October 11, 2021

Monthly Breach Report: October 2021 Edition


In September, personal data found in incidents discovered worldwide—some taking advantage of the most vulnerable communities and individuals—was found, posted, and made available for sale seemingly in every region. Conservatively calculated, hundreds of millions of people’s personal information was exposed. It’s impossible to even report on the totality of the month’s personal data loss in one post. Here’s a quick summary.


This tech giant has been in the news recently for other serious data misusage charges around the world as well as operational allegations. Relating specifically to personal data being distributed without the individuals knowing, September unfurled a messy set of reports on an incident with ever-changing circumstances and facts. The story continues to unfold. It is not expected that any breach was needed to obtain personal data of 1.5 billion Facebook users, amass it, and put it up for illegal sale.

According to TechRepublic, “The fact that the data stolen and for sale is publicly available shouldn’t ease anyone’s fears: That data can still be used to compromise users’ security and privacy. In particular, the stolen data contains names, email addresses, locations, gender, phone numbers and Facebook User ID information. Each bit of that data could clue an attacker into password challenge answers, allow them to intercept one-time login codes, [or] phish . . .”


106 Million Visitors’ Personal Data

A misconfigured ElasticSearch server is being blamed for leaking the data of at least 106 million of Thailand’s visitors during the pandemic. An outsourced IT company is deemed responsible for leaving the server exposed.

Thailand is a favorite vacationing destination for millions of people and a major basis for the country’s economy. It should be expected people’s personal data would be effectively protected by the country by using top-rated technology and practices. Not so. Data exposed by the publicly accessible server database includes:

  • Date of arrival in Thailand
  • Full name
  • Gender
  • Passport number
  • Residency status
  • Visa type
  • Thai arrival card number

Fortunately, no financial data was discovered leaked, and it’s hoped no truly harmful activity will result.

Thai authorities received the incident reported by the British cybersecurity research company, Comparitech, and initiated quick actions to correct the exposure. Comparitech even connected the server to a honeypot, collecting any attempts to access it and returning a message that the visitor’s IP address has been collected.


Hacker Exposes Personal Data of Two Million

Just before elections held on September 8, 2021, over 2 million people of the Kingdom of Morocco had personal data exposed by a malicious “black hat” hacker. The heist included names, email addresses, professional positions, and companies, data likely from an earlier LinkedIn scrape openly posted in free cloud spaces. Timing of the breach stirs grave concern. Beyond the usual worries of personal data exposure, the use of this data in political campaigns became critically alarming.

A second concurrent leak in Morocco—still unknown how it was achieved—came from a data breakin at the highly regarded Mohammad V University. The data in that set includes the postal addresses, photographs, and electronic addresses of students in electrical, civil, and industrial engineering, computer science, mechanics, computer modeling, and telecommunications. More than 2,000 students’ personal data sets have been released.


Tracking Apps

In Jakarta, Indonesia, officials are investigating a flaw that left 1.3 million people’s health status and personal information exposed by a test and trace app that was reportedly breached. The Indonesia Health Alert Card (eHAC) system was likely exposed due to a lack of protective protocols. PeduliLindungi, another government developed app, was reported to have been hacked in parallel. It’s not yet known the number of personal data sets exposed in that leak. A cybersecurity researcher tweeted out the Republic of Indonesia’s president’s vaccination certificate, though the information source for that was not reported. It seems in PeduliLindungi, it is straightforward for anyone to find another person’s National identification number and other personal information, including vaccination information.

This incident follows others earlier in 2021 and prompts further cybersecurity infrastructure investigation. Privacy activists are investigating and reporting on developments. The government accepts responsibility for the eHAC leak, but not the PeduiLindungi personal data exposure.


African Bank’s Debt-IN

A debt recovery partner of African Bank, Debt-IN, suffered a data breach in which sensitive, personal information was accessed and stolen. The files and data accessed included individual consumers’ data and voice recordings of financial services customers on calls with the company’s debt recovery agents. Over 1.4 million banking customers are anticipated to have had personal data stolen when the data was accessed from servers earlier this year.

Debt-IN and African Bank are implementing a robust mitigation effort and claim to have stemmed the flow from the reported breach.



The PORTpass proof of vaccination mobile app—available on Apple Store and Google play as well as the portpassportal.com web app and accessed by over 650,000 users in Canada—had to be taken down September 28, 2021, after media reporters convinced the company CEO there was verifiable personal data being openly leaked.

Those media outlets received a tip and verified that email addresses, names, blood types, phone numbers, birthdays, and links to photos of identification like driver’s licenses and passports were readily viewable. It is yet to be determined precisely which and how many users are affected.

The developer company CEO reportedly worked to downplay the incident, even making claims the exposure was only for minutes, while those investigating could access the data for more than an hour. PORTpass notified authorities of the incident. The Calgary police cybersecurity team is currently actively investigating the incident.


Paris Region COVID Test Results

The French Ministry of Health confirmed mid-September that approximately 1.4 million people’s personal and health data was stolen. Identities, Social Security numbers, contact details, and test results were hacked in addition to the identities and contact details of the health professionals involved in testing.

The discovery was made by a patient trying to retrieve their results and finding open source data through WordPress. The patient realized they “could access files containing patient information via the URL tree and even create an account without being a pharmacist,” according to Connexion France.

The data was extracted while it was being transferred from privately run pharmacies on the Francetest platform to the government’s databases. Early in the pandemic, it became painfully clear through personal data leaks that the public sector was not equipped to maintain legally protected personal privacy. Many in the EU are furious that a rush to turn over the responsibilities to private companies left personal and health-related sensitive data at further risk. The European Parliament is formalizing queries and challenges for member countries to shore up their practices to avoid infractions relative to EU privacy laws.


Potentially Lethal Personal Data Leak

Lives of dozens of Afghan interpreters working for British forces are imperiled due to their personal information and data being exposed by the UK’s Ministry of Defense. After the Taliban takeover, more than 250 Afghanis who requested help in leaving their country were identified by name and email address, some with photos, in an email from the Ministry by the British team responsible for working with the interpreters requesting help. In the email, the Ministry promised to assist them.

“We told the Afghans who helped our British forces that we would keep them safe, but this data breach has needlessly put lives at risk. Ministers must now urgently step up efforts to get these Afghans safely to the UK.” Tweeted John Healey, a British lawmaker and UK shadow defense secretary.



Protect your company and its data from becoming a future data breach headline. PK Protect is purpose built to find and secure sensitive data wherever it lives and moves across your enterprise. See how we can help safeguard your data by requesting a free personalized demo.

Share on social media
  • Apr'24 Breach Report-01
    PKWARE April 17, 2024
  • Data Retention: Aligning Data Protection Strategies with Compliance Requirements
    Ben Meyers March 13, 2024
  • Data Breach Report: March 2024
    PKWARE March 8, 2024
  • PCI DSS 4.0 Compliance: Safeguarding the Future of Payment Security
    PKWARE February 22, 2024