Like years past, 2019 has brought a number of changes and technological advances, particularly in the IT world. However, 2019 was also an important year for cybersecurity. Dozens of companies experienced cyber attacks last year, resulting in data loss, malware infections, and other costs. If cybersecurity in 2019 has taught us anything, it’s that now is not the time to abandon critical security measures.
The United States has the highest costs for cybercrime at $27 million (hashedout.com). Perhaps even more startling is the fact that cybercrime costs the global economy $2.9 million every minute (Help Net Security).
By looking back on the state of cybersecurity in 2019, we can learn from the past and better prepare for future years.
New Privacy Regulations
Privacy regulations have been changing rapidly in the last couple of years. In May of 2018, the General Data Protection Regulation (GDPR) set forth a new set of rules for all companies operating within the European Union (EU). These rules were designed to give individuals more control over their personal data.
In 2019, additional privacy concerns have emerged. A year ago in January, France fined Google $57 million for violating GDPR.
Google’s breach of conduct led to other violations, such as the fine imposed on Facebook by the Federal Trade Commision in July. The FTC demanded $5 billion, the largest penalty ever given to a company for abusing consumers’ privacy rights.
Predictions for Privacy in 2020
The California Privacy Law (CCPA) will take effect on January 1st, 2020. CCPA will affect all California residents and “any business who buys, receives, sells, or shares the personal information of at least 50,000 California residents, households, or devices annually” (Cookie Bot).
The law requires greater transparency between companies and consumers. Individuals will have the right to know whether their personal data is being collected and sold. Additionally, consumers have the right to sue businesses if login information (such as an email address and password) is stolen due to the business’s negligence.
2019 Security Breaches
Perhaps the most documented events of the year were the cyber attacks befalling various companies. Many of these breaches resulted in leaked customer data, while others were more costly.
Marriott International
In 2018, hackers stole sensitive data from Marriott International, including 5.3 million unencrypted passport numbers and details for over 350,000 payment cards. The breach occurred via a reservation database called Starboard, which is no longer in use.
Almost a year later, the UK Information Commissioner’s Office (ICO) fined Marriott 99.2 million British pounds (equivalent to roughly $124 million). The ICO said that Marriott had failed to implement proper security measures with regard to Starwood.
Quest Diagnostics
Quest Diagnostics experienced a breach in June that exposed the sensitive information of over 11.9 million patients. This information included credit card numbers, bank account information, and social security numbers.
Capital One
Former Amazon Web Services (AWS) employee Paige Thompson was charged in July with accessing the personal information of 106 million Capital One credit card users. She was also caught stealing data from over 30 other companies. A vulnerability in Amazon’s firewall allowed Thompson to access the data.
Citrix
Last spring, Citrix systems disclosed that foreign cybercriminals broke into its network. The criminals downloaded business documents that possibly contained personal information about ex-employees, including social security numbers and financial data.
According to the company’s investigators, the hackers used a flimsy method called “password spraying.” This involves entering a series of common passwords until one works.
Amazon
In May, Amazon also experienced a breach. Bloomberg reported that hackers had broken into the accounts of 100 Amazon sellers.
The hackers supposedly broke into these merchant accounts through phishing scams. After accessing the accounts, they quickly emptied all funds.
Sprint
Just two months later, Sprint admitted to a security breach in which hackers also broke into accounts to view customer information. Spring assured its customers that “No other information that could create a substantial risk of fraud or identity theft was acquired.”
The criminals responsible for the attack found a backdoor into Sprint’s database through a Samsung webpage. Samsung reported that it has since adopted security measures to prevent further attacks of this kind.
Imperva
Imperva reported a breach in August, which had exposed customer email addresses and passwords. The breach allegedly stemmed from the unauthorized use of an administrative API key in a production AWS account.
After taking control of these keys, attackers could whitelist themselves and begin attacking the customer’s site.
Comodo
By October, Comodo had joined the list of unlucky victims. Comodo says hackers exploited a vulnerability in its user forum. As a result, the criminals stole information from nearly 250,000 users, including passwords and social media usernames.
