The 10 Biggest Data Breaches Of 2021
Nearly 215.4 million individuals were impacted by the 10 biggest data breaches of 2021, with three of the 10 largest breaches occurring at technology companies and four involving the exposure of sensitive records.
Making Up For Lost Time
The number of individuals impacted by a data compromise in the third quarter of 2021 surpassed the total number of victims in the first half of the year due to 26 instances where cloud databases were not secured. Data exposures due to a system or human error are generally lower risk because there is no indication the information was accessed, copied or removed from the exposed database, experts say.
In the first nine months of 2021, 281.5 million people were impacted by data breaches, data exposures and data leaks, more than 90 percent of 2020’s total figure of 310.1 million victims, according to the Identity Theft Resource Center (ITRC). Adjusting for the large increase in victims of data exposures and unsecured cloud database attacks, 13 million people were impacted by other forms of data compromise.
Nearly 215.4 million individuals were impacted by the 10 biggest data breaches of 2021, according to information compiled by the ITRC. Three of the 10 largest breaches impacted technology companies, with two victims each in financial services and other, and one victim each in manufacturing and utilities, professional services and retail, according to ITRC classifications. Sensitive records were exposed in four of the 10 largest data breaches.
Read on to learn how the biggest data breaches of 2021 transpired.
10. Neiman Marcus Group
Number Of Individuals Impacted: 4.35 million
Luxury department store chain Neiman Marcus revealed in September that an unauthorized party had in May 2020 obtained personal information associated with customers’ online accounts. The company said it notified law enforcement of the breach and is working closely with Mandiant to investigate.
The compromised information may have included names and contact details; payment card numbers and expiration dates; Neiman Marcus virtual gift card numbers; and usernames, passwords, and security questions and answers associated with online accounts. Approximately 3.1 million payment and virtual gift cards were affected, more than 85 percent of which were expired or invalid, Neiman Marcus said.
In response, Neiman Marcus said it required an online account password reset for affected customers who had not changed their password since May 2020. In addition, the company said affected customers should change their credentials for any other online account if they used credentials that are the same as or similar to those used for their Neiman Marcus account.
9. Infinity Insurance Company
Number Of Individuals Impacted: 5.72 million
Infinity Insurance Company revealed in March that there had been brief, unauthorized access to files on servers in the Infinity network on two days in December 2020. Infinity conducted a comprehensive review of the files saved to the servers that were accessed, and found that some Social Security numbers or driver’s license numbers were contained in the files.
This breach also affected current or former Infinity employees, where the exposed information included employees’ names, Social Security numbers, and/or in limited cases medical information in connection with medical leave or worker compensation claims. Impacted employees and customers will receive a complimentary one-year credit monitoring service membership.
To reduce the risk of a similar breach in the future, Infinity said it’s continuing to review its cybersecurity program and will use information from the investigation to identify additional measures to further enhance the security of its network. “We understand the importance of protecting personal information and we sincerely apologize for the inconvenience,” the company wrote in a letter to employees.
8. Accellion
Number Of Individuals Impacted: 6.76 million
Hackers in December 2020 chained together exploits for multiple zero-day vulnerabilities in the legacy Accellion File Transfer Appliance (FTA) product and exfiltrated data, demanding payment to ensure the return and deletion of the data. The data leak site of the Clop ransomware gang was used to publish some of the stolen data to encourage payment of the ransom, according to HIPAA Guide.
At least nine health-care organizations were known to have been affected by the Accellion data breach as of April. Those included 1.47 million Kroger Pharmacy customers; 1.24 million Health Net members; 587,000 Trinity Health patients; 80,000 California Health & Wellness members; 50,000 Trillium Health Plan customers; and 29,000 Arizona Complete Health members, according to HIPAA Guide.
Stanford Medicine, University of Miami Health and Centene Corp also were affected by the breach, although the number of individuals affected at each of those organizations has not yet been confirmed. Information exposed in the breach included names, Social Security numbers, dates of birth, credit or bank account numbers, health insurance numbers, and/or health-related information.
7. Robinhood
Number Of Individuals Impacted: 7 million
Electronic trading platform Robinhood disclosed Nov. 8 that an unauthorized party had five days earlier impersonated a customer support employee by phone and obtained access to customer support systems. As a result of the trickery, Robinhood said the hacker obtained a list of email addresses for approximately 5 million people, and full names for a different group of roughly 2 million people.
Several thousand entries in the list of 7 million records contain phone numbers, and the list also contains other text entries that Robinhood said it is continuing to analyze, the company wrote in a Nov. 16 update. For approximately 310 people, Robinhood said names, dates of birth, and ZIP codes were exposed, with a subset of approximately 10 customers having more extensive account details revealed.
After containing the intrusion, Robinhood said the hackers demanded an extortion payment. The company said it promptly informed law enforcement and is continuing to investigate the incident with the help of Mandiant.
