2022 will go down as the year where some semblance of normality returned. Social distancing restrictions were gone, masks disappeared and we made travel plans unfettered by fear of positive lateral flow tests. These were truly precedented times.
Although there have still been a few surprises, with the death of Queen Elizabeth II and blazing heatwaves across the UK to name but two, it was a familiar year in the cyber security landscape.
Cyber criminals continued to wreak havoc, with the likes of Twitter, Uber and Neopets all reporting mammoth data breaches. In total, we have so far reported more than 1,000 data breaches in 2022, with almost half a billion breached records.
Meanwhile, GDPR (General Data Protection Regulation) enforcement continues apace. Google, Clearview AI, and Meta all receives hefty penalties in 2022, demonstrating the continued important of effective information security.
But these were far from the only notable cyber security headlines of the year. It’s been a year full of predictable and unpredictable incidents alike, and in this blog, we’ve compiled the most memorable stories of 2022.
January
For a certain sector of the population, 2022 was going to be the year of the NFT (non-fungible token). Despite the absurdity of the concept – people forking over significant sums of money to own a JPEG – tech utopiasts were certain that it would revolutionise online content creation.
But there is a crucial flaw in their reasoning, one that has been pointed out with increasing regularity: the value of an object is based on its scarcity, and you cannot stop people sharing copies of a digital file.
Plus – and here’s a more obvious problem – there is no physical asset that you possess, and if the digital copy is compromised, you own nothing.
These problems came into sharp focus in January, when an NFT trader had a public meltdown after being scammed out of 16 NFTs that were valued at $2.2 million (about £1.5 million at the time).
Todd Kramer, a New York-based art curator, said he was targeted by a cyber criminal who sent him an email that masqueraded as a contract.
The message appeared to come from a genuine source, but after Kramer provided his credentials, he learned that he’d given an unauthorised person access to his wallet and digital assets.
Kramer’s collection included images from the highly coveted ‘Bored Ape Yacht Club’.
“I been hacked,” Kramer wrote on Twitter. “All my apes gone. This just sold please help me.”
The tweet went viral almost immediately, and although many users were mocking (as you’d expect from Twitter), the volume of traffic caught the attention of the Bored Ape community, which helped Kramer retrieve some of his files.
It remains the most public incident demonstrating the cyber security risks of NFTs, and although this alone didn’t make people come to their senses, the discourse has evolved throughout the year, with the value of many NFTs cratering.
You can see more incidents from January in our list of data breaches and cyber attacks.
February
Tensions rose throughout February as the Russian military amassed across the Ukrainian border. Although Vladimir Putin and his sympathisers assured the world that they were simply conducting military exercises, the inevitable occurred on 24 February, when troops mobilised and war was declared.
The incursion was accompanied by a flurry of cyber attacks from hackers on both sides of the conflict. Some of those assaults were directly tied to ground operations, such as Russia’s malware attack on the Ukrainian military hours before it launched a full-scale invasion.
Other attacks had more broadly political motives. A group of Ukrainian hackers took the Moscow Stock Exchange offline on Monday, while the hacking collective Anonymous, which has declared “cyber war” against Russia, said it had taken down RT News, the Russian state-controlled television network.
Meanwhile, the EU responded to calls for help from Ukraine, and set up a cyber rapid-response team comprised of 12 volunteers tasked with helping cyber attack victims.
In the midst of all this, organisations across Europe reported delays as a result of alleged state-sponsored attacks – including Toyota’s Japanese plants and a kettle manufacturer in the Isle of Man.
You can see more incidents from February in our list of data breaches and cyber attacks.
March
The risks related to the war in Ukraine spilled over into domestic soil in March, with organisations in the UK being urged to bolster their cyber security defences in case Russia targets Ukrainian allies.
The UK’s NCSC (National Cyber Security Centre) warned businesses that they could be targeted either directly or as part of a criminal hacking initiative.
