2021 in Review – Five of the Most Expensive Data Breaches

2021 saw a continued increase in the number of cyberattacks on businesses. According to Accenture, organisations experienced a 125% rise in incident rate year-on-year, a trend that has been continuing for several years and shows little sign of slowing down.

While typical methods used by malicious actors, such as phishing, continued to grow in frequency, the year also contained some more idiosyncratic attack vectors used to gain unauthorised access to corporate data. The continued transition to remote working environments was partly responsible for an increase in security breaches, while there were also a record number of zero-day exploits, taking advantage of unpatched software exploits unknown to developers, most recently in Apache Log4j.

Among the security breaches which businesses fell victim to were an attack on a US oil pipeline that caused a State of Emergency, and potentially the largest ransom ever paid out to cybercriminals. Read on for more about five of the biggest attacks this year – and how they could have been prevented.

Colonial Pipeline

Impact: £3.3 million ransom payment, total shutdown, US state of emergency declared
Method: Compromised credentials of orphan VPN account
Downtime: Six days

In the highest profile attack of 2021, Colonial Pipeline, a US oil pipeline system originating in Houston, Texas, were forced to halt all activity as a result of a cyberattack. The attack caused President Joe Biden and Georgia Governor Brian Kemp to declare a state of emergency, and ultimately pay the requested ransom of 75 Bitcoin (£3.3million at time of payment) within hours of the attack. The decryption tool provided by the hackers was so slow, however, that pipeline operations did not restart until after a six-day shutdown. The FBI were able to trace the attack to a group believed to operate in Eastern Europe. The source of the attack was an out-of-use VPN account which had its credentials compromised and leaked on the dark web, allowing the attackers to remotely access Colonial Pipeline’s systems.

The FBI were eventually able to recover a significant portion of the money lost, but the attack will still go down as one of the most costly and disruptive of the year, due to the severe impact on the fuel supply chain in the southern United States, as well as the decision to pay a hefty ransom.

JBS

Impact: £8.3 million ransom payment, significant disruption to operations and US supply chains
Method: Undisclosed
Downtime: 3-4 days, varying across facilities

Brazil-based JBS, the world’s largest meat processing company, faced a serious ransomware attack in June, shutting down operations in the US, Canada and Australia. Multiple slaughterhouses were brought to a halt, and with the company supplying almost a fifth of the world’s meat supply, the attack also prevented the U.S. Department of Agriculture from offering wholesale prices for beef and pork for an entire day.

In order to regain access to their systems and protect customers, JBS ultimately negotiated and paid a ransom in Bitcoin totalling £8.3 million at the time. The FBI attributed the attack to an operation based in Russia, although the group did not publicly claim responsibility. JBS did not disclose the method by which the attackers were able to gain access to their systems.

Brenntag

Impact: £3.8 million ransom payment, total shutdown of affected systems, 150GB of unencrypted data stolen
Method: Compromised credentials
Downtime: Ten days

In May, the North America branch of the chemicals giant Brenntag suffered an attack which encrypted devices on its network and stole over 150GB of unencrypted data. Brenntag eventually paid a £3.8 million ransom to prevent the data being leaked publicly.

The same group who carried out the Colonial Pipeline attack were revealed to be the perpetrators of the breach. As part of the ransom negotiations, the attackers also disclosed that they were able to gain access to the network through stolen credentials available on the dark web, and even advised Brenntag to use multi-factor authentication to prevent any future attacks.

Irish Health Service Executive

Impact: Significant disruption to health services, claimed total costs in excess of £85 million
Method: Penetration testing tool used to deploy Conti ransomware
Downtime: 95% of devices and systems restored within four months

In May, the Health Service Executive (HSE) in Ireland experienced a major ransomware attack, the largest known against a health service computer system at the time. Occurring during the COVID-19 pandemic, the HSE were forced to shut down all systems including the close contact referral system, forcing individuals who had vaccination appointments to attend walk-in sites instead. Many hospitals were also forced to cancel routine appointments for other illnesses.

Several sources reported that a £15 million ransom demand was made in order to decrypt data and not to publish any stolen unencrypted data, although the HSE refused to pay. However, the HSE’s chief executive, Paul Reid, later claimed the costs of the breach could exceed £85 million.

CNA

Impact: Significant disruption to operations, loss of company website, reported £30 million ransom
Method: Malware, compromised credentials
Downtime: Two weeks

In March, CNA, the sixth-largest commercial insurance company in the US, suffered a ransomware attack which brought down its website and impacted a number of systems, including corporate email. The attackers first gained access through a malicious browser update, before gaining access to credentials providing privileged access through undisclosed ‘additional malicious activity.’ Remote workers’ devices who were logged on via a VPN were also encrypted during the attack.

CNA did not disclose details of the ransom negotiations, although Bloomberg reported that the company paid £30 million to regain access to networks, which would make it the largest known ransom paid of all time.

In a rare interview with The Record, a member of the group responsible stated that companies offering cyber insurance were valuable targets for hackers, as their clients are more likely to pay a ransom, which is frequently covered by the insurer.

Mitigating the risk of cyberattacks

While the attack vectors used in the incidents varied, a common theme was the use of passwords, present in the Colonial Pipeline, Brenntag, and CNA attacks. For Colonial Pipeline, a failure to deprovision a former user led to an out-of-use VPN account remaining active, which had its credentials compromised on the dark web, likely reused for another account. The same method was used to gain access to Brenntag’s systems, and the CNA attackers also exploited password-based authentication to access a privileged account, although the exact method was not disclosed.

Passwords remain the most common cause of data breaches, with 61% of all successful cyberattacks leveraging credentials in some way, according to Verizon’s 2021 Data Breach Investigation Report. By adopting an Identity and Access Management solution, organisations can address the root cause of the problem, take passwords out of the hands of end users and put the business back in control. If password management is taken out of the hands of users or replaced altogether by passwordless authentication, credentials cannot be phished, stolen, or made available for sale on the dark web – a factor which would have prevented many of the biggest data breaches seen in 2021.

Find out about how your organisation can transition to passwordless authentication.