Page 1: Governments "Big Lies Behind the Biggest Cybersecurity Data Breaches Globally"

The Big Lie Behind the Biggest Data Breaches

Posted: 09/02/2014 6:11 pm EDT Updated: 09/03/2014 3:59 pm EDT

By Neal O'Farrell, Security and Identity Theft Expert for CreditSesame.com

Enough with the data breach excuses already. Not only are they as jaded as the breaches themselves, they're often just not true. In the aftermath of almost every data breach, chances are you're going to get a boilerplate public statement that includes old reliables like: "The attack was very advanced and sophisticated," "We have not detected any fraud as a result," "There's no reason to believe the information will ever be used," and of course "Free credit monitoring for everyone in the audience." Except not right now, because it could take us a couple of weeks to set all that up.

Here's just a sample of the most recent data breach walk of shame in just the last few weeks:

The FBI announced that more than 1,000 retailers fell victim to the same malware as Target.
JP Morgan Chase fell victim to suspected Russian hackers.
300 oil companies in Norway were hacked.
UPS and Dairy Queen joined the hall of shame.

My personal favorite was when Community Health Systems in Tennessee announced on August 18th that while Chinese hackers had managed to steal more than 4.5 million patient Social Security numbers (yes, the worst kind of breach), the company couldn't see any reason why the hackers would actually use them. Really? So, why did they break in and steal them? By mistake? Oh, sorry, my bad, wrong server. Have a great day. But you're still not getting your data back.

But perhaps the most troubling truth about most of these hacks is that they weren't advanced or sophisticated. At least not advanced or sophisticated enough that they couldn't have been stopped. Seems like most of these hacks relied on the oldest trick in the hacker playbook. The hackers simply sent a malware-laced email to some careless employees who, by simply clicking on a link or attachment, let the hackers in. That's it. That's all. Nothing sophisticated or advanced about that. A simple trick targeted against a clueless or untrained user, and as famed hacker Kevin Mitnick used to say: "That's all she wrote baby, they got everything!"

That's exactly the trick that was used in the massive Target breach that exposed more than 110 million customer records. A 17-year-old created some malware that was then emailed to the employee of a small contractor who unhesitatingly opened the email and let the hounds of hell loose on a sleeping Target.

Looks like a similar tactic was used in the eBay breach in May of this year that affected possibly 145 million eBay users, when hackers simply sent infected emails to a select group of eBay employees. Same again in the most recent attack on JP Morgan Chase. Not to mention the successful attack against more than 300 energy and oil companies in Norway announced on August 27th.

There are clear patterns emerging:

Hackers target the easiest links and there are plenty of them. Millions of them.
The malware is tested on all the most common antivirus software first so the hackers already know your antivirus software won't catch it.
The biggest problem is that companies are simply not training their employees to be vigilant and to stop doing dumb things.
The attacks are not sophisticated or advanced, not really, not in the grand scheme of things.
The breached businesses are lying to you because the truth will have you seeing red.

The next time a breached business talks about how sophisticated the attack was, or how committed they have always been to security and privacy, try this never-fail litmus test. Ask them how often their employees are reminded or trained to be vigilant. If the answer is in the realm of once or twice a year, then you probably just found the hole in the fence.

Neal O'Farrell, security and identity theft expert for CreditSesame.com, is one of the most experienced consumer security experts on the planet. Over the last 30 years he has advised governments, intelligence agencies, Fortune 500 companies and millions of consumers on identity protection, cybersecurity, and privacy. As Executive Director of the Identity Theft Council, Neal has personally counseled thousands of identity theft victims, taken on cases referred to him by the FBI and Secret Service, and interviewed some of the nation's most notorious identity thieves.

Follow CreditSesame.com on Twitter: www.twitter.com/creditsesame
