Last week, malware compromises online stores, accidents lead to expensive data breaches, and phishing scams top the UK’s threat list.
United States – Hanna Andersson
Exploit: Malware attack
Hanna Andersson: Children’s clothing maker
Risk to Small Business: 2.222 = Severe: Cybercriminals infected Hanna Andersson’s online store with payment skimming malware that collects customers’ personally identifiable information. The breach impacted customers shopping between September 16 and November 11, 2019. The company only identified the breach after being notified by law enforcement, and the consequences were exacerbated because Hanna Andersson failed to follow PCI standards for payment card encryption and CVV management. As a result, the company will likely face both customer blowback and regulatory scrutiny, neither of which will help the business thrive.
Individual Risk: 2.285 = Severe: Hackers obtained customers’ personal and financial data entered at checkout. This includes their names, shipping addresses, billing addresses, payment card numbers, CVV codes, and expiration dates. Unfortunately, it appears that some customers were already victimized by hackers, as law enforcement identified the breach because of fraudulent purchases made online using these credentials. Therefore, anyone impacted by the breach should immediately notify their financial institutions of the event. They also need to carefully review their account details for unusual or fraudulent activity. Credit and identity monitoring services can keep an eye on long-term misuse, ensuring that victims’ information remains secure even after the urgency of the matter has decreased.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Customers and companies are increasingly unwilling to partner with organizations that can’t secure their data. Consequently, avoidable data breaches are an especially egregious way to compromise a company’s long-term viability. Inevitably, mistakes will be made, but identifying those errors and making corrections before hackers can capitalize on the information is critical to any defensive posture.
United States – Health Quest
Exploit: Phishing scam
Health Quest: Network of hospitals and healthcare providers
Risk to Small Business: 1.666 = Severe: Health Quest is updating its data breach announcement from an event that initially occurred in July 2018 when several employees fell for a phishing attack that compromised patients’ protected health information (PHI). In the attack, employees provided their email account credentials to hackers who used their information to access patient data. The hospital sent breach notifications in May 2019, but the latest announcement expands the depth and scope of the breach. However, it’s unclear why it took the company nearly a year to issue the initial notification and another year to update its assessment. Healthcare breaches are the most expensive of any sector, and Health Quest will likely endure high recovery costs along with intense regulatory scrutiny.
Individual Risk: 2.142 = Severe
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: After the breach, Health Quest announced that it would implement two-factor authentication to secure employee accounts and is instituting employee awareness training to guard against future phishing attacks. Unfortunately, these efforts won’t recover any compromised data, and they won’t mitigate the damage from this breach. To protect data, these highly effective defense tactics need to be deployed before a breach occurs.
United States – The Center for Neurological and Neurodevelopment
Exploit: Phishing scam
The Center for Neurological and Neurodevelopment (CNNH): Healthcare provider
Risk to Small Business: 1.777 = Severe: Hackers gained access to an employee account containing patients’ protected health information. The unauthorized access lasted for more than a month, occurring between October 7, 2019 and November 22, 2019. In response, CNNH secured the account and hired a third-party forensics team to investigate the breach. However, the diagnosis is unlikely to be positive, and the company likely faces an expensive road ahead.
Individual Risk: 2 = Severe: The data breach doesn’t include all CNNH patients, but hackers did have access to patient data contained in the employee email account. This could include patient names, addresses, dates of birth, health insurance information, medical/patient record numbers, and treatment information. CNNH encourages all victims to closely monitor their accounts and insurance statements to check for fraudulent activity and to notify their insurance providers if they discover false charges.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: CNNH secured the account by resetting its credentials and is updating company-wide email standards by enabling two-factor authentication and updating employee training initiatives. These simple data security measures should be standard at every company, and they have to be implemented before a breach occurs. With the cost and consequences of a breach continually increasing, companies can’t afford to wait until it’s too late to take steps to protect their data.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Phishing Tops UK Cyber Threat Landscape
Today’s companies face a litany of cybersecurity threats, but, according to the results of a new study, none are more prevalent than phishing attacks. The study, which surveyed UK ICO reports, found that there were 1,080 phishing-related breaches in 2019, a significant increase from 877 the year before. In total, phishing attacks caused 45% of all data breaches. While other notable causes like unauthorized access, ransomware, and brute force password attacks run rampant, none are even close to as prominent as phishing attacks.
This trend reflects cybercriminals’ desire to target employees and individuals who may not be prepared to identify and respond to the innocent-looking messages that frequently arrive in their inboxes. In response, companies can focus their defense initiatives to combat this trend. Employee awareness training is a proven way for companies to transform their employees from a potent risk to a proven line of defense against cybercrime.
