As a trainer, one of my main goals is to make sure that Commonwealth’s home office staff and our network of financial advisors are aware of (though not paranoid about) information security threats.
And there certainly have been a lot of threats recently. As the year comes to a close, I’d like to take a look back on the biggest information security incidents of 2017 and show that for every bad thing that happened, an invaluable lesson was learned. The bad guys are getting smarter, but so are the good guys.
1) Equifax Breach
Although this story is no longer dominating the headlines, it’s far from over. Given that approximately 143 million Americans’ sensitive information (just about every American with a credit history) was compromised, the Equifax breach will go down as one of the biggest information security incidents of all time.
Sure, the Yahoo! breach still had about seven times as many victims, but with Equifax, our most critical information was potentially compromised: Social Security numbers plus at least one other piece of identifying information (e.g., date of birth, address, driver’s license number). That’s a treasure trove for identity thieves.
A helping hand? As Equifax announced the breach in September, the credit bureau revealed a new self-service portal that anyone can use to determine whether they’ve been affected. Any visitor—victim or not—is also provided with one free year of TrustedID Premier, Equifax’s credit monitoring and identity theft protection service.
Many did not take this to be a genuine offer of help, however. The media claimed that anyone enrolling in the free TrustedID service was waiving their right to sue Equifax. (To be fair, the terms-of-service language was pretty confusing.) This quickly turned into a story of Equifax taking advantage of victims—not only preventing class-action lawsuits, but also promoting a product of its own in the wake of a major database breach.
It turns out, however, that the legal language applied only to the TrustedID product itself, not to the security breach.
Note just how quickly the public opinion of Equifax hit rock bottom. After the breach, every action the credit bureau took and every statement it made was met with complete distrust. This fiasco is exactly what information security programs strive to prevent. Regardless of any good Equifax has done in its history as a business, this one event will likely leave a permanent mark on its reputation.
2) Ransomware Gone Global
Ransomware is a type of malware that, once it infects your computer, encrypts your information (i.e., locks it) and demands a payment from you to get it back. Because ransomware is so easy for criminals to use—and so profitable—it’s becoming the cyber attack of choice for most hackers.
WannaCry. We haven’t seen a larger global cyber attack than WannaCry, a ransomware infection that spread to more than 200,000 victims across 150 countries in May 2017. Many well-known organizations, including Honda and FedEx, fell victim to WannaCry. According to the BBC, hospitals in England and Scotland were infected by the ransomware and had to turn away non-emergency patients because the hospital systems were down.
What one thing did all of the victims have in common? Their Windows operating systems had not been updated, so they were missing a critical security patch that Microsoft had released two months earlier. This patch would’ve prevented a WannaCry infection.
NotPetya. One month after the WannaCry attack, news broke of another global cyber attack—dubbed NotPetya. Although it managed to spread to parts of Europe and the U.S., this ransomware seemed targeted at Ukraine specifically, and experts believed that it didn’t even seek to make a profit. NotPetya was built to encrypt information without returning it.
What’s surprising is that NotPetya exploited the same weakness WannaCry did, and all victims were still missing that patch. If everyone had updated their systems regularly, the impact of these attacks would not have been nearly as significant. Of course, it can be tempting to delay an update when we’re in the middle of something—but keep in mind that the longer you delay, the longer you could be leaving yourself vulnerable to an attack.
The other essential defense against ransomware is maintaining a reliable backup process. If your information is held for ransom but you have another copy elsewhere, why even consider paying? In this day and age, when ransomware has become the standard cyber attack, backups are crucial.
3) Attack of the Spoilers
This year, hackers tried to hit us where it hurts us most: our favorite TV shows. In two separate incidents, hackers gained access to unreleased episodes of Netflix’s Orange Is the New Black and HBO’s Game of Thrones. The hackers demanded a ransom, or else they’d leak episodes to the public.
In the end, HBO did not pay, deciding that, ultimately, the amount of money wasn’t worth what was at stake. Netflix, on the other hand, paid the full sum of $50,000. Unfortunately, the unreleased season of Orange Is the New Black was leaked anyway. If you’re ever faced with a ransom-based attack, remember that there is no honor among thieves, and paying up could potentially be adding more to your loss.
The Netflix leaks also serve as a great reminder to always perform the proper due diligence on your vendors. Experts found that Netflix itself wasn’t breached; its post-production vendor was. Before signing on with any vendors, ensure that their security posture won’t weaken yours.
4) Year of the Phish
According to the 2017 Verizon Data Breach Investigations Report, 90 percent of all security breaches start with phishing e-mails—whether they convince users to click on links, open attachments, or reply with sensitive information. Once you fall for these scams, just about anything can happen. Phishing campaigns are constantly evolving and taking on new disguises.
Google Docs phish. This phishing campaign masked as a Google Docs “share” message, claiming that a contact wanted to share a document with the recipient. Those who fell for it became “hosts” to the attack themselves, sending out the phishing e-mail from their own accounts. The message was so convincing that it reached approximately one million Gmail users before Google could contain it.
DocuSign phish. In May, DocuSign, a provider of electronic signature technology, suffered a database breach in which only customer e-mail addresses were compromised, but attackers knew how to use even that to their advantage. They began sending phishing e-mails that pretended to come from DocuSign to all the compromised addresses. Because these users already expected regular DocuSign messages, many overlooked the red flags (such as the incorrect “From:” address) in these e-mails.
Equifax phish. During the week of the Equifax breach, we heard reports of phishing e-mails taking advantage of the event. To get ahead of the inevitable phishing campaigns, Equifax stated that it would not notify victims of the breach by e-mail. Yet, attackers are still masquerading as Equifax and offering people “help” to capitalize on all the confusion as the story develops.
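The “incorrect From: address” red flag in the DocuSign item, and the Equifax masquerading in the item above, can be checked mechanically. As an added example (not from the original post), this Python script parses a few constructed messages and flags a From: header that invokes a known brand while being sent from a domain outside that brand’s allowlist; the allowlist and the `.example` sender domains are assumptions, and the Reply-To comparison is a related red flag the post itself does not mention.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist (an assumption for this example, not data from the post):
# brand keyword -> domains that legitimately send mail in that brand's name.
# In a real deployment, populate it from each vendor's published sender domains.
KNOWN_SENDERS = {"docusign": {"docusign.com"}, "equifax": {"equifax.com"}}


def address_domain(addr):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def impersonated_brands(raw_message):
    """Brands invoked in the From: header whose allowlist excludes the sending domain.

    Returns [] when no mismatch is found; this covers only the 'incorrect From:'
    red flag, so an empty result does not mean the message is safe."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = address_domain(addr)
    # Match the brand as a whole word in the display name or anywhere in the
    # address, so look-alikes such as 'docusign-alerts.example' are caught.
    haystack = f"{name} {addr}".lower()
    return [brand for brand, allowed in KNOWN_SENDERS.items()
            if re.search(rf"\b{re.escape(brand)}\b", haystack) and domain not in allowed]


def reply_to_mismatch(raw_message):
    """True when Reply-To: points at a different domain than From: (replies leave the brand)."""
    msg = message_from_string(raw_message)
    reply_to = msg.get("Reply-To")
    if reply_to is None:
        return False
    from_domain = address_domain(parseaddr(msg.get("From", ""))[1])
    return address_domain(parseaddr(reply_to)[1]) != from_domain


# Constructed sample messages (not real mail); the .example domains are reserved.
SAMPLES = {
    "legit": "From: DocuSign <dse@docusign.com>\nSubject: Please sign: Account agreement\n\nReview the document.\n",
    "docusign_phish": ('From: "DocuSign Electronic Signature Service" <dse@docusign-alerts.example>\n'
                       "Reply-To: docs@mailbox.example\nSubject: Completed: Wire instructions\n\nView now.\n"),
    "equifax_phish": "From: Equifax Breach Help <help@equifax-checker.example>\nSubject: Confirm your identity\n\nVerify now.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: impersonates={impersonated_brands(raw)} reply_to_mismatch={reply_to_mismatch(raw)}")
```

Exact-match against the allowlist is deliberate: a subdomain trick such as `docusign.com.evil.example` is still flagged because the full sending domain is compared, not a substring.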
Improving Habits for 2018
The world experienced a number of major global cyber attacks in 2017. But as we approach the new year, we should move forward knowing how easily we could have prevented some of the biggest information security incidents and try to use what we’ve learned to avoid similar events in the future:
- Keep your operating systems and software up to date to help protect you from hackers.
- Perform the proper due diligence to help keep your vendors from becoming an attacker’s point of entry into your information.
- Develop a heightened awareness of phishing e-mails to help prevent attacks like the Google Docs worm or DocuSign malware.
Some security events are completely out of our control (e.g., the Equifax breach), but for many others, adopting some simple, secure habits can go a long way in protecting your information.
How do you ensure the safety of your personal information? What precautions does your firm take to protect against information security threats? Please share your thoughts with us below.