Last week, hackers gained access to data from a popular delivery service, ransomware diverted ambulance services, and few employees reported sufficient cybersecurity training.
United States – Thinkful
Exploit: Unauthorized database access
Thinkful: E-learning website for developers
Risk to Small Business: 2.333 = Severe: By leveraging an employee’s stolen credentials, an unauthorized third party was able to access the company’s database. While sensitive data, such as social security information, was not exposed, it’s possible that other personal information was accessed. In response, Thinkful has notified its users of the data breach and is requiring password resets on all accounts. While the company wrote to its users that it is taking additional steps to enhance security, these efforts will not help those whose credentials were already compromised in the breach. This incident follows on the heels of the company being acquired by Chegg.
Individual Risk: 2.857 = Moderate: Users’ Social Security numbers were not compromised in the breach, but other personal information could have been accessed by hackers. Users should create unique passwords, enroll in multi-factor authentication, and monitor their accounts for suspicious activity in the wake of the attack.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Thinkful’s data breach announcement is especially problematic since it immediately followed news that the company was being acquired by Chegg. It’s unclear how this cybersecurity incident will impact the deal, but cybercriminals often target small companies before an acquisition, hoping to infiltrate their IT infrastructure before it comes under the protection of the larger, more robust system of the new parent company. Therefore, businesses must consider cybersecurity as both a moral imperative and a financial necessity, especially in the realm of mergers and acquisitions.
United States – Campbell County Memorial Hospital
Campbell County Memorial Hospital: Healthcare provider operating as part of the Campbell County Health Department
Risk to Small Business: 2.111 = Severe: A ransomware attack on Campbell County Memorial Hospital forced the healthcare provider to divert ambulance services, cancel surgeries, and stop admitting patients. The hospital’s emergency room remains operational, but many services are curtailed. Hackers did not send a ransom demand, leaving hospital IT administrators grappling for a solution. Campbell County Memorial Hospital reports that no patients were harmed because of the outage. However, with no solution in sight, patient care remains uncertain and the long-term financial ramifications of the incident could be extensive.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Unfortunately, once a ransomware attack infects your network, there are usually no get-out-of-jail-free cards. Ransom demands themselves often cost companies hundreds of thousands, whereas restorative services can be even more expensive. Moreover, the opportunity costs associated with interrupting business processes only make matters worse. In this case, patients’ lives could have been put at risk, which is a worst-case scenario for any cybersecurity incident.
Canada – DoorDash
Exploit: Unauthorized database access
DoorDash: Food delivery service
Risk to Small Business: 1.555 = Severe: Hackers infiltrated a DoorDash server, providing them with access to user and driver data. In response, the company is encouraging all users to reset their passwords. Although the breach was discovered in early September, it’s unclear why the company waited nearly a month before notifying users. Now, DoorDash will likely face legal and reputational blowback that will damage its standing in an already competitive market.
Individual Risk: 2.285 = Severe: Hackers accessed personal data for both DoorDash users and drivers, including names, email addresses, delivery addresses, phone numbers, hashed passwords, and the last four digits of payment cards. However, full payment card data was not accessible. In addition, the breach does not include DoorDash users who joined after April 5, 2018. The platform is encouraging all users to reset their passwords and to monitor their financial accounts for unusual activity. Moreover, those impacted by the breach should know that this data can be used to facilitate additional cyberattacks, including phishing scams, that can further compromise personal information.
Customers Impacted: 4,900,000
How it Could Affect Your Customers’ Business: In 2019, companies can’t afford to spare any expense when it comes to protecting their data. With the initial cost of a breach soaring and the long-term damage becoming clearer, the big-picture threat is a tangible reality for every company. Rather than hoping to avoid being caught in the crosshairs by hackers, every business should take steps to identify vulnerabilities and to apply best practice solutions to mitigate the risk of a devastating data breach.
In Other News:
Cyber Insurance Rises 5% in 2019
Despite a significant uptick in cybersecurity lapses, the average cost of cyber insurance only rose by 5% in 2019, according to a recent report.
In some ways, this is good news for companies as cyber insurance has become an important commodity in today’s dangerous digital environment. However, the report also found that the insurance industry is getting more adept at controlling its own losses by imposing high deductibles and offering limited payouts.
For instance, the sub-limit on a $1 million ransomware policy can be as low as $25,000, and deductibles often exceed $10,000.
At the same time, the cost of a data breach is escalating quickly, and insurance payouts aren’t adjusting to this new reality, meaning that, even with insurance reimbursement, companies often incur significant direct losses from a data breach.
Taken together, these findings underscore the importance of a strong defensive posture when it comes to cybersecurity risks, as there are no helpful or affordable options once a data breach occurs.
A Note From Kobargo
Few Employees Receive Cybersecurity Training
The precipitous rise in phishing scams and malware attacks has made employee cybersecurity training a critical component of any cyber defense strategy. However, a recent report by Chubb indicates that many businesses aren’t providing cybersecurity training to their employees.
The report found that only 31% of employees receive cybersecurity training, while 70% of companies claim to have “excellent” or “good” cybersecurity standards.
These claims contradict one another, as disengaged or uninformed employees pose a serious threat to a company’s cybersecurity posture.
As data breaches continue to make headlines and to damage businesses’ bottom lines, it seems that too many organizations are unnecessarily putting themselves at risk. Comprehensive employee awareness training is an affordable way to bolster your defensive posture, and it can make a significant impact on the most pressing threats facing businesses today.