In 2020 we’ve been bombarded by near-constant news of data breaches across nearly all sectors. During the Covid-19 lockdown we saw a rise in phishing emails exploiting the uncertainty of the situation, and the rise of home working and video conferencing increased the risk of a security breach.
The Verizon Data Breach Investigations Report logged a record total of 157,525 incidents and 3,950 breaches over the last year. It shows that phishing was the top threat action in breaches and that 45% of breaches involved hacking.
The report also shows that security incidents are more likely to be carried out by someone outside of your organisation than by someone within it. However, the number of incidents occurring from inside businesses is also increasing.
As part of Cyber Security Awareness Month, I’ve looked back over the events of the past year and pulled out a selection of notable attacks and breaches.
Written by Laurie Graham, Cyber Intelligence Director
October 2019, healthcare: Canadian medical testing company LifeLabs was hacked in the biggest data breach in Canadian history. The personal data of 15 million LifeLabs customers was obtained by hackers in a malware attack. LifeLabs paid a ransom to re-secure the data.
November 2019, hospitality: The Gekko Group, a subsidiary of AccorHotels, confirmed that it had leaked over a terabyte of personal data belonging to customers, clients and partners. The data included names and addresses, passwords, invoices and unencrypted payment data.
December 2019, IT: Citrix announced that it had found a critical vulnerability in its Application Delivery Controller and Citrix Gateway. A malicious actor exploiting the vulnerability would have been able to access the local networks of over 80,000 businesses and manipulate their code.
January 2020, UK government: The Department of Education let an education and training provider use its Learning Records Service database. The training provider then broke its agreement by giving another company access to the database, which contained the personal details of 28 million children. Betting companies then used that data to target children and increase the number of young people who gamble online.
February 2020, hospitality: MGM Resorts reported that it had suffered a data breach in 2019 and that the personal details of 10.6 million hotel guests, including myself, had been posted on a hacking forum. By July 2020 the details of 142 million MGM Resorts guests were for sale on the dark web.
March 2020, pharmaceuticals: ExecuPharm was hit by a ransomware attack in which the attackers accessed customers’ social security numbers, financial information, driving licences and passport numbers. The hackers then went on to publish the stolen information.
April 2020, video conferencing: With the rise of home working, Zoom quickly became a target for cyber criminals. Over half a million personal and business account login details, meeting URLs and host keys were stolen through a credential stuffing attack and quickly appeared on the dark web.
May 2020, hospitality: Marriott suffered a breach involving 5.2 million guests. Later in the year, we worked with Which? and found 497 vulnerabilities on Marriott-run websites. Three critical vulnerabilities were found on a website of one of Marriott’s hotel chains, involving errors in the software used to run the website. This could potentially allow an attacker to target the site’s users and their data.
June 2020, marketing: Social media marketing company Preen.Me suffered a ransom attack in which the personal information of over 100,000 affiliated social media influencers was compromised and gradually released onto the dark web. The details of over 250,000 more users of Preen.Me’s app were then also leaked in full.
July 2020, social media: In a coordinated phishing attack, hackers were able to gain access to high-profile and verified Twitter accounts. They then posted tweets promising to return double the value of any Bitcoin sent to an address included in the tweet. Over $100,000 worth of Bitcoin was sent to the address in nearly 300 transactions.
August 2020, social media: Researchers discovered an unsecured database belonging to the defunct social media data broker Deep Social. 235 million Instagram, TikTok and YouTube user profiles were exposed online. The scraped profile information included names, ages, genders, profile photos, account descriptions and statistics about follower engagement and demographics.
September 2020, credit bureau: Following an event in August in which information relating to 24 million people and nearly 800,000 businesses was stolen from Experian SA, it was found that some of the information was still available on public websites. The data included phone numbers, addresses and banking details.
Although there were hacks and breaches in nearly every sector, financial services are disproportionately targeted. When you look at the numbers, it makes sense: 86% of breaches are financially motivated, and 72% of breaches involve large business victims, so financial services firms are an ideal target. They’re wealthy companies and hold vast amounts of accurate customer data, which hackers can sell on for profit.
Financial services firms also tend to dedicate a similar proportion of their budget to cyber security as other industries do, which does not reflect how much more heavily they are targeted.
With phishing playing a major role in the attacks we’ve seen this year, and with more attacks playing off the pandemic, it’s more important than ever to instil the basics of cyber security in your teams, especially if they’re working from home and perhaps less in the loop with training and common phishing attempts.
Don’t make it easy for hackers – keep your employees clued up on how to avoid data being compromised. Our handy how-to guide means employees can take simple steps to protect themselves and your business.
Interested in talking about this further? Get in touch.