Now that the figures are in by any standard 2020 was a dismal year for cyber protection.  Twenty billion personal information records were exposed online, lost or hacked.  The number is so big it’s near impossible to visualise. We can picture a 100,000 football fans cramming into a stadium, 30,000 people competing in a marathon and even what $1 million stacked on a table might look like. But what does 20 billion of anything look like? Compared to the 12 billion records exposed in 2019 it represents a whopping 66 per cent increase, according to Scirge, the company that put the figures together

What’s going on?

We’ve become so used to large scale data loss we have almost become inured to figures like these. But if we break the 2020 figures down a bit they become easier to digest, as well as revealing the apparently parlous condition of cyber security.
  • In the first quarter of 2020 the Dutch government lost a hard drive containing 6.9 million confidential citizen data records.
  • The UK government exposed 28 million children's data to betting companies.
  • Microsoft exposed 250 million customer support records including customers' geographic data, IP addresses, and other private information.
  • Zoom lost 500,000 passwords just as the world shifted towards home working.
  • Budget airline EasyJet lost 9 million customer records. It didn’t notify customers until April and May 2020. Emails and travel information were amongst the information that was breached, and over 2,000 customers had their credit and debit card details accessed.
  • BlueKai, owned by Oracle, leaked over two billion web tracking data records by storing it on an unsecured server.
  • 300,000 Spotify users fell victim to account takeover attempts after their credentials were made public.
  • A months-long global cyber-espionage campaign, known as the Solar Winds hack, potentially exposed 300,000 global customers, including more than 425 of Fortune 500 companies, the top 10 global telco companies, government and military and the world’s top five accounting firms.
And this isn’t to mention well-known organisations such as Estee Lauder, Marriott, Nintendo, Virgin Media, GoDaddy and the United Nations who were all involved in large-scale breaches.

Even tech outfits slip up

One of the striking things about these breaches is that some of the most noteworthy breaches were blue chip tech companies such as Microsoft and Oracle’s BlueKai.

This clearly reveals that despite the most sophisticated cyber defences, data can be exploited because of the simplest of errors or oversights. BlueKai, for instance, was storing data on an unsecured server.
  • The most common cause behind data breaches is the leak/loss of some type of authentication measure such as a username, password, or a server or application that isn’t password protected.
  • Sometimes malware, such as banking Trojans, also infiltrates a computer or network and harvests personal sensitive data. Or a hacker uses malware as a means to get into a network, identify structural vulnerabilities and data targets and then siphon off information.
One of the most cunning malware examples from the list above is the SolarWinds attack. The attackers compromised one piece of security software, a security tool called Orion developed by SolarWinds, enabling them to gain access to an extraordinary array of potential targets including many sensitive government systems. The attack is believed to be state sponsored.

Is anything safe?

Given the gigantic scale of data mishaps it’s a fair question to ask whether any personal data is safe.  At BullGuard we always urge people lock down security on their own devices and home networks with antimalware software and a VPN.

These are fundamental steps in home cyber protection and to guard against personal data being exposed in attacks, such as those listed above, we are also enthusiastic advocates of identity protection to warn users if payment card and bank account information is being traded on the dark web.

It’s also important to have strong passwords, use different passwords for different online service and to make use of two factor authentication.
  • If you use the same password for different web sites and services you’re making it easy for attackers.  If a web site, online service or company is compromised and your ID credentials are exposed attackers can gain access to your personal accounts using techniques like credential stuffing or password spraying.
Of course it’s near impossible to remember strong complex passwords for each service or website you use.  As such passwords managers are useful tools.  They create complex passwords and automatically apply them when you’re accessing your accounts. They are a type of digital strongbox and you only need to apply a master password to open it.

There’s very little you can do when your data is exposed by other organisations and its clear from the list above the current condition of cyber security awareness leaves a lot to be desired. However, by taking the few simple steps as outlined above you can create a strong defensive moat in your personal life which can militate against the sloppy mishaps and practises of other organisations.