Knowing what you should be looking for can help you prevent attacks as well as quickly identify and respond to suspicious activity. This blog looks at some real-world examples of some of the most common causes of data breaches and explains how they occurred.
Contrary to what many people think, you don’t need to be a sophisticated criminal hacker to commit cyber crime. Malware is a perfect example of just how simple attacks can be.
Here’s how it works: crooks purchase a piece of malware that’s designed to exploit a specific vulnerability. They find a system that contains that vulnerability. They plant the malware. They scoop up the rewards.
Malware is often associated with card transactions, because it offers the most direct returns (financial information), and POS (point-of-sale) systems have historically been plagued with vulnerabilities. Countless hotel chains, retailers and restaurants have been breached in recent years – particularly in the US, which by and large doesn’t use chip-and-PIN.
But there are many types of malware you need to be aware of, including adware, spyware, bots, ransomware, Trojan horses, viruses and worms. It’s often hard to know when you’ve been infected, as some malware sits on computers drawing as little attention to itself as possible. Other malware, such as ransomware, makes its presence clear, locking users’ computers and demanding payment for the decryption key.
Recent malware attacks
The most well-known malware attack is 2017’s WannaCry outbreak, but that’s not representative of how ransomware (or malware generally) works. The malware’s worming capabilities caused it to spiral out of control, meaning there was no way for the attackers to monitor who was infected, and the bank account that ransoms were to be paid into was under such scrutiny that the blackmailers didn’t even try to collect what little money they received.
Most ransomware attacks target one organisation at a time – and usually small ones that they think won’t have the cyber security knowhow to realise that paying ransoms is a bad idea.
For example, Scotland-based Arran Brewery was hit by a ransomware attack last month. The Register reports that it was a targeted attack, writing that “adverts for an already filled financial post at the brewery were placed on recruitment sites worldwide. This, in turn, resulted in an influx of CVs.
“Amidst this, hackers appear to have sent a booby-trapped email message featuring a ransomware payload carried within a PDF file. When an Arran Brewery staffer opened this contaminated email, its systems were infected.”
The crooks demanded 2 bitcoin (about £10,000) to hand over the decryption keys, but the brewery declined. It lost three months’ worth of data as a result, but there was no guarantee that the crooks would keep their word and return the information. Moreover, paying the ransom would have made Arran Brewery a target for future attacks.
There are more ways your employees can mess up than you can think of. For example, they could lose a laptop or USB containing sensitive information, misconfigure databases, accidentally disclose information or let a crook into your building and access your files.
Indeed, Verizon’s 2018 Data Breach Investigations Report found that almost one in five data breaches was the result of human error.
Accidental breaches are impossible to eradicate, because people inevitably make mistakes. Sometimes it’s just negligence: the employee forgot to follow the rules. Other times, breaches are the result of miscommunication: an employee wasn’t told what to do.
Most human error-related breaches involve a little of both. Take this data breach at Boeing from 2016:
An employee was having difficulty formatting a spreadsheet, so he sent it to his spouse, who didn’t work at Boeing but was an Excel whiz. However, the document contained employees’ full names, places of birth, employee IDs, and, in hidden columns, Social Security numbers and dates of birth.
The employee definitely shouldn’t have shared the information with someone outside the organisation. But Boeing should have done a better job reminding its employees not to disclose sensitive information.
Organisations can address both these failings by emphasising information security staff awareness training. It will help employees understand their security responsibilities, as well as helping the organisation understand its weaknesses and what it needs to improve.
Crooks send tens of millions of phishing emails every year, impersonating legitimate organisations and attempting to get recipients to click malicious links or attachments. If you fall for their scams, you hand over your personal information or allow malware to infect your systems.
Phishing attacks are often generic messages sent in bulk in the hope of catching people off guard. You might receive a message claiming to be an invoice that you need to pay, or someone pretending to be a colleague might ask you to send over a document.
Attacks often take advantage of current events. For example, in the run-up to the 2018 FIFA World Cup, millions of people received emails claiming to be from Coca-Cola, one of the tournament’s sponsors, offering a $1 million lottery prize. All you had to do was follow the link and provide your personal details.
Except there was no prize. The crooks got hold of people’s names and financial details, and off they went on a fraud splurge.
Are you ready for a breach?
Find out how prepared your organisation is for a data breach with our new quiz, which will give you a breach readiness score as well as a personalised report on how #BreachReady you are. You will also get a summary of your answers with advice on how you can make sure you’re prepared.