Examples of Security Breaches & Best Practices to Thwart Them

Author: Kelley Donald - MarCom / Friday, October 28, 2022 / Categories: Business Internet

 


For a long time, the Target data breach was thought to be as bad as things could get.

In 2013, a hacker bypassed Target’s front-line defenses and instead infiltrated the system of its HVAC vendor, which then provided easy back-door access into the main Target network.

The breach led to the theft of the financial information of more than 40 million shoppers, right around the Christmas holidays, and cost the retailer hundreds of millions of dollars in investigations, customer restitution, and enhanced security improvements, not to mention plenty of reputational damage.

That activity and other similar cyberattacks around that time led other companies and public agencies to begin scrambling for ways to prevent something similar happening to them – or in some cases, such as the Office of Personnel Management, to discover that a major breach of personal information of government employees had already occurred but no one really noticed or knew what to do about it.

So we are all better and safer now, especially since Target has successfully patched its holes and put at least one hacker who contributed to the effort in jail?

Hardly. Although there’s more attention to cyberattacks, there are also more of them taking place at all levels.

According to TechRepublic, citing a report from SonicWall, all types of attacks are on the rise, especially attacks on networks. In 2021, intrusion attempts grew 11 percent from the previous year to 5.3 trillion, Internet of Things malware attacks rose 6 percent to 60.1 million, and encrypted threats grew 167 percent to 10.4 million.

Ransomware attempts grew by 105 percent to 623.3 million, and cryptojacking cases increased by 19 percent to 97.1 million, with approximately 2,170 ransomware attempts per customer and 20 attempts a second.

Malware infections did drop by 4 percent, but at 5.4 billion attacks in 2021, malware was still the second-highest attack type in terms of volume. Some hackers are even combining ransomware attempts with other attacks, such as stealing info or introducing malware for future access, and then threatening to lock or wipe the machine or network.

Security watchers say bigger companies like Target are still vulnerable, but some hackers may prefer to go after smaller businesses, which potentially could present less complex security. Plus, some formerly solo hackers are now working together, sometimes with support from hostile governments or organized crime, further boosting their abilities and resources.

Even individuals and small business owners thinking, “it can’t happen to me” can still be vulnerable to hacking attempts if they don’t take precautions to create or improve safety measures, including employee education.

Because cyberattacks are becoming more frequent and more severe, companies are improving their security best practices. Sometimes, showing documented attention to safety and compliance is required to enter into partnerships or contracts. It makes sense: it often costs less in the end to increase protection as compared to dealing with the legal, financial, and public fallout from a breach. Working with a forward-thinking company that plans for attacks rather than simply hoping they will not happen can also provide a good deal more confidence.

Recent breaches

There are plenty of success stories -- and failures -- to look at when considering security upgrades, along with possible legislative solutions.

Herff-Jones

In spring 2021, the company known for graduation apparel and yearbooks announced that a cybersecurity incident resulted in the theft of customer payment information. The 101-year-old Indiana-based company works with high schools, colleges, churches, teams, and other institutions and has plenty of data about hundreds of thousands of customers, including addresses and credit card info.

The breach triggered seven lawsuits alleging faulty record keeping, poor security, and negligence in failing to follow recommended cyber safety rules. It eventually turned into a class action suit representing thousands of potentially affected customers who used Herff-Jones payment data cards. Investigators believe that malware was introduced into the company’s network, and intruders first removed information to sell on the dark web and then used the customer info to make fraudulent purchases.

Although it denied specific allegations, Herff-Jones negotiated a class action settlement. Anyone who paid for anything between Aug. 1, 2020, and April 30, 2021, or paid for any monitoring/theft tools, could be eligible for benefits.

Drizly

The country’s largest alcohol delivery service announced in July 2020 that it suffered a breach earlier that year that exposed the personal info of 2.5 million customers, including names, addresses and passwords. At the time, it said no financial information was taken. It began its own investigation and encouraged users to change their passwords.

