The Worst Hacks of 2021

If 2020 was the year of pandemic lockdown hacking, 2021 was open season for attackers around the world. Ransomware gangs were shockingly aggressive, targeting health care facilities, schools, and critical infrastructure at an alarming rate. And hackers continued to launch supply chain attacks with extensive fallout. With the pandemic still raging in the background, system administrators, incident responders, global law enforcement, and security practitioners of all sorts worked tirelessly to counter the barrage. And governments scrambled to take more concrete action against online threats. 

For now, though, the seemingly endless cat-and-mouse game continues. As John Scott-Railton, senior researcher at University of Toronto’s Citizen Lab, puts it, “2021 is the year where we’re realizing that the problems we chose not to solve years or decades ago are one by one coming back to haunt us.”

Here’s WIRED’s retrospective on the year’s worst breaches, leaks, data exposures, ransomware attacks, state-sponsored hacking campaigns, and digital mayhem. With no sign of a reprieve in 2022, watch your back and stay safe out there.

In early May, ransomware hit Colonial Pipeline, which operates a 5,500-mile pipeline that carries nearly half of the East Coast’s fuel—gasoline, diesel, and natural gas—from Texas all the way to New Jersey. As a result of the attack, the company shut down portions of the pipeline both to contain the malware and because the attack knocked its billing systems offline. As lines grew at gas stations through the southeastern US, the Department of Transportation released an emergency order to allow expanded fuel distribution by truck. The FBI also named the notorious Russia-linked ransomware gang DarkSide as the perpetrator of the attack. 

Colonial Pipelines paid a 75 bitcoin ransom—worth more than $4 million at the time—in an attempt to resolve the incident. Law enforcement was later able to recover some of the funds, and DarkSide went underground to avoid scrutiny. In November, the State Department announced a $10 million bounty for substantive information about the group’s ringleaders. The attack was one of the largest-ever disruptions of US critical infrastructure by hackers, and was part of a series of alarming hacks in 2021 that finally seem to have served as a wakeup call for the US government and its allies about the need to comprehensively address and deter ransomware attacks.

The SolarWinds hacking spree was the most memorable software supply chain attack of 2020 and 2021, but the compromise of IT management software company Kaseya was another prominent addition to the supply chain attack annals of this year. At the beginning of July, hackers associated with the Russia-based ransomware gang REvil exploited a flaw in Kaseya’s Virtual System Administrator tool. VSA is popular among managed service providers, companies that run IT infrastructure for organizations that don’t want to do it themselves. As a result of this interdependent ecosystem, attackers were able to exploit the flaw in VSA to infect as many as 1,500 organizations around the world with ransomware. REvil set ransoms of about $45,000 for many downstream victims and as much as $5 million for managed service providers themselves. The gang also offered to release a universal decryption tool for about $70 million. But then the ransomware gang disappeared, leaving everyone in the dark. At the end of July, Kaseya acquired a universal decryptor and began distributing it to targets. At the beginning of November, the US Justice Department announced that it had arrested one of the key alleged perpetrators of the Kaseya attack, a Ukrainian national who was apprehended in October and is currently awaiting extradition from Poland.

The live-streaming service Twitch, which is owned by Amazon, confirmed that it had been breached in October after an unknown entity released an 128 GB trove of proprietary data stolen from the company. The breach included Twitch’s complete source code. The company said at the time that the incident was the result of a “server configuration change that allowed improper access by an unauthorized third party.” Twitch denied that passwords were exposed in the breach, but acknowledged that information about individual streamers’ revenue was stolen. In addition to the source code itself and streamer payout data from as far back as 2019, the trove also contained information about internal Twitch Amazon Web Services systems and proprietary SDKs. 

