The Big Lie Behind the Biggest Data Breaches
Posted: 09/02/2014 6:11 pm EDT Updated: 09/03/2014 3:59 pm EDT
By Neal O'Farrell, Security and Identity Theft Expert for CreditSesame.com
Enough with the data breach excuses already. Not only are they as tired as the breaches themselves,
they're often just not true. In the aftermath of almost every data breach, chances are you're going to get
a boilerplate public statement that includes old reliables like: "The attack was very advanced and
sophisticated," "We have not detected any fraud as a result," "There's no reason to believe the
information will ever be used," and of course "Free credit monitoring for everyone in the audience."
Except not right now, because it could take us a couple of weeks to set all that up.
Here's just a sample of the data breach walk of shame from the last few weeks:
The FBI announced that more than 1,000 retailers fell victim to the same malware as Target
JP Morgan Chase fell victim to suspected Russian hackers.
300 oil companies in Norway were hacked.
UPS and Dairy Queen joined the hall of shame.
My personal favorite was when Community Health Systems in Tennessee announced on August 18th
that while Chinese hackers had managed to steal more than 4.5 million patient Social Security numbers
(yes, the worst kind of breach), the company couldn't see any reason why the hackers would actually
use them. Really? So, why did they break in and steal them? By mistake? Oh, sorry, my bad, wrong
server. Have a great day. But you're still not getting your data back.
But perhaps the most troubling truth about most of these hacks is that they weren't advanced or
sophisticated. At least not so advanced or sophisticated that they couldn't have been stopped.
It seems most of these hacks relied on the oldest trick in the hacker playbook. The hackers simply sent
a malware-laced email to some careless employees, who let the hackers in by simply clicking on a link
or opening an attachment. That's it. That's all. Nothing sophisticated or advanced about that. A simple
trick aimed at a clueless or untrained user, and as famed hacker Kevin Mitnick used to say: "That's all
she wrote, baby, they got everything!"
That's exactly the trick that was used in the massive Target breach that exposed more than 110 million
customer records. Malware reportedly written by a 17-year-old did the damage inside Target, but the way
in was an email to the employee of a small contractor, who unhesitatingly opened it and let the hounds
of hell loose on a sleeping Target.
It looks like a similar tactic was used in the eBay breach in May of this year that affected possibly 145
million eBay users, when hackers simply sent infected emails to a select group of eBay employees. Same
again in the most recent attack on JP Morgan Chase. Not to mention the successful attack against more
than 300 energy and oil companies in Norway, announced on August 27th.
There are clear patterns emerging:
Hackers target the weakest links, and there are plenty of them. Millions of them.
The malware is checked against the most common antivirus products before it is sent, so the hackers
already know your antivirus software won't catch it.
The biggest problem is that companies are simply not training their employees to be vigilant and to
stop doing dumb things.
The attacks are not sophisticated or advanced, not really, not in the grand scheme of things.
The breached businesses are lying to you because the truth would have you seeing red.
The next time a breached business talks about how sophisticated the attack was, or how committed
it has always been to security and privacy, try this litmus test. Ask how often its
employees are reminded or trained to be vigilant. If the answer is once or twice a year,
you've probably just found the hole in the fence.
Neal O'Farrell, security and identity theft expert for CreditSesame.com, is one of the most experienced
consumer security experts on the planet. Over the last 30 years he has advised governments,
intelligence agencies, Fortune 500 companies and millions of consumers on identity protection,
cybersecurity, and privacy. As Executive Director of the Identity Theft Council, Neal has personally
counseled thousands of identity theft victims, taken on cases referred to him by the FBI and Secret
Service, and interviewed some of the nation's most notorious identity thieves.