While the new year brings such hope for the months ahead, January sadly didn’t fulfil that promise, with more than 277.6 million records breached – higher than in any single month last year. Data from a breach of Twitter was the biggest culprit, with 220 million email addresses leaked by hackers. In other news, T-Mobile identified yet another hack (which actually took place back in November) affecting 37 million records; Air France and KLM both notified customers of a breach, although the extent of each is unknown; Zurich Japan was impacted by a breach affecting 750,000 records; and Oxford University took its dating platform for students and staff offline following a major breach.

Here are the other top stories you need to read:

Supply chain attacks top the predictions for 2023

Supply chain or lateral attacks are top of the predictions for the year ahead. They occur when hackers deliberately target third-party service providers, gain access, and then use that access to attack other companies. Common examples include web servers and data centres. The idea is that onward victims will be familiar with the breached brand, and therefore more trusting of its communications, enabling onward breaches. The best counter is to employ a zero-trust policy for all communications. Here’s a handy guide from the National Cyber Security Centre (NCSC).

Data Privacy Week 2023

22-28 January 2023 was Data Privacy Week, shining a light on all things online privacy. We shared a lot of great content over on our LinkedIn channels, including:

Windows 8 becomes end of life

Microsoft’s Windows 8.1 operating system reached end of life on 10 January, meaning no future security updates or patches. Many assume end of life means that the software stops working; it doesn’t, but it does become increasingly obsolete and, importantly, security patches are no longer provided, making it increasingly insecure. The Windows 8 end of life is on a par with the Windows XP end of life. Several years after XP reached end of life, thousands of PCs were still using it, making them vulnerable. Hackers exploited known vulnerabilities with the WannaCry ransomware, taking down much of the NHS computer network, which hadn’t been upgraded! Now is the time to check your network for Windows 8.1.

Warnings that Russian attacks will increase on UK infrastructure and businesses

Supporting its land-based attacks, Russia has been carrying out extensive cyber attacks with a view to disrupting opposition. As well as targeting national infrastructure, the ambition is also to disrupt daily business, with SMEs also on the hit list. The National Cyber Security Centre (NCSC) warned that these attacks are primarily likely to be “spear phishing” and is encouraging businesses to get clued up. Spear phishing involves an attacker sending malicious links, for example via email, to specific targets in order to try to encourage them to share sensitive information.

UK is trending ahead of international breach benchmarks

In a report from Check Point Research, which highlights trends in international cyber attacks from 2022, the UK was highlighted as having an above-trend increase in cyber attacks. Globally, there was a 38% increase in cyber attacks in 2022 compared with 2021, while the UK specifically saw a 77% rise. Interestingly, the nature of attacks has shifted from large-scale, targeted attacks to smaller-scale, more agile attacks aimed at as much reach as possible across networks.

FBI issued warning to pause before you click

The FBI issued a security bulletin warning users to be careful what adverts they click on. A recent increase in threat actors using advertising platforms such as Google Ads is putting user networks at risk from malicious content.

Twitter hacked, investigated, and data leaked

January was a bad month for popular social media platform Twitter, which saw a hacker demand a ransom not to reveal more than 400 million records that they had stolen, releasing an initial sample as proof. From there, Ireland’s Data Protection Commission (DPC) launched an investigation into the data privacy compliance of the platform, citing concerns over security. Twitter made no comment on the claim, and presumably refused to negotiate, resulting in the hacker subsequently selling 220 million user email addresses.

JD Sports hack possibly breaches 10 million records

JD Sports has issued a warning to customers that their data may have been compromised following a hack. The stored data of more than 10 million customers may have been accessed, and included names, addresses, email accounts, phone numbers, order details and the final four digits of bank cards, but is not believed to have included passwords. The risk to customers is said to be low, and the full extent of the breach is currently unclear.

Royal Mail loses ability to ship internationally

Between Christmas and New Year, UK postal delivery service Royal Mail suffered an outage, leaving the website inaccessible. Over the course of January, the extent of the breach quickly became clear, as Royal Mail asked customers to stop sending international parcels. Deliveries resumed in February, but it is clear there has been lasting damage to the brand in the wake of strike action disruption and the cyber attack.

Meta fined £346m over use of data for targeted ads

Meta, the parent company of brands including Facebook, Instagram and WhatsApp, faces a significant fine after breaching EU data laws. The Irish Data Protection Commission (DPC) says that asking users to consent to the way their data is used or leave the platform is unlawful, and has given the social media giant three months to change its approach. Data privacy campaigners are thrilled, saying that it will force the platform to give users real choice about how their data is used and how ads are targeted. This is the second major fine from the DPC in just three months, after it also fined Meta £228m in November 2022 for a data breach that saw personal user data published online.

35,000 PayPal accounts breached due to “credential stuffing”

In mid-January, PayPal introduced emergency security lockdowns and notified a selection of customers after identifying a credential stuffing breach. Credential stuffing is the result of individuals sharing the same password across multiple logins. One instance of this login is breached (not via PayPal in this instance), and hackers then attempt to use the stolen username and password combinations to brute-force access to other platforms. The result is that data stolen in one breach can allow other platforms to be breached. It’s an important reminder of good password hygiene and of not recycling the same passwords.