2021 cyber security review of the year

For many, 2021 was a year to forget. COVID-19 again dominated the news, with initial optimism over vaccine rollouts and the potential end of the pandemic making way for new variants and the return of social restrictions.

The cyber security landscape offered similarly familiar topics: there were huge data breaches at Facebook and LinkedIn, while the threat of ransomware reached catastrophic levels.

At the start of the year, the World Economic Forum listed cyber crime alongside COVID-19, climate change and the debt crisis as the biggest threats facing society in the next decade.

That statement was soon justified, with healthcare facilities and hospitals facing a barrage of attacks throughout the year.

However, it was the ransomware attack on Colonial Pipeline that brought mainstream attention to the real-life effects of ransomware. After the fuel supplier was forced to halt operations amid an attack, millions of Americans were left without access to petrol, leading to chaotic scenes.

You can read more about that attack, along with the year’s other biggest stories, in our 2021 cyber security review of the year.


January

2021 got off to an inauspicious start when cyber security researchers reported a huge leak of Brazilian residents’ data.

Almost the entire country was affected, with 220 million people’s names, dates of birth and taxpayer registration numbers being leaked.

Another 104 million records relating to residents’ cars were also leaked, including each car’s make and model, as well as licence plate numbers.

Initial reports suggested that Serasa Experian may have been responsible for the breach, as this is the sort of information a credit-scoring bureau would collect. However, the organisation denied that it had any links to the incident.

São Paulo state consumer rights foundation Procon described the company’s denial as “insufficient” and said it is likely that the incident was initiated in a corporate environment.

You can see more incidents from January in our list of data breaches and cyber attacks.


February

We got our first real glimpse of the havoc that ransomware would cause in February, when a pair of hospitals in France came under attack.

First, the Villefranche-sur-Saône hospital complex in eastern France was crippled by malware. Less than a week later, the Dax-Côte d’Argent hospital in the south of France was hit.

The hospital’s deputy director, Aline Gilet-Caubere, explained that although no data had been stolen, staff were unable to access patient data stored digitally, and were forced to keep paper records.

Meanwhile, a third hospital group – in Dordogne – narrowly avoided falling victim, after an IT supplier detected ransomware on the organisation’s servers.

Hugues Alegria, the director of computer systems at the hospital, said his team cut off the networks going to the supplier and immediately deactivated the backup servers to ensure they weren’t infected.

These incidents recall an attack on Dusseldorf University Hospital in Germany in 2020, in which a patient died after being turned away by the hospital, which was under attack and unable to treat her.

Following the wave of attacks, French President Emmanuel Macron unveiled a plan to better protect the public sector against ransomware.

Macron spoke with officials and workers from some of the hospitals, noting the severity of the attacks and the threat to patients’ health.

You can see more incidents from February in our list of data breaches and cyber attacks.


March

Speaking of government intervention on cyber attacks, the US government was forced to intervene after state-sponsored attackers targeted Microsoft Exchange Server vulnerabilities in March.

The tech giant disclosed four zero-day bugs, which were being used to steal sensitive information, encrypt data for ransom and execute destructive attacks.

Although Microsoft released patches, its disclosure of the vulnerabilities drew the attention of cyber criminals who then targeted organisations that hadn’t yet updated the software.

Reported incidents of breaches spiralled, with more than 30,000 US organisations estimated to have been compromised.

That led to a White House National Security Council meeting to coordinate a response, followed by a Senate Intelligence Committee briefing with Microsoft.

The government had already announced earlier in the year that it would unveil an executive order on cyber security in the wake of 2020’s SolarWinds attack, which included a proposal to assign ratings to software vendors used by the federal government.

You can see more incidents from March in our list of data breaches and cyber attacks.


April

Spring brought with it a new wave of optimism. Vaccine rollouts were hitting their stride and for the first time in a long time, people began to consider that the “new normal” would soon make way for the “normal normal”.

But as is often the case, where anticipation and excitement can be found, so too can cyber crime. A Webroot report from April revealed that there had been a sharp increase in malicious web domains related to the word ‘travel’ in 2021.

Analysis from its real-time anti-phishing protection system found that cyber criminals increasingly targeted people who were searching for holidays and weekend breaks.

It’s a trend that was seen throughout the year, with people eager to find cheap deals as the demand for flights and accommodation pushed up prices.

Meanwhile, April also saw one of the biggest breaches of the year, after 553 million Facebook users’ phone numbers and other personal details were leaked onto the web. However, although the sheer number of records affected is frightening, the severity of the breach was relatively low.

That’s because neither financial records nor login credentials (which could be used for financial gain) were compromised.

You can see more incidents from April in our list of data breaches and cyber attacks.


May

If the general public wasn’t aware of the damage ransomware could cause before, two separate incidents in May 2021 brought the threat to a global scale.

First came the Colonial Pipeline hack. The fuel supplier was forced to halt operations after being crippled by ransomware, which targeted the company’s business network. This included Colonial’s billing system, which meant it had no way to track fuel distribution or accurately bill its customers.

