Understanding the Top Data Breaches of 2021
This post will examine some of the top data breaches of 2021. As there can be some overlap in the definition of data breaches and ransomware events, we have adopted the one used by Verizon in its Data Breach Investigations Report (DBIR) series.
For the DBIR series, Verizon defines a data breach as, “an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.” The report continues, “while many people think that traditional ransomware attacks are data breaches, DBIR classifies them as cyber incidents. That’s because the data is encrypted, not stolen and disclosed. A ransomware attack only becomes a data breach when the victim’s data is dumped publicly, sold illegally or used to steal credentials.”
In its 2021 DBIR report, the company noted an increase in events that combine breach and ransomware elements, stating, “This upward move was influenced by new tactics, where some ransomware now steals the data as they encrypt it.” For this post, we are examining major events of the year involving the exposure of personally identifiable information (PII) that created a significant corporate legal liability.
We have not included some of the high profile events of the year, such as the Facebook and LinkedIn data exposures, as these fall in the category of scraping. In arguing that scraping does not represent a breach, LinkedIn stated, “Scraping does not mean an attacker has been able to get inside secure systems, subvert firewalls or access protected network information. Unauthorized scraping can mean that bad actors can collect a lot of data and use it in ways that you didn’t expect.”
For each of the top breaches covered, we examine details addressing the following elements:
- Date Announced
- Method of Attack
- Type of Data Compromised
- Individuals Impacted
- Number Affected
Finally, a review is provided of several of the major lawsuit settlements reached in 2021 for past breach events involving PII.
Profiles of Top Data Breaches of 2021
MeetMindful
Date Announced: January 20
Method of Attack: ShinyHunters exploited a MeetMindful server vulnerability.
Type of Data Compromised: Personal information including email addresses.
Individuals Impacted: Registered MeetMindful users.
Number Affected: 2.3 million
The prolific hacker group ShinyHunters posted the data stolen from the online dating platform MeetMindful on a publicly accessible hacking forum. MeetMindful reported that the following information was compromised:
- First names (in some cases last names) and emails.
- Encrypted passwords and other credentials (these were protected by encryption and therefore were not able to be accessed). No passwords, photos, conversations, matches, credit card data, or other financial information were accessed.
- Other basic account details (including city and state, account creation and last-active dates, and in some cases, birthdays).
- Email and other notification preferences.
MeetMindful encouraged users to reset their passwords. ZDNet’s reporting indicated a more extensive compromise, including in some cases items such as marital status, dating preferences, and Facebook user IDs.
Accellion
Date Announced: January 25
Attacker: Hacker group UNC2546 (with ties to Clop and FIN11).
Method of Attack: Zero-day vulnerabilities in Accellion’s legacy file-transfer service application (FTA), a cloud-based file sharing and storage product, allowed the attacker to gain control and send malicious updates to FTA customers.
Type of Data Compromised: Personal information including Social Security numbers.
Individuals Impacted: Accellion’s customers including banks, universities, health care providers, and government agencies and their customers, clients, and patients.
Number Affected: 7 million individuals; 100 Accellion customers.
Accellion delivered patches within 72 hours and the company hired cybersecurity firm Mandiant to provide a report on the incident. Accellion announced the End of Life for its 20-year-old legacy FTA software with no customers allowed to renew after April 30. Accellion was in the midst of a three-year program to move customers to its current generation Kiteworks platform.
Victims of data exfiltration as a result of the breach encompassed a wide variety of company and organization types, including Shell Oil, the Reserve Bank of New Zealand, supermarket company Kroger, the University of California, and the U.S. Department of Health and Human Services.
The Morgan Stanley breach offers an example of the ripple effect that an original breach can have along a supply chain. Accellion customer Guidehouse, a third-party vendor that provides account maintenance services to Morgan Stanley, revealed that attackers hacked its Accellion FTA server to steal information belonging to Morgan Stanley stock plan participants. Information included names, dates of birth, and Social Security numbers but did not include password information or credentials.
Infinity Insurance Company
Date Revealed: March 16
The Attacker: Not identified.
Method of Attack: Unauthorized user access to the company’s servers.
Type of Data Compromised: Social Security numbers, driver’s license numbers, medical leave information, and worker’s compensation claim information.
Individuals Impacted: Infinity customers and employees.
Number Affected: 6.1 million
On December 1, Infinity’s parent company Kemper Corp. announced a settlement in the class-action lawsuit brought against the company as a result of the breach. Eligible class members can receive:
- Up to $10,000 for out-of-pocket expenses.
- Three hours of lost time at a rate of $18 per hour spent dealing with issues related to the breaches or at a rate of up to $50 per hour if lost time at work was involved.
- $50 if a California resident at the time of the data breaches.
Park Mobile
Date Announced: March 26
Attacker: Unauthorized third party.
Method of Attack: The attacker exploited a vulnerability in a third-party software program used by Park Mobile.
Type of Data Compromised: License plate numbers, email addresses, and phone numbers.
Individuals Impacted: Park Mobile users.
Number Affected: 21 million
The breach of the mobile parking app provider became known when the threat advisory firm Gemini Advisory shared a screenshot of the stolen data on a Russian-language crime forum. Park Mobile’s Security Notification stated that:
- The investigation confirmed that no credit card information was accessed.
- No data related to a user’s parking transaction history was accessed.
- Only basic user information was accessed. This includes license plate numbers, as well as email addresses, phone numbers, and vehicle nicknames, if provided by the user. In a small percentage of cases, mailing addresses were also affected.
- Encrypted passwords were accessed, but not the encryption keys required to read them. We protect user passwords by encrypting them with advanced hashing and salting technologies.
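The last bullet describes per-user salting plus a slow hash, which is what keeps a stolen credential table from yielding plaintext passwords. The following is an added example, not code from the original post or from Park Mobile, of that scheme using PBKDF2-HMAC-SHA256 from the Python standard library; the record format, the iteration count and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not code from the original post or from Park Mobile):
# salted, iterated password hashing of the kind the notification describes,
# so that a stolen credential table does not hand over plaintext passwords.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumed value, tune to hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt is drawn unless one is supplied, so two users
    who choose the same password end up with unrelated records and a single
    precomputed table cannot crack both at once.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """True when two independent hashings of one password differ (per-user salt)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "wrong password"))  # False
```

The stored record carries the algorithm, work factor and salt alongside the digest, so the work factor can be raised later without breaking verification of older records; an attacker holding only the table still has to run the full iterated hash for every guess against every user.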
Colonial Pipeline
Date Revealed: May 7
Attacker: Hacker group Darkside.
Method of Attack: The hackers gained entry to the Colonial Pipeline network through a virtual private network using an employee remote access account that was inactive. The account’s password had been obtained on the dark web.
Type of Data Compromised: Personal data and 100 GB of corporate data.
Individuals Impacted: Current and former Colonial Pipeline employees.
Number Affected: 5,810
The Darkside (now rebranded BlackMatter) attack had ransomware and data breach components. The ransomware element crippled a billing-related system that tracked fuel usage, causing the company to shut down its pipeline. The data breach consisted of two parts: the theft of 100 GB of corporate data and the exposure of the personal data of 5,810 individuals.
Darkside threatened to release the corporate data if the ransom was not paid. Colonial Pipeline paid a $4.4 million ransom, $2.3 million of which was recovered by the Justice Department. This breach was one of the motivating factors for the Biden administration’s taking a more aggressive stance on strengthening the nation’s cybersecurity posture.
The breach notification letter from Colonial Pipeline informed affected individuals that, “The affected records contained certain personal information, such as name, contact information, date of birth, government-issued ID (such as Social Security, military ID, tax ID and driver’s license numbers) and health-related information (including health insurance information). Not all of this information was affected for each impacted individual.”
Colonial Pipeline offered two years of identity restoration and credit monitoring services at no cost to impacted individuals.
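The entry point described above, an inactive remote-access account with a leaked password and no second factor, is the kind of condition a periodic directory audit can surface before it is used. The following is an added example, not Colonial Pipeline's tooling or data, that scans a constructed directory export for enabled VPN-capable accounts that are dormant or lack MFA; the record fields, the 90-day threshold and the sample accounts are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Added example, not Colonial Pipeline's own tooling: audit a directory export
# for remote-access accounts that are still enabled but dormant or without MFA,
# the combination the incident description above points at.


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    remote_access: bool          # assumed: member of the VPN-allowed group
    last_login: Optional[date]   # None means never logged in


# Constructed sample records; names and dates are made up for the example.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("jdoe", True, True, True, date(2021, 5, 1)),
    Account("contractor-2019", True, False, True, date(2020, 11, 15)),
    Account("legacy-svc", True, True, True, None),
    Account("retired-user", False, False, True, date(2019, 2, 3)),
    Account("mfa-pending", True, False, True, date(2021, 4, 20)),
    Account("ops-noremote", True, False, False, date(2020, 1, 1)),
]


def dormant_remote_accounts(
    accounts: List[Account], today: date, max_idle_days: int = 90
) -> Dict[str, List[str]]:
    """Map each risky account to the reasons it was flagged.

    An account is risky when it is enabled, allowed remote access, and either
    has not logged in within max_idle_days (or ever) or has no MFA enrolled.
    Disabled accounts and accounts without remote access are skipped.
    """
    cutoff = today - timedelta(days=max_idle_days)
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not (acct.enabled and acct.remote_access):
            continue
        reasons: List[str] = []
        if acct.last_login is None:
            reasons.append("never logged in")
        elif acct.last_login < cutoff:
            reasons.append(f"idle since {acct.last_login.isoformat()}")
        if not acct.mfa_enrolled:
            reasons.append("no MFA")
        if reasons:
            findings[acct.username] = reasons
    return findings


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed export with a fixed reference date."""
    return dormant_remote_accounts(SAMPLE_ACCOUNTS, date(2021, 5, 7))


if __name__ == "__main__":
    for user, why in audit_sample().items():
        print(f"{user}: {', '.join(why)}")
```

In practice the export would come from the identity provider or VPN concentrator rather than an inline list, and the flagged accounts would be disabled or forced into MFA enrollment; the point of the check is that the dormant-but-enabled state is easy to detect from data most organizations already hold.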
Volkswagen and Audi
Date Announced: June 11
Attacker: Only identified as an unauthorized third party.
Method of Attack: The third party stole the data from an exposed Microsoft Azure storage account.
Type of Data Compromised: First and last name, personal or business mailing address, email address, or phone number. For 90,000 of the affected individuals, the data also included more sensitive information, which was mainly driver’s license numbers but also included a very small number of dates of birth, Social Security or social insurance numbers.
Individuals Impacted: Volkswagen and Audi customers and interested buyers in the United States and Canada.
Number Affected: 3.3 million.
The Azure storage account was maintained by an associate vendor that provides marketing services to the automaker. IDX, a provider of data breach response services, handled the breach notification responsibilities. Volkswagen and Audi offered 24 months of credit protection services at no charge to individuals whose exposed information included the following: driver’s license number; date of birth; Social Security or social insurance number; account or loan number; or tax identification number.
T-Mobile
Date Announced: August 16
Attacker: Individual hacker, possibly supported by others.
Method of Attack: Infiltration of T-Mobile’s systems after identifying an internet-exposed router with a security vulnerability.
Type of Data Compromised: Social Security numbers, name, address, date of birth and driver’s license/ID information.
Individuals Impacted: T-Mobile customers, former customers, and prospective customers.
Number Affected: 50 million
In August, wireless service provider T-Mobile, a subsidiary of the German telecommunications company Deutsche Telekom, reported that its systems had been attacked. The attacker used prospective client and former customer databases as an entry point to hack into the cellphone carrier’s data center outside East Wenatchee in Washington state.
Mike Sievert, CEO of T-Mobile, described the attack in the following terms:
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”
Sievert emphasized that the breach did not expose any customer financial information, credit card information, debit or other payment information.
The breach caused T-Mobile to enter into long-term relationships with cybersecurity experts Mandiant and the consulting firm KPMG. These initiatives are described as a substantial multi-year investment to adopt best-in-class practices. For affected individuals, T-Mobile offered two years of free identity protection services with McAfee’s ID Theft Protection Service.
Neiman Marcus
Date Announced: September 30
Attacker: Only described by Neiman Marcus as an “unauthorized party.”
Method of Attack: No information or report to date.
Type of Data Compromised: Contact information and credit card numbers.
Individuals Impacted: Neiman Marcus customers.
Number Affected: 4.6 million
On September 30, Neiman Marcus reported that it had learned that in May 2020 an unauthorized party obtained personal information associated with certain customers’ online accounts.
The personal information for affected customers included:
- Contact information
- Card numbers and expiration dates (without CVV number)
- Neiman Marcus virtual gift card number (without PIN)
- Username, password, and security questions and answers associated with Neiman Marcus online accounts
Neiman Marcus required an online account password reset for affected customers who had not changed their password since May 2020.
The company’s 2020 bankruptcy proceedings also began in May and may have had a role in the slow reporting. While Mandiant has been hired to develop a report on the breach, the amount of evidence that has been lost will make the forensic analysis challenging.
Robinhood
Date Announced: November 8
Attacker: Unauthorized third party.
Method of Attack: The attack started with a social engineering call to customer service to convince a Robinhood employee to allow access to some of the trading platform’s customer support systems.
Type of Data Compromised: Email addresses and full names.
Individuals Impacted: Robinhood customers.
Number Affected: 7 million
Robinhood, the stock market trading platform provider, revealed that a list of email addresses for approximately five million people and full names for a different group of approximately two million people were involved. Robinhood also stated that for approximately 300 individuals, personal information, including name, date of birth, and zip code, was exposed.
Robinhood says that the attacker immediately attempted to extort them after gaining access, at which time they retained security firm Mandiant to assist with remediation. The trading platform also said that law enforcement had been involved.
Significant Data Breach Class-Action Lawsuits Settling in 2021
Several of the larger data breach class-action lawsuits that were settled in 2021 are described below:
In June, a final settlement was announced for the more than 300 class action suits filed against Equifax following the company’s 2017 data breach, which affected approximately 147 million Americans. The breach compromised the names, dates of birth, and Social Security numbers of Equifax customers. The terms of the settlement included the creation of a $380 million fund by Equifax to benefit consumer class members, representing the largest breach settlement in U.S. history.
In December, Capital One agreed to pay $190 million to settle a lawsuit that was filed by customers of the bank after a breach affecting more than 98 million people in 2019. The settlement releases Capital One and its cloud services provider, Amazon Web Services, from claims the pair were negligent with customer data.
Kroger was a user of the Accellion file-transfer application described above and suffered a breach affecting 3.8 million. In December, a $5 million settlement was reached under which individuals are eligible for a payment of up to $5,000.
Adding settlement costs to the notification, credit monitoring, identity restoration, forensic investigation, and event remediation expenses that accompany data breach events reveals the need to carry adequate cyber insurance to minimize the financial impact of a breach event on business operations.
In 2021, we witnessed the number and cost of data breaches continue to rise, the ongoing evolution of the tactics employed by cyber attackers, and the widespread impact a single breach can have across a supply chain ecosystem. Companies can meet this multifaceted challenge through the maintenance of a sound defensive posture by embracing business continuity planning, deploying cybersecurity best practices for both cloud deployments and private networks, including backup solutions, and conducting periodic reviews of cyber insurance coverage.