It’s that time of year again where the true holiday spirit is embodied by the checkout line up and everyone likes to put together some sort of summation Top 10 list. While we are far from the exception, we thought we’d take a “naughty/nice” approach to our list, in the spirit of the elf-stained, chubby, white-bearded guy himself.

The Naughty - Top Cyber Security Breaches of 2019

Data breaches continue to dominate the headlines and with these startling numbers, it’s no surprise. According to Norton, to date there have been 3,800 reported breaches in 2019 which exposed an estimated 4.1 billion records, an increase of 54% over 2018.

Here are some of the most startling breaches, in no particular order.

Considered one of the largest breaches in history, 106 million records containing customer credit card application information such as names, addresses, email addresses, self-reported income, credit scores and limits and bank balances were exposed by Paige Thompson. She exploited a misconfigured web application firewall to mine the data, costing Capital One an estimated $100-150 million USD after customer notification, providing free credit monitoring for its customers and legal action defense.

100 million records were breached including customers’ names, email addresses, passwords and IP address when an unauthorized party got into an inactive data storage file that held sensitive information on Evite’s users dating from 2013 and earlier. Surprisingly, Evite claims that its customers financial and payment data was not affected, as Evite doesn’t store this information. No financial losses were reported.

Canva, a design website, experienced a security breach in which data of roughly 139 million users was exfiltrated. The exposed data included real names, usernames, addresses and geographical information, as well as password hashes for some users.

This suprema-based security platform had 28 million records breached, affecting thousands of companies who use the service and over 1 million people across the globe. Vpnmentor researchers discovered an unecrypted database that contained fingerprint data, facial recognition data, face photos of users, plain text usernames and passwords, logs of facility access, security levels and clearance and even personal details of staff.

An app-based food-delivery service, DoorDash revealed an unauthorized third party breach that potentially affected 4.9 million people. User and driver account information such as names, email addresses, delivery addresses, phone numbers, and the last four digits of payment cards and bank accounts were exposed.

According to the Financial Times, Israel’s NSO group installed surveillance technology on the phones of WhatsApp users who answered their phones through the app, which they of course denied. While WhatsApp has over 1.5 billion users, it is still unclear as to how many were actually affected.

Google Project Zero researchers discovered malicious websites that were used to infiltrate iPhones, making every iPhone potentially vulnerable to exposing passwords, messages and location data. Apple has been very tight-lipped about the potential breach numbers, stating that the problem was patched within 10 days of its discovery.

Working with the US Department of Transportation, the National Institutes of Health and, yikes, the US Department of Homeland Security, Miracle Systems was hacked and several of its systems were put up for sale on the Dark Web. As reported by the Business Insider, Miracle Systems was hit by the malware strain known as Emotet which is typically distributed through email attachments.

Hackers allegedly broke into Microsoft’s Visual Studio and seeded backdoors into at least three video game companies that use the tool. Wired reported that the group responsible is likely the Chinese hacker collective known as Barium and as many as 92,000 computers were running malicious versions of the affected video games. The attack is known as a supply chain hack, where hackers seed malicious code into a company’s software that is in turn distributed to clients. This is a questionable attack, as the evidence leans more to third-party sites being infected as opposed to Microsoft itself.

Users of this massively popular online game were hit with a ransomware attack that encrypted files on the users’ computers and demanded payment for them to be unlocked. It was obtained by players downloading third-party software to gain an unfair advantage over other players, prompting Fortnite to respond, “Don’t download third-party applications to cheat.” Pretty solid advice across the board.

The Nice - Top Cyber Security Innovations of 2019

As quickly as hackers and malicious actors are coming up with ways to illegally obtain data, cyber warriors are coming up with ways to shore up systems and better protect sensitive data. Here are some of the top innovations that happened in 2019 and will happen in 2020.

GDPR and Tightening Regulations - while GDPR (and other regulatory laws coming into play) has not halted cyber criminal activity per se, its strict regulations, compliance and transparency laws has not only raised public awareness, but has forced companies to take a harder stance on data protection and their overall security architecture to avoid the hefty fines for non-compliance.

Deep Learning Evolution - Deep learning encompasses a number of technologies, most notably artificial intelligence and machine learning. It focuses on anomalous behavior by looking at entities as opposed to users. Recent developments in machine-learning models now enable us to look at the various entities that exist across the enterprise at the micro to the macro levels at line speed. The more the learning database expands, the more intuitive the DL systems get, giving us a higher recognition factor of attacks at a faster detection rate.

IoT Device Hardening - Long tarnished for their hackability ease, the tightening of security on Iot devices, starting in 2020, will require all IoT devices to be sold already set up with unique passwords. It’s a start.

Hardware for Authentication - By combining a variety of hardware-enhanced factors at the same time to validate a user’s identity, Intel has built on previous efforts to dedicate a portion of the chipset for security functions to make a device part of the authentication process. View a demo of their latest attempt here.

Improved User Behavior Analytics - Compromised accounts can be flagged in systems that employ user behavior analytics (UBA). The technology uses big data analytics to identify anomalous behavior by a user.

Emerging Data Loss Prevention Technology - A key to data loss prevention is technological improvements in areas such as encryption and tokenization. They can protect data down to field and subfield levels, potentially benefiting an enterprise in a number of ways, like foiling cyber attackers attempts to monetize data and safe data movement across an enterprise’s infrastructure. Techradar has a good article that goes deeper into the future of DLP.

Cloud Security Refinements - As cloud storage becomes the norm, more approaches to security that are built specifically in and for the cloud will appear, such as stronger virtualized security hardware, firewalls, and intrusion detection and prevention systems. Cloud providers are dedicated to start providing more robust tools for keeping cloud users’ data safe.

Of course, overall general awareness, education and good cyber hygiene - particularly with malware, phishing and ransomware attacks initiated via email - will always be the best first line of defense. The more we realize that security breaches and data compromise CAN happen to all of us, the more we can even the playing field. Or, as Bruce Schneier succinctly puts it, “Security is a process, not a product.”