Top 10 cyber security stories of 2019

Here are Computer Weekly’s top 10 cyber security stories of 2019

As usual, 2019 was a busy year in the world of cyber security, with big stories around network security, data privacy and protection, and the state of General Data Protection Regulation compliance all hitting the headlines – and that’s before we even get started on the issue of cyber crime.

1. Top VPNs secretly owned by Chinese firms

Almost a third (30%) of the world’s top virtual private network (VPN) providers are secretly owned by six Chinese companies, according to a study by privacy and security research firm VPNpro.

The study shows that the top 97 VPNs are run by just 23 parent companies, many of which are based in countries with lax privacy laws.

Six of these companies are based in China and collectively offer 29 VPN services, but in many cases information on the parent company is hidden from consumers.

2. Government insists ‘nothing sinister’ about web user data gathering

Government officials have insisted there is “nothing sinister” in plans to gather user information through the Gov.uk website to help deliver more personalised digital services to citizens.

Alison Pritchard, director general of the Government Digital Service (GDS), which runs Gov.uk, said the project to analyse web traffic alongside other user data is purely intended to offer more joined-up services by better understanding what information users want.

“Are we trying to do anything more than you’d expect any organisation that has a complex web portal? No, absolutely not,” she said, in a media briefing at GDS’s Sprint 19 conference in London.

3. Nearly a quarter of tech firms do not security check products

Application security is not a priority for suppliers, with 23% of IT security professionals polled admitting their organisations do not carry out security testing on all products before launch.

This is one of the key findings of a survey of 121 security professionals at the 2019 RSA Conference in San Francisco by cyber threat assessment firm Outpost24.

Even though recent vulnerabilities disclosed by Huawei and Asus highlighted the importance of suppliers carrying out thorough security checks on technology before shipping it to customers, the survey also shows that 31% of IT security professionals admitted their organisation had marketed a product they knew contained security vulnerabilities in order to beat the competition.

4. NCSC seeks new breed of cyber security startups

The National Cyber Security Centre (NCSC), together with Wayra UK, has launched a national call for 10 startups to join its accelerator programme to develop the next generation of cyber security products.

Since its launch in 2017, the government-funded NCSC Cyber Accelerator has mentored and supported the growth of technology startups, with previous participants securing more than £20m in funding.

One of the main aims of the NCSC Accelerator is helping entrepreneurs to get into the market and helping the market identify good solutions to real problems.

5. Facebook asked George Osborne to influence EU data protection law

Sheryl Sandberg, chief operating officer of Facebook, asked then-chancellor of the exchequer George Osborne to be “even more active and vocal” in his concerns about European data protection legislation, and to “really help shape the proposals”, during a lobbying campaign to influence EU policy.

As part of attempts to woo Osborne, Sandberg invited one of his children to visit a Facebook office after the chancellor told her they were “desperate” to have a Facebook account, internal company documents seen by Computer Weekly and The Observer revealed.

Sandberg hoped to build on Osborne’s concerns over the costs of the proposed European Data Protection Directive – what would later become the General Data Protection Regulation (GDPR) – which could have a serious impact on Facebook’s business.

6. GDPR non-compliance worse than feared

As the European Union GDPR legislation nears its 18-month anniversary, research by security software supplier Egress has suggested that 52% of UK businesses are not fully compliant with the rules, opening the door to severe penalties if they fall victim to a data breach.

Egress – which polled 250 decision-makers, split a third each way between small businesses, medium-sized businesses and large enterprises – reported that only 48% were fully compliant, and 42% “mostly” compliant.

If other, similar reports are accurate, this could suggest that non-compliance with GDPR is not only more widespread than thought, but in some cases, levels of compliance are being obfuscated by security professionals. In July 2019, two separate surveys – one by audit and tax consultancy RSM and the other by data virtualisation firm Delphix – found that 30% of European businesses were not confident they were compliant, and that some businesses were giving their leadership cause to believe they were compliant when this was not necessarily true.

7. EU patches 20-year-old open source vulnerability

A 20-year-old vulnerability in PuTTY, an open source network file transfer application, has been tracked down and patched during a wide-ranging bug bounty programme conducted by HackerOne on behalf of the European Union Free and Open Source Software Audit (EU-FOSSA).

The vulnerability could potentially have allowed a malicious actor to crash the programme and use it to achieve remote code execution. It was first spotted on 27 June 2019 and publicly disclosed on 20 September, netting its discoverer a €3,250 (£2,782) bonus.

HackerOne technical programme manager Shlomie Liberow said it was not necessarily a surprise that the vulnerability had lain undiscovered for two decades.

8. UK cyber experts to support global company boards

The National Cyber Security Centre (NCSC) and the Lloyd’s Register Foundation global charity are jointly funding a £1m research project to explore board decisions around cyber security and risk.

The Cyber Readiness for Boards project will also develop interventions to provide guidance and support, working initially with six multinational companies that are at particular risk due to their high profiles, before rolling out to involve more businesses, including small and medium-sized enterprises (SMEs) and larger enterprises in 2020.

The project will focus on evaluating board-level training interventions; assessing how boards evaluate cyber risks; investigating the significance of board composition, accountability and responsibility; and examining the impact of investor pressure on board decision-making on cyber risk.

9. Lawmakers study leaked Facebook documents made public today

Congressional lawmakers are analysing thousands of pages of leaked Facebook documents, containing high-level internal conversations between CEO Mark Zuckerberg and the technology firm’s most senior staff, as antitrust investigations against Facebook heat up.

The cache of confidential internal documents reveals how Facebook encouraged hundreds of thousands of app developers to build mobile applications on its platform before putting pressure on them to buy advertising or hand over data about their users to Facebook.

Computer Weekly has published all the documents to allow further public interest scrutiny by regulators, academics and journalists of Facebook and its policies towards competing companies (links to all documents are available here).

10. Breach of nearly 2.7 billion records underlines password flaws

A leak of 87GB of data, comprising 772.9 million email addresses, 21.2 million passwords and 1.1 billion unique combinations of email addresses and passwords, has been revealed by security researcher Troy Hunt, who also manages the Have I Been Pwned service, which enables users to check if their personal data has been compromised.

The data leak, dubbed Collection #1, comprises 2.6 billion rows of data from 12,000 files and is being shared on hacking forums, Hunt revealed in a blog post.

The data presents a huge threat because cyber criminals can use the email and password combinations to test them across all online accounts using a technique called credential stuffing. This is enabled by the common practice of using the same email and password combination for multiple online and business application accounts.
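The pattern credential stuffing leaves in a login log is one source address trying many different accounts with a high failure rate, which is what a defender can look for. The following detector is an added example, not code from the article or from Have I Been Pwned; the log format, the thresholds and the sample lines (documentation IP ranges) are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of web-login audit lines (not from the article). 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges. One source tries six accounts once
# each, the shape a replayed breach list produces; the other is one user retrying.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2019-01-17T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2019-01-17T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2019-01-17T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T10:00:10Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:15Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:20Z ip=198.51.100.7 user=grace@example.com result=OK
"""

# Hypothetical key=value log layout assumed for this example.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def summarise_by_ip(log_text):
    """Per source IP: total attempts, failures and the set of distinct accounts tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        s = stats[m["ip"]]
        s["attempts"] += 1
        if m["result"] != "OK":
            s["failures"] += 1
        s["users"].add(m["user"])
    return stats


def flag_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return IPs that tried at least min_users distinct accounts with mostly failures.
    A single user mistyping one password never trips this; a stuffing run does,
    because each stolen email/password pair is tried once against its own account."""
    flagged = {}
    for ip, s in summarise_by_ip(log_text).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    print(flag_credential_stuffing(SAMPLE_LOG))
```

Note that one success among the failures (carol above) is exactly what makes stuffing dangerous: the reused password worked, so the flagged source, not just the failed logins, is the signal to act on.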