Data breaches in 2021 set a new record with 5.9 billion accounts affected by digital thieves, according to a new report by a VPN provider.
The biggest breach of the period was actually a combination of several cyber smash-and-grab operations over a five-year span, containing 3.2 billion unique email and password combinations from Netflix, LinkedIn and other online outfits, reported Atlas VPN, which compiled its statistics from a number of publicly available sources.
The massive data haul was offered for sale on the dark web for US$2, the report noted.
Other large breaches identified in the report and listed in order of magnitude included:
- In June, records of 700 million LinkedIn users were offered for sale on the hacker underground. The leaked data included user email addresses, full names, phone numbers, physical addresses, geolocation records, genders, personal and professional experience, and more. LinkedIn noted that the data wasn’t acquired from an actual breach of its systems, but from “data scraping” of its internet-facing API.
- In April, information from 533 million users in 106 countries was scraped from Facebook and published on a hacking forum. The leaked information included phone numbers, full names, locations, email addresses, and users’ biographical information. Facebook claims the data leak is a result of an old vulnerability that was patched in 2019.
- In January, data on 220 million Brazilians was discovered on a dark web forum. The data cache contained names, unique tax identifiers, facial images, addresses, phone numbers, email, credit score, salary, and other information.
- Also in January, a cloud misconfiguration — a common way data is exposed on the internet — by Chinese social media agency SocialArks resulted in a data leak of 400 GB of personal data on about 214 million Facebook, Instagram, and LinkedIn users. The data included names, country of residence, contact information, work position, subscriber data, and profile links.
“Even with data breaches becoming a growing threat, it seems organizations are still not putting enough effort in protecting the personal information of their users,” Atlas VPN writer and researcher Ruta Cizinauskaite said in a news release.
“One of the first things every organization should do is evaluate the amount of sensitive user data it collects — the less sensitive data is stored, the less the risk of it being leaked,” she observed.
Breaches Growing Rapidly
Chris Olson, CEO of The Media Trust, a website and mobile application security company in McLean, Va., noted that data breaches have been increasing across every level of analysis since 2020, from the likelihood of a breach, to the number of publicly reported breaches, to the number of exposed records.
“While all the data is not in yet,” he told bluehillco, “some back of the envelope calculations suggest size has increased based on the number of records exposed divided by the number of breaches per year.”
He calculated that in 2020, there were 1001 breaches and 155.8 million exposed records — an average of about 155,000 records per breach. In 2021, he continued, there were 1291 breaches affecting 281.5 million records. That comes to about 218,000 records per breach — an increase of more than 70 percent.
Breaches grew rapidly in 2021, noted Lucas Budman, founder and CEO of TruU, a multifactor authentication company in Palo Alto, Calif. “We exceeded the number of breach events in 2020 by the third quarter of 2021,” he told bluehillco.
A number of factors have been contributing to that increase, he added. “The ever-increasing sophistication of threat actors, a greater number of connected IoT devices, and the protracted shortage of skilled security talent all play a role in increased breach activity,” he said.
Budman also maintained that Covid-19 has contributed to growing data breach numbers. “Data shows that the surge in remote and hybrid work and other factors resulting from the Covid-19 pandemic have fueled the rise of cybercrime by 600 percent or more,” he said.
Kevin Novak, managing director of cybersecurity consulting at Breakwater Solutions, a risk mitigation, data management and analytics company in Austin, Texas, explained that shifts from a predominantly captive workplace to a predominantly remote one, as a result of the pandemic, have been a driving force behind shifts in how attackers have pursued their targets.
“Since an exceedingly large percentage of attacks focus on the end-user, this move to remote has proven very fruitful for attackers,” he told bluehillco.
“Similarly,” he continued, “the pandemic has dramatically changed the way goods and services are manufactured, dispatched and consumed. These changes acted as an unnatural tailwind that has driven enterprises to rapidly adopt a new digital persona.”
“The pace and newness of this adoption have created a more fertile and consolidated attack surface for attackers who will leverage enterprise misconfigurations until they’ve learned how to manage these new platform paradigms.”
“The scale, complexity, and cost of breaches increased dramatically in 2021,” he added.
“Though we certainly saw our share of low-hanging-fruit attacks, we also saw some of the most sophisticated and impactful breaches of all time,” he said.
Kevin Dunne, president of Pathlock, a unified access orchestration provider in Flemington, N.J., explained that companies are becoming overwhelmed by the number of cyberattacks and data breaches they are facing, as cyberattackers get more courageous and exploit the increasing shift to cloud applications and infrastructure.
“For now, many of the attacks come without consequence, and the cost to prevent the attacks seems to outweigh the cost of a data breach,” he told bluehillco.
“However,” he continued, “that dynamic is beginning to change, as ransomware attacks are beginning to cause multimillion-dollar disruptions to businesses.”
“Additionally, privacy regulations, such as GDPR and CCPA, are starting to result in government agencies handing out significant, multimillion-dollar fines for non-compliance,” he said.
While the number of breaches and stolen records is on the rise, there’s an even more disturbing trend in the data breach landscape. “The quality of information stolen is much higher,” observed Sanjay Raja, vice president of Gurucul, a threat intelligence company in El Segundo, Calif.
“It used to be about gathering as much personal information as possible, but more targeted attacks have seen intellectual property theft exceed that of personal data theft,” he told bluehillco.
“In addition,” he continued, “as threat actors remain hidden in an environment longer — dwell time has gone up in recent years — they are able to probe and find higher quality data.”