Weekly podcast: 2018 end-of-year roundup

This week, in our last podcast of the year, we revisit some of the biggest information security stories from the past 12 months.

Hello and welcome to the final IT Governance podcast of 2018.

As is now traditional, I’ve installed myself in the porter’s chair next to the fire in the library, ready to recap some of the year’s more newsworthy information security events. For more information on each story, simply follow the links in the transcript on our blog.

January

The year started with the revelation of Spectre and Meltdown – major security flaws affecting processors manufactured by Intel, ARM and AMD. The vulnerabilities affected almost every system, including desktops, laptops, servers and smartphones. Patches were rushed out, but many caused problems of their own.

Also in January, the ICO (Information Commissioner’s Office) fined Carphone Warehouse £400,000 – one of the largest fines it issued under the DPA (Data Protection Act) 1998 – for multiple security inadequacies that led to a 2015 data breach in which three million customers’ personal data was compromised.

And the World Economic Forum released its Global Risks Report 2018, which placed cyber attacks sixth in the top ten global risks by perceived impact – behind weapons of mass destruction, extreme weather events, natural disasters, failure of climate-change mitigation and adaptation, and water crises.

February

February saw a surge in surreptitious cryptomining or ‘cryptojacking’. Rather than dropping ransomware on victims’ machines and hoping they would pay to regain access to their files, cyber criminals were increasingly cutting out the middle man and infecting victims’ machines with software that used their spare processing power to mine for cryptocurrency.

Even government and public bodies’ websites – including, ironically, the ICO – were found to be running cryptomining software after a third-party plug-in was compromised, but it transpired that the crooks were only able to mine a paltry $24 – which Coinhive refused to pay out anyway.

Also in February, a cyber attack hit the Pyeongchang Winter Olympics, taking the games’ official website offline shortly before the opening ceremony. The Russian foreign ministry denied rumours of Muscovite involvement.

March

In March, it transpired that a further 2.4 million US customers had been affected by 2017’s Equifax breach, bringing the total number of victims to 147.9 million.

In more light-hearted news, Amazon’s Alexa voice assistant unsettled users by randomly laughing, which, somewhat unsurprisingly, caused many Twitter users to draw comparisons with HAL 9000 refusing to open the pod bay doors in 2001: A Space Odyssey. “I’m sorry, Dave. I’m afraid I can’t do that.”

And then there was the Cambridge Analytica scandal, which broke when the former employee and whistle-blower Christopher Wylie revealed to the Guardian that the political consulting firm had harvested 50 million Facebook users’ personal data and used it for political purposes.

April

In April, the UK’s NCSC (National Cyber Security Centre), the US Department of Homeland Security and the FBI issued a joint Technical Alert about malicious cyber activity carried out by the Russian government after multiple sources reported that “Russian state-sponsored actors [were] using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations”.

The ICO fined the Royal Borough of Kensington and Chelsea £120,000 for breaching the DPA 1998 when it accidentally identified 943 people who owned vacant properties in the borough, following the Grenfell Tower tragedy.

And NATO launched “the largest and most advanced international live-fire cyber defence exercise” to “practise protection of national IT systems and critical infrastructure under the intense pressure of a severe cyber attack”.

May

In May, the Department of Health and Social Care signed a deal with Microsoft to upgrade the NHS’s extensive IT estate to Windows 10 in an attempt to bolster its cyber resilience in the wake of 2017’s WannaCry ransomware outbreak.

Equifax issued its financial report for the first quarter of 2018, revealing that its huge 2017 data breach had so far cost it $242.7 million.

The NIS Directive was enacted in the UK as the NIS Regulations on 10 May.

And, of course, on 25 May the GDPR came into effect.

June

In June, the genealogy and DNA testing site MyHeritage announced that more than 92 million users’ credentials had been compromised in October 2017.

Dixons Carphone admitted suffering a major data breach in July 2017, involving 5.9 million payment cards and 1.2 million personal data records, and a second breach, in which customers’ names, addresses and email addresses were accessed. However, by the time it concluded its investigation into the incident in August, it had found that as many as 10 million customers could have been affected rather than the 1.2 million it initially estimated.

Exactis, a Florida-based marketing and data aggregation company, reportedly exposed a database containing 340 million very detailed data records via a publicly accessible server.

And the ticket sales and distribution company Ticketmaster notified the users of its UK site that their personal information could have been compromised after a malware infection on a support product hosted by Inbenta Technologies was found to be exfiltrating data – including payment information – to the Magecart group. Inbenta, however, said that Ticketmaster had used Inbenta JavaScript code on its payments page of its own volition, and without notifying Inbenta. Ticketmaster denies responsibility.

July

July saw NHS Digital blame a third-party coding error for a data breach in which the confidential health information of 150,000 patients was shared against their will. Patients who registered what were known as type 2 opt-outs at GP surgeries that used TPP’s SystmOne software after 31 March 2015 nevertheless had their confidential health information shared by NHS Digital for use in clinical research because their objections to its being used for anything other than their own care were not passed on.

The ICO issued an interim report on its investigation into the Cambridge Analytica scandal, and the Information Commissioner stated her intention to fine Facebook £500,000 for two breaches of the DPA 1998 – the maximum penalty applicable under the law that was in force at the time of the breaches. (It was estimated that it would take the social media giant about five and a half minutes to generate enough revenue to pay for the fine.)

Google released version 68 of its Chrome browser and, with it, started marking all websites that use HTTP as ‘not secure’ in a move to nudge site owners towards using HTTPS.

And security researchers from UpGuard discovered ten years’ worth of sensitive documents from more than 100 manufacturing companies exposed on a publicly accessible rsync server belonging to the engineering firm Level One Robotics. Among the companies affected were divisions of Volkswagen, Chrysler, Ford, Toyota, General Motors and Tesla.

