2019 in Cyber Incidents

Posted on 19 December 2019

Christmas is just around the corner and we’re officially tying up the loose ends of 2019 – and what better way to send the year off than to look back at the data breaches which made the headlines? Very festive, don’t you think?


Across the year, the average cost of a data breach has grown to nearly £2.7 million, according to IBM research. And while GDPR fines alone are nothing to sniff at, the additional reputational harm can be incalculable. While 2018 was most notably marked by Bupa incurring a hefty fine after the personal data of 500,000 customers was offered for sale on the dark web, 2019 has well and truly topped the charts. Here’s a month-by-month breakdown:



Kicking off the year was the Collection #1 data breach – the largest ever discovered. This data dump featured more than 770 million people’s sensitive information, all decrypted, catalogued, and up for grabs online. This digital directory was composed of information pulled together from numerous data breaches and leaks, and contained email addresses and passwords. Although most of the login information was a couple years out of date, this didn’t stop nefarious parties from running a phishing scam that made them a whole lot of money.



February saw parenting site Mumsnet report itself to the UK’s data protection watchdog following an unfortunate upgrade that allowed users to view each other’s accounts, including their email address, account details, posting history, and personal messages. The bug affected a total of 46 users before the update was reversed and Mumsnet forced all users to log out in order to rectify the problem.

Meanwhile, there was no love lost between mobile network operator EE and one of their former employees. Francesca Bonafede endured a horrific stalking experience when her ex-boyfriend accessed her personal data while working at EE. He switched her telephone number to a new handset, and also got hold of her bank details and new address. Once the company was made aware of this, his contract was promptly terminated.



Moving into Spring, we were alerted to the existence of a Facebook Messenger website bug that made it possible for hackers to see who you’d been talking to. This could be done by exploiting the site’s use of iFrames to peek at private conversations. Imperva’s Ron Masas was the first to discover the flaw, having previously spotted other Facebook privacy issues, such as a bug that allowed unauthorised sites to view users’ location histories, likes and interests.



April saw more bad news for Facebook users, as a cyber security firm found that two different third-party Facebook apps – Cultura Colectiva and At The Pool – had left millions of records containing user information sitting unprotected on Amazon’s servers. In terms of Facebook data exposure, this was a case of history repeating itself, as the company had previously hit headlines for not being able to control their data during the Cambridge Analytica scandal. Unfortunately for Facebook, this would not be the only strike against their name this year.



The US Customs and Border Protection body has come under fire for neglecting basic security safeguards, which resulted in hackers stealing a database of traveller photos. This all came about when a subcontractor working with the agency, which had been given improper access along with sensitive information that shouldn’t have been sent in the first place, was hit with a vicious cyber-attack. As a result, countless licence plates and personal photos are now in the hands of hackers, and with the rise of biometric authentication and deepfakes, this is a real worry.

WhatsApp also suffered at the hands of hackers in May. The messaging app discovered a vulnerability that allowed attackers to install malicious code in the form of surveillance software on mobile phones, simply by calling a target device. WhatsApp rushed to fix this vicious attack, but were forced to alert officials, and encourage users to update immediately, no doubt causing a decline in trust.



June was a bad month for the healthcare industry, as human error led to sensitive patient information being exposed in two different, but equally avoidable ways. First, a list with the names and details of 33 patients from Letterkenny General Hospital was found dumped in a nearby bin, which was quite the breach of patient confidentiality. Secondly, in the Highlands, the email addresses of almost 40 HIV patients were made public due to a simple email mistake. In both instances, the hospitals apologised, so here’s hoping that in 2020, they invest in staff training to avoid human error mistakes like this.



Just as the academic year was wrapping up for a lot of students, the University of York was hit with a vicious cyber-attack. Information on thousands of students was downloaded in a malicious data breach which included 88 full administrative records, and other basic data on a further 4,400 students. The students affected were contacted, and the university also reported the breach to the National Crime Agency.