To get help implementing comprehensive employee awareness training, contact ID Agent to learn more about how our simulated phishing attacks can equip your employees to respond to this prominent threat.
A Note From Kobargo
Data Privacy Fines Reach $126 Million
It’s been just over a year and a half since GDPR’s implementation, and the fines are starting to add up. According to the latest report, the expansive data privacy regulation has levied $126 million in penalties on companies throughout Europe. To some, the fines are relatively modest, a reminder that regulatory oversight can be slow to impact businesses’ bottom lines. However, others see the figure as an ominous reminder that data privacy failures won’t come without consequences.
At the same time, Europe isn’t the only place imposing financial penalties on companies that can’t protect customer data. California’s Consumer Privacy Act and New York’s SHIELD Act both carry monetary penalties. In 2020, it’s clear that regulation is going to become more normative, not less, and businesses need to prepare. Contact ID Agent today to improve your defensive posture and avoid regulatory fines resulting from a breach.
Contact Kobargo Technology Partners to schedule a free consultation today!
Last week, phishing scams cost millions, oversights compromise customer data, and Magecart targets Australian bushfire donors.
United States – LimeLeads
Exploit: Unsecured database
LimeLeads: B2B lead generation service
Risk to Small Business: 2 = Severe: LimeLeads failed to secure an internal server, allowing a prominent threat actor to acquire and subsequently sell the company’s data on the Dark Web. The data breach could have significant implications for the company, whose business model centers around brokering company data for marketing initiatives. Security researchers found that the database had been publicly exposed since at least July 27, 2019, meaning that the company had ample time to secure the database before bad actors became involved. Now they must grapple with crippling losses, including the less quantifiable brand erosion that accompanies a data breach.
Individual Risk: 2.428 = Severe: Company data has been for sale since October 2019, spanning personally identifiable information such as names, titles, email addresses, employer/company names, addresses, phone numbers, and even total revenue numbers. This information can be strategically deployed in spear-phishing attacks, so those impacted by the breach should be especially critical of online communications while also closely monitoring their accounts for suspicious or unusual information.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Customers and companies are increasingly unwilling to partner with organizations that can’t secure their data. Consequently, avoidable data breaches are an especially egregious way to compromise a company’s long-term viability. Inevitably, mistakes will be made, but identifying those errors and making corrections before hackers can capitalize on the information is critical to any defensive posture.
United States – New Albany Airport
Exploit: Ransomware attack
New Albany Airport: New York-based airport authority
Risk to Small Business: 2.111 = Severe: A ransomware attack on one of the airport’s MSPs spread to its servers, encrypting backup files, administrative information, and other resources. Fortunately, the malware did not extend to the Albany International Airport or airline computers. However, the company was forced to pay a five-figure ransom to recover their information. The attack’s effectiveness was predicated on the organization’s outdated hardware and lax cybersecurity standards. In response, the New Albany Airport Authority terminated its contract with the MSP and is taking steps to upgrade its defensive posture.
Individual Risk: At this time, no personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: This incident underscores the cascading consequences of a data breach. The New Albany Airport Authority will bear the financial cost of recovery, while its MSP will lose an important contract because it failed to protect its customers’ IT. From both directions, it’s clear that data security failure is a deal breaker in today’s digital environment.
United States – Manor Independent School District
Exploit: Phishing scam
Manor Independent School District: Public school district
Risk to Small Business: 1.777 = Severe: Hackers successfully executed a phishing scam against employees, and they used the stolen credentials to siphon $2.3 million from the district. It took three separate transactions to acquire a significant sum, but their efforts were ultimately successful. The lost funds are just the start of an expensive process that will undoubtedly involve updating cybersecurity protocols, implementing employee awareness training, and upgrading IT infrastructure.
Individual Risk: 2.428 = Severe: While the phishing scam didn’t compromise the district’s data, those implicated in the scheme submitted their account credentials to cybercriminals. They will need to update their account information to ensure its long-term security. At the same time, they should closely monitor their other accounts for unusual or suspicious activity.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: While some companies might be reticent to invest in employee awareness training, this incident demonstrates that the cost of a successful phishing scam far exceeds the expense of preventative measures. The district is working to recoup lost funds but is not likely to emerge unscathed. This news offers a cautionary tale for organizations of all shapes and sizes; preventative measures are only effective if they are implemented before a breach occurs.
