Data breaches, data privacy and protection, and the thorny issue of open source security were all hot topics this year. Meanwhile, security companies frequently found themselves hitting the headlines, and not always for good reasons. Here are Computer Weekly’s top 10 cyber security stories of 2024
The year 2024 threw up another diverse crop of stories in the world of cyber security, with much to pay attention to, particularly in the realm of artificial intelligence (AI), which continued to dominate the headlines.
This year, we steer away from AI fear, uncertainty and doubt to focus on some of the other big issues, such as data privacy and protection, large scale breaches, and the tricky issues surrounding the security of widely used open source components.
There was also trouble at the mill for cyber security companies themselves, which often found themselves in the headlines, often after the privileged access afforded by their products and services was abused to attack their customers. Ivanti, Microsoft and Okta all make our top 10 this year – and we would be remiss not to mention CrowdStrike.
Here are Computer Weekly’s top 10 cyber security stories of 2024.
1. Leak of 26 billion records may prove to be ‘mother of all breaches’
At the end of January 2024, a data dump comprising 26 billion records and totalling more than 25GB in size was discovered by researchers. Dubbed the largest leak in history, and the “mother of all breaches”, the majority of the data related to Chinese social media platforms, but the likes of Adobe, Dropbox, LinkedIn, MyFitnessPal, Telegram and X were also included.
Much of the data appeared to have been compiled from various smaller leaks, likely a broker who intended to sell it on to others for use in identity theft, phishing attacks and account takeovers.
2. Okta doubles down on cyber in wake of high-profile breaches
In February, identity and access management (IAM) provider Okta announced plans to double its investment in security over the next 12 months and launched a Secure Identity Commitment. This came in the wake of the exploitation of its products and services during a series of cyber attacks during 2023, and earlier.
The company’s leadership said that as a security leader it recognised it needed to work a lot harder to stop ne’er-do-wells from taking advantage of the identity data its customers entrust to it.
3. Widespread Ivanti vulnerabilities make waves
Another cyber company was in the news at the start of 2024, Ivanti, a specialist in asset, identity and supply chain management found a series of vulnerabilities in its Policy Secure network access control (NAC), Ivanti Connect Secure secure socket layer virtual private network (SSL VPN), and Ivanti Neurons for zero-trust access (ZTA) products caused concern at organisations worldwide after being exploited by a threat actor.
The three vulnerabilities in question enabled attackers to access privileged data and obtain elevated access rights on their victims’ systems.
4. Open source alert over intentionally placed backdoor
In April, users of the open source XZ Utils data compression library narrowly avoided falling victim to a major supply chain attack, after evidence of an apparently intentionally placed backdoor in the code was revealed. The malicious code, embedded in versions 5.6.0 and 5.6.1 of the library, enabled unauthorised access to affected Linux distributions.
It later emerged that the dodgy code was placed there by a malicious actor who intentionally worked hard over a long period to gain the trust of the projects’ developers. The security of widely used open source components was to be one of the big themes of the year.
5. Microsoft beefs up cyber initiative after hard-hitting US report
In May, Microsoft doubled down on its Secure Future Initiative (SFI), expanding the programme – which set out to address the software and vulnerability issues frequently exploited by threat actors – in the wake of a damning US government Cyber Safety Review Board (CSRB) report.
Redmond said the rapid evolution of the threat landscape underscored the severity of the threats that face both its own operations and those of its customers, and admitted that given its central role in the world’s IT ecosystem, it had a “critical responsibility” to earn and maintain trust.
6. CrowdStrike update causes worldwide chaos
The biggest IT story of 2024 – arguably – was not strictly speaking a security incident, but appears here since it originated at a security company. On 19 July, IT pros all over the UK and beyond awoke to a fast spreading IT outage downing key systems, originating at cyber firm CrowdStrike after it pushed a flawed rapid response update to key threat detection sensors that caused Windows computers to enter a so-called boot loop.
The extensive disruption caused no major security incidents at the time, but the ramifications continue to this day, with CrowdStrike execs facing legal repercussions and even being called to account for the incident in front of politicians. As with the XZ Utils scare a couple of months previously, the CrowdStrike incident shows again the importance of paying close attention to one’s code.
7. Campaigners call for evidence to reform UK cyber laws
Those who have been following the CyberUp campaign for legal reform over the past few years will know well the difficulties the group has had in convincing Britain’s politicians that the time has come to reform the outdated Computer Misuse Act of 1990, which – thanks to archaic wording in regard to the offence of “unauthorised” access to a computer – puts security professionals in the UK at risk of prosecution simply for doing their jobs.
With Keir Starmer moving into 10 Downing Street, the campaign team seized the opportunity to launch a fresh call for evidence and views during the summer, saying that about a third of UK security firms had experienced monetary losses due to the law, putting at risk £3bn of the sector’s £10.5bn annual contribution to the economy.
8. NCSC celebrates eight years as Horne blows in
In eighth place on the Computer Weekly list, the National Cyber Security Centre celebrated its eighth birthday this year, although its new leader, Richard Horne, who took up the post in October, is only the organisation’s third official CEO.
Eight years may not be a particularly long time – the Brexit referendum was eight years ago – but the cyber security landscape has changed radically in that time, and looking ahead, as the interdependency between security and intelligence would become more critical, and the risks and opportunities of new technologies and more sophisticated threats increase, the NCSC’s work to get better at addressing the security of those technologies and how to use them to the UK’s advantage continues.
9. Zero-day exploits increasingly sought out by attackers
In November, the NCSC and its US equivalent, CISA, published new annual data revealing that of the 15 most exploited vulnerabilities of 2023, the majority were zero-days compared with less than half in 2022. The trend has continued through 2024, and the NCSC warned that defenders need to dramatically up their game when it comes to vulnerability management and patching.
Among some of the most heavily exploited CVEs were some that are now widely known, including infamous issues in Progress Software’s MOVEit Transfer, Log4Shell and Citrix, many of them dating back years.
10. US TikTok ban imminent after appeal fails
At the end of 2024 came the news that TikTok is likely to be banned in the US in mere weeks after a Washington DC appeal court rejected representations from the China-owned social media platform, which claimed its First Amendment rights were being violated.
Legitimate concerns about the firm’s data protection and privacy practices – and the possibility that the data TikTok holds may be exploited by the Chinese government – lie at the core of the potential ban which would have global ramifications and impact millions of users, influencers and businesses alike.
Somewhat ironically, given he once tried to ban it himself, the platform’s best hope for a reprieve may now lie with president-elect Donald Trump, who will undoubtedly be an impactful force in the cyber security world in 2025.