Colonial also shut down its operational technology network, which controls the pipeline, to prevent further spread of ransomware.

That was probably a wise move, given the way ransomware spreads through organisations’ systems, but it only increased the pressure to resolve the issue promptly.

And with news stories of petrol stations running low on petrol and people hoarding supplies – often in buckets, plastic bags and other unsafe materials – the crisis deepened.

After initially stating that it wouldn’t negotiate with the attackers, Colonial eventually relented. Initial reports claimed that the organisation paid $5 million in bitcoin, but Colonial’s CEO Joseph Blount later confirmed that the fee was $4.4 million (about £3.3 million).

However, it would be a pyrrhic victory for the attackers, because their servers were seized and their cryptocurrency account drained almost immediately after payment was received.

Just over a week later, Ireland’s health service was targeted, affecting services across a range of hospitals.

The HSE’s chief executive, Paul Reid, described the attack as “significant and serious”, adding that the HSE had taken all precautionary measures to shut down its major systems.

“We are working with all of our major IT security providers and the national security cyber team are involved and being alerted, so that would be the major state supports including Gardaí, the Defence Forces and third party support teams,” he said.

You can see more incidents from May in our list of data breaches and cyber attacks.


June

The discovery of a cyber attack can often be a chaotic experience for those affected, as it’s not always obvious how the disruption occurred. However, by the time the incident is publicly disclosed, a clear picture has usually emerged.

That wasn’t the case when a major Internet outage knocked dozens of websites offline in June.

Amazon, Reddit and Twitch were all affected, as were the Guardian, the New York Times and the Financial Times.

Additionally, the UK government website crashed – on the day that Britons aged 25–29 were invited to book their COVID-19 vaccines.

Despite initial speculation that the outage was the result of a cyber attack – with ‘#cyberattack’ trending on Twitter – the true cause of the incident was less sensational, although nonetheless concerning.

Within a few minutes, the cloud computing provider Fastly acknowledged that it was responsible for the problem.

The organisation said there had been a configuration error in its global CDN (content delivery network).

Its Edge Cloud system, which is designed to help websites speed up load times, prevent denial of service attacks and prevent network traffic jams, had a bug that was triggered when one of its customers changed their settings.

Thankfully, Fastly was able to identify the problem and restore its systems in under an hour.

You can see more incidents from June in our list of data breaches and cyber attacks.


If you find yourself facing a cyber security disaster, IT Governance is here to help. Our Cyber Incident Response service provides the help you need to deal with the threat, as our experts guide you through the recovery process.

They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.


July

We saw a record GDPR (General Data Protection Regulation) fine in July, after Amazon was hit with a €746 million penalty (about £630 million at the time).

Few details emerged about what Amazon’s GDPR fine relates to. The investigation began following a complaint in May 2018 – the month that the GDPR took effect – from La Quadrature du Net.

The French advocacy group, representing 10,000 people, claimed that Amazon’s advertising system isn’t based on “free consent”.

That is to say, the GDPR requires that consent must be sought using clear, plain language containing specific details about what the information will be used for.

Moreover, organisations cannot rely on inactivity as a means of consent, and they must ensure that there are no negative effects on the user if they refuse to provide consent.

It’s not clear which of these rules, if any, Amazon is alleged to have violated, with a spokesperson for the Luxembourg data protection regulator saying that “professional secrecy” laws in the country mean details can’t be published until an appeal process has been completed.

Amazon responded by saying: “There has been no data breach, and no customer data has been exposed to any third party”. It confirmed that it will be appealing the penalty.

As many predicted, Amazon appealed the fine in October, and a result is forthcoming.

You can see more incidents from July in our list of data breaches and cyber attacks.


August

T-Mobile announced a data breach in August that demonstrated the problems of downplaying the severity of a cyber attack.

The mobile phone operator announced on 18 August that the personal data of 7.8 million existing customers and 40 million prospective customers had been compromised.

In a statement, it said that the stolen data included US customers’ full names, dates of birth, Social Security numbers and ID information.

Additionally, approximately 850,000 active T-Mobile prepaid customers’ phone numbers and account PINs were compromised.

After disclosing the breach, T-Mobile said it was “confident” that it had shut down the point of entry used by the attackers.

It added that it was conducting a “deep technical review of the situation across [its] systems” to identify the full extent of the attack.

Unfortunately, two days later it added that an internal investigation revealed that an additional 5.3 million customers were affected.

Organisations are bound to suffer reputational damage when they disclose a data breach, so the last thing they need is to prolong the story and announce that it’s even worse than they initially thought.

Additionally, one of the ways that organisations can mitigate negative press following a breach disclosure is to demonstrate that they have strong cyber security measures in place and that the attack was not a result of negligence.

But rushing to downplay an incident, only to have to go back on your word, will test customers’ trust in your capabilities.

You can see more incidents from August in our list of data breaches and cyber attacks.


