DATA BREACH, CYBER ALERT MONDAY:
Last week, customer loyalty programs were compromised, employees continued to fall for phishing scams, and data breach costs continued to increase.
United States - Lyons Insurance
Exploit: Unauthorized email account access
Lyons Insurance: Independent insurance broker and employee benefits firm
Risk to Small Business: 1.333 = Extreme: An unauthorized party gained access to two employee email accounts that contained customers’ personally identifiable information. The data from one account was available between February 4th and March 12th, and information from the second account was available for several hours on March 12th. The company hired a third-party cybersecurity firm to audit their security standards, and they’ve made changes to prevent a similar breach in the future. However, it’s unclear why the company waited so long to notify customers, and future reparations cannot undo the damage from data that has already been stolen.
Individual Risk: 2.143 = Severe: Impacted email accounts contained personal information, including customers’ names, dates of birth, contact information, drivers’ license information, financial information, medical record numbers, patient identification numbers, and treatment-related information. In addition, some users had their Social Security numbers compromised in the breach. Lyons is providing free credit monitoring and identity restoration services for everyone impacted by the breach. Since this information is incredibly valuable to cybercriminals on the Dark Web, breach victims should take advantage of these services to help ensure the integrity of their data.
Customers Impacted: Unknown
How it Could Affect Your Business: Few things can cripple a business like a data breach, and post-breach security initiatives can’t help those whose personal information is already available on underground marketplaces. Consumers and employees are increasingly unwilling to associate with companies that cannot protect their information, making cybersecurity a bottom-line problem for every business. Identifying and addressing vulnerabilities before a breach occurs offers tangible benefits over waiting until after a data disaster to make changes.
United States - Presbyterian Healthcare Services
Exploit: Phishing scam
Presbyterian Healthcare Services: Private not-for-profit healthcare system and provider
Risk to Small Business: 1.555 = Severe: An employee unwittingly opened a phishing email that provided hackers with access to a treasure trove of patients’ personally identifiable information. The breach occurred on or before May 9th, and it wasn’t discovered for nearly a month. While the healthcare provider began notifying those impacted by the breach in early August, the latest accounting reveals even more extensive damage than originally identified. Moreover, Presbyterian Healthcare Services expects that it has yet to understand the full scope of the breach. Healthcare is a highly regulated industry, so Presbyterian Healthcare Services will endure a significant repair cost, along with increased scrutiny from regulatory bodies.
Individual Risk: 2.571 = Moderate: While hackers didn’t have access to electronic health records or billing information, they were able to access patient names, dates of birth, Social Security numbers, and health plan information. Although Presbyterian Healthcare Services hasn’t found the data on the Dark Web yet, those impacted by the breach should assume that it will be exploited for fraud in the near future.
Customers Impacted: 183,000
How it Could Affect Your Business: Companies that store copious amounts of sensitive personal information are sitting ducks for data thieves and have an obligation to take necessary precautions to protect their customers’ data. Fortunately, phishing scams can be defended against, and comprehensive awareness training can render such attacks useless. With phishing attacks on the rise, this training should be mandatory for every company storing personal data of employees or customers.
United States - Oregon Judicial Department
Exploit: Phishing Scam
Oregon Judicial Department: Judicial branch of the state of Oregon
Risk to Small Business: 1.444 = Extreme: A phishing campaign effectively duped five employees into opening malicious emails that compromised the personal information of thousands of people. The attack occurred on July 15th, and it left affected accounts exposed for four hours before IT admins could disable access to personal data. Consequently, the department is responsible for providing credit monitoring services to impacted individuals, an expense that will hinder the efforts of an already cash-strapped organization.
Individual Risk: 2.286 = Severe: The data breach exposed personally identifiable information, including names, full and partial dates of birth, financial information, health data, and Social Security numbers. Anyone impacted by the breach should enroll in the provided credit monitoring services to keep tabs on their financial data. Meanwhile, they should be vigilant about monitoring their personal accounts for suspicious or unusual activity.