J. Michael Daniel, the head of Cyber Threat Alliance and former White House cyber coordinator for President Barack Obama, warned that sophisticated attacks, such as worms, could create spillover incidents that go beyond their intended target.
“You could take anything from emergency services, health care systems, or other things offline without meaning to. Which both has an immediate impact – you could hurt civilians inside Russia – and it could also inadvertently escalate things if the Russians perceive that as a direct order,” he said.
It later transpired that, prior to the NCSC’s warning, the UK Foreign Office had been hacked by a suspected nation state. Fortunately, this was the only major cyber attack against a UK-based organisation that was directly tied to Russia’s invasion of Ukraine.
Elsewhere in March, Meta – the parent company of Facebook – was handed a €17 million (about £14.2 million) fine for twelve breaches of the GDPR.
The Irish Data Protection Commission, which led the investigation, revealed that the tech giant breached Articles 5(1), 5(2), 24(1) and 32(1) of the Regulation.
Articles 5(1) and 5(2) state that personal data must be processed lawfully, fairly and in a transparent manner, and that the data controller must be able to demonstrate that it is doing so.
Articles 24(1) and 32(1) state that organisations must implement appropriate technical and organisational measures to protect personal data.
You can see more incidents from March in our list of data breaches and cyber attacks.
April
April saw a ransomware gang bucking the much-repeated advice given by cyber security researchers that criminal hackers target vulnerabilities rather than specific organisations.
Yet, in April, the Stormous ransomware gang announced that it had hacked Coca-Cola and stolen 161GB of data after polling the public on which organisation they should target next.
Source: Security Affairs
Coca-Cola received an overwhelming majority of the votes, beating out the toy maker Mattel, the online education platform Blackboard, the tech firm Danaher and General Electrics’ aviation subsidiary.
Cyber criminals rarely target specific organisations in this way, and unless the gang had already identified vulnerabilities in each of those organisations, they would be taking a risk in assuming that they would later find one.
The story only became more curious when the group put the information up for sale on the dark web for a little over $64,000 (about £51,000) in bitcoin. It’s a shockingly low sum given the amount of information reportedly stolen and the reputation of the victim.
By comparison, a report published last year found that US firms pay $6 million on average in ransomware demands.
Given the unusual nature of the attack, some experts doubted whether their group’s claim was genuine. Coca-Cola didn’t confirm that it had fallen victim, with a spokesperson saying: “We are aware of this matter and are investigating to determine the validity of the claim. We are coordinating with law enforcement.”
There usually isn’t much doubt about whether you’ve been hit by ransomware. Either your systems have been crippled and you’ve received an extortion demand or you haven’t.
Few details emerged after this initial comment, leaving us no closer to learning what actually happened. Was it a fake claim? Did anyone purchase the apparently stolen data? Did Coca-Cola quietly pay off the gang?
You can see more incidents from April in our list of data breaches and cyber attacks.
May
Russian-sponsored cyber attacks continued to dominate the headlines in May, with the Italian police force announcing that it thwarted a cyber attack on the Eurovision Song Contest.
The competition, which took place in Turin, is ostensibly an opportunity for European countries to demonstrate the best (or worst) of their nation’s singing talents.
However, over the years it’s faced criticism that votes are cast based on diplomatic allegiances rather than the quality of the contestants, and as many people predicted, Ukraine’s Kalush Orchestra eventually won the competition with the song “Stefania”.
The rap group gained an overwhelming majority of the public vote in what was likely as much a show of support for the nation’s plight as it was about the popularity of the song.
But the contest, which was watched by more than 200 million people, was nearly brought to a halt by cyber criminals, according to a Reuters report.
Throughout the semi-final and final, the Italian police force’s cyber security department blocked several attacks on the venue’s network infrastructure.
The attacks were traced to the Russian-based criminal hacking group Killnet and its affiliate Legion.
The group conducted a DDoS (distributed denial-of-service) attack aimed at network infrastructure during performances and voting in an attempt to disrupt proceedings.
However, thanks to the event organisers’ effective planning, the contest was largely unaffected.
