Ransomware went critical: It came as no surprise that 2021 has been another record-breaking year for ransomware attacks; each of the past several years has seen an increase in incidents, severity and payouts. What made 2021 a standout were several high-profile attacks on critical infrastructure, most notably the Colonial Pipeline attack, which disrupted fuel distribution on the East Coast during the summer. Authorities were able to recover roughly half of the ransom paid by Colonial Pipeline to regain access to its systems, and the suspected ransomware gang responsible for the attack went quiet shortly afterwards. That sent a clear message to cybercriminals: Critical infrastructure meant bigger-than-ever paydays. Similar attacks on JBS, the world’s largest meat processor, and two separate agricultural supply chain cooperatives in the following months signaled the likelihood of more such attacks.
Everyone hates Mark: Mark Zuckerberg’s Facebook empire suffered a one-two punch in October when widespread outages hit the company only days after a series of widely publicized whistleblower complaints against the company and its leadership. Dogged by revelations about Meta’s internal politics, its overall effects on society and the mental health of its users (not to mention a $150 billion lawsuit over alleged complicity in a genocide), Mark Zuckerberg announced the rebranding and name change. The move seemed equal parts desperate and out-of-touch, and the newly branded company carried the same bruised reputation. Nearing the end of 2021, Mark Zuckerberg was declared The New Republic’s “Scoundrel of the Year.” Meta meanwhile has been plagued by a talent gap, with employees fleeing high-paying positions out of fear of damage to their professional reputations.
GDPR is toothless: There were high hopes for the European Union’s General Data Protection Regulation (GDPR), a flagship legal framework that went into effect in 2018 with the promise of greater data protection and heavy fines for violators. Fast-forward to 2021 when the GDPR revealed itself to be meh. High-profile enforcement against major tech companies like Amazon, WhatsApp and Google yielded paltry fines and did little to protect user privacy. EU member states expressed frustration with the apparent lack of progress. The most visible change brought to the internet by the GDPR has been the need to adjust cookies on websites, a move that is ironically meant to prevent data collection by providing trackable information to advertisers.
Looted cryptocurrency funds were returned: Cryptocurrency funds and accounts are favorite targets for hackers. Their relatively anonymous nature makes them easy to transfer quickly enough that victims are often unaware of the hack until it’s too late. In August, crypto platform Poly Network was hit by a record-breaking attack to the tune of $600 million in digital currency. The leadership tried a tack no one thought would work, namely by asking the hacker for the money back. In an even stranger twist, the hacker agreed to do it. Poly Network recovered the funds and offered “Mr. White Hat” (that’s really his name) a $500,000 bug bounty fee and a position at the company.
Log4J: This story is still unfolding, but it has the potential to be the biggest cybersecurity fail of the year. A massive security vulnerability was found in Log4J, an open-source logging tool used on internet-based servers. Nearly every major tech service from Apple to Tesla was affected. The organization responsible for Log4J’s development quickly issued an emergency patch to address the vulnerability. This patch opened servers up to another vulnerability, requiring a third patch. Problem solved? Not quite. The third patch fixed the first two, but introduced yet another security hole. Reports of ransomware attacks, server takeovers and other related outages have begun to make headlines, but most cybersecurity experts agree that the worst is yet to come.