2019: A Cyberyear Review

If you thought 2018 was a bad year for cyber security, 2019 was just as bad, if not worse!

The year started with the French data protection authority, the CNIL, using the new powers it had under the GDPR (EU General Data Protection Regulation) to fine Google €50 million (£44 million).
The penalty was by far the biggest GDPR fine since the regulation took effect in May 2018. It related to two violations: Google had failed to adequately explain to its users why it was collecting their data, and it hadn't documented a legal basis for doing so.
Although two larger fines would be announced later in the year, this penalty proved to be a landmark in demonstrating that regulators weren't afraid to use their disciplinary powers.

In other news:
B&Q exposed the personal data of 70,000 people who had been caught stealing products from its stores: employees had left a database containing the thieves' names, the items they stole, the value of the goods and the stores they were taken from publicly accessible online.
More than 770 million people learned their email addresses had been made public in what would be known as the ‘Collection #1’ data breach.
Victims of Equifax’s 2017 data breach were given the go-ahead to launch a class-action lawsuit.
Countless office workers were forced to get back to their jobs after Reddit suspended a host of accounts in light of security concerns. The site's security team suspected that users were being targeted in a credential-stuffing attack, in which criminals take a list of usernames and passwords stolen from one service and try them en masse against accounts on another, relying on people reusing the same password.
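To make the credential-stuffing pattern concrete, here is an added example (not Reddit's code) of the kind of check a site's security team runs over its authentication log; the log format, the thresholds and the sample lines are all constructed for illustration. The signal is not failed logins as such but one source failing against many different accounts in a short time, which is the signature of a stolen list being replayed, and the successful logins from that source are the accounts that need suspending.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real Reddit logs): one source hammers many
# different accounts in seconds, while 198.51.100.7 is just one user mistyping.
SAMPLE_LOG = """\
2019-01-09T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-01-09T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-01-09T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-01-09T10:00:03Z ip=203.0.113.5 user=dave result=OK
2019-01-09T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-01-09T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-01-09T10:05:00Z ip=198.51.100.7 user=grace result=FAIL
2019-01-09T10:05:20Z ip=198.51.100.7 user=grace result=FAIL
2019-01-09T10:05:45Z ip=198.51.100.7 user=grace result=OK
2019-01-09T11:30:00Z ip=203.0.113.5 user=heidi result=FAIL
"""

WINDOW = timedelta(minutes=10)
DISTINCT_USER_THRESHOLD = 5   # assumed tuning: failures against this many accounts


def parse_line(line: str) -> dict:
    """'<iso-ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_stuffing(log_text: str, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD) -> dict:
    """Return {ip: accounts} for every IP whose failed logins touched at least
    `threshold` distinct accounts inside some `window`-long span. A single user
    failing repeatedly never trips this, which is what separates stuffing from
    ordinary forgotten passwords."""
    failures = defaultdict(list)   # ip -> [(ts, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "OK":
            failures[rec["ip"]].append((rec["ts"], rec["user"]))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= threshold:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def compromised_accounts(log_text: str, flagged: dict) -> set:
    """Successful logins from a flagged IP are the accounts the attacker actually
    got into; these are the ones to suspend and force through a reset."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["ip"] in flagged and rec["result"] == "OK":
            hits.add(rec["user"])
    return hits


if __name__ == "__main__":
    flagged = detect_stuffing(SAMPLE_LOG)
    for ip, users in flagged.items():
        print(f"{ip}: credential stuffing against {len(users)} accounts")
    print("suspend:", sorted(compromised_accounts(SAMPLE_LOG, flagged)))
```

On the sample, 203.0.113.5 is flagged (five different accounts failing within four seconds) and dave, who logged in successfully from that address, is the account to suspend; grace's three attempts from 198.51.100.7 are left alone. In production the per-IP view is only a first cut, since real stuffing is spread across proxy pools, so the same window logic is usually also run per target account and per user-agent fingerprint.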

Valentine’s Day 2019 proved to be particularly disheartening for many people, after rumours swirled that OkCupid users were being harassed by criminal hackers who had broken into their accounts.
The dating site denied that it had suffered a data breach, even though many users took to Twitter saying that someone had got into their account and changed their login credentials.
Worse, the intruders changed the email address associated with the account, preventing the legitimate owners from resetting their passwords. At least one victim said that the “hacker started harassing him with strange text messages”.
Dating sites are popular targets for cyber crime, and OkCupid wouldn't be the first to disclose an incident: Plenty of Fish, eHarmony, AdultFriendFinder, Zoosk and, famously, Ashley Madison have all reported breaches.

In other news:
Lancashire-based Lad Media was wound up, and its director, Keith Hancock, was banned from forming or managing an organisation for four years, after the company was deemed to have violated the PECR (Privacy and Electronic Communications Regulations). The silver lining for Hancock was that the investigation began before the new PECR rules took effect, which would have given regulators the power to fine him, in addition to the organisation, up to £500,000.
Video-sharing app TikTok agreed to a record $5.7 million (£4.2 million) fine with the US Federal Trade Commission after it was accused of illegally collecting minors’ personal data.
Mumsnet disclosed a data breach affecting 4,000 people. A technical error that appeared during a software update meant that users who logged on simultaneously were directed to someone else’s account.
Toyota Australia was infected with malware, knocking out its website and other methods of communication. Many commenters were disappointed by the car manufacturer’s lack of transparency, as it refused to provide further details of the incident, including whether it was a ransomware attack.

Facebook's persistent insistence that it could protect users' personal data wasn't helped in March, when it emerged that the social media giant had stored up to 600 million users' passwords in plaintext.
Security journalist Brian Krebs reported that the passwords sat on Facebook's internal servers in plaintext, neither hashed nor encrypted, leaving them readable by as many as 20,000 employees, most of whom had no legitimate reason to access them.
Facebook said that the problem was discovered in January 2019 during an internal security review, and that it was confident the incident represented only a breach of confidentiality, with no evidence that the passwords had been misused.
Although that is obviously positive news, it doesn't absolve Facebook of blame or make the breach any less serious. There are plenty of cases where the extent of a breach isn't known until the information resurfaces years later (as you might recall from Yahoo's security meltdown).
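The difference between what Facebook had on disk and what should have been there is easy to show in code. The following is an added illustration, not Facebook's code; the record layout, the work factor and the sample passwords are assumptions. The point is that a plaintext record hands the password to anyone with read access, whereas a salted, slow hash gives an insider nothing to use without a separate cracking job per user.

```python
import hashlib
import hmac
import os

# Assumed work factor; OWASP's guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> dict:
    """The anti-pattern: whoever can read the record can read the password."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Per-user random salt plus a deliberately slow KDF. The record alone gives an
    insider nothing usable, and two users with the same password get different
    records, so one cracked hash doesn't unlock everyone who chose it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison in both branches so response time doesn't leak
    how much of a guess was right."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode("utf-8"),
                                   candidate.encode("utf-8"))
    if record["scheme"] == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(record["salt"]), record["iterations"])
        return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def recoverable_password(record: dict):
    """Models the 20,000-employee problem: with read access to the stored record,
    can the password be read back without cracking? Returns it, or None."""
    return record["secret"] if record["scheme"] == "plaintext" else None


def needs_rehash(record: dict, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Check after each successful login so legacy or under-iterated records are
    upgraded transparently, which is how you migrate without a mass reset."""
    return record["scheme"] != "pbkdf2_sha256" or record["iterations"] < iterations


if __name__ == "__main__":
    for record in (store_plaintext("hunter2"), store_hashed("hunter2")):
        print(record["scheme"], "-> insider sees:", recoverable_password(record),
              "| verify('hunter2'):", verify(record, "hunter2"))
```

Note that the Facebook case was about copies of passwords in internal logs, not the main credential store, so the hashing above is only half the fix: the other half is making sure request logging never captures the password field in the first place.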

In other news:
Users of Pandora and Clifford car alarms learned that their cars were at risk of being stolen because of a security vulnerability. The alarm manufacturers provide an app, which they claimed was “unhackable”, that lets users lock and unlock their cars from a smartphone. Security researchers found that all an attacker had to do to take over someone else's account was send that user's email address as a parameter to the vendors' backend, which accepted it without checking authorisation, and then initiate a password reset.
Facebook was back in the news after it suffered a 14-hour disruption to all its products, leaving them mostly inaccessible across the globe.
The US Oversight and Reform Committee learned that Donald Trump’s son-in-law/senior adviser, Jared Kushner, was using WhatsApp to conduct government business. Meanwhile, former deputy National Security Adviser K.T. McFarland was doing the same with her AOL account.
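The Pandora/Clifford flaw is a textbook authorisation failure, and the takeover chain is short enough to model end to end. The following added example (not the vendors' code; the API shape, session handling and user records are all assumed) shows a backend that picks the account to modify from a client-supplied email address, the reset-link trick that turns that into a full account takeover, and the hardened handler that only ever touches the session's own account.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    email: str
    pw_hash: bytes


def _hash(password: str) -> bytes:
    # Toy hash to keep the example short; a real backend uses a salted slow KDF.
    return hashlib.sha256(password.encode("utf-8")).digest()


class AlarmBackend:
    """Assumed shape of the vendors' API: bearer-token sessions, users keyed by id,
    and an outbox standing in for the mail server."""

    def __init__(self):
        self.users = {}      # user_id -> User
        self.sessions = {}   # bearer token -> user_id
        self.outbox = []     # (recipient, body) for every mail 'sent'

    def register(self, email: str, password: str) -> int:
        uid = len(self.users) + 1
        self.users[uid] = User(uid, email, _hash(password))
        return uid

    def _by_email(self, email: str) -> User:
        user = next((u for u in self.users.values() if u.email == email), None)
        if user is None:
            raise KeyError(f"no account for {email}")
        return user

    def login(self, email: str, password: str) -> str:
        user = self._by_email(email)
        if not hmac.compare_digest(user.pw_hash, _hash(password)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user.user_id
        return token

    def _caller(self, token: str) -> User:
        if token not in self.sessions:
            raise PermissionError("no valid session")
        return self.users[self.sessions[token]]

    # VULNERABLE: the account to modify comes from a client-supplied parameter.
    def update_email_vulnerable(self, token: str, target_email: str, new_email: str) -> None:
        self._caller(token)                               # proves only that *a* session exists
        self._by_email(target_email).email = new_email    # never checks it is the caller's account

    # HARDENED: only the session's own account, re-authentication required,
    # and the old address is notified so a hijack attempt is visible.
    def update_email_hardened(self, token: str, current_password: str, new_email: str) -> None:
        caller = self._caller(token)
        if not hmac.compare_digest(caller.pw_hash, _hash(current_password)):
            raise PermissionError("re-authentication failed")
        old_email, caller.email = caller.email, new_email
        self.outbox.append((old_email, f"email on account {caller.user_id} changed to {new_email}"))

    def request_password_reset(self, email: str) -> None:
        user = self._by_email(email)
        self.outbox.append((email, f"reset link for account {user.user_id}: {secrets.token_urlsafe(16)}"))


def takeover(backend, victim_email, attacker_email, attacker_password, drop_email, hardened):
    """Attacker holds an ordinary account and a spare address (drop_email).
    Returns True if a reset link for the victim's account lands at drop_email."""
    victim_id = backend._by_email(victim_email).user_id
    token = backend.login(attacker_email, attacker_password)
    if hardened:
        # No parameter names another account, so only the attacker's own changes.
        backend.update_email_hardened(token, attacker_password, drop_email)
    else:
        backend.update_email_vulnerable(token, victim_email, drop_email)
    backend.request_password_reset(drop_email)
    return any(to == drop_email and f"reset link for account {victim_id}:" in body
               for to, body in backend.outbox)


if __name__ == "__main__":
    for hardened in (False, True):
        b = AlarmBackend()
        b.register("victim@example.com", "victim-pass")
        b.register("mallory@example.net", "mallory-pass")
        ok = takeover(b, "victim@example.com", "mallory@example.net", "mallory-pass",
                      "mallory-drop@example.net", hardened)
        print(f"hardened={hardened}: takeover {'succeeded' if ok else 'failed'}")
```

The hardened handler fixes the root cause rather than the symptom: the account being edited is derived from the session, never from the request, so there is nothing for an attacker to substitute. Re-authentication and the notification to the old address are defence in depth against a stolen session token.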

April was a month of mixed results in the UK. On the one hand, the 2019 SonicWall Threat Report found that the UK was one of the few countries that saw a year-on-year reduction in ransomware attacks.
But another survey found that millions of Britons use weak passwords such as ‘password’ and ‘qwerty’. The most common password by far was ‘123456’, which appeared 23.2 million times in the breached-account data analysed by the NCSC (National Cyber Security Centre).

In other news:
The Supreme Court gave Morrisons permission to appeal against a ruling that found the supermarket vicariously liable for a data breach caused by a malicious insider. Morrisons had previously lost two cases related to its March 2014 breach, in which Andrew Skelton, a senior internal auditor at the supermarket's Bradford office, leaked the payroll data of 99,998 employees. The Supreme Court was expected to rule in 2020.
The software-as-a-service offering Land Lordz helped scammers trick travellers looking for accommodation on Airbnb. The program automates the creation of fake adverts and sends messages to advertise the fraudulent listings. Airbnb scams had been somewhat common before this, with many victims turning up to an address they’d booked on the site only to learn that the occupier had no idea that their property was being advertised. The number of scams eventually led to Airbnb launching a policy requiring hosts to verify their listings.
US food giant Mondelez sued insurance company Zurich American for denying a $100 million (£77 million) claim filed after the NotPetya attack. The confectioner, which owns Cadbury and Oreo, said it lost 1,700 servers and 24,000 laptops as NotPetya swept through its systems, but Zurich American argued the damage was the result of an “act of war” and therefore wasn't covered by its policy.
A fraudster posed as Hollywood actor Jason Statham in a catfishing scam targeting a woman whose fiancé and mother had both recently passed away. The victim said that “Statham” had sent her a Facebook message after she’d commented on a page dedicated to the actor. The two corresponded over the next few months, with the scammer eventually tricking her into transferring her money to help with an apparent cashflow problem.

A year earlier, in May 2018, the GDPR had been taking the public consciousness by storm: people's inboxes were littered with privacy policy updates and the Internet was full of GDPR memes.
Twelve months on, some commentators, such as Senior Consultancy Manager Nicky Whiting, found that organisations had become complacent about their GDPR compliance obligations.
“Organisations are not fully prepared, and still have a long way to go and a lot of work to do. This can be attributed to a lack of resource, Brexit distractions and a lack of buy-in from senior management,” she said.
“As media attention has waned, a lot of organisations have taken their eye off the ball. Many have concluded that the ICO [Information Commissioner’s Office] won’t be imposing fines, since there’s been little news coverage about enforcement action.”

In other news:
Tensions between the UK and China grew amid suggestions that Chinese tech giant Huawei would be prohibited from supplying core parts of the UK’s 5G phone network. Many people speculated that Huawei’s close ties with the Chinese government presented security risks, and thus the organisation should only be used for “non-core” parts of the system.
GlaxoSmithKline and AstraZeneca warned job hunters about recruitment scams that imitated the pharmaceutical giants. Fraudsters were creating fake job adverts that were designed to steal people’s personal and financial details.
One of the world’s largest cryptocurrency exchanges, Binance, was breached, with criminal hackers stealing 7,000 bitcoins (about £38 million at the time).
WhatsApp urged users to update the app after it learned that attackers were exploiting a vulnerability in its voice-call function. The flaw allowed them to plant spyware on a target's phone, giving access to the device's cameras and microphones, as well as the user's emails, instant messages and location data.
For the second time this year, a story surfaced of teenagers hacking into their school’s email systems to notify staff and students about a ‘mandatory penis inspection’.
HM Revenue and Customs was forced to delete more than five million people’s voice records after it learned that the way the information was collected breached the GDPR.

A ransomware epidemic in the US reached fever pitch in June, after three Florida cities were targeted within the space of a few weeks.
The first was Riviera Beach, a small city north of Miami. Despite its size, or perhaps because of it, the city felt compelled to pay the criminals' ransom of $600,000 (about £480,000) after its systems had been down for three weeks.
The city had already set aside $1 million to buy new computers and hardware following the attack, but decided it would be quicker and cheaper simply to pay up.
That was a damaging decision, as it reinforced the lesson for attackers that local governments will pay.
A week later, Lake City, a waypoint for tourists heading towards Orlando and southern Florida, caved to a $460,000 ransom demand.
The following day Key Biscayne was infected, a run of incidents that prompted the United States Conference of Mayors to adopt a resolution opposing the payment of ransoms.

In other news:
Leicester City FC announced that a cyber criminal broke into the club’s online shop and stole fans’ financial details.
OGusers, a forum popular with cyber criminals, was raided by a rival group. The incident exposed the email addresses, hashed passwords, IP addresses and private messages of nearly 113,000 members of the criminal hacking community. The site's administrator restored the forum from a January 2019 backup, which got it running again but did nothing to recover the data that had already been taken.
The ICO admitted that its own website's cookie policy didn't comply with the GDPR. The mobile version of the data protection authority's site set tracking cookies without first obtaining visitors' consent, relying instead on implied consent, a legal basis for processing that the GDPR scrapped.
A US medical bill and debt collection agency filed for Chapter 11 bankruptcy protection after suffering a data breach that exposed the sensitive personal data of at least 20 million people. RMCB (the Retrieval-Masters Creditors Bureau), the parent company of AMCA (the American Medical Collection Agency), spent more than $3.8 million (about £3 million) on notifying individuals that their personal data had potentially been compromised – $2.5 million of which the organisation’s CEO, Russell H. Fuchs, loaned the company himself.

The second half of the year began with major data privacy news: the UK’s data protection authority, the ICO (Information Commissioner’s Office), announced its intention to fine British Airways and Marriott International a combined £282.6 million for breaching the GDPR (General Data Protection Regulation). Each company is appealing its respective fine.
Although the GDPR prescribes a penalty regime of fines up to the greater of 4% of annual global turnover or €20 million (about £17 million), the scale of these first fines – and the extent to which the ICO clearly intends to crack down on organisations that fail to properly secure the personal data they process – took most organisations by surprise.

In other news:
The ICO began an investigation into how the TikTok video-sharing app handles children’s personal data. This follows on from the US FTC (Federal Trade Commission) issuing TikTok a $5.7 million (£4.2 million at the time) fine for violating the US Children’s Online Privacy Protection Act in February.
The NHS was criticised for signing a deal with Amazon that allowed patients to access their health information via its Alexa voice assistant – potentially granting the online retail giant access to vast amounts of sensitive personal data.
Laxman Muthiyah, a security researcher, was awarded a $30,000 (£24,000) bug bounty after discovering a vulnerability that could have led to Instagram accounts being hacked in ten minutes.
The US FTC approved a $5 billion (£4 billion) fine for Facebook to settle an investigation into data privacy violations as part of the Cambridge Analytica scandal.
Equifax agreed to pay up to $700 million (£561 million) as part of a settlement with the FTC over its 2017 data breach.

In August, IBM and Ponemon Institute released their annual Cost of a Data Breach Report. The 2019 study found that the average total cost of a data breach was $3.92 million (£2.99 million), a 1.5% increase from 2018.
The majority of that cost came from lost business. Moreover, the financial impact of a data breach isn’t a short-term concern: about a third of costs occurred more than a year after the breach occurred.
The report also found that an average of 25,575 data records were compromised per incident and that the average time to identify and contain a breach was an alarming 279 days.

In other news:
US federal prosecutors charged a Seattle resident, Paige A Thompson, with stealing data related to more than 100 million Capital One credit applications.
Digital bank Monzo told 480,000 customers to change their PINs after a data security incident.
Suprema, a biometric security firm, was found to have exposed more than one million fingerprints and other sensitive data. The company’s BioStar 2 tool is used by thousands of companies worldwide, including the Metropolitan Police.
A security researcher found that 40% of organisations respond to bogus DSARs (data subject access requests), breaching the GDPR in their attempts to comply with it.
The European Central Bank shut down one of its websites after suffering a malware infection. Personal data, including names and email addresses, was compromised.
The Swedish data protection authority, Datainspektionen, fined a local authority 200,000 Swedish Krona (£16,800) for unlawfully trialling a facial recognition programme at a high school – its first fine under the GDPR.
Laxman Muthiyah, the security researcher who won a $30,000 bug bounty from Instagram in July, was awarded a further $10,000 (£8,200) after identifying another vulnerability.

September’s highlight was undoubtedly the security incident in which the personal data of almost every Ecuadorian resident was compromised.
According to vpnMentor, which discovered the data, an unsecured server belonging to the Ecuadorian company Novaestrat exposed around 18GB of data relating to 20 million individuals, including their name, gender, date of birth, physical and email addresses, phone numbers, financial information, employment information and other identifiers.
Many data records related to deceased Ecuadorian citizens.
vpnMentor said the exposure could have been prevented with basic security measures. The server was secured on 11 September 2019, and Ecuador's government fast-tracked a draft privacy law through congress in response.

In other news:
The US FTC fined YouTube $170 million (£136 million) for collecting children’s personal data without their parents’ consent.
Facebook confirmed that 419 million users’ phone numbers were exposed in an unsecured online database.
The Emotet malware resurfaced, four months after its operators had taken its command and control servers offline. In 2018, US-CERT called the Trojan “among the most costly and destructive [types of] malware” affecting organisations.
An NHS clinic accidentally disclosed the email addresses of 2,000 transgender patients when it used the ‘Cc’ instead of ‘Bcc’ field in an email.
Game developer Zynga announced that more than 200 million Words with Friends and Draw Something players may have had their login information illegally accessed.
The European Court of Justice ruled that Google doesn’t have to apply the right to be forgotten globally.
The operators of GandCrab, the ransomware behind innumerable high-profile attacks, appeared to have returned to action after announcing their retirement in May.
Scammers targeted holidaymakers affected by Thomas Cook’s collapse, claiming to offer refunds in return for customers’ credit card details.

On 30 October, the Japanese media giant Nikkei revealed that, in late September, an employee of its American subsidiary, Nikkei America, fell victim to a scam that cost the company $29 million (about £22 million).
Nikkei disclosed little information about the incident, but confirmed that a fraudster emailed the employee posing as an executive. In other words, it was a form of BEC (business email compromise).
BEC attacks typically begin with a spear phishing email to someone in the organisation who handles payments. In the simplest form, as at Nikkei, the email merely impersonates an executive or supplier; in the more patient form, the scammer first steals the target's mailbox credentials, then monitors the account, learning about suppliers and projects and waiting for the right moment to set the trap.
This often involves sending a fraudulent invoice, or a request to update a supplier's banking details, so that payment goes to an account the criminal controls.
BEC scams have been on the rise, according to the FBI's IC3 (Internet Crime Complaint Center), which identified a 100% increase in financial losses between May 2018 and June 2019.
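Most BEC messages give themselves away in the headers before anyone reads the body. The following added example (not Nikkei's or the FBI's code; the corporate domain, executive directory, sample messages and thresholds are constructed) scores a message on four of the signals a mail filter or SOC analyst looks for: a display name that matches an executive but an address that doesn't, a lookalike sender domain, a Reply-To that diverts the conversation elsewhere, and payment language.

```python
import re

CORPORATE_DOMAIN = "example.com"                        # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # assumed directory, lower-cased names
PAYMENT_WORDS = ("wire", "invoice", "bank details", "transfer", "urgent")

# Constructed messages, not real mail: a genuine note from the CEO, a lookalike
# domain, a free-mail impersonation, and a supplier whose Reply-To has wandered.
SAMPLES = [
    {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "",
     "subject": "Q3 planning", "body": "Let's meet Tuesday."},
    {"from": "Jane Doe <jane.doe@exarnple.com>", "reply_to": "",
     "subject": "Urgent wire", "body": "Please transfer $29M to the new vendor account today."},
    {"from": "Jane Doe <ceo.office@gmail.com>", "reply_to": "",
     "subject": "Quick task", "body": "Are you at your desk? Need an urgent invoice paid."},
    {"from": "Accounts <ap@supplier.example.org>", "reply_to": "ap@supplier-invoices.net",
     "subject": "Updated bank details", "body": "Our bank details changed, see attached invoice."},
]


def parse_address(value: str):
    """'Display Name <local@domain>' or a bare address -> (display, lower-cased address)."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', value)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", value.strip().lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against the corporate domain means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = CORPORATE_DOMAIN) -> bool:
    return domain != target and edit_distance(domain, target) <= 2


def score_message(msg: dict) -> list:
    """Return the BEC indicators present in a message, in a fixed order."""
    display, sender = parse_address(msg["from"])
    flags = []
    expected = EXECUTIVES.get(display.lower())
    if expected and sender != expected:
        flags.append("exec_name_external")        # right name, wrong mailbox
    if is_lookalike(domain_of(sender)):
        flags.append("lookalike_domain")          # e.g. 'rn' standing in for 'm'
    if msg.get("reply_to"):
        _, reply = parse_address(msg["reply_to"])
        if domain_of(reply) != domain_of(sender):
            flags.append("reply_to_mismatch")     # replies silently go elsewhere
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    if any(word in text for word in PAYMENT_WORDS):
        flags.append("payment_language")
    return flags


def triage(messages, hold_at: int = 2):
    """Messages with at least `hold_at` indicators are held for a human check;
    the threshold is an assumed tuning, not a standard."""
    held = []
    for i, msg in enumerate(messages):
        flags = score_message(msg)
        if len(flags) >= hold_at:
            held.append((i, flags))
    return held


if __name__ == "__main__":
    for i, flags in triage(SAMPLES):
        print(f"message {i} held: {', '.join(flags)}")
```

Header heuristics catch impersonation and lookalike domains; they do nothing against the patient variant where the scammer sends from a genuinely compromised mailbox, which is why the control that actually stops the loss is procedural: any change to payment details or any unusual transfer request is confirmed by phone on a number already on file, never via the email thread.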

In other news:
Three US and seven Australian hospitals were forced to close following a ransomware infection.
The customer support ticket platform Zendesk disclosed a 2016 security breach that allowed a criminal hacker to access account holders’ personal data. Approximately 10,000 customers are thought to have been affected.
TOMS Shoes's mailing list was hacked. However, instead of stealing data or infecting the company with malware, the intruder emailed its customers to tell them to step away from their screens and stop missing out on the world.
Twitter was criticised for profiting from personal data after using 14.1 million customers’ email addresses to sell personalised advertising.
The High Court granted a group litigation order against British Airways in connection with its 2018 data breach, effectively giving the go-ahead to mass legal action from 500,000 customers.
The Newcastle-based housing association Home Group suffered a data breach in which about 4,000 individuals’ personal data was compromised.

November saw the usual annual increase in phishing scams as attackers sought to take advantage of the seasonal spike in online shopping: the cyber security company ZeroFOX reported that it detected 61,305 potential scams in the weeks leading up to the Black Friday/Cyber Monday weekend.
However, the most common type of scam this year didn’t involve online-only retailers like Amazon but high-street shops. This was probably because more people would be shopping offline than online, so scams imitating well-known chains would have a greater chance of success.

In other news:
The Labour Party suffered what it described as two “sophisticated and large-scale” cyber attacks on its campaign website. In fact, they were DDoS (distributed denial-of-service) attacks, in which botnets flood a target with traffic until it can no longer serve legitimate requests: a high-volume technique rather than a sophisticated one.
The cyber security company Trend Micro proved that no organisation is immune from data breaches when a malicious employee sold personal information relating to 70,000 customers to a third party.
T-Mobile confirmed that the personal data of more than one million US customers had been stolen. Compromised information included customer names, addresses and phone numbers.
Thousands of Disney+ customers' account details were hijacked and put up for sale on hacking forums within hours of the streaming service's launch, and legitimate users then found themselves locked out of their accounts.
Facebook and Twitter warned that hundreds of users’ personal data could have been exposed via third-party Android apps downloaded from the Google Play store.
A new report into AggregateIQ, the Canadian data company with links to Cambridge Analytica, found that the organisation did not have appropriate consent for the Facebook campaigns it carried out on behalf of the Brexit campaign group Vote Leave. According to the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Privacy Commissioner of Canada, AggregateIQ also did not properly secure the data it misused. (AggregateIQ has the dubious honour of being the recipient of the ICO’s first enforcement notice issued under the GDPR.)

On 13 December, New Orleans declared a state of emergency after its digital infrastructure was crippled by a ransomware attack. Nola.com reported that city agencies had to resort to pen and paper.
A spokesperson for the Mayor of New Orleans declined to answer questions about the attack but, according to Bleeping Computer, the Ryuk ransomware was to blame. Ryuk has been involved in numerous campaigns this year and is often distributed by the Emotet Trojan alongside the TrickBot information-stealing Trojan.
New Orleans wasn’t the only US city to fall victim to ransomware in December: Pensacola, Florida; Galt, California; and St Lucie, Florida were also attacked.

In other news:
The South African IT company Conor suffered a data breach when security researchers from vpnMentor discovered an unsecured database containing more than one million “highly sensitive and private” web browsing records.
The German Internet service provider 1&1 Telecom GmbH was fined nearly €10 million (£8.5 million) by the BfDI (Germany's Federal Commissioner for Data Protection and Freedom of Information) for breaching the GDPR by failing to implement appropriate technical and organisational measures to prevent unauthorised access to personal data.
Iran claimed to have defended itself from a state-sponsored cyber attack on its national infrastructure.