Breach Report – November 2019
Enjoy our monthly overview of major cyberattacks from around the country as well as the latest tips and hottest topics in cybersecurity.
Security Topics of the Month
Consumers Stop Engaging with Brands Online After Data Breach
In a recent survey by Business Wire, nearly 50% of respondents are more concerned about data security then they were a year ago. Notably, 81% indicated they would stop engaging with brands online after a data breach. And 63% of consumers believe that the company is always responsible for data security.
In today’s digital landscape, failing to protect customer data won’t just be inconvenient. It could be the beginning of the end for many businesses.
Data Breaches are Pushing SMBs into Bankruptcy
A recent survey by Zogby Analytics confirmed that data breaches are wreaking havoc on SMBs. In particular, the financial implications of a data breach are overwhelming their capacity and forcing them to take drastic action.
The survey, which questioned more than 1,000 small business leaders, found that 37% of SMBs that experienced a data breach suffered financial loss – and 25% filed for bankruptcy. Ultimately, 10% of SMBs went out of business following a data breach.
At the same time, leaders understand the threat. 88% of respondents indicated their company was “somewhat likely” to experience a data breach, while nearly half believe they are “very likely” to be the victim of a data loss event.
Google Has Access to Personal Health Information of Millions of U.S. Patients
Recently Google quietly partnered with Ascension – one of the largest health systems in America. Ascension operates 150 hospitals in 21 states. This new partnership gives Google access to all of Ascension’s patient data.
The effort was code named “Project Nightingale,” and has allowed some Google employees access to data including names, birth dates, addresses, family members, allergies, immunizations, radiology scans, hospitalization records, lab tests, medications, medical conditions, and even some billing records.
The current agreement does not appear to be a violation of HIPAA (Health Insurance Portability and Accountability Act). Google has been looking to expand its health information efforts, including plans to acquire Fitbit. However, Google has stated the data will not be used other than to assist Ascension medical providers.
Data Breaches Reach New Highs
According to Risk Based Security’s Q3 2019 Data Breach Report, 2019 is the worst year ever for data breaches.
The year’s third quarter saw a year-over-year increase of 112% in the total records exposed. SMBs, government agencies, and educational institutions are seeing an uptick in cybersecurity incidents, together creating a 33.3% increase in the total number of breaches for the year.
Notably, many of these data breaches were avoidable. From misconfigured databases to phishing attacks, businesses have many options at their disposal for proactively protecting their most sensitive information.
There is no indication that this recent data breach trend is likely to abate anytime soon, so businesses of every size have plenty of reasons to ensure that negligence isn’t the cause of yet another data catastrophe.
New Threat Actor Impersonates Government Agencies
Cybersecurity researchers are warning consumers of a new threat actor impersonating government email accounts in the U.S. and EU. Hoax email from the U.S. Postal Service, the German Federal Ministry of Finance, and the Italian Revenue Agency are delivering ransomware.
While researchers found that cybercriminals are targeting a broad audience with their messages, they concluded that most are heavily skewed toward businesses, which offer higher payouts and more robust data sets when attacks are successful.
Fortunately, malicious emails rely on user response, so businesses can protect themselves by training their employees to spot fraudulent emails. This particular attack might be new, but the strategy is well-established. Today’s employees need to be aware of the threats that are potentially lurking in their inboxes.
The Month in Breach
Municipality Forks Over $500K in Spear Phishing Attack
Not all phishing attacks steal data. A particularly sneaky spear phishing attack convinced an Ocala City employee to transfer $640,000 to a fraudulent bank account.
Cybercriminals sent an email purportedly from one of the city’s construction contractors requesting payment to a bank account that didn’t belong to the contractor. While the email and bank account were fraudulent, the invoice was legitimate, making this scam especially difficult to detect.
The account still had $110,000 left when the city identified the scam, but the cybercriminals walked away with over $500,000.
As more information becomes available to bad actors, businesses need to plan for this reality by training employees to spot small differences that often reveal a threat. The Ocala City incident tells a cautionary tale that failing to adjust to today’s threats can be an expensive mistake.
U.S. Energy Provider Knocked Off the Grid by Cyberattack
sPower was the victim of a first-of-its-kind cyberattack that brought down its services and disconnected its hardware from the electrical grid.
The root cause of the attack? An unpatched firewall that allowed outside entities to access the network.
The event could significantly harm the company’s reputation within the energy industry, impacting its ability to land future contracts and compete with other companies.
Web Hosting Platform Locked Up by Ransomware
Hackers encrypted SmartASP.NET’s data, crippling both its IT infrastructure and customer data. After the attack, the company’s phones and website were both inaccessible. SmartASP.NET was forced to notify customers that their data was encrypted.
In addition to encrypting customer-facing infrastructure (a common target for ransomware attacks), the attack locked up significant amounts of back-end data and delayed recovery efforts considerably.
Ransomware attacks inevitably have significant financial repercussions, and this is only compounded by the reputational damage that follows such a newsworthy incident. However, hackers need an avenue to deploy this malware. Companies can protect themselves by ensuring that their defensive posture is sufficient to repel key threats.