2019 in review: data breaches, GDPR’s teeth, malicious apps, malvertising and more

Midyear reports showed a 54 percent increase in breaches over last year with more than 4 billion records compromised. The year is ending with news about breaches impacting customers of Macy’s and T-Mobile. Disney’s new streaming service, Disney+, wasn’t even online for a full day before hackers got in and compromised user accounts.

Data breach landscape

Despite the fact that 2019 saw an increase in breaches, there was something noticeable absent – there wasn’t one truly massive data breach. I’m talking about the Equifax, Yahoo, Marriot, TJ Maxx, and Target magnitude. For the past decade, just about every year has been punctuated by a signature data breach, one that made headline news for months and that are still talked about to this day. While 2019 might end up being the year with the most data breaches, there was no single massive data breach with lasting headline impact.

That’s not to say there weren’t major incidents. Hackers installed surveillance software on WhatsApp that had the potential to compromise more than a billion users worldwide. Fortnite users were warned they could be at risk after users were hit by ransomware. But while these incidents could have been huge, it appears that they didn’t have the type of impact the hackers might have hoped for.

It can’t be just luck. We know that the bad guys are still extremely active and aggressive, but have large organizations taken notes from these previous massive incidents and become better at protecting their large pools of data? Are they taking advantage of evolving security tools leveraging AI to detect and stop attacks before the damage is done? Are they more focused on basic security hygiene and practices, processes and training, so that if there is a breach, they are able to respond more efficiently? Something has changed in 2019 when it comes to that massive signature data breach – one that is a positive step forward.

GDPR has teeth

GDPR went into effect in May 2018. By September 2018, British Airways had disclosed its data breach had impacted 500,000 people. GDPR fines were imposed in 2019 at $230 million, or the cost of two jumbo jets for the airline.

So, yes, 2019 saw that GDPR has teeth. And this fine is chump change compared to fines expected for large tech companies; Facebook is facing fines of nearly $2 billion. Vulnerabilities were found in the Facebook code that allowed hackers to steal access tokens, affecting millions of EU users.

However, the British Airways case also brought to light one of the real worries about GDPR – third-party risk and the massive impact it can have on an organization. In the British Airways case, it was a third-party Java script service agent on the airline company’s website that became infected. Third parties have long created risk for businesses, but those risks are now amplified as more privacy regulations like CCPA and New York’s new privacy laws go into effect. A data breach caused by a failure in a vendor’s security protocols will cost you, something that British Airways has proved.

Increasing scrutiny of the mobile ecosystem

The Apple App Store has earned its reputation for its strict vetting system, but the system isn’t foolproof. Earlier this year, a reported 18 malicious apps managed to bypass Apple’s vetting, a situation that shows the need for increased scrutiny of the mobile ecosystem.

This is the year that, even if the risks have long been there, we are finally taking notice that apps regularly compromise our security and privacy. Take the Chinese app TikTok as an example. The app shares short video clips and is the most downloaded app globally. It is also under investigation for national security and data privacy violations, raising the question if the Chinese government has compromised every millennial who has used the app.

The increased awareness of the security problems surrounding apps will hopefully lead to better vetting before they are offered in the marketplace come 2020.

Next wave of fake ads during the elections

The next elections are just shy of a year away, but election season has already been in full swing in 2019. And so are the fake ads. It’s not just ads that are sharing false information to voters, but there are election ads with malicious payloads delivering malware. Malvertising is something we can expect to see grow in 2020 as election fever ramps up.

It all goes back to phishing

Phishing still remains the biggest attack vector, whether it comes via email or through social media. Hackers continue to create information that will get people to click on a link or open an attachment or watch a video. Hackers are taking the data harvested on their victims and weaponizing it to create tailored, customized phishing attacks with the goal of financial gain.

Hackers continue to return to phishing attacks because they work. But we can expect they will also look to new attack vectors, like mobile apps we once thought safe, to gather data. While the lack of a massive attack may show we are getting better with our defenses, the new privacy regulations show that there is still a lot of room for improvement. These are just some of the trends from 2019. What can we expect in 2020?