Last week, small businesses fail to prevent phishing attacks, online shoppers have their data access snatched, and a new study reveals the prominent role of human error in data breaches.
United States - Idaho Central Credit Union
Exploit: Unauthorized data access
Idaho Central Credit Union: Financial institution
Risk to Small Business: 1.555 = Severe: The Idaho Central Credit Union has reported two data access breaches that compromised personally identifiable customer information. The first incident occurred in November 2019 when a third-party mortgage portal was victimized by hackers. While investigating the first breach, cybersecurity experts identified a second incident stemming from several compromised employee email accounts. In today’s digital economy, a company’s competitive advantage is predicated on its ability to protect customer data. Two consecutive data breaches will have far-reaching repercussions for the credit union.
Individual Risk: 2.142 = Severe: In both incidents, the personally identifiable information of the bank’s customers was compromised. This included names, dates of birth, Social Security numbers, financial account information, tax identification numbers, and other sensitive financial details. Cybercriminals can redeploy this information in a host of harmful ways. Those impacted by the breach should enroll in identity and credit monitoring services as soon as possible.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Email accounts are serious vulnerabilities for every company, as there are many ways by which cybercriminals can exploit social engineering and malware to find their way in. However, every company can lock down its email accounts by implementing two-factor authentication to prevent unauthorized access, even if login credentials are compromised.
United States - Monroe County Hospital & Clinics
Exploit: Phishing scam
Monroe County Hospital & Clinics: Public medical practice
Risk to Small Business: 1.666 = Severe: Hackers gained access to the clinic’s email system, which contained patients’ protected health information. The breach, which was discovered in December 2019, spanned several months and gave bad actors plenty of time to misuse patient data. Now Monroe County Hospital and Clinics face intense regulatory scrutiny due to the sensitive nature of the breach, and their reputation has been badly damaged in an industry that is especially sensitive to privacy concerns. In addition to other recovery expenses, they will bear the cost burden of providing credit and identity monitoring services for the thousands of patients impacted by the breach.
Individual Risk: 2.428 = Severe: Personal data was compromised in the breach. This includes names, dates of birth, addresses, insurance information, and treatment information. In some cases, patients’ Social Security numbers were also exposed. Those impacted by the breach are encouraged to enroll in the credit monitoring service provided by the company and monitor their accounts and digital communications for potential instances of fraud.
Customers Impacted: 7,500
How it Could Affect Your Customers’ Business: Despite incredible advancements in fraud detection technology, phishing scams will inevitably make their way into employees’ inboxes. When employees engage with malicious content, it can have enormous consequences for your organization. Nobody wants to endure the rising costs associated with a data breach, and comprehensive employee awareness training can ensure that those phishing scams don’t impact your bottom line.
Australia - Ashley Madison
Exploit: Unauthorized database access
Ashley Madison: Adult romance website
Risk to Small Business: 2 = Severe: Cybercriminals are redeploying data from Ashley Madison’s 2016 data breach to target Australian users with sextortion emails. These messages contain intimate and highly personal information gleaned from the breach, and cybercriminals are threatening to publicly release the information if victims don’t pay a Bitcoin ransom. The emails are highly personalized and include sensitive personal details derived from the initial data breach. While it’s easy to write off a data breach at an adult website, it reflects the IT environment experienced by any company that collects personal data, and the many ways that hackers exploit that information to make money.
Individual Risk: 2.142 = Severe: The personalized emails include users’ names, bank account numbers, phone numbers, addresses, and dates of birth. They also contain private content and communications conducted on the website.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Data access breaches impact more than just a company’s bottom line. They often have tangible consequences for each individual compromised in a breach, and even years after a breach, they can continually reappear, causing personal, psychological, and financial trouble for victims. It should encourage every company to take every step possible to protect personal data.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
3 GDPR-Covered Countries Experience 100,000 Breaches
It’s been nearly two years since GDPR changed the data privacy landscape by bringing regulatory oversight to the digital Wild West. According to the latest reports, more than 160,000 data breaches have been reported in that span. Incredibly, three countries account for 100,000 breaches: the Netherlands, Germany, and the United Kingdom.
These numbers reflect both the undeniable value of stealing sensitive personal data and the difficulty that many organizations experience when trying to protect that information. As a result, GDPR fines are becoming increasingly common for companies under the regulation’s purview. The ten most significant GDPR breaches have resulted in hefty financial penalties totaling an eye-popping sum of nearly $500 million.
Europe isn’t the only region implementing regulatory standards for data security. In the US, California's Consumer Privacy Act and New York’s SHIELD Act both reinforce and extend GDPR’s expectations. At ID Agent, our comprehensive Compliance Manager is ready to help your organization achieve, maintain, and document compliance.
A Note From Kobargo
Human Error is a Top Cause of Data Access Breaches
Companies face cybersecurity threats on many fronts every day, but human error may be the most pervasive – and the most preventable. A 2019 study analyzing data from the UK’s Information Commissioner’s Office found that human error played a role in 90% of data breaches last year. This represents a significant increase from just two years ago, when only 61% of breaches were attributed to human error.
The study concluded that phishing scams were the primary cause of breaches, with unauthorized access to systems ranking a close second. However, the study’s authors were also quick to point out that while employees represent a noteworthy data privacy risk, they can also serve as a critical defense against cybercriminals. When equipped with the right tools, like phishing scam awareness training, employees can be transformed from a potential weak point into a crucial asset in the fight against cybercriminals and fraud.