Security News Survey – February 8, 2019

A look at the GDPR notification and fine tally and utility companies’ cybersecurity woes across the globe.

Data breaches seem like the (unwanted) gift that keeps on giving, especially in today’s climate of increasing regulation around cybersecurity and relevant offenses. This week, we saw some headlines pop up that served as pointed reminders of the costs associated with cybersecurity lapses, and one in particular that offered a case study (or two) of how not to respond to an incident.

Let’s take a look.

GDPR: 59,000 breach notifications and 91 fines since implementation date

A new DLA Piper report has tallied up the total number of data breaches reported to GDPR regulators: 59,430. The global law firm also revealed that, since the GDPR implementation day in May 2018, regulators have issued 91 fines for violations, 60 of which were doled out to German companies. Many folks have questioned the number of fines in comparison to the number of breaches, but the report does shed some light on the discrepancy: resources are stretched thin. According to DLA Piper, GDPR regulators are facing an enormous backlog of breach notifications and are being forced to prioritize the biggest breaches first. So, companies that have disclosed breaches but haven’t been slapped with a fine might not yet be out of the woods. No doubt, regulators shouldn’t expect to see too much of a decline in the backlog in 2019. Data breach disclosures will continue, and fines are expected to increase, too.

Duke Energy fined for security violations

In last week’s Survey, we mentioned new warnings by U.S. intelligence officials about the cybersecurity of our critical infrastructure assets like electrical grids and natural gas pipeline networks. We’re continuing to see cybersecurity conversations in this industry, and not in encouraging ways. Duke Energy, a utility giant with more than 7 million customers, was slapped with a $10 million fine by the North American Electric Reliability Corporation (NERC) for multiple “security violations,” including managerial oversight, deficient internal controls and processes, and poor training. Thankfully, it doesn’t appear that any hackers took advantage of the company’s many security gaps and, to Duke Energy’s credit, the company self-reported most of these violations and has agreed to pay the fine.

South African utility giant in double cybersecurity trouble

Duke Energy’s attitude is much more palatable than that of a South African counterpart. The country’s biggest utility provider, Eskom, is facing severe criticism this week after a cybersecurity researcher publicly censured it for a data leak. The researcher, Devin Stokes, took to Twitter after multiple attempts to alert the company (which supplies electricity to most of South Africa and almost half of the continent) about a server security issue that was exposing sensitive customer data, including financial information. Stokes and his followers chided Eskom for its lack of response, and the story was quickly picked up by journalists across the world. On Thursday, Eskom finally issued a short statement on Twitter, denying ownership of the server in question but stating that an investigation is underway.

Unfortunately for the company, this isn’t the only cybersecurity incident it’s had to deal with this week. On Wednesday, the company was notified by a MalwareMustDie security researcher that malware had been installed on its systems by an employee whose company credentials were compromised. Eskom first denied the claim, but has since retracted that denial and confirmed that it is investigating the matter. Sounds like the company has a lot of investigating to get to.

Eskom may be across the pond from many of us, but it adds to the growing mandate across the world: critical infrastructure companies can’t be blasé about cybersecurity. No company can. Between consumers, media, and regulators, someone is bound to hold you accountable.