Largest third-party data breaches of 2021
With 2021 coming to an end, it is time to look back at what kind of third party data breaches have shaped the information security landscape. In 2021 hackers were on top of their game again to go after people's data and successfully hacked their way into both governmental institutions and private companies. Here are the largest third-party data breaches of this year.
Kaseya
Without any doubt, the Kaseya attack was the most impactful data breach of this year. It is estimated to have affected up to 2000 global organisations. The group REvil has claimed responsibility for the attack.
Kaseya is a software provider for remote computer management with over 2000 organizations among its user base. The attackers exploited vulnerability CVE-2021-30116. It took 9 days before a patch was made available for Kaseya's SaaS customers, and on July 22nd Kaseya acquired a universal decryption key for affected customers. The attack had a very big impact on all customers of Kaseya, as they were unable to work for weeks due to the nature of the tool and the attack.
Yet, it is still very difficult to estimate the real impact of the data breach. Kaseya disclosed that only a dozen customers were directly affected by the breach, but these were all customers that serve other customers, causing a chain of affected organizations. A good example of this is Coop, the second-largest supermarket chain in Sweden, which had to shut down nearly 800 stores across the country after one of its contractors (they didn't name which) was hit by ransomware in the aftermath of the Kaseya security incident on Friday.
Bonobos
Bonobos is a men's clothing retailer that has been subject to a data breach impacting its backups that were hosted online in the cloud. Names and telephone numbers of up to 7 million customers or orders were leaked. 3.5 million customers had the last four digits of their credit card and their password hashes (computed with the SHA-256 and SHA-512 hashing algorithms) leaked.
The data goes back multiple years, as far as 2014. It is unclear why Bonobos kept their backups for such a long time. It was reported that someone had already recovered more than 150,000 passwords that were hashed with SHA-256 without a salt.
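The reason unsalted SHA-256 hashes fall so quickly is that every account with the same password stores the same hash, so one precomputed table lookup recovers all of them at once. The following added example (written for this post, not code from Bonobos or any of the breached parties) contrasts that storage scheme with a salted, iterated hash, and includes the kind of audit a defender can run over a stored-hash dump: counting reused hashes and checking them against a known-weak-password list. The user records and the word list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample records. Two users share a weak password, which is the
# case an unsalted hash exposes most directly.
SAMPLE_USERS = [
    ("alice", "summer2014"),
    ("bob", "summer2014"),
    ("carol", "correct horse battery staple"),
]

# Constructed stand-in for a public list of commonly used passwords.
COMMON_PASSWORDS = ["password", "123456", "summer2014", "qwerty"]

PBKDF2_ITERATIONS = 600_000  # slow by design; one hash costs a noticeable fraction of a second


def unsalted_sha256(password: str) -> str:
    """One fast SHA-256 round, no salt: the scheme reported for the leaked data."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS):
    """Salted, iterated hash. A fresh random 16-byte salt is drawn per record,
    so equal passwords produce unrelated digests. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    _, digest = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def count_reused_hashes(stored_hashes) -> int:
    """Audit helper: how many records share their stored hash with another record.
    With unsalted hashing this equals the number of users on shared passwords;
    with per-record salts it is 0 even when users chose the same password."""
    seen = {}
    for h in stored_hashes:
        seen[h] = seen.get(h, 0) + 1
    return sum(n for n in seen.values() if n > 1)


def audit_unsalted_against_wordlist(records, wordlist):
    """Audit helper for an unsalted dump: return the usernames whose stored
    hash equals the hash of a word in a known-weak-password list. The table is
    built once and reused for every record, which is exactly why unsalted
    storage is weak; the same table is useless against salted records."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return [user for user, h in records if h in table]


def demo():
    unsalted = [(u, unsalted_sha256(p)) for u, p in SAMPLE_USERS]
    salted = [(u, salted_pbkdf2(p)) for u, p in SAMPLE_USERS]
    return {
        "unsalted_reused": count_reused_hashes(h for _, h in unsalted),
        "salted_reused": count_reused_hashes(d for _, (_, d) in salted),
        "weak_accounts": audit_unsalted_against_wordlist(unsalted, COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    print(demo())
```

On the sample data the unsalted audit flags alice and bob (same hash, and present in the word list), while the salted records show no reuse at all; the per-record salt, not the choice of SHA-256 versus SHA-512, is what makes the difference.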
Bonobos has confirmed that the data was genuine, but that it was taken from a cloud service and not from their own network. They found no evidence of unauthorized access to their own network. The hosting provider responsible for the data was informed as soon as they noticed.
Socialarks
High-flying and rapidly growing Chinese social media management company Socialarks has suffered a huge data leak, leading to the exposure of over 400GB of personal data, including data on several high-profile celebrities and social media influencers. This 400GB of data included more than 318 million records in total. Given the size of the leak, it is difficult to estimate the impact of the breach.
Socialarks used an insecure Elasticsearch database that contained personal data of at least 2014 million social media users from around the world, from platforms such as Facebook, Instagram and LinkedIn.
The data was found to be publicly exposed without password protection or encryption. This meant that anyone in possession of the server's IP address could have had access to the database.
It should also be noted that this is not their first data breach. In August 2020, more than 150 million records were exposed in a similar manner.
Israeli Likud Party
In March of this year, the people of Israel voted for their next president. This time, they decided to use the Elector app, which had been found to have leaks before. To their surprise, however, 6.5 million voters had their data exposed via a database linked to the Elector app.
Two days before the election, journalists in Israel were notified by hackers that the data was breached. The message included encrypted links and codes to access two databases, one of which contains the full voter registry, including names and ballot numbers of all 6,528,565 eligible voters. The other includes up-to-date names, addresses, ID numbers, and more details.
A flaw in the app’s web interface gave “admin access” to the entire database, allowing anybody to access and copy the Israeli voter registry, along with additional information gathered by Likud about hundreds of thousands of voters.
The exposed database included the full name, sex, home address, and, in many cases, cellphone number and responses to political polling for 6.5 million Israeli adults.
Morgan Stanley
On July 8th of this year, Morgan Stanley reported a breach after hackers stole personal data belonging to their customers by hacking a third party, Accellion FTA, which hosts servers for them. Encrypted files were stolen together with the encryption key.
Morgan Stanley says that the documents stolen during this incident contained: stock plan participants' names, addresses, dates of birth, social security numbers and company names.
Accellion has said that roughly 300 customers used the 20-year-old legacy FTA software, with less than 100 of them being breached in these attacks. So far, these threat actors have hit energy giant Shell, cybersecurity firm Qualys, the Reserve Bank of New Zealand, Singtel, supermarket giant Kroger, the Office of the Washington State Auditor ("SAO"), the Australian Securities and Investments Commission (ASIC), multiple universities and other organizations.
Takeaways
With organizations leveraging more third parties to provide their services, hackers find more avenues to breach organizations. Managing third parties is, for this reason, becoming more and more important.
Getting control of your suppliers and partners ('processors' in the privacy realm) is crucial these days. At Riskly, we recommend setting up and fine-tuning a third-party management process to manage third parties. This process should be based on the importance of your vendors to your organization. While setting this up, consider the onboarding process and the monitoring of their performance, and make sure you have an adequate off-boarding process.
For some useful recommendations on setting up and optimizing such a process, feel free to read our guide Six recommendations to manage your third parties successfully.