In the wake of Russia’s SolarWinds digital espionage spree, the Chinese state-backed hacking group known as Hafnium went on a tear. By exploiting a group of vulnerabilities in Microsoft’s Exchange Server software, they compromised targets’ email inboxes and their organizations more broadly. The attacks impacted tens of thousands of entities across the United States beginning in January and with particular intensity in the first days of March. The hacks hit an array of victims, including small businesses and local governments. And the campaign affected a significant number of organizations outside the US as well, like Norway’s Parliament and the European Banking Authority. Microsoft issued emergency patches on March 2 to address the vulnerabilities, but the hacking spree was already in motion and many organizations took days or weeks to install the fixes, if they did it at all.

The Israeli spyware developer NSO Group has increasingly become the face of the targeted surveillance industry, as its hacking tools are used by more and more autocratic customers around the world. The communications platform WhatsApp sued NSO in 2019 and Apple followed suit this year in November, after a string of revelations that NSO created tools to infect iOS targets with its flagship Pegasus spyware by exploiting flaws in Apple’s iMessage communication platform. In July, an international group of researchers and journalists from Amnesty International, Forbidden Stories, and more than a dozen other organizations published forensic evidence that a number of governments worldwide—including Hungary, India, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates—might be NSO customers. The researchers studied a leaked list of 50,000 phone numbers associated with activists, journalists, executives, and politicians who were all potential surveillance targets. NSO Group has refuted those claims. In December, Google researchers concluded that NSO malware’s sophistication was on par with elite nation state hackers. 

JBS SA, the world’s largest meat processing company, suffered a major ransomware attack at the end of May. Its subsidiary JBS USA said in a statement at the beginning of June that “it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems.” JBS is headquartered in Brazil and has roughly a quarter million employees around the world. Though its backups were intact, JBS USA was forced to take impacted systems offline and worked frantically with law enforcement and an outside incident response firm to right the ship. JBS facilities in Australia, the US, and Canada faced disruptions, and the attack caused a cascade of impacts across the meat industry leading to plant shutdowns, employees who were sent home, and livestock that had to be returned to farmers. The incident came just a couple of weeks after the Colonial Pipeline attack, underscoring the fragility of critical infrastructure and vital global supply chains.

Firewall vendor Accellion released a patch in late December, and then more fixes in January, to address a group of vulnerabilities in one of its network equipment offerings. The patches didn’t come or get installed quickly enough for dozens of organizations worldwide, though. Many suffered data breaches and faced extortion attempts as a result of the vulnerabilities. The hackers behind the spree appeared to have connections to the financial crimes group FIN11 and the ransomware gang Clop. Victims included the Reserve Bank of New Zealand, the state of Washington, the Australian Securities and Investments Commission, cybersecurity firm Qualys, the Singaporean telecom Singtel, the high-profile law firm Jones Day, the grocery store chain Kroger, and the University of Colorado.

Everything that’s old was new again in 2021, as a number of companies that are already notorious for past data breaches suffered fresh ones this year. Wireless carrier T-Mobile admitted in August that data from more than 48 million people had been compromised in a breach that month. Of those, more than 40 million victims weren’t even current T-Mobile subscribers, but rather former or prospective customers who had applied for credit with the company. The rest were mostly active “postpaid” customers who get billed at the end of each cycle instead of the beginning. Victims had their names, dates of birth, social security numbers, and driver’s license details stolen. Additionally, 850,000 customers on prepaid plans had their names, phone numbers, and PINs taken in the breach. The situation was particularly absurd, because T-Mobile had two breaches in 2020, one in 2019, and another in 2018.

Another repeat offender was the department store chain Neiman Marcus, which had data from roughly 4.6 million customers stolen in a May 2020 breach. The company disclosed the incident in October, which exposed victims names, addresses, and other contact information, plus login credentials and security questions/answers from online Neiman Marcus accounts, credit card numbers and expiration dates, and gift card numbers. Neiman Marcus famously suffered a data breach in 2014 during which attackers stole credit card data from 1.1 million customers over three months.

More Great WIRED Stories