Breach Report – December 2019
Welcome to Breach Report! Start your 2020 armed with the latest cybersecurity news and data breaches from around the country.
Security Topics of the Month
Phishing Scams Target Office 365 Admins
Cybercriminals are using information readily available on the internet to target business administrators with phishing scams in hopes of obtaining their Office 365 login credentials.
Office 365 admin credentials are gold to cybercriminals. They provide full access to the IT infrastructure, and an admin account can be used to infiltrate other user accounts or to create new accounts that further distribute the phishing campaign.
It’s important to train all employees about the risk of phishing attacks – and keep them abreast of the latest trends and tactics. Hackers are nimble with their tactics; businesses need to be just as dynamic in their training efforts.
Report Reveals Ransomware’s Growing Reach
A report from the National Cyber Security Center in the Netherlands found that 1,800 companies around the world are currently impacted by ransomware. It’s a staggering number that officials believe underrepresents the real sum, since many ransomware incidents go unreported.
What’s more, the report found that cybercriminals often rely on a single intrusion into the network to plant ransomware. Corporate login credentials can cost as much as $20,000 on the Dark Web, but they are readily available. Businesses need to know whether their login information is being traded on underground marketplaces in order to protect their IT from infiltration.
Our free Dark Web Scan can detect if any of your company’s usernames or passwords are for sale to bad actors.
Ransomware attacks have proven to be a low-risk, high-reward endeavor for many cybercriminals. That means these attacks are unlikely to abate any time soon. Instead, SMBs should focus on maintaining a robust defensive posture capable of ensuring that their company name isn’t added to the growing list of organizations impacted by ransomware.
More Than Half of Organizations Not Ready for a Cyberattack
A recent survey found most organizations still aren’t prepared for the inevitability of a data breach.
More than 800 CISOs from three continents expressed similar sentiments about their data security standards. Notably, 51% do not believe they are ready to respond to a data breach, while nearly a third have untested response plans in place.
Meanwhile, the vast majority believe that the cybersecurity landscape will worsen or stay the same in the year ahead. Perhaps that’s why 76% plan to increase their cybersecurity budgets in 2020. CISOs identified security software and employee awareness training as their top priorities moving forward.
60% of Digital Business Will Suffer Service Interruption by 2020
For many businesses, an online presence is a vital part of their competitive strategy. Unfortunately, it also creates a major vulnerability. According to a recent study by Gartner, by 2020 more than half of all digital businesses will experience one or more cyber threats that significantly disrupt their business.
The report notes cybercriminals are targeting the increasingly critical and valuable data sets that companies are bringing online. It also found that products such as pre-packaged ransomware and phishing capabilities have never been more prevalent, thanks to an underground marketplace fueled by the Dark Web.
Companies with a digital presence have a responsibility to audit their defensive posture and ensure they are prepared to meet the latest cyber threats. Notably, most cyber threats can be addressed in-house by making sure employees can identify risks and follow best practices, like strong, unique passwords and two-factor authentication across all accounts.
Third-Party Breaches Present a Serious Risk
Partnering with a third party can put your company’s data at serious risk. It’s a risk factor every business should consider when exploring new collaborative opportunities.
Many vendors are so overwhelmed by data breaches that they struggle to bring their services back online, if they survive at all. In either case, your company’s data may not be their top priority, which puts your business at risk.
In today’s regulatory environment, organizations face intense scrutiny when a data breach occurs, even if it doesn’t originate at their own company. That threat should give every company working with third parties a reason to carefully consider the cybersecurity implications before signing the contract.
A solid vendor risk management program backed up by technology, policies, and procedures is the best protection. Good review and audit processes can catch any vendor-related problems before they become data breaches.
Too Many Employees Don’t Change Their Passwords
A new survey by YouGov research found many employees aren’t taking even the most basic steps to secure their accounts. Although the survey focused on Ireland, it represents a globally commonplace approach to password security.
It found that 39% of employees haven’t updated their passwords in more than a year. Many respondents expressed annoyance with security features like CAPTCHA image challenges or one-time passcodes sent via text or email.
However, with the number of compromised email accounts growing every day, strong password standards coupled with additional security features like two-factor authentication can significantly decrease the risk of a data breach. It’s an obvious and proactive step that everyone can take to protect their personal and professional data from falling into the wrong hands.
New Ransomware Strain Targets Healthcare Sector
A new variant of ransomware called Zeppelin is being deployed throughout the U.S., Canada, and Europe, targeting healthcare companies and IT organizations. Notably, the ransomware is deployed through remote desktop servers that are publicly exposed to the internet.
The ransomware also spreads through managed service providers, reaching their customers via the providers’ management software.
SMBs can’t afford to leave cybersecurity up to chance. These attacks can have devastating financial consequences, which means that a robust defensive posture is an issue that will continue to be critical in the year ahead.
CCPA Goes Into Effect on Jan. 1st
California’s new data privacy law, the California Consumer Privacy Act, officially goes into effect on January 1, 2020.
The law gives consumers new rights over their personal data. Like Europe’s General Data Protection Regulation that came before it, CCPA promises financial penalties for companies that fail to comply with its standards.
The CCPA grants users a number of fundamental rights, including rights to:
- Know what personal information is being collected about them
- Access this information
- Know whether it is sold, and to whom
- Ask that their personal data be deleted
- Opt out of the continued sale of their personal data
- Receive equal service and price, even if they have exercised their right to opt out
Businesses should make detailed inventories of personal information pertaining to California residents and ensure it can be readily accessed by users.
The Month in Breach
PayMyTab User Data Exposed Since July 2018
The PayMyTab app lets you review, split, and pay for your check at restaurants and other venues. Because of an unsecured AWS storage bucket, the personal data of tens of thousands of PayMyTab users had been exposed since July 2018.
The impacted data included customer names, email addresses, telephone numbers, order details, restaurant visit information, and the last four digits of payment card numbers.
The data was unprotected because PayMyTab failed to follow Amazon’s security guidance for buckets. Although the error was discovered by white hat hackers, bad actors had plenty of time to find and exploit the data.
This incident was an entirely avoidable mistake – and could cost the company in many ways. It’s essential to take cybersecurity seriously in your business. Don’t be tempted to compromise or take shortcuts.
Academy Sports + Outdoors Suffers Credential Stuffing Attack
Hackers used previously stolen, legitimate login credentials to access customer accounts at Academy Sports + Outdoors. The company noticed the breach after detecting unusual activity on certain user logins. Customers’ financial data wasn’t compromised in the breach, but account information, including usernames and passwords, was impacted.
Unfortunately, the breach occurred during the busy holiday shopping season. Customers have increasingly shown that they are less willing to engage with platforms that have a track record of cybersecurity lapses.
A data breach is more than just a cyber incident. It’s a collapse in customer service of the highest magnitude, and a priority that retailers looking to succeed in today’s digital environment must immediately address.