2021 Data Breaches in Review

  Want More?

Looking for more?

Watch our on-demand 2021 Data Breaches in Review webinar recap or schedule time to learn how Arctic Wolf can help keep your company off the list.


More Details

The Arctic Wolf annual recap of the most noteworthy, high-profile, and damaging data cybercrimes of the year.

2021’s Biggest Cyber Attacks

Last year was another record-breaking one for data breaches, with reports of massive hacks and huge ransomware demands dominating headlines. It’s a trend that does not seem to be slowing any time soon, either. Currently, there are thousands of vendors in the market, with over $130 billion spent annually on defense and yet, the number of breaches continues to rise.


Join us as we dive into the top 20 cyberattacks around the world from 2021.

Clear filters
No Results


KaseyaJuly 2021


  • ORIGIN: Originated in US; spanned over 5 continents
  • IMPACT: 1,500 Businesses
  • INDUSTRY: Technology
  • TYPE: Third-party software exploit

Coming in at number one on our list is the Fourth of July-weekend attack on Florida-based software provider Kaseya. The infamous REvil collective hit them with a ransomware attack, demanding $70 million in bitcoin.


This attack takes the top spot due to its impact on businesses across five continents—including shutting down public schools in New Zealand, closing a major grocery chain in Sweden, and disrupting operations for hundreds of businesses across the U.S.

Although Kaseya has said the attack impacted only 1% of its client base, those clients are largely managed service providers (MSPs), which means their clients were impacted in turn. That made for a vicious ripple effect, as up to 1,500 small- to mid-sized businesses found their operations offline in the middle of a holiday weekend, taxing tech support teams to their limit.


The attack’s timing may have magnified the problem considerably, since the threat actors targeted a management tool called a VSA Server. Kaseya contacted clients promptly and advised them to shut off their VSAs, but with many IT support staffers difficult to reach on a day off, the problem spread more widely than it otherwise might have. Kaseya has since patched the vulnerability that led to the breach. 


Microsoft ExchangeMarch 2021


  • ORIGIN: Originated in China; damage was global
  • IMPACT: 30,000 Organizations
  • INDUSTRY: Technology
  • TYPE: Remote access hijack, ransomware
Number two on our list is the wide-ranging breach of the Microsoft Exchange Server vulnerabilities. Ironically, the attack may have escalated by Microsoft attempting to prevent exactly this kind of cybercrime. On March 2, the company issued patches to address four known security gaps. Security observers say this kicked off a massive wave of activity for Hafnium as the hackers scrambled to attack as many still-unprotected systems as possible.

Hackers accessed emails of more than 30,000 organizations across the United States. Apparently launched by an elite Chinese hacking collective known as “Hafnium,” this attack compromised email communications for small businesses and municipalities across the U.S. and around the world. Worse yet, infected devices were seeded with password-protected tools that allow the hackers complete remote access to those systems.


The ultimate fallout of the Hafnium attack is uncertain, but a hack of this breadth and scale is likely to be felt for years to come. The backdoors installed by the attackers could be used to steal valuable data or install ransomware, and many affected organizations likely don’t even know they have been hacked.


SolarWindsDecember 2020, January 2021


  • IMPACT: 18,000 Clients
  • INDUSTRY: Government
  • TYPE: Malware
Before you come after us, yes, we’ll acknowledge the SolarWinds attacks started in December 2020, but the damage has been ongoing into January and 2021.

Russian cyberattacks on U.S. governmental institutions have been on the rise and one of the most catastrophic data breaches during all of 2020, foreign intelligence operatives took advantage of a compromised SolarWinds program and invaded an estimated 18,000 private and government-affiliated networks. These data breaches granted attackers access to an abundance of identifiable information, including financial information, source code, passwords, and usernames.


Federal workers in the Cybersecurity Infrastructure and Security Agency (CISA) department had to work endlessly to restore security and defeat this “grave risk.” Officials warned that if they could not get the matter under control —in part, by updating their systems with Orion’s 2020.2.1HF2 —by the year’s end, they may be forced to take the systems offline entirely. Additional vulnerabilities and supporting patches were released in February 2021.