In Other News:
Magecart Attack Targets Australian Bushfire Donations
Australia’s bushfire natural disaster is one of the most profound in recent memory, inspiring donors from around the world to contribute resources to the cause. Unfortunately, a legitimate donations site was infected with a Magecart payment-card skimmer that stole donors’ personal information when making an online payment.
The breach was discovered by security researchers, who declined to identify the specific website impacted by the breach. Payment-card skimming malware is an increasing concern for e-commerce platforms, as it collects users’ most sensitive personal data. In addition, it undermines customer confidence in the online payment process, which could decrease their willingness to spend money online.
In this case, payment-card skimming could cost valuable resources in a dire situation. For all companies relying on e-commerce to drive revenue, it’s a reminder that customer confidence is a crucial component of successful online sales initiatives.
A Note From Kobargo
Two-thirds of UK Healthcare Organizations Breached in 2019
Healthcare companies store people’s most sensitive personal information, and data breaches in the industry are both increasingly prevalent and incredibly expensive. A compromised healthcare record is nearly twice as costly as that of the next highest sector.
The consequences of this new reality are especially acute in the UK, where two-thirds of healthcare organizations experienced a data breach in 2019. According to a study by Vanson Bourne, nearly half of these incidents were malware-related. At the same time, other factors, including unauthorized data sharing, phishing scams, and noncompliance with data protection policies, also represented serious threats to healthcare data.
Notably, as the industry becomes increasingly tech-driven and comprised of third-party partnerships, these risks will continue to expand. In the year ahead, healthcare organizations around the world will need to reprioritize data security as an added element of quality patient care.
Last week, smart home technology targeted by hackers, a phishing scam breaches health information, and the UK has a rough year for data security.
United States – Alomere Health
Exploit: Phishing attack
Alomere Health: General medical and surgical hospital
Risk to Small Business: 1.777 = Severe: Two employees fell for a phishing scam that gave hackers access to patients’ protected health information. The first breach occurred between October 31, 2019, and November 1, 2019, while a second breach took place on November 6, 2019. In response, the company is updating its email security protocols, an effort that won’t restore the stolen data nor repair the company’s already-damaged reputation. In addition, Alomere Health could face regulatory penalties because of the nature and scope of the data breach.
Individual Risk: 2.285 = Severe: The compromised employee email accounts stored patient data, including names, addresses, dates of birth, medical record numbers, health insurance information, along with sensitive diagnosis and treatment details. In addition, some patients had their Social Security numbers and driver’s license numbers exposed. Alomere Health is offering free credit and identity monitoring services to those impacted by the breach, and anyone affected should enroll in these services. In addition, they should be especially critical of online communications, as the stolen data can be deployed in phishing scams that can collect additional personal data.
Customers Impacted: 49,351
How it Could Affect Your Customers’ Business: Phishing scams are the leading cause of data breaches, but they are also entirely avoidable. With the cost associated with a compromise continually escalating, training employees to identify and avoid phishing scams is a relatively low-cost initiative that can transform employees into a robust defense rather than an imminent vulnerability.
United States – Wyze
Exploit: Unprotected database
Wyze: Low-budget home security company
Risk to Small Business: 2.222 = Severe: A cybersecurity company identified an exposed database containing the personal details of millions of Wyze users. The breach, which has not been confirmed by Wyze, is an unforced error that could have serious financial and reputational implications. Smart home technology is often targeted by hackers due to its sensitive nature, and many consumers are already unwilling to work with companies that cannot protect their personal data, especially when it impacts their peace of mind and security.
Individual Risk: 2.428 = Severe: Users’ personal data, including email addresses, a list of cameras, camera names, Wi-Fi SSID, API tokens, and Alexa tokens, were all publicly available from the exposed database. Those impacted by the breach should reset their account passwords, enable two-factor authentication, and closely monitor their accounts for unusual activity.
Customers Impacted: 2,400,000
How it Could Affect Your Customers’ Business: Today’s consumers are beginning to make buying decisions based on a brand’s data security reputation. Especially in a sensitive sector like smart home technology, a strong cybersecurity posture is a prerequisite for long-term success. Unforced errors, such as leaving a database exposed, become especially egregious. Of course, mistakes do happen, and businesses need a response plan to contain the event and to identify the scope of the problem as quickly as possible.
