Keep reading, and remember we’re not trying to scare you! Data breaches are a fact of our digital age. Learning how they happen, who they happen to, and how victim companies respond can help you to improve your cybersecurity efforts.
Let’s look at some of the past week’s data breaches:
West Berkshire Council, UK – 1,107 records affected
In the UK, West Berkshire’s county council sent a leisure survey to 1,107 recipients. All of them could see each other’s email addresses. It’s a simple breach, a mistake rather than an attack. The council said in a statement:
“On 25 October, the council was made aware of an incident by which a large number of service users were copied into an email containing a survey about leisure centres.”
It appears to be a case of the email’s author using the CC field rather than the BCC field, which would have kept recipient email addresses hidden. In a second email to service users and affected residents, the council added:
“We’re really sorry that your email address was shared in this way.”
As per BBC reporting, West Berkshire Council has reported the breach, as required, to the Information Commissioner’s Office (ICO).
Desjardins Group, Canada – 4.2 million members
The Desjardins Group breach actually happened in June 2019. The Quebec-based federation of credit unions revealed personal information of three million members was, as per Global News, shared illegally by an employee.
The individual reportedly sent social insurance numbers and other such sensitive information of Desjardins’ members to outside parties. The group has now announced the breach is larger than previously thought and has affected 4.2 million individuals. Desjardins president and CEO, Guy Cormier, says:
“What we are announcing is not a new leak. This is an update on the same breach by the same malicious person.”
The accused employee has reportedly been fired. Quebec’s provincial law enforcers have questioned 17 “people of interest,” met with 91 witnesses, and conducted property searches, according to Global News. As well as action by Quebec’s police force, the breach is being investigated by the Office of the Privacy Commissioner of Canada, and Quebec’s access to information commission.
Desjardins Group provided affected members with Equifax credit monitoring in July and will now extend this provision to all of its members. As of the latest reports, there have been no discoveries of fraud due to the breach. Quebec’s Finance Minister Éric Girard has confirmed he is “satisfied” with how Desjardins Group is handling the data breach.
Web.com users warned to change their passwords
Internet registrar and website creation platform Web.com and a number of its subsidiaries have been affected by an apparent attack. Web.com says a third party gained access to some of its computer systems, and in a statement revealed that user account information may have been accessed.
Web.com has said that no credit card information was compromised, and users have been advised to change their passwords. The company has customers situated around the globe but its Register.com is a popular platform in New Zealand. As per Newshub, it revealed:
“Upon discovery of this unauthorised access, the company immediately began working with an independent cybersecurity firm to conduct a comprehensive investigation to determine the scope of the incident, including the specific data impacted.”
Customers based in New Zealand were informed of the breach last Monday; the incident occurred in August.
A SiliconANGLE report suggests the breach may have affected millions of users.
Washington University School of Medicine, St Louis, US
As per Becker’s Hospital Review, some patients of Washington University School of Medicine’s ophthalmology and visual sciences department could have had their information viewed by an unauthorized individual. The breach was discovered after patients received an “unusual letter”. The individual may have gained access to a university employee’s email account through their personal laptop.
Though there is no evidence that patient information has been misused, the exposed data could have included personal information, medical records, and health and social insurance numbers. The university has reportedly said in a statement:
“We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff on best practices for passwords and are making additional security enhancements.”
Cybersecurity education and security awareness training are vital for every employee
This past week’s breaches carry a clear message we can’t help but reiterate: education on cyber risk and cyber security awareness can prevent data breaches.
Both the West Berkshire Council and the Washington University School of Medicine breaches appear to be due to employee mistakes, or to a lack of knowledge or due attention. With the first, individuals appear to have been CC’d rather than BCC’d, whilst the latter could have been due to poor password practices. Though both breaches may have happened regardless of any knowledge or training, they might just have been prevented through education and greater security awareness.
Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.