Last week, companies are slow to stop phishing attacks, ransomware disrupts productivity, and IBM’s latest threat analysis outlines trends for 2020.
United States - Altice USA
Exploit: Phishing Attack
Altice USA: Cable and internet provider
Risk to Small Business: 2 = Severe: A phishing attack tricked an employee into providing hackers with email credentials that were used to access and download inbox content remotely. Although the breach was announced on February 5th, the phishing scam was executed in November 2019. It wasn’t discovered until December 2019, which raises questions about the company’s data security capabilities and notification strategy. As a result, Altice USA will have a difficult time restoring customer confidence, which will be critical to recovering from this preventable data breach.
Individual Risk: 2.285 = Severe: Customers’ personal information was compromised in the breach. This includes Social Security numbers, birth dates, and other personal details. The company claims that financial information was untouched by the breach and is offering free identity and credit monitoring services for affected victims to protect compromised data.
Customers Impacted: 12,000
How it Could Affect Your Customers’ Business: Phishing attacks are easy to deploy, and they are devastating to companies compromised by malicious messages. Although security processes are unlikely to keep all phishing emails out of their employees’ inboxes, they can render the attacks useless by providing comprehensive awareness training that teaches and trains employees to identify phishing scams.
United States - St. Louis Community College
Exploit: Phishing Attack
St. Louis Community College: Public academic institution
Risk to Small Business: 2.111 = Severe: Several employees fell for a phishing scam that compromised students’ personal information. The phishing attack, which took place on January 13th, happened just weeks before the school implemented two-factor authentication on January 31st. If this effective defensive measure was in place sooner, hackers would not have been able to access employee accounts, even after they provided their credentials on a phishing form. In response, the college is retraining employees who clicked on a phishing email, and they are updating their procedures to prevent a similar event in the future.
Individual Risk: 2.428 = Severe: Students’ personal data was compromised in the breach, including names, ID numbers, dates of birth, addresses, phone numbers, and email addresses. In addition, 71 students had their Social Security numbers stolen. This information can be used to execute identity fraud or to target victims with spear-phishing campaigns that could provide hackers with even more damaging personal data. Those impacted by the breach should enroll in credit and identity monitoring services to oversee the responsibility of identifying misuse, and they should carefully evaluate online communications for signs of a phishing scam.
Customers Impacted: 5,000
How it Could Affect Your Customers’ Business: This incident is a tragic reminder that, when it comes to data security, timing is everything. Phishing attacks awareness training and two-factor authentication can go a long way toward protecting the company and customer data, but they need to be in place before an attack occurs. Therefore, installing proactive measures should be a top priority in the days and weeks ahead.
Australia - Ashley Madison
Exploit: Unauthorized database access
Ashley Madison: Adult romance website
Risk to Small Business: 2 = Severe: Cybercriminals are redeploying data from Ashley Madison’s 2016 data breach to target Australian users with sextortion emails. These messages contain intimate and highly personal information gleaned from the breach, and cybercriminals are threatening to publicly release the information if victims don’t pay a Bitcoin ransom. The emails are highly personalized and include sensitive personal details derived from the initial data breach. While it’s easy to write-off a data breach at an adult website, it reflects the IT environment experienced by any company that collects personal data, and the many ways that hackers exploit that information to make money.
Individual Risk: 2.142= Severe: The personalized emails include users’ names, bank account numbers, phone numbers, addresses, and dates of birth. It also contains private content and communications conducted on the website.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Data breaches impact more than just a company’s bottom line. They often have tangible consequences for each individual compromised in a breach, and even years after a breach, they can continually reappear, causing personal, psychological, and financial trouble for victims. It should encourage every company to take every step possible to protect personal data.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.