Last week, a third party compromises user data, hackers attack digital points of sale, and SMBs struggle to hire top cybersecurity talent.
United States – Web.com
Exploit: Unauthorized database access
Web.com: Domain name registration and web services provider
Risk to Small Business: 2.111 = Severe: An unauthorized third party accessed Web.com’s network, which compromised their customers’ personally identifiable information. The intrusion took place in August 2019, but IT personnel were not able to identify the breach until October 16th. Data breach notifications went out this week, but the significant detection delay will certainly compound the damage for both the company and its customers.
Individual Risk: 2.285 = Severe: The breach compromised names, addresses, phone numbers, email addresses, and service information. Security experts believe that the breach extends beyond Web.com and includes users of Network Solutions and Register.com. This information often makes its way to the Dark Web where it can be repurposed for additional cyber-attacks or identity fraud. Anyone impacted by the breach should scrutinize their online communications, as hackers will use compromised data to orchestrate spear phishing attacks
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Survey after survey reveals that customers are increasingly wary of doing business with companies that can’t protect their personal information. This reality is only exacerbated when companies are slow to detect or respond to security incidents.
As a result, data security and response protocols are an integral part of doing business. In 2019, cybersecurity isn’t just for the IT department to consider. It needs to be a top-down priority that impacts every facet of the company.
United States – sPower
Exploit: Cyber-attack
sPower: Renewable energy provider
Risk to Small Business: 1.444 = Extreme: sPower was the victim of a cyber-attack that brought down its services and disconnected its hardware from the electrical grid. Although the attack occurred in April, the details are emerging as part of a Freedom of Information Act filing by reporters covering the energy sector. Hackers were able to leverage a vulnerability in the company’s firewall that allows outside entities to access their network. The event could significantly harm the company’s reputation within the energy industry, impacting its ability to land future contracts and compete with other companies.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Reputation management can mean the difference between earning the next contract and losing out to a competitor. In that regard, ensuring that your organization’s most prescient threats are accounted for can help avoid the bad press and brand erosion that follow in the wake of a cyberattack. While every industry’s threats are unique, every consumer or collaborator wants the same thing: sufficient cybersecurity to meet the moment.
United States – City of San Marcos
Exploit: Cyber-attack
City of San Marcos: Local government municipality
Risk to Small Business: 1.666 = Severe: Hackers accessed the city’s computer systems and restricted access to significant portions of their IT infrastructure. The attack, which began on October 24th, brought down email accounts and other communication services. As a result, messages sent to city employees were not delivered, though government facilities remain open. Recovering from the attack is proving especially difficult, as the services are still restricted for more than a week after the initial event. To prevent further attacks, employees are being asked to change their passwords and enable two-factor authentication on their accounts.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Many cybersecurity vulnerabilities can be mitigated by adopting adequate preventative measures. For instance, using strong, unique passwords and two-factor authentication can prevent hackers from using stolen credentials to access accounts and dig deeper into your company’s IT environment. As the costs associated with breach continue to pile up, the ROI on implementing cybersecurity defense becomes easily apparent.
Italy – UniCredit
Exploit: Exposed database
UniCredit: Banking and financial services company
Risk to Small Business: 1.555 = Severe: UniCredit recently discovered an exposed database containing personal information for millions of the company’s customers. Shockingly enough, the database had been accessible since 2015. This is the company’s third data breach in recent years, and it sent their share price down by 4%. The bank is spending a significant amount of money to update its IT infrastructure to prevent such an event in the future, but that is unlikely to alleviate the reputational damage and regulatory repercussions heading their way.
Individual Risk: 2.428 = Severe: The exposed database contains email addresses and phone numbers for the banks’ clients. Hackers did not have access to login credentials, but that doesn’t mean that those impacted by the breach are out of the woods. Personal details can be used to facilitate additional cybercrimes that can compromise even more sensitive information.
