With so much cybersecurity news flying around, it is hard to keep track of the bigger stories that emerged. Here is the GFI Security round-up of the three top cybersecurity stories of May 2018.

FBI tells world to reboot routers to dismantle botnet

At the end of May, the FBI issued a warning explaining that a Russian computer hacker group had allegedly compromised hundreds of thousands of home and office routers. The group could collect user information or shut down network traffic. Reports say the threat, known as VPNFilter, has already infected more than half a million routers across 50 countries.

Their report states: “Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide.”

The FBI, after an intense investigation, managed to take over the command and control website, the main hub empowered to issue instructions to infected routers. Despite the command and control centre being taken offline, the FBI has issued advice that routers be rebooted, firmware be updated, and that passwords be changed.

The malicious group reportedly involved in this router hack is referred to by a number of names: Sofacy, APT28 or Fancy Bear. This Russia-based group has been blamed for many infamous hacks, including the hack on the Democratic National Committee during the 2016 U.S. presidential campaign.

“People should also consider disabling remote-management settings, changing passwords and upgrading to the latest firmware,” says the FBI advisory.

As GDPR becomes law, complaints against tech giants are immediately filed

After months – nay, years – of preparation, we see the EU’s biggest privacy law come into effect. While the public has been inundated with emails from services for which they have accounts, companies have been scrambling to sort out their privacy and security processes and policies in order to align themselves with the new European General Data Protection Regulation.

GDPR is now seen as the world’s most stringent privacy law, giving EU data subjects greater rights to privacy, in part by holding organizations that collect and/or process the data to stricter standards of accountability and transparency.

Not only do subjects protected under GDPR have the right to access, edit or delete the data they have shared with said organisation, but organisations must now be transparent about why and how they are using the personal data, document procedures and follow much stricter guidelines for storing and transmitting that data.

As soon as GDPR became law, Austrian privacy rights campaigner Max Schrems filed three complaints worth €3.9 billion against Facebook and its WhatsApp and Instagram subsidiaries. He filed a second complaint worth €3.7 billion against Google’s Android operating system. He has accused them of forcing users to accept “coercive” new terms that do not comply with GDPR stipulations.

With fines up to 4 percent of the previous financial year’s turnover, organizations found guilty of breaching GDPR may find they have to dig deep for failing to prepare properly for the GDPR’s arrival into enforceable law.

Here is a good round-up explaining the high-level changes that come with GDPR. More useful information can be found here.

Five years in jail for guy using data tied to 2014 Yahoo hack

Karim Baratov, a young computer hacker, has been sentenced to five years in prison and fined $250,000 at a San Francisco hearing for using data stolen in the massive 2014 Yahoo data breach.

According to the Associated Press, Baratov was named in a federal indictment last year that charged two Russian spies with orchestrating the 2014 Yahoo breach involving 500 million users. “Baratov was charged with using that stolen data passed to him by Russia’s Federal Security Service to hack dozens of email accounts of journalists, business leaders and others.”

Prosecutors said Baratov was paid by Russia’s Federal Security Service to target a dozen email accounts obtained from the Yahoo data breach, including those of Russian journalists, U.S. and Russian government officials and private business owners. Baratov reportedly collected more than $1 million in payments.

The two Russian spies, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich, remain at large and prosecutors believe they are living in Russia, outside the reach of U.S. extradition laws.