2020: On track to hit data breach record
Just over halfway through the year, 2020 is already on track to have the highest number of data breaches ever recorded in a single year.
The facts so far:
The number of records exposed in Q1 2020 skyrocketed to 8.4 billion – a 273% increase compared to Q1 2019. COVID-19 sent cybercrime soaring. Not only has the attack surface expanded massively, but cybercriminals are exploiting the emergency with a range of attacks that lure internet users into clicking on malicious links or files. This can allow the attackers to steal sensitive data or even take control of a user’s device and use it to launch further attacks. At Smarttech247, we have noted a 6000% increase in phishing attacks since February 2020.
Most of the 273% rise in compromised records so far this year is down to a single infamous breach: a misconfigured Elasticsearch cluster that exposed 5.1 billion records. Even excluding that incident, the number of records breached is still up 48% compared to Q1 2019.
While the number of publicly reported breaches in Q1 2020 decreased by 58% compared to 2019, the COVID-19 pandemic gave cybercriminals the opportunity to thrive. Phishing and social-engineering scams soared and defrauded millions of internet users who were shifting to a working-from-home model. The surprising decline in publicly disclosed breaches is misleading, and is largely attributable to the confusion the pandemic caused.
Has the healthcare industry suffered the most?
Healthcare organisations continue to be the industry most exposed to cyber attacks this year, accounting for more than four in ten breaches. As hospitals shifted their focus and resources to their primary role and to the demands of managing an extraordinary emergency, they were left in a very vulnerable position.
In Q1, more than 100 incidents were reported, affecting more than 2.5 million individuals. Medical records are highly sought after on the dark web, and the number of medical identity theft cases is only expected to rise.
One of the largest incidents at a healthcare organisation was at Health Share of Oregon, where a stolen laptop led to a breach affecting 654,000 patients. The theft of an employee laptop shows that physical security controls and vendor management deserve the same attention as other cybersecurity priorities.
Magellan Health was hit by a ransomware attack in April of this year, with almost 365,000 patients and employees impacted. The attackers gained access through a social-engineering phishing scheme that impersonated a Magellan Health client just five days before the ransomware was deployed. During those five days, they first exfiltrated sensitive data from the impacted server.
Right around the time coronavirus cases started surging, a medical facility on standby to help test any coronavirus vaccine was hit by Maze, a ransomware group that had promised not to target medical organisations.
Today, the news broke that hackers backed by the Russian government are attempting to steal information from researchers and pharmaceutical companies racing to find a COVID-19 vaccine. Britain’s National Cyber Security Centre said the hackers were “almost certainly” connected to Russia’s intelligence services. Britain made the announcement in coordination with authorities in the U.S. and Canada.
These breaches of our healthcare systems during this time only prove that no industry is immune to the risk of a breach and no location is a breach-free zone.
The COVID-19 pandemic has forced the healthcare industry into a new reality. The industry has undoubtedly been a direct target or collateral victim of many recent cyber attacks, but with the whole cybersecurity community working together to support the healthcare sector as the pandemic develops, we hope to limit the impact of the breaches it has suffered in recent months.
Breaches on other industries
Email is the largest attack vector, so it comes as no surprise that cybercriminals launched many phishing campaigns related to COVID-19. Many of the emails, purportedly from official organisations, contained updates and recommendations connected to COVID-19.
Phishing campaigns tied to COVID-19 peaked in mid-April, while the rate of ransomware attacks and reported data breaches slowed amid the crisis.
Our own pentesters at Smarttech247 have been monitoring forum sites on the dark web to understand whether COVID-19 is discussed there as much as it is on the clear web, and what exactly cyber criminals are saying about it. Some of the most notable themes were carding, phishing, Android spyware and ransomware.
Some of the largest hacks during the first half of 2020 are:
Hospitality giant Marriott was hit by a second data breach that exposed the personal information of 5.2 million guests in March, with the attackers obtaining travel information, names, addresses and loyalty member data.
As many of us know all too well, EasyJet became the victim of an attack on May 19th 2020 that exposed the personal details of 9 million customers.
A Virgin Media database was left unsecured for 10 months, exposing the personal information of 900,000 customers. While the breach was not the result of a cyber attack, anyone who stumbled upon the database could have viewed the names, phone numbers, email addresses and home addresses of users.
Additionally, a number of dating applications were found to be leaking 845GB of sensitive data: over 20 million files containing photos, user names and financial data.
It’s true that some data breaches pose higher risks to victims than others, but cyber criminals can work wonders with the miscellaneous data gathered from their intrusions. Human error plays a big part in data breach incidents, and even if your information is safe today, your personally identifiable information will eventually be up for grabs.
Personal information is not safe online. While most internet users do not understand the importance and value of their data, cyber criminals do.
What about our Critical Infrastructure?
One interesting development is that many organisations that never considered themselves part of the critical infrastructure discussion are now classified as such, because certain companies have suddenly become critical to national welfare. We have also seen several notable attacks on critical infrastructure. In May, Taiwan’s state-owned energy company suffered a ransomware attack; Israel reported cyber attacks on its water systems; Japan’s telecommunications firm NTT said hackers breached its internal network and stole data on 621 customers; and German intelligence agencies warned of Russian hacking threats to critical infrastructure.
