BreachExchange mailing list archives

What we can learn from three key 2015 data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 7 Jan 2016 19:25:42 -0700

http://www.nhbr.com/January-22-2016/What-we-can-learn-from-three-key-2015-data-breaches/

As we look back on the companies that experienced data breaches or hacks in
2015, we can quickly ascertain that there is no longer a traditional target
for a data breach.

The traditional data breach target organization would have data that an
attacker could use for monetary or personal gain, such as financial
institutions or companies that hold personal or health information. All of
this data can be used to fraudulently establish credit or health services.

It seems that there has been a shift in 2015. Do not get me wrong – we
still saw a fair share of the traditional targets with organizations such
as the U.S. Office of Personnel Management, Anthem, Premera and Experian
making the news.

However, looking back at the 2015 hacks, it is the nontraditional targets,
such as Ashley Madison, the Hacking Team and VTech, that prove most
interesting. The target only depends on the motivation of the attacker.
Let’s take a deeper look into the nontraditional hacks.

 • Ashley Madison, the online personals and dating destination for married
people looking to have extramarital affairs, had 32 million of its customer
records posted publicly. As for the motivation, those who claimed
responsibility for the hack, the “Impact Team,” stated it was a matter of
morals. However, all is not necessarily as you would think. The company
that owns the site promised to delete customer data from the site for a fee
of $19, which the company failed to do.

 • The Hacking Team is an Italian cybersecurity company that builds
security solutions for law enforcement agencies, and it was hacked in 2015.
Following the announcement of the hack, it was learned that the company
built and sold software that is capable of spying on users of iPhones and
iPads, as well as Skype, WhatsApp, and Viber conversations. Motivation is
speculated as being retaliation.

 • The VTech hack really puts the nontraditional target into perspective,
with hackers stealing the personal information of millions of children
(including their pictures) and personal information of their parents. This
hack and data breach truly hits home and demonstrates that as we bring
technology into our innermost personal lives through our homes, we are
placing a lot of trust with those businesses who produce the products.

‘Risk profile’

What have we learned in hindsight from the 2015 hacks and data breaches?
That no matter who you are, or what your business is, you may be a target.

The important thing is to recognize the potential risk to your business
with a “risk profile” and begin to identify how best to protect your
business. It may seem like a daunting task, and it may be, if you don’t
prioritize according to risk. It’s like protecting your home: In order to
protect it properly, you want to start with the basics, such as using a
lock and/or deadbolt on your doors. If you live in the city or a
higher-than-average risk area, you may consider a dog or a security system
for extra protection.

Protecting your business needs the same approach. Start with the basics by
applying best practices, such as good password management for your systems
and applying patches as they come out. Then understand the “neighborhood” in
which you reside on the Internet. What extra precautions do you need to
put into place? If you are not sure, I would highly recommend that you have
someone come in and perform a risk assessment. It’s not as expensive as you
think, and it will save you money in the long run by prioritizing your
safeguards and identifying your “biggest bang for your buck.”

The most important thing for us to learn from 2015 is that we need to do
something. Ignoring the risks will not make them go away.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
