8 of the most important data breaches of 2021 (so far)
We’re at the halfway point of 2021, and it’s already been another big year for data breaches. In this article, we’ll take a look at eight of the most significant data breaches of 2021 so far. We’ll focus on data breaches that both affected a large number of people and tell us something about the current cybersecurity threat landscape.
The COMB data breach
The breach: The Compilation of Many Breaches (COMB) data breach hit in February, and has been the biggest (by the numbers) data breach of 2021 so far. COMB comprised credentials from over 3.2 billion users. As the name implies, COMB wasn’t a single data breach, but a compilation of numerous data breaches from past years. The difference is that now these breached records are available to the bad guys as a single, searchable database.
The takeaway: The COMB breach highlights the long-term nature of the data breach threat, as well as the way that the underground hacking “economy” works. What’s noteworthy here is the way that older breaches can gain new life as they’re compiled, traded, or sold on hacking forums and the dark web. For this reason, if you haven’t updated your passwords in a while, or if you’re still not using two-factor authentication (2FA), there’s no time like the present to strengthen your defenses!
The Facebook data breach (2021)
The breach: In April, security researchers discovered a trove of Facebook user data being shared in an online hacking forum. The breach exposed the personal information of over 500 million Facebook users worldwide. As with COMB, the original data in this breach was actually leaked years ago (in 2019). But the fact that it was compiled into a single database and shared online this year is why this one makes the list of data breaches in 2021.
The takeaway: The personal information in the 2021 Facebook data breach was scraped by exploiting a vulnerability — one that Facebook patched some time ago. As it turns out, some of the most sensitive items in this breach were the phone numbers linked to Facebook accounts. And the irony is that users weren’t even required to give this information to the social media giant in the first place!
The lesson here is that even the largest, most technically sophisticated companies can experience vulnerabilities that expose your data to the bad guys. For this reason, never share more information with a website or app than you have to. If they ask for your phone number, contacts, or home address during signup, and you don’t absolutely have to provide it … don’t give that information away. After all, they can’t leak what they don’t have!
The ParkMobile data breach
The breach: In April, security researchers discovered that someone was selling customer information for more than 21 million users of the ParkMobile mobile parking app. The data included email addresses and phone numbers, personally identifiable information (PII), license plate numbers, hashed passwords, and more. The ultimate cause of the breach was third-party software used by ParkMobile.
The takeaway: Technology has become complex, and app developers often rely on other people’s software and tools in order to build their own applications. Unfortunately, as in the case of ParkMobile, sometimes those third-party components have security issues. In other words, even if you’ve researched the developers of a website or app that you use, and you’re satisfied that they practice secure development, you should be aware that their own vendors may have security vulnerabilities. It’s also noteworthy that ParkMobile was storing user passwords securely (using one of the most robust password hashing algorithms available). That would make it difficult, perhaps even unfeasible, for an attacker with that data to figure out an actual user password — provided that the original password was sufficiently complex and randomly created. For this reason, it’s essential to use strong, unique passwords for all of your accounts.
The SocialArks data breach
The breach: SocialArks is a Chinese social media management company. The startup says that it offers “brand-building, marketing, and social customer management” solutions for “China’s foreign trade industry”. Unfortunately, SocialArks’ strategy involved building a massive database of social media profile information scraped from platforms like Facebook, LinkedIn, and Instagram. A cloud storage misconfiguration then exposed 318 million of these records, affecting over 214 million social media users worldwide.
The takeaway: There are actually two big takeaways from this one!
First, it’s important to realize that a growing number of companies — including companies that you, personally, have nothing to do with — want to collect your information to build up their own databases. We’ve seen this with Clearview AI, a facial recognition startup that was collecting biometric data on millions of social media users without their consent. Because of this, it’s more important than ever to lock down your social media accounts so that only family, friends, and acquaintances can see your profile.
Secondly, the SocialArks data breach goes to show that cloud security is still a challenge for many companies. While experts say that the cloud can be just as secure as traditional data storage solutions, they caution that companies still have to take the time to think through their cloud strategy and implement it with care. But since many companies don’t seem to take cloud security seriously, we can expect to see more incidents like the SocialArks data breach or the Hobby Lobby data breach from earlier this year.
