Welcome to the second part of our round-up of 2019’s information security stories.
The second half of the year began with major data privacy news: the UK’s data protection authority, the ICO (Information Commissioner’s Office), announced its intention to fine British Airways and Marriott International a combined £282.6 million for breaching the GDPR (General Data Protection Regulation). Each company is appealing its respective fine.
Although the GDPR prescribes a penalty regime of fines up to the greater of 4% of annual global turnover or €20 million (about £17 million), the scale of these first fines – and the extent to which the ICO clearly intends to crack down on organisations that fail to properly secure the personal data they process – took most organisations by surprise.
Among other news:
- The ICO began an investigation into how the TikTok video-sharing app handles children’s personal data. This follows on from the US FTC (Federal Trade Commission) issuing TikTok a $5.7 million (£4.2 million at the time) fine for violating the US Children’s Online Privacy Protection Act in February.
- The NHS was criticised for signing a deal with Amazon that allowed patients to access their health information via its Alexa voice assistant – potentially granting the online retail giant access to vast amounts of sensitive personal data.
- Laxman Muthiyah, a security researcher, was awarded a $30,000 (£24,000) bug bounty after discovering a vulnerability that could have led to Instagram accounts being hacked in ten minutes.
- The US FTC approved a $5 billion (£4 billion) fine for Facebook to settle an investigation into data privacy violations as part of the Cambridge Analytica scandal.
- Equifax agreed to pay up to $700 million (£561 million) as part of a settlement with the FTC over its 2017 data breach.
- The Chinese smart home vendor Orvibo leaked more than two billion user logs containing sensitive personal data such as names, email addresses, passwords and locations.
- After a series of ransomware attacks on US local governments, a group of more than 1,400 US municipal officials vowed not to pay any more ransomware attackers.
You can find more of July’s incidents in our list of data breaches and cyber attacks in July 2019.
In August, IBM and Ponemon Institute released their annual Cost of a Data Breach Report. The 2019 study found that the average total cost of a data breach was $3.92 million (£2.99 million), a 1.5% increase from 2018.
The majority of that cost came from lost business. Moreover, the financial impact of a data breach isn’t a short-term concern: about a third of costs occurred more than a year after the breach occurred.
The report also found that an average of 25,575 data records were compromised per incident and that the average time to identify and contain a breach was an alarming 279 days.
Among other news:
- US federal prosecutors charged a Seattle resident, Paige A Thompson, with stealing data related to more than 100 million Capital One credit applications.
- Digital bank Monzo told 480,000 customers to change their PINs after a data security incident.
- Suprema, a biometric security firm, was found to have exposed more than one million fingerprints and other sensitive data. The company’s BioStar 2 tool is used by thousands of companies worldwide, including the Metropolitan Police.
- A security researcher found that 40% of organisations respond to bogus DSARs (data subject access requests), breaching the GDPR in their attempts to comply with it.
- The European Central Bank shut down one of its websites after suffering a malware infection. Personal data, including names and email addresses, was compromised.
- The Swedish data protection authority, Datainspektionen, fined a local authority 200,000 Swedish kronor (£16,800) for unlawfully trialling a facial recognition programme at a high school – the authority’s first fine under the GDPR.
- Laxman Muthiyah, the security researcher who won a $30,000 bug bounty from Instagram in July, was awarded a further $10,000 (£8,200) after identifying another vulnerability.
You can find more of August’s incidents in our list of data breaches and cyber attacks in August 2019.
September’s highlight was undoubtedly the security incident in which the personal data of almost every Ecuadorian resident was compromised.
According to vpnMentor, which discovered the data, an unsecured server belonging to the Ecuadorian company Novaestrat exposed around 18GB of data relating to 20 million individuals, including their name, gender, date of birth, physical and email addresses, phone numbers, financial information, employment information and other identifiers.
Many data records related to deceased Ecuadorian citizens.
The breach, which vpnMentor said could have been prevented with basic security measures, was closed on 11 September 2019 and Ecuador’s government fast-tracked a draft privacy law through congress in response.
Among other news:
- The US FTC fined YouTube $170 million (£136 million) for collecting children’s personal data without their parents’ consent.
- Facebook confirmed that 419 million users’ phone numbers were exposed in an unsecured online database.
- The Emotet malware saw a resurgence, four months after its command and control servers were shut down. In 2018, US-CERT called the Trojan: “among the most costly and destructive [types of] malware” currently affecting organisations.
- An NHS clinic accidentally disclosed the email addresses of 2,000 transgender patients when it used the ‘Cc’ instead of ‘Bcc’ field in an email.
- Game developer Zynga announced that more than 200 million Words with Friends and Draw Something players may have had their login information illegally accessed.
- The European Court of Justice ruled that Google doesn’t have to apply the right to be forgotten globally.
- GandCrab – a notorious criminal hacking group responsible for innumerable high-profile cyber attacks – returned to action after apparently retiring in May.
- Scammers targeted holidaymakers affected by Thomas Cook’s collapse, claiming to offer refunds in return for customers’ credit card details.
You can find more of September’s incidents in our list of data breaches and cyber attacks in September 2019.
On 30 October, the Japanese media giant Nikkei revealed that, in late September, an employee of its American subsidiary, Nikkei America, fell victim to a scam that cost the company $29 million (about £22 million).
Nikkei disclosed little information about the incident, but confirmed that a fraudster emailed the employee posing as an executive. In other words, it was a form of BEC (business email compromise).
BEC attacks begin with a spear phishing attack sent to someone in the organisation who handles payments. Once the scammer gains access, they’ll monitor the victim’s email account, learning about suppliers and projects, seeking an opportunity to set their trap.
This often involves sending a fraudulent invoice that requests payment to a bank account that the criminal controls.
BEC scams have been on the rise in the past year, according to the FBI’s Internet Crime Complaint Center, which identified a 100% increase in financial losses between May 2018 and June 2019.
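The pattern described above (a message posing as an executive, a diverted reply address and an invoice with changed bank details) can be screened for on the receiving side. The following is an added example, not code from the original post; the executive roster, the company domain and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster of executives and the domain the company really sends from.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
INTERNAL_DOMAIN = "example-corp.com"
PAYMENT_WORDS = re.compile(r"\b(wire|invoice|bank|account|urgent|payment)\b", re.I)

def _similar(a, b, max_edits=2):
    """True when a and b differ by 1..max_edits edits (Levenshtein distance)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return 0 < prev[-1] <= max_edits

def bec_indicators(raw_message):
    """Return the BEC warning signs found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Display name is an executive's, but the address is not theirs (display-name spoofing).
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' but sender is {from_addr}, not {expected}")
    # 2. Sender domain is a near-miss of the company's own domain.
    if from_domain != INTERNAL_DOMAIN and _similar(from_domain, INTERNAL_DOMAIN):
        findings.append(f"lookalike sender domain {from_domain}")
    # 3. Reply-To silently redirects the thread to another mailbox.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 4. Payment or urgency language, the usual pretext for a changed bank account.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    if PAYMENT_WORDS.search(body):
        findings.append("payment/urgency language in body")
    return findings

# Constructed sample messages: one fraudulent, one ordinary.
SAMPLE_SCAM = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts@example-corp.com
Subject: Urgent supplier invoice

Please process the attached invoice today; the supplier's bank account details have changed.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Board meeting

See you at the board meeting on Thursday.
"""
```

Any non-empty result is a cue to hold the payment and confirm the request with the named executive through a channel other than email.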
Among other news:
- Three US and seven Australian hospitals were forced to close following a ransomware infection.
- The customer support ticket platform Zendesk disclosed a 2016 security breach that allowed a criminal hacker to access account holders’ personal data. Approximately 10,000 customers are thought to have been affected.
- TOMS Shoes’ mailing list was hacked. However, instead of stealing data or infecting the company with malware, the hacker emailed its customers to tell them to step away from their screens and stop missing out on the world.
- Twitter was criticised for profiting from personal data after using 14.1 million customers’ email addresses to sell personalised advertising.
- The High Court granted a group litigation order against British Airways in connection with its 2018 data breach, effectively giving the go-ahead to mass legal action from 500,000 customers.
- The Newcastle-based housing association Home Group suffered a data breach in which about 4,000 individuals’ personal data was compromised.
You can find more of October’s incidents in our list of data breaches and cyber attacks in October 2019.
November saw the usual annual increase in phishing scams as attackers sought to take advantage of the seasonal spike in online shopping: the cyber security company ZeroFOX reported that it detected 61,305 potential scams in the weeks leading up to the Black Friday/Cyber Monday weekend.
However, the most common type of scam this year didn’t involve online-only retailers like Amazon but high-street shops. This was probably because more people would be shopping offline than online, so scams imitating well-known chains would have a greater chance of success.
Among other news:
- The Labour Party suffered what it described as two “sophisticated and large-scale” cyber attacks on its campaign website. In fact, they were DDoS (distributed denial-of-service) attacks, which use botnets to flood their targets with traffic, causing them to crash under the weight of requests.
- The cyber security company Trend Micro proved that no organisation is immune from data breaches when a malicious employee sold personal information relating to 70,000 customers to a third party.
- T-Mobile confirmed that the personal data of more than one million US customers had been stolen. Compromised information included customer names, addresses and phone numbers.
- The Mexican oil company Pemex suffered a ransomware attack that demanded US$4.9 million (£3.82 million) to decrypt files.
- Thousands of Disney+ customers’ account details were hacked and put up for sale on hacking forums just hours after the streaming service was launched. Legitimate users then found themselves signed out of their accounts.
- Facebook and Twitter warned that hundreds of users’ personal data could have been exposed via third-party Android apps downloaded from the Google Play store.
- A new report into AggregateIQ, the Canadian data company with links to Cambridge Analytica, found that the organisation did not have appropriate consent for the Facebook campaigns it carried out on behalf of the Brexit campaign group Vote Leave. According to the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Privacy Commissioner of Canada, AggregateIQ also did not properly secure the data it misused. (AggregateIQ has the dubious honour of being the recipient of the ICO’s first enforcement notice issued under the GDPR.)
You can find more of November’s incidents in our list of data breaches and cyber attacks in November 2019.
On 13 December, New Orleans declared a state of emergency after its digital infrastructure was crippled by a ransomware attack. Nola.com reported that city agencies had to resort to pen and paper.
A spokesperson for the Mayor of New Orleans declined to answer questions about the attack but, according to Bleeping Computer, the Ryuk ransomware was to blame. Ryuk has been involved in numerous campaigns this year and is often distributed by the Emotet Trojan alongside the TrickBot information-stealing Trojan.
Among other news:
- The South African IT company Conor suffered a data breach when an unsecured database containing more than one million “highly sensitive and private” web browsing records was discovered by security researchers from vpnMentor.
- The German Internet service provider 1&1 Telecom GmbH was fined nearly €10 million (£8.5 million) by Germany’s BfDI (Federal Commissioner for Data Protection and Freedom of Information) for breaching the GDPR by not implementing appropriate technical and organisational security measures to prevent unauthorised access to personal data.
- Iran claimed to have defended itself from a state-sponsored cyber attack on its national infrastructure.
Barring any major incidents between this blog’s writing and its publication, that should be it for 2019. You can, of course, find our full list of December 2019’s data breaches and cyber attacks on this blog in January.