In the first two parts of the 2021 overview, we discussed the context in which sophisticated attacks emerged, the industries that were severely affected, and the cost of fraud. What have all of these taught us? That every one of these incidents came with a high price to pay. In this third part of the article, we delve further into some of the most notable organizations in Europe affected by security issues, look at the GDPR fines mandated by the authorities, see how certain businesses faced both the cause and the effect of their particular attack and, lastly, consider what can be done better.
When the fraudster’s gambit pays off
In December 2021, Germany-based T-Mobile announced it had suffered yet another cyberattack, following a massive data breach in August that exposed almost 50 million customers’ social security numbers, names and dates of birth. According to the documents shared in The T-Mo Report, customers affected by the second attack faced various scenarios: they either fell victim to a SIM swapping attack, had personal plan information exposed, or both. The exposed data allegedly comprised customers’ billing account name, phone and account number, or the lines attached to their account.
Exploiting a technical vulnerability is one of the most dangerous actions a cyberattacker can take. Bypassing the application’s security mechanisms is the first step in a data breach chain, and the goal is to make a web application operate in an unintended way. We address this threat with a full 360 Security solution that constantly monitors our clients’ application security posture.
The energy sector in Italy was struck as well. Renewable energy group ERG was reportedly hacked, which left the company with “only a few minor disruptions” to its information and communications technology (ICT) infrastructure. According to La Repubblica, the LockBit 2.0 ransomware group coordinated the attack. The gang began its operations in September 2019 and launched the LockBit 2.0 Ransomware-as-a-Service in June 2021.
In France, IT services firm Inetum Group was subject to a cyberattack that disrupted certain operations. According to the company’s statements, the attack did not affect its infrastructure, communication and collaboration tools, or delivery operations for its clients. Nevertheless, Inetum Group isolated all its servers and switched off its client VPNs.
In November, the wind turbine company Vestas shut down its IT systems across multiple business units and locations due to a security incident that compromised personal information such as names, contact details and CVs. In some cases, more sensitive details such as social security numbers and bank account information were also affected.
Online classified advertisement and community website Gumtree.com suffered a data leak. A security researcher confirmed that he could access the personally identifiable information (PII) of advertisers simply by pressing F12 to open the browser’s developer tools. Once the researcher inspected the HTML source code of the advertisements shown on Gumtree’s site, he could easily read the leaked sensitive data, which included registered advertisers’ full name, username, account registration date, account type, email address, postcode or GPS coordinates.
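The Gumtree case is an instance of a server serialising an entire advertiser record into the page source. As an added illustration (not Gumtree’s or Zitec’s code), the build-time check below parses every JSON blob embedded in a page’s script tags and reports any field outside an assumed allow-list of public ad fields, plus any e-mail address rendered elsewhere in the markup; the sample page and the allow-list are constructed for this example.

```python
import json
import re

# Fields a public listing page legitimately needs (assumed allow-list for this
# example). Any other scalar inside an embedded state object is reported.
PUBLIC_AD_FIELDS = {"id", "title", "price", "category", "posted_at"}

# Constructed sample page: the advertiser record is serialised into the HTML,
# the pattern behind the leak described above.
SAMPLE_PAGE = """<html><body><h1>Bike for sale</h1>
<script type="application/json" id="ad-state">{"ad": {"id": 42, "title": "Bike",
 "price": 120, "advertiser": {"username": "sam", "full_name": "Sam Example",
 "email": "sam@example.invalid", "postcode": "SW1A 1AA", "gps": {"lat": 51.5,
 "lon": -0.12}, "registration_date": "2019-03-02"}}}</script>
<script>window.analytics = 1;</script>
<div data-owner-contact="sam@example.invalid">Contact seller</div></body></html>"""

# Good enough for templates we control; use a real HTML parser on arbitrary pages.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _scalar_fields(obj, key=None, path=""):
    """Yield (dotted_path, owning_key) for every scalar value in nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _scalar_fields(v, k, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _scalar_fields(v, key, f"{path}[{i}]")
    elif key is not None:
        yield path, key

def find_pii_leaks(html, allowed=PUBLIC_AD_FIELDS):
    """Return sorted findings: non-allow-listed JSON paths inside <script>
    blobs, and e-mail addresses appearing anywhere else in the page."""
    leaks = set()
    for text in SCRIPT_RE.findall(html):
        try:
            data = json.loads(text)
        except ValueError:
            continue  # ordinary JavaScript, not a serialised state object
        leaks.update(f"json:{p}" for p, k in _scalar_fields(data) if k not in allowed)
    # PII may also be rendered straight into markup or data-* attributes.
    for addr in EMAIL_RE.findall(SCRIPT_RE.sub("", html)):
        leaks.add(f"html:email:{addr}")
    return sorted(leaks)
```

Running `find_pii_leaks(SAMPLE_PAGE)` in a CI step against rendered templates fails the build as soon as a non-public field reaches the client, which is the point at which the F12 inspection above would have succeeded.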
Companies constantly enrich their applications with new features, frameworks and third-party components, any of which may carry 0-day security vulnerabilities, so room is left even for the tiniest flaw. Our Software Composition Analysis, part of the 360 Security solution mentioned above, scans the application’s source code base and generates an inventory of the open-source components that contain security vulnerabilities. Our clients are thus provided with details of the existing vulnerabilities together with fixing recommendations.
The aftermath: GDPR fees
The plethora of internal company data stolen and the multitude of attacks in 2021 call for more vigilance, protection measures and strategic consideration. It is concerning that attacks targeting a business’ security hygiene or the software it runs on affect more and more companies nowadays. This is why authorities across Europe did not catch a break from watching for infringements of the General Data Protection Regulation (GDPR). As a result, fines for violations of the EU’s landmark privacy law soared, totaling USD 1.25 billion since 28 January. This is a record, compared with the USD 180 million in fines imposed in 2020.
Big Tech companies received the largest penalties of 2021. Regulators in Ireland imposed a EUR 225 million penalty on Meta’s WhatsApp, finding that the messaging service had failed to properly explain its data processing practices in its privacy notice. Luxembourg’s privacy watchdog, the National Commission for Data Protection, fined Amazon EUR 746 million (USD 850 million) because the online retailer’s targeted advertising failed to comply with the bloc’s GDPR. This penalty is the highest GDPR fine to date, surpassing the total of all GDPR fines since 2018.
The German online electronics retailer notebooksbilliger.de violated the GDPR rules and received a significant fine of EUR 10.4 million. The company had kept its employees under video surveillance for over two years without any legal basis, recording workplaces, sales rooms, warehouses and common areas.
The Austrian Post received the largest GDPR fine in Austria’s history: a sanction of EUR 9.5 million for failing to allow people to make inquiries about their stored personal data via email.
When it comes to sensitive data stored online, cyberattackers will not hesitate to breach the defenses to get hold of it. To avoid becoming such a victim and consequently paying expensive fines, we recommend using tools like our Secrets Detection, which reveals and keeps track of any keys, hard-coded passwords, API tokens or other sensitive material in the application source code at build time. In addition, our Container Scanning tool provides automated vulnerability scanning for containers and their components, spotting security threats and mitigating risks.
In Spain, the AEPD (Agencia Española de Protección de Datos, the Data Protection Authority) imposed fines totaling EUR 8.15 million on Vodafone España. The amount comprises four separate fines for activities including telephone marketing and prospecting, and electronic communications infringements. The AEPD did not stop there: it also fined Caixabank S.A. EUR 6 million, split into EUR 4 million for failing to provide a mechanism to collect the data subject’s consent and EUR 2 million for a lack of transparency about the legal basis behind the purposes of personal data processing.
Italy’s DPA, the Garante, imposed a EUR 4.5 million penalty on telecoms company Fastweb for unsolicited telephone marketing conducted without consent. The penalty resulted from the use of “fraudulent” telephone numbers that Fastweb had not registered with Italy’s Register of Communication Operators.
The facts and figures above show that there is no silver bullet for security. Yes, the number of fraud cases is concerning, but attackers will surely never rest in their search for new cracks and vulnerabilities, which means there should be no leisure for businesses either. It is now more important than ever, especially for those who did not previously put much emphasis on the digital space, that security is no longer neglected. The question then is: how well prepared is your company for a possible cyberattack?
Zitec experts are always up to date with state-of-the-art attacks, current cyber-related issues and, most importantly, the best security practices to prevent or detect software threats. A crisis can be a wake-up call for checking your security processes and defensive walls, but it can also be a catalyst for necessary changes. If you are concerned about your organization’s safety or have any questions related to cybersecurity, feel free to get in touch to discuss the appropriate steps.
Contact us at any time for more details!