The SITA data breach
The breach: In March, SITA, an IT company that serves over 90% of the world’s airlines, suffered a data breach. The full extent of the breach is still unknown, as the company will not release the data of all of the affected airlines publicly while an investigation is pending. But so far, we know that millions of passengers were involved. The leaked data includes passenger names, personally identifiable information, payment details, travel details, and frequent flyer information.
The takeaway: The SITA data breach underscores the way in which a seemingly harmless action — for example, joining an airline’s rewards program — can put your data at risk. For this reason, we recommend that you use caution when signing up for a customer loyalty program. Take a moment to ask yourself if it’s really worth putting your data on a company’s servers in order to save a few dollars here or there. In some cases, the financial benefits may truly outweigh the risks, which is fine! But you can still limit the information that you give out. For example, you might create a dedicated email account that you only use to sign up for such programs — but which is not connected to anything else in your online or offline life. You can also avoid having credit card details leaked (in some cases, anyway) by using a digital wallet service like Apple Pay to make purchases.
The Descomplica data breach
The breach: Descomplica is an education technology (EdTech) platform used in Brazil. In March, Descomplica suffered a breach that exposed the personal data of its users. The data included around 5 million email addresses, names, password hashes, and partial credit card data. This wasn’t one of the bigger data breaches of 2021, but as we’ll see, it points to a disturbing trend.
The takeaway: Educational institutions are using EdTech software more and more these days — and this has only increased over the past year, when COVID-19 forced most students to learn from home. The upshot is that schools and universities now manage a huge amount of their students’ personal data … and yet they’re often poorly equipped to defend against cyberthreats. Unfortunately, the bad guys know this, which is why attacks on schools and school districts are increasing. If you’re the parent of a school-aged child, or simply a concerned member of the community, you may want to learn about what you can do to help improve cybersecurity in our schools.
The Parler data breach
The breach: Parler is a social media service that is similar to Twitter in terms of functionality. In late 2020, it became popular with far-right figures who had been banned from mainstream social platforms like Facebook and Twitter. It had around 15 million active users at its peak. Because of concerns over the kind of material disseminated on the platform, and reports that the app was used to coordinate the January 6 attack on the United States Capitol, other tech companies suspended services for the platform. Apple and Google both pulled the Parler app from their app marketplaces, and Amazon Web Services canceled hosting services for Parler.
However, before Parler went offline, a security researcher exploited a flaw in the platform’s API that allowed her to scrape and archive massive amounts of data from the site. This data included user account information, posts and deleted posts, and video posts with GPS location metadata. The researcher says that her intention was to preserve incriminating evidence that could be used to prosecute crimes committed during the January 6 Capitol riot.
The takeaway: The lesson from the Parler data breach (other than the obvious “don’t use social media apps to commit federal crimes”) is that fast-growing apps and websites often lag behind when it comes to security. As one professor of communications remarked, “Parler seems like an issue of getting too big, too fast and not having the ability or technical know-how to actually prepare for that.” Another analyst was somewhat less diplomatic, citing “gross incompetence on the part of Parler” as the cause of the breach. For this reason, be careful when trying out popular new social media apps like Clubhouse, as they may have security and privacy bugs. In addition, take extra precautions when using services that are experiencing rapid growth (as, for example, Zoom did in 2020).
The California DMV data breach
The breach: The last entry on our data breaches of 2021 list is the only one to involve a government agency. In February, a billing contractor for the California Department of Motor Vehicles was hit by a cyberattack. According to a public statement from the DMV, the incident could have exposed “the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers.” Over 38 million records may have been affected.
The takeaway: Notable in this data breach is the fact that data belonging to a government agency was leaked indirectly — through a compromise of one of the DMV’s outside vendors. We know that attacks on both local and federal government agencies are on the rise. And because governments are increasingly partnering with third-party technology companies, threat actors have a greater “attack surface” available to them. In some cases, as with the SolarWinds hack, this can have dramatic and widespread repercussions. Incidents like the California DMV data breach should serve as a wake-up call to citizens — and a reason to demand accountability and better cybersecurity from our elected representatives.