Worst Worldwide Data Breaches of 2021

6 mins to read

One thing unifying the modern day world is the common experience of falling victim to cyberattacks. Institutions, businesses and governments worldwide face the increasing problem of successful data breaches. A data breach can happen to any organization anywhere. An attack is not the only way to experience a breach, oftentimes an organization’s own negligence or ineffective security policies are to blame for precious information finding its way toward external hands.

To put things in perspective, Gartner states that by 2025 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data. With such a staggering prediction, it is clear there is a lot to learn from previous mistakes. That’s why we’re collecting the top worldwide data breaches of 2021 in hopes of finding trends and raising awareness in the community.

To keep a tab on a complete list of organizations impacted by cloud data breaches, check out our Breach Watch. There you’ll find a complete list of organizations impacted by cloud data breaches this year, but for anyone who needs a refresher on how things have gone, here is a small list of 2021 data breaches affecting countries worldwide.

List of Worldwide Data Breaches

Organization: Facebook

Date: 4/9/21

Number affected: 553,000,000 accounts

Country: United States

What happened?  Security researcher Alon Gal discovered a leaked database belonging to Facebook, containing 533 million accounts.

Organization: Cognyte

Date: 6/20/21

Number affected: 5,085,132,102 records

Country: United States

What happened? Stored on an Elasticsearch cluster, the database was exposed for four days and contained 5,085,132,102 records. 

Organization: Bykea

Date: 1/28/2021

Number affected: 400,000,000

Country: Pakistan

What happened? An Elastic server publicly exposed all its production server information without password protection or encryption and allowed access to more than 200GB of data containing more than 400 million records. 

Organization: Brazilian Database 

Date: 2/3/21

Number affected: 223,000,000

Country: Brazil

What happened? The largest personal data breach in Brazilian history was discovered with databases including names, unique tax identifiers, facial images, addresses, phone numbers, email, credit score, salary and more.

Organization: Bitmart

Date reported: 12/10/21

Number affected: $200,000,000

Country: Cayman Islands

What happened? The incident was a ‘large-scale security breach‘. Stealing a single private key is all it took for cybercriminals to haul away a whopping USD 200 million worth of cryptocurrencies.

Organization: Raychat

Date reported: 5/3/21

Number affected: 150,000,000 records

Country: Iran

What happened? Iran business and social messaging applications suffered a large data breach. The company stored its user data on a misconfigured MongoDB database.

Organization: SocialArks

Due Date: 2/5/21

Number affected: 214,000,000

Country: United Kingdom

What happened? Server contained scrapped profiles of more than 214 million social media users, obtained from Facebook, Instagram and LinkedIn. The misconfigured database had more than 408GB of data and more than 318 million records.

Organization: Stripchat

Date reported:12/16/21

Number affected: 200,000,000 million

Country: United States

What happened? An Elasticsearch database containing 200 million records including 65 million user records was misconfigured.

Organization: Android

Date reported: 5/1/21

Number affected: 100,000,000 individuals

Country: United States

What happened? More than 100 million Android users were exposed due to several misconfigurations of cloud services.

Organization: Thailand Visitors

Date reported: 9/20/21

Number affected: 106,000,000 individuals

Country: Thailand

What happened? An unsecured database, which contained the personal information of millions of Thailand visitors, was in an unprotected Elasticsearch database dated back ten years and contained the personal information of more than 106 million international travelers.

Organization: Twitch

Date reported: 10/6/2021

Number of records: 128GB

Country: United States

What happened? Twitch exposed data to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.

Organization: Reserve Bank of New Zealand

Date reported: 1/10/21

Number of individuals affected: 3,000,000 individuals

Country: New Zealand

What happened? The Reserve Bank of New Zealand suffered a data breach after actors illegally accessed its information through one of the bank’s third-party file-sharing services.

Organization: SeniorAdvisor

Date reported: 8/6/21

Number of individuals affected: 3,000,000 individuals

Country: United States

What happened? A misconfigured Amazon S3 bucket exposed details of over 3 million senior citizens including individuals’ names, numbers, and email addresses.

Organization: Morgan Stanley

Date reported: 7/8/21

Number of individuals affected: 3,000,000 individuals

Country: United States

What happened? Personal data of some of its corporate clients was stolen in January in a data breach that involved a third-party vendor and bad actors accessed information, including social security numbers.

Organization: Neiman Marcus Group
Date reported: 9/9/21

Number affected: 4,350,000 customers

Country: United States

What happened? Neiman Marcus Group learned that unauthorized persons accessed the personal information of 4.35 million customers after an attack. According to the department store, approximately 3.1 million payment and virtual gift cards were affected, more than 85 percent of which are expired or invalid.

Organization: 20/20 Eye Care Network, Inc.