The Italian authorities said that more than 100 police officers monitored the event, enabling them to spot and respond to the attacks promptly. They also had support from Eurovision TV and the IT firm ICT Rai.
You can see more incidents from May in our list of data breaches and cyber attacks.
June
The midpoint of the year was a wheely bad month for cyber security in the UK, with the delivery firm Yodel and the food provider Meals on Wheels confirming data breaches.
Wiltshire Farm Foods – whose parent company Apetito produces and delivers 900,000 meals and pudding a week in the UK – announced that it had been crippled by a cyber attack that was thought to be ransomware.
In a statement, the Trowbridge-based organisation said it was “currently experiencing severe difficulties” with its IT network.
Commenting on the incident, cyber security researcher Kevin Beaumont said: “They’re not saying it, but [it’s] ransomware.”
“The new trend in ransomware is not talking about it, which will surely help matters,” he added, noting his sarcasm.
Meanwhile, Yodel customers – who are no strangers to waiting weeks for their packages – were told to expect delays after the delivery firm suffered a cyber attack.
In an message posted on its website, Yodel said: “We are working to restore our operations as quickly as possible but for now, order tracking remains unavailable and parcels may arrive later than expected.”
As with Wiltshire Farm Foods, Yodel did not say how it was attacked but it had all the hallmarks of ransomware. Notably, the damage was primarily related to service disruption, as opposed to the exfiltration of personal data.
Although it offered few specific details about the nature of the attack, Yodel’s response was exemplary. On its website, it wrote: “As soon as we detected the incident, we launched an investigation, led by our internal IT division and supported by a digital forensics group.
“We are deploying all efforts to resolve the situation as quickly as possible and continue to work closely with authorities and law enforcement.”
You can see more incidents from June in our list of data breaches and cyber attacks.
July
The second half of the year kicked off with a data breach at the virtual pet website Neopets. The attack occurred after a criminal hacker compromised the organisation’s systems and stole source code and the personal data of 69 million members.
The stolen information includes members’ usernames, names, email addresses, zip codes, dates of birth, gender and other information related to their gaming activity.
At the time of writing, it’s the largest confirmed data breach of 2022.
There was initially scepticism regarding the veracity of the cyber criminals’ claim. However, the owner of the Breached.co hacking forum verified the hacker’s claims by registering an account on Neopets.com and being sent their newly created record from the database.
“Vouch, I registered an account on the website and he sent the full entry,” pompompurin posted to the Breached.co forums.
This confirmation also revealed that the criminal hacker continued to have access to the Neopets’ internal systems even as they began selling the stolen data.
You can see more incidents from July in our list of data breaches and cyber attacks.
August
Throughout this summer, the UK continued to record high temperatures amid a months-long drought. Hardly a good time for South Staffordshire Water, which services approximately 1.3 million people, to announce that it had fallen victim to a cyber attack.
The criminal hackers claimed to have access to the organisation’s SCADA systems, which control industrial processes at treatment plants.
“It would be easy to change chemical composition for their water but it is important to note we are not interested in causing harm to people,” the group said.
South Staffordshire Water confirmed the breach in a statement but rebuffed the criminals’ claims that it could poison water supplies, insisting that it is “still supplying safe water to all of our Cambridge Water and South Staffs Water customers”.
The incident occurred a week after the UK Environment Minister, George Eustice, told water companies last week to take precautions to protect supplies.
He highlighted the need to fix leaking pipes, with the country losing almost 2.4 billion litres of water per day due to leaks.
“I have urged them to take any precautionary steps needed to protect essential supplies as we go into a likely very dry autumn,” Eustice said in a statement. He added: “All water companies have reassured me that water supplies remain resilient across the country.”
It’s therefore clear to see why a water supplier would make an excellent target for a cyber attack. South Staffordshire Water was reportedly infected with ransomware, which is a type of malware that encrypts the victim’s files and essentially locks them out of their systems.
You can see more incidents from August in our list of data breaches and cyber attacks.
