The Ponemon Institute released the 14th edition of its annual “Cost of a Data Breach Report” earlier this month. As you might expect, the numbers do not exactly inspire encouragement.
According to the report, the average 2019 data breach cost $3.92 million, an increase of 1.3 percent over 2018. Among the four categories of breach-related costs, Lost Business accounts for the highest share (36.2%), followed by Detection and Escalation (31.1%) and Post-Breach Response (27.3%).
Some other key findings from the Ponemon report:
- Heavily regulated industries incurred the most costs, with healthcare costs running 65 percent higher than average
- Malicious attacks cost over one-third more than system glitches or human errors
- It takes a cumulative 279 days to contain a data breach, 4.9 percent longer than in 2018
- America incurred the highest cost of a data breach by country, at $8.19 million per incident
Another new report, this time coming from Juniper Research, found that the annual total cost of data breaches will reach $5 trillion by 2024. That estimate accounts for data breaches around the world, although North American businesses will absorb the largest share. The yearly cost of worldwide data breaches currently sits at about $3 trillion. According to the report, the upswing “will primarily be driven by increasing fines for data breaches as regulation tightens.” Even worse, Juniper forecasts that by 2024, most cyber incidents will target small- to medium-sized enterprises.
Without further ado, let’s dive into this week’s network security news roundup.
U.S. NETWORK SECURITY NEWS (Sept. 1-16, 2019)
It’s bad enough when hackers target schools and city governments, but now the evildoers are attacking our chocolate. Kansas City-based candy giant Russell Stover recently announced that customer credit and debit card information got exposed in a cyberattack. The attack only affected customers at Russell Stover’s brick-and-mortar stores, not any online customers.
The breach started when Russell Stover point-of-sale systems got infected with malware in February of this year. First and last names, payment card numbers and expiration dates got exposed by the breach. Russell Stover advises customers to monitor their financial statements for any suspicious activity.
In a potentially devastating development for a company that built its reputation on security, news broke that nation-state hackers infected Apple iPhones with spyware for two years. The attack exploited a security vulnerability that Apple patched earlier this year without notifying affected customers.
A visit to a “small number of tainted websites” would infect the iPhone and initiate the installation of a “monitoring implant” on the device. This type of scheme is known as an “indiscriminate watering hole attack.” Once the implant was installed, hackers could see a user’s texts, emails, photos, location data and more.
Hackers infected the network of this Pennsylvania school district with malware over Labor Day weekend, just as students returned for the fall semester. Once they learned about the attack, district IT workers disabled the districtwide network to prevent any further damage. Meanwhile, the district sent a letter to parents with assurances that financial information remained safely stored offsite.
Homeland Security, the FBI and the Secret Service will assist with recovery efforts, along with local authorities and a cybersecurity company. However, Souderton Area School District refused to reveal the full extent of the attack.
More fallout from the disastrous Pearson data breach that compromised the PII of nearly one million students across 13 states. An Illinois woman and her daughter filed suit against British-owned educational publisher Pearson. The lawsuit alleges that Pearson concealed the breach from parents and students for more than four months. Illinois was one of the states most heavily affected by the data breach.
Flagstaff Unified School District in Arizona canceled classes for several days earlier this month following a ransomware attack. The district plans to restore its systems through data backups, rather than pay the ransom. Other Arizona school districts started performing security assessments to make sure they didn’t suffer a similar attack.
As the PII of children gets increasingly targeted, schools need to step up cyber security through network monitoring and improved password policies. After experiencing a ransomware attack earlier this year, school board officials at Rockford Public Schools in Illinois will vote on a proposal to spend over $376,000 on IT upgrades. Some of the proposed upgrades include improved network security, backup software and security awareness training for district employees.
Some network security news stories come with a happy ending. When city computers in New Bedford, Mass. got encrypted by a Ryuk ransomware attack in July, the hackers demanded $5.3 million in bitcoin to release the data. The city offered $400,000 as a stalling tactic, then used that time to restore most of their information through a data backup service. According to a study by the research firm Recorded Future, only 17 percent of municipalities attacked with ransomware end up paying the hackers.
FBI officials are investigating a $4.2 million cyber theft from a fund for retired Oklahoma state troopers and state agents. The attack occurred on Aug. 26, the result of a hacked employee email account. A spokesperson for Oklahoma Gov. Kevin Stitt said the matter “underscores the importance of modernizing and consolidating the state’s information technology infrastructure.”
The data breach of a third-party vendor exposed the PII of children and parents associated with the Boy Scouts of America. BSA uses Trails End to facilitate online sales of popcorn, which helps sponsor activities and events. Some of the PII potentially exposed in the breach includes full names, dates of birth, email addresses and phone numbers. Over 2 million children and over 1 million adults belong to the Boy Scouts, although the BSA did not announce how many users the breach affected.
Within two days, two different Florida school districts announced that a “ransomware incident” disrupted their networks. Jackson County discovered the virus late on a Friday afternoon, shutting down servers to prevent further infection. The cyberattack got publicized the following Monday morning. Just one day later, Wakulla County revealed that a similar incident made emails inaccessible districtwide. Both districts will work with forensic firms to investigate the incidents. As of press time, it remains unclear if anything links the two attacks.
Wolcott Public Schools in Connecticut recently experienced its second cyberattack in the last three months. Last June, Wolcott got hit with a ransomware attack that shut down the school computer systems. When the second attack got discovered on Sept. 4, the Wolcott IT director shut down school computer systems to prevent a similar incident. Teachers and students are working without email and internet access while international security firm Kivu investigates the attack.
A March data breach compromised the PII of customers of Lyons Companies, one of the top insurance brokers in Delaware. This incident started on March 12, when the firm noticed “unusual activity” on an employee email account. After a lengthy investigation, Lyons determined that two employee accounts got compromised in the attack. Personal information contained in the exposed accounts includes customer names, driver’s license numbers, birthdates, bank account information, patient health information and some Social Security numbers.
Three North Korean hacking groups suspected of stealing roughly $2 billion received an official sanction from the United States Treasury. The hacking groups pulled off some of the most notorious cyberattacks in recent years, including the Sony hack in 2014 and the WannaCry ransomware attack in 2017. Sanctions make it easier to seize assets of the hacking groups, which funnel stolen money into North Korea’s missile programs. It’s not just the United States getting attacked, as the hacking groups also targeted banks in India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile and Vietnam.
Photos, videos and reports related to pending investigations got lost in a cyberattack against the Robstown Police Department in Texas. RPD servers got “hacked and/or compromised by a virus sometime in the last couple of weeks,” according to a press release from the Nueces County District Attorney’s Office. The lost evidence relates to all pending investigations from 2018 and 2019. Robstown officers will need to use a written list of cases to figure out precisely what data was lost.
The U.S. Commodity Futures Trading Commission (CFTC) levied a $1.5 million fine against Phillip Capital Inc (PCI). The penalty stems from a Feb. 2018 phishing attack that targeted a PCI employee. After the hackers acquired company credentials, they initiated a $1 million wire transfer from a PCI client to a Hong Kong bank. CFTC’s fine includes $1 million in restitution to the victim, as well as $500,000 for not informing customers about the data breach.
The Federal Emergency Management Agency (FEMA) recently informed 2.5 million natural disaster survivors that their PII got exposed by a third party. FEMA mistakenly shared data with a third-party contractor, impacting anyone who applied for temporary housing assistance between 2008 and 2018. In addition to personal information, banking information got shared in most cases. People affected by the breach can receive 18 months of free credit monitoring from FEMA.