Heading rapidly into 2020 the data breach threat is not letting up.
2019 now appears to be the worst year ever for data security, a label not entirely unexpected as attack surfaces widen with new technology, cyber criminals evolve their tactics, and the simple human capacity for error perseveres.
Ponemon Institute’s 2019 Cost of a Data Breach Report now puts the average cost of a data breach at a record $3.92 million. As per HelpNetSecurity and Teramind data breaches increased by 54% in the first half of 2019 and at least 4.1 billion records were exposed last year.
IT Governance puts the number of records breached in December 2019 alone at 627 million records. It reports that a total of 90 breaches and cyber attacks were revealed across the month.
Risk Based Security puts data breaches as having jumped 33% in 2019 compared to 2018 and says a total of 5,200 breaches exposed nearly eight billion records. ScoreSense says as many as 4 in 10 Americans have been affected by some kind of breach in the past year.
IBM declares malicious breaches, rather than human error, are still the most common cause of data exposure.
Let’s look at, and learn from, just some of the past few weeks data breaches.
LifeLabs, Canada, 15 million individuals affected
Canada’s largest lab testing company, LifeLabs Medical Laboratory Services, has been hit by a ransomware attack and it paid a ransom after the theft of 85,000 lab test results and potentially the data of 15 million customers.
As per The Globe and Mail, LifeLabs paid an “undisclosed sum” to retrieve the data and have engaged cybersecurity experts to asses the damage. So far, the experts have advised that customer risk is “low” and there has not yet been “any public disclosure of customer data.” The experts are monitoring the dark web and online locations where such stolen data often surfaces.
The stolen data may include names, addresses, email addresses, logins, passwords, and health card information which was stored on LifeLabs’ breached systems.
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
UK honours list recipients
As per The Guardian. 1,000 key figures and celebrities on this years UK honours list have had their home and work addresses inadvertently posted on a government website. The list includes more than twelve Ministry of Defence employees and senior counter-terrorism officers. It was published in a downloadable format and visible online for around an hour according to the Cabinet Office.
Ex-head of the civil services, Sir Bob Kerslake says:
“It is a serious and indeed extraordinary breach because this is a well-established process that has gone on in pretty much the same way for years, so I think an urgent investigation is certainly needed.”
It has been speculated that the list was posted through “human error,” Kerslake adds:
“Of course, it’s likely to be human error, as has been suggested, but we need to know how well staff were trained about the importance of maintaining security. Were they briefed on the potential consequences if this information was released.”
The incident has been reported to the Information Commissioners Office (ICO) and the Cabinet Office said it was contacting individuals to advise in regard to security concerns as well as to apologise. The ICO will be the body under GDPR which decides if fines will be due in the breach.
Former work and pensions secretary Iain Duncan Smith says:
“Everybody knows virtually everything about me. It’s much more concerning for private citizens, like those who have been involved in policing or counter-terrorism or other such sensitive cases, to have their addresses published.”
Singapore Ministry of Defence Contractor ST Logistics, 2,400 records breached
2,400 Ministry of Defence (Mindef) and Singapore Armed Forces (SAF) staff may have been affected by a data breach, according to The Straits Times, which occurred after malware entered systems via a phishing email attack.
ST Logistics provides retail and equipping services for SAF and the data exposed may include names, numbers, email, and residential addresses.
Wawa, USA, customers of 850 stores since March 2019
The US convenience store chain has revealed it has discovered malware capable of exposing card numbers, expiration dates, and cardholder names. CEO Chris Gheysens says the breach affects, “potentially all Wawa in-store payment terminals and fuel dispensers.” Potentially any customer who used a debit or credit card at any of Wawa’s 850 locations since March may have been affected.
Wawa did not reveal to The Washington Post exactly how many customers it believes have been affected but did say it is not aware of any card fraud following the breach. Gheysens said in a statement and apology:
“I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident.”