Customers Impacted: 3,000,000
How it Could Affect Your Customers’ Business: The path to restoring customer confidence after a data breach is one that is not well-charted. However, companies are testing their customers’ limits when they endure multiple cybersecurity incidents. Each episode forces businesses to restart the restoration process. Knowing what happens to exposed or stolen customer data is the first step to a swift response that can revive customer confidence.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Small Businesses Struggle to Acquire Top Cybersecurity Talent
Few institutions are at more risk of a cyber-attack than SMBs. Unfortunately, these same companies are struggling to compete with major corporations for the IT and cybersecurity talent that can keep their infrastructure and data security.
In general, this trend reveals a growing chasm between escalating cybersecurity threats and the availability of affordable, qualified professionals who can defend against them. In Canada alone, it’s estimated that organizations will need to fill 3,600 cybersecurity positions alone, meaning that the market forces of supply and demand are inextricably working against SMBs with more modest budgets.
Moreover, today’s cybercrimes are becoming increasingly sophisticated and exponentially more expensive. For instance, credential stuffing and ransomware attacks often require specialized personnel to adequately defend against these threats.
However, SMBs don’t have to bring all of this talent under their own roof. Instead, they can partner with qualified cybersecurity specialists (Like us!) to augment their capabilities and ensure their data security in a dangerous digital environment.
A Note From Kobargo.
Data Breaches Are Pushing SMBs Into Bankruptcy
A recent survey by Zogby Analytics confirmed what many people already knew: data breaches are wreaking havoc on SMBs. In particular, the financial implications of a data breach are overwhelming their capacity and forcing them to take drastic action.
The survey, which questioned more than 1,000 small business leaders, found that 37% of SMBs that experienced a data breach suffered financial loss and 25% filed for bankruptcy. Ultimately, 10% of SMBs went out of business following a data breach.
At the same time, leaders understand the threat. 88% of respondents indicated that their company was “somewhat likely” to experience a data breach, while nearly half believe that they are “very likely” to be the victim of a data loss event. As today’s world continues to grow increasingly aware of the costs and prevalence of data breaches, the responsibility for leaders to defend against them has never been greater.
Contact Kobargo Technology Partners to schedule a free consultation today!
Last week, ransomware takes business infrastructure offline, spear-phishing campaign costs local government thousands, and executives continue to ignore spooky cybersecurity risks.
United States – Billtrust
Exploit: Ransomware attack
Billtrust: B2B billing service provider
Risk to Small Business: 2.333 = Severe: A ransomware attack crippled Billtrust’s customer-facing systems, forcing them to bring all infrastructure offline to stop the malware’s spread. The company discovered the attack on October 17th, and it’s taken nearly a week just to begin recovery efforts. Fortunately, Billtrust maintained backups that were unaffected by the attack, which made it possible to avoid paying the ransom demand. Nevertheless, the lost revenue, reputational damage, and recovery expenses will definitely chip away at the company’s bottom line.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Whether in the form of ransomware payments to regain access to their networks or interrupted processes due to downed servers, the costs associated with ransomware can quickly escalate. With such attack vectors on the rise, businesses must take responsibility and protect their valuable IT infrastructure.
United States – Kalispell Regional Healthcare
Exploit: Phishing attack
Kalispell Regional Healthcare: Family healthcare provider
Risk to Small Business: 1.555 = Severe: Several employees fell for a phishing campaign that compromised their login credentials and patients’ personally identifiable information. Hackers accessed the data between May 24, 2019, and August 28, 2019. As a result, the company will bear the cost of identity and credit monitoring services for all victims, and they will face intense regulatory scrutiny. Brand reputation is also jeopardized, as the hospital was formerly recognized as a highly-ranked healthcare provider for their cybersecurity practices.
Individual Risk: 2 = Severe: Personally identifiable information that may have been compromised includes their names, Social Security numbers, addresses, medical record numbers, dates of birth, phone numbers, email addresses, and medical history. The healthcare provider is offering victims a year of free credit and identity monitoring services, and those impacted by the breach should enroll in these programs. Cybercriminals can use the data to facilitate additional attacks, so they should carefully scrutinize unusual or unexpected messages or account activity.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Before the breach, Kalispell Regional Healthcare was acknowledged for its distinguished data security readiness standards. Unfortunately, the lack of employee awareness training led to a phishing scam that made the entire network vulnerable. In today’s digital landscape, comprehensive phishing scam awareness training should be a routine requirement for any employee with an email address.
