Updated: Apr 26
2021 has been an interesting year for the information security community. According to the Identity Theft Research Center, the total privacy and data breaches recorded in the third quarter of 2021 have already surpassed those recorded in the whole of 2020. Specifically, the publicly reported breaches as of 30th September 2021 have increased by 17% compared to the total events reported in 2020. Notably, cybersecurity experts blame the COVID-19 pandemic as the leading cause of the significant rise of privacy breaches. The following statistics provide an overview of the state of privacy breaches in 2021.
Privacy breaches surged in the healthcare sector: The healthcare sector recorded a 44% rise in privacy breaches in 2021. In particular, healthcare providers have reported at least 38 healthcare privacy breaches involving at least 5,120,289 patient records. Also, an overwhelming number of attacks, including phishing attacks, spoofing incidents, unauthorized email access, and data breaches, have enabled attackers to breach the privacy of millions of patients.
Increased privacy breaches from remote working: Expectedly, a significant number of organizations have shifted to remote working strategies. Recent estimates reveal that 25%-30% of all employees will be working from home by the end of 2021. On the other hand, 58% of organizations worldwide believe that adopting work from home strategies will increase exposure to privacy breaches compared to 44% in 2018. Various factors contribute to the increased risk of privacy breaches in a remote working arrangement, including a lack of sufficient cybersecurity awareness and insecure devices used to access corporate networks.
Increased use of stolen credentials in privacy breaches: A 2021 study conducted jointly by the Ponemon Institute and IBM found that compromised credentials were among the most popular methods used to execute attacks. According to the research, 44% of attacks, data breaches, and privacy breaches resulted from stolen credentials. Furthermore, the study found that breaches targeting passwords and usernames will continue increasing as attackers seek to use them in future cyber-attacks. Stolen credentials enable hackers to breach the privacy of various individuals by exposing data like email addresses, financial records, personal information, and health data.
The Largest Privacy Breaches of 2021
1. State-Sponsored Attack on Microsoft
Microsoft released a statement on 2nd March 2021 reporting a state-sponsored incident that affected more than 30,000 organizations in the private and public sectors. According to Microsoft, Hafnium, a Chinese state-sponsored cybercrime group, targeted various entities within the US with the aim of exfiltrating sensitive data, including personal and business information. The breach occurred after the hackers involved in the attack targeted zero-day exploits in hundreds of thousands of servers running the Microsoft Exchange software. The cybercrime syndicate used stolen credentials, exploited undetected vulnerabilities, and exfiltrated data to a remote server. Since the Microsoft Exchange Server manages email communications, the attackers accessed thousands of sensitive email communications belonging to government agencies and private entities, resulting in a serious privacy breach.
2. 243 Million Personal Records Exposed Online
Personal information belonging to at least 243 million Brazilians was found online, a number larger than the entire Brazilian population. According to the Brazilian publication Estadão, the massive leak contained the personal information of everyone registered using Sistema Único de Saúde (SUS), which is Brazil's national health management system. Specifically, the data types exposed in the leak included telephone numbers, home addresses, and official names, among others. The country's Ministry of Health website stored the databases' access credentials in an encoded format in its source code. However, Base64, the method used to encode the passwords and login information, is a reversible encoding rather than encryption and can be decoded easily. Thus, most security experts concluded that the attackers that perpetrated the incident decoded the access credentials and leaked the database online.
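The Base64 point above, as an added example (not code from the original article or from the system it describes): a small pre-publication check that flags Base64-encoded values on credential-looking lines of page source and shows that they decode without any key. The sample source, the variable names in it and the hint list are constructed for illustration.

```python
import base64
import binascii
import re

# Runs of the Base64 alphabet long enough to hold a short secret.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Names that suggest a line assigns a credential (hypothetical hint list).
SECRET_HINT = re.compile(r"pass|pwd|secret|token|auth|user|login|key", re.I)


def decode_printable(candidate):
    """Return the decoded text if candidate is Base64 of printable ASCII, else None."""
    if len(candidate) % 4:
        return None
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_secrets(source):
    """Return (line_no, encoded, decoded) for Base64 values on credential-like lines."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if not SECRET_HINT.search(line):
            continue
        for match in B64_RUN.finditer(line):
            decoded = decode_printable(match.group())
            if decoded is not None:
                findings.append((line_no, match.group(), decoded))
    return findings


def _b64(value):
    return base64.b64encode(value.encode()).decode()


# Constructed sample page source; every name and value here is made up.
SAMPLE_SOURCE = f"""\
<script>
  var apiBase = "https://portal.example/api";
  var dbUser = "{_b64('example_service_user')}";
  var dbPassword = "{_b64('Constructed-Password-01')}";
  var sessionKeyId = "a3f9c2d17be04c55";
</script>
"""

if __name__ == "__main__":
    for line_no, encoded, decoded in find_encoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {encoded} decodes to {decoded!r}")
```

The `sessionKeyId` value is valid Base64 but decodes to non-text bytes, so the printable-ASCII filter drops it instead of reporting a false positive.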
3. Accellion Data Breach Affects 17 Organizations
Malicious actors used SQL injection attacks to deploy a web shell on Accellion's FTA system running on the company's servers. The web shell enabled the attackers to steal highly sensitive information and hide their traces from the system logs. Before the attack occurred, Accellion had discovered a zero-day vulnerability in its FTA system and released a series of security patches to address it. However, 17 of Accellion's customers were yet to apply the patch when the cybercrime group FIN11 and ransomware group Clop exploited the vulnerabilities and gained access to confidential data. The affected organizations included HealthNet, the University of California, and the US Department of Health and Human Services.
Best Practices for Preventing Privacy Breaches
As remote working becomes mainstream, technological adoption rates will continue soaring. In turn, attackers will continue targeting vulnerable individuals and organizations to breach their privacy. The following best practices can prevent a privacy breach and help you maintain a robust level of privacy protection.
Data encryption: The need for data encryption cannot be stressed enough. Encrypting data prevents malicious actors from reading it even after they manage to breach your network. In addition, implementing strong encryption schemes protects your privacy by preserving data integrity and confidentiality.
Patching and updating: Had the seventeen entities affected in the Accellion data breach installed the available patches on time, they would have prevented the attacks. Timely installation of security patches and consistent updating of applications and devices can protect against most common privacy breaches.
Robust password security and management: Undoubtedly, compromised passwords provide the easiest way of breaching a user's privacy. Therefore, it is necessary to develop robust password management policies to ensure employees and all users create strong passwords, store them securely, and change them often to reduce the risk of an attack. Also, multi-factor authentication should be enabled across all services to complement passwords and deter unauthorized access.
Cybersecurity education and awareness: Ignorance and user errors cause the highest number of cyber-attacks. For example, a single click on a malicious email attachment can result in large-scale data breaches that can potentially compromise the privacy of millions. That said, it is pertinent for employers to identify and implement appropriate cybersecurity training sessions to ensure their employees understand the nature of current cyber threats and how to prevent them.