A Look Back at Some of the Biggest Cyber Incidents of 2019
It’s once again that time of year.
As 2019 draws to a close and 2020 looms just over the horizon, everyone’s falling into one of two camps. On one side are people who are nostalgic and misty-eyed, reflecting on what a great year it was for them. On the other are people who are still trying to figure out exactly what happened and how they’re even still standing after such a 12-month trainwreck.
In the cybersecurity space, you’ll probably find more of the latter than the former.
That’s because 2019 was, to be blunt, an incredible year for cyber-crime. Over the course of the year, we witnessed some of the largest and most high-profile data breaches and cyber-incidents in history. As a matter of fact, we’re even a little hesitant to release this article right now — we’re not convinced December doesn’t still have some major incident in store for us.
For now, though, here are some of the most significant cyber-incidents of 2019.
Fortnite Players Get Baited
In January, developer and publisher Epic Games revealed that the immensely popular battle royale shooter Fortnite suffered from a rather glaring flaw in its login system. Essentially, the vulnerability, which was discovered by security agency Checkpoint Security, allowed a hacker to log into someone’s Fortnite account without requiring a password.
The source of the bug? An Epic Games website created way back in 2004. Basically, hackers could use the page to redirect access tokens to their own server instead of Epic’s servers, meaning they could gain access to someone’s account simply by convincing them to click a phishing link.
The page was deactivated shortly after news of the bug broke, but Checkpoint estimated it could have impacted an unknown number of the game’s 80 million players.
The lesson: Security flaws can surface in the most unexpected places. Always be ready to take action to mitigate them, and make it a point to retire unused legacy systems before they cause problems.
Google Researchers Uncover Massive iPhone Hack
Researchers with Google’s Project Zero, a team of security analysts tasked with finding zero-day vulnerabilities, made a disturbing discovery in August. They revealed that for at least the past two years, iPhones had been subjected to a series of targeted attacks originating from hacked websites. And every iPhone to date was vulnerable to these attacks.
The hacks themselves were incredibly sophisticated, suggesting a state-backed effort. TechCrunch even reported that they may have been an effort by the Chinese government to monitor Uighur Muslims, news which makes this entire situation even more chilling.
The lesson: No matter how secure a system seems to be, it is still vulnerable. Complacency is itself a security risk. Remember when everyone thought iPhones were more secure than Android devices?
Quest Diagnostics Exposes 11.9 Million Patient Records
In June, clinical laboratory Quest Diagnostics announced that nearly 11.9 million patient records had been compromised, accessed by an unknown and unauthorized user. As reported by Reuters, this individual had access to the data for several months sometime between August 2018 and March 2019. As more information on the breach surfaced, it came to light that it wasn’t Quest itself that was responsible.
Rather, it was a partnered organization, Retrieval-Masters Creditors Bureau Incorporated, also known as American Medical Collection Agency. It has since filed for bankruptcy, citing fallout from the breach as the cause.
The lesson: If your supply chain is not secure, then you are not secure. Hold your vendors and partners to the same standards as you hold yourself. Otherwise, you’ve only yourself to blame if you suffer a breach.
Capital One Data Breach Puts Tens of Millions At Risk
One hundred million Americans and 6 million Canadians. That’s how many individuals were impacted by this year’s Capital One breach, one of the largest financial services hacks in history. Compromised data included names and addresses, postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Transactions and customer status were also accessed, and a smaller number of individuals had their social security numbers, bank account numbers, and social insurance numbers compromised. The bank announced that it would notify affected individuals by mail, and offer them free credit monitoring and identity protection.
Eventually, the culprit was revealed as Paige Thompson, who was briefly employed at Amazon Web Services, where she worked in the division that hosted Capital One’s data.
The lesson: Employee training, access controls, and proper logging and monitoring go a long way towards guarding against insider threats.
Baltimore Is Brought To Its Knees
In May, the entire city of Baltimore screeched to a halt. Well, sort of. Criminals used the RobbinHood ransomware to lock down large portions of the city’s servers and government systems, including the city’s voicemail, email, parking fines database, billing platforms, and vehicle citations.
This was the second time in just over a year the city was targeted, and it was apparently caught off-guard a second time. The total cost of the attack has been estimated at around $18.2 million. The city’s CIO has since departed his position due to his poor handling of the incident.
The lesson: Backups are critical to protecting against ransomware. Baltimore had no data backup process for many of its key systems, which left it particularly susceptible to attack.