DATA PROTECTION
The State of Data Security: All the Ways Organizations Lost their Data in 2024
Introduction
2024 was another banner year for cybercriminals. Ransomware in particular continued to wreak havoc across critical sectors, and the numbers are startling. According to The State of Ransomware 2024 report from Sophos, 59% of organizations were hit by ransomware in the past year. And while 98% of those hit were able to recover their data in some form, they faced serious disruption and cost: the average initial ransom demand was $2 million, and on top of that came the cost of recovery, $2.73 million on average.
Last year, hackers caused operational paralysis, data loss, and financial penalties at some of the world’s largest organizations and governmental bodies. What’s more, many of these incidents could have been mitigated, or avoided entirely, with relatively simple countermeasures. Let’s take a tour through some of 2024’s most destructive ransomware events.
Healthcare provider
One of the largest healthcare providers in the United States was hit with a ransomware attack in early 2024. The result was a data breach that compromised the records of 131 million patients. The exposed data encompassed protected health information (PHI), payment records, Social Security numbers, and other personally identifiable information (PII). The provider then faced a slew of regulatory consequences for the breach.
The attack forced the company to shut down healthcare software applications, such as those that fulfill prescriptions. It also caused the company to switch off its payment services, dental, and medical records applications—disrupting care and potentially affecting patients’ health.
The problem
The breach was possible because the attackers used stolen credentials to access the company’s network and data. This mode of attack is common: according to the Sophos report, 29% of ransomware attacks began with compromised credentials. The account the attackers used was not protected by multi-factor authentication (MFA), so a valid username and password were all that was needed to get in. Without a second factor tied to the user or device, the company had no way to distinguish the attacker from the legitimate user, and nothing stood between the stolen credential and the network.
The solution
MFA could have done a lot to stop this attack. By requiring a second proof of identity in addition to the password, such as a one-time code from an authenticator app, a push approval, or a hardware security key, MFA means a stolen password alone is not enough to log in. Codes sent by SMS or email are the weakest form, because they can be intercepted through SIM swapping or phished along with the password; authenticator apps are better, and phishing-resistant methods such as FIDO2 security keys are best, since the credential is bound to the legitimate site and cannot be relayed by a fake login page. Multi-user authentication (MUA) is potentially an even stronger countermeasure for the data itself. By requiring more than one person to approve a destructive action, such as deleting or encrypting data or modifying or deleting an account, MUA can blunt the worst impacts of a ransomware attack even after an individual account has been compromised.
National government
A ransomware attack affected over 200 government agencies in one of the world’s most populous countries in 2024. The attack disrupted airport operations and immigration processing, among many other essential government functions. The government refused to pay the attacker’s multi-million-dollar ransom demand and was eventually able to decrypt its data and recover. However, the process delayed the resumption of many government services, negatively affecting governance and citizens’ lives.
The problem
What went wrong? This country had no backup policy that was enforced across its many agencies. This may seem hard to believe, but anyone who has worked in government IT will understand how hard it is to define, enforce, and verify a backup policy across 200 different agencies. It is essential, though, to understand how central backups are to recovering from ransomware. Safely restoring backed-up data lets an organization outsmart the attacker and avoid paying the ransom.
The solution
It’s an accepted security best practice to keep a regular schedule of backups, and a dedicated backup provider often gives the best results. However, the most capable ransomware attackers target backups too. As the Sophos report explained, 94% of victims said attackers attempted to compromise their backups, and for good reason: by encrypting both the original data and the backup copy, the attacker leaves the target few choices other than to pay. There is a way to mitigate this risk. An immutable backup, written under a retention lock (often called object lock or write-once-read-many storage), cannot be overwritten, encrypted in place, or deleted before the retention period expires, even by an attacker who has obtained the storage credentials. Two caveats apply: the retention period must be long enough to outlast the time it takes to notice a breach, and the lock must be set in a mode that no administrator can shorten, because an attacker holding an admin credential will otherwise simply remove it.
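The following is an added example (not code from the article or from any storage vendor) of writing a backup object under a compliance-mode retention lock against an S3-compatible API with boto3, then checking the lock from the storage side and confirming that a versioned delete is refused. The endpoint URL, bucket name, object key and retention period are assumed values for illustration; the boto3 parameter names (`ObjectLockMode`, `ObjectLockRetainUntilDate`, `ObjectLockEnabledForBucket`, `put_object_lock_configuration`) are the real S3 API ones. The retention helpers at the top run without boto3 installed; the live section at the bottom needs credentials and a bucket you are allowed to create.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

try:
    import boto3                              # needed only for the live upload/verify path
    from botocore.exceptions import ClientError
except ImportError:                           # the retention helpers still work without it
    boto3 = None
    ClientError = Exception

# Assumed values (not from the article): an S3-compatible endpoint and a bucket name.
ENDPOINT_URL = "https://s3.example.invalid"
BUCKET = "backups-immutable"


def retention_args(mode: str, days: int, now: Optional[datetime] = None) -> dict:
    """Build the per-object lock parameters passed to put_object.

    COMPLIANCE mode is insisted on: in GOVERNANCE mode a principal holding the
    s3:BypassGovernanceRetention permission can shorten or remove the lock,
    which is exactly what an attacker with an admin credential would do.
    """
    if mode != "COMPLIANCE":
        raise ValueError("use COMPLIANCE mode; GOVERNANCE locks can be bypassed by privileged users")
    if days < 1:
        raise ValueError("retention must be at least one day")
    now = now or datetime.now(timezone.utc)
    return {"ObjectLockMode": mode, "ObjectLockRetainUntilDate": now + timedelta(days=days)}


def retention_days_remaining(args: dict, now: Optional[datetime] = None) -> int:
    """Whole days until a lock built by retention_args expires (negative once it has)."""
    now = now or datetime.now(timezone.utc)
    return round((args["ObjectLockRetainUntilDate"] - now).total_seconds() / 86400)


def upload_immutable(s3, key: str, body: bytes, days: int) -> str:
    """Write one backup object under a compliance lock and return its version id."""
    resp = s3.put_object(Bucket=BUCKET, Key=key, Body=body, **retention_args("COMPLIANCE", days))
    return resp["VersionId"]


def verify_locked(s3, key: str, version_id: str) -> bool:
    """Confirm the lock from the storage side instead of trusting the upload call."""
    head = s3.head_object(Bucket=BUCKET, Key=key, VersionId=version_id)
    return (head.get("ObjectLockMode") == "COMPLIANCE"
            and head["ObjectLockRetainUntilDate"] > datetime.now(timezone.utc))


def delete_is_refused(s3, key: str, version_id: str) -> bool:
    """Play the attacker: a versioned delete of a locked object must fail with AccessDenied."""
    try:
        s3.delete_object(Bucket=BUCKET, Key=key, VersionId=version_id)
    except ClientError as err:
        return err.response["Error"]["Code"] == "AccessDenied"
    return False


if __name__ == "__main__":
    if boto3 is None:
        raise SystemExit("boto3 is required for the live run")
    s3 = boto3.client("s3", endpoint_url=ENDPOINT_URL)
    # Object Lock requires versioning; creating the bucket with the flag below turns it on.
    s3.create_bucket(Bucket=BUCKET, ObjectLockEnabledForBucket=True)
    # Bucket-wide default so a backup job that forgets the per-object parameters is still locked.
    s3.put_object_lock_configuration(
        Bucket=BUCKET,
        ObjectLockConfiguration={"ObjectLockEnabled": "Enabled",
                                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}},
    )
    key = "db/2024-06-01.tar.gz"                      # assumed object key
    vid = upload_immutable(s3, key, b"...backup bytes...", days=30)
    print("locked:", verify_locked(s3, key, vid))
    print("delete refused:", delete_is_refused(s3, key, vid))
```

Note that a delete without a version id on a versioned bucket only adds a delete marker; the locked version is still there and can be restored, which is why `delete_is_refused` targets the specific version. Choose the retention period from how long a breach could plausibly go unnoticed, not from how long the backup is operationally useful.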
Major transportation hub
In the fall of 2024, a ransomware attacker targeted one of the busiest and most economically significant transportation hubs in the United States. The attacker compromised several systems and encrypted their data, impairing the functioning of a major airport and marine shipping facilities. The authority that runs the port refused to pay the ransom. It was able to restore its data and systems; however, the process took longer than anyone expected and inconvenienced travelers and shipping companies.
The problem
The port did have reliable backups and a viable backup strategy in place. Yet it still experienced downtime and lost business. The difficulty lay in slow backup and restoration processes: it simply took a long time, and a lot of administrative steps, to recover from the effects of the attack. In addition, the port had to pay egress fees to pull its backed-up data out of cloud storage.
The solution
It’s wise to think through recovery time objective (RTO) windows when selecting a backup solution, and to test full restores against them before an incident rather than discovering the real restore time during one. A ransomware attack is already a major incident to handle; if restoring data then takes extra hours or even days, that compounds the impact. A backup service without egress and API fees will also save on the cost of restoration, which matters most precisely when you have to pull everything back at once.
Major cloud services provider
Hackers breached a major cloud services provider and accessed a large amount of data housed there by a data analytics software platform. The data belonged to numerous large companies, including banks and entertainment venues. This was not a ransomware attack but a variant of the approach: instead of encrypting the data, the hackers exfiltrated it and attempted to sell it on the dark web. Banks’ customer records were offered for sale, along with credit card account information and more.
The problem
The attack was sophisticated: the hackers first stole login credentials from customers’ personal devices, then used those credentials to log in to the data analytics platform. Because the credentials were valid, the logins looked legitimate, and the hackers were able to exfiltrate data without anyone at the cloud provider noticing. By the time the provider became aware of the breach, the attacker had already pulled out reams of sensitive data. This pattern is common and, in this case, was extremely damaging.
The solution
Egress alerts notify storage admins when data is retrieved from their account, or when the volume retrieved exceeds a threshold. If enabled, this feature could have reduced the impact of this attack: admins would have been notified while data was still being exfiltrated, alerting them to the breach far sooner and limiting how much data ended up for sale online. An alert is only useful if someone acts on it, so the notification should go to a monitored channel with a defined response, and the threshold should be derived from the account’s normal retrieval pattern so that routine downloads do not drown out a real exfiltration.
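As an added example of what such an alert can look like when built from access logs (this is not code from the article and not any provider's alerting feature), the script below reads a constructed sample of storage access-log records, sums the bytes returned by read operations per requester per hour, and raises an alert when an hour either exceeds an absolute limit or exceeds ten times that requester's previous peak hour. The log format, field names, requesters, addresses and thresholds are all assumptions for illustration; a real deployment would read the provider's own access-log format and tune the thresholds from historical data.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample of storage access-log records in JSON-lines form (not real logs, and
# not any provider's exact format). bytes_sent is the payload returned to the client.
SAMPLE_LOG = """
{"time": "2024-06-01T08:00:10Z", "requester": "svc-reporting", "remote_ip": "10.0.5.12", "operation": "GetObject", "bytes_sent": 52428800}
{"time": "2024-06-01T08:05:41Z", "requester": "svc-reporting", "remote_ip": "10.0.5.12", "operation": "GetObject", "bytes_sent": 41943040}
{"time": "2024-06-01T08:30:02Z", "requester": "svc-reporting", "remote_ip": "10.0.5.12", "operation": "PutObject", "bytes_sent": 0}
{"time": "2024-06-01T09:02:17Z", "requester": "svc-reporting", "remote_ip": "10.0.5.12", "operation": "GetObject", "bytes_sent": 62914560}
{"time": "2024-06-01T10:14:03Z", "requester": "analyst-jdoe", "remote_ip": "10.0.7.3", "operation": "GetObject", "bytes_sent": 10485760}
{"time": "2024-06-01T23:41:09Z", "requester": "analyst-jdoe", "remote_ip": "203.0.113.77", "operation": "ListObjectsV2", "bytes_sent": 204800}
{"time": "2024-06-01T23:42:30Z", "requester": "analyst-jdoe", "remote_ip": "203.0.113.77", "operation": "GetObject", "bytes_sent": 3221225472}
{"time": "2024-06-01T23:48:55Z", "requester": "analyst-jdoe", "remote_ip": "203.0.113.77", "operation": "GetObject", "bytes_sent": 4294967296}
{"time": "2024-06-01T23:55:12Z", "requester": "analyst-jdoe", "remote_ip": "203.0.113.77", "operation": "GetObject", "bytes_sent": 2147483648}
"""

READ_OPS = {"GetObject", "SelectObjectContent"}   # operations that move data out of the bucket
WINDOW_SECONDS = 3600
ABSOLUTE_LIMIT = 5 * 1024 ** 3   # 5 GiB in one window for one requester: alert regardless of history
SPIKE_RATIO = 10.0               # or more than 10x the requester's largest previous window


def parse_records(text: str) -> List[dict]:
    """Parse JSON lines and attach an epoch timestamp, sorted oldest first."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        stamp = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["ts"] = stamp.timestamp()
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def egress_per_window(records: List[dict]) -> Dict[str, Dict[int, int]]:
    """requester -> window start (epoch seconds) -> bytes returned by read operations."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec["operation"] not in READ_OPS:
            continue                       # uploads and listings are not data leaving the bucket
        window = int(rec["ts"]) // WINDOW_SECONDS * WINDOW_SECONDS
        totals[rec["requester"]][window] += rec["bytes_sent"]
    return totals


def detect_egress_spikes(text: str) -> List[dict]:
    """Return one alert per (requester, window) whose egress breaks either rule.

    A requester's baseline is the largest of its earlier windows, so the first
    hour of a new identity is judged on the absolute limit alone.
    """
    alerts = []
    for requester, windows in egress_per_window(parse_records(text)).items():
        baseline = 0
        for start in sorted(windows):
            total = windows[start]
            reasons = []
            if total > ABSOLUTE_LIMIT:
                reasons.append(f"absolute limit: {total / 1024 ** 3:.1f} GiB in one hour")
            if baseline and total > SPIKE_RATIO * baseline:
                reasons.append(f"spike: {total / baseline:.0f}x the previous peak hour")
            if reasons:
                alerts.append({"requester": requester, "window_start": start, "bytes": total, "reasons": reasons})
            baseline = max(baseline, total)
    return alerts


def source_ips(text: str, requester: str) -> set:
    """Addresses a requester pulled data from; a new address alongside a spike is a strong signal."""
    return {r["remote_ip"] for r in parse_records(text)
            if r["requester"] == requester and r["operation"] in READ_OPS}


if __name__ == "__main__":
    for a in detect_egress_spikes(SAMPLE_LOG):
        when = datetime.fromtimestamp(a["window_start"], timezone.utc).isoformat()
        print(f"ALERT {a['requester']} {when}: " + "; ".join(a["reasons"]))
        print("  seen from:", ", ".join(sorted(source_ips(SAMPLE_LOG, a["requester"]))))
```

In the sample, the reporting service's steady tens of megabytes per hour never trips either rule, while the analyst account that suddenly pulls 9 GiB late at night from an address it has never used before trips both. The ratio rule is what catches a low-volume account being drained; the absolute rule is what catches an account that has no history yet.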
Conclusion
The four attacks discussed in this article represent some of the more serious cybersecurity incidents in a year that saw thousands of such events. Ransomware caused disruption and expense in healthcare, transportation, and government, and credential theft enabled the exfiltration of data from major corporations. The probability and impact of these attacks could have been reduced through the right countermeasures. With consistent backups, realistic RTOs, MFA, immutable backups, and egress alerts, there is less risk of suffering a ransomware attack or data breach, and less damage when one occurs.