Date reported: 5/24/2021

Number of individuals affected: 3,253,822

Country: United States

What happened? The eye care network 20/20, which provides eye and ear care services and administration, discovered suspicious activity in its Amazon Web Services environment. After an investigation, it determined that data had been potentially removed, possibly including personal information. Later 20/20 faced a lawsuit over the breach.

Organization: Forefront Dermatology

Date reported: 7/8/2021

Number of individuals affected: 2,413,553

Country: United States

What happened? The Wisconsin-based organization, which has locations in 21 states and the District of Columbia, reported that an intrusion resulted in unauthorized access to certain files on Forefront’s IT system containing patient and employee information. 

Organization: PeopleGIS

Date reported: 7/22/21

Number of individuals affected: 1,000GB with more than 1,600,000 files

Country: United States

What happened? Mapsonline.net, provided by an American company named PeopleGIS stored data of US municipalities in several misconfigured Amazon S3 buckets.

Organization: NEC Networks, LLC

Date reported: 5/5/2021

Number of individuals affected: 1,656,569

Country: United States

What happened? NEC, which does business as CaptureRx, said it became aware of “unusual activity” involving some electronic files. An investigation determined that the relevant files contained the first name, last name, date of birth, and prescription information.  

Organization: Eskenazi Health

Date reported: 10/01/2021

Number of individuals affected: 1,515,918

Country: United States

What happened? The Indiana-based health system said cybercriminals had gained access to their network for nearly three months. Eskenazi Health did not make a ransom payment, and the criminals released some of the stolen data on the dark web.  

Organization: The Kroger Co.

Date reported: 2/19/2021

Number of individuals affected: 1,474,284

Country: United States

What happened? The Midwest grocery chain was affected by a data security incident affecting Accellion, a file-sharing company. Clinic customer information was found to be at risk, including pharmacy records.  

Organization: St. Joseph’s/Candler Health System, Inc.

Date reported: 8/10/2021

Number of individuals affected: 1,400,000

Country: United States

What happened? The ransomware incident took the Georgia health system offline for multiple days. The unauthorized party had been able to access the network for six months.   

Organization: Robinhood

Date Reported: 11/1/2021

Number affected: Millions of users

Country: United States

What happened? The trading platform said an “unauthorized third party” managed to get their hands on PII of five million people or more.

Organization: Ghana National Service Secretariate

Date reported: 12/22/21

Number of individuals affected: 700,000 individuals

Country: Ghana

What happened? Ghana’s National Service Secretariate – NSS – exposed 55GB worth of citizens’ data when an AWS S3 bucket used by the Secretariate suffered misconfiguration.

Organization: Premier Diagnostics

Date reported: 1/25/21

Number of individuals affected: 50,000 patients

Country: United States

What happened? Premier Diagnostics Utah COVID-19 testing service exposed thousands of ID scans, including driver’s licenses, medical insurance cards, passports, and other IDs, on the web without a password or any other authentication required to access it.

Organization: Cosmology Kozmetik

Date reported: 6/17/2021

Number of individuals affected: 20GB with 567,000 unique individuals

Country: Turkey

What happened? Famous Turkish beauty brand, Cosmolog Kozmetik, suffered a leak in its Amazon S3 bucket. Thousands of Excel spreadsheets of unique individuals who made purchases from the supplier across numerous e-commerce platforms. 

Organization: Sega

Date reported: 12/16/21

Number of individuals affected: 250,000 customers

Country: Europe

What happened?  A misconfigured Amazon Web Services S3 bucket contained sensitive information which allowed researchers to arbitrarily upload files to a huge swath of Sega-owned domains, as well credentials to abuse a 250,000-user email list.

Organization: Sennheiser

Date reported: 12/16/21

Number of individuals affected: 28,000 customers

Country: Germany

What happened?  The AWS S3 bucket had not been used since 2018, but over 28,000 Sennheiser customers had their data leaked. 

Organization: Reindeer

Date reported: 8/3/21

Number of individuals affected: 32 GB

Country: United States

What happened?  Reindeer, which was out of business, left its Amazon S3 bucket open to the public, leading to the catastrophic leak of 50,000 files totaling 32 GB. The leak impacted 306,000 people.

Organization: American Express

Date reported: 1/5/21

Number of individuals affected: 10,000 individuals

Country: Mexico

What happened? A hacker posted data of 10,000 Mexico-based American Express card users on a forum for free. The information included full credit card numbers and personal information such as emails and addresses but did not contain passwords or expiration dates. In the forum post, the hacker also claimed to have more data information from Mexican bank customers of Santander, American Express, and Banamex.

Again, to keep a tab on a more thorough list of organizations impacted by cloud data breaches worldwide, check out our Breach Watch. Interested in how Sonrai Security is striving to better protect organizations from troublesome breaches? Explore our solutions today.