By Neal O'Farrell, Security and Identity Theft Expert for CreditSesame.com
Enough with the data breach excuses already. Not only are they as tired as the breaches themselves, they're often just not true. In the aftermath of almost every data breach, you can count on a boilerplate public statement built from the old reliables: "The attack was very advanced and sophisticated," "We have not detected any fraud as a result," "There's no reason to believe the information will ever be used," and of course "Free credit monitoring for everyone in the audience." Except not right now, because it could take a couple of weeks to set all that up.
Here's a sample of the data breach walk of shame from just the last few weeks:
- The FBI announced that more than 1,000 retailers were hit by point-of-sale malware of the same kind used against Target.
- JP Morgan Chase fell victim to suspected Russian hackers.
- More than 300 oil and energy companies in Norway were hacked.
- UPS and Dairy Queen joined the hall of shame.
My personal favorite came on August 18th, when Community Health Systems in Tennessee announced that Chinese hackers had stolen data, including Social Security numbers, on more than 4.5 million patients (yes, the worst kind of breach), and then added that the company saw no reason why the hackers would actually use it. Really? So why did they break in and steal it? By mistake? Oh, sorry, my bad, wrong server. Have a great day. But you're still not getting your data back.
But perhaps the most troubling truth about most of these hacks is that they weren't advanced or sophisticated at all. At least not so advanced or sophisticated that they couldn't have been stopped.
Most of these hacks seem to have relied on the oldest trick in the hacker playbook. The attackers sent a malware-laced email to a few careless employees, and one click on a link or attachment let them in. That's it. That's all. Nothing sophisticated or advanced about it: a simple trick aimed at an untrained user, and, as famed hacker Kevin Mitnick used to say, "That's all she wrote baby, they got everything!"
That's exactly the trick that opened the door in the massive Target breach, which exposed more than 110 million customer records. A phishing email went to an employee of a small contractor, who unhesitatingly opened it; the malware it carried stole the contractor's login credentials for Target's network, and the attackers used those to let the hounds of hell loose on a sleeping Target. The point-of-sale malware that did the actual card harvesting was reportedly written by a 17-year-old, but the way in was a single click.
A similar tactic appears to have been used in the eBay breach in May of this year, which affected as many as 145 million eBay users: the hackers simply sent infected emails to a select group of eBay employees. The same is reported of the most recent attack on JP Morgan Chase, and of the attack on more than 300 energy and oil companies in Norway announced on August 27th.
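The lure described above has a shape that can be checked for before anyone clicks. The script below is an added example, not code from the original article or from any of the companies named: it takes raw inbound messages and reports the tell-tales of a malware-laced phish (a lookalike sender domain, a Reply-To that points elsewhere, link text that names one domain while the href goes to another, and an executable, double-extension or macro-enabled attachment). The organisation domain `example-corp.com` and the three sample messages are constructed for the example.

```python
"""Mail triage for the lure described above.  Added example, not code from the
original article; every message below is a constructed sample and ORG_DOMAIN
is an assumed organisation domain."""
import email
import re
from email import policy
from email.message import EmailMessage

ORG_DOMAIN = "example-corp.com"  # assumption: the defended organisation's domain

# File types a gateway should never accept from outside, Office types whose only
# distinguishing feature is that they carry macros, and decoy extensions seen in
# names like "invoice.pdf.exe".
DANGEROUS_EXT = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd", "ps1", "jar", "lnk"}
MACRO_EXT = {"docm", "xlsm", "pptm"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def header_domain(msg, name):
    """Domain of the first address in a header, or '' if the header is absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get(name, ""))
    return m.group(1).lower() if m else ""

def url_domain(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def triage(raw):
    """Return the list of phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    frm, reply_to = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    if reply_to and reply_to != frm:
        hits.append(f"reply-to domain {reply_to} differs from sender {frm}")
    if frm != ORG_DOMAIN and 0 < edit_distance(frm, ORG_DOMAIN) <= 2:
        hits.append(f"sender domain {frm} is a lookalike of {ORG_DOMAIN}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            pieces = fname.lower().split(".")
            if pieces[-1] in DANGEROUS_EXT:
                hits.append(f"executable attachment {fname}")
            elif pieces[-1] in MACRO_EXT:
                hits.append(f"macro-enabled attachment {fname}")
            if len(pieces) > 2 and pieces[-2] in DECOY_EXT:
                hits.append(f"double extension {fname}")
        if part.get_content_type() == "text/html":
            # Visible link text names one domain while the href goes somewhere else.
            for href, text in LINK_RE.findall(part.get_content()):
                shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
                if shown and shown.group(0).lower() != url_domain(href):
                    hits.append(f"link text shows {shown.group(0)} but goes to {url_domain(href)}")
    return hits

def build_sample(sender, subject, html, attachment=None, reply_to=None):
    """Construct a sample message (plain + HTML body, optional attachment) as raw text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, f"staff@{ORG_DOMAIN}", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please see the attached.")
    m.add_alternative(html, subtype="html")
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()

# Constructed samples: a benign notice, a classic invoice lure, a macro document.
SAMPLES = {
    "benefits_notice": build_sample(
        f"HR <hr@{ORG_DOMAIN}>", "Open enrollment",
        f'<p>Details: <a href="https://intranet.{ORG_DOMAIN}/benefits">intranet.{ORG_DOMAIN}</a></p>',
        attachment=("benefits.pdf", b"%PDF-1.4 sample")),
    "invoice_lure": build_sample(
        "Accounts Payable <ap@examp1e-corp.com>", "Overdue invoice",
        '<p>Review it at <a href="http://198.51.100.7/login">portal.example-corp.com</a></p>',
        attachment=("Invoice_2014.pdf.exe", b"MZ sample"),
        reply_to="collector@mail-drop.example.net"),
    "macro_order_form": build_sample(
        "vendor@supplier.example.org", "Order form",
        "<p>Enable editing to view the order form.</p>",
        attachment=("Order_Form.docm", b"PK sample")),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw) or ["clean"])
```

Nothing here needs a malware signature, which is the point: the indicators describe how the lure is built, not which malware it carries, so a sample that was pre-tested against antivirus still trips them. It is a triage aid for a mail gateway or an analyst, not a substitute for teaching the person at the keyboard to pause before clicking.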
There are clear patterns emerging:
- Hackers target the weakest links, and there are plenty of them. Millions of them.
- The malware is tested against all the common antivirus products before it is sent, so the hackers already know your antivirus software won't catch it.
- The biggest problem is that companies are simply not training their employees to be vigilant and to stop doing dumb things.
- The attacks are not sophisticated or advanced, not really, not in the grand scheme of things.
- The breached businesses are lying to you because the truth will have you seeing red.
The next time a breached business talks about how sophisticated the attack was, or how committed it has always been to security and privacy, try this simple litmus test. Ask how often its employees are reminded or trained to be vigilant. If the answer is in the realm of once or twice a year, you've probably just found the hole in the fence.
Neal O'Farrell, security and identity theft expert for CreditSesame.com, is one of the most experienced consumer security experts on the planet. Over the last 30 years he has advised governments, intelligence agencies, Fortune 500 companies and millions of consumers on identity protection, cybersecurity, and privacy. As Executive Director of the Identity Theft Council, Neal has personally counseled thousands of identity theft victims, taken on cases referred to him by the FBI and Secret Service, and interviewed some of the nation's most notorious identity thieves.