The year 2019 was a mixed bag for those keeping track of trends. Retail sales were up, while the Hollywood box office was down. Wellness crazes were everywhere, along with CBD oil in just about everything. One upward trend that is nothing but bad news (well, unless you’re a white hat hacker looking for a job), is the continued, never-ending upward trend of cybersecurity breaches.
According to the RiskBased Data Breach QuickView Report 2019 Q3, as of the end of September, this year was already seeing a 33.3% increase in cybersecurity breaches, while the total number of records exposed more than doubled. While the total numbers for the year are still yet to be reported, 2019 will most surely be one for the record books.
The FBI warned that ransomware attacks were on the rise, and noted that small governments remain in the crosshairs of hackers and cyber criminals. The city of Baltimore was actually the target of ransomware for the second time.
“Ransomware will continue as stock in trade for digital thugs; we’ll see more of the same for no other reason than the industry allows it for want of following simple security practices,” explained Jim Purtilo, associate professor in the computer science department at the University of Maryland.
The problem has become so great that in July, at the United States Conference of Mayors, multiple city leaders from around the country agreed that members will “stand united” against paying any ransom should their respective city system be targeted.
The organization, which represents more than 1,400 mayors with cities that have at least 30,000 residents, pledged not to “pay off the barbarians” any further – evoking a stance that goes back to antiquity when city states in Greece and later Roman cities would pay off barbarian tribes not to sack their city.
Contractors in the Crosshairs
It wasn’t just government municipalities that were targeted by cyber criminals in 2019. Government contractor Miracle Systems was hit by a strain of the Emotet malware in September. The extent of the damage remains unclear, but reportedly cost the company $500,000 to $1 million – something Sandesh Sharda, president of the Arlington, VA-based firm Cyberscoop said was a very expensive “learning experience.”
While Sharda admitted “it could happen to anyone,” the monetary cost was just one factor. The firm works with the U.S. Department of Transportation, the National Institutes of Health and the U.S. Department of Homeland Security.
Another firm with government ties, clinical laboratory Quest Diagnostics, was also the target of hackers in June. Hackers may have accessed the data of as many as 11.9 million patients – whose credit card information and social security numbers may have been compromised.
Spying Eyes and Facial Recognition Breaches
Many of this year’s security breaches involved malware, and in May hackers utilized malicious software that installed surveillance technology for WhatsApp users. The Financial Times reported that as many as 1.5 billion users worldwide may have been victims of that attack.
Consumer products could be increasingly targeted, including smartphones – questioning whether government agencies and/or government contractors may need to rethink the “bring your own device” (BYOB) to work policies.
The move to 5G mobile networks could increase the opportunities for cyber criminals, as least in the short run.
“This bodes poorly for consumers in the coming year when we will see the early edge of IoT (Internet of Things) over 5G, which is a security beast of entirely different spots than manufactures are used to hunting,” Purtilo told ClearanceJobs. “The business incentive for developers is to slide 5G underneath existing products as if it is just another communication medium. The first to market often wins. But 5G opens entirely different attack surfaces, and those who don’t pay close attention to the system effects risk costly surprises. I expect we’ll see this in the New Year as 5G-based products take off faster than the awareness of security implications.”
Ironically much of the technology that is also meant to keep our devices safe and secure is already being weaponized in nefarious ways. In June, hackers stole U.S. Customs and Border Protection data, including travelers’ faces and license plates via a CBP subcontractor’s network. This may have affected as many as 100,000 travelers.
One of the largest hacks of a financial institution also occurred this past spring. Banking giant Capital One announced that a lone hacker – Paige Thompson – may have gained access to more than 100 million Capital One customer accounts. This included social security numbers, credit card applications and even bank account information.
“Many of the data breaches this year do not differ from previous years, and the breaches are a result of a phishing attack,” explained James McQuiggan, security awareness advocate at KnowBe4.
“The criminals are using the phishing and social engineering practices to get people to bypass their cognitive thinking and click on the links, open attachments and accept emails at face value or authentic,” McQuiggan told ClearanceJobs. “Some of the larger breaches came from organizations responsible for our credit card information, DNA information, and social engineering companies who consumers expect [to provide] a certain level of privacy.”
Such attacks will only continue in 2020 and beyond.
“To stop this type of attack, organizations need to have a robust security awareness and training program which educates their employees and significantly reduce the risk of a phishing scam being successful,” added McQuiggan. “The security awareness and training program is to support an organization’s robust security program, with asset management, change control and an up-to-date patching program.”