Key Takeaways from the 2021 Year End Data Breach Report

March 31, 2022

More than 22 billion records were breached in 2021. While this figure represents a significant decrease from the record-breaking number in 2020 (37.5 billion records), it is still a staggering figure. Especially when you consider that the average per-record cost of a breach to businesses was $161 in 2021.  

There’s a lot businesses can learn by studying data breach reports. We’ve reviewed the annual report by Flashpoint and listed the key takeaways for businesses to consider: 

Key Takeaways from Flashpoint’s 2021 Data Breach Report

Publishing, sharing, or offering open access to data online resulted in the most records being exposed. 

In 2021, 19.8 billion records were breached as a result of their (often accidental) publication on the web. In fact, the largest breach to date (the FBS breach) occurred in 2021 – where 20 terabytes of data, containing 16 billion records, was exposed online on an unsecured server. The personally identifiable information that was exposed, as a result of an unsecured server, included usernames, IP addresses, email addresses, phone numbers, billing address, time zone, passport details, mobile device and operating systems, social media IDs, and copies of identity verification documents, including driver licenses, birth certificates, utility bills, and credit cards. 

Human error is the predominant driver behind this type of breach. This is significant because the risk human error poses to an organization can be reduced through privacy and cybersecurity training and robust privacy processes and policies.


Email is now ranked among the top 5 types of breach

135 breaches were attributed to email in 2021, behind 197 web breaches, 221 breaches caused by viruses, 342 with unknown causes, and 2761 breaches that were attributed to hackers. While the number of email breaches is small when compared to those attributed to hackers, it is the first time that email has ranked amongst the top five breach types. 

An email breach typically occurs when an email containing sensitive or personal data is erroneously sent. Again, human error is the driving force behind this type of breach – which means that training and processes can be put in place to reduce the risk of this type of breach occurring at your company. 


Social security number breaches on the rise – indicating that the type of data you collect matters

Social security numbers (or their foreign equivalent) were compromised in more than 40% of breaches, while credit and payment card information was only compromised in 3% of reported breaches. These findings suggest that hackers are likely branching away from targeting credit card details, and instead seeking information that would facilitate phishing attacks, credit card fraud, and identity theft. 

What this means for US companies is that data minimization remains a strong strategy for reducing both the reputational risk your company faces and the risk your users face when submitting information to you. 

A data minimization strategy revolves around collecting only the data necessary to achieve specific purposes. This key strategy is often overlooked by companies that elect to collect and store data for potential future purposes. Reducing the amount of data you collect and store can, in turn, reduce the amount you prudently need to spend on cyber security, as well as the potential costs of data breach notifications and/or regulator penalties.


If you need assistance developing your company’s data privacy and cybersecurity, reach out. Our privacy and cybersecurity attorneys would love to assist.


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

External Privacy Policy with hand hovering above it and reading glasses sitting on it Is an External Privacy Policy Enough?
GDPR Explained: A Quick Guide for U.S. Businesses
Children’s Data Privacy: Five Takeaways from the FTC’s Recent Workshop

    Ready to Talk?
    Contact Us

    We would to hear from you

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you