A royal baby, a fire at Notre-Dame, the highest grossing film of all time and more than 12 billion breached data records: 2019 has been quite a year.
IT Governance is closing out the year by rounding up 2019’s biggest information security stories. Part one covers January to June, while part two covers July to December.
Anyone doubting whether supervisory authorities would use the disciplinary measures imposed by the GDPR (General Data Protection Regulation) began the year with a jolt, as Google was fined €50 million (£44 million) by the CNIL, France’s data protection authority.
The penalty, which was by far the biggest GDPR fine in the eight months that the Regulation had been in effect, related to two violations: Google had failed to adequately explain to its users why it was collecting their data, and it didn’t document a legal basis for doing so.
Although two larger fines would be issued during the year, this penalty proved to be a landmark in demonstrating that regulators weren’t afraid to use their disciplinary powers.
Among other news:
- B&Q breached the personal data of 70,000 people who had been caught stealing products from its stores. Employees left a database containing the thieves’ names, the items they stole, the value of the goods and the stores they were taken from.
- More than 770 million people learned their email addresses had been made public in what would be known as the ‘Collection #1’ data breach.
- Sensitive data belonging to hundreds of German politicians and public figures was published online. The information included personal phone numbers and addresses, credit card details and instant message conversations.
- Victims of Equifax’s 2017 data breach were given the go-ahead to launch a class-action lawsuit.
- Singapore’s Integrated Health Information Systems sacked two managers and fined five senior staff, including CEO Bruce Liang, for their part in a data breach that affected 1.5 million people – just under a third of the country’s population.
- Countless office workers were forced to get back to their jobs after Reddit suspended a host of accounts in light of security concerns. The site’s security team suspected that users were being targeted in a credential-stuffing attack; this is where cyber criminals use a list of stolen usernames and passwords en masse to break into an account.
You can find more of January’s incidents in our list of data breaches and cyber attacks in January 2019.
Valentine’s Day 2019 proved to be particularly disheartening for many people, after rumours swirled that OkCupid users were being harassed by criminal hackers who had broken into their accounts.
The dating site denied that it had suffered a data breach, even though many users took to Twitter saying that someone had got into their account and changed their login credentials.
Worse, the attackers changed the email address associated with the account, preventing the legitimate owner from resetting their password. At least one victim said that the “hacker started harassing him with strange text messages”.
Dating sites are popular targets for cyber crime, and OkCupid wouldn’t be the first to disclose an incident. Plenty of Fish, eHarmony, AdultFriendFinder, Zoosk and – famously – Ashley Madison have all reported breaches.
The important thing is that organisations handle breaches responsibly, letting affected customers know promptly to give them a chance to respond appropriately. For example, customers might want to change passwords for other sites or check their bank account for signs of fraud.
Among other news:
- Lancashire-based Lad Media was wound up, and its director, Keith Hancock, was banned from forming or managing an organisation for four years, after the company was deemed to have violated the PECR (Privacy and Electronic Communications Regulations). The silver lining for Hancock was that the investigation began before the new PECR rules took effect, which would have given regulators the power to fine him, in addition to the organisation, up to £500,000.
- Video-sharing app TikTok agreed to a record $5.7 million (£4.2 million) fine with the US Federal Trade Commission after it was accused of illegally collecting minors’ personal data.
- Mumsnet disclosed a data breach affecting 4,000 people. A technical error that appeared during a software update meant that users who logged on simultaneously were directed to someone else’s account.
- More than a hundred bars, restaurants and cafés in the US were infected with malware. It was yet another case of point-of-sale vulnerabilities being exposed, as the US fails to expedite its transition to chip and PIN.
- California man Jay Brodsky brought a class-action suit against Apple, claiming that iPhone and Mac users are being forced into time-consuming two-factor authentication. Unsurprisingly, the judge dismissed the case.
- Toyota Australia was infected with malware, knocking out its website and other methods of communication. Many commenters were disappointed by the car manufacturer’s lack of transparency, as it refused to provide further details of the incident, including whether it was a ransomware attack.
You can find more of February’s incidents in our list of data breaches and cyber attacks in February 2019.
Facebook’s persistent denials that it is unable to protect users’ personal data weren’t helped in March, when the social media giant leaked 600 million passwords.
Security researcher Brian Krebs explained that Facebook’s internal company servers contained passwords stored in plaintext. This meant they were neither hashed nor encrypted, making them freely accessible to as many as 20,000 employees, most of whom had no legitimate reason to access the information.
Facebook said that the breach was discovered in January 2019 as part of an internal security review. It was confident that the incident represented only a breach of confidentiality and that no information was misused.
Although this is obviously positive news, it doesn’t absolve Facebook of blame or make the breach any less serious. There are plenty of cases where the extent of a breach isn’t known until the information resurfaces years later (as you might recall from Yahoo’s security meltdown).
Among other news:
- Users of Pandora and Clifford car alarms learned that they were at risk of having their car stolen due to a security vulnerability. The alarm manufacturers provide an app – which they claimed was “unhackable” – that allows users to lock their cars using their smartphone. However, security researchers found that all hackers had to do to override the system was send a different user’s email address as a parameter to the organisations’ backend to initiate a password reset.
- Facebook was back in the news after it suffered a 14-hour disruption to all its products, leaving them mostly inaccessible across the globe.
- IT Governance released its final Weekly Podcast.
- The US Oversight and Reform Committee learned that Donald Trump’s son-in-law/senior adviser, Jared Kushner, was using WhatsApp to conduct government business. Meanwhile, former deputy National Security Adviser K.T. McFarland was doing the same with her AOL account.
You can find more of March’s incidents in our list of data breaches and cyber attacks in March 2019.