September
Revolut became the latest high-profile fintech firm to suffer a cyber attack, after confirming in September that it had fallen victim to a “highly targeted” social engineering attack.
All signs pointed to a senior employee being tricked by a spear phishing or whaling scam.
These are types of social engineering attacks in which a fraudster targets a high-level employee, with a tailored message based on information they can find online. The attacker might, for example, search social media to find the name, email address and job title of a company director.
According to the breach disclosure to the State Data Protection Inspectorate in Lithuania – where Revolut has a banking licence – 50,150 customers were affected.
The information is thought to include customers’ full names, email addresses, postal addresses, phone numbers and account details.
Despite the scale of the breach, Revolut has downplayed the damage. A spokesperson said:
“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted.”
Initial reports suggested that some customers’ payment card data was also compromised, but Revolut has since denied this. “Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal,” the spokesperson added.
To compound matters, Revolut customers later reporting that they were being sent suspicious text messages.
Cyber security researcher Graham Cluley shared several of the messages that he received, which claimed that his account had been frozen.
Source: Graham Cluley
Cluley was sent several messages encouraging him to follow a link to ‘https://frozen-revolut.com’. The texts said that he must follow the instructions on that page to avoid restrictions, and in one message, because his identity was no longer verified.
It’s likely that the messages are a direct result of the recent data breach, with the attackers using the compromised personal details to target Revolut customers.
You can see more incidents from September in our list of data breaches and cyber attacks.
October
In yet another case of cyber criminals pouncing on the uncertainty caused by a developing news story, a phishing campaign emerged in October that took advantage of Twitter’s plans to overhaul its verification process.
The so-called ‘blue tick’ (actually a white tick on a blue badge) was previously a currently a free feature used on approximately 300,000 accounts – most of which are associated with celebrities, brands and other notable figures.
But after Elon Musk purchased the social media giant, he floated plans to charge users a monthly subscription fee to retain their verified status.
Days later, TechCrunch reporter Zack Whittaker shared an email he received supposedly confirming the decision, with the missive claiming that he would be able to retain his blue-badge status for free if he followed an attached link.
Fortunately, as Whittaker notes, the message itself is “crude” and should be easily detectable by anyone who is on their guard. It uses all the classic techniques of a phishing scam, with the most notable being the request for users to follow a link and provide their personal information.
Moreover, the email introduces a sense of urgency and exclusivity, claiming that if the recipient doesn’t provide their details in the next two days, they will no longer be able to verify their account for free.
The message reads: “The verification badge will be $19.99 per month for some users after November 2, 2022. […] To receive the verification badge for free and permanently, please confirm that you are a well-known person. If you don’t provide verification, you will pay $19.99 every month like other users to get the verification badge.”
This is an attempt to get the recipient to act rashly. Scammers know that without a deadline, users are likely to put off the task, which may mean they’ll reconsider the message and realise that something is amiss – or that they will tell someone about the offer and learn that it isn’t genuine.
You can see more incidents from October in our list of data breaches and cyber attacks.
November
If October was a bad month for the users of the cryptocurrency exchange platform FTX – having spiralled into bankruptcy amid financial mismanagement – then November was a catastrophe.
They were justifiably furious that their investments had been wiped, while the organisation’s founder Sam Bankman-Fried had bafflingly not yet been arrested under investigation for fraud.
Then something strange happened. A video emerged on Twitter that appeared to show Bankman-Fried offering an opportunity for users to recoup their losses.
In reality, it was a deepfake designed to trick people into handing over even more of their money.
“Hello everyone. As you know our FTX exchange is going bankrupt,” the deepfake Bankman-Fried said.
“But I hasten to inform all users that you should not panic. As compensation for the loss we have prepared a giveaway for you in which you can double your cryptocurrency. To do this, just go to the site ftxcompensation.com.”
Users who followed the link were redirected to a website that reads: “Biggest giveaway crypto of $100,000,000.
