Posted by Trevagh Stankard on Thu, Jan 7th, 2021
Businesses have had to deal with a lot of challenges in 2020, data breaches being a large concern. Moving to remote working, retaining customers, and a surge in cyber-attacks have meant that organizations the world over have had a difficult year. The specter of the cyber-threat knows no boundaries, and companies of all sizes, across all sectors, are open to attack. For example, in December 2020, a renewable energy firm, People’s Energy, suffered a data breach that impacted at least a quarter of a million customers. The breach resulted in stolen data, including names, addresses, phone numbers, and email addresses, as well as energy-related data. Worse still, the firm’s small business clients also had bank account details stolen.
When data is stolen, it doesn't end there: data is a lucrative commodity and the gift that keeps on giving well into 2021.
Methods and mechanisms of data theft
The People’s Energy data breach was attributed to an unauthorized person gaining access to internal systems and databases, and subsequently to customer information. How exactly this happened has yet to be revealed. However, certain tried and tested techniques are likely to be behind this and most other data breaches. These cyber-attack tactics include:
Chances are, the People’s Energy breach, like many similar breaches, began with a phishing email, or more likely a spear phishing email. As mentioned in a previous blog, phishing is used in 90% of data breaches, with 1 in 3 employees clicking on a link in a phishing email. The phished employee typically enters login credentials into a spoof login page; the fraudster captures those credentials, uses them to access real company resources, and often sells them on to other fraudsters.
The 2020 Verizon Data Breach Investigations Report (DBIR) noted that in 43% of all data breaches, web applications were the target. During 2020, a noticeable increase in misconfigurations of web apps, servers, and other components led to exploitable vulnerabilities. A 2020 survey of cloud engineering and security teams concurred, with 73% seeing more than ten incidents a day.
Remote Working Threats
2020 has, more than any other year, presented many firms with the challenge of dealing with a remote workforce. This included an increase in phishing attacks focusing on remote workers. Remote working has meant that businesses have had to increase their use of online collaboration platforms and apps like Microsoft 365. This has seen the attention of cybercriminals turn towards these apps, exploiting vulnerabilities and using social engineering tactics (including phishing) to gain entry via cloud apps.
The Results of Stolen Business and Personal Data
People’s Energy is a good case in point of what can happen after a data breach to both the company and its customers:
Breach notifications and regulatory compliance: In the People’s Energy breach example, the company had to abide by the UK’s data protection law (DPA 2018) and make a public notification about the breach as well as contact customers directly. Depending on an organization's location and industry sector, any company affected by a data breach will have to notify the appropriate authority of the details of the breach.
Fines: Regulations, such as GDPR, CCPA, HIPAA, and others, typically have clauses whereby if a company has not taken due care in protecting personal data then a fine is issued. For example, the GDPR fine tracker shows that in 2020, there were over 300 fines issued for GDPR non-compliance. This included a fine to British Airways of over 22 million euros for “insufficient technical and organizational measures to ensure information security”.
Reputation losses: The impact of a data breach goes way beyond fines for non-compliance with data protection laws. Company reputation is impacted too. Customer relationships are built on trust and when data is stolen, that trust is affected.
Once data is stolen it is used over and over to commit fraud. In the case of the People’s Energy data breach, this data also included business financial data. Such data can then be used either to directly remove funds from the corporate bank account or in persistent fraud and scams. Cybersecurity trends such as wire fraud and Business Email Compromise (BEC) are of concern going into 2021. Phishing attacks and general data breaches all feed into the potential for business-related cybersecurity scams. The FBI recently chimed in on the issue, putting out an alert on BEC scammers who have been observed taking advantage of the auto-forwarding feature when an email account is compromised. The fraudsters exploit the fact that many businesses do not sync web-based email client forwarding rules with the desktop client. The result is that system administrators cannot detect when fraudsters send malicious emails from a compromised account. The FBI alert also refers to fraudsters targeting Microsoft Office 365.
The FBI alert provides several mitigating measures that can help protect a business against BEC and similar fraud including:
- Enable security features that block malicious email, such as anti-phishing and anti-spoofing policies.
- Ensure both the desktop and web applications are running the same version to allow appropriate syncing and updates.
- Enable multi-factor authentication for all email accounts.
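Because forwarding rules created through the web client may never appear in the desktop client, the practical check is to audit rules server-side rather than on the user's machine. The script below is an added example, not code from the original post or from the FBI alert: it assumes an export of per-mailbox inbox rules as a list of dictionaries (the field names and the `ORG_DOMAINS` set are constructed assumptions) and flags every rule that forwards or redirects mail to an address outside the organization, including disabled rules, since those can be re-enabled later.

```python
"""Flag mailbox rules that auto-forward or redirect mail outside the organization."""
from dataclasses import dataclass, field

# Assumed internal domains; replace with the organization's own accepted domains.
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample export of inbox rules (field names are assumptions).
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Invoices to finance", "enabled": True,
     "forward_to": ["finance@example.com"]},
    {"mailbox": "alice@example.com", "name": ".", "enabled": True,
     "forward_to": ["archive.mail@webmail-example.net"]},
    {"mailbox": "bob@corp.example.com", "name": "Backup", "enabled": False,
     "redirect_to": ["bob.personal@freemail-example.org"]},
    {"mailbox": "carol@example.com", "name": "Mirror", "enabled": True,
     "forward_as_attachment_to": ["helpdesk@corp.example.com", "ops@notexample.com"]},
]

TARGET_FIELDS = ("forward_to", "forward_as_attachment_to", "redirect_to")


@dataclass
class Finding:
    mailbox: str
    rule: str
    enabled: bool
    external_targets: list = field(default_factory=list)


def _domain(address: str) -> str:
    """Lowercase domain part of an SMTP address, '' if there is no '@'."""
    return address.rpartition("@")[2].strip().lower() if "@" in address else ""


def is_internal(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True only for an exact org domain or a subdomain of one (not look-alikes)."""
    dom = _domain(address)
    return any(dom == od or dom.endswith("." + od) for od in org_domains)


def find_external_forwarding(rules, org_domains=ORG_DOMAINS):
    """Return one Finding per rule that sends mail to any external address."""
    findings = []
    for rule in rules:
        targets = [t for f in TARGET_FIELDS for t in rule.get(f, [])]
        external = sorted({t for t in targets if not is_internal(t, org_domains)})
        if external:  # disabled rules are reported too: they can be switched back on
            findings.append(Finding(rule["mailbox"], rule["name"], rule.get("enabled", True), external))
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RULES):
        print(f"{f.mailbox}: rule {f.rule!r} (enabled={f.enabled}) -> {', '.join(f.external_targets)}")
```

Rules with blank or single-character names, as in the second sample record, deserve a closer look because they are easy to overlook in a long rule list.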
Closing the data breach gap in 2021
The gap between secure systems and cybercriminal activity must be closed to prevent data breaches in 2021. Research from a consortium made up of Google, PayPal, Samsung, and Arizona State University provides some intelligence on how to mitigate phishing campaigns. The results set out several effective mechanisms to prevent phishing-based attacks that end in stolen data. These include browser-based warnings, which within one hour of detection can reduce phishing successes to 71.51%. The researchers conclude, however, that proactive mitigation and an extended anti-phishing ecosystem are the best way to deal with sophisticated and complex campaigns to steal data.
In 2021, we should expect that data breaches will continue to be the food that fuels cybercrime. However, with some mitigating measures that focus on reducing the likelihood of phishing, businesses can make inroads into a complex system of attacks.
Protect your organization in 2021 from data breaches by using an email security solution such as SpamTitan. Start a free trial and discover how SpamTitan can protect your organization and customers. Start Free Trial today.