April was a month of mixed results in the UK. On the one hand, the 2019 SonicWall Threat Report found that the UK was one of the few countries that saw a year-on-year reduction in ransomware attacks.
But another survey found that millions of Britons use weak passwords such as ‘password’ and ‘qwerty’. The most common password by far is ‘123456’, which is used by 23.2 million people – more than a third of the entire population.
Among other news:
- The Supreme Court gave Morrisons permission to appeal a ruling that found the supermarket liable for a data breach caused by a malicious insider. Morrisons previously lost two cases related to its March 2014 data breach, in which Andrew Skelton, a senior internal auditor at the supermarket’s Bradford office, leaked the payroll data of 99,998 employees. The Supreme Court is expected to make its decision in 2020.
- The software-as-a-service offering Land Lordz helped scammers trick travellers looking for accommodation on Airbnb. The program automates the creation of fake adverts and sends messages to advertise the fraudulent listings. Airbnb scams had been somewhat common before this, with many victims turning up to an address they’d booked on the site only to learn that the occupier had no idea that their property was being advertised. The number of scams eventually led to Airbnb launching a policy requiring hosts to verify their listings.
- US food giant Mondelez sued insurance company Zurich American for denying a $100 million (£77 million) claim filed after the NotPetya attack. The confectioner, which owns Cadbury and Oreo, says it lost 1,700 servers and 24,000 laptops as the ransomware swept through its systems, but Zurich American argued the damage was the result of an “act of war” and therefore isn’t covered by its policy.
- A fraudster posed as Hollywood actor Jason Statham in a catfishing scam targeting a woman whose fiancé and mother had both recently passed away. The victim said that “Statham” had sent her a Facebook message after she’d commented on a page dedicated to the actor. The two corresponded over the next few months, with the scammer eventually tricking her into transferring her money to help with an apparent cashflow problem.
You can find more of April’s incidents in our list of data breaches and cyber attacks in April 2019.
May 2019 was a slightly less frantic affair, summarised in our blog The GDPR: A year in review. We brought together a panel of experts to discuss their first-hand experience of the way organisations had approached the Regulation and what the future might have in store.
Some commenters, like Senior Consultancy Manager Nicky Whiting, found that organisations had become complacent about their GDPR compliance requirements.
“Organisations are not fully prepared, and still have a long way to go and a lot of work to do. This can be attributed to a lack of resource, Brexit distractions and a lack of buy-in from senior management,” she said.
“As media attention has waned, a lot of organisations have taken their eye off the ball. Many have concluded that the ICO [Information Commissioner’s Office] won’t be imposing fines, since there’s been little news coverage about enforcement action.”
Among other news:
- Tensions between the UK and China grew amid suggestions that Chinese tech giant Huawei would be prohibited from supplying core parts of the UK’s 5G phone network. Many people speculated that Huawei’s close ties with the Chinese government presented security risks, and thus the organisation should only be used for “non-core” parts of the system.
- GlaxoSmithKline and AstraZeneca warned job hunters about recruitment scams that imitated the pharmaceutical giants. Fraudsters were creating fake job adverts that were designed to steal people’s personal and financial details.
- One of the world’s largest cryptocurrency exchanges, Binance, was breached, with criminal hackers stealing 7,000 bitcoins (about £38 million at the time).
- WhatsApp urged users to update their software after it learned that cyber criminals were exploiting a vulnerability in its voice call function. The flaw allowed crooks to plant spyware on phones, giving them access to the device’s cameras and microphones, as well as users’ emails, instant messages and location data.
- For the second time this year, a story surfaced of teenagers hacking into their school’s email systems to notify staff and students about a ‘mandatory penis inspection’.
- HM Revenue and Customs was forced to delete more than five million people’s voice records after it learned that the way the information was collected breached the GDPR.
You can find more of May’s incidents in our list of data breaches and cyber attacks in May 2019.
A ransomware epidemic in the US reached fever pitch in June, after three Florida cities were targeted within the space of a few weeks.
The first was Riviera Beach, a small city north of Miami. But despite – or perhaps because of – its size, the city felt compelled to pay the cyber criminals’ $600,000 (about £480,000) ransom after its systems had been shut down for three weeks.
The city had already set aside $1 million to buy new computers and hardware following the attack but decided it would be quicker and less expensive to simply pay up.
That was a disastrous decision, as it reinforced the precedent that if you infect local governments then they will pay up.
A week later, Lake City, a waypoint for tourists heading towards Orlando and southern Florida, caved to a $460,000 ransomware demand.
The following day Key Biscayne was infected, which would force the United States Conference of Mayors to meet to address the problem. You can find out what their proposed solution was by reading part two of our review of the year, which will be released shortly.
Among other news:
- Leicester City FC announced that a cyber criminal broke into the club’s online shop and stole fans’ financial details.
- OGusers, a popular forum among cyber criminals, was raided by a rival group. The incident exposed the email addresses, hashed passwords, IP addresses and private messages of nearly 113,000 members of the online criminal hacking community. However, the damage was mitigated because the site’s administrator restored a backup from January 2019.
- A US medical bill and debt collection agency filed for Chapter 11 bankruptcy protection after suffering a data breach that exposed the sensitive personal data of at least 20 million people. RMCB (the Retrieval-Masters Creditors Bureau), the parent company of AMCA (the American Medical Collection Agency), spent more than $3.8 million (about £3 million) on notifying individuals that their personal data had potentially been compromised – $2.5 million of which the organisation’s CEO, Russell H. Fuchs, loaned the company himself.
You can find more of June’s incidents in our list of data breaches and cyber attacks in June 2019.