United States – Ocala City
Exploit: Spear phishing attack
Ocala City: Local municipality
Risk to Small Business: 1.666 = Severe: A spear-phishing attack convinced an Ocala City employee to transfer $640,000 to a fraudulent bank account. The account still had $110,000 left when the city identified the scam, but cybercriminals still walked away with over $500,000. To trick the employee, cybercriminals sent an email purportedly from one of the city’s construction contractors and requested payment to a bank account that did not belong to the contractor. While the email and bank account were fraudulent, the invoice was legitimate, which made this incident especially difficult to detect.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Spear phishing attacks are highly targeted and can be difficult for employees to identify. However, as more data becomes available to bad actors, businesses need to plan for this reality, training employees to spot small differences that often reveal a threat. Ocala City tells a cautionary tale that failing to adjust to today’s threats can be an expensive mistake.
New Zealand – Competitive Pest Services
Exploit: Insider data theft
Competitive Pest Services: Pest control service
Risk to Small Business: 2.222 = Severe: Before leaving the company, a former employee downloaded customer data and shared it with his new employer. The information was then used to solicit business from Competitive Pest Services’ customers. In response, the company has updated its data security software to restrict access to sensitive company data and notify IT admins when information is downloaded. Unfortunately, reactive responses cannot secure customer data, and it likely won’t help restore consumers’ confidence in their data management practices.
Individual Risk: 2.142 = Severe: Personally identifiable information was limited to customer names, addresses, and phone numbers. However, this is more than enough information to perpetuate additional cyberattacks that could compromise even more sensitive data. Therefore, those impacted by the breach should carefully monitor their identity information, and they may want to consider enrolling in identity monitoring software to provide long-term oversight of their information.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Taking proactive measures to protect your customers’ data is the best way to protect against a breach. This requires that companies remain up-to-date on the most prescient threats and take steps to mitigate their exposure before a data loss event takes place. Too many companies choose to update their protocols after a breach, a step that won’t repair the damage that’s already been done.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Australian CEOs Fail to Appreciate Cyberthreats
Today, data breaches are top-of-mind for companies and consumers alike; however, those concerns appear don’t appear to have made it all the way to the C-suite.
According to a recent survey of Australian executives, those in leadership positions significantly overestimate their company’s cybersecurity capabilities, exposing a serious disconnect between decision-makers and those charged with securing a company’s data.
For example, 63% of CISOs surveyed said that their company experienced a data breach in the past 12 months, but only 6% of CEOs shared this viewpoint. Similarly, 44% of CEOs thought that their company was prepared to respond to a cyberthreat, while only 26% of CISO’s were confident in this assertion.
This disparity doesn’t just relate to technological capabilities. 69% of CISOs view cybersecurity as an integral part of their business plan and only 27% of CEOs saw it as a bottom-line issue.
Other surveys have shown that cybersecurity professionals are quickly becoming overwhelmed by their jobs, and many are considering leaving the field altogether. Without support from top-level executives, this problem will only get worse, which means that data security will become more problematic.
A Note From Kobargo.
Consumers Will Stop Engaging with Brands Online After Data Breach
After years of high-profile data breaches, consumers are fed up with companies that can’t protect their data, and they are increasingly willing to cut off brands that fail in this regard.
In a recent survey by Business Wire, nearly 50% of respondents are more concerned about data security then they were a year ago. Notably, 81% indicated that they would stop engaging with brands online after a data breach, and 63% of consumers believe that the company is always responsible for data security.
These findings place a significant burden on companies to evaluate their cybersecurity posture. In today’s digital landscape, failing to protect customer data won’t just be inconvenient. It could be the beginning of the end for many businesses.
Rather than leaving it to chance, get the support that you need to ensure that your company is ready to address consumer demands as the costs of failing to meet the moment is incredibly steep.
Contact Kobargo Technology Partners to schedule a free consultation today!
