For hackers, e-mail is one of the main gateways to compromising their victims’ IT system. E-mail is by far the most-used method for communication in business – in 2018, worldwide over 280 billion e-mails were sent and received daily.
Undertaking an objective and scaled assessment of IT security and data breaches is not an easy endeavour. What factors play the biggest role? Is the amount of hacked data (or of affected users) to be deemed more important than the value of the data? Or is the financial damage that was caused by the attack a more important criterion than the ramifications that result from facilities whose IT systems were crashed?
Here, we list our top 3 data and security breaches of 2018; cases that best illustrated the most common problems and most clearly showed the grave consequences that can result from flaws in IT security.
Top 3 data and security breaches of 2018
Number 3: Fürstenfeldbruck Hospital
In November 2018, a virus crashed the entire IT system of Fürstenfeldbruck hospital in Germany for several days. During that time, approximately 450 computers could not be used, and it was no longer possible to contact the hospital via telephone or e-mail. Patients could only be admitted to a limited extent, and patient data had to be recorded with pen and paper. Employees had to take care of tasks manually that used to be routinely executed by computers – ranging from documentation of medical treatments to the patients’ menu plan. Additionally, the hospital had logged out of the rescue control centre so that only life-threatening emergencies were taken to Fürstenfeldbruck hospital. A Trojan, hidden in an e-mail attachment, was the root cause for the fact that not a single computer in the hospital could function. After the attachment had been opened, the virus was able to quickly spread throughout the network and start causing damage.
Number 2: US universities
In March of last year, the US Justice Department filed charges against nine Iranian citizens. They are alleged to have infiltrated, among other institutions, 144 universities in the United States. The attacks were conducted by spear phishing via e-mail; professors and other members of university were led to click on malicious links and tricked into entering their network credentials. The hackers attacked 100,000 user accounts overall and gained access to 3768 of them in the United States. According to the US Justice Department, the hackers stole 31 terabytes of data that contained proprietary information worth $3 billion.
Number 1: UnityPoint Health
In 2018, hackers twice successfully attacked the medical care provider UnityPoint Health. First, at the beginning of the year personal data of 16,000 patients was affected by a phishing attack. However, the second cyberattack that occurred just a short while later was significantly more serious in its outcome. Yet again, hackers managed to infiltrate UnityPoint Health’s system via e-mail. They used a targeted phishing attack, where e-mails were seemingly sent by an executive of UnityPoint Health. As a result of this infiltration, hackers had access to internal e-mail accounts from 14 March to 03 April. Data of 1.4 million patients was affected, including medical data and treatment details, lab results, and insurance information. In some cases, even financial transactions were exposed.
Is protection against cyberattacks sufficiently prioritised now?
Hackers conducted their attacks in many ways in 2018, and 2019 will certainly be no exception to this. Sometimes it was an insufficiently secured server that became easy prey for cybercriminals, other times it was an elaborate phishing attack that fooled users. What all these cases had in common is that successful cyberattacks had grave consequences for those affected and often came at a high price.
Unfortunately, it appears that the alarms set off by attacks such as “WannaCry” have not been enough to result in appropriate IT security. Early last year, for example, all 200 British NHS trusts tested for cybersecurity failed – a clear indication that, despite all efforts up to this point, there does indeed remain a lot to be done.
GDPR has been in force since May 2018, manifesting a higher sense of priority that politicians placed upon data protection. Businesses now require a security strategy for their communications, since security breaches that violate data protection can result in severe financial penalties – another incentive to act and establish meaningful protection from cyberattacks. It is therefore no longer left up to the businesses’ discretion and moral stance on data protection whether they protect their data (inventory) or not.
But what is the main gateway for cyberattacks? Where is protection most urgently needed? The overwhelming majority of malware is transferred via e-mail; according to Verizon’s 2018 Breach Investigation report, it is a staggering 92 percent. With respect to attacks via e-mail, phishing is the most effective method for hackers, now executed in a more targeted way than ever before. Therefore, an increasing number of IT security experts consider phishing e-mails the biggest security threat they are forced to find an answer to.