Cyber attacks and data breaches in review: January to June 2020

How can we even begin to summarise 2020? It’s been a year in which so much and yet so little has happened.

Many of us have spent the year at home trying to keep our sanity and avoid the world on fire outside.

For those who have homeschooled children, been furloughed at work, had long-awaited plans cancelled or lost loved ones, it’s been an even more difficult year.

Yet, for cyber criminals, business continued as usual. In fact, many have benefitted from our increased reliance on technology and the year-long uncertainty and confusion that the pandemic brought.

To close out the year, we’ve rounded up the most notable cyber security stories from 2020.

You can find part one below, in which we look at January to June, with part two to follow.


January

A German privacy watchdog opened an investigation into the clothing retailer H&M after it was accused of spying on customer service representatives.

Hamburg’s data protection commissioner said in a statement that a hard drive containing 60 GB of data revealed that managers at H&M’s Nuremberg site kept “detailed and systematic” records on employees’ health, private lives and holiday experiences.

The database was then leaked to other H&M staff who shouldn’t have had access to sensitive employee data.

The data protection officer overseeing the case, Johannes Caspar, said the records, which were accessible to all company managers, showed that employees were comprehensively spied on “in a way that’s unparalleled in recent years”.

H&M told affected employees about the leak in October 2019 and reported it to their data protection authority.

It apologised for the incident and said that it has since implemented measures to better protect employees’ data privacy.

“The local team has taken a range of action and is in close dialogue with all colleagues”, an H&M spokeswoman said in a statement. “Since the incident is in legal examination […] we cannot further comment on that at the moment.”


February

In February, the low-cost airline Transavia confirmed that it suffered a cyber attack affecting up to 80,000 passengers.

The breached data included passengers’ full names, dates of birth, luggage reservations and whether or not they required assistance at the airport.

That all sounds about standard, right? It’s a typical breach that shows how every organisation is vulnerable to a cyber attack even if you think you don’t store any sensitive information.

Except there are two things that made this incident notable. First is that the attackers didn’t break into Transavia’s databases; the information was sitting in an employee’s email inbox.

Second, the information dates back over five years – relating to anyone who flew with one of the airline’s subsidiaries between 21 January and 31 January 2015.

Why was this information sitting in an employee’s inbox when the GDPR (General Data Protection Regulation) has strict rules on data retention?

Specifically, it states that organisations can only hold on to personal information if there’s a clear reason to do so; once they no longer need the information, it must be disposed of.

This incident was a perfect example of why that rule is in place. Transavia may or may not have had a legitimate reason to hold on to the data, but either way, it needed to be more careful about how it protected it.


March

And so it began. COVID-19 infections in Europe soared throughout March, and we began to realise the ramifications of the disease.

Italy was the first country in Europe to go into lockdown, but it wasn’t long before others followed suit.

On our sister site, we reported that experts were warning that cyber criminals would use this opportunity for their own gain – and that proved to be the case.

Organisations scrambled to set up remote working capabilities and bolster their defences, while criminals sent a barrage of attacks targeting individuals and organisations.

Everything from emails regarding hygiene protocols to coronavirus conspiracy theories became cause for suspicion.


April

With people across the world confined to their homes, many of us resorted to video conferencing software to stay in touch with friends and colleagues.

That was good news for Zoom, which saw its number of daily users increase from 10 million in December 2019 to 300 million in April.

Unfortunately, the service was plagued with cyber security concerns, including vulnerabilities that enabled people to steal passwords, take over microphones, “Zoom-bomb” attendees, plant malware and steal users’ personal information.

Zoom hurried to address the myriad issues, which – as Bloomberg’s Tae Kim argues – were not entirely the fault of the organisation’s security team.

“Much of its problems stem from the unintended consequences of when demand explodes in unexpected ways,” Tae wrote.

“Originally founded in 2011 for corporate clients, Zoom’s software is now being used in situations it was never designed for.”

Tae also noted that the organisation was slow to recognise the changing demands of its users, many of whom weren’t familiar with the security features that would have prevented many of these issues.

Yet the problems continue. In November, the Federal Trade Commission announced that Zoom “engaged in a series of deceptive and unfair practices that undermined the security of its users”, ordering the organisation to implement new processes.


May

The COVID-19 nightmare continued in May, as the German hospital operator Fresenius suffered a ransomware attack.

The organisation, which is a major provider of dialysis products and services that are in high demand thanks to the pandemic, said that the incident has limited some of its operations, but patient care was unaffected.

Ransomware attacks like this are unfortunately common. We recorded 17 of them in May, although the actual figure will be much higher given how rarely they are publicly disclosed.

Security researchers believe that the attackers used the Snake ransomware strain, which identifies IT processes that are tied to enterprise management tools and large-scale industrial control systems, such as production and manufacturing networks.

It then siphons unencrypted files, encrypts computers on a network, and tells victims that they have 48 hours to pay up or the hackers will post the stolen data online.


June

In June, more than 100 high-profile executives at a German multinational were targeted by a series of phishing attacks.

The unnamed organisation is part of a coronavirus task force responsible for purchasing personal protective equipment for healthcare workers.

Researchers at IBM X-Force said that the attackers targeted multiple organisations and third-party supply chain partners associated with the task force.

The phishing email directed victims to a fake Microsoft login page in order to capture their login details.

This is the same method that was used in a series of attacks that compromised the accounts of 150 executives in the finance industry in May.

However, whereas that attack was linked to criminal hackers in Nigeria and South Africa, this campaign is tied to Russia.

You can find part 2 of our review of the year in the next few weeks. Subscribe to our Weekly Round-up to make sure you catch it.
