Breach Report – October 2019
Welcome to your one-stop shop for the hottest topics in cybersecurity and overviews of major cyberattacks.
Security Topics of the Month
Cyber Insurance Cost Rises Only 5% in 2019
Despite a significant uptick in cybersecurity lapses, the average cost of cyber insurance only rose by 5% in 2019, according to a recent report.
At first glance, this seems like good news for companies. Cyber insurance is an important safeguard in today's threat environment, and one that every business should have.
However, the insurance industry is getting better at controlling its own losses by imposing high deductibles and capping payouts. For instance, the ransomware sublimit on a $1 million policy can be as low as $25,000, and deductibles often exceed $10,000.
At the same time, the cost of a data breach is escalating quickly, and insurance payouts are not keeping pace. That means that even with an insurance reimbursement, companies often absorb significant direct losses from a data breach.
Taken together, these trends underscore the importance of building a strong defensive posture before an incident, because once a data breach occurs, the options left are neither helpful nor affordable.
Only 31% of Employees Receive Annual Cybersecurity Training
The rise in phishing scams and malware attacks has made employee cybersecurity training a critical component of any cyber defense strategy.
However, a recent report by Chubb indicates that many businesses aren't providing cybersecurity training to their employees. The report found that only 31% of employees receive annual cybersecurity training, while 70% of companies claim to have "excellent" or "good" cybersecurity standards.
As data breaches continue to make headlines and damage businesses' bottom lines, too many organizations are putting themselves at unnecessary risk. Companies with disengaged or untrained employees face a serious cybersecurity risk.
Comprehensive employee awareness training is an affordable way to bolster your cyber defenses. It should be a key component of your cybersecurity plan.
U.S. Senate Passes Ransomware Response Bill
Ransomware has become such a scourge that a bill governing ransomware response tactics received bipartisan support from a divided U.S. Senate.
The bill calls for dedicated teams tasked with providing organizations with best-practice advice on protecting against and responding to ransomware attacks. These resources would be available to SMBs, government agencies, and schools.
The fact that such a bill exists at all underscores how urgently more companies need to adopt a defensive posture.
However, this bill alone won't solve everything. SMBs need to understand the ways their IT infrastructure might be vulnerable, and make addressing those weaknesses a top priority.
Twitter Uses 2FA for Targeted Ads
This week, Twitter acknowledged that it used phone numbers and email addresses that users had supplied for two-factor authentication and account security to build targeted advertising audiences.
The information was used by the company's Tailored Audiences program, which lets advertisers create targeted ads by matching their own marketing lists against Twitter user data. The company says it stopped the practice on September 17, but it is not clear for how long advertisers had been matching against that data.
More importantly, this misuse of personal data might discourage users from enabling two-factor authentication in the future, a decision that would put both users and the platform at greater risk of a data breach.
20,000 E-commerce Sites Could Be Compromised by Magecart
In early October, Magecart card-skimming code was found on Volusion, a cloud hosting platform for online stores. Already, more than 6,500 stores have been compromised. Volusion boasts a customer base of more than 20,000 companies, however, so the number of infected web stores might continue to grow.
Most prominently, Volusion hosts the Sesame Street Live online store, which was taken offline after the attack was revealed.
Thousands of stores are now left grappling with lost sales and the longer-term fallout. The incident also underscores the importance of understanding the specific threats that most affect your business, including the ones inherited from your hosting platform.
Businesses Underestimate Threat of Stolen Employee Data
A recent survey found that many companies are not paying attention to the threat posed by stolen employee data. Only 11% of respondents reported believing that compromised employee credentials, such as usernames and passwords, pose a high risk.
The reality is that years of large data breaches have left employee credentials readily available on the dark web. Attackers then replay those credentials in credential stuffing attacks, logging in as legitimate users and moving through company networks without tripping alarms.
By failing to account for the entire threat landscape, businesses are opening themselves up to attacks that can ultimately expose customer information as well.
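Credential stuffing is detectable precisely because it does not look like a normal user: one source tries many different accounts in a short window and mostly fails. The detection script below is an added example written for this report, not code from any of the companies or surveys mentioned; the log line format and the sample log are constructed for the example, and the thresholds are assumptions to tune against your own sign-in data.

```python
"""Credential-stuffing detector over authentication log lines.

Added example for the breach report (not vendor code). Flags source IPs that
attempt logins for many distinct usernames in a short window, the signature
that separates credential stuffing from a user mistyping a password or from a
brute-force run against a single account.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format (an assumption for this example, not a real product's):
#   <ISO timestamp> login user=<name> src=<ip> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 10.0.0.5 replays leaked username/password pairs
# (many distinct users, one hit); 192.0.2.10 is a real user who mistypes once;
# 198.51.100.7 hammers a single account, which is brute force, not stuffing.
SAMPLE_LOG = """\
2019-10-01T08:00:00 login user=alice src=10.0.0.5 result=fail
2019-10-01T08:00:02 login user=bob src=10.0.0.5 result=fail
2019-10-01T08:00:04 login user=carol src=10.0.0.5 result=fail
2019-10-01T08:00:05 login user=alice src=192.0.2.10 result=fail
2019-10-01T08:00:06 login user=dave src=10.0.0.5 result=fail
2019-10-01T08:00:08 login user=erin src=10.0.0.5 result=ok
2019-10-01T08:00:10 login user=frank src=10.0.0.5 result=fail
2019-10-01T08:00:12 login user=alice src=192.0.2.10 result=ok
2019-10-01T08:00:20 login user=grace src=198.51.100.7 result=fail
2019-10-01T08:00:21 login user=grace src=198.51.100.7 result=fail
2019-10-01T08:00:22 login user=grace src=198.51.100.7 result=fail
2019-10-01T08:00:23 login user=grace src=198.51.100.7 result=fail
2019-10-01T08:00:24 login user=grace src=198.51.100.7 result=fail
2019-10-01T08:00:25 login user=grace src=198.51.100.7 result=fail
"""


def parse_line(line):
    """Return a dict for one well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "ip": m["ip"],
        "ok": m["result"] == "ok",
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that, within `window`, attempt logins for at least
    `min_distinct_users` different accounts and mostly fail.

    Returns {ip: {"distinct_users": n, "attempts": n, "successes": [users]}}
    for every flagged IP. The `successes` list holds the accounts whose leaked
    credentials were valid; those are the ones to reset first.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        j = 0
        for i, first in enumerate(events):
            # Slide the window: j moves to the first event past `window`
            # after events[i]; it only ever moves forward, so this is linear.
            while j < len(events) and events[j]["ts"] - first["ts"] <= window:
                j += 1
            span = events[i:j]
            users = {e["user"] for e in span}
            hits = [e["user"] for e in span if e["ok"]]
            if len(users) >= min_distinct_users and len(hits) / len(span) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "successes": sorted(set(hits)),
                    }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried in "
              f"{info['attempts']} attempts, valid credentials for {info['successes']}")
```

The rule keys on distinct usernames per source rather than on failure count alone, so the legitimate user who mistypes once and the brute-force run against a single account are both left alone, while the spraying source is flagged together with the account whose leaked password still worked. In production, feed the same rule from the identity provider's sign-in logs and widen it to catch attackers rotating through proxy pools, where the per-IP count is lower but the aggregate pattern across sources is the same.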
The Month in Breach
Words with Friends Players’ Data Exposed
Hackers gained access to a Zynga database, exposing the personally identifiable information of millions of players.
The data breach affects all users of the company's popular Words with Friends app who registered on or before September 2, 2019. In addition, some users of Draw Something, another mobile game produced by Zynga, were also affected.
The exposed information includes names, email addresses, login IDs, hashed passwords (still crackable offline if the hashing scheme is weak), password reset tokens, phone numbers, Facebook IDs, and other Zynga account details.
The company discovered the breach in September. Unfortunately, by the time it responded, the user data had already been posted to various hacker forums.
Zendesk Chat Data Breach Disclosed
More than three years after the event, Zendesk acknowledged a data breach after a third party notified the customer service software company of unauthorized data access.
The breach affects Support and Chat accounts and includes personal data from every category of Zendesk user, including customers, agents, and end users. This includes names, email addresses, phone numbers, passwords, and other technical account data.
The company is resetting all passwords for users who registered before November 1, 2016. The platform counts many high-profile companies among its clients, so the breach could have far-reaching repercussions for everyone involved.
EA Games Accidentally Leaks Gamer Data
EA Sports inadvertently leaked the personal data of 1,600 gamers who had registered for the FIFA 20 Global Series competition on the company's website.
The leaked data includes email addresses, account ID numbers, usernames, and dates of birth.
The leak became a PR nightmare on social media, not least because it occurred just hours after the company had announced new security features and promotional events tied to the UK's National Cybersecurity Month.
TOMS Customers Receive Odd Email
In an unusual cybersecurity incident, a hacker hijacked the mailing list for TOMS and sent a message encouraging customers to log off their devices and enjoy the outdoors.
The message itself was benign, but the hacker admitted to having had access to the platform for a considerable period before sending it, and used the email, delivered to TOMS customers, to ridicule malicious hackers in obscene terms.
Fortunately, the hacker didn't disrupt any other part of TOMS' IT infrastructure, but prolonged, unnoticed access to a customer-facing system exposes weaknesses in the company's security controls that could hurt it on many fronts.
Hospital Employees Fall for Phishing Attack
A phishing attack tricked several employees of UAB Medicine into handing their email credentials to attackers. The email purported to come from a hospital executive and asked employees to take part in a fake business survey.
Through the compromised mailboxes, the attackers had access to the protected health information of thousands of patients, including patient names, medical record numbers, dates of birth, dates of service, locations of service, and other medical information. Some patients also had their Social Security numbers exposed.
Pitney Bowes Hit with Malware
A malware attack prevented Pitney Bowes' employees and customers from accessing critical services. The company, which specializes in mail management, lost business directly as a result of the attack.
Customers were unable to refill postage or upload transactions on their mailing machines. In addition, news of the attack sent the company's shares down 4%, which underscores the many ways a cybersecurity incident can hurt a company's bottom line.
The company says customer data was not compromised in the attack.