Looking back at the data breaches of 2021

2021 was a year like no other. Emerging from the previous year’s COVID-related madness, remote work environments became the new normal and global teams embraced digital collaboration in whole new ways. With it all came a record wave of data breaches spread far and wide as more sensitive data flowed through cloud systems than ever before.

Spirion’s new report, PII for Sale: A Definitive Guide to Sensitive Data Breaches, takes an in-depth look at America’s top leaks, cyberattacks and insider hacks of 2021. The comprehensive report analyzes the year’s biggest sensitive data breaches, how individual industries were impacted differently, and how organizations can learn from these incidents to better mitigate the potential damages caused by a data breach. Here are some key findings of the report.

The main target: sensitive data

Digital transformation continued to be at the forefront of 2021’s business agendas. Whether scaling up operations to reach new territories or giving employees the ability to work in a more flexible manner, one thing is certain: data is at the center of it all. But not all data is created equally. Some data is extremely sensitive, and, if in the wrong hands, can become financial liabilities to both individuals and organizations.

Sensitive data includes:

  • Social security numbers
  • Personal Health Information
  • Credit Card Information
  • Driver License Numbers
  • Bank account information
  • Email and password

Sensitive data, particularly personally identifiable information (PII), can be used for malicious purposes like identity theft and credit card fraud—making it a prime target for malicious actors looking to exploit security gaps. Hackers can compromise entire swathes of sensitive data through organizational data breaches that can cost millions of dollars in damages, bad press, and regulatory fines.

While we have seen significant sensitive data targeting in previous years, a combination of the steady state of remote work and increased sophistication in attack methodologies caused sensitive data attacks to skyrocket during 2021. Of the 1,862 total data incidents reported for the year by the Identity Theft Resource Center, 83% involved sensitive data that left more than 150 million people compromised.

In 2021, the sensitive data of over 150 million people was compromised.

“The number of breaches in 2021 was alarming. Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them.”
Eva Velasquez, President and CEO, Identity Theft Resource Center

Attack vectors kept organizations on their toes

As the technology to prevent attackers from breaking into private systems evolved, so did the sophistication with which attackers engineered new vectors to break into those systems. In particular, supply chain attacks and ransomware were prevalent methods used in 2021.

The data breaches of 2021 utilized a variety of strategies, including:

  • Third-party and supply chain vulnerabilities
  • Phishing/smishing
  • Ransomware
  • Malware
  • Non-secured cloud environments

These breaches often went undetected for months, compounding the damage they incurred on both organizations and individuals. Naturally, some breaches were harder to detect than others, especially when caused by human error. For instance, sensitive data breaches caused by misconfigured firewalls took the longest time to detect and contain, averaging 375 days.

From initial detection to breach containment, the average sensitive data breach took 112 days to resolve, while a non-sensitive data breach only took 52 days.

Undetected attacks can have major consequences. One of the biggest ransomware breaches of 2021 was at a healthcare organization that did not identify the breach for six months—giving attackers plenty of time to steal the sensitive data of 1.4 million patients. Similarly, a T-Mobile breach went undetected for 5 months but had much more severe consequences: driver licenses, social security numbers, addresses, and phone numbers of 47 million current and former customers were compromised. Worse still, Syniverse revealed a 5-year long breach that compromised the credentials of 235 corporate customers across the globe.

Top 5 breached industry sectors in 2021

While every industry includes organizations that collect and store sensitive data, some sectors are responsible for monitoring substantially more sensitive data. These industries often experience larger data compromises that impact a greater number of individuals. These sectors experienced sensitive data incidents that compromised the most people’s personal data in 2021:

  1. Professional services
  2. Telecommunications
  3. Healthcare
  4. Retail
  5. Financial Services

Multiple breaches, one company

Organizations experiencing multiple breaches in one year is an unsettling, emerging trend as a result of the increasing push towards more remote work that invariably puts greater amounts of data at risk than ever before. Experts predict this trend will continue in 2022 and beyond.

“A shift anticipated to occur in 2022 is not if or when an organization will experience a data incident, but how often. In 2022, organizations will begin planning to minimize the costs and business impacts as though they expect to experience three or four significant events a year vs. a singular ‘black swan’ type event.”
Kevin Coppins
CEO, Spirion

Unfortunately, some companies will risk reputational damage in favor of not reporting or underreporting data breaches. Although individual states require companies to notify customers of a breach, currently there are no blanket federal U.S. laws dictating that companies must report every data compromise.

Despite more organizations experiencing data compromises, the ITRC reported that 34% of organizations underreported data breaches in 2021.

Attack awareness leads to better protection

Last year clearly demonstrated that despite monitoring and preparations to avoid cyberattacks, bad actors will continue to innovate clever new ways to access and leverage attack vectors, both within and beyond your organization’s purview. The persistence of data attacks means that if there’s one thing businesses can count on, it’s a data breach.

Only a proactive solution that discovers, classifies, and remediates sensitive data can mitigate the effects of today’s relentless pace of data breaches. Strengthening data discovery, classification, and remediation practices through automation plays a significant role in remaining compliant, detecting breaches early, and keeping the enterprise secure.

Understanding our past vulnerabilities helps us make better decisions for the future. Download our new report, PII for Sale: A Definitive Guide to Sensitive Data Breaches, to learn more about the record number of sensitive data breaches of 2021, including:

  • The top sensitive data compromises of 2021
  • Emerging trends in cyberattacks
  • Most common PII data exfiltrated
  • Lifecycles of sensitive data breaches
  • Industry-breakdown of 2021’s events
  • In-depth look at the impact of each major attack vector

And discover how Spirion can help mitigate damages caused by data breaches.

Want to dig deeper?

Understanding the most common (and successful) attack vectors is essential to devising and executing a comprehensive plan to protect your most valuable data. Download the report today to see the full extent of 2021’s cyberattacks and start thinking about how to protect your sensitive data from attack in 2022 and beyond.

Download now