Data Breaches of 2021
By Tanunnut Suebsang
October 29, 2021
Data breaches are nothing new in the online world, and feeling unsafe online is, unfortunately, the norm for most people. A company’s reputation may suffer for a while, but the more important consequence is that people’s personal information is put at risk because of the trust they placed in that company. In the second quarter of 2021 alone, data breaches increased by 38 percent compared to the first quarter. With this in mind, let’s take a look at a few data breaches that happened this past year.
T-Mobile is an American wireless network operator providing wireless voice, messaging and data services with 104.8 million subscribers by the end of 2021’s second quarter.
On August 17, 2021, T-Mobile confirmed that it was investigating a data breach that had compromised the data of millions of users. This began when someone claimed on a dark web forum that they had obtained the data of 100 million T-Mobile users and would be selling it. What makes this breach more dangerous than others is that the data contains sensitive information such as social security numbers (SSNs), unique identifiers, PINs and the like. Additionally, the seller said they had downloaded the data and stored it in multiple places despite being kicked out of the servers. Those who think they have been impacted can access T-Mobile’s updates on the situation here.
CVS Health is an American pharmacy and healthcare company with 9,968 stores in the US, making it the largest pharmacy chain in the country.
Independent cybersecurity specialist Jeremiah Fowler discovered 1 billion CVS Health search records that had been accidentally exposed in late March by a third-party vendor. When Fowler alerted CVS, the database was quickly taken down. The search data came from both CVS.com and CVSHealth.com and primarily contained information about medication and COVID-19 vaccinations that was not linked to specific people. However, the database also contained a number of email addresses, likely entered by people who mistook the search bar for the login form. Because the database was not password protected, those addresses could also have been used for phishing attacks. While CVS announced that the breach did not contain personal information, it is important to note that Fowler did not download the entire database; in the small samples he did examine, he found emails from all major email providers. Given the size of the exposure, this is something to be concerned about.
Facebook is a social networking site that ranks the highest in number of active users as of July 2021 with 2.85 billion monthly active users.
Facebook is controversial. In our previous article on social media data breaches, Facebook was one of the contenders, with breaches affecting nearly 2 billion users from 2018 to 2019. Since the 2019 breach that exposed users’ phone numbers, Facebook has claimed to have patched the issue. However, a Business Insider article published on April 3, 2021 covers another data breach that exposed 533 million users’ phone numbers and personal information. The breach was discovered by cybersecurity specialist Alon Gal, who found the exposed numbers on a hacking forum. While Gal says that from a security standpoint there is not much Facebook can do now that the data is out in the open, Facebook still has the responsibility of notifying users about the breach, which it has not properly done.
The California Department of Motor Vehicles (CA DMV) is a state agency that issues licenses and registers motor vehicles in California and has handled around 84 million transactions.
On February 17, 2021, the CA DMV alerted drivers of a security breach (the notice can be found here) after a billing contractor, Seattle-based Automatic Funds Transfer Services (AFTS), was hit with a ransomware attack in February. The breach is said to have compromised approximately 38 million records, including registration records dating back to at least August 2019. Fortunately, AFTS did not have access to SSNs, birthdates, voter registration, immigration status or driver’s license information. Since then the DMV has stopped sharing data with AFTS, and the Federal Bureau of Investigation (FBI) has been informed.
Microsoft Corporation produces software technology and generated 46.2 billion US dollars in revenue by the second quarter of 2021.
On August 23, 2021, the cybersecurity firm UpGuard revealed that Microsoft PowerApps was behind multiple companies’ data leaks over the preceding months. Because businesses use Microsoft PowerApps to build apps that give both internal and external users access, those apps hold both public and private information. Due to a misconfiguration, data that should have been private could potentially be accessed publicly. Since it was only a possibility, Microsoft closed UpGuard’s vulnerability report and did not take action. UpGuard therefore had to contact 47 individual entities, such as American Airlines, New York City, Maryland’s health department, J.B. Hunt and others, as a precautionary warning. It was eventually revealed that the leaks exposed 38 million records from governmental bodies and private companies, with records containing information such as SSNs, vaccination records, employee IDs, and more. Microsoft has since changed the PowerApps portals so that table permissions are enabled by default.
Staying Safe Online
What to do after a data breach
Companies should follow the Federal Trade Commission’s guidelines on what to do after a data breach. Customers, however, may feel overwhelmed and confused about how to proceed if they believe they are the victim of a data breach. Here are some suggestions to consider:
- Contact the company to confirm the breach and find out what data was compromised. Also check whether the company is offering anything to help repair the damage.
- Change passwords, logins, and security questions immediately, and avoid choosing something similar to or reused from the old ones. Adding extra layers of protection, such as two-factor authentication, is also beneficial.
- If your SSN was compromised, place a fraud alert, which ensures that your identity is verified in case identity theft becomes an issue.
- Turn on transaction alerts to know what you are being charged for.
- Beware of phishing scams: once criminals have your email address or phone number, they may demand money, send cryptic messages or blackmail you. Always reconfirm with a company by calling it directly, and keep in mind that government agencies will never request payment over the phone.
How companies should protect users
In both Best Ways to Prevent Data Loss and Top Four Ways to Protect User Privacy, we go over what companies should consider ahead of time:
- Review guidelines/policies: While this may seem obvious, companies should always be aware of the protocols that government regulations require them to follow. This lets companies understand how best to abide by the law, prioritize their users, and gain valuable insight into user privacy.
- Support and training: Every company should have a strong support system. While this may be costly, the financial repercussions of negligence may be costlier still. Training ensures there are more well-informed employees who can better support both the systems and the customers.
- Minimization and privacy priority: Trust and compliance between companies and users need to go hand in hand. Companies should minimize their data collection to only what is specifically necessary for their services. Access to users’ information should likewise be limited, ensuring that only authorized people can reach sensitive data.
- Transparency: Transparency builds trust, an essential part of building a good reputation for any company. This can range from publishing clear, comprehensive policies to keeping consumers notified of what is going on.
- Single Sign-On (SSO): To protect sensitive information, companies should consider stronger protection methods such as SSO systems that can prevent bots from accessing user information, for example humanID, a one-click anonymous login mechanism that creates an irreversible hash after the user enters their phone number. The hash function produces a random identifier, and the user’s phone number is deleted after verification. This is not only more efficient, since the user does not have to create and remember multiple passwords, but it also makes companies less vulnerable to cyberattacks.
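As an added illustration of the mechanism described above (example code written for this page, not humanID’s own implementation), the block below derives a keyed, one-way identifier from a phone number and stores only that identifier. The keyed HMAC construction, the server-side pepper, the number normalization rule and the in-memory store are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed server-side secret ("pepper"). Keying the hash matters because
# the space of phone numbers is small enough that an unkeyed hash could be
# reversed by enumeration; the key is what makes the identifier one-way.
# In a real deployment it would live in a secrets manager, not in the code.
SERVER_PEPPER = secrets.token_bytes(32)


def normalize_phone(raw: str, default_country_code: str = "1") -> str:
    """Reduce a phone number to digits with a country code so that
    '+1 (555) 010-0199' and '5550100199' map to the same identifier.
    Assumed rule: a bare 10-digit number gets the default country code."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits
    if len(digits) == 10:
        return default_country_code + digits
    return digits


def derive_identifier(phone: str, pepper: bytes = SERVER_PEPPER) -> str:
    """Keyed one-way identifier: HMAC-SHA256 over the normalized number."""
    normalized = normalize_phone(phone).encode()
    return hmac.new(pepper, normalized, hashlib.sha256).hexdigest()


class AnonymousLogin:
    """Keeps only derived identifiers; the raw phone number is never stored."""

    def __init__(self) -> None:
        self.known_ids = set()

    def verify_and_register(self, phone: str) -> str:
        # A real flow would confirm possession of the number (e.g. an OTP)
        # before this point; that step is simulated here as already passed.
        identifier = derive_identifier(phone)
        self.known_ids.add(identifier)
        return identifier  # the caller receives the identifier, not the number

    def is_registered(self, phone: str) -> bool:
        # Re-deriving the identifier is the only way to check a number.
        return derive_identifier(phone) in self.known_ids
```

The same number written in different formats yields the same identifier, while a different pepper yields an unrelated one, so a leaked identifier store cannot be mapped back to phone numbers without the key.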