Log4jDecember 2021


  • ORIGIN: Global
  • IMPACT: 35,000 Java packages
  • INDUSTRY: Software Technology
  • TYPE: Software Vulnerability Exploit Vulnerability, allowing unauthenticated remote code execution
2021 closed out with the revelation of a zero-day threat that created massive waves in the cybersecurity industry.

On Thursday, December 9, security researchers published a proof-of-concept critical exploit for a remote code execution vulnerability in Log4j, a Java logging library used in a significant number of internet applications.

In the weeks following, businesses worldwide worked frantically to identify and mitigate the impact of the exploit, while security pros and experts released patches and scanning tools, and guided organizations on how to best protect themselves from attack.


While security researchers and experts continue to unpack the total impact of this threat, attackers are rapidly crafting new obfuscation tactics, making it difficult to nail down indicators and signatures as these new attack tactics are created just as quickly.


JBSMay 2021


  • ORIGIN: Originated in US; some plant closures in CAN & Australia.
  • IMPACT: $11,000,000 in Ransomware
  • INDUSTRY: Technology
  • TYPE: Remote access hijack, ransomware

May was an intense month for cybersecurity attacks. And while much of the spotlight was on the Colonial Pipeline attack (see #6), the late May attack on JBS was arguably even bigger.


Reportedly engineered by Russia’s REvil hacker collective, the ransomware attack on JBS servers halted meatpacking operations at multiple plants for upwards of five days. This disrupted meat production and distribution across the country and deprived many non-union employees of several days’ wages.

It has not yet been disclosed how the hackers gained access to the JBS system, but in a statement JBS indicated that, while it was able to get most of its systems operational without REvil’s help, it chose to pay $11 million in ransomware to keep the files safe.


Colonial PipelineMay 2021


  • ORIGIN: Originated in US with East coast feeling the most significant impacts.
  • IMPACT: $4,400,000 Ransomware
  • INDUSTRY: Energy Infrastructure
  • TYPE: Remote access hijack, ransomware

The hack that made “ransomware” a household word. In early May, a suspected Russian hacking group took Colonial Pipeline offline for more than three days.


As Colonial provides 45% of the East Coast’s supply of gasoline, diesel fuel, and jet fuel, this was a major blow. Gas prices spiked across the country, some gas stations ran out of fuel, over-the-road deliveries were delayed, and there were even reports of gasoline hoarding.

Many of the details are still under wraps, but it appears that it was facilitated via a malicious email or a third-party application. Russia’s DarkSide collective was quick to take credit for the attack and reportedly received around $5 million in ransom (part of which was later recovered), although there was some initial dispute about the amount—or whether Colonial paid at all.


In the wake of the attack, Congress moved quickly to pass new cybersecurity standards for pipelines, but the damage has already been done.


SocialArksJanuary 2021


  • ORIGIN: Originated in China; damage was global
  • IMPACT: 214,000,000 people
  • INDUSTRY: Social Media Marketing
  • TYPE: Data Breach

In early January, hackers breached the defenses of SocialArks—a Chinese data-management startup with shockingly lax security policies—and exposed the personal information of around 214 million social media users, many of whom had no idea the company even existed.


SocialArks initially scraped the contact information from leading social sites such as Facebook, LinkedIn, and Instagram, and did little to protect it.

Their Elasticsearch database was reportedly left almost completely unprotected, without encryption or even password protection. Even more disturbing, this is the second time that SocialArks has suffered a leak of this kind, suggesting that the company is not especially quick to learn its lesson. Among the more than 400GB of stolen data is contact information that is not usually exposed in a public profile, including the personally identifiable information of several celebrities and prominent online personalities.


T-MobileAugust 2021


  • ORIGIN: Originated in and impacted US
  • IMPACT: 50,000,000 People
  • INDUSTRY: Telecommunications
  • TYPE: Data Breach via router exploit
August saw the fourth known breach at T-Mobile since 2018, and by far the largest. More than 50 million current, former, and even prospective T-Mobile customers had their personal information—including names, birthdates, social security numbers, and ID numbers—pilfered, with about 850,000 others also having their PINs and phone numbers exposed.
A month later, 21-year-old hacker John Binns took credit for the attack. Binns, an American expat currently living in Turkey, claims he was able to breach T-Mobile’s system via an unprotected router and a flaw in the company’s internet addresses.


