Last week, online stores can’t protect their customers, phishing attack impacts personal health data, and CCPA prepares to go into effect.
United States - Rooster Teeth Productions
Exploit: Malware attack
Rooster Teeth Productions: Entertainment production company
Risk to Small Business: 2 = Severe: Hackers injected malware into the company’s online store that siphoned off customers’ payment details at checkout. The breach was first detected on December 2nd, and the company claims that the malware was removed on the same day. However, it’s unclear why they waited several weeks before notifying customers of the breach. Rooster Teeth Productions has sent breach notification letters to those impacted by the incident, but the episode will certainly have a negative impact on the brand’s reputation at a critical time of year for sales.
Individual Risk: 2.285 = Severe: Those impacted by the breach had their names, email addresses, telephone numbers, physical addresses, and payment card information stolen in the breach. As a result, they should immediately contact their financial institutions to report the breach. Rooster Teeth Productions is offering a free year of identity monitoring services and enrolling in this service can offer long-term oversight of personal data.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: The timing of this data breach couldn’t be worse. Customers continually demonstrate that they aren’t willing to make purchases from platforms that can’t secure data, so Rooster Teeth Productions will almost certainly lose business during the busy holiday shopping season. Any company relying on e-commerce sales needs to understand cybersecurity risks and take necessary steps to ensure their revenue centers do not become liabilities.
United States - Conway Medical Center
Exploit: Phishing attack
Conway Medical Center: Healthcare provider
Risk to Small Business: 1.555 = Severe: Several employees fell for a phishing scam that provided hackers access to patients’ personal data. Although the healthcare provider quickly identified the intrusion and cut off access to those accounts, they can’t recover information already accessed by cybercriminals. As a result, Conway Medical Center will face regulatory scrutiny, which often results in fines and other penalties that can damage their reputation and profitability.
Individual Risk: 2 = Severe: Hackers had access to patients’ personally identifiable information, including their names, dates of birth, Social Security numbers, phone numbers, dates of admission, account numbers, and account balances. Conway Medical Center is providing free identify and credit monitoring services to those impacted by the breach, and those affected should enroll in these services. In addition, they should be vigilant about monitoring their accounts for unusual or suspicious activity.
Customers Impacted: 2,250
How it Could Affect Your Customers’ Business: This major cybersecurity incident was entirely avoidable since phishing scams are only effective if employees engage with malicious emails. Unfortunately, Conway Medical Center will now bear the cost of credit and identity monitoring services for thousands of patients, as well as the fines and penalties that often accompany a breach. In contrast, comprehensive employee awareness training is a bargain, protecting your company against the phishing attacks that will inevitably make their way to employee inboxes.
Canada - Life Labs
Life Labs: Laboratory diagnostics and testing service
Risk to Small Business: 2.222 = Severe: Hackers accessed Life Labs’ IT, stealing copious amounts of customer information and demanding a ransom for the data’s return. In a notice to customers, Life Labs notes that it identified the breach in October, but waited until December to notify customers, a concerning timeframe that will make it more difficult for victims to protect their credentials against misuse. According to the company, they paid the ransom and their data was returned. Now they are declaring the incident a “low risk” to customers”, but given their poor communication so far, this is unlikely to assuage anyone’s concerns anytime soon.
Individual Risk: 2.285 = Severe: Hackers stole customers’ personally identifiable information, including their names, home addresses, email addresses, usernames, passwords, and health card numbers. Those impacted by the breach should monitor their accounts for unusual or suspicious activity, while being mindful that this information is often reused to commit other cybercrimes, including phishing attacks, that attempt to extract even more sensitive personal information.
Customers Impacted: 15,000,000
How it Could Affect Your Customers’ Business: Life Labs had a number of missteps in their handling of this data breach. However, the company did deploy Dark Web monitoring to ensure that their customers’ information wasn’t for sale to the highest bidder. These services can provide peace-of-mind to customers while also helping companies mitigate the often cascading consequences of a data breach.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
New Ransomware Strain Targets Healthcare Sector
Each week, our newsletter has examples of companies devastated by ransomware attacks that carry an incredible cost and inflict reputational damage. Unfortunately, these attacks have become more pervasive this year, and hackers are not content to rest on their laurels.
Instead, a new variant of ransomware called Zeppelin is being deployed throughout the US, Canada, and Europe to target healthcare companies and IT organizations. In addition, the ransomware is using MSPs to further infect companies via their management software. Notably, the ransomware is being deployed through remote desktop servers that are publicly exposed to the internet.
The incident is a reminder that SMBs can’t afford to leave cybersecurity up to chance. These attacks can have devastating financial consequences for any organization, which means that a robust defensive posture is a bottom-line issue that will continue to become more critical in the year ahead.
A Note From Kobargo
CCPA Goes Into Effect on January 1st
While many people are counting down the days to their new year’s celebrations, another countdown is underway that will have significant implications for companies around the world. California’s new data privacy law, the California Consumer Privacy Act, officially goes into effect on January 1, 2020.
The law gives consumers new rights to their personal data, and, like Europe’s General Data Protection Regulation that came before it, CCPA promises financial penalties for companies that can’t comply with its standards. For companies of all sizes, it’s evident that the next year will be marked by new compliance measures both in the US and abroad. Fortunately, nobody has to tackle this issue alone. ID Agent is ready to provide a comprehensive assessment of your cybersecurity posture. Our products, like phishing scam awareness training and account security protocols, can help ensure that cybersecurity incidents don’t impede your 2020 goals and aspirations.