Breach Report – January 2020
Welcome back to your monthly overview of the biggest cybersecurity headlines and network breaches in the country. Stay abreast of the latest developments in IT security so you can keep your company safe.
Security Topics of the Month
Company Data Broker Fails to Secure Internal Server
Customers and companies are increasingly unwilling to partner with organizations that can’t secure their data. One such organization that’s been added to this list is LimeLeads, a B2B leads generation company.
LimeLeads failed to secure an internal server, allowing a threat actor to acquire and sell 49 million user records on the Dark Web. Company data has been for sale since October 2019, including:
- Email addresses
- Employer/company names
- Phone numbers
- Total revenue numbers
This information can be strategically deployed in spear-phishing attacks against the impacted companies.
To make matters worse, security researchers found that the database had been publicly exposed since at least July 27, 2019, meaning the company had ample time to secure it before bad actors became involved. LimeLeads had not set a password on the internal server, so anyone on the internet could access the company’s crucial customer data.
Now the company must grapple with crippling losses, including the brand erosion that accompanies a data breach.
Cybercriminals Increasingly Targeting Financial Services Organizations
According to the 2019 Financial Breach Report, financial services organizations are increasingly targeted by cybercriminals. These breaches are putting people’s personally identifiable information at risk. In 2019, 6% of all data breaches impacted financial services organizations, including the Capital One breach that affected 6 million U.S. and Canadian customers.
Despite the relatively small fraction of organizations breached, the industry accounted for 60% of all leaked records. Hacking and malware were the top causes of these breaches. Financial services organizations collect and store people’s most sensitive information, so any failure in this sector can have devastating consequences.
The average cost of a stolen financial services record reached $210 in 2019, second only to the cost of a compromised healthcare record. Fortunately, preemptive measures like phishing scam avoidance training can help ensure that cybercriminals can’t capitalize on stolen data.
The Worst Passwords of 2019
Using strong, unique passwords is a simple and effective way for everyone to keep their online accounts secure. Unfortunately, despite numerous warnings and seemingly unending headlines about new, devastating data breaches, people are often unwilling to adopt this practice in their daily lives.
In a year-end rundown, security researchers compiled a list of the worst commonly used passwords in 2019. Predictably, “12345,” “test1,” and “password” all made the top five most popular passwords. Other passwords included simple number combinations, popular female names, and horizontal or vertical runs of adjacent keys on a QWERTY keyboard.
It’s clear that millions of people could strengthen their security posture simply by improving their passwords. More robust passwords coupled with other easy-to-use features like two-factor authentication can better defend digital environments.
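The patterns named above (denylisted passwords, simple number combinations, and horizontal or vertical key runs on a QWERTY keyboard) can be rejected mechanically at account creation or password change. The following checker is an added example, not code from the original report; its denylist is a constructed sample (a real deployment would load a full worst-passwords or breach-corpus list), and its keyboard layout is an approximation of US QWERTY rows and columns.

```python
"""Password hygiene checks: denylist, keyboard walks, repeated runs, length.
Added example; the denylist and layout table below are constructed samples."""
import re

# Constructed sample denylist. In production, load a full list of known-bad
# passwords (such as the year-end worst-passwords rundown or a breach corpus).
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "test1", "password", "qwerty",
    "abc123", "iloveyou", "admin", "welcome",
}

# Approximation of the US QWERTY layout, used to spot horizontal runs such as
# "qwerty" or "1234" and vertical runs such as "1qaz" or "2wsx".
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _keyboard_sequences():
    """Return every row and column of the layout, plus their reverses."""
    seqs = list(QWERTY_ROWS)
    width = max(len(r) for r in QWERTY_ROWS)
    for k in range(width):
        # Column k: one key from each row that is long enough (e.g. "1qaz").
        seqs.append("".join(r[k] for r in QWERTY_ROWS if k < len(r)))
    return seqs + [s[::-1] for s in seqs]


KEYBOARD_SEQUENCES = _keyboard_sequences()


def contains_keyboard_walk(password, min_len=4):
    """True if any min_len-character window is a run of adjacent keys."""
    pw = password.lower()
    for i in range(len(pw) - min_len + 1):
        window = pw[i:i + min_len]
        if any(window in seq for seq in KEYBOARD_SEQUENCES):
            return True
    return False


def contains_repeated_run(password, min_len=4):
    """True if the same character repeats min_len or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (min_len - 1), password) is not None


def check_password(password, min_len=12):
    """Return the list of reasons a password is weak; an empty list means it passes."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password denylist")
    if contains_keyboard_walk(password):
        reasons.append("contains a keyboard walk or sequential run")
    if contains_repeated_run(password):
        reasons.append("contains a repeated-character run")
    if password.isdigit():
        reasons.append("digits only")
    return reasons


if __name__ == "__main__":
    # Constructed candidates covering each rejection reason and one pass.
    for candidate in ["12345", "password", "1qaz2wsx", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The checks are deliberately cheap so they can run synchronously in a sign-up form; pairing them with a full breached-password list and two-factor authentication closes the gap the rundown describes.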
Too Many Businesses Are Paying Ransom Demands
Ransomware attacks have been one of the definitive cyber threats of 2019. Despite their growing prominence, business leaders are still struggling to determine the most effective response.
Unfortunately, many organizations are bending to hackers’ demands by paying the ransom to retrieve their data. In fact, the number of organizations giving in to extortion demands more than doubled in 2019. In total, nearly 40% of businesses breached by a ransomware attack are paying criminals to decrypt company data.
This trend goes against the recommendations of law enforcement agencies and many cybersecurity experts who fear that ransom payments will embolden criminals to continue attacking businesses, schools, and government facilities. In addition, making a ransom payment doesn’t guarantee that data will be recovered.
Of course, even those that don’t pay the ransom will not escape unscathed, as the cost of recovery can be as steep as the ransom itself. However, SMBs do have the power to protect themselves. By ensuring that their software is up-to-date and that their accounts are secure through simple features like two-factor authentication, they can take away many of the footholds hackers use to infect businesses with this costly malware.
Georgia Supreme Court Gives Data Breach Victims the Right to Sue
Data breaches carry all kinds of expenses that can do serious damage to a company’s bottom line. That reality became more prominent in December when the Georgia Supreme Court ruled that data breach victims could sue for damages.
The verdict overturned an earlier ruling pertaining to a 2016 data breach at Athens Orthopedic Clinic, in which patients’ personally identifiable information was compromised and eventually made its way to the Dark Web. While the clinic moved to dismiss the case, the court ruled that victims could sue the company for damages.
Ultimately, the ruling underscores another financial front that businesses need to account for when considering the risks of a data breach. This should encourage companies to get the support they need to ensure that they are keeping sensitive data secure.
The Month in Breach
Magecart Attack Targets Australian Bushfire Donations
A legitimate donations site was infected with a Magecart payment-card skimmer that stole donors’ personal information when making an online payment.
The breach was discovered by security researchers, who declined to identify the specific website impacted by the breach. Payment-card skimming malware is an increasing concern for e-commerce platforms, as it collects users’ most sensitive personal data. In addition, it undermines customer confidence in the online payment process, which could decrease their willingness to spend money online.
For all companies relying on e-commerce to drive revenue, it’s a reminder to take steps to prevent and mitigate Magecart attacks.
Ransomware Attack Shutters The Heritage Company
An October ransomware attack ultimately forced The Heritage Company to close its doors. Shortly before Christmas, the fundraising firm informed its staff that their operation was no longer tenable, even noting that the CEO was paying salaries out-of-pocket in an attempt to keep business going while systems were unavailable.
Unfortunately, three months after the attack, The Heritage Company was no longer financially solvent and chose to temporarily shutter its operations. The company may try to reopen if systems can be restored, but it appears likely that the institution, which existed for 60 years, was put out of business by a ransomware attack.
As security experts noted, the company’s ultimate failure wasn’t one of financial solvency but an inability to adopt cybersecurity standards that could have prevented a ransomware attack from crippling its operations. Even simple steps, like implementing two-factor authentication, can keep hackers out of your IT infrastructure and prevent a potentially devastating data disaster before it takes place.
Sinai Health System Fooled by Phishing Scam
Two Sinai Health Network employees fell for a phishing scam that gave hackers access to email accounts containing patients’ personal data. The attack, which occurred on October 16th, wasn’t discovered until December.
Patients’ personal information was compromised in the breach, including:
- Dates of birth
- Social Security numbers
- Health information
- Health insurance information
In response, Sinai Health Network reset employees’ email passwords and provided employees with phishing scam awareness training to prevent a similar event in the future. Unfortunately, these actions cannot undo the damage of a data breach, and the healthcare network will now endure heavy regulatory scrutiny, as the Office for Civil Rights has launched an investigation into the incident.
It’s inevitable that phishing scams will make their way into your employees’ inboxes. Fortunately, these attacks are useless if employees identify the threat and don’t engage with the email. Employee awareness training can empower email recipients to become a strong defense against phishing scams, but waiting until after a breach to provide this training is fruitless. As Sinai Health System just learned, if employees aren’t ready to respond before an incident occurs, the training efforts won’t save your company’s data or dollars.
Ring User Account Credentials Posted on Dark Web
Security researchers recently discovered Ring users’ account credentials posted on the Dark Web. The information could provide hackers with front door access to customer accounts, allowing them to steal additional information or otherwise wreak havoc.
Ring users should update their passwords and enable two-factor authentication to ensure that hackers can’t deploy this readily available information to access their accounts.
Hackers Pretend to be PayPal in Phishing Scheme
Some PayPal users are receiving phishing emails claiming unusual account activity and requiring users to verify their personal information to restore full account access. The hackers fabricate a sense of urgency by noting that user accounts will be disabled until they confirm their identity. Although the messages contain many tell-tale signs of a phishing scam, they pose a serious risk to PayPal customers and the company’s reputation.
Recipients are only at risk if they hand over their personal information, but anyone who responds to this email will compromise nearly all of their personally identifiable information. Anyone who has responded should immediately report the activity to PayPal as well as to their other financial institutions.
The latest phishing attack trends have adopted many of the hallmarks of internet security (including HTTPS encryption) to dupe unsuspecting recipients into compromising critical data. Although such attacks are difficult to spot, SMBs can ensure their employees serve as the first line of defense by implementing consistent awareness training that keeps employees abreast of the latest trends.