RobinhoodNovember 2021


  • ORIGIN: Originated in and impacted US
  • IMPACT: 5,000,000 People
  • INDUSTRY: Financial Technology
  • TYPE: Vishing Attack

Robinhood, the online investment platform where regular people can more easily navigate the stock market, had a rough year. From the Gamestop fiasco to a lackluster market debut, they closed out 2021 with a data breach facilitated by a bad actor posing as a customer service rep who conned their way into accessing the company’s customer support system.


Known as a vishing (phone or voice message) attack, this gave the hacker access to a database of email addresses, names, and phone numbers for millions of Robinhood customers.

Robinhood issued a statement within a week of the breach and has continued to update users about potential data exposures. While the company does not believe the thieves were able to obtain banking information or social security numbers, the risk remains high that the stolen materials may be used for future misdeeds such as targeted phishing attacks.


Town of Peterborough, New HampshireAugust 2021


  • ORIGIN: Originated in and impacted US
  • IMPACT: $2,300,000 Stolen
  • INDUSTRY: Municipal Government
  • TYPE: Business Email Compromise

In August, the small town of Peterborough, New Hampshire suffered an unexpected and devastating financial downturn as it was exploited in an email scam.


By the time the spoofing was exposed, $2.3 million of taxpayer money was in the pockets of cybercriminals.

By the time the spoofing was exposed, $2.3 million of taxpayer money was in the pockets of cybercriminals. The commissioner of the state’s Department of Information Technology expressed little surprise concerning the theft. Dennis Goulet told the Concord Monitor, “Ransomware is getting all the news, but there is still the risk of business email compromise—BEC—which is really focusing around this type of activity.”


GoDaddyNovember 2021


  • ORIGIN: Originated in US; damage was global.
  • IMPACT: 1,200,000 People
  • INDUSTRY: Communications and Technology
  • TYPE: Data breach via stolen password

The trouble with being the biggest in your industry is that you’re also the biggest target. That’s a lesson GoDaddy—the leading domain registrar in the world—has had to learn several times over.


In the fifth major attack against GoDaddy in the past three years, hackers used a stolen password to access the emails and customer data of more than 1.2 million users, as well as file transfer credentials and SSL keys used for website authentication.

Even more concerning, further exploration showed that GoDaddy’s Managed WordPress branch was also affected, endangering customers using third-party website management tools.


GoDaddy was quick to address the breach, resetting passwords and private keys, and issuing new SSL certificates to affected customers. Meanwhile, more than a million website owners found themselves at greater risk of phishing attacks and other varieties of cybercrime. It’s a frustrating situation all around—both for a company who keeps having to deal with these kinds of attacks, and the customers who keep paying the consequences.


ParkMobileApril 2021


  • ORIGIN: Originated in and impacted US.
  • IMPACT: 21,000,000 People
  • INDUSTRY: Small Businesses, municipalities, public services
  • TYPE: Third-party software exploit

American cities experienced a whole new level of street parking misery in April, as a breach of third-party software company ParkMobile exposed personal information stored on more than a dozen cities’ parking apps to unknown hackers.


While the cities have assured residents that their credit card and payment information remain secure, the attack is thought to have exposed data including phone numbers, email addresses, and license plate numbers.

What’s more, after the cyber thieves failed to find a buyer for that data, they apparently posted it online for free, exposing all impacted records to any other bad actor who wants them.


Although the damage is not as severe as it could have been if financial data had been compromised, parking app users in New York City, Houston, Philadelphia, Minneapolis, Milwaukee, and a number of other urban centers were advised to change their passwords as a security precaution.


