Reflecting on the 2021 cybersecurity landscape

2021 was typified by numerous Covid-related challenges, including of course the continued need to offer home- and hybrid-working, which in many cases has exacerbated the challenge of maintaining good cybersecurity. This has led to an extensive list of published cybersecurity breaches for 2021, which may indicate a massive uptick in cybersecurity incidents, or more likely, a significant increase in the reporting of breaches, as mandated by a number of new national and international laws.

The most common type of security incident in 2021 was digital, with phishing scams and malware (particularly ransomware) among the most common types of cyberattack detected. Despite the obvious reporting improvements, as highlighted by the number of incidents listed in the National Cyber Security Centre (NCSC) Annual Review, it has rarely been disclosed how businesses and individuals fell victim, or the true extent and cost of many of the breaches.

From January to June 2021, the public sector suffered the most security incidents, but from July onwards the private healthcare and health sciences sector accounted for a significant number of cases. These two sectors are by far the worst offenders when it comes to effective security, closely followed of course by schools and education establishments. Researchers believe this is due strains these sectors have been under this year, and the cuts to funding in favour of immediate Covid-19 support measures, resulting in weakened defences and easy targets.

Reflecting back

January 2021: kicking the year off to a negative start, January was classed as a “quiet” month, when compared to the heights reached in 2020, but still saw 878 million records breached. Top stories included the continuation of the SolarWinds network issue, the end of Emotet Botnet through combined systematic activities from law enforcement agencies, and the obsoletion of Adobe Flashplayer. Breaches also affected Hackney Council, a school in Leicestershire, and the Mensa website among others. Read the round up +
February 2021: drawing significant public attention to the risk posed to national utilities, for the first time, February saw a hacker attempt to poison Florida City’s water, by gaining access to the water treatment plant and manipulating the levels of sodium hydroxide in the water. Little came close to the fear this sparked, but February also saw breaches at nPower and Total Fitness, an attempted hack of the University of Oxford department responsible for a Covid-19 vaccine, and zero-day warnings from Google among others. Read the round up +
March 2021: the month was typified by a high number of breaches, but a low number of breached records, not because the attacks were small, but because the victim companies weren’t able to quantify the number of breached records. Microsoft Exchange Server hacks were the major story for the month, alongside a PCI compliance issue at FatFace, warnings from the FBI, and the breaking story that the Head of the NHS lost access to their Twitter, and subsequently money to the hackers. It was also the month however that the government announced the new UK ‘cyber corridor’ and UK National Cyber Force (NCF), boosting the country’s defences. Read the round up +
April 2021: As well as seeing more than 1 billion data records breached in a single month, April was the month of governments around the world issuing sage and updated advice. From the “Think before you link” MI5 warning on LinkedIn scams, to the National Cyber Security Centre encouraging better password hygiene, and the Ransomware Taskforce issuing a new threat framework. HMRC suffered a data breach due to a software glitch, while DHL became embroiled in a text message scam, and the University of Portsmouth was forced to close due to ransomware. Read the full round up +
May 2021: In the second major attack against utilities, the breaking story from May was the hack on the Colonial Pipeline, forcing the 5,500-mile pipeline offline, and contingency deliveries being made by truck. The intention was mass disruption and only a significant ransom payment got the pipeline working again. May also saw the Irish Health Service brought to a halt by the Conti ransomware, and thousands of police database records accidentally deleted on an outdated software programme. Read the full round up +
June 2021: By this halfway point of the year, more than 3.9 billion records had been breached in just six months, in 729 separate incidents. June also saw CCTV of the Matt Hancock scandal leaked, although it isn’t clear how, and Ikea was fined €1million by a French court, after it was found guilty of spying on staff. Several car chains and medical facilities were hit in a variety of ransomware attacks, but in more positive news, the majority of the ransom paid out in the Colonial Pipeline attack was recovered by official US government bodies. Read the full round up +
July 2021: Gun shops, convenience stores and local Councils were the victims in July. Oxford City Council issued letters to residents, containing personal details and rent information for other residents, affecting 7,800 Council homes. Digital breaches affected the National Lottery Community Fund, e-learning site New Skills Academy, Spanish telecom giant MasMovil, Swedish Coop stores, and the guntrader.uk website. Covid-19 scams really started to come into their own, and REvil ransomware was also dominating the headlines. The biggest risk factor came from Microsoft, who identified a vulnerability with the Windows Print Spooler Service, ultimately dubbed PrintNightmare. Read the full round up +
August 2021: Arguably a ‘quieter’ month in terms of the number of separate incidents, August none-the-less smashed records thanks to telecom giant T-Mobile, who suffered their sixth major breach in four years. The attack in August compromised 53 million customer records, calling into question the security reliability of the organisation, and resulting in a number of customers suing the group. A $600 million (£433m) crypto-heist also dominated the headlines, with much of the money returned in the ensuing weeks, when the hacker in question highlighted that their intention was to spotlight system vulnerabilities and security flaws, not steal all the money. Hospitals, schools and educational centres remained a primary target for hackers too. Read the full round up +
September 2021: In one of the single biggest breaches of the year, 61 million records were compromised in the Get Health Fitness Tracker breach. Get Health, a New York company that syncs data from numerous IOT health and fitness trackers, including FitBits and Apple’s Healthkit, exposed user data through an unsecured database. Thankfully, the issue was identified by Website Planet who advised Get Health of the issue, enabling them to rectify it. Covid-19 data became a hot topic as databases of patient test results and vaccination status were stolen, including the names, social security numbers, contact information and results. Read the full round up +
October 2021: Putting a nation on the map for all the wrong reasons, October 2021 saw a hacker breach the government IT database in Argentina, stealing ID card details for the entire population. The breach was discovered when the details of 44 national celebrities, including the President, and Argentinian footballers Lionel Messi and Sergio Aguero, were published on a newly formed Twitter account. In other top stories, there was a data leak via an unsecured online database at The Telegraph, an attempted hack of Tesco, and long-term disruption to the manufacture of Walkers Crisps after an IT upgrade. Read the full round up +
November 2021: Dominating the November headlines was the Labour Party, after an ‘event’ via a third-party firm that handled membership data on its behalf made “a significant quantity” of party data inaccessible on their systems. The extent of the breach was initially unclear, and many details remain fuzzy. In other news, an attack on school data files in Kent was dubbed ‘highly sophisticated’ after data was found on the dark web, domain and web giant GoDaddy was part of a 1.2 million record data breach, and the fishing retailer Angling Giant was forced to take their website offline after an attack. Read the full round up +
December 2021: The single most pressing story for December was announced on 9 December when a new zero-day vulnerability was identified in Java. The Log4J library vulnerability affects hundreds of thousands of businesses worldwide, including UniFi, Apple, Tesla, Twitter, and Minecraft. It was scored 10 out of 10 on the vulnerability scale, i.e. the very worst it can get. By now, businesses should have updated to the released patch and full details of the issue are available here. Just when it felt that things couldn’t get worse for the telecom giant, T-Mobile suffered another major cyberattack, it’s seventh in just four years, and its second one this year (see August 2021). This time, the breach was less severe, affecting fewer customers; that said, many were subject to SIM swapping, which enables the bypassing of two-factor authentication. December also saw the UK government fined £500,000 following the New Year’s Honours breach, when the names and addresses of 1,000 recipients were accidentally published online. Read the full round up +

