At this time of year, news feeds are chock full of Predictions For The Next Year – and for good reason. Everybody wants to be prepared for what lies ahead.
But if you’re looking for guidance on what 2020 has in store, we suggest you follow the maxim that the best predictor of future behaviour is past behaviour.
So, as we enter a new year – and indeed a new decade – let’s take a look back at 2019 and see what lessons can be gleaned.
Anyone doubting whether supervisory authorities would use the disciplinary measures imposed by the GDPR (General Data Protection Regulation) began the year with a jolt, as Google was fined €50 million by the CNIL, France’s data protection authority.
The penalty, which was by far the biggest GDPR fine in the eight months that the Regulation had been in effect, related to two violations: Google had failed to adequately explain to its users why it was collecting their data, and it didn’t document a legal basis for doing so.
Valentine’s Day 2019 proved to be particularly disheartening for many people, after rumours swirled that OkCupid users were being harassed by criminal hackers who had broken into their accounts.
The dating site denied that it had suffered a data breach, even though many users took to Twitter saying that someone had got into their account and changed their login credentials.
Worse, the attackers changed the email address associated with the account, preventing the owners from resetting their password. At least one victim said that the “hacker started harassing him with strange text messages”.
Dating sites are popular targets for cyber crime, and OkCupid wouldn’t be the first to disclose an incident. Plenty of Fish, eHarmony, AdultFriendFinder, Zoosk and – famously, Ashley Madison – have all reported breaches.
The important thing is that organisations handle breaches responsibly, letting affected customers know promptly to give them a chance to respond appropriately. For example, customers might want to change passwords for other sites or check their bank account for signs of fraud.
Aluminium manufacturer Norsk Hydro showed organisations across the globe how to respond to a ransomware attack in March, after its superb response to an infection that shut down systems throughout its plants.
Employees were left to file paperwork manually and share documents via fax machines. The BBC reported that “There were people from sales who were drafted in to do production line work. There were people from finance making sandwiches for the team. Everything in the company was turned upside down.”
Meanwhile, senior executives had a tough decision to make. The ransomware was accompanied by a note: “Your files are encrypted with the strongest military algorithms. Without our special decoder it is impossible to restore the data.”
To access the decoder, the organisation was asked to pay a large ransom in bitcoin.
Fortunately, Norsk Hydro’s CEO, Eivind Kallevik, announced that the company would be able to recover quickly because it had recently backed up its systems.
Backups enable organisations to wipe the infected systems and restore a previous version. This can take anywhere from a few hours to a few days, but if you act quickly, the delays won’t be any longer than if you were waiting for your files to be decrypted. The caveat is that the backups must be kept separate from the systems they protect and tested regularly: ransomware that can reach the backup store will encrypt that too.
US food giant Mondelez sued insurance company Zurich American for denying a $100 million (about €88 million at the time) claim filed after the NotPetya attack.
The confectioner, which owns Cadbury and Oreo, says it lost 1,700 servers and 24,000 laptops as the ransomware swept through its systems, but Zurich American argued the damage was the result of an “act of war” and therefore isn’t covered by its policy.
Most experts agree that Mondelez has a strong claim despite NotPetya’s relation to Ukraine–Russia tensions. Zurich American agreed at first, offering an initial payment of $10 million.
However, the insurer soon changed its mind, claiming an exclusion for “hostile and warlike action in time of peace and war [by] a government or sovereign power”.
May 2019 was a slightly less frantic affair. Some commenters, like IT Governance’s Senior Consultancy Manager Nicky Whiting, found that organisations had become complacent about their GDPR compliance requirements.
“Organisations are not fully prepared, and still have a long way to go and a lot of work to do. This can be attributed to a lack of resource, Brexit distractions and a lack of buy-in from senior management,” she said.
“As media attention has waned, a lot of organisations have taken their eye off the ball. Many have concluded that the ICO [Information Commissioner’s Office] won’t be imposing fines, since there’s been little news coverage about enforcement action.”
A ransomware epidemic in the US reached fever pitch in June, after three Florida cities were targeted within the space of a few weeks.
The first was Riviera Beach, a small city north of Miami. But despite – or perhaps because of – its size, the city felt compelled to pay the cyber criminals’ $600,000 (about €520,000 at the time) ransom after its systems had been shut down for three weeks.
The city had already set aside $1 million to buy new computers and hardware following the attack but decided it would be quicker and less expensive to simply pay up.
That was a disastrous decision, as it reinforced the precedent that if you infect local governments then they will pay up.
A week later, Lake City, a waypoint for tourists heading towards Orlando and southern Florida, caved to a $460,000 ransomware demand.
The following day Key Biscayne was infected, which would force the United States Conference of Mayors to meet to address the problem. You can find out what their proposed solution was by reading part two of our review of the year, which will be released shortly.
The second half of the year began with a wave of GDPR fines and investigations.
Soon after Ireland’s Data Protection Commission launched an enquiry into the lawfulness of Apple’s data subject access request processes, the Netherlands’ data protection authority, the AP (Autoriteit Persoonsgegevens), announced a €460,000 fine against Haga Hospital.
Haga was investigated by the AP after 85 hospital employees had accessed the medical records of Samantha de Jong, AKA Barbie, a well-known Dutch reality TV star.
All of this came against the backdrop of a hammer blow from the UK’s data protection authority, the ICO (Information Commissioner’s Office).
The Swedish data protection authority, Datainspektionen, fined a local authority 200,000 Swedish krona (about €18,000 at the time) for unlawfully trialling a facial recognition programme at a high school.
The GDPR classes facial images and other biometric information as being a special category of data, with added restrictions on its use.
September saw a landmark data protection ruling by the European Court of Justice. It ruled that Google didn’t need to apply the ‘right to be forgotten’ globally, because it is an EU law.
The case goes back to 2015 when the French data protection authority, the CNIL, ruled that Google must remove damaging or false information from the search engine when the ‘right to be forgotten’ is requested.
Google was also fined €100,000 for failing to apply the law worldwide, but it will now no longer have to pay that penalty. More importantly, the ruling confirms that individuals outside the EU aren’t necessarily protected by EU rights even if the organisation is based in Europe.
On 30 October, the Japanese media giant Nikkei revealed that, in late September, an employee of its American subsidiary, Nikkei America, fell victim to a scam that cost the company $29 million.
Nikkei disclosed little information about the incident, but confirmed that a fraudster emailed the employee posing as an executive. In other words, it was a form of BEC (business email compromise).
BEC attacks typically begin with a spear phishing email sent to someone in the organisation who handles payments. In the simplest form, as in the Nikkei case, the attacker never needs access to anything: they spoof the executive’s display name from an outside address or a lookalike domain and rely on the recipient not checking. In the more patient form, the scammer first compromises a mailbox, then monitors it, learning about suppliers and projects and waiting for an opportunity to set their trap.
This often involves sending a fraudulent invoice, or a request to update a supplier’s banking details, so that payment goes to a bank account the criminal controls.
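As an added illustration, not part of the original post, the following Python script applies the checks a mail filter or SOC triage rule would apply to the pattern described above: an executive’s display name on an address that isn’t theirs, a sender domain that is a near-miss of the organisation’s own, a Reply-To that diverts replies away from the apparent sender, and payment-change language in the message. The domain example.com, the executive list and both sample messages are constructed for this example.

```python
"""Heuristic BEC triage: score an inbound email for executive impersonation.

Added example, not code from the original post. TRUSTED_DOMAIN, EXECUTIVES and
the two sample messages below are constructed assumptions for the demo.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                       # assumption: our own domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}    # assumption: staff most often impersonated
PAYMENT_KEYWORDS = ("wire", "bank details", "invoice", "urgent", "payment")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com or exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> list:
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    findings = []

    # 1. An executive's display name, but the address is not the one we know for them.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display-name impersonation of {name} from {addr}")

    # 2. Sender domain is within two edits of our own: typosquat or homoglyph registration.
    if sender_domain != TRUSTED_DOMAIN and 0 < levenshtein(sender_domain, TRUSTED_DOMAIN) <= 2:
        findings.append(f"lookalike domain {sender_domain}")

    # 3. Reply-To points at a different domain, so the victim's reply never reaches
    #    the person whose name is on the message.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"reply-to redirected to {reply_to}")

    # 4. Payment-change language in subject or body (the actual ask of a BEC lure).
    payload = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + payload.decode("utf-8", "replace")).lower()
    hits = [k for k in PAYMENT_KEYWORDS if k in text]
    if hits:
        findings.append("payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LURE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.example
To: accounts@example.com
Subject: Urgent: supplier invoice

Hi, please process the attached invoice today. The supplier has new bank details.
Wire the payment before 5pm and confirm. I am in meetings, reply by email only.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch

Are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, "->", triage(sample) or "no findings")
```

None of these checks is conclusive on its own (a genuine executive really might write from a phone with an odd Reply-To), which is why the function returns every finding rather than a verdict; in practice the payment-change finding is the one that should trigger an out-of-band call to the supplier using a number already on file, never one taken from the email itself.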
BEC scams have been on the rise in the past year, according to the FBI’s Internet Crime Complaint Center, which identified a 100% increase in financial losses between May 2018 and June 2019.
November saw the usual annual increase in phishing scams as attackers sought to take advantage of the seasonal spike in online shopping: the cyber security company ZeroFOX reported that it detected 61,305 potential scams in the weeks leading up to the Black Friday/Cyber Monday weekend.
However, the most common type of scam this year didn’t involve online-only retailers like Amazon but high-street shops. This was probably because more people would be shopping offline than online, so scams imitating well-known chains would have a greater chance of success.
It was a bad end to the year for two German organisations who were fined for GDPR failures.
A Rhineland-Palatinate hospital, which was unnamed in the European Data Protection Board disclosure, received a €105,000 fine for several failures related to patient admissions that resulted in patients receiving incorrect invoices.
The Internet service provider 1&1 Telecom GmbH received a much sterner penalty – €10 million – for failing to implement appropriate technical and organisational security measures.
It was a fitting way to end the year for GDPR optimists, as not only has Germany lived up to its reputation as the most rigorous country in the EU when it comes to data protection, but it encourages other supervisory authorities to follow suit.
The flow of GDPR fines began to come a little faster in the second half of the year, but we expect things will pick up even more in 2020.
As always, we’ll be covering every incident as it happens throughout the year, so please do keep an eye on our blog for the latest cyber security news and advice.