As consumers stepped up online shopping in the second half of 2023 ahead of the holiday season, cyberattacks and malware reports by businesses were trending down. KonBriefing Research, which collects information on the threats from businesses worldwide, reported fewer affected industries in fewer countries in the fall after a peak in May 2023.

Still, the costs of data breaches — to businesses and individuals — continue to rise. According to Statista, that total was 4.45 million U.S. dollars in 2023, with the healthcare sector showing the highest average cost of a data breach.

NordLayer delved into that data to count the 11 most significant breaches of 2023.

In January, MailChimp lost records of 133 business clients. The attack was tracked to social engineering of employees. In short, an internal user’s credentials were compromised, allowing the bad actor access to customer service and account management data. MailChimp told users that while email addresses were compromised, no credit card or password information was.

In February, videogame maker Activision reported an SMS phishing attack that exposed employee names, emails and information like salaries, along with sneak peeks at plans for the Call of Duty Modern Warfare II franchise.

In March, a vulnerability in the open-source code required a temporary shutdown of popular AI chatbot ChatGPT.

In April, Shields Healthcare Group, based in Massachusetts, reported data leaked on 2.3 million clients across 56 facilities. Healthcare information is considered especially vulnerable to exploitation because it can include personal identifying information like Social Security numbers and dates of birth, financial data — billing and credit cards — and medical information about diagnoses, conditions, and treatment plans.

In May, MOVEit, a software company that supports file transfer, reported an attack on its servers that leaked information on clients that range from New York public school students to Louisiana drivers to California retirees and government agencies in the United States and elsewhere.

In June, JumpCloud reported a spear-phishing attack that targeted “a small and specific set of customers.” The company blamed a nation-state actor for the breach.

Indonesia’s migration department lost almost 35 million records — passports and citizens’ identification — in July. Passport data later appeared for sale on the dark web.

The elections regulation body of the United Kingdom lost 40 million records — names and addresses of registered voters — in August. That attack was blamed on malicious code inserted into the agency’s computer systems.

In September, cellular carrier T-Mobile reported two leaks: first, the compromise of account information for employees, including email addresses and partial Social Security numbers, and later in the month, the release of payment data for fewer than 100 customers.

23andMe, the genetic testing company, lost more than 4 million customer records in October when hackers blasted combinations of user names and passwords from elsewhere on the internet to access the company’s systems.

In November, a nuclear energy testing lab in Idaho lost data for hundreds of thousands of users. According to the company, the leaked data included sensitive personal information like Social Security numbers, bank account and routing numbers, health care details, marital status, and account types for current, former and retired employees.