The 10 Biggest Data Breaches Of 2021 (So Far)
More than 98.2 million individuals were impacted by the 10 biggest data breaches in the first half of 2021, with three of the 10 largest breaches occurring at technology companies.
More Breaches, Fewer Victims
See the latest entry: The 10 Biggest Data Breaches Of 2022
The number of people impacted by the rising number of data compromises is dropping at a rate that could result in the fewest number of victims since before 2015. In the first half of 2021, just 118.6 million people were impacted by data breaches, data exposures and data leaks, just 38 percent of 2020’s total figure out 310 million victims. That’s down sharply from a record 2.5 billion victims in 2016.
Cybercriminals have shifted their attacks to go after criminals and targets considered to be not as well defended in hopes of securing larger ransomware payments, according to the Identity Theft Resource Center (ITRC) , which tracks incidents where hackers steal sensitive customer and employee records containing Personally Identifiable Information such as social security numbers, driver’s license numbers, credit card numbers and medical records. As a result, professional services and manufacturing and utilities have seen the most significant rise in data compromises, while healthcare and retail are seeing data compromises drop.
More than 98.2 million individuals were impacted by the 10 biggest data breaches in the first half of 2021, according to information compiled by the ITRC and the U.S. Department of Health and Human Services. Three of the 10 largest breaches impacted technology companies, with two victims each in healthcare and professional services, and one victim each in financial services, retail and other.
Read on to learn how the biggest data breaches of 2021 (so far) transpired.
10. 20/20 Eye Care Network
Number Of Individuals Impacted: 3.25 Million
20/20 Eye Care Network discovered that data was removed from the S3 buckets hosted in its Amazon Web Services (AWS) environment and all the data in the S3 buckets was then deleted. Hackers might have gained access to the names, addresses, Social Security numbers, member identification numbers, dates of birth, and health insurance information for some or all of 20/20’s health plan members.
A cybersecurity firm investigated the breach for 20/20 and could not tell which files were seen or deleted by the unknown adversary. 20/20 doesn’t think there was any actual misuse of the personal or vision/hearing insurance information of its health plan members, but acknowledged it doesn’t know for sure.
Upon discovering the breach, 20/20 said it moved quickly to investigate and respond, assess the security of its systems, notify potentially affected individuals, and implement additional safeguards and training for its employees. 20/20 said it is also providing access to credit monitoring services at no cost for twelve months to individuals whose personal information was potentially compromised in the breach.
Number Of Individuals Impacted: 3.28 Million
A threat actor posted multiple databases claiming to originate from drivesure.com on a popular English-speaking dark web hacking forum, according to Risk Based Security. In a lengthy post to prove the databases’ high quality, the threat actor detailed the leaked files and the user information, with numerous backend files and folders leaked, Risk Based Security found.
One leaked folder exposed 91 sensitive databases containing detailed dealership and inventory information, revenue data, reports, claims, and client data. User data exposed in the compromised files includes: names; addresses; phone numbers; email addresses; IP addresses; automobile details; VIN numbers; car service records; damage claims; hashed passwords; text and email messages with clients.
The information leaked in these databases is prime for insurance scams, with criminals using personally identifiable information, damage claims, extended car details, and dealer and warranty information to target insurance companies and policyholders. User credentials can be leveraged by threat actors to break into other platforms such as bank accounts, personal email accounts, and corporate systems.
8. Volkswagen Group of America
Number Of Individuals Impacted: 3.3 Million
A third party obtained information received from or about United States and Canadian customers and interested buyers through a vendor used by Audi, Volkswagen and some deals, Volkswagen disclosed in June. The exposed information was gathered for sales and marketing purposes between 2014 and 2019 and was left unsecured by the vendor between August 2019 and May 2021, Volkswagen said.
Roughly 90,000 Audi customers or prospective buyers had their driver’s license numbers exposed, while a smaller number had additional sensitive information exposed such as date of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers. All these people will receive credit monitoring services, $1 million of insurance, and assistance in the event of identity theft.
For the remaining 97 percent of impacted individuals, the exposed information consists solely of contact and vehicle data. This could include the Audi customer or prospect’s: first and last name; home or business address; email address; phone number; Vehicle Identification Number (VIN); make; model; year; color; and trim packages, according to Volkswagen.
Number Of Individuals Impacted: 3.46 Million
Hackers in December 2020 chained together exploits for multiple zero-day vulnerabilities in the legacy Accellion File Transfer Appliance (FTA) product and exfiltrated data, demanding payment to ensure the return and deletion of the data. The data leak site of the Clop ransomware gang was used to publish some of the stolen data to encourage payment of the ransom, according to HIPAA Guide.
At least 9 healthcare organizations were known to have been affected by the Accellion data breach as of April. Those included: 1.47 million Kroger Pharmacy customers; 1.24 million Health Net members, 587,000 Trinity Health patients; 80,000 California Health & Wellness members; 50,000 Trillium Health Plan customers; and 29,000 Arizona Complete Health members, according to HIPAA Guide.
Stanford Medicine, University of Miami Health, and Centene Corp have also been affected by the breach, although the number of individuals affected at each of those organizations has not yet been confirmed. Information exposed in the breach included: names, Social Security Numbers, dates of birth, credit or bank account numbers, health insurance numbers, and/or and health-related information.
