2019 has been a huge year for cyber security. Over 4 BILLION records were exposed by data breaches in the first six months ALONE. ‘Cyber security in 2019’ looks back at some of the key occurrences that took place each month.

January

The start of the year saw Google hit with a €50 million fine from French watchdog CNIL. This was in accordance with GDPR, for not obtaining user consent for the processing of data for advertising personalisation.

The fine followed complaints lodged back in May 2018 by None of Your Business (NOYB) and La Quadrature du Net (LQDN). They claimed that Google did not have a valid legal basis for processing user data in order to produce personalised ads.

CNIL carried out an online investigation which culminated in the decision that Google had violated two GDPR provisions. They had not obtained user consent to process data for ads personalisation legally. Neither had they provided easy access to essential information about services to users.

‘Mini Top Tip’

If you need guidance with GDPR, CRIBB Cyber Security can help with our ‘Data Protection Officer as a Service’ offering.

February

February saw the release of research revealing that as many as EIGHT airlines were not encrypting their e-ticketing booking systems. This meant that personal data was effectively ‘up for grabs’…

Who were these airlines?

Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia, and Air Europa. The airlines were all found to have sent unencrypted check-in links to their customers. This effectively meant that full names, confirmation numbers and additional personal data were at the mercy of potential hackers. All were notified of the findings but only Thomas Cook and Transavia responded. Here’s hoping that future research discovers ALL eight have embraced encryption. It just goes to show that even the ‘big boys’ in travel fail to place sufficient importance on cyber security.

March

In March, the UN released a report showing that North Korean-backed hackers were behind cyber-attacks totalling $571 million in 2018. A panel of experts for the UN Security Council noted that hackers sponsored by the DPRK government targeted financial institutions and cryptocurrency exchanges. This occurred between Jan and Sep 2018, in yet another example of what cyber security experts today must face.

Cyber security in 2019: April

In April, Microsoft contacted some of their users to notify them that unknown hackers had gained access to their information. This included email addresses and the addresses of people they were in contact with. One user posted the email on Reddit, in which they were warned that they may receive spam and phishing emails. One might say that Microsoft were quick to act on the incident and right to reiterate their commitment to protecting users and data. However, it is certainly another indication of just how savvy cyber criminals have become.

May

A team of researchers discovered that an unsecured database of major hotels including Marriott had been compromised. 85.4 GB of sensitive data belonging to the security systems of hotels including Marriott property Aloft Sarasota was exposed. Information including passwords, device names, malware alerts, login attempt records and malware infection logs were all included. It was found that the exposure went back to April 19th 2019. Again, some might say that the response time could have been far worse. The numbers and organisations involved are significant enough though to encourage anyone to look again at their own cyber security status.

June

A survey of cyber security professionals revealed that they were under growing pressure protecting organisations against cyber threats. The pressure was beginning to take a much larger toll on them, too. More than 3,000 CISOs and senior cyber security decision makers from across the UK, France and Germany were consulted. Over 60% confirmed that they had either considered leaving their jobs or the industry entirely. Given the shortage in skill in the industry and that cyber-attacks are becoming more advanced, it is easy to see why this is anxiety-inducing. CRIBB Cyber Security’s very own Patrick Carolan had this to say about the situation:

“Cyber security is a high-pressure area. In recent years, the advances being made in technology have only served to heighten that pressure. This survey didn’t hold many surprises, although quitting has never been something that I have personally thought about. I find it invigorating that the challenges are getting bigger. I definitely have to work harder now to stay on top of everything but that’s what you come to expect when you work in cyber security. It is a constant battle to keep one step ahead of the many risks involved to organisations large and small”.

We’ll look back at the last 6 months next week. That period saw a growth in ‘Spearphone’ Eavesdropping. It also marked the signing of a $700 million deal to settle data breach lawsuits.

Glossary

CNIL – Commission Nationale de l’informatique et des Libertés (an independent French administrative regulatory body. CNIL ensures that data privacy law is applied to the use, storage and collection of personal data)

GDPR – General Data Protection Legislation (a data protection and privacy regulation in EU law for all citizens of the EU and European Economic Area)

Jetstar – A low-cost airline based in Australia.

Transavia – A Dutch low-cost airline that is part of the Air France–KLM group.

DPRK – Democratic People’s Republic of Korea government (North Korea, a socialist state under the rule of the Workers’ Party of Korea)

Phishing emails – Emails sent fraudulently in an attempt to gain sensitive information (usernames and passwords, for example).

Malware – Any software that is intentionally designed to cause damage to a computer network, server, computer or client.

CISO – A Chief Information Security Officer (a senior-level executive within an organisation who is responsible for ensuring that information assets and technology are both protected)

‘Spearphone’ Eavesdropping – An attack against mobile phones in which Android devices’ on-board motion sensors are used to infer speech from the devices’ speakers, thus allowing the attacker to eavesdrop on people’s calls.

Top Tip

Keen to see which stories we pick in part 2 of ‘Cyber security in 2019’? Then watch this space. If you need any advice on cyber security, then get in touch with our team of experts!