September

Cryptocurrency reached a new level of popularity in 2021, but it wasn’t all good news for Coinbase, the world’s largest cryptocurrency exchange platform.

The organisation warned users in September that more than 6,000 customers were victims of “a third-party campaign” that gained access to their accounts and removed funds.

The perpetrators most likely used phishing attacks to gain access to victims’ email accounts and personal data, which they then used to attempt to sign in to the targeted Coinbase accounts.

Coinbase accounts are secured by 2FA (two-factor authentication), so even with all this information the attackers should have been unable to sign in.

However, Coinbase admits that there was a flaw in its SMS Account Recovery process, which enabled the attackers to receive the 2FA token intended for the victim, giving them access to the accounts instead.

The attackers were then able to transfer funds from victims’ Coinbase wallets.

As soon as Coinbase learned of the compromise, it updated its SMS Account Recovery process and began reimbursing those who had been affected. It has not disclosed how much cryptocurrency the thieves stole.

You can see more incidents from September in our list of data breaches and cyber attacks.


October

A report emerged in October that criminal hackers had been hijacking high-profile YouTube channels in phishing scams designed to capture their cookies.

According to a report by Google, which owns YouTube, more than 4,000 accounts were compromised, with attackers either selling the login details or using the channel to broadcast cryptocurrency scams.

The attack started with a phishing email that appeared to be from a legitimate service offering to sponsor the victim’s content.

These included VPNs, photo editing apps and antivirus software, which are all common, and often lucrative, sponsors for YouTube channels.

It’s therefore understandable that a victim who receives an offer like this might jump at the opportunity.

Those who agreed to the offer were sent an attachment that claimed to be the product in question. However, the file in fact contained malware designed to steal cookies and passwords from the victim’s computer.

Google found more than 1,000 domains that were created to target YouTubers, although it suspects that the scale of the attack was actually much larger.

Its research uncovered 15,000 email accounts associated with the attackers and more than a million messages.

You can see more incidents from October in our list of data breaches and cyber attacks.


November

The stock trading app Robinhood was in the news for all the wrong reasons in 2021. It first came under fire for stymying a surge in investments into GameStop, citing its inability to cover regulatory requirements.

Several months later, it was targeted by cyber criminals in an attack that may be linked to the backlash it caused.

In a statement, Robinhood confirmed that a fraudster had breached its systems in a phishing attack.

Robinhood said the attackers requested a ransom for the safe return of the information. The organisation rejected the demand and is contacting affected users, but that wasn’t necessarily the end of the threat.

The attackers may well use the compromised information to launch follow-up attacks on customers directly. Common scams include bogus emails supposedly from the compromised organisation asking recipients to change their password for security reasons.

You can see more incidents from November in our list of data breaches and cyber attacks.


December

2021 ended in a familiar sense of chaos, after cyber security researchers disclosed a zero-day exploit that was so serious that some experts said it had ‘set the Internet on fire’ and ‘will haunt us for years’.

The vulnerability, dubbed Log4Shell, is a remote code execution flaw found in versions of log4j, the popular open-source Java logging library.

At the time of writing, security teams around the world are still scrambling to fix the issue, which affects a huge number of software products, online systems and Internet-connected devices.

Apple, Amazon, Baidu, Google, IBM, Tesla, Twitter and Steam are among those affected.

The vulnerability is tracked as CVE-2021-44228 and has been given the maximum CVSS severity rating of 10.0. In practice, that means attackers can take full control of a vulnerable system over the Internet without any interaction from the victim.

What’s more, it doesn’t take much skill to execute. This, combined with the ubiquity of the vulnerability, means that exploits are being seen all over the Internet, with criminal hackers planting malware, installing ransomware and cryptomining code, and stealing personal data.

You can see more incidents from December in our list of data breaches and cyber attacks.


What can we expect in 2022?

There’s room for optimism in the cyber security landscape. We’ve seen a clear link between COVID-19 restrictions and data breaches, in part because of the risks associated with remote working, and you can’t overstate the damage caused by a tired and weary workforce.

It’s no surprise that employees who are stuck inside, fearing for the health of themselves and their loved ones, weren’t always at their best. It’s contributed to internal error, scams, misconfigurations and improperly stored data.

However, as restrictions eased in the second half of 2021, we saw a decrease in publicly disclosed data breaches. With the success of the booster jab rollout and speculation that the pandemic could be all but over by March, now is the time to reflect on what life after COVID-19 might look like.

Organisations should take the chance to review how they have changed in the past two years, and consider what changes they must make to ensure that they continue to function safely through 2022 and beyond.

For example, the threat of ransomware isn’t going away, so business continuity planning should be among your top priorities.

Whatever challenges you wish to address, IT Governance is here to help. That includes supporting those seeking Cyber Essentials certification or implementing an ISMS (information security management system).

We also have a selection of staff awareness e-learning courses, documentation toolkits, security testing solutions and consultancy packages to help organisations succeed no matter what challenges await.