As the year draws to a close, let’s look at:
- What were some of the biggest breaches in 2024?
- What threats should you be aware of this Christmas?
- How can organisations stay safe during the festive season?
3 major data breaches from 2024
COMBs (compilations of many breaches) aside – like the MOAB (mother of all breaches) in January 2024, which leaked more than 26 billion records – let’s look at three major breaches from 2024:
1. National Public data breach
In August 2024, NPD (National Public Data) confirmed a breach that compromised sensitive information, including Social Security numbers, affecting nearly all Americans.
The breach was linked to unauthorised access attempts in December 2023 and potential data leaks in April and summer 2024.
Personal data of up to 2.9 billion individuals was reportedly posted on the dark web for $3.5 million (about £2.8 million).
2. Ticketmaster data breach
In May 2024, Ticketmaster, a subsidiary of Live Nation, experienced a significant data breach, apparently affecting 560 million users.
The threat actor ShinyHunters claimed responsibility, offering 1.3 TB of customer data, including personal data and credit card details, for sale on the dark web.
3. Internet Archive data breach
In October 2024, the Internet Archive, including its Wayback Machine, suffered a cyber attack that exposed data of potentially 31 million users.
The breach involved a malicious JavaScript pop-up that directed users to check compromised email addresses and passwords.
Exposed data included email addresses, usernames and bcrypt password hashes.
3 threats organisations face during the holiday season
1. Ransomware attacks
During the holiday period, cyber criminals know that many organisations have fewer staff available, and potentially more lax security. This can lead to increased ransomware incidents, as illustrated by last year’s holiday season.
Today’s ransomware doesn’t just encrypt data – it often exfiltrates data, too.
Threat actors exploit a range of vulnerabilities for this, including:
- Weak passwords;
- Unpatched systems;
- Zero-day vulnerabilities; and
- Insecure remote access solutions.
2. DoS (denial-of-service) attacks
Retailers and e-commerce platforms are particularly vulnerable to DoS attacks during peak shopping times, aiming to disrupt services and cause financial losses.
A DoS attack involves a cyber attacker flooding your servers with requests such that they can’t cope. That can result in your website, emails and other services going down, depending on the server targeted.
Platforms may also be targeted by a DDoS (distributed denial-of-service) attack. This is a variant of a DoS attack, with the key difference that DDoS attacks involve multiple machines attacking the target.
(With a DoS attack, just one computer is attacking the server.)
Attackers may also launch a DoS attack to distract you from a different attack – ransomware, for example.
3. Phishing and social engineering
Phishing and social engineering attacks invariably rise during the holidays, targeting both consumers and employees.
Common holiday scams include:
- Fake delivery notifications;
- Fake charities requesting donations;
- Fraudulent vacation offers and rentals;
- Social media scams – impersonated brands and fake giveaways; and
- Fake shopping sites with urgent deals and too-good-to-be-true offers.
With more staff out of office, threat actors may also impersonate an employee, asking a ‘colleague’ to take action on their behalf.
Such emails often contain a sense of urgency, or try to manipulate you in another way. Don’t forget: social engineering is all about exploiting your psychology.
As our penetration tester Hilmi Tin explained in this interview, attackers take advantage of the fact we’re curious, or make clever use of fear tactics.
He also recommends simply taking ten seconds to look out for warning signs – particularly if the message is unexpected and making you feel like you need to do something.
How to protect your sensitive data
To protect your sensitive data – including personal data – make sure you’re clear on:
- What data you hold;
- Where it’s stored; and
- Who can access that data.
Tools like data inventories, data flow maps and ROPAs (records of processing activities) will help with this. Ideally, these also highlight the technical and/or organisational measures in place to process and secure that data, as required by the GDPR (General Data Protection Regulation).
Other tools like DPIAs (data protection impact assessments) also provide valuable information, making it easier to understand your data, so you can better manage your risks.
Up-to-date policies and procedures will also improve your cyber security and privacy stance, and ensure you’re ready to deal with any threats.
Finally, staff awareness training offers another valuable boost to your security.
Going the extra mile
But to find out whether your training and other measures are effective, consider launching a (simulated) real-world attack.
Our unique simulated phishing programme combines interactive staff training, simulated phishing attacks and a session with an ethical hacker to significantly improve your resilience to phishing attacks.
Following testing, employees will receive personalised feedback on their vulnerabilities, practical advice on phishing detection and a clear understanding of how to protect your organisation better.
We’ve trialled this programme with various organisations, and the results have been incredible. The live training sessions dramatically reduce the risk of phishing attacks, and end users find the interaction and ability to ask questions invaluable.