Another “Year of the Data Breach”

As the summer heats up, we begin the process of assessing the first half of 2019. As with years past, we reach this point, and immediately, the clichés begin to fly. “This is the year of the data breach…” We said this is in 2016, 2017, and 2018. Unfortunately, 2019 is shaping up to be yet another “year of the data breach.” From an increase in new types of ransomware to a new focus on municipalities, the first half of this year has been anything but quiet. As we look to the second half of 2019, we must consider the impact of the California Consumer Privacy Act (CCPA) and other state regulations in regards to proactive and responsive cybersecurity. 

One of the significant shifts we saw in the first half of this year was a move towards compromises involving cloud storage exposure due to lack of encryption, bad IAM policies, and poor logging and threat identification. We also are continuing to see the dangers of storing decades of personally identifiable information (PII) and electronic personal health information (ePHI) in email or on shared servers accessible to the outside world.  

Data Breaches of 2019

By now, everyone has heard about the constant source of data leaks and security failures that have originated at Facebook. From an internal server containing hundreds of thousands of user credentials to the April disclosure of the exposure of 540 million Facebook user records, the list of accidental and configurations errors continue to grow. However, Facebook is not the only company that has recently suffered from poor cyber practices. 

Just last month, medical testing and lab services company Quest Diagnostics disclosed that information for up to 11.9 million patients were compromised. This data breach occurred as a result of a security incident at a third-party billing vendor. This incident, as well as many others, highlights the increasing need for third party vendor cybersecurity management by the hiring company. “It’s not our problem” is no longer a reasonable excuse for these types of breaches. 

“It’s not our problem” is no longer a reasonable excuse for these types of breaches. 

In quite possibly the most egregious example of failure to discover a breach, real estate and insurance giant, First American, revealed in April of this year that a data breach dating as far back as 2003, exposed 885 million customer records. The information included Social Security numbers, driver’s license images, financial data, and transaction records. Even worse, the data had been publicly available on the firm’s website for anyone to access. 

Lastly, in each of the last six months, at least one municipal government in the US has been the victim of what appears to be a targeted ransomware attack. In March, Jackson County Georgia paid a $400,000 ransom. In June, at least 3 Florida cities were victims of ransomware. Also, as recently as June 30, the Administrative Office of the Georgia Courts was victimized. This increase in attacks focused at municipal governments is not new, but the tools used in the attacks are where the real advancements are occurring.  

“Spray and Pray” Ransomware Cyber Attacks

Previous ransomware attacks have typically been “spray and pray” attacks. In a “spray and pray,” attackers send hundreds or thousands of emails to as many email addresses as possible and then automatically encrypt and ransom the systems that click on the links in the malicious email. In the newer attacks, well organized criminal enterprises are leveraging software developed by countries such as North Korea, to gain a foothold in targeted systems and then leverages a secondary payload to cause further havoc. One of the most recent forms of this attack type comes via the Ryuk ransomware, targeting only the most crucial assets in a network, and leverages standard modules such as Trickbot and Emotet. What ends up happening is nothing short of a “one, two, three punch knockouts.” The Emotet module inserts the TrickBot virus into the system, and then the TrickBot virus steals the information. As a final farewell, Trickbot then downloads the Ryuk ransomware and locks the system from access.  

Four Cybersecurity Lessons Learned in 2019

What lessons can be learned from the attacks we have seen in the first half of 2019?

  1. The basics (strong passwords, multi-factor authentication, phishing training of employees) still work as well today as they have in the past. It doesn’t matter if the data is stored onsite or in the cloud; the rules have not changed.
  2. It is vital to do regular checks and audits of the systems, software, policies, and processes used in your environment. Knowing where your sensitive data is and who has access to it is the first line of defense.
  3. Properly managing vendors to ensure they are meeting the same minimum-security standards is no longer a negotiable element of a maturing information security program.
  4. As the CCPA and other state and federal regulations are developed and come online, the increased public attention resulting from breaches will only intensify.  

Here’s to a secure, safe, and successful second half of 2019! To learn more about Doug Brush and the Cybersecurity solutions at EQ, visit our website.

Douglas Brush is the Vice President of Cyber Security Solutions at EQ, a division of Special Counsel. Connect with Doug on Linkedin or via email today.