August

In August, Yale University announced that it had discovered a log revealing a ten-year-old data breach on its systems, in which personal information relating to people affiliated with the university before February 2009 was compromised. 119,000 individuals were affected.

And Reddit revealed that in June it had suffered a data breach after an attacker compromised some staff accounts by intercepting SMS two-factor authentication codes, and gained access to logs containing Redditors’ usernames and email addresses. An unspecified amount of corporate data, including “source code, internal logs, configuration files and other employee workspace files”, was also compromised. Reddit didn’t disclose how many users might have been affected, nor did it say it was going to notify those whose current email addresses and usernames had been accessed. Users were encouraged to change their passwords.

September

In September, the broadband provider Plusnet migrated to a new customer billing system, and – as befalls so many companies during large-scale system upgrades – suffered a data breach in the process. Some customer accounts showed the wrong names and addresses, former and existing customers reported receiving incorrect payment notifications, and customers were unable to access their accounts at all because of an extended maintenance period.

The ICO fined Equifax £500,000 for failing to protect the personal information of up to 15 million UK citizens, who were affected by the 2017 data breach that compromised a total of 147.9 million customers worldwide. This was the maximum penalty available under the DPA 1998 and was the largest fine the ICO had issued to date – although it had, of course, announced its intention to fine Facebook the same amount following the Cambridge Analytica scandal.

British Airways apologised after 380,000 customers’ personal and financial information was compromised as a result of a “malicious attack”.

And the controversial ride-sharing company Uber agreed to pay a $148 million settlement in connection with its attempt to cover up a data breach in 2016, in which some 57 million customers’ and drivers’ data – including names, email addresses, mobile phone numbers and driving licence details – was exposed.

October

In October, Facebook admitted that the accounts of nearly 50 million users had been exposed by a vulnerability in its “View as” function – a feature that lets users see how other people view their profiles. The security flaw allowed attackers to steal access tokens (digital keys that keep people logged into Facebook), which they could then use to take over accounts – and third-party platforms that used Facebook logins. The number of victims was subsequently revised downward to 30 million.

Google revealed that as many as 438 third-party apps were potentially able to access the data of up to 500,000 Google+ account holders without their permission because of a vulnerability in one of its APIs. It had discovered and fixed the flaw in March 2018 as part of an audit, but opted not to disclose it at the time. It also announced in the same blog that it would be shutting down the consumer version of Google+ by next August.

The ICO fined Heathrow Airport Limited £120,000 under the DPA 1998 “for failing to ensure that the personal data held on its network was properly secured” when, in October 2017, an airport employee lost a USB memory stick containing more than 1,000 unencrypted files. A member of the public found the memory stick, viewed its contents (it wasn’t password protected either), and then passed it to the Sunday Mirror.

It was revealed that the US Department of Defense was investigating a major third-party data breach in which the travel records of military and civilian personnel – which included their personal information and credit card data – were compromised. According to an anonymous official interviewed by the Associated Press, “the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues”.

The ICO fined Facebook £500,000 for its part in the Cambridge Analytica scandal – as it had said it was going to in July – and, as a result of the same investigation into data analytics for political purposes, issued its first GDPR enforcement notice, to AggregateIQ Data Services.

And the Court of Appeal upheld the High Court’s ruling that the supermarket Morrisons was vicariously liable for the actions of a rogue employee who compromised 99,998 staff members’ personal data in 2013 – even though Morrisons was compliant with data protection law and was the victim of the data breach itself. It intends to take the case to the Supreme Court.

November

In November, HSBC’s US division reported that it had suffered a data breach in which unauthorised users accessed customers’ names, addresses, phone numbers, email addresses, dates of birth, account numbers, balances, transaction histories, payee account information and statement histories.

A report issued by the US Government Accountability Office found that the Office of Personnel Management had failed to comply with 28 of the 80 recommendations made in the aftermath of its massive 2015 data breach.

The ICO fined Uber £350,000 and the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, fined it €600,000 for the data breach it tried to cover up in 2016.

Consumer agencies in seven EU countries filed complaints against Google with their national data protection authorities for tracking users who have switched off their location history – in breach of the GDPR.

And City of York Council reported a RapidSpike developer to the police for informing it of a security vulnerability in a council app, in line with its own responsible disclosure guidelines. When RapidSpike expressed its bafflement and North Yorkshire Police said the researcher had “acted correctly”, the council relented and thanked them – although it fell short of apologising.

December

In December, the hotel group Marriott International announced a data breach that potentially affected as many as 500 million customers. According to Marriott, the guest reservation list of its Starwood division had been compromised by an unauthorised third party, who had accessed it since 2014.

The question and answer site Quora suffered a breach affecting approximately 100 million users. Information including their names, email addresses, and encrypted passwords may have been compromised.

And Google announced another bug in a Google+ API, affecting 52.5 million account holders. Having announced in October that it would be shutting down the consumer version of the social network by next August, Google has now brought the date forward, saying it will now “accelerate the sunsetting of consumer Google+ from August 2019 to April 2019”. Google+ APIs will be – as the company phrases it – “sunset” within 90 days.

Consumers are unlikely to mourn its loss: the company admitted in October that 90% of user sessions are less than 5 seconds.

And that brings us to now. December obviously isn’t over yet – and there could well be more incidents over the holiday season – but by our estimation 1,842,325,964 data records were found to have been compromised in data breaches in the first 11 months of the year. So, let’s stick our necks out and call it 2 billion by the end of the year. (For reference, there are currently about 4.2 billion Internet users in the world.)

Well, that’ll do for 2018. Here’s hoping we all fare better in 2019. We’ll be back in the second week of January, but until then you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.