2020 in review: July to December

Welcome to the second part of our cyber security review of 2020, in which we look back at the biggest stories from July to December.

You can read the first part here >>


July

With COVID-19 under control, the UK government announced that lockdown measures would be eased from 4 July, with pubs, cafés, cinemas and museums allowed to reopen.

Unfortunately, there was a hitch, with the government forced to scrap its original track and trace app, pushing the launch date back by months.

That meant that anywhere that planned to reopen was required to collect customers’ names and contact details upon entry and store the data for 21 days.

Organisations had just ten days to prepare, and for many, the customer check-in requirement proved to be a major challenge.

Some pubs ignored the rules altogether, and others created half-hearted solutions, such as a sign-in sheet at the bar, which left people’s names and contact details visible for anyone to see.

Nonetheless, by the time the NHS track and trace app finally launched in September, there had been no publicly disclosed incidents of businesses being investigated for data protection violations.

You can see more incidents from July in our list of data breaches and cyber attacks.


August

In August, the travel exchange firm Travelex collapsed into administration following ongoing losses related to the ransomware attack it suffered on New Year’s Eve 2019.

The damage caused by the attack, combined with the effects of the COVID-19 pandemic, “acutely impacted the business,” according to PwC, Travelex’s administrator.

The firm announced that 1,309 people would lose their jobs, but 1,802 positions in the UK and 3,635 globally were saved.

Unfortunately, this was just the latest in a surge of ransomware attacks. Later in the year, educational institutes and non-profits across the UK, the US and Canada announced disruption after a third-party software provider, Blackbaud, was attacked.

But in a year filled with ransomware cases,  the worst was yet to come, with a criminal hacking group announcing in October that it had donated a portion of its gains to charity.

The DarkSide crooks said they wanted to “make the world a better place”, after posting receipts for $10,000 in Bitcoin donations to The Water Project and Children International.

The move dumbfounded the cyber security community, with the BBC describing it as a “strange and troubling development, both morally and legally”.

You can see more incidents from August in our list of data breaches and cyber attacks.


September

After six months of lockdown, the cyber security community got its first significant look at COVID-19’s effect on data protection with the release of Ponemon Institute’s Cost of a Data Breach Report 2020.

It revealed that organisations now spend $3.86 million (about £2.9 million) recovering from security incidents, which represents a slight decrease on 2019.

Ponemon’s researchers credit this to organisations doing a better job strengthening their cyber defences and incident response capabilities.

The report also highlighted the relationship between the cost of a data breach and the time it takes organisations to contain it – with the key time frame being 200 days.

Organisations that can detect and respond to an incident within this period save about $1 million (about £750,000).

You can see our list of incidents from September in our list of data breaches and cyber attacks.


October

An investigation published by the ICO (Information Commissioner’s Office) in October revealed that Experian had been selling millions of people’s personal information without their consent.

The credit reference agency sold personal data to political parties and organisations that used it to identify who could afford products and services.

Although Experian made efforts to better its practices, the ICO said further improvements are necessary, and has given the organisation nine months to make appropriate changes, with the threat of a GDPR (General Data Protection Regulation) penalty looming.

The ICO found that two other major credit reference agencies – Equifax and TransUnion – had committed similar violations, but they avoided further action because they adjusted their processes following a warning.

You can see more incidents from October in our list of data breaches and cyber attacks.


November

In November, security experts discovered a data breach at Spanish software firm Prestige Software. It meant that more than 10 million files that had been collected via hotel and travel services including Expedia, Booking.com and Hotels.com were leaked online.

This included guests’ full names, email addresses, phone numbers and credit card details.

The incident occurred after the firm failed to password-protect an AWS S3 bucket that held the personal details of hotel guests dating back to 2013.

Ray Walsh, a digital privacy expert at ProPrivacy, told the Independent: “Anybody who has made a hotel booking with these major hotel reservation platforms since 2013 is potentially at risk.

“The data that was left exposed could easily be used by cybercriminals to launch secondary phishing attacks, or to commit fraud or identity theft in the future.”

You can see more incidents from November in our list of data breaches and cyber attacks.


December

December is often a quiet time in the cyber security sector, with businesses winding down for Christmas.

Unfortunately, much like the rest of the year, there was an unwelcome surprise waiting, with the cyber security giant FireEye announcing that it had been targeted by a sophisticated cyber attack.

The attackers stole an arsenal of hacking tools that FireEye uses to test the defences of its clients, which include an array of government and US national security agencies.

These tools could cause untold damage in the wrong hands, which is why this incident is being described as “among the most significant breaches in recent memory”.

Matt Gorham, the FBI’s assistant director for the Cyber Division, said that, although the incident is still under investigation, preliminary indications show that the perpetrator’s methods were highly sophisticated and consistent with a nation state attacker.

A former Defense Department official familiar with the case said Russia was high on the list of suspects.

The good news is that there is no evidence so far that the tools have been used by malicious actors – but the way this year has been, perhaps there is one final blow to come.

Presuming that’s not the case, it brings us to the end of our cyber security review of 2020.

You will be able to find the full list of December’s data breaches and cyber attacks on this blog in January – make sure you subscribe to our Weekly Round-up to catch it.

The Weekly Round-up: subscribe now