As if that wasn’t enough, 2021 also saw a significant rise in “double extortion” cases, where attacks exploit victims after the initial breach, for example by demanding a ransom, and then follow through on the threat after the ransom is paid, in a bid to extort yet more money. It has led to many national agencies, including the FBI and the UK’s NCSC issuing requests that law enforcement be notified of any attacks, and that no payment is made. 2021 also saw a sharp and continued increase in the cost of ransomware cases, after data revealed that on average in 2019, ransom payments made by organisations were just over $115k, rising more than 171% to $312k in 2020. The highest ransom paid also doubled: $10 million in 2020 compared with $5 million in 2019, and cybercriminals upped their demands, with the highest request rising from $15 million in 2019 to $30 million in 2020.

Looking ahead

Taking a peak at the first month of the year, January 2022 highlighted much of the same, with just under 66 million individual records being breached in a single month. Schools and educational facilities were some of the top targets, alongside medical and hospital records too. Both of these are targeted due to the challenge of underfunding and skills shortage, leaving these databases more vulnerable, and more lucrative than most.

This suggests that 2022 will see much of the same as 2021. Billions of records breached in cyber attacks, growing profit in launching these attacks, more state actors involved too, and a somewhat bleak landscape. However, just as the criminals get smarter and more effective, so too are the defences. Knowledge sharing between antivirus companies is on the rise, and so too are the links between national law enforcement agencies, who are working cross-border, just like their criminal counterparts. Individuals and businesses are also becoming more aware, and there has been some good progress in shoring up these defences as well.

According to security experts, attacks on the cloud will become more frequent as more businesses transition to online and more smart devices become connected, and at the same time ransomware attacks are expected to continue to rise, becoming more targeted to systems where they can make the biggest impact and therefore financial gains. In digital terms ransomware is relatively new, and it therefore follows that many companies have yet to take even the most basic precautions. 50% of SME businesses for example admitted that they have never offered cyber training to their team, at the same time as it was revealed two thirds of SME businesses have noticed a significant increase in cyber threats.

Cryptocurrency and crypto wallets are likely to become prime targets in 2022, as they become easier to navigate and therefore more adoptable. While blockchain, the technology that underpins most cryptocurrencies, is considered secure and helps to ensure transparency and proof of ownership, it is not infallible to theft by transfer, thanks to the anonymity afforded to cryptocurrency accounts, among other issues. They are also of course the payment of choice for most criminals, thanks to this same level of anonymity, making them a highly desirable currency.

Misinformation campaigns are also going to continue to trend in 2022. Throughout 2021, misinformation was spread about the COVID-19 pandemic and vaccination information, and criminals used this to capitalise and victimise individuals who feel for related scams. The black market for fake vaccine certificates expanded globally, now selling fakes from an estimated 29 countries at circa. $100-120 per certificate. In fact, according to the National Cyber Security Centre, they dealt with 777 major incidents last year of which 20% were vaccine related, and they received 7.25 million reports from the public, resulting in 60,000 scams being taken down.

Reflecting on the 2021 cybersecurity landscape

Reflecting back

Looking ahead

We’re here to help