2019 end-of-year review part 1: January to June

A royal baby, a fire at Notre-Dame, the highest-grossing film of all time and more than 12 billion breached data records: 2019 has been quite a year.

IT Governance is closing out the year by rounding up 2019’s biggest information security stories. Part one covers January to June, while part two covers July to December.

January

Anyone doubting whether supervisory authorities would use the disciplinary measures available under the GDPR (General Data Protection Regulation) began the year with a jolt, as Google was fined €50 million (£44 million) by the CNIL, France’s data protection authority.

The penalty, which was by far the biggest GDPR fine in the eight months that the Regulation had been in effect, related to two violations: Google had failed to give its users clear and accessible information about why it was collecting their data, and the consent it relied on as the legal basis for personalising adverts had not been validly obtained.

Although two larger penalties would be announced later in the year (the ICO’s notices of intent to fine British Airways and Marriott), this was the fine that demonstrated regulators weren’t afraid to use their disciplinary powers.

Among other news:

You can find more of January’s incidents in our list of data breaches and cyber attacks in January 2019.

February

Valentine’s Day 2019 proved to be particularly disheartening for many people, after rumours swirled that OkCupid users were being harassed by criminal hackers who had broken into their accounts.

The dating site denied that it had suffered a data breach, even though many users took to Twitter saying that someone had got into their account and changed their login credentials.

Worse, the attackers changed the email address associated with each account, preventing the legitimate owner from resetting their password. At least one victim said that the “hacker started harassing him with strange text messages”.

Both accounts can be true at once: account takeovers of this kind are typically the result of credential stuffing, in which attackers replay usernames and passwords exposed in breaches of other sites, so a victim’s reuse of a password, rather than a compromise of the site itself, is what lets the attacker in.

Dating sites are popular targets for cyber crime, and OkCupid would not have been the first to disclose an incident. Plenty of Fish, eHarmony, AdultFriendFinder, Zoosk and – famously – Ashley Madison have all reported breaches.

The important thing is that organisations handle breaches responsibly, letting affected customers know promptly to give them a chance to respond appropriately. For example, customers might want to change passwords for other sites or check their bank account for signs of fraud.

Among other news:

You can find more of February’s incidents in our list of data breaches and cyber attacks in February 2019.

March

Facebook’s repeated insistence that it can protect users’ personal data took another blow in March, when it emerged that the social media giant had stored as many as 600 million passwords in plaintext.

Investigative journalist Brian Krebs reported that the passwords had been written in plaintext to logs on Facebook’s internal systems, where they were searchable by as many as 20,000 employees, most of whom had no legitimate reason to access the information. A password should never be stored in a readable form at all: the standard is to keep only a salted, deliberately slow hash of it (and to keep the raw value out of logs entirely), so that even an insider with access to the store cannot recover it.

Facebook said that it discovered the problem in January 2019 as part of an internal security review, and that it had found no evidence that anyone internally abused or improperly accessed the passwords.

Although this is obviously positive news, it doesn’t absolve Facebook of blame or make the breach any less serious. There are plenty of cases where the extent of a breach isn’t known until the information resurfaces years later (as you might recall from Yahoo’s security meltdown).

Among other news:

You can find more of March’s incidents in our list of data breaches and cyber attacks in March 2019.

April

April was a month of mixed results in the UK. On the one hand, the 2019 SonicWall Threat Report found that the UK was one of the few countries that saw a year-on-year reduction in ransomware attacks.

But an NCSC (National Cyber Security Centre) analysis published alongside its UK Cyber Survey found that millions of people still use weak passwords such as ‘password’ and ‘qwerty’. The most common by far was ‘123456’, which appeared in 23.2 million breached accounts worldwide.
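The March and April items above point to the same two controls: never store or log a password in a readable form, and refuse the passwords everyone else is using. The following is an added example, not code from the original post or from Facebook, the NCSC or IT Governance. It contrasts plaintext storage with a salted PBKDF2 hash, verifies a login in constant time, redacts password fields from a log line, and screens new passwords against a deny list. The deny list, the `key=value` log format and the helper names (`register`, `verify_password`, `scrub_log_line`) are constructed for the illustration; the iteration count follows OWASP’s published guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# Constructed deny list for the example: the most common entries from the
# NCSC's April 2019 analysis of breached accounts, plus two keyboard patterns.
# A production system would load a far larger list (ideally every password
# already known to have appeared in a breach) rather than this handful.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "1111111",
    "12345678", "abc123", "1234567", "password1", "12345",
    "qwertyuiop", "iloveyou",
}

# OWASP's current recommendation for PBKDF2-HMAC-SHA256. It is a parameter so
# that each stored record carries its own cost and can be upgraded later.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_LENGTH = 8


def password_is_acceptable(password: str) -> bool:
    """Apply the two checks the NCSC findings point to: a minimum length and
    a case-insensitive deny list of passwords known to be common."""
    if len(password) < MIN_LENGTH:
        return False
    return password.lower() not in COMMON_PASSWORDS


def store_plaintext(store: Dict[str, str], user: str, password: str) -> None:
    """The anti-pattern: the secret itself is written to the store, so anyone
    who can read the store (or a log it was copied into) can read every
    password. Included only for contrast with register() below."""
    store[user] = password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>'.
    A fresh random salt per user defeats precomputed tables; the slow KDF
    makes guessing expensive even for an insider holding the whole table."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in
    constant time so the comparison itself leaks nothing."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(store: Dict[str, str], user: str, password: str) -> bool:
    """Reject weak passwords, then store only the salted hash."""
    if not password_is_acceptable(password):
        return False
    store[user] = hash_password(password)
    return True


# Hypothetical log format for the example: key=value pairs, as a web tier might
# emit. Facebook's failure was precisely that such lines kept the raw password.
_SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd)=([^\s&]+)")


def scrub_log_line(line: str) -> str:
    """Redact password fields before a line reaches any log sink."""
    return _SECRET_FIELD.sub(r"\1=[REDACTED]", line)


if __name__ == "__main__":
    users: Dict[str, str] = {}
    print(register(users, "alice", "123456"))          # rejected: on the deny list
    print(register(users, "alice", "correct horse battery staple"))
    print(verify_password(users["alice"], "correct horse battery staple"))
    print(scrub_log_line("POST /login user=alice password=hunter2 status=200"))
```

The record format stores the scheme, cost and salt next to the hash, so a later move to a higher iteration count (or to Argon2 or scrypt) can be done per user at next login without a flag day. Redaction is done on the log line rather than relying on developers never to log request bodies, because the Facebook case shows that the latter assumption fails at scale.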

Among other news:

You can find more of April’s incidents in our list of data breaches and cyber attacks in April 2019.

May

In May 2018, the GDPR was taking the public consciousness by storm, people’s inboxes were littered with privacy policy updates and the Internet was full of GDPR memes.

May 2019 was a slightly less frantic affair, summarised in our blog The GDPR: A year in review. We brought together a panel of experts to discuss their first-hand experience of the way organisations had approached the Regulation and what the future might have in store.

Some commentators, like Senior Consultancy Manager Nicky Whiting, found that organisations had become complacent about their GDPR compliance requirements.

“Organisations are not fully prepared, and still have a long way to go and a lot of work to do. This can be attributed to a lack of resource, Brexit distractions and a lack of buy-in from senior management,” she said.

“As media attention has waned, a lot of organisations have taken their eye off the ball. Many have concluded that the ICO [Information Commissioner’s Office] won’t be imposing fines, since there’s been little news coverage about enforcement action.”

Among other news:

You can find more of May’s incidents in our list of data breaches and cyber attacks in May 2019.

June

A ransomware epidemic in the US reached fever pitch in June, after three Florida cities were targeted within the space of a few weeks.

The first was Riviera Beach, a small city north of Miami. But despite – or perhaps because of – its size, the city felt compelled to pay the cyber criminals’ ransom of 65 bitcoin, then worth about $600,000 (£480,000), after its systems had been down for three weeks.

The city had already set aside $1 million to buy new computers and hardware following the attack but decided it would be quicker and less expensive to simply pay up.

That was a disastrous decision, as it reinforced the precedent that if you infect local governments then they will pay up.

A week later, Lake City, a waypoint for tourists heading towards Orlando and southern Florida, caved to a demand of 42 bitcoin, worth about $460,000.

The following day Key Biscayne was infected, prompting the United States Conference of Mayors to take up the problem at its annual meeting. You can find out what they resolved to do by reading part two of our review of the year, which will be published shortly.

Among other news:

You can find more of June’s incidents in our list of data breaches and cyber attacks in June 2019.
