2020 IT Security Roundup
Summary
- COVID-19 forced organisations to start more actively using technology for remote collaboration.
- Cybersecurity specialists operated at their limits to adapt organisations to the technological shift caused by the pandemic.
- Hackers quickly adjusted to the changing technology landscape, coming up with new and dangerous techniques.
COVID-19 turned 2020 into an unusual spectacle on many fronts. In particular, the pandemic slowed down business activity worldwide and forced organisations to more deeply incorporate software and technology in their workflows.
Although overall beneficial, this shift has caused a wide array of issues, especially connected with remote work. For an estimated 20% of businesses, remote workers have caused security breaches due to negligence, unsafe software, or unprotected personal devices.
The ICT security landscape has certainly changed quite dramatically, and attackers weren’t slowed down by the pandemic – in this article we present 2020 security statistics from Australia, the US and EU.
2020 Security Breach Statistics for Australia
The Office of the Australian Information Commissioner (OAIC) publishes reports on notifiable data breaches on a bi-annual basis. As of mid-January 2021, the latest available OAIC report covered the period from January 1st, 2020, to June 30th, 2020.
Here are some of the key findings from the report:
- 518 breaches were notified, which was 3% down from 532 in the previous 6 months but up 16% from 447 notifications in January-June 2019.
- Of the 518 breaches, 317 or 61% (down 7% compared to July-December 2019) were due to malicious or criminal attacks, 176 or 34% (up 7%) were due to human error, and 25 or 5% (down 7%) were due to system fault.
- The healthcare sector continued to be the highest reporting sector, comprising 115 notifications or 22% of all breaches, followed by finance with 75 notifications or 14% of all cases.
Breakdown of malicious/criminal attack breaches
Constituting 61% or 317 notifications, malicious or criminal attacks were the leading cause of data breaches in January-June 2020. These 317 breaches were caused by:
- Cyber incidents – 218 cases (225 in July-December 2019).
- Social engineering/impersonation – 50 cases (34 in July-December 2019).
- Rogue employee/insider threat – 25 cases (41 in July-December 2019).
- Theft of paperwork or data storage devices – 24 cases (40 in July-December 2019).
Notably, the number of incidents caused by social engineering/impersonation increased by 47% compared to the previous 6 months. And one in twelve malicious attacks was committed by an insider, making that attack vector a real threat in the Australian security landscape.
The three leading triggers of cyber incidents were as follows:
- Phishing (compromised credentials) – 78 notifications (36%).
- Compromised or stolen credentials (method unknown) – 55 notifications (25%).
- Ransomware – 33 notifications (15%).
The OAIC notes that ransomware attacks have substantially increased from January to June 2020. Compared to the previous six months, the occurrence of ransomware attacks increased by 150% – from 13 to 33 notifications.
The human factor appears to have been exploited in many cyber incidents as well – through phishing in particular. Accidental disclosure of confidential information – such as passwords – was another weakness exploited by malicious actors.
2020 Data Breach Statistics For The United States
US figures below are taken from reports by the Identity Theft Resource Center (ITRC). The ITRC is a non-profit organisation and a partner of the US Department of Justice that provides education and assistance to security breach victims.
As of mid-January 2021, the ITRC had published reports on the first half and Q3 of calendar 2020. The key takeaways from the January-June 2020 report are as follows:
- The ITRC catalogued 540 publicly-reported data breaches – a 33% drop from the same period in 2019.
- The number of individuals impacted in the first half of 2020 was about 163 million – 66% fewer than in the same period in 2019.
- Compromises caused by internal threat actors were at a three-year low; the ITRC surmised that this was because more people were working from home and had less access to internal systems.
- 2020 was on track to see the lowest number of data breaches and exposures since 2015, likely because hacker groups were exploiting existing data collected in previous years rather than gathering new identity information.
- However, this trend isn’t expected to be long-term – hackers will likely return to replace and refresh the identity information they hold.
Q3 2020 stats were as follows:
- There were 218 publicly-reported data compromises – versus 374 in Q3 2019.
- About 73 million individuals were impacted – roughly 5.5 times fewer than in Q3 2019.
- Data breaches through September 30, 2020, were down about 30% compared to 2019. 292 million individuals were affected – 60% less than in 2019.
- Mass data breaches of personal information declined, with threat actors shifting their focus to ransomware, phishing, and brute-force attacks against pandemic-related government benefits and company funds.
2020 Security Breach Trends In The European Union
Cybersecurity in the European Union is under the authority of the European Union Agency for Cybersecurity (ENISA). The latest ENISA Threat Landscape reports reviewed the period between January 2019 and April 2020.
Here are the key trends from the ENISA Threat Landscape – The year in review report (both in the EU and worldwide):
- Malware was the top threat in 2019-2020, followed by web-based attacks and phishing.
- The large-scale adoption of technology due to COVID-19 weakened existing cybersecurity measures.
- Looking to quickly respond to changes imposed by the pandemic, cybersecurity professionals found themselves acting at the limits of their capacities.
- While working from home, employees have used less trusted components and data channels, such as unsecured video streaming services or remote access through the public internet.
- Malicious actors adapted to the transformation of the IT landscape quickly, focusing on the personalisation of attack vectors via highly-targeted phishing attacks, advanced social engineering, and more extensive network penetration.
- Attacks on high-value data – such as state secrets or intellectual property – are being carefully planned, targeted, and executed by state-sponsored groups.
- Social and economic norms after the COVID-19 pandemic will become even more dependent on cybersecurity.
- Ransomware remains widespread, while the number of phishing victims continues to grow due to the weakness of the human factor in cybersecurity.
ENISA pointed out a new vector of development for cybercriminals – artificial intelligence (AI) and machine learning (ML). If hacker groups make AI part of their modus operandi, we may see an increase in successful attacks and undetected campaigns.
How Much Did Data Breaches Cost Businesses In 2020?
The IBM-sponsored Ponemon Institute’s Cost of a Data Breach Report 2020 gives us insight into the financial consequences of security breaches for businesses.
For 2020, very small and very large incidents were excluded from the calculation so as not to skew the cost estimate. The figure is based on how much affected businesses spent on:
- The detection and escalation of the issue.
- Notification measures.
- Post-data breach response.
- Activities that minimise lost business.
In 2020, the global average cost of a data breach was 3.86 million USD – down from 3.9 million USD in 2019. The Ponemon Institute notes that costs were lower for more mature companies and industries and much higher for organisations with weak security automation and incident response capabilities.
Note that this is only the average – the cost of a data breach significantly varies between countries. A data breach in the United States, for example, cost 8.64 million USD on average (8.19 million in 2019), while in Australia, the figure was noticeably lower than the global average – only 2.15 million USD (2.13 million in 2019).
The Most Noteworthy Security Breaches of 2020
2020 has seen many attacks, but the SolarWinds breach was perhaps the most momentous of them all – primarily because it has affected the United States federal government and a number of top-tier tech companies.
The breach was acknowledged on December 13, but it had started in March 2020, if not earlier.
Hackers, likely backed by the Russian government, exploited vulnerabilities in SolarWinds’ Orion network monitoring product to deliver malware into at least 18,000 government and private networks.
Among the government agencies impacted by the malware were the Department of State, the Pentagon, the Department of Homeland Security, and the National Nuclear Security Administration. Tech giants such as Intel, Nvidia, Cisco, VMware, Belkin, and Microsoft were affected as well. The full impact of the breach is still far from known.
Another significant attack was the Twitter bitcoin scam. In a successful spear-phishing attack, hackers gained access to internal support and account management tools. This allowed the attackers to promote a Bitcoin scam via 45 high-profile Twitter accounts, including those belonging to Barack Obama, Jeff Bezos, Mike Bloomberg, and others.
Other notable US and international attack news in 2020, according to ZDNet:
- Manor Independent School District, January 2020. A data leak caused by a phishing attack cost the school district 2.3 million USD.
- University of California San Francisco (UCSF), June 2020. UCSF paid 1.14 million USD to hackers to save COVID-19 research.
- Cisco, August 2020. The company lost 2.4 million USD fixing massive damage caused by a former engineer.
- Eight years’ jail for a botnet operator, November 2020. A Russian national who controlled a botnet that scraped web data and was used to cause more than $100m in financial damage was sentenced to eight years in prison in the US.
Business Websites That Were Compromised In 2020
HIBP (Have I Been Pwned) maintains a list of websites that have been breached during the last few years. In 2020, among some of the most notable compromised websites were:
- 123RF (stock photo website). A March 2020 data breach impacted over 8 million subscribers. Stolen data, including email, IP and physical addresses, phone numbers, and passwords stored as MD5 hashes, was put up for sale online.
- Appen (AI training data company). A June 2020 breach exposed the details of nearly 5.9 million users, including IP and physical addresses, passwords, and phone numbers. The data was put up for sale online.
- Drizly (US-based online alcohol delivery service). A July 2020 data breach exposed 2.5 million unique email addresses, physical and IP addresses, dates of birth, and passwords stored as bcrypt hashes.
- Experian South Africa (credit reporting company). An August 2020 data breach resulted in the exposure of 1.3 million customer records, including identity numbers, names, addresses, and occupations.
- Glofox (Irish gym management company). A March 2020 data breach exposed 2.3 million membership records containing phone numbers, names, dates of birth, and passwords stored as unsalted MD5 hashes.
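The difference between the Drizly record (bcrypt) and the 123RF and Glofox records (unsalted MD5) is worth making concrete. The following is an added example, not code from the original article or from any of the companies named above: it audits a constructed credential table, shows why unsalted MD5 leaks password reuse between accounts, and migrates legacy records to a salted, slow hash transparently at the user’s next login. Because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 is used here as a stand-in; the user names, passwords and record format are all invented for the example.

```python
import hashlib
import hmac
import os
import re

# Storage formats we expect to find in a legacy credential table (example format).
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_PREFIX = "pbkdf2_sha256$"


def md5_unsalted(password: str) -> str:
    """Legacy scheme: no salt, no work factor. Same password -> same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256, stdlib stand-in for bcrypt)."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def classify(stored: str) -> str:
    """Identify the storage scheme of one record, for an audit of the whole table."""
    if stored.startswith(PBKDF2_PREFIX):
        return "pbkdf2"
    if MD5_HEX.fullmatch(stored):
        return "md5-unsalted"
    return "unknown"


def shared_hashes(store: dict) -> dict:
    """Group users whose stored hash is identical. With unsalted MD5 this happens
    whenever two users chose the same password, which is what makes a leaked
    table cheap to attack in bulk; a salted scheme never produces such groups."""
    groups = {}
    for user, stored in store.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def verify_and_migrate(store: dict, user: str, password: str) -> bool:
    """Check a login. If it succeeds against a legacy MD5 record, rehash the
    password with PBKDF2 in place so the weak record disappears over time."""
    stored = store.get(user)
    if stored is None:
        return False
    scheme = classify(stored)
    if scheme == "pbkdf2":
        return pbkdf2_verify(password, stored)
    if scheme == "md5-unsalted":
        if hmac.compare_digest(md5_unsalted(password), stored):
            store[user] = pbkdf2_hash(password)   # transparent upgrade on success
            return True
        return False
    return False          # unknown format: fail closed rather than guess


def build_sample_store() -> dict:
    """Constructed sample table: two legacy users who happen to share a password,
    one legacy user with a different one, and one already-migrated user."""
    return {
        "alice": md5_unsalted("Winter2020!"),
        "bob":   md5_unsalted("Winter2020!"),
        "carol": md5_unsalted("correct horse battery staple"),
        "dave":  pbkdf2_hash("Winter2020!"),   # salted: no collision with alice/bob
    }


if __name__ == "__main__":
    store = build_sample_store()
    print("schemes:", {u: classify(h) for u, h in store.items()})
    print("shared hashes:", shared_hashes(store))
    print("alice login:", verify_and_migrate(store, "alice", "Winter2020!"))
    print("alice now stored as:", classify(store["alice"]))
```

Running the audit on a real table would be done once, offline, to size the migration; the login-time rehash then retires legacy records without ever needing the plaintext passwords up front. Note that dave’s record does not match alice’s even though their passwords are the same, which is the whole point of a per-record salt.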
Ransomware became more threatening than ever in 2020
Ransomware was a particularly ferocious threat in 2020, perhaps becoming more dangerous and impactful than ever. Here are some key insights into the state of ransomware in 2020 according to Security Intelligence and Infosecurity Magazine:
- Ransom demands are increasing exponentially, in some cases reaching and exceeding 40 million USD.
- Sodinokibi (aka REvil) accounted for roughly one in three ransomware incidents in 2020. Together with Ryuk and Maze, Sodinokibi was one of the three most active ransomware families of the year. Maze and REvil follow the RaaS (ransomware-as-a-service) model, in which the malware is distributed by affiliates; Ryuk, by contrast, is used in targeted attacks on large organisations.
- Attackers became quite fond of schools and universities, which was most likely because many classes were shifted online due to the pandemic.
- Ransomware was particularly focused on manufacturing companies (nearly 25% of all incidents), the professional services sector (17%), and government organisations (13%). This suggests that attackers are targeting organisations with a low tolerance for downtime.
- Hacker groups started putting more emphasis on data exfiltration, where sensitive data is stolen from the organisation before encryption. Unless a ransom is paid, hackers threaten to publicly release the stolen data.
Dozens Of Executives Compromised Through Phishing
Executive phishing, also known as whaling, is a rare phenomenon, but it can be devastating to an enterprise when it occurs. Spear-phishing techniques aimed at senior executives are becoming ever more sophisticated and effective, and 2020 marked another fruitful year for hackers.
In 2020, Group-IB, a cybersecurity company based in Singapore, identified successful phishing attacks against 156 companies worldwide – primarily (about 50% of cases) financial services companies. Dubbed PerSwaysion due to the extensive abuse of Microsoft Sway, the phishing campaign has been active since at least mid-2019.
In early 2020, The Guardian also revealed that Amazon founder and CEO Jeff Bezos’s phone had been hacked via a malicious file sent through WhatsApp from the account of Mohammed bin Salman, the crown prince of Saudi Arabia. The hack had occurred in 2018, but details became available much later.
The hack resulted in a large amount of data being exfiltrated from Bezos’ phone. Not much else is known about the incident, but one thing is certain – executives are at no less risk of being compromised than any other employee. In fact, spear-phishing attacks aimed at executives can be more dangerous because they are targeted and prepared very meticulously.
How about you? Did you learn more about your own cybersecurity in 2020?
One of our peers, USWired, has published a short quiz on cybersecurity learnings from 2020. It’s a useful refresher on how to keep safe. You can find it here: https://www.uswired.com/2021/01/quiz-what-has-2020-taught-you-about-cybersecurity/
The last word: 2020 Was Just Another Year, Albeit an Abnormal One
Despite the new trends, 2020 was just another year. Attackers sought financial gain, whereas defenders like Computer One employed their toolsets to crack down on illicit activities. All in all, the status quo was maintained, though organisations certainly need to continue adapting to ongoing trends.