Last week, ransomware will cost companies critical revenue, repeat offenders put customer loyalty at risk, and businesses fail to account for the risks of compromised employee credentials.
United States – Alphabroder
Exploit: Ransomware attack
Alphabroder: Promotional product supplier
Risk to Small Business: 1.555 = Severe: A ransomware attack temporarily halted Alphabroder’s processing and shipping platform. Since the ransomware prevented the company from executing orders, Alphabroder was forced to make a statement on social media and interrupt most business processes. Alphabroder did subscribe to cybersecurity insurance to help offset the costs, but the reputational damage and long-term infrastructure costs can be difficult to quantify and are capable of significantly dampening the company’s financial prospects in the near term.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Cybercriminals are always looking for new ways to profit from businesses’ IT vulnerabilities. Unfortunately, these bad actors only have to execute their strategy once to inflict incredible long-term damage to a company. This complicated threat landscape makes it especially important that businesses regularly assess their cybersecurity stance to ensure that they are ready to defend whatever comes their way.
United States – Stripe
Exploit: Phishing attack
Stripe: Online payment processing company
Risk to Small Business: 1.888 = Severe: Hackers are deploying fake and invalid Stripe support alerts to engage customers and procure user credentials. After clicking on the fictitious support alert, users are prompted to enter their bank account information and user credentials on a fake customer login page. This isn’t the first time that Stripe customers have been targeted in phishing attacks, and such attacks are becoming increasingly sophisticated and prevalent.
Individual Risk: 2.428 = Severe: Given that Stripe is an online financial platform, users can easily be tricked into providing their most sensitive personal data to cybercriminals. It’s unclear if any Stripe customers have fallen for this phishing scam, but any users who responded to one of these malicious messages had their personal data compromised. They should immediately report this to Stripe and their other financial institutions, and they should take steps to ensure their data’s long-term integrity.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Cybersecurity has taken center stage among customers and employees, and both are demonstrating an unwillingness to work with companies that can’t protect their information. Especially for companies operating in a crowded and competitive market, top-shelf cybersecurity standards are a prerequisite to a thriving business model
United States – Pitney Bowes Inc.
Exploit: Malware attack
Pitney Bowes Inc.: Mail management company
Risk to Small Business: 2.111 = Severe: A malware attack prevented Pitney Bowes’ employees and customers from accessing critical services. The company, which specializes in mail management, lost business directly as a result of the attack. Customers were unable to refill postage or upload transactions on their mailing machines. In addition, news of the announcement sent the company’s shares down 4%, which underscores the many ways that a cybersecurity incident can negatively impact a company’s bottom line.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Regardless of the attack methodology, cybersecurity events are incredibly costly for companies. In this case, Pitney Bowes was punished by investors, lost revenue opportunities, and endured reputational damage that will have long-term implications for the company. Given the high cost of recovery, pursuing robust cybersecurity services is a bargain.
United Kingdom – Sonic Jobs
Exploit: Exposed database
Sonic Jobs: Job recruitment website
Risk to Small Business: 2.111= Severe: An exposed database revealed the personal information of thousands of job seekers. Sonic Jobs, which partnered with Amazon Web Services for its database, failed to change the database configuration to private, meaning that all users could view the details of job applicants and anyone who knew the locations of the servers could have downloaded the information.
Individual Risk: 2= Severe: The exposed data was provided by job seekers, and it includes their names, addresses, contact information, and work experience. This information can quickly be sold on the Dark Web, where it can be used to facilitate other cybercrimes including phishing and identity scams. To protect themselves, anyone impacted by the breach should enroll in identity monitoring services while also being especially critical of unusual or unexpected communications.
Customers Impacted: 29,202
How it Could Affect Your Customers’ Business: In its response, Sonic Jobs cited its limited resources as one reason that the database’s configuration went undetected. Unfortunately for the company, consumers and global regulators don’t look at this metric when deciding how to respond to a data breach. Given the enormous financial and reputational costs of a data breach, acquiring the services to assess and secure your cybersecurity landscape is a no brainer.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Canadian Companies Victimized by Uptick in Ransomware
2019 has seen a precipitous increase in the number of ransomware attacks reaching SMBs, government agencies, and educational institutions. These attacks, which consist of encrypting a company’s files and then demanding a ransom payment, are becoming especially common among institutions that lack the resources to continually defend against the devastating attack vector.
