Aman Johal, Lawyer and Director of Your Lawyers, looks back at the most significant data breaches of 2020 and their fallout.
The cyber landscape in 2020
The past year has profoundly accelerated the growth in digital dependence. Recurring lockdowns have pushed employees to work from home, students to learn online, and consumers to turn to eCommerce.
Global internet bandwidth surged 35%, the largest one-year increase since 2013, and with this online migration came a corresponding increase in cyber threats. Cyberattacks have increased by 400% since the beginning of the pandemic, and the National Cyber Security Centre (NCSC) revealed that 25% of all cyberattacks in 2020 were linked to the pandemic.
The threat has reached a critical level, with the NCSC launching its Cyber Aware campaign to inform businesses and consumers about cybersecurity risks and how to prepare for cyberattacks should they occur.
One cyberattack can create a domino effect of risks for victims. Stolen personal information can be used by hackers in a number of ways, including to access bank accounts, open new accounts and take out loans in the victims’ names. They could also make fraudulent purchases, transfer money from compromised accounts, or use the data to contact victims and dupe them into handing over access to accounts or money directly.
Some of the most significant breaches of the year
In mid-January, it was revealed that Marriott International had experienced its second substantial data breach, just two years after the huge previous one was revealed. The incident is understood to have affected 5.2 million guests when hackers procured the login credentials of two staff members and used the credentials to access guest details, including names, dates of birth, phone numbers, and loyalty account numbers.
easyJet suffered a monumental data breach that was revealed in the springtime. In what was described as a “highly sophisticated cyber-attack”, the personal details of some 9 million customers were exposed, with the card details of 2,208 individuals reportedly compromised. Affected individuals were notified in May.
Following the video platform Zoom's surge in popularity as the world entered lockdown, its users also experienced cyberattacks. It is understood that some 500,000 compromised passwords were put up for sale on the dark web at a time when the app had reached 300 million active monthly users. Hackers were able to carry out the cyberattacks by collecting databases of usernames and passwords from crime forums, which themselves had been obtained in data breaches reportedly dating back to 2013. It was not a case of information being stolen from Zoom databases directly, but a case of data harvested from other breaches being used to target Zoom users.
The targeting of Zoom users is a stark reminder of the long-term repercussions of cyber theft, and why it is important to avoid using the same login credentials across multiple platforms, to employ strong passwords, and to respond to data breaches proactively.
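The attack pattern described above, in which username and password pairs harvested from older breaches are replayed against a different service, leaves a recognisable trace in authentication logs: one source attempting many distinct accounts in a short window, with most attempts failing and a few succeeding. The Python example below is added here and is not from the original article or from Zoom; the log format and sample events are constructed, and the thresholds are assumptions a defender would tune to their own traffic. It flags such sources and lists the accounts that were successfully accessed during the run, which are the ones that need a forced password reset.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: int          # epoch seconds
    src_ip: str
    username: str
    success: bool


def parse_log(lines):
    """Parse constructed log lines of the form '<ts> <ip> <username> <SUCCESS|FAIL>'."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, user, outcome = parts
        events.append(LoginEvent(int(ts), ip, user, outcome == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window_s=300, min_accounts=8, max_success_ratio=0.25):
    """Return {src_ip: summary} for sources that try many distinct accounts
    within window_s seconds with a success ratio at or below max_success_ratio.
    Threshold values are assumptions for illustration, not recommended settings."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window so that evs[start:end+1] spans at most window_s seconds
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.username for e in chunk}
            if len(users) < min_accounts:
                continue
            successes = sum(e.success for e in chunk)
            ratio = successes / len(chunk)
            if ratio <= max_success_ratio:
                prev = alerts.get(ip)
                # keep the widest window seen for this source
                if prev is None or len(users) > prev["distinct_accounts"]:
                    alerts[ip] = {
                        "distinct_accounts": len(users),
                        "attempts": len(chunk),
                        "success_ratio": round(ratio, 3),
                        # accounts that were actually accessed: reset these first
                        "compromised": sorted(e.username for e in chunk if e.success),
                    }
    return alerts


# Constructed sample log: one legitimate user who mistypes once, and one
# source replaying twelve different accounts in under a minute.
SAMPLE_LOG = [
    "1000 198.51.100.7 alice FAIL",
    "1012 198.51.100.7 alice SUCCESS",
] + [
    f"{2000 + i * 5} 203.0.113.5 user{i:02d} {'SUCCESS' if i in (3, 9) else 'FAIL'}"
    for i in range(12)
]


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The success ratio matters as much as the volume: a legitimate user who mistypes a password produces failures against one account, whereas a stuffing run produces failures across many accounts with a handful of hits. Those hits are the real signal for the response team, since they identify the customers whose reused credentials have just been confirmed valid.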
More recently, Google suffered a significant cyberattack in December. It is an impressive feat to be able to hack Google, and the quantity of data which may have been compromised remains unknown at this time. Specialists believe that it is highly likely that a State actor is behind the attack. With increasingly sophisticated attacks and increasingly high stakes, it is clear that 2021 needs to be a turning point with regard to cybersecurity.
A complacency crisis?
The frequency of data breaches, exemplified above, suggests the advent of corporate “breach fatigue”, where leadership understands the cybersecurity risks at hand but passively accepts that an incident is inevitable. Marriott, having now suffered two serious data breaches, perhaps highlights this apparent nonchalance.
However, an activist watchdog may encourage companies to step up to their duties of data protection. The ICO has faced criticism over its dispensing of fines, as exemplified by Marriott’s 2018 incident, for which it was fined just £18.4 million instead of the original intention of a £99 million fine. The British Airways fine is another case in point: they were issued with a £20 million fine in October instead of the original intention to fine in the sum of £183 million. Both represent significant reductions, and the concern is that these huge climb-downs could prevent fines from having the dissuasive effect that they are designed to produce.
Beyond the fines, organisations that breach the GDPR may also face significant compensation pay-outs. BA alone could be facing pay-outs that total up to £3 billion on the basis of a £6,000 average claim for each of the circa 500,000 victims.
Data breach compensation amounts should reflect the significant impact on victims, and can account for financial, emotional and psychological damage. Action Fraud, the UK’s National Fraud and Cybercrime Reporting Centre, reported that cyber scams in 2020 resulted in losses of £16.6 million during the first lockdown alone. It is important for all interest groups that the serious cybersecurity lapses of 2020 are not replicated in the future.
A look towards 2021
Public confidence in cyber resilience needs to be improved after 2020 proved to be yet another year of significant data breaches. It is critical that businesses and consumers focus on high standards of cybersecurity over the course of the year to come.