In today’s world of deep fakes and fake news, perception gaps are understandable. However, the perception gap regarding cyber breaches and small businesses seems wider than the Grand Canyon.
A recent online survey conducted by Keeper Security confirmed that yawning perception gap. Although 67 percent of SMBs experienced a cyberattack within the last year, 66 percent of respondents believe an attack is “unlikely.” If these respondents stuck their heads any deeper in the sand, they would be ostriches.
The 2019 SMB Cybersecurity Study surveyed “500 senior decision-makers at SMBs” about their experiences and policies regarding cyber breaches. As it turns out, a whopping 60 percent of SMBs do not have a cyberattack prevention plan in place. According to the survey, only 9 percent of SMBs consider cyber security a top business priority. Meanwhile, 18 percent of SMB decision-makers rank it as their lowest priority.
At the same time, Forbes recently reported that Chinese hackers are suspected of conducting a July attack on U.S. utility companies. Authorities believe that the Chinese state-sponsored hacking group APT10 launched a spear-phishing campaign that targeted utility company employees. Supposedly sent by the National Council of Examiners for Engineering and Surveying (NCEES), the social engineering emails contained malicious Microsoft Word attachments.
Experts believe that APT10 previously compromised the systems of at least ten cellular carriers around the world. This Chinese attack follows organized campaigns against the U.S. infrastructure by Iran, North Korea and Russia. In addition to targeting utilities, foreign hackers are also going after the financial services industry, as well as aerospace and defense companies.
Now for this week’s news stories about cyber breaches affecting organizations across the country.
U.S. CYBER BREACHES (Aug. 1-14, 2019)
The Los Angeles Police Department sent out a notification about a data breach that exposed the information of both officers and applicants. Over 17,000 applicants had their information exposed in the breach. Stolen data included names, emails, dates of birth, partial employee serial numbers and passwords. Officials did not offer an explanation for the cause of the data breach, but an investigation is ongoing.
Washington-based Premera Blue Cross, the largest health insurer in the Pacific Northwest, could pay $74 million to settle a court case related to a 2014 data breach. The $74 million settlement would include $32 million to pay damages to affected customers and $42 million to improve cyber security. Premera knew about security vulnerabilities in its system before a phishing email caused a data breach, but did nothing to address the problems. A consulting firm later found that agents associated with the Chinese government instigated the breach.
A July cyberattack extended summer vacation by at least two weeks for students in Houston County, Alabama. This marks the second time that the district postponed the first day of school since a malware attack compromised its system. Although Houston County did not receive a ransom demand, all 4,000 district computers need to get reconfigured before the network can come back online. In the meantime, Houston County schools are returning to a paper-based system.
An “unauthorized third party” accessed names, usernames, genders, city data, email addresses and more from Poshmark, an online clothing marketplace. Poshmark claims that customer financial data did not get compromised in the attack, but outside forensics firm Kroll is still investigating the incident. Poshmark boasts roughly 50 million users.
The network of Papillon-La Vista Community Schools got hit with a costly phishing attack in May. In addition to rebuilding the servers and replacing computers and hard drives, some teacher laptops will also need to get replaced. Unfortunately, the district does not carry cyber insurance, which might have mitigated some of the costs. Meanwhile, the FBI is still investigating the attack. Cyber breaches of public schools seem to be on the rise, if only because hackers love to target low-hanging fruit.
After an unauthorized person accessed the PII of 183,000 patients and health plan members, Albuquerque-based Presbyterian Health Care Services started mailing data breach notification letters on Aug. 2. The exposed information includes names, dates of birth, Social Security numbers and more. Although the cyberattack began on May 9 when multiple employees clicked a phishing email, Presbyterian Health did not become aware of the breach until June 6. Presbyterian Health is offering free credit monitoring and identity protection to anyone affected by the breach.
A successful spear-phishing attack on city employees will cost the Southwest Florida beach town of Naples a whopping $700,000. The attacker posed as a representative from Wright Construction Group, a company contracted to do infrastructure work in downtown Naples. While Naples’ data systems did not get impacted, the city still lost $700,000 in an apparent wire transfer scam.
Education software company Pearson announced an attack on its AIMSweb 1.0 system. The attack compromised data on at least 100,000 students at more than 13,000 schools and universities. Exposed PII includes names, dates of birth and email addresses, but not Social Security numbers or credit card data. A popular third-party vendor, Pearson is offering complimentary credit monitoring to affected students.
After the Pearson story broke, affected schools across the country started getting identified. Clark County School District in Nevada announced that the breach compromised the data of both students and staff members. Meanwhile, the PII of nearly 4,000 past and present students at Victor Central School in New York got leaked in the breach.
Online fashion and sneaker trading platform StockX recently sent out a password reset email to users, claiming that it related to “system updates.” However, it turns out that StockX suffered a cyber breach in May, with customer data stolen and sold on the dark web. The stolen data included names, email addresses, scrambled passwords and other profile information. Headquartered in Detroit, StockX recently got valued at $1 billion.
Not all cyber breaches result from a direct attack by hackers. State Farm, the largest property and casualty insurance provider in America, recently got breached through a “credential stuffing attack.” In this type of attack, hackers buy or steal usernames and passwords from other data breaches. Then, the hackers use those credentials to log in to other sites, since many people use the same password for multiple accounts.
In this case, the hackers were able to get usernames and passwords from State Farm policyholder accounts. State Farm claims that no personal information got viewed, but the company still reset all passwords for breached accounts. This security incident only underlines the importance of adopting smart password policies, both for yourself and your business.
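For defenders, credential stuffing leaves a recognizable pattern in login logs: one source tries many different accounts once or twice each, instead of guessing repeatedly at a single account. The following detection sketch is an added example, not part of the original article; the log format, thresholds and addresses (documentation ranges) are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict

MIN_ACCOUNTS = 10       # assumed threshold: distinct usernames tried from one source
MAX_TRIES_PER_USER = 2  # stuffing tries each stolen pair only once or twice

def build_sample_log():
    """Constructed log lines: '<timestamp> <source_ip> <username> <OK|FAIL>'."""
    lines = [f"2019-08-05T10:00:{i:02d}Z 203.0.113.7 user{i} {'OK' if i == 7 else 'FAIL'}"
             for i in range(12)]                       # many accounts, one try each
    lines += [f"2019-08-05T10:05:{i:02d}Z 198.51.100.9 bob FAIL"
              for i in range(12)]                      # one account, many guesses
    lines += ["2019-08-05T10:09:00Z 192.0.2.4 carol FAIL",
              "2019-08-05T10:09:20Z 192.0.2.4 carol OK"]  # a user mistyping once
    return lines

def analyze(lines):
    """Return ({ip: verdict}, sorted accounts that need a password reset)."""
    attempts = defaultdict(list)                       # ip -> [(user, result)]
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue                                   # skip malformed lines
        _, ip, user, result = parts
        attempts[ip].append((user, result))
    verdicts, to_reset = {}, set()
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        tries_per_user = len(events) / len(users)
        if len(users) >= MIN_ACCOUNTS and tries_per_user <= MAX_TRIES_PER_USER:
            verdicts[ip] = "credential-stuffing"
            # A success from a stuffing source means a reused password worked.
            to_reset.update(u for u, r in events if r == "OK")
        elif len(users) == 1 and len(events) >= MIN_ACCOUNTS:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "normal"
    return verdicts, sorted(to_reset)

if __name__ == "__main__":
    verdicts, to_reset = analyze(build_sample_log())
    for ip, verdict in verdicts.items():
        print(ip, verdict)
    print("reset passwords for:", to_reset)
```

Accounts that logged in successfully from a flagged source are the ones to reset, which mirrors the password resets State Farm performed for the affected accounts.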
Over three months after the Baltimore Ransomware Attack first became public, a sense of normalcy is finally returning to the city. On Aug. 7, the city sent out water bills for the first time since the attack started on May 6. The bills are going out in batches of 10,000 per day, and they reflect charges for April, May, June and July.
The Fire Department of New York started notifying people about a recent data breach affecting more than 10,000 patients. Rather than a hack, the information got compromised when an employee downloaded patient data to an external hard drive, which subsequently got stolen.
Although the theft happened five months ago, FDNY is just now making it public. Compromised PII includes names, addresses, telephone numbers, dates of birth, insurance numbers and Social Security numbers. FDNY is offering free credit monitoring to the roughly 3,000 patients whose Social Security numbers got compromised.
A lawsuit with over 100 class members got filed against Epic Games, the company behind the popular online game Fortnite. The suit claims that Epic failed to “maintain adequate security measures and notify users of the security breach in a timely manner.” Epic went public with the incident in Jan. 2019, two months after the XSS attack occurred. Millions of users had their PII exposed in the attack.