United States – Children’s Choice Pediatrics
Exploit: Ransomware
Children’s Choice Pediatrics: Pediatric healthcare provider
Risk to Small Business: 1.555 = Severe: A ransomware attack encrypted patient data and exposed patient records to hackers. The attack, which was discovered on October 27, 2019, encrypted the healthcare provider’s entire network. When records were restored, the provider discovered that some were irretrievably deleted. In response, Children’s Choice Pediatrics is upgrading its cybersecurity protocols to ensure that they don’t give a foothold to future ransomware attacks. However, the opportunity cost, reputational damage, and recovery expenses will continue to weigh down the practice now and for the foreseeable future.
Individual Risk: 2.285 = Severe: While hackers often encrypt company data to extract a ransom, many are turning to data theft as a means to exact additional money from a ransomware attack. In this case, some patients’ personally identifiable information may have been exposed to hackers. Those impacted by the breach should stay vigilant in monitoring their online accounts and scrutinizing digital communications as this data is often redeployed in phishing attacks that compromise additional data.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Reactive cybersecurity measures can’t undo the damage of a data breach. With the holistic cost associated with exposure at an all-time high, companies have millions of reasons to embrace a robust defensive posture against cybercrime. Often, this means starting by securing accounts using best practices, like two-factor authentication, to keep intruders out.
In Other News:
UK Businesses Endured an Attack Every Minute in 2019
For companies around the world, 2019 was a terrible year for data security. This is especially true for UK businesses, which endured a deluge of cybersecurity episodes equal to an attack every minute. Individually, it’s estimated that each business experienced 576,575 attempts to compromise company data in 2019, a 152% year-over-year increase.
The report, compiled by Beaming, a Hastings-based ISP, identified China as the origin for nearly ⅕ of the attacks. Hackers commonly pursued domain admin tools and IoT endpoints to gain access to company networks. In total, the report concluded that 2019 was the worst year on record for UK data breaches. Moreover, the report cautioned SMBs to take cybersecurity issues more seriously by recognizing the profound risk and implementing basic protection plans, including adopting two-factor authentication to secure web platforms.
A Note From Kobargo
ID Agent Speaks with The Cyber Wire Podcast
This week, The Cyber Wire Podcast replayed my conversation in which I discussed the role of monitoring initiatives in helping victims recover from the 2015 data breach at the US Office of Personnel Management, which compromised 4.2 million government employees.
The data breach is one of the most significant data breaches in history, and it serves as a harbinger for our current data landscape. Hackers effectively obtained a dossier on millions of Americans, and monitoring the Dark Web for this information was an enormous, sprawling effort that provided security and peace of mind to those impacted by the breach.
Listen to the Cyber Wire Podcast to learn more about the team responsible for restoring and protecting the identities of more than four million government employees in the Office of Personnel Management. Today, this type of data disaster is much more common, and the risk to both companies and consumers has never been higher. At ID Agent, we provide the tools to help protect your customer and company data from falling into the wrong hands.
Last week, a phishing scam penetrates a popular health care network, a nonprofit organization has its donor list compromised, and “password” remains a stubbornly popular password.
United States – Sinai Health System
Exploit: Phishing scam
Sinai Health System: Chicago-based healthcare network
Risk to Small Business: 1.555 = Severe: Two employees fell for a phishing scam that gave hackers access to email accounts containing patients’ personal data. The attack, which occurred on October 16th, wasn’t discovered until December. In response, Sinai Health Network reset employees’ email passwords and provided employees with phishing scam awareness training to prevent a similar event in the future. Unfortunately, these actions cannot undo the damage of a data breach, and the healthcare network will now endure heavy regulatory scrutiny, as the Office for Civil Rights has launched an investigation into the incident.
Individual Risk: 2.285 = Severe: Patients’ personal information was compromised in the breach, including their names, addresses, dates of birth, Social Security numbers, health information, and health insurance information. Hospital administrators contend that there is no evidence of misuse, but patients impacted by the breach should not presume that their data is secure. Instead, they should closely monitor their accounts for unusual activity, and they should consider enrolling in identity monitoring services to ensure that their information isn’t misused down the road.
Customers Impacted: 12,578
How it Could Affect Your Customers’ Business: It’s inevitable that phishing scams will make their way into your employees’ inboxes. Fortunately, these attacks are useless if employees identify the threat and don’t engage with the email. Employee awareness training can empower email recipients to become a strong defense against phishing scams, but waiting until after a breach to provide this training is fruitless. As Sinai Health System just learned, if employees aren’t ready to respond before an incident occurs, the training efforts won’t save your company’s data or its dollars.
