Office of Personnel Management Director Katherine Archuleta resigned last Friday, a day after revealing that the recent data breach of employee information was much larger than originally thought and had probably affected 22.1 million current, former and prospective US government employees and their family members. Archuleta’s departure has been confirmed in an email she sent to OPM staff. Beth Cobert, previously the U.S. chief performance officer and a deputy director at OPM, has taken over as the acting director of OPM since last Saturday.
Category: Data Breach Page 3 of 4
As a protest against the Indian government’s recent push on net neutrality and Digital India, AnonOpsIndia, a hacktivist group, compromised BSNL (Bharat Sanchar Nigam Limited) Telecommunications’ websites on Friday. Prior to the BSNL hack, AnonOpsIndia, usually referred as “Anonymous India,” has already compromised the nation’s PAN database and a coal-sector website last week.
A new report from the U.S. Government Accountability Office (GAO) suggests that U.S. banking regulators must hire and train more examiners with technology expertise to give more useful cyber security recommendations to small and mid-sized banks. According to GAO, many U.S. credit unions are vulnerable to cyber threats from outside vendors that help run their businesses, because their overseer, the National Credit Union Administration (NCUA) lacks authority to review technology practices of those companies.
If businesses are to survive the growing threat of DDoS (Distributed Denial of Service) attacks, then DDoS protection must evolve quickly and respond even faster. Hackers have no shortage of options when it comes to launching DDoS attacks. In early October, Akamai warned that hackers are now targeting Universal Plug and Play devices, or UPnP, to launch their attacks. The firm estimated that there were more than 4 million UPnP devices, from home routers to web cams, that were vulnerable to being conscripted by hackers to launch devastating DDoS attacks.
It’s been a good time for malware and its authors, but a very bad time for businesses and especially those that have suffered a data breach. A variety of point of sale (PoS) malware has run rampant through thousands of business and retailers in just the last few months, creating a massive haul of stolen credentials for hackers worldwide. And making consumers a very nervous bunch.
The Home Depot Data Breach
The latest victim is Home Depot, which only just announced that it had lost at least 56 million customer credit and debit cards to hackers who used a variant of PoS malware that’s growing in popularity amongst criminals — because it apparently works very well.
As yet another series of data breaches unfolds, there’s been more focus on PCI compliance than ever before. And for good reason. Apparently the PCI Standards Council, the body that overseas PCI, thinks that too many companies are failing in their obligations.
In just the last two weeks we’ve seen major data breaches announced at firms like JP Morgan Chase, Community Health Systems (4.5 million Social Security Numbers exposed), UPS, Dairy Queen, and more than 1,000 retailers.
There’s no such thing as an easy security breach. Unless of course you’re a hacker — all too often they seem to easily breach the security of way too many websites. (Check out the OWASP Top 10 to learn more about common exploits)
But if you’re a business owner, being the victim of a data breach is certainly costly. Just how costly is a data breach? Well, that depends a great deal on circumstances and luck.
But here’s just a selection of some of the costs you might be facing:
Seems like hardly a day goes by without a report of yet another data breach. And that’s because a day doesn’t go by without one. There has been an average of one reported data breach every day for the last five years, and 2014 has no intention of bucking the trend.
According to the non-profit Identity Theft Resource Center, there have been 411 reported data breaches in the U.S. in the first six months of this year. That works out to an average of more than two data breaches every day. And those data breaches combined have exposed an estimated 11 million records.
Did you know that there was an average of one data breach every single day in the U.S. last year? That more than 800 million records were exposed in data breaches last year? Or that the average cost of a data breach is now a staggering $3.5 million?
These are not statistics you want to be part of or costs you want to incur. So remember the following tips as part of your breach prevention program:
It’s not often we get a chance to attend a security breach postmortem — a step-by-step, hack-by-hack, mistake-by-mistake account of what went so horribly wrong. The U.S. Commerce Department recently presented their report into all the mistakes Target made, and which could have avoided, in its recent massive data breach.
The report provides what’s referred to as an “intrusion kill chain” that highlights all the places Target had a chance to spot the breach and stop it. But missed. For example:
- The hackers were able to identify a potential Target vendor or supplier to exploit because Target made such a list publicly available. That was the starting point for the hackers.
- The vendor targeted had very little security in place. The only malware defense they appeared to have used to protect their business was free software meant for personal and not business use.
- The vendor’s employees had received little if any security awareness training, and especially on how to spot a phishing email. So the hackers used a phishing email to trick at least one of those employees into letting them in the back door.
- Once in the vendor’s systems, the hackers were able to use stolen passwords without the need for authentication because Target did not require two-factor authentication for low-level vendors.
- The hackers are suspected of gaining further access from the vendor by using a default password in the billing software the vendor used. If the default password had been changed, the attack might have stopped right there.
- There were few controls in place to limit access the vendor had on the Target network. Once the vendor had been compromised, Target’s entire networks were exposed.
- When the hackers installed their Point of Sale malware on Target’s networks and began testing the malware, that activity was detected by Target’s security systems but the alarms were simply ignored.
- When the hackers created an escape route and began moving the stolen data off Target’s networks, that activity triggered alarms too but once again, the alarms were ignored.
- Some of the data was moved to a server in Russia, an obvious red flag for Target security which once again was missed.
- The login credentials of the vendor were used throughout the attack, yet Target’s security system wasn’t able to detect that those credentials were being used to perform tasks they weren’t approved for.
We keep saying that every business large and small has important lessons to learn from Target. Don’t waste the opportunity. Double-check your own security and see if there are any obvious gaps you haven’t spotted but need to be sealed. Need help? Give SiteLock a call any time, 24/7/365, at 855.378.6200.