Now, that reality is hitting Canadian businesses especially hard, a noteworthy development for a country that has often managed to avoid being victimized by such threats.
According to a recent survey, 88% of Canadian organizations experienced some type of data breach in the past year, and 82% noted an increased attack volume during that period. However, in that survey, ransomware only accounted for 14% of these breaches. Since then, a string of Canadian healthcare companies, small businesses, and government organizations have been targeted. Some are speculating that the malware’s success in other countries, including the U.S., has encouraged cyber criminals to broaden their horizons.
Regardless of the intention, with ransomware widely available for lease on the Dark Web, businesses shouldn’t expect these attacks to abate any time soon. Rather, they should continually review and update their cybersecurity posture to ensure that their infrastructure is capable of defending against the latest ransomware strains.
A Note From Kobargo.
Businesses Underestimate the Threat of Stolen Employee Data
While every business is busy finding ways to protect their customers’ data, a recent survey found that many are not paying attention to the threat posed by stolen employee data. Only 11% of respondents reported believing that compromised employee credentials like usernames and passwords pose a high risk.
However, the reality is that years of extensive data breaches have resulted in employee information being readily available on the Dark Web. Even more, hackers are leveraging tactics like credential stuffing attacks to access company networks undetected.
By failing to account for the entire threat landscape, businesses are opening themselves up to additional data exposure vulnerabilities that involve customer information.
Fortunately, companies can be proactive about identifying compromised credentials. Dark Web monitoring services alert businesses when their employee information is available for sale, providing them the opportunity to safeguard information before it is used against them.
Contact Kobargo Technology Partners to schedule a free consultation today!
Last week, phishing attacks expose protected health information, hackers hijack a shoe company’s email list, patients are upset about healthcare data breaches, and Twitter comes under fire for data misuse.
United States – UAB Medicine
Exploit: Phishing attack
UAB Medicine: Academic medical center based in Birmingham, Alabama
Risk to Small Business: 1.666 = Severe: A phishing attack tricked several employees into providing their email credentials to hackers, which subsequently exposed the protected health information for thousands of patients. The email purported to originate from a hospital executive, asking employees to participate in a fake business survey. Executives believe that hackers were trying to access the healthcare provider’s payroll system, but they were prevented from reaching this information. Regardless, the August 7th breach will have a significant impact on the patients whose data was compromised and on UAB Medicine, as they will bear the cost of credit monitoring and identity theft protection services as well as the increased regulatory scrutiny because of the nature of the information involved.
Individual Risk: 2.571 = Moderate: Hackers had access to patients’ protected health information, including names, medical record numbers, dates of birth, dates of service, location of service, and other medical-related information. Some patients also had their Social Security numbers compromised. UAB Medicine is encouraging anyone impacted by the breach to closely monitor their accounts and benefit statements for fraudulent activity. In addition, they should enroll in the year of free credit and identity monitoring services provided by UAB Medicine.
Customers Impacted: 19,557
How it Could Affect Your Customers’ Business: Despite your best efforts, phishing attacks will likely make their way into your employees’ inboxes at some point. Fortunately, comprehensive awareness training can empower employees to sidestep ongoing efforts at gaining access to your network and compromising your data. Given the growing costs associated with a data breach, the ROI on cybersecurity best practices is remarkably clear and should be required for every employee with an email account.
