2019 has been a huge year for cyber security, with over 4 BILLION records exposed by data breaches in the first six months ALONE. Here we look back at just some of the key occurrences that took place each month during that period…
January
The start of the year saw Google hit with a €50 million fine from French watchdog CNIL, in accordance with GDPR, for not obtaining user consent for the processing of data for advertising personalisation.
The fine followed complaints lodged back in May 2018 by None of Your Business (NOYB) and La Quadrature du Net (LQDN), who claimed that Google did not have a valid legal basis for processing user data in order to produce personalised ads.
CNIL carried out an online investigation which culminated in the decision that Google had violated two GDPR provisions: it had not lawfully obtained user consent to process data for ads personalisation, and it had not provided its users with easy access to essential information about its services.
‘Mini Top Tip’: Remember, if you need help and guidance with GDPR, CRIBB Cyber Security – part of theICEway ecosystem – can help with our ‘Data Protection Officer as a Service’ offering…
February
February saw the release of research revealing that as many as EIGHT airlines were not encrypting their e-ticketing booking systems – meaning that personal data was effectively ‘up for grabs’…
Who were these airlines?
Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia, and Air Europa. All were found to have sent unencrypted check-in links to their customers, which meant that full names, confirmation numbers and other personal data were at the mercy of potential hackers. All were notified of the findings, but only Thomas Cook and Transavia responded. Here’s hoping that future research discovers ALL eight have embraced encryption, but it just goes to show how even some of the so-called ‘big boys’ of the travel industry neglect to place sufficient importance on cyber security.
March
In March the UN released a report detailing how North Korean-backed hacking groups were behind cyber-attacks totalling $571 million during the previous year. A panel of experts for the UN Security Council noted that hackers sponsored by the DPRK government targeted financial institutions and cryptocurrency exchanges between January and September 2018, in yet another example of the sheer scale of the issues facing cyber security experts today.
April
In April, Microsoft contacted some of their users to notify them that unknown hackers had gained access to their information, including their email addresses and the addresses of people they had been in contact with. One user posted the email on Reddit; in it, they were warned that they might receive spam and phishing emails. One might say that Microsoft were quick to act on the incident and right to reiterate their commitment to protecting their users and their users’ data, but it is certainly another indication of just how savvy cyber criminals have become.
May
At the end of May a team of researchers discovered that an unsecured database had exposed 85.4 GB of sensitive data belonging to the security systems of major hotels, including the Marriott property Aloft Sarasota. Passwords, device names, malware alerts, login attempt records and malware infection logs were all included, and the exposure was found to go back to April 19th 2019. Again, some might say that the response time could have been far worse, but the numbers and organisations involved are significant enough to encourage anyone to take another look at their own cyber security status.
June
A survey of cyber security professionals released in June revealed that they are under growing pressure to protect organisations against cyber threats – pressure which is beginning to take a much larger toll on them. More than 3,000 CISOs and senior cyber security decision makers from across the UK, France and Germany were consulted, with over 60% confirming that they had either considered leaving their jobs or the industry entirely. Given that there is already a skills shortage in the industry and that cyber-attacks are becoming ever more advanced, it is easy to see why this is causing much anxiety – CRIBB Cyber Security’s very own Patrick Carolan had this to say about the situation:
“Cyber security is a high-pressure area and in recent years the advances being made in technology have only served to heighten that pressure. This survey didn’t hold many surprises, although quitting has never been something that I have personally thought about. I find it invigorating that the challenges are getting bigger. I definitely have to work harder now to stay on top of everything but that’s what you come to expect when you work in cyber security, a constant battle to keep one step ahead of the many risks involved to organisations large and small”.
We’ll look back at the last 6 months next week, a period that saw a growth in ‘Spearphone’ Eavesdropping and the signing of a $700 million deal to settle data breach lawsuits – and that was just in July…
Glossary
CNIL – Commission Nationale de l’Informatique et des Libertés; an independent French administrative regulatory body with the goal of ensuring that data privacy law is applied to the use, storage and collection of personal data.
GDPR – General Data Protection Regulation; a data protection and privacy regulation in EU law for all citizens of the EU and European Economic Area.
Jetstar – A low-cost airline based in Australia.
Transavia – A Dutch low-cost airline that is part of the Air France–KLM group.
DPRK – Democratic People’s Republic of Korea government; North Korea, a socialist state under the rule of the Workers’ Party of Korea.
Phishing emails – Emails sent fraudulently in an attempt to gain sensitive information (usernames and passwords, for example).
Malware – Any software that is intentionally designed to cause damage to a computer network, server, computer or client.
CISO – A Chief Information Security Officer; a senior-level executive within an organisation who is responsible for ensuring that information assets and technology are both protected.
‘Spearphone’ Eavesdropping – An attack against mobile phones in which Android devices’ on-board motion sensors are used to infer speech from the devices’ speakers, thus allowing the attacker to eavesdrop on people’s calls.
Top Tip
If you are keen to see which stories we pick from the latter half of 2019 then watch this space, and if you need any advice on cyber security in the meantime do feel free to get in touch with our team of experts!