The past 12 months in cybersecurity have been a rough ride. In cybersecurity, everything is broken — it’s just a matter of finding it — and this year felt like everything broke at once, especially toward the end of the year. But for better or worse, we end the year knowing more than we did before.
Here we look back at the year that’s been, and what we learned along the way.
1. Ransomware costs businesses because of downtime, not ransom payments
The scourge of file-encrypting malware continues. Ransomware this year alone forced entire towns offline, blocked paychecks and caused fuel shortages, as entire company networks were held for ransom in exchange for millions of dollars in cryptocurrency payments. The U.S. Treasury estimates that ransomware operators are likely to make more from ransom payments in 2021 than they did during the past decade. But research shows that the businesses face the most losses through lost productivity and the often-arduous task of cleaning up after a ransomware attack — including incident response and legal support.
2. The FTC can order mobile spyware makers to notify their victims
SpyFone became the first-ever spyware maker to be banned in the U.S. following an order from the Federal Trade Commission in September. The FTC accused the “stalkerware” app maker of creating the stealthy malware to allow stalkers and domestic abusers real-time access to data, such as messages and location history, on their victims’ phones but without their knowledge. The FTC also ordered SpyFone to delete all of the data it had “illegally” collected and, for the first time, notify those whose phones were hacked by its software.
3. Cybersecurity VC funding doubled in size compared to last year
It was a record-breaking year for cybersecurity VC funding. By August, investors had poured $11.5 billion in total venture funding during the first half of 2021. That’s more than double the $4.7 billion spent during the same period a year earlier. The biggest raises include a $543 million Series A for Transmit Security and a $525 million Series D for Lacework. Investors said a boon in cloud computing, security consulting and risk and compliance helped fuel the investments.
4. A third of all legal demands for Microsoft user data are served with gag orders
It’s no secret that tech companies are some of the biggest holders of user data, and — less surprisingly — a frequent target of government data requests that seek information for criminal investigations. But Microsoft this year warned of the growing trend of the government attaching secrecy orders to search warrants, gagging the company from telling its users when their data is subject to an investigation.
Microsoft said one-third of all legal orders come with secrecy provisions, many of which are “unsupported by any meaningful legal or factual analysis,” according to the company’s consumer security chief Tom Burt. Microsoft said secrecy orders were endemic across the entire tech industry.
5. The FBI was allowed to hack into private networks to clean up after a cyberattack
In April, the FBI launched a first-of-its-kind operation to remove backdoors in hundreds of U.S. company email servers left behind by hackers weeks earlier. China was ultimately blamed for the mass exploitation of vulnerabilities in Microsoft’s Exchange email software, which the hackers used to attack thousands of company email servers around the U.S. to steal contact lists and mailboxes. The hacks left thousands of servers vulnerable, forcing companies to scramble to fix the flaws, but the patches didn’t remove a backdoor left behind, allowing the hackers to return and easily regain access.
A federal court in Texas authorized the operation allowing the FBI to exploit the same vulnerabilities as the hackers to remove the backdoors, fearing they could be further exploited by bad actors. Other countries have carried out similar “hack and patch” operations to take out botnets before, but this is the first known time the FBI effectively cleaned up private networks after a cyberattack.
6. Fraudsters are targeting car insurance sites for unemployment benefit scams
Several car insurance companies were targeted this year for an unlikely, but an increasingly common, scam. Metromile said a bug in its website used for storing insurance quotes was misused to obtain driver license numbers. Then, months later, Geico said it too was targeted and had driver license numbers scraped.
Geico’s data breach notice blamed scammers who used the stolen license numbers “to fraudulently apply for unemployment benefits in your name.” Turns out that many U.S. states need a driver’s license before you can apply for state unemployment benefits — hence why the car insurance companies were targeted.