2019 Malware Attacks
Malware ranks as the most costly type of attack for organizations (hashedout.com). While data breaches cause a number of problems for companies, malware adds the risk of network infection and data loss.
Despite the risks involved, individuals and businesses are still falling prey to malware attacks each year.
Nansh0u
In May, a China-based malware campaign nicknamed Nansh0u infected over 50,000 servers. Each attack began with authentication attempts to an MS-SQL server, which continued until the attackers achieved a successful login.
Those affected included companies in healthcare, telecommunications, media, and IT fields.
iOS Security
Malware attacks don’t end with servers. In August, Google’s Project Zero detected at least 14 iOS vulnerabilities. These security gaps could expose user data, such as photos, messages, and GPS coordinates.
2019 Phishing Scams
A recent survey by cybersecurity company McAfee reports that 41% of Americans fell victim to email phishing schemes in 2019 (CNet). Additionally, 85% of organizations reported experiencing phishing attacks in 2019, a 16% increase from 2018 (hashedout.com).
Phishing scams are one of the most common forms of cyber attacks, and they can often be very difficult to identify. The state of cybersecurity in 2019 reveals that dozens of phishing attacks continued to affect people last year.
Hijacking Search Results
In December, Microsoft released a report on 2019’s malware and cybersecurity trends. Additionally, experts shared a few of the top phishing scams they had seen in 2019.
One such attack involved a group of criminals that hijacked Google search results to rank criminal websites at the top. The phishers also sent emails to victims, linking search results to an attacker-controlled website. The website would then redirect the user to a phishing page.
Misusing 404 Error Pages
Another clever trick involved the use of 404 error pages. Criminals emailed users with phishing links, but instead of sending them to a registered website, the link went to a nonexistent page.
When scanned by Microsoft’s security system, the link led to a 404 error page and was therefore deemed safe (since the link didn’t exist). However, when real users accessed the URL, the link automatically redirected to a phishing page.
Man-in-the-Middle Servers
A final phishing attack involved the use of a Man-in-the-Middle (MitM) server. The server copied elements from various websites in order to create landing pages that appeared legitimate.
This made the subsequent phishing scams a lot harder to detect, since the phishing website appeared almost identical to the original site. The only way for users to detect such an attack would be to inspect the page’s URL.
The Future of Cybersecurity
- Fake news
- Increased digitization
- Innovation of AI and machine learning
- Synthetic identities and deepfakes
Making Security a Priority
As technology continues to evolve, it will become more important than ever for businesses to prioritize security. Markus, Mikola, founder and CEO of ContractZen, shared the following prediction on Forbes:
“I believe that 2020 will be a watershed year when it comes to demand for higher cybersecurity standards in business software. It feels like hardly a week went by in 2019 where there wasn’t some kind of major cloud service breach in the news. I predict that in order to maintain trust and market positioning, more business SaaS companies are going to emphasize improved security and privacy.”
Here at CR-T, we take pride in providing enterprise-level IT services at prices that work for small businesses. Our team of experts can become your IT support department, responding to issues quickly, often before you even know about them. Covering everything from your servers and network infrastructure, to your computers, workstations and mobile devices, we provide end-to-end solutions for all your technology needs.
Time and experience have helped us develop best practices and workflow procedures designed to keep your focus on your business, not your technology.
Blog & Media
Cloud Services
Managed IT Support
Cyber Security
Project Services
Servers/Infrastructure
Firewalls
Networking
Hardware/Software
Microsoft Products/Cloud
Amazon Web Services
Penetration Testing vs Vulnerability Scanning
If you’re responsible for managing the security of your organization’s network or systems, you may have heard the terms “penetration testing” and “vulnerability testing” thrown
Backup and Disaster Recovery
Your organization can’t afford to neglect backup and disaster recovery. If it takes your business too long to get back online after a disaster, you
6 Steps to Secure Customer Data
Securing customer data is essential for one major reason: your business depends on it. As an IT director, you recognize the importance of cybersecurity when
5 Steps to Promote Compliance in the Workplace
You’re familiar with the ever-changing world of regulatory compliance. Robust compliance enables you to avoid legal liabilities while improving your organization’s effectiveness. And many of
