As 2018 draws to a close, it’s a good time to reflect on the year that was in cyber-security to learn from past mistakes and identify trends that will likely continue into the new year.
2018 saw no shortage of major breaches, new critical vulnerabilities and policy changes that enterprise IT organizations will still be grappling with in one form or another in 2019. 2018 was the year of Meltdown and Spectre, and it was the year that GDPR went into effect. It was also a year of intense security and privacy challenges for Facebook, and a year in which tens of millions of Americans had their data stolen in large data breaches.
In this year-end wrap-up, eWEEK looks back at some of the top IT security incidents of 2018.
Meltdown and Spectre
It didn’t take long for the first major IT security issue to be disclosed in 2018. The year kicked off, on Jan. 3, with speculation about a major new critical flaw in Intel chips that ended up with the disclosure of the Meltdown and Spectre CPU flaws. The initial Meltdown and Spectre issues involved three identified vulnerabilities (CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715) and impacted all modern processors, including ones from Intel, Advanced Micro Devices and ARM. The flaws abused design features used by silicon vendors, including a capability known as speculative execution, and could have potentially enabled attackers to gain access to system memory.
As it turns out, the initial Meltdown and Spectre disclosure in early January was only the tip of the iceberg, with at least seven variants disclosed over the course of 2018. The most recent Meltdown- and Spectre-related flaw is Foreshadow, which was publicly disclosed on Aug. 14. Over the course of 2018, Intel and operating system vendors alike scrambled to keep up with the flow of Meltdown and Spectre patches, leading to one of the top Linux kernel developers openly criticizing Intel’s handling of the disclosure.
“This was not good. Intel really messed up on this,” Linux kernel maintainer Kroah-Hartman said at an event in August.
It’s likely that there will still be a few more Meltdown- and Spectre-related issues that show up in 2019, and enterprises need to make sure they continue to patch.
The biggest IT security policy event of 2018 was the official launch date for the European Union’s General Data Protection Regulation (GDPR) on May 25.
GDPR provides a set of guidelines and rules for organizations doing business in the European Union that are intended to help protect user privacy and personally identifiable information (PII). GDPR also requires organizations to disclose data breaches within 72 hours and imposes harsh penalties on organizations that do not protect user data.
While GDPR is a European directive, U.S. companies raced to meet compliance as well, since many do business in the EU and the penalties for non-compliance provided additional incentive.
In 2019, U.S. companies will once again be focused on privacy issues as part of the run-up to the implementation of the California Consumer Privacy Act (CCPA), which goes into effect on Jan. 1, 2020, and introduces its own set of privacy requirements that organizations will need to consider.
2018 was also a year of large cyber-attacks launched by specific hacker groups. Among the most impactful was the Magecart effort, which was implicated in attacks against multiple payment card systems, including those operated by Ticketmaster and British Airways.
The Ticketmaster attack was disclosed on June 27 and involved a widget on the ticket seller’s website that was compromised by Magecart. British Airways reported its data breach on Sept. 7, impacting at least 380,000 customers.
The Magecart campaigns typically involved the injection of some form of card-stealing malware on supply chain systems used by the victims. It’s likely the Magecart effort will continue to be an issue into 2019 as supply chain security, particularly in the payment card industry, remains a risk.
2018 was a challenging year for Facebook’s security teams on multiple fronts. In March, the Cambridge Analytica scandal first erupted, with the disclosure that the data mining company had gained access to user information and was able to use it for different efforts including political campaigns.
In the Cambridge Analytica case, Facebook had erroneously enabled the data to be available, but that wasn’t the case with a September breach in which 30 million users were impacted. Facebook initially reported on Sept. 28 that unknown attackers had gained unauthorized access to user data tokens, enabling access to user information.
In 2019, scrutiny into Facebook’s security practices will continue, and no doubt attackers will also continue attempts to breach the social networking giant’s defenses.
There were a number of large data breach disclosures in 2018 that impacted millions of individuals. On March 29, Under Armour reported a data breach impacting 150 million user accounts. The data breach specifically involved users of Under Armour’s popular MyFitnessPal application, which provides exercise, diet and calorie counting capabilities.
On July 8, social media service Timehop disclosed that it was the victim of a data breach that impacted 21 million users. The Timehop service enables users to be reminded of past events from their social media timelines.
The largest single data breach disclosure of 2018 didn’t happen until Nov. 30, when Marriott International disclosed that information from approximately 500 million individuals was taken in a data breach of its Starwood Hotels and Resorts division.
Large data breaches were not a new phenomenon in 2018, and there is no reason to suspect that there won’t be more disclosures in 2019. Overall, the big data breaches and security incidents of 2018 serve to highlight the continued need for organizations of all sizes to remain vigilant, actively patch systems and continuously engage in threat hunting exercises to rapidly identify potential threats.
The drive toward compliance with GDPR in 2018 and CCPA in 2020 will also hopefully serve as touchstones for organizations to improve cyber-security and limit the risk of data breaches on personal information.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.