United States – TOMS
Exploit: Unauthorized database access
TOMS: Designer and producer of shoes, eyewear, coffee, apparel, and handbags
Risk to Small Business: 2.333 = Severe: In an unusual cybersecurity incident, a hacker hijacked the mailing list for TOMS and sent a message encouraging customers to log off their devices and enjoy the outdoors. The message was not malicious in nature, but the hacker admitted that he accessed the platform for a significant time period before sending the email. The hacker also ridiculed bad actors, describing their actions in obscene language sent to TOMS customers. Fortunately, the hacker didn’t disrupt any other elements of TOMS’ IT infrastructure, but his actions highlight the company’s weak cybersecurity standards, which could negatively impact the company on many fronts.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: When it comes to protecting customer data, speed and precision are your best friends. Unfortunately, too many companies don’t have the IT capabilities to identify a data breach or to adequately investigate an event after it happens. As a result, customer data can virtually linger indefinitely before protective action can be taken, such as changing passwords or otherwise ensuring data integrity. This incident serves as an important reminder that every business needs to enlist in services that help proactively monitor and protect customer data.
United States – Methodist Hospitals
Exploit: Phishing attack
Methodist Hospitals: Community-based healthcare system located in Gary, Indiana
Risk to Small Business: 1.222 = Extreme: A successful phishing attack against two employees compromised the private health data for thousands of patients. The incident occurred in June, but the healthcare provider didn’t finish investigating the breach until August. It’s unclear why the company waited two months before making the breach public. Regardless, Methodist Hospitals will face intense regulatory scrutiny due to the nature of the information involved.
Individual Risk: 2.142 = Severe: The compromised data was accessed on June 12th or between July 1st and July 8th. It included patient names, addresses, health insurance information, Social Security numbers, government ID information, passport numbers, financial account numbers, payment card information, electronic signatures, usernames, and passwords. This incredibly expansive data set has a great value on the Dark Web, as it can be used to perpetuate additional cybercrimes. Therefore, those impacted by the breach should take every precaution to protect their data, including contacting their financial institutions and enrolling in credit and identity monitoring services.
Customers Impacted: 68,039
How it Could Affect Your Customers’ Business: Today’s digital landscape is replete with threats, but companies are not defenseless. Phishing scams require employees to actively compromise their credentials, and comprehensive awareness training can equip team members to identify and report fraudulent communications, effectively rendering them useless and creating a safe environment for your customers’ data.
Canada – TransUnion
Exploit: Unauthorized database access
TransUnion: Consumer credit reporting agency
Risk to Small Business: 2.111 = Severe: Using compromised user credentials, hackers accessed the personal information of Canadian TransUnion customers. The breach, which occurred between June 2019 and July 2019 and detected in August, shines a spotlight on the company’s delayed breach response and notification process. Although the company’s IT infrastructure wasn’t at fault, their inability to account for a holistic vulnerability that allowed hackers using stolen credentials to access their customers’ information, will bring negative media scrutiny and public attention to the company.
Individual Risk: 2.857 = Moderate: TransUnion did not release a specific overview of the compromised data; however, the sensitive nature of their business means that personally identifiable information was likely included in the event. Notably, the company acknowledged that credit report data was exposed in the breach. This can include individuals’ names, dates of birth, current and former addresses, information on existing card and loan obligations, social insurance numbers, and other sensitive data.
Customers Impacted: 37,000
How it Could Affect Your Customers’ Business: The deluge of data breaches in the past several years have made login credentials widely available to bad actors. Therefore, today’s companies should be proactive about identifying compromised credentials and taking intentional steps to limit accessibility using this information.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Twitter Uses Two-Factor Data for Targeted Advertising
Implementing cybersecurity best practices is critical for today’s companies, especially in regard to securing infrastructure throughout an increasingly complicated threat environment. Unfortunately, in many cases, organizations rely on their customers to adopt these priorities in order to effectively protect their data.
These protocols include initiatives such as using strong, unique passwords to secure accounts and implementing two-factor authentication to further secure this information. Of course, companies undermine user adoption when they use that information to serve up targeted advertising.
This week, Twitter acknowledged that it used the phone number and email address data from its two-factor authentication protocol to developing targeted advertisements. The information was used by the company’s tailored audiences program that allows companies to create targeted advertisements by matching their own marketing lists with Twitter user data. The company resolved the issue on September 17th, but it’s unclear how long companies benefit from this security-centered information.
