Featuring the Most Expensive and Disruptive Cybersecurity Attacks This Year
Cybercriminals have become so bold — and so skilled — that not even well-funded household names are safe from attack. IBM’s Cost of a Data Breach Report puts a $4.24 million price tag on the average data breach in 2021 worldwide, up from $3.86 million in 2020. A mega breach — a loss of one million records or more — can cost up to $400 million.
Even a compromised business email — the most common attack vector — can wring your company’s wallet dry, costing an average of $5.01 million. When compliance failures lead to a breach, it hurts even more, at an average cost of $5.65 million. Though companies don’t typically share the financial tolls of their cybersecurity woes, they can be estimated based on IBM’s report. And that doesn’t include the long-term impact of reputational damage.
Below, our round-up of the nine most expensive and disruptive cybersecurity fails in 2021. Take notes — and learn from them.
1. Kroger: 1.47 million records breached. Cost: $5 million.
Though Kroger stated that fewer than 1% of its customers were affected when hackers breached their third-party cloud provider Accellion, that’s still over a million customers’ sensitive information, including names, home addresses, and pharmacy records. The company agreed to pay $5 million to resolve related claims. Wonder how many customers switched pharmacies based on that news?
2. Colonial Pipeline: Business network held hostage by ransomware. Cost: $2.7 million.
A hacking group gained access to Colonial’s network with a single compromised password and stole 100 gigabytes of sensitive data, which they threatened to release on the internet. Considering that his company transports roughly 100 million gallons of fuel a day, Colonial Pipeline CEO Joseph Blount made a ransom payment of 75 Bitcoin (about $5 million) in order to restore operations as quickly as possible. Although the Justice Department was able to recover $2.3 million, it didn’t undo the chaos and hardship put on gas stations, airports, and countless citizens during the fuel shortage.
3. Volkswagen and Audi: 3.3 million records breached. Estimated cost: $6.9 million.
Early in 2021, five years’ worth of data regarding sales and inquiries, including Social Security numbers, tax IDs, loan numbers, and driver’s license numbers of Volkswagen and Audi customers in the U.S. and Canada were stolen via a marketing services company.
4. Bonobos: 7 million records breached. Estimated cost: $14.6 million.
Bonobos, the popular men’s retailer bought by Walmart in 2017 for $300 million, was the target of a substantial data breach — at the hands of a black-hat hacker group by the name of ShinyHunters. The hackers made off with PII of 7 million Bonobos customers, including 3.5 million partial credit card numbers, and shared it on a hacker forum. The 70 gigabytes of data had been stored in a backup file hosted in an external cloud environment.
5. SocialArks: 214 million records breached. Estimated cost: $1.5 billion.
A data-management firm based in China suffered a massive breach exposing 408 gigabytes’ worth of PII from social media users around the world. SocialArks’s cybersecurity team determined that the information had been scraped from user profiles on Instagram, LinkedIn, and Facebook.
6. JBS Foods: Operations halted by ransomware. Cost: $11 million.
The world’s largest meat processing company was forced to shut down plants in North America and Australia due to a cyberattack, rendering them unable to slaughter livestock. Executives reluctantly paid about $11 million in Bitcoin to their attacker in order to keep business running and prevent risks to their employees and customers. How the hackers were able to infiltrate JBS’s IT system has not been made public.
7. CNA Insurance: 75,000 employees’ information stolen and operations halted by ransomware. Cost: $40 million.
One of the largest insurance firms in the U.S. fell victim to a cryptolocker attack — where ransomware encrypts files on infected machines and demands payment for the key to unlock them. Hackers appended the .phoenix extension to thousands of files — encrypting files on 15,000 devices and compromising PII of about 75,000 employees, disrupting business for the attack’s duration. CNA paid the hefty ransom, but only after sharing information with the FBI and the Treasury Department’s Office of Foreign Assets Control to avoid sanction risks.
8. Brenntag: Operations halted by ransomware. Cost: $4.4 million.
Around the same time Colonial Pipeline was infiltrated, the German-based chemical distribution company Brenntag was attacked by the same cybercriminal hacking group, the DarkSide. They lost 150 gigabytes of data — and were threatened with a $7.5 million ransom. Brenntag negotiated the ransom down to $4.4 million, the cost of recovering encrypted files and keeping stolen data from being leaked.
9. Facebook: 533 million records breached. Estimated cost: $3.7 billion.
2021 was not a great year for the social media giant, at least from a PR perspective. When a vulnerability in a retired feature was exploited in 2019, hackers scraped personal information of more than half a million Facebook users — a data breach that only came to light this year when their PII was shared for free on a hacker forum.. Not included in the nearly $4 billion estimate? The payouts Facebook may face in a potential mass lawsuit.
Don’t Let It Happen to You
Though cyberattacks are inevitable, there are ways to safeguard against the most common methods — there’s really no excuse to fall for email phishing or have a lax attitude toward security compliance. Safeguard your data, safeguard your business.