February 23, 2022 • RBS

Categories: Security News

This article is derived from the 2021 Year End Data Breach QuickView Report:

This is the sixth Year End Data Breach QuickView Report I’ve had the honor of shepherding to publication. Over the years, those involved in developing this information have grown from a small group of analysts to a talented and creative team of researchers, data scientists, designers and editors. Long-time readers of the QuickView Reports will have noticed the many changes we’ve introduced over the years, including increasingly closer looks at the key trends influencing breach statistics as well as additional commentary on the more interesting incidents that surfaced during the year.

To that end, we’re checking in on the state of ransomware attacks – because what discussion of breach activity would be complete without it – and the vexing issue of delayed disclosures. We’ll also share the winners from our Cyber Risk Analytics researcher poll, in which our team was asked “which 2021 breaches stand out to you and why?”

Will Ransomware Ever Go Away?

Threat Actor

If I had been asked six years ago whether ransomware was a serious threat, I’m fairly certain I would have said no without much hesitation. Back in 2016 there were a handful of data breaches that included a ransomware component, but those amounted to fewer than 1% of the breaches reported that year. Fast forward to 2019, and ransomware-related incidents had become prominent enough (present in 11.5% of reported breaches) to be called out as a significant shift in the threat landscape. By the close of 2020, 17% of reported breaches involved ransomware, and in 2021, the percentage climbed to 21%.

In the 2021 Mid Year Report, we noted there were reasons to be hopeful that the tide was turning on ransomware operations. Thanks to a series of very public and very high profile attacks, significant resources flowed to combating the threat, which in turn led to several law enforcement successes. DarkSide's public infrastructure was knocked offline and REvil/Sodinokibi was shut down for good. Unfortunately, the lull in activity didn't last for long. In total, there were 874 breach events that included a ransomware component in 2021. 453 of those came to light in the first half of the year, 421 in the second half. As one operation shuts down, new groups emerge to take their place and keep the attacks flowing.

Better Late Than Never But Never Late is Better

In our 2018 Year End Report, we took a closer look at the average number of days between when a breach was discovered and when it was reported. We picked up on the topic because, after three years of closing the gap between discovery and disclosure, the number of days it took for organizations to go from knowing about the incident to reporting it was beginning to increase. That seemed unusual, especially with new regulatory emphasis being placed on timely reporting.

Since that time, the issue has only become more pronounced. In 2021, 15 breaches took more than 365 days – a full year – to go from discovery to the release of a formal breach notification letter. Another 169 events took six months or more. Broadening the scope to look at time of discovery to date of first disclosure (meaning an email, blog post, tweet, or some other form of communication about the event), 75 events took more than a year to go from discovery to first disclosure and another 207 breaches took six months or more to disclose. It would be easy to blame delays on the pandemic, but this trend started well before COVID became a household name. Complex incident investigations, weak enforcement, and a deliberate blindness to notification obligations appear to be at the root of the delays.
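To make the two lag metrics above concrete, here is an added example (not code from the report or from Risk Based Security) that computes discovery-to-first-disclosure and discovery-to-formal-notification lags over a handful of constructed breach records and buckets them the way the report does: more than a year, six months up to a year, and under six months. The records, the field names, and the 182-day approximation of "six months" are all assumptions made for the example; records with a missing date, or a disclosure date that precedes discovery (a common data-quality problem), are counted as unknown rather than silently dropped.

```python
"""Discovery-to-disclosure lag buckets, as an illustration of the report's delay metrics.

All records below are constructed for this example; none are real breach events.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ONE_YEAR_DAYS = 365
SIX_MONTHS_DAYS = 182  # assumption: "six months" approximated as 182 days


@dataclass(frozen=True)
class BreachEvent:
    name: str
    discovered: date
    first_disclosed: Optional[date]  # email, blog post, tweet, etc. (None if unknown)
    notified: Optional[date]         # formal breach notification letter (None if unknown)


def lag_days(start: date, end: Optional[date]) -> Optional[int]:
    """Days from discovery to a disclosure milestone.

    Returns None when the milestone is unknown or recorded before discovery,
    so bad data is reported as 'unknown' instead of producing a negative lag.
    """
    if end is None or end < start:
        return None
    return (end - start).days


def bucket(days: Optional[int]) -> str:
    """Map a lag to the report's categories (mutually exclusive)."""
    if days is None:
        return "unknown"
    if days > ONE_YEAR_DAYS:
        return "over_a_year"
    if days >= SIX_MONTHS_DAYS:
        return "six_months_plus"
    return "under_six_months"


def summarize(events: List[BreachEvent], milestone: str) -> Dict[str, int]:
    """Count events per bucket for one milestone: 'first_disclosed' or 'notified'."""
    counts = {"over_a_year": 0, "six_months_plus": 0, "under_six_months": 0, "unknown": 0}
    for ev in events:
        counts[bucket(lag_days(ev.discovered, getattr(ev, milestone)))] += 1
    return counts


# Constructed sample data (hypothetical events, not from the report).
EVENTS = [
    BreachEvent("A", date(2020, 3, 1), date(2020, 3, 20), date(2020, 4, 10)),
    BreachEvent("B", date(2020, 1, 15), date(2020, 9, 1), date(2021, 2, 1)),
    BreachEvent("C", date(2019, 11, 1), date(2021, 1, 5), date(2021, 1, 20)),
    BreachEvent("D", date(2021, 2, 1), date(2021, 2, 2), None),            # no letter on file
    BreachEvent("E", date(2020, 6, 30), date(2020, 6, 1), date(2020, 12, 30)),  # disclosure predates discovery
]

if __name__ == "__main__":
    for milestone in ("first_disclosed", "notified"):
        print(milestone, summarize(EVENTS, milestone))
```

Running the two summaries side by side shows why the report quotes both figures: the same event (B above) is a six-month delay by the first-disclosure measure but a more-than-a-year delay by the formal-notification measure, and the set of events with an unknown lag differs between the two.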

Notable & Newsworthy Breaches

The Cyber Risk Analytics research team analyzes thousands of breach events every year. With such a high volume of data, it takes a truly unique set of circumstances for an individual event to stand out from the crowd. We touched on the more notable breaches reported during the first six months of 2021 in our Mid Year Data Breach Report. For this Year End edition, we’re turning our attention to the breaches that caught our eye in the second half of the year.

The October ransomware attack targeting Sinclair Broadcast Group was one such noteworthy event. At first glance, the incident appears to be a fairly typical event. A relatively new variant of WastedLocker ransomware dubbed Macaw was launched in Sinclair's systems on October 16th. Unfortunately for Sinclair, the attackers hit a sweet spot in Sinclair's operations, leaving many local affiliates scrambling to fill air time. TV stations across the country were left unable to broadcast local news, access syndicated programming, or air local advertising. Even as programming came back online, local newscasters were left without access to the supporting tools used to create content. That led to journalists reading from paper copy, sports scores taped up on a wall, and one weatherman resorting to holding an umbrella and using a whiteboard-drawn map for the weather update. Other than the Colonial Pipeline incident, no other event this past year was so starkly put on public display.

It is tempting to see the Sinclair incident as representative of more sophisticated targeting by attackers. Not only are malicious actors seeking targets where downtime can result in significant financial losses, they are seemingly also keen on targeting organizations where the disruption cannot be shielded from public view. Case in point is the December attack on payroll services provider Kronos. The malware disabled the Kronos Private Cloud, which hosted data for clients of UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. As of this report, at least twenty-five Kronos customers, including major U.S. cities and healthcare systems, were left resorting to manual workarounds in order to pay employees. Breach fatigue may leave many feeling indifferent to the latest attacks. By threatening the payroll of thousands of workers across the country, attackers were all but guaranteed to generate publicity for their actions.

Lastly, no discussion of 2021 breaches would be complete without a shoutout to one of the more entertaining events of the year. In early summer, Russia-based pizzeria franchiser Dodo Pizza had data on 584 franchisees shared on GitHub. Included in the mix were the URLs to access live security camera streams, displaying real-time pizza making operations across their various locations. Not only did it remind us of the near-universal appeal of a really good slice, it was charming to see the considerable care going into creating a pie in far flung locations like Kyrgyzstan.

Risk Based Security Data Breach Report

2021 Year End Data Breach QuickView Report

Powered by our product Cyber Risk Analytics, our QuickView Report provides deeper visibility into the data breach landscape, giving key insights for specific industries.
