2021 was a bad year for cybersecurity.
With uncertainty about the pandemic, a newly remote workforce, and a distinct lack of proper protections for thousands of businesses across the country, we had an environment that was ripe to be taken advantage of by malicious actors.
And cybercriminals did just that. Preying on people’s fears and anxieties, they stepped up phishing, ransomware, and other attacks that rely on social engineering, alongside other vectors such as SQL injection, zero-day exploits, and distributed denial of service (DDoS) attacks.
While it’s the big attacks that get more coverage, SMBs are being targeted with just as much frequency, and no business is too small to be a victim of cybercrime in today’s cybersecurity environment.
According to a 2020 report, 55% of SMBs have experienced a cyberattack.
Today, we’re going to be taking a look at some of the biggest data breaches of the year, what caused them to happen, and what we can learn from them.
The Good News
It would be remiss not to acknowledge that data breaches have actually decreased in 2021 compared to 2020, by 24%.
This doesn’t, however, mean that enough of an improvement has been made to stay safe from attack.
Employees going back to the office and an increase in cybersecurity investment are driving forces behind this improvement, but businesses should remain vigilant, and those that haven’t invested in their security protections should strongly consider getting a strategy in place, whether through an in-house team or by using an MSSP.
In the first half of 2021, there were 1,767 publicly reported breaches, exposing a total of 18.8 billion records.
Now, without further ado, let’s jump in!
T-Mobile
What happened?
On August 17th, telecommunications giant T-Mobile was subject to a cyberattack that compromised the sensitive data of more than 54 million people, including SSNs, names, addresses, birthdates, and driver’s license and ID numbers, as well as IMEI and IMSI numbers.
T-Mobile reacted quickly to the breach, shutting down their servers and launching a full-scale investigation.
How did it happen?
The hacker who claimed responsibility for the attack, 21-year-old John Binns, told the Wall Street Journal that he had gained access to T-Mobile’s internal infrastructure through an unsecured router, describing the company’s security as “awful”.
What did we learn?
This is not the first time T-Mobile has been the subject of a data breach, having previously been hacked in 2018, 2019, and 2020 in addition to this year.
The latest breach is the fifth in four years.
If Binns’ account of hacking an unsecured router is true, this is just another example of a business failing to properly identify and secure all their devices with endpoint protection.
Organizations should be sure to inventory, provision, and monitor every device connected to their network; otherwise they risk leaving a wide-open door for hackers to exploit, as T-Mobile did.
SocialArks
What happened?
SocialArks is a Chinese-based platform used for managing social media data and campaigns.
In 2021, it suffered a massive data breach—over 300 million social media account records from platforms such as Facebook, Instagram, and LinkedIn were stolen.
A total of 400GB of private account data pertaining to more than 200 million social media users around the world was compromised.
How did it happen?
The SocialArks breach occurred because the Elasticsearch database the company owned was misconfigured.
The sensitive data in the database had been “scraped” from social media sites, and according to subsequent IP-address checks the server housing it lacked proper security controls.
The server did not even require a password, meaning virtually anyone who could reach it could read the massive amounts of personal data, which is how it was stolen.
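The misconfiguration described above is the combination of a node bound to a reachable interface with authentication switched off. As an added example (not from the original post, and not SocialArks’ actual configuration), the audit below parses two constructed elasticsearch.yml fragments and flags that pattern, assuming Elasticsearch 7.x defaults, where security is off unless xpack.security.enabled is set to true.

```python
"""Audit flat elasticsearch.yml settings for the 'reachable and unauthenticated' pattern."""
from typing import Dict, List

# Constructed sample: the weak configuration (every interface, no authentication).
WEAK_CONFIG = """
cluster.name: social-data
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the corrected configuration (private interface, auth and TLS on).
HARDENED_CONFIG = """
cluster.name: social-data
network.host: 10.0.3.15        # private interface only, behind a firewall
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Values of network.host that keep the node on loopback; anything else is reachable.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml uses, dropping comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_enabled(settings: Dict[str, str], key: str, default: bool) -> bool:
    return settings.get(key, str(default)).lower() == "true"


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the pattern is absent."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "localhost")  # Elasticsearch binds loopback if unset
    reachable = host not in LOOPBACK
    security_on = is_enabled(s, "xpack.security.enabled", False)  # 7.x default: disabled
    tls_on = is_enabled(s, "xpack.security.http.ssl.enabled", False)
    findings = []
    if reachable and not security_on:
        findings.append(f"bound to {host} with authentication disabled: any client that reaches "
                        f"port {s.get('http.port', '9200')} can read every index")
    if reachable and security_on and not tls_on:
        findings.append("authentication enabled but HTTP TLS off: credentials cross the wire in clear text")
    return findings
```

Run `audit()` over the node’s own elasticsearch.yml as part of a deployment check; the weak sample produces one finding and the hardened sample none.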
What did we learn?
Many organizations that store consumer data do so in unsecured locations.
From a consumer point of view, they should be extremely careful with whom they are sharing and allowing access to their personal information.
For businesses, it’s important to recognize that protecting customer data in a responsible way is essential today—people will lose confidence very quickly if their unsecured data is stolen.
Because of this, it’s a good idea to ensure that the data centers being used are highly secure and have acceptable levels of redundancy, like Tier III- and Tier IV-rated data centers.
Volkswagen
What happened?
A data breach at a vendor of Volkswagen impacted more than 3.3 million customers in North America and came to light in May 2021.
More than 90,000 customers in the US and Canada had more sensitive data compromised, including information about loan eligibility, as well as date-of-birth records and Social Security numbers.
The hacker, identified by the alias “000”, wrote that they were looking to sell the contents of the database for around $5,000.
How did it happen?
A vendor of Volkswagen, unnamed by the company, left customer data spanning the period 2014 to 2019 unprotected.
The vendor gathered customer information on behalf of Volkswagen to aid their sales and marketing initiatives.
Volkswagen has so far declined to comment on how exactly the vendor was hacked, saying only it was because “electronic data was left unsecured at some point between August 2019 and May 2021.”
Multiple investigations have since been launched and Volkswagen is the subject of a class action lawsuit filed in June 2021.
What did we learn?
Many businesses outsource several aspects of their operations, including marketing services.
Before partnering with a vendor, organizations should be confident that it will protect the data it is being entrusted with, particularly if that data includes customers’ personally identifiable information (PII).
Businesses that operate in industries with strict compliance regulations, like healthcare, should be doubly careful about whom they partner with for services.
Kaseya
What happened?
In July 2021, software company Kaseya discovered that a number of managed service providers and their customers were being targeted with ransomware affecting Kaseya’s remote monitoring and management (RMM) solution.
Kaseya stated that between 800 and 1,500 businesses using their software were affected in the attack, with the hackers demanding a ransom of $70 million for the encrypted data to be returned to the MSPs.
Kaseya responded by shutting down systems before providing users with a compromise detection tool, helping them determine whether they had been affected.
They stated no ransom had been paid to the hackers.
How did it happen?
Hackers used a zero-day exploit to bypass authentication and achieve arbitrary command execution in Kaseya’s VSA remote monitoring product.
This allowed them to push updates containing malware to Kaseya’s MSP customers, infecting them with ransomware.
What did we learn?
Zero-day exploits, which take advantage of newly discovered vulnerabilities before a patch is available and applied, continue to be an issue in cybersecurity.
2021 was the biggest year on record for the exploitation of zero-day vulnerabilities.
Zero-day attacks represent the continuing game of whack-a-mole that engineers play with hackers in an effort to close these vulnerabilities.
Newer security techniques, particularly those that utilize behavioral patterns and machine learning to determine threats, will be essential going forward to stop zero-day attacks.
Businesses that haven’t done so already should consider investing in threat hunting technologies to actively protect their systems with advanced proactive cybersecurity tools.
Ubiquiti
What happened?
Ubiquiti is a manufacturer of high-end consumer tech, including routers, security cameras, and other Internet of Things (IoT) devices, with an emphasis on security.
In January 2021, the company advised users to reset their passwords after suffering a breach that involved a third-party cloud provider.
Ubiquiti later told customers that names, email addresses, hashed credentials, and phone numbers had been compromised, but didn’t elaborate on how many customers had been affected.
The apparently routine security incident gained substantial prominence when a whistleblower claimed at the end of March 2021 that the incident had been downplayed and was in fact “catastrophic”.
How did it happen?
Rather than a third-party vendor being at fault, the whistleblower claimed that Ubiquiti itself hosted the data on Amazon’s AWS platform.
Hackers apparently gained admin access to databases via stolen LastPass credentials.
After the data was stolen, the hackers demanded 50 Bitcoin (BTC) (about $2–3 million) from Ubiquiti, who didn’t engage with them.
As a result of the breach and the confused communication and messaging to customers, Ubiquiti’s stock price fell 25% and is yet to recover.
What did we learn?
Access controls and policies for third-party software within organizations should be monitored and maintained.
Who has access to what and why? This is a question businesses ask themselves far too infrequently, and it often leads to increased numbers of attack vectors for cybercriminals.
Additionally, in many of these cases multifactor authentication was not employed; here, a simple password was all that was required, and the hackers had obtained it.
Had they also been required to authenticate via the employee’s phone, the attack would have been stopped dead in its tracks.
Ubiquiti’s breach also demonstrates the need for companies to be completely upfront about attacks, as the reputational harm from incidents such as a whistleblower going public can be devastating. Always be clear and disclose to customers exactly what they need to know; it’s their data and they deserve nothing less.
Bottom Line
We’ve taken a look at a number of 2021’s biggest data breaches.
As you can see, data breaches can occur because of a wide variety of attack vectors, and each of them is extremely dangerous to business operations.
Each of the breaches we looked at today was preventable, and there are solutions that can put a business in a great position to fend off attacks.
Organizations that are uncertain of their cybersecurity profile should consider having a risk assessment conducted so they can get a clear idea of what solutions they need to implement so as not to fall victim like these companies did in 2021.
If you need cybersecurity but are unsure where to start, consider having a risk audit done by Impact. Get in touch today to get the ball rolling on securing your future.