Last week, accidental database access erodes brand reputation, ransomware disrupts operations, and insurers increase their scrutiny of cybersecurity policies.
United States – Edison Mail
Exploit: Coding error
Edison Mail: Email application
Risk to Small Business: 2.171 = Severe
A coding error in Edison Mail’s popular iOS app allowed messages to be viewed by other users. The update was released on Friday, May 15th, and the company claims that it was repaired by the end of the weekend. However, for an app that touts its advanced security features, this oversight undermines one of its primary selling points. What’s more, three days is an eternity in the cybersecurity space, giving bad actors ample time to take advantage of this vulnerability. Users, incensed by the oversight, aggressively criticized the platform on social media, adding a PR component to an already-arduous recovery process.
Individual Risk: 2.602 = Moderate
The app’s flaw only applies to iOS users who downloaded the update on May 15th. Many victims noted that they could read up to 100 emails from accounts that didn’t belong to them, potentially compromising anything in those messages. Those impacted by the breach should carefully monitor their accounts for misuse, and they should consider enrolling in credit and identity monitoring programs to help secure their information if it falls into the wrong hands.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: After years of seemingly endless cybersecurity incidents, many consumers are finally fed up with companies that can’t protect their privacy. As many users commented on social media, this event undermined their trust in the application, which could prompt them to turn to a competitor for a more compelling platform. In this way, cybersecurity can be considered a bottom-line differentiator that can make or break companies in the digital economy.
United States – Home Chef
Exploit: Unauthorized database access
Home Chef: Meal kit & food delivery company
Risk to Small Business: 1.790 = Severe
Hackers obtained a database containing customer data, and sold the information on the Dark Web. The database, which was lifted in a data breach in early May, was available for just $2,500, and it contains the personal data for more than 8 million customers. This incident will further stigmatize Home Chef, which is still grappling with the cybersecurity implications of the previous breach.
Individual Risk: 1.980 = Severe
The database stored customer details, including email addresses, encrypted passwords, partial credit card information, genders, ages, and subscription information. Victims should immediately update their Home Chef account passwords and any other platform credentials using the compromised data. In addition, they should carefully monitor their online accounts for instances of fraud or misuse.
Customers Impacted: 8,000,000
How it Could Affect Your Customers’ Business: Customers’ personal data is a valuable commodity, and there is an army of ready buyers on the Dark Web. In response, every company needs to know when their company or client data is being circulated in this nefarious environment, potentially giving them an opportunity to respond before bad actors can capitalize on its availability.
United States – Wishbone
Exploit: Unauthorized database access
Wishbone: Poll & Comparison App
Risk to Small Business: 1.562 = Severe
A company database was stolen by hackers, who then released the data in full on the Dark Web. The information was captured as part of a cybersecurity incident that occurred in January 2020, and it’s unclear why it took Wishbone more than five months to identify the incident. This is the second cybersecurity incident for the perennially popular company. Now, consumers are much less forgiving. In addition, today’s regulatory environment is significantly more critical of companies’ cybersecurity stance, which could contribute to a multifaceted problem for the platform moving forward.
Individual Risk: 1.670 = Severe
Users’ personal data was exposed in the breach. This includes usernames, email addresses, phone numbers, hashed passwords, and profile pictures. This information is easily obtained on the Dark Web, and everyone impacted should immediately update their account passwords and take steps to secure their personal details. Since this information can quickly be redeployed in a spear phishing campaign, victims need to be especially vigilant about monitoring the veracity of incoming messages.
Customers Impacted: 40,000,000
How it Could Affect Your Customers’ Business: Consumers and data privacy regulators are increasingly critical of companies that fail to protect customer data. Moving forward, it’s evident that data security will be a bottom-line issue for many companies, as they will rely on their defensive capabilities to bolster consumer sentiment and to ward off regulators, both of whom are ready to hold businesses accountable for privacy violations.
United States – Mathway
Exploit: Unauthorized database access
Mathway: Online tutoring and mathematics education platform
Risk to Small Business: 1.807 = Severe
Hackers accessed a company database and made it available for sale on the Dark Web. The breach was first detected by cybersecurity researchers when the platform’s data was available for private purchase. Now, it’s widely available to bad actors for $4,000. The incident is especially untimely, as students and teachers turn to online platforms to supplement learning opportunities while schools operate remotely. It could impact the platform’s ability to capitalize on this prominent moment for ed-tech services.
Individual Risk: 1.780 = Severe
While Mathway is unable to detail specific data sets compromised in the breach, they acknowledged that users’ account credentials were exposed. Consequently, all users should reset their account passwords and continue to monitor their accounts for instances of fraud. As the company provides more specific details, users should continue to adjust their response accordingly.
Customers Impacted: 25,000,000
How it Could Affect Your Customers’ Business: There are millions of account credentials available on the Dark Web, and businesses that are serious about securing their data will put an additional layer of protection between login credentials and IT infrastructure. Taking simple steps, like adding Dark Web monitoring to a company’s cybersecurity plan, can help companies keep their data secure even when passwords are compromised.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Verizon’s 2020 Database Access Breach Investigations Report Narrows Down the Threat Landscape
Cybersecurity is a known threat that can be hard for non-tech folks to understand and can be seen as too broad to truly prioritize. Giving solid, actionable information about the nature and frequency of today’s threats is helpful when illustrating why cybersecurity matters. Verizon’s 2020 Data Breach Investigations Report shows that threats continue to grow and lays out a few facts that make it easier to quantify the importance of strong security, especially when supporting a remote workforce.
More than two-thirds of all data breaches are attributable to just three factors: credential theft, social engineering attacks like phishing scams, and human error.
Insider threats are a constant problem in the breach landscape, and that hasn’t changed. While we usually think of threats as coming from outside an organization, malicious insider threats are incredibly devastating and need to be a major concern.
The listed attack methodologies comprise the most likely vulnerabilities, allowing businesses to respond with more pinpoint precision. Cybersecurity tools are becoming more effective at blocking common malware strains, with human error overtaking malware this time. Some of it still gets through, though especially as part of a phishing attack.
The threat of phishing attacks has never been higher, making updated training and testing essential. Although technology has become more successful at filtering phishing scams, many continue to make their way to employees’ inboxes, which is why the report called for businesses to implement security awareness training programs to combat these attacks. BullPhish ID contains phishing training materials in 8 languages including COVID-19 phishing kits.
While today’s threat landscape is ominous and expansive, Verizon’s latest report makes it clear that businesses can make significant improvements to their defensive posture by prioritizing the most prescient risks in a comprehensive digital risk protection strategy.
A Note From Kobargo
Cyber Insurers Increase Scrutiny of COVID-19 Claims As the Pandemic Increases Their Submission
Businesses hoping to rely on cybersecurity insurance coverage to offset the cost of a database access breach may have a more difficult time recouping their losses. According to reporting by The Wall Street Journal, insurers are becoming increasingly critical of cybersecurity-related claims. Specifically, companies are adding questions to surveys used to calculate premiums and assess damages.
In some ways, this change is the result of a rapid shift to remote work. As we’ve covered extensively, remote work comes with many cybersecurity risks, and insurers are hedging their bets, assuming that they could incur an influx of claims as companies fail to grapple with the ramifications of remote work. For businesses, this is a reminder that they shouldn’t rely on cyber insurance to bail them out if they have a cybersecurity incident. Instead, they should invest in the tools that can prevent a cybersecurity incident in the first place.