“Send the desired number of coins to the special address below. Once we receive your transaction, we will immediately send the requested amount back to you. You can only take part in our giveaway once. Hurry up!”
To compound matters, the video was posted from a Twitter account that fully replicated Bankman-Fried’s, thanks to the site’s recent blue-checkmark fiasco which allowed anyone to verify themselves if they paid a subscription fee.
The account, which belongs to the now-suspended Twitter user “s4ge_ETH”, was verified, had Bankman-Fried’s handle “SBF” and his Twitter avatar.
The video directed viewers to visit a website where they could enter a giveaway to win cryptocurrency. These are common scams and are often run using accounts that impersonate celebrities – although the use of deepfake footage takes this to another level.
You can see more incidents from November in our list of data breaches and cyber attacks.
December
The final month of the year is usually the busiest for retailers, but it was disastrous for Intersport as it fell victim to a ransomware attack.
a malware intrusion froze cash registers across its French stores, leaving customers unable to make purchases or use loyalty cards and gift vouchers.
Employees scrambled to keep shoppers informed of the disruption, with a spokesperson for the organisation saying (via machine translation): “We work with manual checkouts, we have to note everything by hand to ensure that the stocks follow, which sometimes causes a bit of a wait.”
Intersport was initially confident that the attackers didn’t access customer data, but a Tech Monitor report claims that the Hive ransomware gang posted the information online weeks after the attack.
This incident is the perfect demonstration of the way ransomware attacks have evolved in 2022. Traditional extortion attempts involve the primary intrusion, in which the victims’ systems are crippled, accompanied by a ransom demand in order to decrypt the compromised systems.
That technique was hugely successful, but a shift in the cyber security landscape has resulted in fraudsters leveraging their position in what has come to be known as ‘double extortion’. Not only do they cripple organisations’ systems but they also threaten to publish stolen data.
The victim can now not simply rebuff the ransom demand, a practice that became more common as organisations realised the futility of negotiating with attackers. They learned that even if they paid up, there was no guarantee that the criminals would keep their word.
That the ransomware gang published the stolen data two weeks after the organisation was infected suggests that Intersport was threatened with the possibility of customers’ data being posted online and that it refused to negotiate.
Whether you consider that a positive outcome depends on your stance on negotiating with cyber criminals. Most experts urge organisations not to pay up, and would commend Intersport’s decision – even though it is now dealing with a very public PR incident.
Keep an eye out on our website for our list of data breaches and cyber attacks from December.
What can we expect in 2023?
2022 was supposed to be the year when things returned to normal, but the cyber security sector and the world at large has defied those expectations.
As much as we talk of the end of ‘unprecedented times’, organisations must realise that the way business is done has changed forever, and risks will continue to evolve in a post-COVID landscape.
According to Cisco’s 2022 Cybersecurity Almanac, the amount of money organisations spend recovering from cyber attacks is expected to increase by 75% in the five-year period from 2021 to 2025, reaching as much as $10.5 trillion (about £8.9 trillion).
Meanwhile, global spending to prevent cyber attacks is predicted to increase by the same percentage during that period.
Organisations are continually urged to invest more in defences – whether it’s technological solutions, staff awareness training or revamped compliance practices – but if those solutions aren’t part of a cohesive strategy, the benefits will be minimal.
It’s why many experts recommend taking a defence-in-depth approach to cyber security.
The framework consists of five interrelated stages (or ‘layers’) to mitigate the risk of data breaches: detection, protection, management, response and recovery.
Even if one of these defensive layers is breached, the next works to further contain the damage.
Whatever your resources or expertise, a defence-in-depth approach to cyber security will give you the best chance of mitigating the cyber security risks your organisation faces, so you can focus on your core business objectives without having to worry about coming under attack.
You can find out more about defence in depth, and the ways IT Governance can help, by getting in touch with us today.
We also have webinars on each of the five stages of defence in depth, hosted by IT Governance’s founder and executive chairman, Alan Calder. You can watch each of these presentations for free on our website.
