It took only nine months for 2021 to surpass 2020 in publicly reported data breaches. By the end of September, the number of publicly reported breaches had already exceeded the 2020 total by 17%, according to the Identity Theft Resource Center. This year, businesses big and small were affected by data breaches, leaving them grappling with reputational and fiscal losses.
Below are five of the worst data leaks of 2021 so far.
1. SocialArks (January)
400GB of data containing 318 million records of 214 million users across Facebook, Instagram and LinkedIn social media platforms: That’s the cost of an unprotected database of SocialArks, a social media management company in China.
Among the data leaked were personal and business email addresses, names, profile links, mobile numbers, locations, job roles, URLs of the social media profiles, company names, account names and more.
The threat actors gained access via a misconfigured Elasticsearch database. In reality, they didn’t have to work hard for it. The breached server was exposed to the internet unprotected by usernames or passwords.
2. Android (May)
Data of more than 100 million Android users were exposed due to misconfigured cloud services this May.
Cybersecurity researchers revealed that a total of 23 apps were using unsecured real-time databases, leaving their users exposed. The affected apps were downloaded anywhere from 10,000 to 10 million times.
The exposed data consisted of the users’ names, dates of birth, email addresses, genders, photos, phone numbers, and even passwords and payment details. The sensitive information was public in 13 of the 23 affected apps.
“In cases like this, it is nearly impossible to determine the exact scope of the leaks,” said Juta Gurinaviciute, Chief Technology Officer at NordLayer. “Unfortunately, it is not uncommon for app developers to treat fundamental security standards while integrating third-party cloud services into their applications as an afterthought. In reality, these things are of utmost importance, and failure to do so can lead to devastating circumstances — both for developers and users.”
3. LinkedIn (April and June)
Data scraped from hundreds of millions of LinkedIn users appeared on sale twice this year.
First, in April, an offer to buy data of 500 million LinkedIn users appeared on the dark web. Later, in June, another database went on sale. This time, it consisted of the information of about 700 million LinkedIn users. At the time, this affected around 92% of the professional social network’s user base.
The database included full names, email addresses, physical addresses, phone numbers, LinkedIn usernames and URLs, professional backgrounds and more.
Although LinkedIn wasn’t technically breached, the scraped data could be used for several malicious purposes. The data was allegedly scraped by exploiting LinkedIn’s API.
4. Audi & Volkswagen (June)
A breach of an unnamed marketing service provider for the German automakers Audi and Volkswagen led to the personally identifiable information of 3.3 million customers in Canada and the United States being taken. The data, regrettably, was taken from an unsecured file.
At least 90,000 of the affected people had their particularly sensitive information leaked, including but not limited to tax ID numbers and account figures.
Among the data leaked, there were names, driver’s license numbers, social insurance information, dates of birth, loan numbers, emails, addresses, phone numbers, vehicle reference numbers and other information regarding the vehicles consumers bought or inquired about, such as colors, types and years.
“For global market leaders like Audi and Volkswagen, the cost of such incidents can get very steep,” Gurinaviciute said. “Other businesses should learn from incidents like this and make sure every third-party service provider they are partnering with has secure information management processes in place. In the current cybersecurity climate, it is not enough to protect your databases — third-party vendors must be vetted thoroughly.”
5. Twitch (October)
The U.S.-based video game streaming platform suffered a data breach this October.
During the breach, more than 100 gigabytes of data was leaked, including the entirety of Twitch’s source code; software development kits used by Twitch; streamers’ revenue reports; information on other Twitch holdings; information on Vapor from Amazon Game Studios, an unreleased competitor to gaming platform Steam; and console, mobile and desktop Twitch clients, among other data.
Twitch claimed that “the incident was a result of a server configuration change that allowed improper access by an unauthorized third party.”
Luckily for the company and its users, no passwords, login credentials, credit card numbers or bank information was exposed.
Security challenges with data breaches
According to IBM’s annual Cost of a Data Breach Report, compromised credentials and phishing were the most common breach causes in 2021.
“People, not software or network architecture, remain the weakest link in cybersecurity,” added the NordLayer expert. “This is exactly why legacy, perimeter defense-oriented security systems are being replaced by zero-trust security, in which every user in the network can only access resources essential to their task. In the zero-trust paradigm, even if threat actors manage to gain access via phishing or stolen credentials, their opportunities are limited.”
The same report backs the superiority of zero-trust security with numbers. Data breaches for organizations with fully deployed zero trust cost $3.28 million on average, compared to $5.04 million for those not using the security model.