Last week, ransomware brings bad news for employees, security doorbell users endure a serious privacy breach, and too many companies are giving in to criminals’ demands.
United States - The Heritage Company
The Heritage Company: Telemarketing firm
Risk to Small Business: 2.333 = Severe: A ransomware attack forced The Heritage Company to temporarily shutter its operations, even after making a ransom payment to release its critical IT infrastructure. IT admins were unable to use the decryption key to access company data, resulting in the company’s CEO notifying employees that they would not be able to return to work until at least January 2nd. The attack has already cost the company hundreds of thousands of dollars. If they can’t recoup their valuable information, it’s possible that this ransomware attack could permanently cripple their business.
Individual Risk: No personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Ransomware can feel like an inevitability in today’s digital landscape, but SMBs have many tools at their disposal to protect their critical information. Notably, ransomware always requires a foothold to infiltrate a company, and this avenue is often achieved through known exploits in legacy systems or phishing scams that induce employees to grant network access to cybercriminals. By addressing these known flaws, companies can improve their defenses against this costly risk.
United States - Ring
Exploit: Accidental data sharing
Ring: Video doorbell and security camera maker
Risk to Small Business: 2 = Severe: Security researchers discovered Ring users’ account credentials posted on the Dark Web. The information could provide hackers with front door access to customer accounts. Given the sensitive nature of their business, this type of access could be especially problematic for users. Moreover, the episode is the company’s second cybersecurity incident this year, which raises questions about its efficacy in an industry that demands excellence when it comes to data security and privacy.
Individual Risk: 2.285 = Severe: Usernames and passwords are often used to directly access user accounts where criminals can steal additional information or otherwise wreak havoc. While Ring told customers that they are actively monitoring for unusual account activity, users should update their passwords and enable two-factor authentication to ensure that hackers can’t deploy this readily available information to access their accounts.
Customers Impacted: 1,562
How it Could Affect Your Customers’ Business: Ring is emblematic of the consequences of failing to embrace data security as a top priority. As a result of multiple data security instances and allegations of weak data privacy standards, Ring has endured significant brand erosion, and these episodes continue to degrade their competitive advantage. In an industry where customers have many options to choose from, this could be a serious factor in the company’s future financial success.
United States - PayPal
Exploit: Phishing attack
PayPal: Online payment platform
Risk to Small Business: 2.333 = Severe: Some PayPal users are receiving phishing emails purportedly notifying of unusual account activity and requiring users to verify their personal information to restore full account access. The hackers fabricate a sense of urgency by noting that user accounts will be disabled until they confirm their identity. Although the messages contain many tell-tale signs of a phishing scam, they pose a serious risk to PayPal customers and the company’s reputation.
Individual Risk: 2.428 = Severe: Although recipients have to provide their personal information to be at risk, anyone who responds to this email has compromised nearly all of their personally identifiable information. If that’s the case, they should immediately report the activity to PayPal, as well as to their other financial institutions. Unfortunately, this information can be used to perpetuate more than just financial crimes, and those who were compromised should also enroll in an identity monitoring services to ensure that their information isn’t being misused in other ways.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: As we’ve reported on our blog, the latest phishing attack trends have adopted many of the hallmarks of internet security, including HTTPs encryption, to dupe unsuspecting recipients into compromising critical data. Although such attacks are difficult to spot, SMBs can ensure that their employees serve as the first line of defense by implementing consistent awareness training that keeps employees abreast of the latest trends.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Too Many Businesses Are Paying Ransom Demands
Ransomware attacks have been one of the definitive cyber threats of 2019, and, despite their growing prominence, business leaders are still struggling to determine the most effective response.
Unfortunately, many organizations are bending to hackers’ demands by paying the ransom to retrieve their data. In fact, the number of organizations giving in to extortion demands has more than doubled this year. In total, nearly 40% of businesses breached by a ransomware attack are paying criminals to decrypt company data.
This trend goes against the recommendations of law enforcement agencies and many cybersecurity experts who fear that ransom payments will embolden criminals to continue attacking businesses, schools, and government facilities. In addition, as we’ve noted in this week’s newsletter, making a ransom payment doesn’t guarantee that data will be recovered.
Of course, even those that don’t pay the ransom will not escape unscathed, as the cost of recovery can be as steep as the ransom itself. However, SMBs do have the power to protect themselves. By ensuring that their software is up-to-date and that their accounts are secure through simple features like two-factor authentication, they can take away many of the footholds that hackers use to infect businesses with this costly malware.
A Note From Kobargo
Georgia Supreme Court Gives Data Breach Victims the Right to Sue
Data breaches carry all kinds of expenses that can do serious damage to a company’s bottom line. That reality became more prominent this week when the Georgia Supreme Court ruled that data breach victims could sue for damages.
The verdict overturned an earlier ruling pertaining to a 2016 data breach at Athens Orthopedic Clinic, which endured a breach that compromised patients’ personally identifiable information that eventually made its way to the Dark Web. While the clinic moved to dismiss the case, the court ruled that victims could sue the company for damages.
Ultimately, the ruling underscores another financial front that businesses need to account for when considering the risks of a data breach, and it should encourage companies to get the support they need they need to ensure that they are keeping sensitive data secure.