2019 end-of-year review part 2: July to December

Welcome to the second part of our round-up of 2019’s information security stories.

You can read the first part here >>


The second half of the year began with major data privacy news: the UK’s data protection authority, the ICO (Information Commissioner’s Office), announced its intention to fine British Airways and Marriott International a combined £282.6 million for breaching the GDPR (General Data Protection Regulation). Each company is appealing its respective fine.

Although the GDPR prescribes a penalty regime of fines up to the greater of 4% of annual global turnover or €20 million (about £17 million), the scale of these first fines – and the extent to which the ICO clearly intends to crack down on organisations that fail to properly secure the personal data they process – took most organisations by surprise.

Among other news:

You can find more of July’s incidents in our list of data breaches and cyber attacks in July 2019.


In August, IBM and Ponemon Institute released their annual Cost of a Data Breach Report. The 2019 study found that the average total cost of a data breach was $3.92 million (£2.99 million), a 1.5% increase from 2018.

The majority of that cost came from lost business. Moreover, the financial impact of a data breach isn’t a short-term concern: about a third of costs occurred more than a year after the breach occurred.

The report also found that an average of 25,575 data records were compromised per incident and that the average time to identify and contain a breach was an alarming 279 days.

Among other news:

You can find more of August’s incidents in our list of data breaches and cyber attacks in August 2019.


September’s highlight was undoubtedly the security incident in which the personal data of almost every Ecuadorian resident was compromised.

According to vpnMentor, which discovered the data, an unsecured server belonging to the Ecuadorian company Novaestrat exposed around 18GB of data relating to 20 million individuals, including their name, gender, date of birth, physical and email addresses, phone numbers, financial information, employment information and other identifiers.

Many data records related to deceased Ecuadorian citizens.

The breach, which vpnMentor said could have been prevented with basic security measures, was closed on 11 September 2019 and Ecuador’s government fast-tracked a draft privacy law through congress in response.

Among other news:

You can find more of September’s incidents in our list of data breaches and cyber attacks in September 2019.


On 30 October, the Japanese media giant Nikkei revealed that, in late September, an employee of its American subsidiary, Nikkei America, fell victim to a scam that cost the company $29 million (about £22 million).

Nikkei disclosed little information about the incident, but confirmed that a fraudster emailed the employee posing as an executive. In other words, it was a form of BEC (business email compromise).

BEC attacks begin with a spear phishing attack sent to someone in the organisation who handles payments. Once the scammer gains access, they’ll monitor the victim’s email account, learning about suppliers and projects, seeking an opportunity to set their trap.

This often involves sending a fraudulent invoice that requests payment to a bank account that the criminal controls.

BEC scams have been on the rise in the past year, according to the FBI’s Internet Crime Complaint Center, which identified a 100% increase in financial losses between May 2018 and June 2019.

Among other news:

You can find more of October’s incidents in our list of data breaches and cyber attacks in October 2019.


November saw the usual annual increase in phishing scams as attackers sought to take advantage of the seasonal spike in online shopping: the cyber security company ZeroFOX reported that it detected 61,305 potential scams in the weeks leading up to the Black Friday/Cyber Monday weekend.

However, the most common type of scam this year didn’t involve online-only retailers like Amazon but high-street shops. This was probably because more people would be shopping offline than online, so scams imitating well-known chains would have a greater chance of success.

Read more about seasonal phishing scams >>

Among other news:

You can find more of November’s incidents in our List of data breaches and cyber attacks in November 2019.


On 13 December, New Orleans declared a state of emergency after its digital infrastructure was crippled by a ransomware attack. Nola.com reported that city agencies had to resort to pen and paper.

A spokesperson for the Mayor of New Orleans declined to answer questions about the attack but, according to Bleeping Computer, the Ryuk ransomware was to blame. Ryuk has been involved in numerous campaigns this year and is often distributed by the Emotet Trojan alongside the TrickBot information-stealing Trojan.

Read the NCSC (National Cyber Security Centre) advisory about Ryuk >>

New Orleans wasn’t the only US city to fall victim to ransomware in December: Pensacola, Florida; Galt, California; and St Lucie, Florida were also attacked.

Among other news:

Barring any major incidents between this blog’s writing and its publication, that should be it for 2019. You can, of course, find our full list of December 2019’s data breaches and cyber attacks on this blog in January.


No Responses