20/20 Eye CareJune 2021


  • ORIGIN: Originated in and impacted US
  • IMPACT: 3,300,000 People
  • INDUSTRY: Healthcare
  • TYPE: Amazon Web Services Breach
The 20/20 Eye Care and Hearing Network provides hearing and vision services for employee health plans. So, when they suffered a breach of Amazon Web Services, it led to a staggering violation of its confidential healthcare records. Hackers broke into the AWS buckets of this Florida-based company in a breach that potentially impacted over 3.2 million health plan members.

Even more troubling than the size of the breach was its apparent maliciousness. Not only did the unknown hackers access confidential patient information—including names, Social Security numbers, and insurance data—they also deleted much of that material from 20/20 Network’s AWS S3 cloud buckets.


The company is being sued by at least one former patient who maintains that the company took insufficient measures to protect their personally identifiable information. The complaint also contends that company officials were aware of the breach in mid-February but did not inform affected patients until May 28.


Insight GlobalApril 2021


  • ORIGIN: Originated in and impacted US
  • IMPACT: 72,000 People
  • INDUSTRY: Public Health
  • TYPE: None known, but strong vulnerability

In a late April incident, a third-party vendor put the personal information of thousands of Pennsylvania residents at risk while attempting to improve public safety.


The Pennsylvania Department of Health tapped Insight Global, a Georgia-based IT services contractor, to assist with COVID-19 contact tracing efforts, a standard arrangement for state health departments that lack resources to handle all COVID activities unassisted.

The trouble began when a group of Insight Global employees took it upon themselves to expedite their work by setting up Google accounts to more quickly share their findings internally. That action went against all protocols for both Insight Global and the Pennsylvania Department of Health, as the Google accounts were not secure and thus easily vulnerable to attacks.


While it appears that Insight’s administrators were able to shut down the exchange before any data was stolen, a health department spokesperson acknowledged that the error put at risk the private information of around 72,000 Pennsylvanians, including “phone numbers, emails, genders, ages, sexual orientations, and COVID-19 diagnoses and exposure status.”


KrogerJanuary 2021


  • ORIGIN: Originated in and impacted US
  • IMPACT: 2,000 Locations
  • INDUSTRY: Retail
  • TYPE: Third-party FTA exploit

A late January attack on the national grocery chain Kroger saw hackers make off with potentially sensitive data from pharmacy and clinic customers, as well as that of current and former employees.


The attack, which was made public in early February, exploited an Accellion File Transfer Appliance (FTA) that was nearing its end of lifespan. In late 2020, Accellion advised users to upgrade to a newer technology, but Kroger had yet to do so.

The stolen data included personally identifiable information such as social security numbers, medical histories, and insurance information, as well as some Kroger personnel files. The silver lining is the hack may have only impacted customers using the chain’s Health and Money Services program, which is less than one percent of Kroger’s total customer base. Even so, for a chain with 2,200 pharmacies operating nationwide, that is a significant number of customers.


This is just the latest fallout from a large-scale December exploit of Accellion’s outdated FTA tool, which has also impacted the Washington State auditor’s office, the prestigious Jones Day law firm, the Reserve Bank of New Zealand, Australia’s financial regulation office, and the University of Colorado.


Electronic ArtsJune 2021


  • ORIGIN: Originated in and impacted US
  • IMPACT: 780 GB Source Code
  • INDUSTRY: Video Gaming
  • TYPE: Unknown data breach

Electronic Arts—one of the biggest names in video games—suffered a major breach that left the company scrambling to safeguard its intellectual property.


The stolen data included source code for the company’s Frostbite engine, which powers flagship franchises such as Battlefield and Star Wars; source code for the 2021 installment of the hugely popular FIFA series; API keys for FIFA 22 and several other keys and debug tools.

It didn’t take long for the thieves to put that material up for sale on an underground hacking forum, offering about 780 GB of EA tools and data to the highest bidder. While the direct impact on EA’s business will probably be minimal, the theft sets a concerning precedent, especially since cybercriminals could use the stolen materials in future exploits of EA games and systems. One security expert has even raised the idea that the breached tools and resources could be valuable for unscrupulous competitors looking to cut into EA’s business.


