Last week, C-suite executives are compromised, failure to password protect customer data leads to breach, and phishing scam awareness begins to improve.
United States – Slickwraps
Exploit: Unprotected database.
Slickwraps: Producer and distributor of hardware skins.
Risk to Small Business: 2 = Severe: The company’s databases lacked basic protections that exposed customer data to the internet. Slickwraps cited the long-term trust of its customers as a vital component of its business model, making this episode an especially problematic event for the business. The problem is compounded by the fact that an internet user tried to alert the company about the breach multiple times. Ultimately, Flickwraps discovered the breach after it was posted on Twitter.
Individual Risk: 2.428 = Severe: The company’s unsecured database exposed customer details to the internet. This included names, email addresses, physical addresses, phone numbers, and purchase histories. The breach does not extend to customers who accessed the online store as a guest, and it did not include financial data. Those impacted by the breach should be aware that this information can be used in spear-phishing attacks or for other malicious purposes. They should be especially vigilant in monitoring online communications.
Customers Impacted: 850,000
How it Could Affect Your Customers’ Business: Slickwraps has been extremely apologetic after the breach. However, this contrite posture is no replacement for simple steps that they could have taken to secure company and customer data from day one. Customers and regulatory authorities expect companies to follow basic best practices when dealing with sensitive data, and the company’s apologetic tone is unlikely to help avoid negative fallout from the incident.
United States – Clearview AI
Exploit: Unauthorized database access.
Clearview AI: Facial recognition software provider.
Risk to Small Business: 2.111 = Severe: Hackers obtained a copy of the company’s entire client list, which, given the sensitive nature of their work, is an especially egregious breach of data. In addition to the client list, hackers also obtained information identifying the number of accounts that clients set up and the number of searches conducted on the platform. In response, the company cited the inevitability of data breaches in the 21st Century, a platitude that is unlikely to placate the company’s clients. Indeed, Clearview AI is already enduring significant media scrutiny and customer blowback that could have significant implications for the company’s bottom line and future prospects.
Individual Risk: At this time, no personal information was compromised in the breach.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Data breaches may be an unfortunate reality in the 21st Century, but that doesn’t mean that they have to be inevitable. Adjusting your defensive posture to address the most probable threats can significantly lessen the likelihood of a breach. At the same time, having the right policies and procedures in place to respond to a breach will mitigate the damage, allowing your company to meet any cybersecurity challenge.
United States – Pacific Specialty
Exploit: Phishing scam.
Pacific Specialty: Insurance provider.
Risk to Small Business: 1.444 = Extreme: Several employees fell for a phishing scam that compromised customers’ personal data. The attack allowed hackers to access some employee accounts between March 20, 2019, and March 30, 2019. However, the insurance provider wasn’t aware of the breach until November 7, 2019, and did not identify details until January 14, 2020. In response, the company has hired a cybersecurity team to update its data privacy practices, and reset all employee login credentials while enabling two-factor authentication on its accounts. Nevertheless, the company will end up paying much more than they would have if they had invested in basic security solutions.
Individual Risk: 1.857 = Severe: Personally identifiable information was compromised in the breach. This includes customers’ names, Social Security numbers, drivers’ licenses or government-issued IDs, financial information, payment card data, medical details, and health insurance credentials. Pacific Specialty is offering 12 months of credit and identity monitoring service to victims.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Phishing scams are a known threat to every company, and organizations that are committed to data security will take steps to prevent this common attack methodology from negatively impacting customer data. Selecting strong, unique passwords for every account and enabling two-factor authentication can thwart cybercriminals, even when employees act upon a phishing scam, making them an obvious security feature for every organization. Of course, they can only prevent a breach if they are implemented before an incident occurs.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
A New Scam Targets Data Breach Victims
The costs associated with a data breach are well-documented, but they carry unique implications for each individual impacted by a data loss event. Now, a new scam is targeting data breach victims who are looking to recoup financial losses or exact justice. This scam originates from a website claiming to be run by the US Trade Commission, and it promises to provide financial compensation for data breaches involving personal data.
Unfortunately, the US Trading Commission does not exist, and the fraudulent website is collecting personal information, including names, credit card numbers, and Social Security numbers, which the website claims will be used for identification purposes. While the website boasts many hallmarks of a phishing scam, it can be enticing for victims to provide this information out of desperation or frustration.
Unfortunately, there isn’t a magic cure after a data breach hits. Instead, companies need to focus on their defensive strategies before an attack. For instance, securing accounts using two-factor authentication, training employees to spot phishing scams, and assessing your network for unseen vulnerabilities are all steps that companies can take to help ensure that a breach doesn’t occur in the first place.
A Note From Kobargo
Phishing Scam Awareness is On the Rise. So Are Phishing Scams.
This week marks the 100th issue of ID Agents Week in Breach newsletter. From the beginning, we’ve provided a weekly rundown of the most prescient cyber threats impacting SMBs, and phishing scams always make the top of the list.
Phishing scams, and their various iterations, including pharming, smishing, and vishing, account for a growing number of cybercrimes, according to the FBI’s latest Internet Crime Report. The latest iteration found a 59% increase since 2015. Similarly, business email compromise, which often includes elements of phishing scams, is up 160%.
However, the report doesn’t only include bad news. It found that 96% of people are aware of the possibility of a phishing scam, and 88% were able to accurately explain the threat. Unfortunately, many people only view phishing scams as an email threat, which, as we explained in a blog post last year, only accounts for one attack vector among many.
Ultimately, it appears that phishing scam awareness training is proving to be an effective tool to educate people on a growing threat category that impacts everyone.