6. Florida Healthy Kids Corporation
Number Of Individuals Impacted: 3.5 Million
The web platform used to host the Florida Healthy Kids website - Jelly Bean Communications Design – was hacked, meaning that personal information supplied by Florida families who completed the organization’s online Florida KidCare Application between November 2013 and December 2020 could have been exposed to hackers.
Personal information that could have been exposed, used, or accessed by the hackers includes: full names; dates of birth; email addresses; telephone numbers; physical addresses and mailing addresses; Social Security numbers; financial Information such as wages, alimony, child support, royalties, and tax deductions; secondary insurance information; and family relationships among applicants.
The organization discovered that several thousand Florida KidCare applicant addresses had been inappropriately accessed, tampered with, and altered by the hackers. Cybersecurity experts discovered that Jelly Bean Communications Design had failed to apply security patches to its software, thereby exposing the website to vulnerabilities that were ultimately exploited by the hackers.
5. Infinity Insurance Company
Number Of Individuals Impacted: 5.72 Million
Infinity Insurance Company revealed in March that there had been brief, unauthorized access to files on servers in the Infinity network on two days in December 2020. Infinity conducted a comprehensive review of the files saved to the servers that were accessed, and found that some Social Security numbers or driver‘s license numbers were contained in the files.
This breach also affected current or former Infinity employees, where the exposed information included employees‘ names, Social Security numbers, and/or in limited cases medical information in connection with medical leave or workers compensation claims. Impacted employees and customers will receive a complimentary one-year credit monitoring service membership.
To reduce the risk of a similar breach in the future, Infinity said it’s continuing to review its cybersecurity program and will use information from the investigation to identify additional measures to further enhance the security of its network. “We understand the importance of protecting personal information and we sincerely apologize for the inconvenience,” the company wrote in a letter to employees.
Number Of Individuals Impacted: 9.05 Million
Workout tracking app Jefit in March discovered a data breach due to a security bug that impacted client accounts registered before Sept. 20, 2020. The perpetrator gained access to some or possibly all the following: Jefit account username; email address associated with the account; encrypted password; and IP address when creating the account. Jefit keeps IP addresses for anti-bot purposes and to register abusive accounts.
The company said it took immediate action to secure its servers and the impacted accounts, identified the root cause of the data breach, and confirmed that other Jefit systems were unaffected. Jefit said it’s taken security measures to strengthen its network against similar breaches in the future, and is also adopting a much stronger password policy on its product to further protect user accounts in the future.
Jefit said there’s no sensitive financial data involved since the company never stored customer’s payment information. All the payment process was directly handled by the Google Play Store, Apple App Store, or directly processed by the payment gateway company when customers purchase products on Jefit’s website.
Number Of Individuals Impacted: 15.7 Million
ClearVoice learned in April that an unauthorized user had posted a database online containing profile information of survey participants from August and September 2015 and was offering information to the public for purchase. The accessible data included contact information, passwords, and responses to questions users answered about health condition, political affiliation, and ethnicity.
The data sets could be misused by bad actors, resulting in survey participants getting contacted for purposes such as advertising, ClearVoice said. In addition, the accessible information might be used to prepare personal profiles, which could be used in a commercial or political context, according to ClearVoice.
Within an hour of receiving the email from the unauthorized user, ClearVoice said it located the backup file, secured it, and eliminated any further exposure to the file in the cloud service. ClearVoice also forced a password reset for all members whose information was potentially exposed, and implemented security measures to prevent a recurrence of such an incident and protect the privacy of member data.
Number Of Individuals Impacted: 21 Million
ParkMobile became aware of a cybersecurity incident in March linked to a vulnerability in a third-party software that the company uses. In response, the company immediately launched an investigation, and found that basic user information – license plate numbers, email addresses, phone numbers, and vehicle nicknames – was accessed. In a small percentage of cases, mailing addresses were also accessed.
The company additionally found that encrypted passwords were accessed, but not the encryption keys required to read them. ParkMobile said it protects user passwords by encrypting them with advanced hashing and salting technologies. As an added precaution, ParkMobile said users may consider changing their passwords.
No credit cards or parking transaction history were accessed, and ParkMobile said it doesn’t collect Social Security numbers, driver’s license numbers, or dates of birth. “As the largest parking app in the U.S., the trust of our users is our top priority,” ParkMobile said. “Please rest assured we take seriously our responsibility to safeguard the security of our users’ information.”
1. Astoria Company
Number Of Individuals Impacted: 30 Million
Night Lion Security’s threat intelligence team became aware in January of several new breached databases being sold on the dark web by hacking group Shiny Hunters, including 40 million U.S. Social Security numbers belonging to the Astoria Company (these numbers were inflated). Night Lion reported the problem to Astoria, who was unaware their data had been listed for sale on a dark web marketplace.
Night Lion’s analysis of the data found that 10 million Astoria customers had their Social Security numbers, bank accounts, and drivers license numbers exposed. In addition, more than 10 million Astoria customers had information from other fields exposed in the breach such as credit history, medical data, home, and vehicle information.
The leaked Astoria data also contained email transaction logs showing sensitive user information being transferred, unencrypted, via email, according to Night Lion. The thousands of emails contained in this log file included similar sensitive information sent to a number of different domains, Night Lion said.