Last week, phishing scams compromise patient data, a music service gets notified by the media of their hacked database, and more than half of organizations acknowledge that they are not ready for a cyberattack.
United States – McLaren Health Plan
Exploit: Phishing scam
McLaren Health Plan: Health maintenance organization
Risk to Small Business: 1.666 = Severe: A successful phishing attack on one of the company’s third-party vendors compromised patient data at McLaren Health Plan. The hackers used a compromised email account to send spam emails, putting patient data at risk. The exposure will inevitably lead to reputational damage, and the sensitive nature of the information breached will invite scrutiny from healthcare regulators along with the prospect of financial penalties.
Individual Risk: 2.571 = Moderate: The breach exposed patients’ personally identifiable information, including names, dates of birth, identification numbers, health plan information, providers, diagnosis, drug information, and authorization information. Notably, this information has been available since October, so those impacted by the breach should quickly examine their accounts for unusual activity and take precautions to ensure that their personal information remains secure.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Third-party partnerships represent an opportunity to expand your company’s capabilities but can also manifest themselves as cybersecurity risks. Given the increasingly onerous consequences of a data breach, cybersecurity standards should be a top consideration when establishing such relationships. Better product or service offerings can be a boon, but not if they come at the expense of data security.
United States – On The Border
Exploit: Malware attack
On The Border: Casual restaurant chain
Risk to Small Business: 1.888 = Severe: Hackers installed malware on the restaurant’s payment processing platform, which provided access to customers’ payment information from locations across 27 states. The attack occurred between April 10th and August 10th, and it did not include franchised restaurants or catering orders. Unfortunately, the breach wasn’t discovered until November 14th, giving hackers ample time to misuse customers’ personal information and financial data. Moreover, it’s unclear why the company waited several weeks to notify customers of the breach, a misstep that will certainly slow the recovery process.
Individual Risk: 2.571 = Moderate: Customers at certain restaurant locations had their personal and financial information stolen, including their names, credit card numbers, credit card expiration dates, and security codes printed on the back of the cards. This information not only has a ready market on the Dark Web, but it can be used directly by hackers to commit financial crimes. Therefore, those impacted by the breach should immediately notify their financial institutions and enroll in identity and credit monitoring services to ensure that their information isn’t misused now or in the future.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Recovering from a data breach is a challenging process, as companies are tasked with demonstrating their data security improvements while also wooing back customers that inevitably abandon them after a breach. While the best option is to prevent a data security incident from occurring in the first place, companies can expedite the recovery process by supporting their customers at every turn. In this case, understanding what happened to payment data after it was stolen can go a long way toward mitigating the damage and restoring customer confidence.
United Kingdom – Mixcloud
Exploit: Exposed database
Mixcloud: Audio streaming platform
Risk to Small Business: 1.777 = Severe: The music streaming platform failed to secure a database containing customer data, and that information was quickly shared on the Dark Web. Embarrassingly, the company was notified of the error by the media who were contacted by the hackers who stole the information in early November. Now, Mixcloud has to contend with a deluge of public criticism as well as a cadre of angry customers who are upset that their personal information is available for purchase on the Dark Web.
Individual Risk: 2.714 = Moderate: The stolen data includes usernames, email addresses, and encrypted passwords. In addition, the breach included sign-in data, including IP addresses and links to profile photos. This information can be used in identity crimes or to execute other cybercrimes, such as phishing scams. Those impacted by the breach should be especially critical of unusual digital correspondence while monitoring their accounts for unusual or suspicious activity.
Customers Impacted: 20,000,000
How it Could Affect Your Customers’ Business: The cost of a data breach is enormous, and it’s continually climbing. Given that reality, an unforced error, like an exposed database, is an especially egregious way to diminish your business prospects. Indeed, companies that don’t adequately account for their data security will face harsh technical, consumer, and regulatory costs now and in the years ahead.
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
More Than Half of All Organizations Admit They Aren’t Ready for Cyberattack
Data security incidents continue to make headlines every week. Even so, a recent survey found that most organizations still aren’t prepared for the veritable inevitability of a data breach.
Indeed, more than 800 CISOs from three continents expressed similar sentiments about their data security standards. Notably, 51% do not believe that they are ready to respond to a data breach, while nearly a third have untested response plans in place.
Meanwhile, the vast majority believe that the cybersecurity landscape will worsen or stay the same in the year ahead. Perhaps that’s why 76% plan to increase their cybersecurity budgets in 2020. When establishing their priorities, CISOs identified security software and employee awareness training as their top priority. As it stands, too many companies aren’t responding to the real and escalating threat of a data loss event.
A Note From Kobargo
60% of Digital Businesses Will Suffer Service Interruption by 2020
For many businesses, an online presence is a vital part of their competitive strategy. Unfortunately, it’s also creating their most prescient vulnerability. According to a recent study by Gartner, by next year, more than half of all digital businesses will incur one or more cyber threats that will significantly disrupt their business.
The report notes that cybercriminals are aware of the increasingly critical and valuable data sets that companies are bringing online, and they are targeting that information to turn a profit. It also found that products for perpetuating cybercrime such as pre-packaged ransomware and phishing capabilities have never been more prevalent, with an underground marketplace fueled by the Dark Web.
In response, companies with a digital agenda have a responsibility to audit their defensive posture, ensuring that they are prepared to meet the moment by identifying and addressing the latest cyber trends. Notably, most cyber threats can be addressed in-house by ensuring that employees are able to identify risks and implement best practices, like strong unique passwords, and two-factor authentication across all their accounts.