More importantly, this misuse of personal data might discourage users from adopting these security protocols in the future, a decision that would put both parties at risk for a data breach.
A Note From Kobargo.
20,000 E-commerce Sites Could Be Compromised by Magecart
Providing an online shopping experience is increasingly critical for SMBs looking to stay ahead of the competition. Unfortunately, malware attacks are infecting the checkout page of many stores, compromising customer payment data and undermining companies’ efforts to attract business through their websites.
This reality became even more prescient this week when the notorious Magecart malware-infected Volusion, a cloud hosting platform for online stores. Already, more than 6,500 stores have been compromised, and Volusion boasts a customer base of more than 20,000 companies, so the number of infected web stores might continue to grow.
Most prominently, Volusion hosts the Sesame Street Live online store, which was brought offline after the attack was revealed.
Now thousands of companies will be left grappling with the consequences of lost sales both now and in the future. Notably, this underscores the importance of understanding the specific cyber threat landscape that most prominently impacts your business. If necessary, get third-party support from cybersecurity experts to adequately identify your risks and to establish best practice responses that ensure that your business benefits because of your IT environment.
Contact Kobargo Technology Partners to schedule a free consultation today!
Last week, hackers make a sport of exploiting online gamers’ data, unauthorized database breach affect software firm, and business leaders lament today’s data landscape.
United States – Zynga
Exploit: Unauthorized database access
Zynga: Social game development company
Risk to Small Business: 2 = Severe: Hackers gained access to the company’s database, which exposed the personally identifiable information (PII) for millions of customers. The company discovered the breach in September, and they responded by hiring an external investigator to determine the scope and severity of the breach. Unfortunately, by the time they responded, hackers uploaded user data to various hacker forums.
Individual Risk: 2.428 = Severe: The data breach applies to all users of the platform’s popular Words with Friends gaming app on Android and iOS who registered on or before September 2, 2019. In addition, some users of Draw Something, another mobile game produced by Zynga, were compromised. The exposed information includes names, email addresses, login IDs, hashed passwords, password reset tokens, phone numbers, Facebook IDs, and other Zynga account details. Since this information is already available to bad actors on the Dark Web and will be used to perpetuate additional cybercrimes, those impacted by the breach should carefully monitor their accounts while being especially watchful for other fraudulent communications.
Customers Impacted: 218,000,000
How it Could Affect Your Customers’ Business: Data security is increasingly top of mind for consumers. For companies operating in a highly competitive marketplace, it can mean the difference between keeping your customers happy while increasing revenue or losing them forever. Therefore, businesses of every size need to meet the moment by understanding their vulnerabilities, embracing best practices for cyber defense, and building a breach response action plan.
United States – Zendesk
Exploit: Unauthorized database access
Zendesk: Customer service software company
Risk to Small Business: 1.888 = Severe: More than three years after the event, Zendesk acknowledged a data breach after a third party notified the customer service software company of unauthorized data access. The breach impacts Support and Chat accounts, and it includes personal data from all categories of Zendesk users, including customers, agents, and end-users. The company is resetting all passwords for users that registered before November 1, 2016. However, the platform touts many high-profile companies as clients, which means that the breach could have far-reaching repercussions for all stakeholders involved.
Individual Risk: 2.285 = Severe: The personal details of customers, agents, and end-users were compromised in the breach. This includes names, email addresses, phone numbers, passwords, and other technically-oriented data. The company is contacting all customers who could be impacted by the breach, and those affected should reset their Zendesk passwords and any redundant passwords used on other platforms.
Customers Impacted: 10,000
How it Could Affect Your Customers’ Business: When it comes to protecting customer data, speed and precision are your best friends. Unfortunately, too many companies don’t have the IT capabilities to identify a data breach or to adequately investigate an event after it happens. As a result, customer data can virtually linger indefinitely before protective action can be taken, such as changing passwords or otherwise ensuring data integrity. This incident serves as an important reminder that every business needs to enlist in services that help proactively monitor and protect customer data.
