Worst Data Breaches of 2021 (what you need to know, and do)

Category: Security

Ransomware-related data breaches have doubled two years in a row. Identity theft and related fraud is rampant. Those are the takeaways from reports by the Identity Theft Resource Center and Spanning, a cloud security firm. Read on for details on some of the worst recent data breaches, what type of information was exposed, and what you need to know about protecting yourself in the age of vanishing privacy...

The Biggest Data Breaches of All Time

Spanning's recent webinar Lessons from Top Cybersecurity Incidents in 2021 gives details on some of the worst incidents from 2021. Topping the list was the May 2021 Colonial Pipeline cyber attack, in which Russian hackers targeted the firm's billing and internal business network, and disrupted East Coast gas supplies for a week. The company paid a $4.4 million ransom, which was later recovered by the FBI.

CNA Financial was hacked that same month, exposing the names, personal identification and Social Security numbers of 75,000 employees, contractors and policyholders. The attack shut down the company's website and locked out administrators. CNA paid $40 million to the Russian cybercrime syndicate known as Evil Corp.

Brenntag North America, a subsidiary of the German chemical distributor, suffered a cyber attack last April in which 150 GB of data was stolen. The DarkSide hacker group (also based in Russia) demanded $7.5M in bitcoin to prevent the release of customer information, which included accounting records, chemical formulas, and employee birthdates, driver's license numbers, medical records, and Social Security numbers. The company paid a negotiated ransom of $4.4 million.

JBS, one of the biggest meat processing firms, was hacked in May by the Russian hacker gang REvil. (Are we seeing a pattern here?) Meat processing plants in the U.S. and Australia were temporarily shut down, resulting in supply chain issues. An $11 million ransom was paid.

The Worst Data Breaches (what you need to know and do)

Those are just a few of the high-profile cyber attacks of 2021. Spanning says that 91% of attacks like these are initiated via phishing campaigns, using tailored email templates that look exactly like the company's password reset emails. They recommend updating outdated software, enabling multifactor authentication, and training to help people recognize bogus emails.

Researchers at Spanning analyzed data from the Identity Theft Resource Center, the Federal Trade Commission, and news reports from the past 7 years. Their findings indicate that over that time period, social media companies such as Facebook and Yahoo have been the most vulnerable to data breaches resulting from hacking and accidental exposure of customer databases. But more recently, the Business and Healthcare sectors have had the most breaches.

Their list of The Largest Data Breaches in U.S. History is ordered from smaller to larger, with details on what specific types of personal data points were compromised. Some of the most impactful attacks targeted First American Corporation (885 million records including bank account numbers, bank statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver's license images); Marriott International (500 million records including customer name, mailing address, phone number, email, passport number, date of birth, gender); and Facebook (419 million phone numbers belonging to Facebook users).

Daniel Markuson, a digital privacy expert at NordVPN, says that hackers do more than just hack — they also collect billions of consumer records from breaches and leaks and package them up for sale. “With so many breaches and leaks... it’s possible that your email address or other details ended up in the wrong hands,” says Markuson. To me, it seems more probable than possible. But there are several online resources that can help you determine if any of your login credentials have been compromised.

What Should You Do?

The non-profit Identity Theft Resource Center offers some excellent tips on preventing and recovering from identity theft. Later in the first quarter of 2022, the ITRC will launch a free alert service where individuals can create a list of companies with which they do business. If an organization on the list is compromised, the subscriber will receive an email alert. ITRC also offers free support from knowledgeable advisors by phone or live chat.

The Federal Trade Commission has tips on Limiting Unwanted Calls & Emails, Online Security, Protecting Kids Online, and Preventing Identity Theft. The FTC's Identity Theft Awareness Week runs from January 31 to February 4, featuring a series of free events focused on trending issues in identity theft.

You can check to see if your email address was leaked in a data breach by visiting Have I Been Pwned. Enter your email address and this site will tell you if it has been compromised at any time in the past. (The term "pwned" is geekspeak for "owned," or "defeated.")

NordPass is a free service that lets you anonymously measure the strength (hackability) of your password, and will tell you if your password was exposed to any known data breaches.
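As an added illustration (not code from the original article, nor from Have I Been Pwned or NordPass), here is how a breached-password lookup can be done without ever sending the password anywhere: hash it locally, send only the first five hex characters of the SHA-1 hash, and compare the returned suffixes on your own machine. The range response embedded below is constructed for this example (it uses the same SUFFIX:COUNT line format that the Have I Been Pwned "range" endpoint returns), and `offline_fetch_range` is a hypothetical stand-in for the network call.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a "range" response for the SHA-1 prefix 5BAA6.
# Each line is the remaining 35 hex characters of a password's SHA-1 hash,
# a colon, and how many times that password appeared in known breaches.
# The first suffix is the real SHA-1 remainder of the string "password";
# the other suffixes and every count are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
00A1B2C3D4E5F60718293A4B5C6D7E8F901:17
"""


def split_sha1(password: str) -> Tuple[str, str]:
    """Hash the password locally and split the upper-case hex digest into the
    5-character prefix that may leave the machine and the 35-character suffix
    that never does (one prefix covers many unrelated passwords, so the
    service cannot tell which one you are checking)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn a SUFFIX:COUNT response body into a dict, skipping malformed lines."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def offline_fetch_range(prefix: str) -> str:
    """Hypothetical stand-in for the HTTP request: returns the constructed
    sample for prefix 5BAA6 and an empty body for any other prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Return how many times the password appears in the corpus, or 0.
    Only the prefix is handed to fetch_range; the match happens locally."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate)
        verdict = f"seen {n} times in breaches" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

A non-zero count means the password is in a known breach corpus and should be retired everywhere it was reused, not just on the site that was breached.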

Now that the number of leaked records (usernames, passwords, phone numbers, social security numbers, credit card info, and other personal data) reaches into the billions, and new data breaches are announced like clockwork, how should you respond? My advice is to assume that at least some of your personal info HAS been compromised. Here's what I recommend:

* Change your passwords, and use a password manager to create strong passwords going forward.
* Use two-factor authentication to protect your online accounts (even if your password is stolen)
* Consider using disposable email addresses
* Keep tabs on your credit reports (see sidebar above)

Have you been affected by a data breach? What steps did you take as a result? Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted by on 25 Jan 2022



Most recent comments on "Worst Data Breaches of 2021 (what you need to know, and do)"

Posted by:

Ryan James
25 Jan 2022

If you are hacked or a company has a data breach, you can change passwords, credit card numbers, and such, but you cannot change your date of birth or Social Security number.


Posted by:

Jim M
25 Jan 2022

I used the Have I Been Pwned website and it showed my email address had been stolen. Now I get junk emails showing they come from Facebook. Emails are blank so I have no idea what they are supposed to accomplish and they show to be going to someone else. Changing email address is more of a hassle than I want to deal with at the present. Thus far all accounts involving money seem ok.


Posted by:

Bob Kinsler
25 Jan 2022

The best way to avoid hacking and ransomware is - - PCMATIC.


Posted by:

Charley
25 Jan 2022

My email address is definitely out there. So I get a lot of spam. I have had the same email for almost 30 years and I don't want to change it. I am very careful about checking my emails to make sure they are legitimate, not spam or phishing, etc. I don't click on links in emails, with only a few exceptions when I am 100% sure the email and link are legitimate.


Posted by:

Charley
25 Jan 2022

Bob, you may not know but Breach Alarm is gone.
"After over ten years, we regret to inform you that BreachAlarm has been discontinued."

EDITOR'S NOTE: Thanks, that's too bad.


Posted by:

Alois M.
25 Jan 2022

Banks are especially concerned about their customers' security. Like U.S. Bank, and others. (Or at least they say that.) When using their website, they log you off automatically after 8 minutes of inactivity (even though a warning note says 15 minutes).

How is that protecting me? If I use a library computer and walk away while still logged in, that may protect me (although that's 100% preventable and no sane person would use a library computer for confidential work). If I'm home and get a glass of water, when I get back to the computer, I have to log in again. I hate that.

I have complained to a number of companies about this same idiocy but nothing ever changes. Yet they themselves get hacked as noted in Bob's article. Who runs these companies' IT departments?


Posted by:

Bev
25 Jan 2022

You have had wonderful support, I have had your lifetime virus protection since around 2012..


Posted by:

Ernest N. Wilcox Jr.
26 Jan 2022

I use LastPass to store/generate long, strong passwords. I have registered my two email accounts for notifications from Have I Been Pwned in the event they are included in a breach. One of my emails has been included in a breach. When I was notified, I immediately changed my password and verified that my account recovery information had not been changed, then I changed it, just to be safe. In my case, I had to choose three questions from lists and provide answers that were pertinent to me. The entire process took perhaps five minutes, but the reward for that short time is knowing that by changing my password and my recovery questions/answers, my email account is now once again secure. I have since enabled 2FA on that account as well.

I think that it is very important to note that when you learn that an email account has been compromised, you immediately take these steps:
1. Change your password.
2. Update/change your recovery information.
3. Consider enabling 2FA for this account.

If you fail to perform at least the first two steps, your email account remains compromised. Even though you may have changed your password, if you do not also change your recovery information, a Cracker can 'recover' your email account for him/herself using the recovery information you failed to change. At that point, it belongs to the Cracker (especially if (s)he changes the account's recovery information AND its password). While you are at it (if you have not already), enable 2FA for that account. This step alone will increase your email account's security more than anything else you can do.

Even if none of your email accounts have been compromised, I strongly recommend that you enable 2FA on them ASAP, then even if your account (and its associated information) is compromised in a data breach, the attackers will be unable to access your account, or make changes to it because they cannot authenticate using 2FA (they don't have your second authentication element - in my case Microsoft Authenticator on my phone). There are other authenticator apps and devices (YubiKey for one) you can get to implement 2FA, choose the one you prefer.

I chose the Microsoft Authenticator app because I use Windows 10/11 on my PCs. I also use Windows Defender as my primary Antimalware suite. Since I trust Microsoft to provide and secure my OS, it makes sense to me that I also trust them to provide my 2FA authentication services.

These are the things I do to secure my email (and other) accounts.

I hope this information helps someone,

Ernie


Posted by:

Peter Oh
26 Jan 2022

Ernest's recommended procedure may have taken him only 5 minutes but I can guess how long it might take me.
I also use LastPass but find it slow, awkward, & a continual irritation in practical use.
I can't remember any of my passwords so this means even posting a comment on YouTube (say) involves opening LastPass, only (generally) to find it difficult to find the password I want. I seem to spend more & more time changing or locating PWs & some can't be done quickly.
Using 2 factor authentication is OK but you need your phone to hand which is not always convenient.


Posted by:

Ernest N. Wilcox Jr.
26 Jan 2022

Peter,

When I use my web browser, if I don't already know the url of a site I want to go to, I use my browser's search function to get the url, then go there. For me, the great thing about LastPass is that if I have an account on the site, I am logged in automatically when I get there. I can simply start doing what I went there to do.

When I set up an app that wants to log me into my account on a web-based service (such as Spotify, etc.), I open my LastPass vault and use the search bar (Search My Vault) near the top of the LastPass window (in the red area) to search for the launcher. Then I click the wrench icon to access the launcher's settings and click the eye icon to show the password text (not stars) so I can copy it to my clipboard. I then switch back to the app, and enter my username and password to finish setting up the app. For me, this is much easier than any other method I can think of to manage my passwords (I have a lot of them). I do have a fairly fast computer and a very fast Internet connection. That may improve my experience when compared to yours. That is something I cannot know. The one thing I do know is that my Internet activity is much more secure than it would be otherwise because I use LastPass to generate long, strong, and unique passwords for each of my Internet accounts, and I use it to access those websites to simplify my day-to-day Internet activity.

It works for me, but your mileage may vary,

Ernie


Posted by:

Ernest N. Wilcox Jr.
26 Jan 2022

Peter,

I'm sorry, I didn't read your comment carefully enough. Again, I'm sorry if your experience using LastPass does not match mine, but even if it takes you longer than five minutes to follow my three-step procedure to regain control over (and re-securing) a compromised Internet account, isn't it worth the time and effort when compared to what you may have to endure if you don't do so? Our information should always be safe on the Internet, but it's not. The best we can hope for is that if we take steps to protect ourselves as much as possible, our information will remain as safe as possible. I agree that this is a bother but doing nothing helps nothing.

My2Cents,

Ernie


Posted by:

Therrito
26 Jan 2022

When was the Facebook breach?
Have I Been Pwned and NordPass are good tools.


Posted by:

Frances
26 Jan 2022

The trouble with 2FA is that it mostly requires a cellphone. Which I do not have. Or else, it requires that I answer a call on my landline. Which is across the room from my computer and requires me to hold the phone to my right (good) ear while simultaneously writing down the code (impossible). The result is that I have 2 bank accounts that I have great difficulty accessing and I'm actually thinking of closing because of this. I'm also locked out of my PayPal account and online access to my investment account (I get paper reports). I wish that the people who set up these systems would remember us seniors - we have different abilities and different requirements.


Posted by:

Mike C.
27 Jan 2022

I receive fraudulent emails daily from "bank presidents", well-known fund managers etc. advising I am the recipient of millions. These generous individuals do not know my name, just my email address. I have no idea how these scammers got it but they evade my ISP's scam software. When I see an email sent to undisclosed recipients, I know I am one of many "winners". Very annoying. I am speculating an old, perhaps defunct website was hacked and email addresses were taken.


Posted by:

Ernest N. Wilcox Jr.
27 Jan 2022

Frances,

You can get a free cellphone (aka an Obama phone) and service for free. I had one of the free cellphones, then replaced it with one I bought online from Amazon using part of the stimulus money we all received because of the pandemic. As long as your income meets the government guidelines, you should qualify. The advantage of having a cellphone is when your home phone is not working (e.g.: due to a power failure, etc.), you can still communicate because you have the cellphone. A cellphone is also handy when you are out driving to the store (or what not), and your vehicle breaks down or you are in an accident. You can get help without having to leave your car, and, of course, you can then download an authenticator app to your phone, making it much easier to enable 2FA, etc.

Just trying to help,

Ernie


Posted by:

Mike L
31 Jan 2022

Data breaches of any government entity (or firms doing business with them) should be classified as espionage, and as such could subject the offender to the death penalty under federal law.


Posted by:

Karen S
31 Jan 2022

I have read many times not to use personal information for recovery purposes, i.e. mother's maiden name, what school you went to, first car. So I figure it's safer to make something up for those answers such as first car = blue dune buggy, not Chevy (not my first car); mother's maiden name = Thingamajig; etc.


Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- Worst Data Breaches of 2021 (what you need to know, and do) (Posted: 25 Jan 2022)
Source: https://askbobrankin.com/worst_data_breaches_of_2021_what_you_need_to_know_and_do.html