Sinclair Broadcast GroupOctober 2021


  • ORIGIN: Originated in and impacted US
  • IMPACT: 185 Local TV Stations
  • INDUSTRY: Telecommunications
  • TYPE: Ransomware

In October, media giant Sinclair Broadcast Group found themselves the victim of a ransomware attack that bore the fingerprints of a well-known Russian cybercrime collective.


Sinclair, which owns or operates 185 local TV stations across 86 U.S. markets, reported that internal functions like email, phone systems, and data networks had to be shut down following the breach.

The full impact was even more severe: it took much of the company’s programming offline, including broadcasts of some of its 21 regional sports networks.


The use of Macaw ransomware used in the attack points to the infamous Russian collective known as Evil Corp. That gang and its WastedLocker malware earned a sanction from the U.S. State Department in 2019, and some security experts believe that the Sinclair breach is Evil Corp’s attempt at getting around the sanctions by effectively re-branding—Macaw appears to be a new variant of WastedLocker, and made its public debut with the Sinclair attack.


TwitchOctober 2021


  • ORIGIN: Originated in US
  • IMPACT: 125 GB of Data
  • INDUSTRY: Technology and Entertainment
  • TYPE: Amazon Web Services server exploit

Amazon’s massively popular Twitch streaming platform suffered a major data breach in early October, as a threat actor took advantage of information exposed during a server configuration change.


While Twitch was quick to reassure users that no personally identifiable information was had been compromised, the 125GB of stolen data included elements of Twitch’s source code and, more embarrassingly, data on the incomes of the streaming platform’s leading game streamers.

Those materials quickly turned up on the notorious 4chan forum, where streamers’ earnings—some in the seven-figure range—quickly became a hot topic among posters.


The unidentified hacker was reportedly motivated not by money, but by a mission to create “disruption” and expose the Twitch community as what they deemed “a disgusting toxic cesspool.” Regardless of the actual information exposed, the fallout for Twitch was swift and damaging.


Reports emerged that the company had ignored several past security threats in the interest of profits while online debates erupted about perceived disparities in the platform’s payment structure.


In the end, Twitch reset all its stream keys as a precaution despite repeated assurances that users’ personal data had not been compromised.


Howard UniversitySeptember 2021


  • ORIGIN: Originated in US
  • IMPACT: 1 Day of Classes
  • INDUSTRY: Higher education
  • TYPE: Ransomware

U.S. holidays have emerged in recent years as prime time for cyber attacks (see our pick for #1). This year’s Labor Day weekend was yet another case in point, when Howard University in Washington, D.C.—the nation’s oldest Historically Black University—fell victim to a ransomware attack.


The disruption shut down both in-person and online classes for several days while Howard struggled to restore access to its Wi-Fi network.

When the school eventually reopened, it did so only gradually, with the school issuing detailed instructions to students on how to access email and wi-fi while also protecting personal and encrypted data.


There were rumors that the breach originated with the school’s email system. However, the perpetrator of the attack, the terms of the ransom, and whether Howard University paid the ransom remain unclear.


MediaMarktNovember 2021


  • ORIGIN: Originated in Germany; impacted stores across Netherlands, Belgium and Germany
  • IMPACT: $50 million in Bitcoins
  • INDUSTRY: Electronics Retailer
  • TYPE: Ransomware

Europe’s largest consumer electronics retailer, MediaMarkt, boasts over 1,000 stores in 13 countries. In November, the Hive group struck with a ransomware attack that encrypted MediaMarkt’s servers.


The attack caused their IT systems to shut down and store operations to be disrupted in both the Netherlands and Germany.

While the reported initial demand of $240 million was later reduced to $50 million in bitcoin according to retail news site RetailDetail, that will be cold comfort for the company as—according to Yahoo Finance—Hive’s ransomware method involves also deleting backups to prevent the target from being able to recover their data.

2021 was another record-breaking year for cyberattacks.

If tools alone were enough to solve the problem, they would have by now.

This is an operational problem that needs to be solved, and that’s what Arctic Wolf delivers. Learn more about our unique approach to cybersecurity and why Arctic Wolf has emerged as a leader in the industry.