There are valuable lessons to be learned from the cybersecurity stories of a challenging year.
In June, we compiled the biggest data breach stories from the first half of 2020, and now we’re wrapping up the year with a rundown of recent data breaches.
Many of the stories on this list feature familiar culprits: human error, compromised credentials, and determined hackers. Other stories are uniquely 2020 — they reflect a year that has created a host of cybersecurity challenges. This year, businesses had to adapt to an already fraught threat landscape that was made even more dangerous by world events. (For example, one study reported that 40% of all Coronavirus-related emails are malicious in nature.)
Despite the challenges, many of the stories here showcase companies stepping up to make amends in the wake of a breach and limiting the damage with smart data management policies. Each of them offers a lesson to businesses on how to defend against breaches — and how to respond to them when they occur.
1. SolarWinds Attack Devastates U.S. Government and Corporations
December saw one of the worst breach stories in history. Hackers who are widely believed to be affiliated with the Russian government breached some of the most highly guarded networks in the American government, including the Departments of Defense and Treasury. According to NPR, 18,000 public and private networks were breached, and the breach extended to Microsoft’s source code.
The attack seems to have been designed to observe and gather intelligence rather than commit sabotage, but the damage is still severe, and the extent of it is not fully known.
How the breach happened
This massive hack was executed through malicious code inserted into widely used SolarWinds software.
As Columbia University professor Jason Healey explained to Vox, “The Russians, knowing they would struggle mightily to get into hard targets — the U.S. government and also members of the Fortune 500 — instead found that they all used the same software for network management, made by a company called SolarWinds.”
This malware may have started circulating in March, so hackers had months to explore the infiltrated networks before being detected.
What data was compromised
At this juncture, it seems the hackers accessed the non-classified systems of multiple departments of the U.S. government, including the Energy Department’s nuclear arsenal.
However, more departments and companies are continuing to come forward to reveal the scope of the breach. On January 6, the Department of Justice revealed that the attackers seized its Office 365 system and accessed some email accounts.
To quote Healey’s Vox interview again, “With the access that Putin had with the SolarWind software — and then, oh, my god, it’s even worse if they got into Microsoft — imagine the damage that Russia could do if it switched from espionage to disruption.”
The lesson for businesses
Today, our public and private sectors operate on an intricately connected web of software from different suppliers. This model, with its myriad moving parts, has the potential to make us more resilient because our systems aren’t monoliths. But, as this attack illustrates, this approach also means that every software update to every backend system can be a potential gateway for hackers.
The lesson here isn’t to wall off your networks and “trust no one,” but rather to never take a third-party solution provider’s security for granted. Conduct rigorous, ongoing security audits of your systems to be sure there’s not a nasty surprise hiding there.
2. Garmin Pays Millions in Ransomware Attack
On July 23, Garmin, makers of smart wearables, GPS devices, and aviation technology, suffered an attack that brought down its website and some of its services.
In August, Sky News broke the story of what had happened: Garmin was locked out of its own systems by ransomware and paid the attackers millions of dollars for the decryption key. According to Sky News’ report, the attack was believed to have come from Evil Corp, a Russia-based crime syndicate currently under U.S. sanctions.
The first cybersecurity firm Garmin approached about paying the ransom refused due to the sanctions. Garmin then went to another firm, Arete I.R., which agreed to handle the payment. (Arete I.R. maintains that Evil Corp may not be responsible for the ransomware.)