Data breaches in 2021: cases and takeaways
November 29, 2021 / Knowledge


Most of 2021 has passed. Even though companies had plenty of time to adjust to remote work, the greatest enterprise challenge of the Covid-19 era, many of them still failed to defend against data breaches. And although global spending on IT security is forecast to increase to 72.5 billion U.S. dollars in 2021, it is seemingly still not enough to prevent attacks from happening.

So what has already happened, and what can you learn from the data breaches in 2021?

Data breaches in 2021: the general landscape companies operate in

Since the beginning of the global pandemic, 98% of all companies have experienced at least one cloud data breach. Mostly they were related to the suddenly emerging need to work remotely and provide employees with proper Identity and Access Management.

But there is more to it. Even at the midpoint of 2021, almost half of companies have confirmed that they are displeased with their cloud security posture. This shapes a perfect environment for hackers to carry out most data breaches in 2021.

Analysis of 3 cases & takeaways

Bonobos

Date: January 2021

Number of records exposed: 7 million

Men’s clothing retailer Bonobos suffered a massive data breach in January, when 70GB of consumer data (an SQL file) was stolen from its backup cloud. The information included personal addresses, phone numbers, mainly encrypted passwords, order information, and password history.

Although the passwords were hashed with the SHA-256 and SHA-512 algorithms, 150,000 of them were protected with a weaker scheme that hackers successfully cracked. The retailer immediately notified its customers to reset their passwords.

Takeaway: when you use a platform for storing sensitive information (such as critical passwords), always research the security principles and technologies the software incorporates. Look only for the newest encryption methods (AES-256 and RSA-4096) and zero-knowledge proof.
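An added example, not code from Bonobos or from this article: it audits a credential table for the situation described above, where most records use salted SHA-256/SHA-512 schemes but a subset still carries a weaker legacy format, and lists the accounts that need a forced reset. The storage formats (modular crypt strings and bare hex digests), the scheme labels and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter

B64 = r"[./A-Za-z0-9]"
# (label, pattern, acceptable). Assumption: hashes are stored in modular crypt
# format or as bare hex digests; the article does not describe the real schema.
SCHEMES = [
    ("sha512-crypt", re.compile(rf"^\$6\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{86}}$"), True),
    ("sha256-crypt", re.compile(rf"^\$5\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{43}}$"), True),
    ("md5-crypt", re.compile(rf"^\$1\${B64}{{1,8}}\${B64}{{22}}$"), False),
    ("hex-160-unsalted", re.compile(r"^[0-9a-fA-F]{40}$"), False),  # SHA-1-sized
    ("hex-128-unsalted", re.compile(r"^[0-9a-fA-F]{32}$"), False),  # MD5-sized
]

def classify(stored):
    """Return (scheme_label, acceptable) for one stored password hash."""
    for label, pattern, ok in SCHEMES:
        if pattern.match(stored):
            return label, ok
    return "unknown", False  # fail closed: unrecognised formats get reviewed

def audit(rows):
    """rows: iterable of (user_id, stored_hash). Returns (counts, ids to reset)."""
    counts, to_reset = Counter(), []
    for user_id, stored in rows:
        label, ok = classify(stored.strip())
        counts[label] += 1
        if not ok:
            to_reset.append(user_id)
    return counts, to_reset

# Constructed sample rows (placeholder digests, not real credentials).
SAMPLE = [
    (1, "$6$rounds=100000$saltsaltsaltsalt$" + "A" * 86),
    (2, "$5$examplesalt$" + "B" * 43),
    (3, "c" * 40),                    # bare legacy digest, no salt
    (4, "$1$oldsalt$" + "D" * 22),
    (5, "not-a-hash"),                # unrecognised value
]

if __name__ == "__main__":
    counts, to_reset = audit(SAMPLE)
    print(dict(counts))
    print("force reset / rehash on next login:", to_reset)
```

Running the audit before an incident shows how many accounts would be exposed if the backup leaked, and the returned IDs feed directly into a forced-reset or rehash-on-login job.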

LinkedIn

Date: June 2021

Number of records exposed: 700 million

Almost 93% of LinkedIn users’ data was put up for sale on the dark web in June 2021. The collection of private data (full names, email addresses, phone numbers, and demographic information) was sold for 5,000 U.S. dollars.

LinkedIn officially claimed that “this is not a data breach”: the hacker simply exploited a vulnerability in the LinkedIn API. Yet, considering the quantity and quality of the publicly exposed data, most specialists classify it as exactly that.

Takeaway: never reuse passwords, especially on platforms that store personal data. In the case of this data breach, a hacker could easily reuse your LinkedIn password on other platforms and crack that information too.

California State Controller’s Office (SCO)

Date: March 2021

Number of records exposed: at least 9,000 SCO workers

California State Controller’s Office, an agency handling more than $100 billion in public funds annually, suffered a phishing attack. An SCO employee clicked on a malicious link, logged into a fake website, and granted a cybercriminal access to his email account. The perpetrator had access to the account for 24 hours.

During this time, the intruders stole Social Security numbers and sensitive files on state workers and accessed the agency’s Microsoft Office 365 files. They then sent at least 9,000 malicious emails to the employee’s contacts.

Takeaway: according to a Verizon report, phishing attacks have increased from 25% to 36% this year. Therefore, it is essential to introduce company-wide training with simulated phishing emails, so that employees learn to recognize such social engineering tactics and not respond to them.

The data breaches in 2021 clearly demonstrate that cybercriminals use multiple strategies to access enterprise data. You should be aware of all of them.

To name the most critical takeaways: cloud security, data encryption, and human error prevention should now be your focus.

The next year awaits. Make sure to invest in cybersecurity so you can stay out of the headlines of “The full list of data breaches in 2021.” Take precautions today.