Here are the biggest data breaches as Meta and Apple fall victim to hackers again
Data breaches are becoming more frequent as people knowingly and unknowingly give away their personal data. Even the biggest companies are not immune to data breaches, as the recent breach of Meta and Apple showed.
Apple Inc. and Meta Platforms Inc., formerly Facebook, were misled to think law enforcement officials were asking for customer data. Instead, they were hackers pretending to represent law enforcement, according to three insiders cited by Bloomberg in an article, published on March 30.
Meta and Apple provided customers’ phone numbers and physical and IP addresses last year in response to the forged “emergency data requests.” Usually, an entity must present a subpoena or search warrant when making such a request.
Researchers believe some of the hackers might be minors living in the U.S. and the U.K. One of them is thought to be behind Lapsus$, a cybercrime organization that hacked corporations like Samsung, Microsoft and Nvidia.
Meta spokesman Andy Stone commented on the event:
We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.
How was the data used?
The information obtained was used to facilitate financial fraud schemes and perpetrate harassment campaigns. The hackers could use the victim’s data to bypass account security.
The companies were duped by the seeming legitimacy of the forged requests. In some cases, they contained the signatures of real or fictional law enforcement staff. It’s possible that the criminals used genuine requests and doctored them after breaching law enforcement email systems.
Cybersecurity expert and CRO of Unit 221B Allison Nixon weighed in on the matter:
In every instance where these companies messed up, at the core of it there was a person trying to do the right thing. I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.
5 biggest data breaches in 2021
The victims of the five biggest breaches last year were Microsoft, Facebook (again), Colonial Pipeline, JBS, and Kaseya.
1. Chinese group hacked Microsoft
Hafnium, a Chinese cybercrime group, attacked Microsoft in March last year. This impacted tens of thousands of organizations across the U.S. The criminals exploited vulnerabilities on Microsoft Exchange combined with stolen passwords, gaining full administrative rights. Then, they used the details to log in and install malware that created command-and-control functions for their benefit.
2. 533M Facebook users’ data exposed
In a data breach in April, hackers gained access to more than 533 million Facebook users’ personal information, such as name, city, date of birth, and posts. A white hat security organization detected the vulnerability, which had gone unnoticed since 2019.
3. Ransomware attack on Colonial Pipeline
U.S.-based gas supplier Colonial Pipeline suffered a breach through a VPN account. A single compromised password was all it took as the company didn’t use multi-factor authentication. The attacker accessed the network on April 29. The company suspended fuel flow, resulting in fuel shortages nationwide.
The criminals demanded a ransom of $5 million in Bitcoin, threatening further attacks.
4. Ransomware attack on JBS
JBS, the third-biggest meat processor worldwide, fell victim to ransomware after malware entered a server through a phishing email. There were Trojan viruses in the emails. After staff mistakenly opened them, they latched onto weaknesses within the IT system. The attackers gained full access. Hundreds of meat processing plants across four continents were down as a result. The company paid a ransom of $11 million to remedy things.
5. Ransomware attack on Kaseya
In July last year, IT company Kaseya’s network was accessed by unknown assailants, who sent several managed service providers (MSPs) files with encrypted ransomware. It affected different systems, which employees could not use after the attack.
When an MSP is compromised, the criminal can access any of the company’s clients. Both on-premise and cloud-based customers were impacted in this case. Fortunately, less than 0.1% of the company’s clients were affected, but they still numbered around 1,500.
Industries hit hardest by data breaches
In 2021 global average cost of a data breach was 4.24 million U.S. dollars. The healthcare sector suffered the greatest breach at 9.23 million U.S. dollars.
Concerns about data control by country
According to a 2021 survey, 66% of respondents felt that tech companies hold too much control over their personal data. The highest levels of concern came from consumers based in Spain, the United Kingdom and the United States.
According to a poll by Amnesty International, consumers from Brazil, Denmark, Egypt, France, Germany, India, Norway, South Africa, and the U.S. felt the most concerned about tech companies using their data.
The poll also showed that, on average, 73% of people in these countries wanted their governments to take more serious measures to regulate tech company activity. More than seven of ten people expressed concern about how tech companies collected and used their information.