What risk managers can learn from the biggest cyber attacks of 2019

Cyber threats have been rapidly rising up the corporate agenda, and every year attacks and fines clearly show why companies need to take the risks associated with technology more seriously.

In fact, research released earlier this year from Hiscox found that 61 per cent of public and private sector organisations in the US, UK, Belgium, France, Germany, Spain and the Netherlands have suffered one or more cyber attacks in the past year. Even worse, large firms suffered losses of £551,000 compared with £128,000 a year ago.

Another study, this time carried out by GTT Security found that finance has been the most attacked industry in six of the past seven years, accounting for 17 percent of all attacks, and manufacturing remains one of the most highly targeted industry sectors.

In the UK, manufacturing comes second only to the technology sector with 20 per cent of all attacks. What’s more, half of all attacks on manufacturing come from three attack sources – China (27 per cent), the US (16 per cent) and Russia (6 percent).

Here’s a roundup of some of the biggest breaches in 2019, and more importantly, what risk managers can learn from them.

The Cathay Pacific breach

What happened?

While Cathay Pacific was actually breached in 2018, the full extent of the damage - and repercussions - wasn’t fully known until June this year.

The airline suffered one of the biggest data breaches in history when the personal data of 9.4 million passengers was compromised.

Attacks affected four systems, the customer loyalty programme, a shared back-end database for web-based applications, a reporting tool that extracted and compiled data from other databases, and an Asia Miles loyalty scheme database.

Lessons for risk managers

Mark Parsons, Mark Lin and Byron Phillips from Hogan Lovells in Hong Kong said: ”The enforcement notice raises key practical compliance points for those assessing and managing data security risk:

• an organisation’s failure to have completed a data inventory could amount to a breach of the PDPO;
• multi-factor authentication may now be a requirement under the PDPO for remote access to personal data by company employees; and
• PDPO compliance may require organisations to take appropriate professional advice on information security matters and ensure that best practices are being followed.

”Further, because of the scale of the Cathay Pacific data breach, as well as the lapse of time between discovery and reporting, there is speculation that Hong Kong may introduce a mandatory data breach notification obligation to the PDPO.

“Comprehensive mandatory data breach notification obligations already exist in Australia, the Philippines, Taiwan and South Korea, with Singapore likely to adopt this soon. The PCPD encourages breach notification, but as in China and Japan, this remains a recommended best practice rather than a mandatory requirement.”

The Marriott Hotels breach

What happened?

Again, this breach actually occurred in the last couple of weeks of 2018, but the issues were still ongoing well into 2019.

The hotel chain was hit by a significant cyber hack, affecting 500,000 customers, who had sensitive data stolen, including names, addresses, dates of birth and passport numbers.

Marriott – which runs around 6,000 hotels in 127 countries – raised concerns that credit card details might have been exposed too.

Lessons for risk managers

One key lesson for businesses that came out of the Marriott breach is the importance of reacting quickly and having thorough monitoring in place. The four year gap between when the attack happened and when it was spotted was deemed unacceptable by many risk experts.

James Pothecary, special risks co-ordinator at risk management service provider, Healix International, said: “Despite unauthorised users accessing the guest reservation database of its Starwood subsidiary since 2014, the company only became aware of the breach in September last year.

“A time lag of four years between incident and detection demonstrates that even major multinational companies lack the sophisticated cyber-security systems required to mitigate the threat posed by hackers.”

Another key learning was the importance of authorising staff access to systems in a secure way and making sure that software updates are deployed throughout a business including subsidiary and acquired companies.

Businesses need to ensure that every device is protected, whether that’s company-issued laptops or personal phones that staff use to access work emails.

Capitol One data breach

The personal details of approximately 106 million individuals across the US and Canada were stolen in a hack targeting financial services firm Capital One.

Capital One said the data included names, addresses and phone numbers of people who applied for its products, but maintained that the hacker did not gain access to credit card account numbers.

The data breach is believed to be one of the largest in banking history.

The hacker was reportedly caught after boasting about causing the breach on social media and in online forums. Capital One said she was able to “exploit” a “configuration vulnerability” in the company’s infrastructure.

Lessons for risk managers

One of the big lessons to come out of the Capital One breach is that as well as regulatory fines, companies that face breaches can also be faced with class action suits.

In Connecticut there is already a class action lawsuit (Kevin Zosiak et al. vs. Capital One Financial Corp.) that has been brought against the Virginia-based card provider and in New York State, the State Attorney General has already promised an investigation into the case, which could lead to further legal action, reports CPOMagazine.com.

Paul Martini, co-founder and CEO of Iboss told CPO Magazine: “Hackers are more sophisticated and targeted with their attacks than ever before, resulting in massive vulnerabilities for even the world’s largest organisations. These threats are made worse by the distributed nature of today’s workforce with employees using their own devices and constantly accessing cloud-based applications.

”Consumers and companies alike need to recognize the current threats to their personal information and implement the necessary barriers to protect themselves against the variety of attacks being waged.

”It will be interesting to learn about the length of time it took for Capital One to detect and respond to the attack. These two components are critical in minimising the severity of attacks as well as preventing future data breaches and while Capital One is armed with the resources to respond quickly, other organisations who aren’t in the same position will struggle.”

The attack also highlighted the significant risks of storing information in the cloud if it is not properly protected. An issue that many  businesses are currently grappling with.