Top 5 worst data breaches of 2021

By the end of this September, the total number of publicly reported breaches in 2020 was already exceeded by 17%, according to the Identity Theft Resource Center. This year, businesses big and small were affected by data breaches, leaving them grappling with reputational and fiscal losses.

Below are the 5 of the worst data leaks of 2021.

#1 SocialArks (January)

400GB of data containing 318 million records of 214 million users across Facebook, Instagram, and LinkedIn social media platforms - that's the cost of an unprotected database of SocialArks, a social media management company in China.

Among the data leaked were personal and business email addresses, names, profile links, mobile numbers, locations, job roles, URLs of the social media profiles, company names, account names, and more.

The threat actors gained access via a misconfigured ElasticSearch database. In reality, they didn't have to work hard for it - the breached server was exposed to the internet unprotected by usernames or passwords.

#2 Android (May)

Data of more than 100 million Android users were exposed due to misconfigured cloud services this May.

Cybersecurity researchers unveiled that a total of 23 apps were using unsecured real-time databases, leaving their users exposed. The affected apps were downloaded anywhere from 10.000 to 10 million times.

The exposed data consisted of the users’ names, dates of birth, email addresses, genders, photos, phone numbers, even passwords and payments details. The sensitive information was public in 13 of the 23 affected apps.

“In cases like this, it is nearly impossible to determine the exact scope of the leaks,” said Juta Gurinaviciute, Chief Technology Officer at NordLayer. “Unfortunately, it is not uncommon for app developers to treat fundamental security standards while integrating third-party cloud services into their applications as an afterthought. In reality, these things are of utmost importance, and failure to do so can lead to devastating circumstances - both for developers and users.”

#3 LinkedIn (April and June)

Data scraped from hundreds of millions of LinkedIn users appeared on sale twice this year.

At first - in April - an offer to buy data of 500 million LinkedIn users appeared on the dark web. Later, in June, another database went on sale. This time, it consisted of the information of about 700 million LinkedIn’s users. At the time, this affected around 92% of the professional social network’s user base.

The database included full names, email addresses, physical addresses, phone numbers, LinkedIn usernames and URLs, professional backgrounds, and more.

Although LinkedIn wasn’t technically breached, the scraped data could be used for several malignant purposes and is as dangerous. The data was allegedly scraped by exploiting Linkedin’s API.

#4 Audi & Volkswagen (June)

A breach of an unnamed marketing service provider for the German automakers Audi and Volkswagen led to personally identifiable information of 3.3 million customers in Canada and the United States being taken. The data, regrettably, was taken from an unsecured file.

At least 90,000 of the affected people had their particularly sensitive information leaked - including but not limited to tax id numbers and account figures.
Among the data leaked, there were names, driver’s license numbers, social insurance information, dates of birth, loan numbers, emails, addresses, phone numbers, vehicle reference numbers, and other information regarding the vehicles consumers bought or inquired about, such as colors, types, and years.

“For global market leaders like Audi and Volkswagen, the cost of such incidents can get very steep,” said the NordLayer CTO. “Other businesses should learn from incidents like this and make sure every third-party service provider they are partnering with has secure information management processes in place. In the current cybersecurity climate, it is not enough to protect your databases - third-party vendors must be vetted thoroughly.”

#5 Twitch (October)

The U.S.-based video game streaming platform has suffered a data breach this October.

During the breach, more than 100 gigabytes of data was leaked, including the entirety of Twitch’s source code, software development kits used by Twitch, streamers’ revenue reports, information on other Twitch holdings, information on Vapor from Amazon Game Studios, an unreleased competitor to gaming platform Steam, console, mobile, and desktop Twitch clients, among other data.

Twitch claimed that “the incident was a result of a server configuration change that allowed improper access by an unauthorized third party.”

Luckily for the company and its users, no passwords, login credentials, credit card numbers, or bank information have been exposed.

Corporate security challenges

According to IBM's annual Cost of a Data Breach Report, compromised credentials and phishing were the most common breach causes in 2021.

"People, not software or network architecture, remain the weakest link in cybersecurity," added the NordLayer expert. "This is exactly why legacy, perimeter defense-oriented security systems are being replaced by Zero Trust security, in which every user in the network can only access resources essential to their task. In the Zero Trust paradigm, even if threat actors manage to gain access via phishing or stolen credentials, their opportunities are limited."

The aforementioned report supports the supremacy of Zero Trust security with numbers. A data breach for organizations with fully deployed Zero Trust costs $3.28 million on average, compared to $5.04 million for those not using the security model.

More information: laurynas.cesnys@nordsec.com

NordLayer is an adaptive network access security solution for modern businesses — formerly NordVPN Teams; NordLayer helps organizations of all sizes to fulfill scaling and integration challenges when building a modern secure remote access solution. Moving towards an ever-evolving SASE framework, NordLayer's solutions are quick and easy to implement with existing infrastructure, hardware-free, and designed with ease of scale in mind. NordLayer meets the varying growth pace and ad-hoc cybersecurity requirements of agile businesses and distributed workforces today. More information: www.nordlayer.com

This release was published on openPR.