2021: The biggest data leaks - over 6 billion data records leaked

B2B Cyber Security ShortNews


The year 2021 was marked by data leaks and cybersecurity breaches, but some stood out from the crowd. Here are the top 5 with more than 6 billion records leaked.

The year 2021 set records, albeit not in a positive way. According to a study by the Identity Theft Resource Center (ITRC), the number of data protection breaches as of September 30, 2021 was already 17 percent higher than the total number of events in 2020. While there were a total of 1,108 breaches last year, 1,291 violations had been counted in 2021 by the study's cutoff date.
The manufacturing and utilities sector was particularly hard hit with 48 incidents and a total of 48,294,629 victims.

17 percent more data leaks than in 2020

In the health sector, the number of incidents was significantly higher at 78, but with around 7 million victims, significantly fewer people were affected. Other sectors with more than 1 million victims were financial services (1.6 million victims), governments (1.4 million victims) and professional services (1.5 million victims). But even with the sheer volume of attacks, data leaks, and security breaches, some incidents stand out.

Here are the top 5 cyber incidents in 2021 as a countdown!

5. The “Brazilian Database” – 327 million records

In January 2021, the largest data leak in Brazilian history to date was discovered. Databases posted in a Darknet forum made the names, tax numbers, portrait photos, contact details and information on creditworthiness and salary of 223 million people available free of charge, including the data of several million people who had already died. In addition, 104 million vehicle records were available. Typically, such data is used and analyzed by credit bureaus, so it is believed that the data could have come from a data breach at Serasa Experian, the leading Brazilian credit rating agency.

4. Bykea – 400 million records

During a routine check of IP addresses, security researchers from Safety Detectives discovered a vulnerability on a particular port of an Elastic server. This server contained API logs from Bykea, a transportation, logistics, and cash on delivery company based in Karachi, Pakistan.

Closer investigation revealed that Bykea had apparently made all of its production server information publicly available without password protection or encryption and allowed access to more than 200 GB of data containing more than 400 million records. The records contained full names, locations, and other personal information that hackers could potentially use to cause financial and reputational damage.
The company didn't seem too concerned about these facts, however, as the Bykea CEO described the incident as "nothing out of the ordinary." It also remains unclear whether this latest breach was related to a previous hack in which attackers reportedly wiped the company's entire customer database.

3. Facebook – 533 million records

Even the largest companies in the tech industry are not immune to data leaks. This year, security researcher Alon Gal discovered a leaked Facebook database with the data of 533 million users.

The data discovered appears to have been taken prior to 2019 and included the personal data of Facebook users from 106 countries, including more than 32 million records on users in the US, 11 million on users in the UK and 6 million on users in India. The data records also contained the telephone numbers and email addresses of the users concerned. Security researchers therefore warn that criminals could use this information for social engineering attacks or even identity theft.

It is not entirely clear where the data came from. Facebook reported that it was presumably scraped through a security hole that the company closed in 2019.

2. LinkedIn – 700 million records

In June, a huge data breach on LinkedIn became known. With 700 million victims, almost 93 percent of all users of the network were affected. Worse still, the leaked data also appeared to be fairly up-to-date. The affected data was personal information that could enable criminals to commit identity theft.

However, the company itself denies that the data sets are up-to-date, that is, that they come from the years 2020 and 2021. In particular, salary and address did not come from LinkedIn, according to a spokesman. Overall, the data are not the result of an attack, but the work of a data collector who retrieves and collates publicly available information. This practice is also called scraping.

1. Cognyte – 5 billion records

Ironically, a company that specializes in cybersecurity analysis was responsible for the biggest data breach this year. Comparitech security researchers discovered a huge database with more than 5 billion data records freely accessible on the Internet, without protection by a password or any other authentication method. It is owned by Cognyte, which stored data from previous security incidents as part of its cyber intelligence service to warn customers of third-party security risks. The database was secured three days after the security researchers warned the company.

Nevertheless, it is a serious incident because all or at least some of the data sets contained the name, email address, password and the data source, i.e. the leak from which the data set originated. Although the data had already been compromised, it could have put end users at risk if accessed by cyber criminals.

Many risks from laziness and a lack of specialist knowledge

In the last example in particular, we can see that data protection violations do not always result from an attack, but can also simply be the result of a suboptimal, careless or even sloppy approach by a company. However, that doesn't make them any less dangerous for those affected. It is all the more important that companies take the protection of the data entrusted to them seriously and do everything possible to prevent unauthorized access.

More at 8com.de

 

