Talking about all the latest data breaches might seem a little like scaremongering. But, it’s not. Each data breach that hits the press may hold an important lesson in how breaches occur, the impact of them, and sometimes how to or how not to deal with a data breach.
A Ponemon Institute study on behalf of IBM found the average amount of time to identify a data breach is 197 days. And, the average time to contain a data breach even after it is identified is 69 days.
Let’s look at some of last week’s data breaches:
The Home Group – affecting 4,000 customers
On October 21, 2019, the BBC reported that Newcastle-based Home Group had experienced a breach affecting 4,000 customers. The breached data included customer names, addresses and contact information, but not says the BBC, financial data.
The Home Group is a UK charity providing rented homes to 116,000 tenants in England and Scotland. The breach itself was identified by a third-party cyber security expert and was apparently resolved with 90 minutes.
The Home Group’s chief financial officer, John Hudson, spoke on the matter saying:
“We have a robust incident response protocol in place to deal with situations such as this, which meant the vulnerability was identified and fixed extremely quickly.”
The cyber attacker would have needed “expert cyber security knowledge” according the report. And, the Home Group says, it follows strict guidelines and protocols and has contacted all customers involved.
7-Eleven’s Fuel Application
A petrol buying application created by 7-Eleven which has been downloaded two million times was taken offline on Thursday, October 25,2019, for a number of hours.
As per The Guardian reporting a customer found he was able to access the personal information of other customers in his application including being able to see the amount of money in the other customers account. When he logged out, and back in, he could see a different person’s account.
The customer informed 7-Eleven who have only said so far that the matter is under investigation. The company did take the application down for maintenance, returning it to operation later in the day. A spokesperson said:
“The 7-Eleven Fuel App experienced a technical issue. The issue has been resolved, and the 7-Eleven Fuel App is now online for all customers. We are continuing to investigate and have informed the relevant authorities.”
The Guardian notes that under Australian law companies must inform “the office of the Australian information commissioner and affected people when a data breach involving personal information is likely to result in serious harm.” And, the publication reports the commissioner’s office was notified.
Adobe Creative Cloud
This Adobe breach first emerged on October 19 discovered by security researcher and data-breach hunter Bob Diachenko. Comparitech and Gizmodo broke the news which revealed customer records of 7.5 million Adobe Creative Cloud users were discovered online in an exposed database.
There’s no news yet as to whether the records were discovered by any illicit actors, who theoretically could use them to conduct social engineering and spear fishing cyber-attacks on the Adobe Customers. The data exposed reportedly didn’t contain passwords and payment information, but did include information on customer accounts, products used, member ID’s, and subscription and payment statuses. Adobe reportedly responded quickly and secured the exposed database on the same day saying:
“We are reviewing our development processes to help prevent a similar issue occurring in the future.”
Experts have warned that Adobe customers should be on the lookout for suspicious emails purporting to be from Adobe. This would indicate cybercriminals have gotten hold of some of the data and are using it to trick customers into falling for revealing more information or allowing malware infections into their home systems or corporate networks.
The Betty Jean Kerr People’s Health Center – St Louis, US.
Lastly this week for data breaches, a St Louis health centre revealed Friday they had been victim of a ransomware attack where patient addresses and social security numbers were locked by attackers. The cybercriminals demanded a ransom to unlock the data, the center refused and contacted police. To date it’s not known if the patient records, potentially pertaining to up to 152,000 individuals, have been viewed or access by the attackers.
Knowledge is power
When data breaches hit the news we often only hear the headlines, sometimes even about a fraction of a whole breach, over time we get the full story. Sometimes that story is better for the company involved, other times it is not.
For cybersecurity managers it’s worth watching how these incidents and others like them play out to get important insights for data protection and security. We’ve said it before, but an important part of cybersecurity is security awareness and of course, knowledge is power. Being armed with the knowledge of what cyber risks exist, how they permeate a business, and how to protect against them, is part of the foundation for an effective cybersecurity strategy.
Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.