July wasn’t a great month for the financial industry either, as one of its biggest giants, Capital One, experienced a huge data breach. A hacker exploited a misconfigured firewall and gained access to data on over 100 million credit card customers. The compromised information included names, addresses, phone numbers, DOB, social security numbers, bank account details, credit scores, and transaction data. Capital One insisted that no credit card account numbers or login credentials were compromised, but customer trust in the company was massively eroded.



A website owned by the European Central Bank was hacked in August. By hacking into the bank’s Integrated Reporting Dictionary website, it was possible to breach the names, email addresses, and position titles of almost 500 subscribers to the website’s newsletter. The malicious actors found a way into the website by injecting malware into the server of the external provider that hosted the site.

This month also featured news that a biometric security firm’s software had leaked a million fingerprints. Biometric technology was a huge talking point throughout 2019, and this trend is set to continue into the new year. Confidence in this technology was thoroughly knocked when a cyber security firm revealed they were able to access data from the Biostar 2 security tool. This tool is used by thousands of companies worldwide, including our own Metropolitan Police. Researchers were able to find photographs, facial recognition data, names, addresses, passwords, employment history, and records when they gained access to supposedly secure areas.



Facebook users had more reasons to be concerned in September, when it was revealed that a huge database of their phone numbers was found online. A server containing more than 419 million records, across geographies (133 million US users, 18 million UK users, and 50 million Vietnamese users) was found online, with no password protection, meaning anyone could access it. Each record featured a user’s phone number and unique Facebook ID – which can easily be used to find their username/real name.

Teletext Holidays also lost consumer trust, when it experienced a major security breach that exposed over 200,000 customers’ personal details. Although Teletext advertises its holidays online, customers must call in order to book, and these calls are recorded. These audio files were unsecured, leaving customers’ names, email addresses, home addresses, phone numbers, DOB, and even credit card details exposed.

When it comes to looking for love online, many of us are careful to guard our hearts – but we might be better placed guarding our data. In September, several tech giants in the mobile app dating space, such as Grindr, Recon, and Romeo, all suffered serious online privacy issues. As a result, their users’ pictures, birthdays, conversations, and even locations were exposed. In the midst of dating sites struggling to keep data private, we asked, is it time for a love lockdown?



On a much more serious note, October saw the Indian government confirm a cyber-attack on its newest nuclear power plant. Given that this is one of the country’s most critical sectors, finding that it was vulnerable to cyber espionage was a major concern for everybody. The Kudankulam power plant was hacked using data-extracting malware by perpetrators with ties to North Korea. Thankfully the malware was identified and isolated from the internal network, but some security experts still had their concerns.

It wasn’t all doom and gloom in October however, as this month also saw a Philadelphia student hack into their school district system, for the nefarious purpose of… winning a water fight. The hacker gained access to the student portal via a teacher’s login in an account takeover attack, which led to dozens of students’ information being breached. This was all because one student wanted to gain information on their opponents for a competitive advantage in a water gun fight.



November was not a great month for the Labour party, as it suffered two sophisticated large-scale cyber attacks in as many days. Hackers attempted to infiltrate Labour’s digital platforms via a DDoS attack, which floods a computer server with huge amounts of internet traffic in a bid to overwhelm it and force a complete software crash. Some campaign activities were slowed down, but overall the attack failed due to the party’s robust security systems.



Rounding off a year of big cyber incidents was the report that the New Orleans government was shut down by a massive cyber-attack. The city declared a state of emergency after falling victim to a large-scale hack that resulted in a complete shutdown of all its government computers. Ransomware and phishing attempts were detected, so the city decided to exercise caution and insisted all staff turn off their computers, unplug devices, and disconnect from WiFi.


Malicious actors have definitely been busy this past year. Serious cyber incidents have brought down government departments, large scale corporations, and unsuspecting individuals alike. The best way to avoid falling victim to a hacking attempt or experiencing a data breach is robust cyber security technology, strong identity and access management, plus a well-trained team that are fully clued up on the latest information security methods. 


If you’d like to improve your security measures, train staff, and learn more about identity and access management, please contact a member of our dedicated team.


