Last week, ransomware costs companies on multiple fronts, phishing scams have extensive data security consequences, and companies fail to adequately evaluate their third-party data sharing standards.
United States – DeBella’s Subs
Exploit: Malware attack
DeBella’s Subs: Rochester-based restaurant chain
Risk to Small Business: 2 = Severe: Credential stealing malware was discovered in the restaurant chain’s information systems almost a year after the initial incident. However, the company acknowledged that the breach investigation was completed well before the company notified the public, a misstep that will undoubtedly mar the recovery process. The company is taking steps to ensure that this type of attack won’t be successful in the future, but that won’t help the hundreds of thousands impacted by this data breach.
Individual Risk: 2.428 = Severe: Customers’ personal and financial data may have been compromised in the breach. This includes names, payment card numbers, expiration dates, and CVV numbers. The breach is limited to customers in Connecticut, Indiana, Michigan, Ohio, New York, and Pennsylvania between March 22, 2018, and December 28, 2018. Although the damage resulting from the data exposure may already be inflicted, those impacted should still take necessary precautions such as contacting their financial institutions and reviewing card histories to check for unauthorized charges.
Customers Impacted: 305,000
How it Could Affect Your Customers’ Business: Reputation management and restoration is a critical component of an effective data breach response plan. Although it’s more difficult to quantify than direct financial losses, the reputational damage can be extremely problematic for any company and even place their ability to recover in jeopardy. Instead, providing timely communications and a comprehensive overview of what happens to customer data after it’s stolen can help companies demonstrate that they are serious about data security, helping restore customer confidence along the way.
United States – Magellan Rx Management
Exploit: Phishing scam
Magellan Rx Management: Full-service pharmacy benefit manager
Risk to Small Business: 1.777 = Severe: An employee fell for a phishing scam that provided hackers with access to his account, which contained health plan member data. The breach occurred back on May 28th, and it wasn’t identified until July 5th. However, it’s unclear why the company waited until November before disclosing the breach to the public. Officials haven’t found any evidence that the data was misused, but the lengthy response time makes it more difficult for those impacted by the breach to secure their information before it’s used for nefarious purposes.
Individual Risk: 2 = Severe: The breach included member information, including names, dates of birth, health plan member ID numbers, health plan names, providers, diagnoses, and other healthcare-related information. This information is often used to facilitate additional cybercrimes like spear-phishing attacks, so those impacted by the breach should be critical of digital communications, especially those requesting personal information.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Despite advanced security practices and other defensive efforts, phishing scams will inevitably make their way into employees’ inboxes. Fortunately, such messages can be rendered harmless, unless they are acted upon by an employee. Every business can enhance its defensive posture by providing comprehensive awareness training to keep employees abreast of the latest threats and the best practices for protecting company data.
Netherlands – Vistaprint
Exploit: Exposed database
Vistaprint: Small business marketing product provider
Risk to Small Business: 1.888 = Severe: Vistaprint left an unencrypted database exposed, allowing anyone to access information related to customer service calls, chats, and emails. After the company was publicly alerted to the oversight on Twitter, they brought the database offline. The database has been exposed since November 5th, giving cybercriminals extensive access to sensitive customer data. At the very least, the episode was embarrassing for Vistaprint, which was exposed in a public forum and forced to issue a public notification of their poor data management standards. This hard-to-quantify reputational damage can be an impediment to businesses operating in competitive, digital spaces where customers are increasingly unwilling to do business with companies that can’t protect their data.
Individual Risk: 2.285 = Severe: In addition to information related to users’ customer service interactions, the data breach compromised personally identifiable information, including names, email addresses, phone numbers. The company can’t guarantee that this information wasn’t accessed by bad actors. Since personally, identifiable information has a robust market on the Dark Web, those impacted by the breach should closely monitor their online accounts for suspicious activity, and some users may want to enroll in identity monitoring services.
Customers Impacted: 51,000
How it Could Affect Your Customers’ Business: Today’s customers are increasingly unwilling to do business with companies that can’t protect their personal data. That reality makes an unforced error, like an exposed database, especially egregious. In today’s tech-centered business environment, expansion and advanced features can’t be implemented at the expense of data security, a reality that privacy regulators and ordinary consumers are ready to enforce.
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Australian Companies Have Dangerous Data Sharing Practices
Third-party partnerships have become a normative, even necessary, component of doing business in 2019. Unfortunately, for many companies, these potentially beneficial relationships are often a liability when it comes to data security. According to a recent study by Security in Depth, 84% of Australian companies had not completed a formal review of their data-sharing practices with third-party partnerships, a staggering amount of negligence in today’s digital environment.
For instance, nearly 60% of those surveyed acknowledged that they had experienced a third-party data breach in the past 12 months, a 3% increase from the previous year. These figures reveal a growing chasm between the known threat landscape and the steps that companies are willing to take to protect their valuable company and customer data.
Indeed, today’s threat landscape is expansive, but companies can mitigate many of the most prescient threats by partnering with MSPs that can offer best practices for securing third-party vulnerabilities. As the cost of a data breach quickly escalates, business leaders have millions of reasons to focus on cybersecurity as a business priority.
A Note From Kobargo
Netherlands Warns of Global Ransomware Attacks
As this week’s newsletter reveals, ransomware attacks are impacting businesses of every size in every sector. This malware, which restricts access to a company’s IT infrastructure, is often totally debilitating, resulting in opportunity and productivity costs that accompany the already high price associated with ransomware recovery.
Now a report from the National Cyber Security Center in the Netherlands is shedding some light on just how expansive this malady really is. The report found that 1,800 companies around the world are currently impacted by ransomware, a staggering number that officials believe underrepresents the real sum since many ransomware incidents go unreported.
What’s more, the report found that cybercriminals often rely on a single network intruder to plant the malware. These credentials can cost as much as $20,000 on the Dark Web, but they are readily available, and businesses need to know if their information is available on underground marketplaces to protect their IT from infiltration. Ransomware attacks have proven to be a low-risk, high-reward endeavor for many cybercriminals, which means that these attacks are unlikely to abate any time soon. Instead, SMBs should turn their attention towards maintaining a robust defensive posture capable of ensuring that their company name isn’t added to the growing list of companies impacted by ransomware.