Canada – The National Basketball Association
Exploit: Unauthorized database access
The National Basketball Association: Men’s professional basketball league in North America
Risk to Small Business: 2.111 = Severe: An unauthorized user accessed a server managed by the NBA for its Canadian business efforts. The league quickly identified the intrusion and took the server offline, began an investigation, and hired cybersecurity experts to make further recommendations. However, these measures can’t retroactively restore users’ data integrity, nor will it negate the reputational damage that always accompanies a privacy breach.
Individual Risk: 2.428 = Severe: The exposed user data includes names, addresses, email addresses, phone numbers, and other account-related information. Although the breach is limited to those who recently entered an online contest in Canada, this information is especially sensitive, and those impacted by the breach should take every precaution to ensure the long-term integrity of their credentials.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Digital platforms can be a great way to engage customers, but when data integrity is compromised, these initiatives can quickly become a liability. Therefore, cybersecurity needs to be the bedrock of any online engagement to ensure that such marketing efforts meet customers where they are secure, as opposed to manifesting into self-inflicted wounds on your company’s reputation and customer engagement.
The United Kingdom – EA Sports
Exploit: Accidental sharing
EA Sports: Developer and publisher of sports video games
Risk to Small Business: 2 = Severe: EA Sports inadvertently leaked the personal data of 1,600 gamers who participated in a competition on the company’s website. The breach is related to the company’s FIFA 20 Global Series competition. Aside from becoming a PR nightmare for EA Sports on social media, the leak occurred just hours after the company’s announcement of new security features and promotional events related to the UK’s National Cyber Security Month. The webform was removed after thirty minutes, and the competition was temporarily canceled.
Individual Risk: 2.142 = Severe: The leaked data includes email addresses, account ID numbers, usernames, and dates of birth. Those impacted by the breach should monitor their accounts for suspicious or unusual activity.
Customers Impacted: 1,600
How it Could Affect Your Customers’ Business: Even relatively small data breaches can have a sizable impact on a company’s reputation and future earnings potential. Even apart from the bad press and media scrutiny that often accompanies a breach, customers are quick to take to social media to voice their concerns. Taken together, a data breach can quickly escalate into a PR disaster. To protect your brand’s reputation, prioritize customer data security.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
U.S. Senate Passes Ransomware Response Law
Ransomware is making a devastating comeback in 2019, impacting SMBs, government agencies, and educational institutions with frightening regularity and at great cost.
The scourge of attacks has been so profound that a bill governing ransomware response tactics actually elicited bipartisan support from a divisive U.S. senate.
The new legislation calls for dedicated teams tasked with providing organizations with best practice advice for protecting against and responding to ransomware attacks. These resources will be available for SMBs, government agencies, and schools, which were specifically addressed by the senate minority leader, Chuck Schumer.
The practical effects of such legislation are unclear, but the more prescient fact is that the law exists at all. It underscores the incredible need for more companies to adopt a best practice defensive posture and the chasm between those that are ready to defend themselves and those that remain vulnerable.
However, the law alone won’t solve SMBs problems. They need to understand the ways that their IT infrastructure might be vulnerable, and they need to make addressing those concerns a top priority.
A Note From Kobargo
UK Business Leaders Believe Data Breaches Are the New Normal
The majority of UK businesses have suffered some form of a data breach in 2019, and C-suite business leaders view this reality as the “new normal.”
This information was derived from the latest Carbon Black study, which surveyed 250 C-level business leaders from the UK. In total, 84% indicated that they endured a data breach in the past year, and the same amount indicated that cyber attacks were becoming more sophisticated.
This new reality is especially notable among smaller businesses, which reported a 57% increase in cyber attacks. While the financial repercussions varied significantly, 75% of executives noted that reputational cost is one of the most problematic results of a data breach.
Interestingly, two of the most prominent threats identified by executives, malware and phishing attacks, are defensible. By implementing comprehensive awareness training, companies of all sizes can neutralize a persistent and problematic threat group.
In a cybersecurity landscape that’s increasingly defined by continuous attacks, controlling some of the variables can give any organization a leg up on the best efforts of bad actors.
Contact Kobargo Technology Partners to schedule a free consultation today!