United States – Special Olympics NY
Exploit: Phishing scam
Special Olympics NY: Nonprofit organization
Risk to Small Business: 2.222 = Severe: Cybercriminals hacked the organization’s network and used this access to send phishing emails to its previous donors. Special Olympics NY contacted those impacted by the event, asking them to disregard the phishing communication and offering confidence that their data was secure. Criminals created a sense of urgency by alerting donors that an automatic donation for $1,942.49 was scheduled to debit in two hours, and the emails invited users to confirm their donation by inputting their personal data on a malicious website.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: While it’s unclear how cybercriminals accessed the organization’s communications platform, it’s possible that they walked right through the proverbial front door. With millions of user logins available on the Dark Web, many hackers have critical login information available at their fingertips. Unfortunately, the consequences for businesses can be devastating. For Special Olympics NY, it’s possible that this event could discourage donors from contributing in the future, a damaging blow to one of their critical revenue streams.
United States – Active Network
Exploit: Unauthorized database access
Active Network: Educational software developer
Risk to Small Business: 1.888 = Severe: Hackers infiltrated Active Network’s IT infrastructure and gained access to customers’ personally identifiable information. Bad actors had access to the network between November 1, 2019, and November 13, 2019, but the company didn’t identify the breach until December. The breach is limited to the Active Network’s Blue Bear software platform used by public K-12 schools. This incident is an irrevocable stain on a company operating in an industry that demands data privacy as a prerequisite for doing business, meaning this breach could have significant negative consequences for their business in the future.
Individual Risk: 2.287 = Severe: Hackers accessed user names, payment card expiration dates and security codes, and Blue Bear account usernames and passwords. However, Social Security numbers, driver’s license numbers, and government ID numbers were not included in the breach. Every Blue Bear user should reset their account passwords, and those impacted by the breach should notify their financial institutions of the event. Active Network is offering free identity monitoring services to victims and enrolling in this service can help ensure that their personal information isn’t misused now or in the future.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Brand reputation is a cherished and hard-earned standard that can quickly erode when a data breach strikes. With more consumers demanding a track record of high data security standards before doing business with a company, organizations have every incentive to build their reputation on the bedrock of strong data security procedures. Simply put, to remain competitive in today’s digital environment, businesses can’t just talk about data security, they actually have to protect customers’ information.
In Other News:
Financial Services Organizations Increasingly Targeted By Cybercriminals
According to the 2019 Financial Breach Report, financial services organizations are increasingly targeted by cybercriminals, and these breaches are putting people’s personally identifiable information at risk. In 2019, 6% of all data breaches impacted financial services organizations, including the Capital One breach that impacted 6 million Canadian and US customers.
However, despite the relatively small fraction of organizations breached, the industry accounted for 60% of all leaked records, with hacking and malware serving as the top cause for these breaches. Financial services organizations collect and store people’s most sensitive information, so any failure in this sector can have devastating consequences.
For companies, this new reality is manifesting in their bottom lines. The average cost of a stolen financial services record reached $210 in 2019, second only to the cost of a compromised healthcare record. Fortunately, preemptive measures like phishing scam avoidance training and network analysis can help ensure that cybercriminals can’t capitalize on stolen data.
A Note From Kobargo
The Worst Passwords of 2019
Using strong, unique passwords is a simple and effective way for everyone to keep their online accounts secure. Unfortunately, despite numerous warnings and seemingly unending headlines about new, devastating data breaches, people are often unwilling to adopt this practice in their daily lives.
In a year-end rundown, security researchers compiled a list of the worst commonly used passwords in 2019. Predictably, “12345,” “test1,” and “password” all made the top five most popular passwords. Other passwords included simple number combinations, popular female names, and horizontal or vertical letters or numbers on a QWERTY keyboard. It’s clear that millions of people can take a simple step to improve their defensive posture, and, when coupled with other easy-to-use features like two-factor authentication, they can promote a robust defense of their digital environment.
Last week, ransomware brings bad news for employees, security doorbell users endure a serious privacy breach, and too many companies are giving in to criminals’ demands.
United States – The Heritage Company
Exploit: Ransomware
The Heritage Company: Telemarketing firm
Risk to Small Business: 2.333 = Severe: A ransomware attack forced The Heritage Company to temporarily shutter its operations, even after making a ransom payment to release its critical IT infrastructure. IT admins were unable to use the decryption key to access company data, resulting in the company’s CEO notifying employees that they would not be able to return to work until at least January 2nd. The attack has already cost the company hundreds of thousands of dollars. If they can’t recoup their valuable information, it’s possible that this ransomware attack could permanently cripple their business.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Ransomware can feel like an inevitability in today’s digital landscape, but SMBs have many tools at their disposal to protect their critical information. Notably, ransomware always requires a foothold to infiltrate a company, and this avenue is often achieved through known exploits in legacy systems or phishing scams that induce employees to grant network access to cybercriminals. By addressing these known flaws, companies can improve their defenses against this costly risk.