Customers Impacted: 6,607
How it Could Affect Your Business: Phishing scams may be incredibly prevalent, but they are also entirely preventable. Despite the best efforts of automated detection services, businesses should assume that some phishing emails will make their way to their employees’ inboxes, making comprehensive awareness training a critical component of holistic data security. By training employees to spot and respond to phishing campaigns, it’s possible to mitigate persistent attacks while demonstrating cybersecurity prowess.
United States - Wisconsin Diagnostic Laboratories
Exploit: Unauthorized database access
Wisconsin Diagnostic Laboratories: Medical laboratory and testing service provider
Risk to Small Business: 1.556 = Severe: A June 2019 data breach at one of the company’s partners has compromised the personal information of patients at Wisconsin Diagnostic Laboratories. The company has severed the relationship with their third-party vendor, and they are taking steps to retrieve and secure compromised patient data. Of course, retrieving information once it reaches the web is extremely difficult, and Wisconsin Diagnostic Laboratories will certainly face regulatory scrutiny that will cost time and resources.
Individual Risk: 2.857 = Moderate Risk: The data breach revealed personal data including patient names, dates of birth, dates of service, and other medical information. In some cases, payment information, including credit card numbers and bank account details, was exposed. Social Security numbers and payment data were excluded in the breach. Since this type of information is frequently exchanged on the Dark Web, those impacted by the breach should monitor their accounts closely.
Customers Impacted: 114,985
How it Could Affect Your Business: Today’s business environment often requires partnering with third parties to provide the best experiences for your customers. Unfortunately, this also increases your company’s exposure to various cybersecurity risks, and every business needs to have effective recovery protocols in place to respond to these incidents. In this way, companies can benefit from relationships with strategic partners with cybersecurity expertise in order to proactively secure sensitive information.
In Other News:
Data Breaches Expected to Cost Businesses $5 Trillion by 2024
By now, every business should be aware of the costs associated with a data breach. Unfortunately, such damages are not being contained. Instead, they are rising steadily, culminating in a $5 trillion price tag by 2024, according to the latest report from Juniper Research.
A recent report, “The Future of Cybercrime & Security,” found that regulatory fines and lost business will be the primary drivers of this expense.
Consumers continually demonstrate a disdain for platforms that can’t protect their data, making opportunity cost one of the most arduous, often immeasurable consequences of a data breach.
At the same time, the report notes that cybercrimes are likely to accelerate as hackers deploy increasingly sophisticated technology, like AI, to perpetrate even more disruptive cybercrimes.
However, Juniper Research found that cybersecurity-related expenditures are only expected to increase by 8% over the next four years, meaning that enterprises are turning to other methodologies to protect their data. Most prominently, the report concluded, employee awareness training is seen as the most efficient and cost-effective way to protect a company’s data.
Regardless of the technique, one truth is certain. The cybersecurity landscape will not look the same in four years, and every business needs to be prepared to adapt and meet the shifting challenges of its time.
A Note From Kobargo:
Ransomware Attacks Have Doubled in 2019
The scourge of ransomware attacks around the world is well documented, appearing in front-page headlines and disrupting everything from SMBs to local municipalities.
Even so, the scope of the problem is even more extensive than many people realize. The latest McAfee Labs Threat Report found a 118% rise in ransomware attacks in the first quarter of 2019.
The precipitous increase follows years of decline for malware as it appeared to fall out of vogue with cybercriminals. However, in 2019, the practice has been monetized by targeting SMBs and local governments, soft targets that don’t often have the resources to effectively update their defenses against ransomware.
The report found that three ransomware strains – Dharma, Ryuk, and GandCrab – are used in the vast majority of attacks, and McAfee notes that a large number of organizations are willing to make six-figure payments, which helps ensure that such strategies will continue to adapt and remain relevant well into the future.
Given the high cost of recovering from a ransomware attack, the cybersecurity services that can fortify a company’s defenses are a relative bargain. Especially for SMBs, a strong defensive posture comes with the cost of doing business, and it’s more affordable than cybersecurity failure.