Infographic: The Biggest Cybersecurity Breaches In 2021

January 14, 2022

Cybersecurity data breaches are as severe as they have ever been, and 2021 further illustrated how important it is for organizations to ensure their networks are safeguarded against modern threats.

In this infographic blog, we'll be taking a look at some of the biggest data breaches to affect businesses in 2021: how many records and what information were exposed, and what the causes were.

For organizations that have yet to invest in a strategy for their cybersecurity, we hope this infographic will serve as an insight into how data breaches can affect even the biggest corporations in the country. For more information, read on below the infographic and learn more about the breaches.

[Infographic: The biggest cybersecurity breaches in 2021]

Astoria

What happened?

In January 2021, marketing solutions provider Astoria Company LLC experienced a breach where two hackers gained access to highly sensitive information, including customer names, emails, addresses, phone numbers, and IP addresses.

Astoria informed its customers in full about the incident in November 2021, and has since faced a class-action lawsuit for the breach.

How did it happen?

According to Astoria's own account of the breach, an alleged security researcher, in addition to an associate, gained unauthorized access to an Astoria system containing a database of individuals' personally identifiable information (PII).

Astoria became aware of the attack in February 2021 and told customers over eight months later.

What did we learn?

The Astoria data breach was the result of an insider hack from an employee or contractor.

The prevalence of insider attacks rose by roughly 50% in the years 2018 to 2020 and will continue to be a cause for concern among businesses today.

To avoid these incidents, businesses should ensure that their access control policy is correctly enforced. In other words, do the right employees have access to the right materials, or are there employees who are by default given unnecessary access to sensitive information?

ParkMobile

What happened?

ParkMobile is a company that provides a cashless parking app that is used in Baltimore, among other cities.

In March 2021, the company was the victim of a breach that led to 21 million users having their data compromised.

The company communicated details of the breach to its customers after a tech journalist reported that millions of individuals' personal data was being sold by Russian hackers.

How did it happen?

ParkMobile has yet to disclose how the breach occurred, aside from an initial notice to customers that it was linked to a "vulnerability in a third-party software that we use."

A class action has since been filed against the company, which seeks unspecified damages and a "full and accurate" disclosure by ParkMobile of the compromised information.

What did we learn?

Organizations should be clear in their policy for reporting data breaches and ensure they are abiding by every relevant law in the disclosure of breaches.

In the case of ParkMobile, only when an article from a journalist came to light did they report on the breach. Companies should be careful not to undermine themselves and ensure they have a clear communication strategy with their customers in the event of a major incident.

ClearVoice Research

What happened?

ClearVoice Research reported that an unauthorized user sent them an email, stating he had accessed a backup file containing database information of survey participants from August and September of 2015.

The database was later found being offered for sale online.

How did it happen?

The unauthorized user gained access to the database, which was located in an under-secured cloud location.

What did we learn?

Poor user controls for cloud databases can leave organizations susceptible to attack if they do not have a clear understanding of who has access to what.

This can be more problematic as data and information volumes increase in companies, leading to many—as with ClearVoice—having less-than-ideal oversight over sensitive files.

Jefit

What happened?

Jefit is a workout tracking app that suffered a data breach in August 2020. The company reported the incident to its users in March 2021. The breach leaked around 9 million email and IP addresses, usernames, and passwords.

How did it happen?

As of January 2022, Jefit has yet to disclose exactly what the cause of the incident was, aside from stating that the breach was due to "a security bug".

Given they also stated that they took measures to better secure their servers and adopt a stronger password policy, it's highly likely that the incident was due to lacking access controls.

What did we learn?

This is another example where a lack of access controls can be extremely problematic for modern organizations that host much of their data in the cloud.

Just as a business would not allow anyone working for them access to a filing cabinet containing sensitive data, they should similarly not allow anyone access to information in the cloud—situations like these often arise from keeping default settings applied to folders and files kept in cloud storage solutions.

Infinity Insurance

What happened?

In December 2020 and March 2021, customers of Infinity Insurance were subject to two separate security incidents which resulted in unauthorized users gaining access to computer systems containing information pertaining to 6 million individuals.

How did it happen?

An unauthorized party gained access to Infinity Insurance's servers, compromising PII including names, addresses, and Social Security numbers.

What did we learn?

Again, access controls are the message of the day. Infinity Insurance is just the latest in a long line of organizations that failed to adequately ensure their systems were protected from unauthorized access.

20/20 EyeCare Network

What happened?

In January 2021, 20/20 EyeCare noticed abnormal activity in their Amazon Web Services (AWS) account.

They further concluded that data relating to over 3 million people had been stolen by unauthorized actors.

How did it happen?

AWS offers cloud storage solutions for users, and 20/20 EyeCare's systems were compromised, allowing an unauthorized user to gain access to their servers and information.

A follow-up letter sent to affected users indicated that they were unable to tell which files were seen or deleted by the hacker.

The company said they had begun reviewing their security policies and procedures in order to strengthen them.

What did we learn?

Again, access controls are the message of the day. Infinity Insurance is just the latest in a long line of organizations that failed to adequately ensure their systems were protected from unauthorized access.

Volkswagen

What happened?

A data breach at a vendor of Volkswagen impacted around 3.3 million customers in North America and came to light in May 2021.

More than 90,000 customers in the US and Canada had more sensitive data compromised, including information about loan eligibility, as well as date-of-birth records and Social Security numbers.

The hacker, identified by the alias “000”, wrote that they were looking to sell the contents of the database for around $5,000.

How did it happen?

A vendor of Volkswagen, unnamed by the company, left customer data spanning the period 2014 to 2019 unprotected.

The vendor gathered customer information on behalf of Volkswagen to aid their sales and marketing initiatives.

Volkswagen has so far declined to comment on how exactly the vendor was hacked, saying only it was because “electronic data was left unsecured at some point between August 2019 and May 2021.”

Multiple investigations have since been launched and Volkswagen is the subject of a class action lawsuit filed in June 2021.

What did we learn?

Many businesses outsource several aspects of their operations, including marketing services.

Before partnering with a vendor, organizations should be confident that third parties will protect the data they are being entrusted with, particularly if it pertains to customers' personally identifiable information (PII).

Businesses that operate in industries with strict compliance regulations, like healthcare, should be doubly careful about whom they partner with for services.

Bottom Line

If there is one message that businesses should be taking away from some of the biggest data breaches of 2021, it's that it is absolutely crucial for organizations to have a clear understanding of what their cybersecurity profile is and what they should be doing to shore up their security protections.

Above all, they should be ensuring that their access controls to sensitive data, particularly information regarding customers and clients, are well established and follow best practices outlined in, for example, the NIST security standards framework.

For organizations that are unsure of their cybersecurity standing, we recommend having a security risk assessment and gap analysis conducted, which will give them a full understanding of what they are lacking and what they need to do to fully protect their information. Contact DOT Security to learn more.