In February, a U.S. natural gas operator was forced to shut down for two days after ransomware spread to the site’s OT network.
Newly critical organisations are under tremendous stress right now, because they are not accustomed to operating in a world where failure is not an option. Unfortunately, it seems likely that this trend will continue through 2020.
What to watch out for in the second half of 2020
With the rollout of 5G, many more devices and sensors are expected to be connected across supply chains, communities, organisations and localities. While this will usher in a new wave of the communications revolution, experts note that it poses new risks to both consumers and businesses. Because 5G is a switch to all-software networks with far wider bandwidth, sophisticated attackers can tap into these emerging vulnerabilities and have a larger attack surface to exploit. Meanwhile, the ubiquity of sensors and devices will require a new, tighter framework for endpoint security across industries.
As we move on from COVID-19 and enter the second half of 2020, industries will have to further adapt to the changing cybersecurity landscape to protect their data. With increased connectivity, the danger of a data breach is only going to increase.
Our tips on how to secure your systems:
When it comes to security, there are three key questions to consider: what do we need to do to prevent a breach, what do we do during an attack, and what do we do after?
What do you need to do to prevent a breach?
1. Visibility is key
How can you protect what you can’t see? Visibility of the hardware and software assets in your network and physical infrastructure will give you a greater understanding of your organisation’s security posture. An asset inventory helps you understand what you have in place and lets you build categories and ratings around the threats and vulnerabilities your assets may encounter.
2. User awareness
Regular cyber security awareness training will ensure that your employees are always up-to-date with the latest phishing scams and malicious attempts to access your data or systems.
Be sure to follow all of the basic anti-phishing recommendations, and be aware that hackers continue to capitalise on the fear of the unknown road ahead for many organisations.
But the question arises: how confident are you that your employees won’t fall prey when they encounter a phishing attack? We recommend conducting phishing simulations to evaluate their awareness and their ability to spot a potential breach.
3. Updating and Patching
Make sure your devices have the latest security updates installed and an antivirus or anti-malware service.
System patching also helps avoid lost productivity. A cyber attack can cause system downtime, leading to lost productivity, and a company may then suffer monetary losses from the cost of patching, delayed production and unproductive workers. Patching also protects your business data, one of your most valuable assets.
4. Multi-factor authentication
Use multi-factor authentication (MFA) on all your accounts. Most online services now provide a way to use your mobile device or other methods to protect your accounts in this way.
5. Incident Response Plans
Prepare for a possible incident with a comprehensive Incident Response Plan. An incident response plan is a documented, written plan with clear, distinct phases that helps IT professionals and staff recognise and deal with a cybersecurity incident such as a data breach or cyber attack. Properly creating and managing an incident response plan involves regular updates and training. It is important to test your plan regularly, simulating a real-life attack and documenting how well your organisation is positioned to respond should one occur.
6. Security Intelligence and Monitoring
24/7 monitoring can provide early warning of cyber threats and detect patterns of criminal activity. Preventing, detecting or disrupting an attack at the earliest opportunity limits the business impact and the potential for reputational damage.
7. Back up
Data is the lifeblood of an organisation. Data loss is often as damaging to an organisation, both financially and to its brand, as a data breach. Many organisations never fully recover from data loss events, and some go out of business entirely. Keeping a copy of critical data in a secure offsite location is one small step that should not be overlooked.
What do we do during an attack?
Reputational damage is significant following a data breach, particularly if a company fails to respond promptly.
The first step is investigation. You will need to calmly assess precisely what has happened. Assemble a suitably qualified and experienced investigation team. Typically, this will include members of senior management, legal, IT and public relations teams. The team should devise an investigation plan setting out issues, work-streams, responsibilities and deadlines.
The team should establish, as clearly as possible, what has happened. What is the nature of the attack? Who was involved? How much money has been lost? Is it clear that the incident is not simply the result of a technical failure?
If you need to dig deeper, conduct a forensic investigation to find the source of the attack, and contain it to limit the damage.
If the attack is serious, get help. For example, at Smarttech247 we offer an emergency incident response service, a subscription-based service that provides access to a team of trusted experts trained to help you respond effectively to threats. This service can give you greater visibility into threats, significantly reduce response and recovery times, and reduce the impact of a breach.
If a breach puts personal or sensitive information at risk, you will need to notify those affected. To avoid further unauthorised disclosure, the notification should not include unnecessary personal information.
What do we do after an attack?
While you are working to repair the damage from the present breach, you also need to ensure that your organisation will not be compromised again. Conduct full risk assessments and penetration tests, and invest in technologies that will help you prevent future incidents. Consider outsourcing your security operations to gain 24/7 monitoring and visibility.
Our security teams at Smarttech247 are working to protect our customers and provide you with the relevant information you need to stay secure. For additional information and best practices for staying secure during these challenging times, please don’t hesitate to contact our experts. There is no cost and we are here to support you.