United States – Ring
Exploit: Accidental data sharing
Ring: Video doorbell and security camera maker
Risk to Small Business: 2 = Severe: Security researchers discovered Ring users’ account credentials posted on the Dark Web. The information could provide hackers with front door access to customer accounts. Given the sensitive nature of their business, this type of access could be especially problematic for users. Moreover, the episode is the company’s second cybersecurity incident this year, which raises questions about its efficacy in an industry that demands excellence when it comes to data security and privacy.
Individual Risk: 2.285 = Severe: Usernames and passwords are often used to directly access user accounts where criminals can steal additional information or otherwise wreak havoc. While Ring told customers that they are actively monitoring for unusual account activity, users should update their passwords and enable two-factor authentication to ensure that hackers can’t deploy this readily available information to access their accounts.
Customers Impacted: 1,562
How it Could Affect Your Customers’ Business: Ring is emblematic of the consequences of failing to embrace data security as a top priority. As a result of multiple data security incidents and allegations of weak data privacy standards, Ring has endured significant brand erosion, and these episodes continue to degrade its competitive advantage. In an industry where customers have many options to choose from, this could be a serious factor in the company’s future financial success.
United States – PayPal
Exploit: Phishing attack
PayPal: Online payment platform
Risk to Small Business: 2.333 = Severe: Some PayPal users are receiving phishing emails that purport to notify them of unusual account activity and require them to verify their personal information to restore full account access. The hackers fabricate a sense of urgency by noting that user accounts will be disabled until they confirm their identity. Although the messages contain many tell-tale signs of a phishing scam, they pose a serious risk to PayPal customers and the company’s reputation.
Individual Risk: 2.428 = Severe: Although recipients have to provide their personal information to be at risk, anyone who responds to this email has compromised nearly all of their personally identifiable information. If that’s the case, they should immediately report the activity to PayPal, as well as to their other financial institutions. Unfortunately, this information can be used to perpetrate more than just financial crimes, and those who were compromised should also enroll in an identity monitoring service to ensure that their information isn’t being misused in other ways.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: As we’ve reported on our blog, the latest phishing attack trends have adopted many of the hallmarks of internet security, including HTTPS encryption, to dupe unsuspecting recipients into compromising critical data. Although such attacks are difficult to spot, SMBs can ensure that their employees serve as the first line of defense by implementing consistent awareness training that keeps employees abreast of the latest trends.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Too Many Businesses Are Paying Ransom Demands
Ransomware attacks have been one of the definitive cyber threats of 2019, and, despite their growing prominence, business leaders are still struggling to determine the most effective response.
Unfortunately, many organizations are bending to hackers’ demands by paying the ransom to retrieve their data. In fact, the number of organizations giving in to extortion demands has more than doubled this year. In total, nearly 40% of businesses breached by a ransomware attack are paying criminals to decrypt company data.
This trend goes against the recommendations of law enforcement agencies and many cybersecurity experts who fear that ransom payments will embolden criminals to continue attacking businesses, schools, and government facilities. In addition, as we’ve noted in this week’s newsletter, making a ransom payment doesn’t guarantee that data will be recovered.
Of course, even those that don’t pay the ransom will not escape unscathed, as the cost of recovery can be as steep as the ransom itself. However, SMBs do have the power to protect themselves. By ensuring that their software is up-to-date and that their accounts are secure through simple features like two-factor authentication, they can take away many of the footholds that hackers use to infect businesses with this costly malware.
A Note From Kobargo
Georgia Supreme Court Gives Data Breach Victims the Right to Sue
Data breaches carry all kinds of expenses that can do serious damage to a company’s bottom line. That reality became more prominent this week when the Georgia Supreme Court ruled that data breach victims could sue for damages.
The verdict overturned an earlier ruling pertaining to a 2016 data breach at Athens Orthopedic Clinic that compromised patients’ personally identifiable information, which eventually made its way to the Dark Web. While the clinic moved to dismiss the case, the court ruled that victims could sue the company for damages.
Ultimately, the ruling underscores another financial front that businesses need to account for when considering the risks of a data breach, and it should encourage companies to get the support they need to ensure that they are keeping sensitive data secure.