also the region to have the highest number of known records breached by far: 1,624,909,783 records – 72% of the month’s total. This was largely due to the Real Estate Wealth Network breach.

Next week, we’ll publish our report on US incidents publicly disclosed in December, so keep an eye on our US blog.