6. Jefit
Number Of Individuals Impacted: 9.05 million
Workout tracking app Jefit in March discovered a data breach due to a security bug that impacted client accounts registered before Sept. 20, 2020. The perpetrator gained access to the following: Jefit account username; email address associated with the account; encrypted password; and IP address when creating the account. Jefit keeps IP addresses for anti-bot purposes and to register abusive accounts.
The company said it took immediate action to secure its servers and the impacted accounts, identified the root cause of the data breach, and confirmed that other Jefit systems were unaffected. Jefit said it has taken security measures to strengthen its network against similar breaches in the future, and is adopting a much stronger password policy on its product to further protect user accounts in the future.
Jefit said there’s no sensitive financial data involved since the company never stored customers’ payment information. All of the payment processes were directly handled by the Google Play Store, Apple App Store or directly processed by the payment gateway company when customers purchase products on Jefit’s website.
5. ClearVoiceResearch.com
Number Of Individuals Impacted: 15.7 million
ClearVoice learned in April that an unauthorized user had posted a database online containing profile information of survey participants from August and September 2015 and was offering information to the public for purchase. The accessible data included contact information, passwords, and responses to questions users answered about health condition, political affiliation and ethnicity.
The data sets could be misused by bad actors, resulting in survey participants getting contacted for purposes such as advertising, ClearVoice said. In addition, the accessible information might be used to prepare personal profiles, which could be used in a commercial or political context, according to ClearVoice.
Within an hour of receiving the email from the unauthorized user, ClearVoice said it located the backup file, secured it, and eliminated any further exposure to the file in the cloud service. ClearVoice also forced a password reset for all members whose information was potentially exposed, and implemented security measures to prevent a recurrence of such an incident and protect the privacy of member data.
4. ParkMobile
Number Of Individuals Impacted: 21 million
ParkMobile became aware of a cybersecurity incident in March linked to a vulnerability in a third-party software that the company uses. In response, the company immediately launched an investigation and found that basic user information—license plate numbers, email addresses, phone numbers and vehicle nicknames—was accessed. In a small percentage of cases, mailing addresses were also accessed.
The company also found that encrypted passwords were accessed but not the encryption keys required to read them. ParkMobile said it protects user passwords by encrypting them with advanced hashing and salting technologies. As an added precaution, ParkMobile said users may consider changing their passwords.
No credit cards or parking transaction history were accessed, and ParkMobile said it doesn’t collect Social Security numbers, driver’s license numbers or dates of birth. “As the largest parking app in the U.S., the trust of our users is our top priority,” ParkMobile said. “Please rest assured we take seriously our responsibility to safeguard the security of our users’ information.”
3. Unknown Marketing Database
Number Of Individuals Impacted: 35 million
A mysterious marketing database containing the personal details of an estimated 35 million people was exposed on the web without a password, Comparitech researchers reported July 29. The database included names, contact information, home addresses, ethnicities, and a wealth of demographic information ranging from hobbies and interests to shopping habits and media consumption.
The sample of files viewed by Comparitech researchers indicated most of the records pertained to residents of Metro Chicago, Los Angeles and San Diego. The database could be accessed in full by anyone with a web browser and an internet connection, and the information contained within could be used for targeted spam and scam campaigns and phishing, according to Comparitech.
Comparitech’s cybersecurity research team discovered the database on June 26 and was unable to identify the database’s owner despite exhausting all means at its disposal. The company contacted Amazon Web Services, which hosted the database’s server, to request it be taken down. The data was accessible until July 27.
2. T-Mobile
Number Of Individuals Impacted: 47.8 million
T-Mobile confirmed Aug. 17 that its systems had on March 18 been subject to a criminal cyberattack that compromised data from millions of customers, former customers and prospective customers. The compromised information included names, driver’s licenses, government identification numbers, Social Security numbers, dates of birth, T-Mobile prepaid PINs, addresses and phone numbers, T-Mobile said.
T-Mobile said the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to company testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data. T-Mobile said it figured out how the bad actor illegally gained entry to its servers and closed those access points.
The company said it is offering two years of free identity protection services with McAfee’s ID Theft Protection Service to all persons who may have been affected. In addition, T-Mobile said it has made Account Takeover Protection available for postpaid customers, which the company said makes it more difficult for customer accounts to be fraudulently ported out and stolen.
1. OneMoreLead
Number Of Individuals Impacted: 63 million
vpnMentor’s research team discovered in August that B2B marketing company OneMoreLead was storing the private data of at least 63 million Americans on an unsecured database, which the company had left completely open. As a result, names, email addresses and workplace information were exposed to anyone with a web browser, according to vpnMentor.
OneMoreLead used the exposed database to store the personal and professional information belonging to at least 63 million people, which most likely would have been offered to clients or customers signing up for its B2B marketing service. The database contained basic personally identifiable information data for each person listed, as well as similar data and information about their job and employer.
vpnMentor viewed numerous .gov and New York Police Department email addresses in the database, which could allow hackers to infiltrate otherwise secure, high-level government agencies. Private data from members of the government and police are a goldmine for criminal hackers, and can result in major national security breaches and devastating loss of trust in the government, vpnMentor said.