Although a class action settlement for all affected customers was considered, it was ultimately dismissed, and instead, a traditional settlement was approved in fall 2021. The settlement paid out $7.1 million, roughly up to $14 to each affected member, plus credit for service fees in future orders. The company also agreed to implement and maintain improved security measures.

Equifax

The credit monitoring service saw a breach of more than 147 million personal records in 2017. A forensic investigation revealed the problem stemmed from the non-renewal of one security certificate, which intruders were able to exploit to enter several networks.

The company eventually reached a $700 million settlement, where affected members were offered free credit monitoring tools for a year and then could pay for them. Those who already had these tools were offered $125 but those who did not were eligible for $7. Only about 10 percent, or 1.4 million, of the potential class agreed to these terms.

Breach best practices

There is certainly no end of reports of breaches, which seem to affect all sorts of businesses. So what can be done about them?

The best thing is to prepare well. Although there is plenty you can say and do after a breach takes place -- being honest goes a long way -- it is more useful to prepare and constantly update a prevention plan. Items on it can include:

  • Stronger software. Anti-virus/malware programs need to be updated regularly and put on devices besides desktop computers. Because more employees are working remotely post-COVID, viruses or malware can infect their personal mobile devices or home computers. Consider requiring separate devices or computers for work or personal use to avoid cross-contamination. Even extra authentication beyond a password to enter the network, such as requiring a text, helps.
  • Education/training. You could have super security, but a weak point could be an employee who opens the wrong email, clicks the wrong link, activates the wrong file, or plugs in an unknown thumb drive. Training can be provided in what to look for in phishing emails or how to detect bogus sites. This also includes education about what to do or who to alert if a ransomware attack happens. Remind employees that being vigilant now helps avoid damage later.
  • Create backups. If a ransomware breach occurs, having fresh system backups ready to go will result in little time off-line and little lost data. It will also allow the company to function while an investigation occurs on the affected machine or machines.
  • Section off areas of networks. Adding security levels to different areas can help, especially if IT can track who accesses certain high-security zones. A company might even consider putting its most critical data on a machine that is not connected to the network and must be accessed in person. This prevents hackers from breaching especially sensitive information even if they make it into the main network.

All these tasks can present a picture of smart compliance along with a possible road map to launch an investigation if a breach occurs.

Why compliance matters

Besides the basic principles of “avoiding bigger problems later,” what is the value of focusing on strong security? Plenty.

  • Customer confidence. Whether it is a new or existing customer, they want to make sure their information is protected. They may not understand the technical details of firewalls or double authentication, but they do want the reassurance that your company is taking every precaution it can to keep their data private and safe.
  • Technology changes fast. Protection should be thought of as a moving target rather than a fixed objective. Just because you prepared for last year’s threats does not mean that you will not be vulnerable to next year’s threats. Trying to always be on top of ongoing threats -- and what you can do about them -- is wise since new forms of attacks keep emerging.
  • Keep ahead of law changes. In order to encourage companies to take steps to improve their own cybersecurity, more municipalities are considering or passing legislation creating rules and policies such as increased penalties for online intruders or increased liability for companies that do not take steps to reduce breach risk. In 2021, 45 states and Puerto Rico proposed some sort of cybersecurity laws, and 36 states successfully created new laws. These ranged from authorizing studies to more closely examine future changes to codifying specific rule changes in the insurance industry. Some states offer financial incentives for companies that improve their security, and others added more procedures, such as requiring reporting to law enforcement if ransomware attacks take place.
  • Better future interactions. Expect to see more expectations or even requirements for cyber compliance, whether it’s vendors, sub-contractors or even contracts with municipalities. The State of Texas and the Federal Communications Commission have both offered tips and strategies to businesses to improve training and prevention efforts. The U.S. Department of Health and Human Services said that health care providers will be penalized less for HIPAA privacy violations if they indicate they have current security procedures in place. A ‘safe harbor’ law states that organizations that follow current cyber safety rules may see less severe penalties or shorter audits.

With the number of breaches steadily increasing, along with the damage this can cause organizations, it is vital to stay current with your security practices and incorporate new tools. Consolidated Communications is a preferred choice to create a customized defense plan for the present and future. Contact us to get started!

 

 
