As 2016 comes to an end, we look back at six of the year’s worst data breaches and what went wrong.

It seems like not a day went by this year without reports of yet another major data breach, or two or three data breaches. From healthcare to fast food to adult entertainment, no industry was spared the wrath of hackers. Even the U.S. presidential election ended up being impacted by cyber security concerns, both real and perceived. Here, we review six of 2016’s worst offenders and what went wrong.

1. The Yahoo Data Breaches

What happened: Three months ago, Yahoo disclosed that it had fallen victim to the biggest security breach in history, which compromised 500 million user accounts, resulted in at least 23 lawsuits, and put the company’s planned acquisition by Verizon at risk. As if that weren’t bad enough, last week, Yahoo announced that it had uncovered yet another breach, this one involving a staggering 1 billion accounts and casting another dark shadow over the Verizon deal.

What went wrong: Yahoo is paying the price for spending years putting “the user experience” ahead of cyber security. Afraid that strong security measures would annoy its end users, Yahoo continued to release products that it knew were vulnerable to hacks. While social media networks are full of memes expressing consumer annoyance at security requirements such as strong passwords, it’s far better to risk annoying customers than to leave their personal information open to data breaches.

2. The DNC Email Hack

What happened: The 2016 U.S. presidential race was already shaping up to be one of the most contentious in modern history when, in an echo of the 2014 Sony Pictures email hack, WikiLeaks released a number of damaging emails stolen from the Democratic National Committee’s email server. While most of the messages consisted of boring, routine correspondence, others were quite scandalous, including what appeared to be messages written by high-ranking party officials plotting to discredit candidate Bernie Sanders and planning to reward high-dollar DNC donors with federal appointments had Hillary Clinton won the election. In the end, the scandal forced the DNC’s chairperson, CEO, and communications director to resign.

What went wrong: Among other missteps, the DNC chose to run its own enterprise email server. This is almost always a bad idea, as most organizations simply do not have the monetary and human resources to properly secure one. While outsourcing enterprise email to a provider such as Google is not a guarantee against data breaches, it’s a good proactive step to tilt the odds in the organization’s favor.

3. The Wendy’s Point-of-Sale System Hack

What happened: At nearly the same time Wendy’s announced it would be switching from human clerks to automated ordering kiosks, the fast-food giant disclosed that its existing point-of-sale systems had been hacked, compromising customer credit card information from 1,000 of its locations in the U.S. In a [failed] attempt to deflect responsibility, Wendy’s implied that the data breaches were not the company’s fault because “only” independently owned franchises, not company-owned locations, had been breached, and that the franchisees were the bad guys because they’d chosen the wrong third-party providers to service their POS systems.

What went wrong: In addition to trying to pass the buck, which is a bad idea on numerous levels, a class action lawsuit against the company on behalf of dozens of credit unions alleges that the company, similar to Yahoo, knew that its POS systems had security problems but declined to address the issues. As the old saying goes, the first step to solving a problem is admitting that you have one.

4. The SWIFT Network Attacks

What happened: The SWIFT Network, a proprietary messaging system that banks around the world use to communicate with each other, was thought to be one of the most secure systems on Earth – until hackers managed to get into it by breaching user banks’ systems, accessing their SWIFT credentials, and requesting billions of dollars in fraudulent money transfers. Most of these were caught and flagged, but about $81 million, from a bank in Bangladesh, went through. The hackers behind the attacks are still at large, and SWIFT, as well as banks around the world, remain at risk of similar heists.

What went wrong: The methods used by hackers to breach the user banks’ systems were not new or particularly sophisticated; it appears that they used email phishing schemes to steal login credentials from unwitting bank employees. Many security experts believe that SWIFT may have been dependent on “security through obscurity.” Before this year’s hack, few people outside the finance world had even heard of SWIFT. Unfortunately, the internet has brought even the most obscure technology into the light, and organizations can no longer depend on their systems being un-hackable because “nobody has ever heard of them.”

5. The FriendFinder Networks Data Breaches

What happened: What could possibly be more embarrassing than having your political party’s dirty laundry aired by WikiLeaks? Having your account on the “World’s Largest Sex and Swinger Community” compromised. In October, FriendFinder Networks, the owners of numerous adult-oriented websites, disclosed that 412 million user accounts from six of its sites had been exposed, most of them from a swingers’ dating site called Adult FriendFinder. In addition to breaching user data, hackers also accessed source code and public/private key pairs.

What went wrong: Apparently, FriendFinder Networks learned absolutely nothing from the 2015 Ashley Madison hack. It stored its users’ email addresses and passwords in a wildly insecure manner, as plain text and converted to all lower-case. Because it engaged in few, if any, proactive cyber security measures, FriendFinder was a data breach waiting to happen.

6. The Hollywood Presbyterian Medical Center Ransomware Attack

What happened: While not technically a data breach, the ransomware attack on Hollywood Presbyterian Medical Center, which occurred in February 2016, set the stage for a spate of similar attacks on medical facilities in the United States, Canada, and the U.K. Hackers used ransomware to disable the hospital’s entire network, including its electronic health records (EHR) system. Desperate to get back in, the facility paid a $17,000+ ransom in Bitcoin. This greatly incentivized hackers by proving that they could easily extort big paydays from healthcare organizations.

What went wrong: It is believed that the Hollywood Presbyterian attack, like most ransomware attacks (and data breaches) occurred after hackers got hold of legitimate system login credentials, possibly through a phishing email or another social engineering scheme, then used them to get into the hospital’s systems and install malware. The healthcare industry is notorious for not providing its front-line employees with cyber security awareness training or taking other proactive steps to prevent ransomware attacks and data breaches.

Let’s hope that 2016 was the year everyone finally learned their lesson about the importance of proactive cyber security, and 2017 will be the year when organizations strike back against hackers.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

[bpscheduler_booking_form]

In a new report, UC Berkeley’s Center for Long-Term Cybersecurity offers suggestions to President Elect Trump

Now that the election is over, the nation’s attention has turned to President Elect Donald Trump and what a Trump Administration will mean for cyber security. Notably, information security was the only tech-related topic Trump addressed directly on his official website. However, Trump’s plan outlines procedural generalities and does not go into technical specifics, something that is to be expected from a candidate who hails from a business background and has admitted to not being particularly tech-savvy. Since Trump’s election, his cyber security team has been slow to take shape.

In light of this and the fact that data breaches, ransomware attacks, and other cyber crimes are escalating in intensity, frequency, and cost, the Center for Long-Term Cybersecurity at UC Berkeley has come up with a list of five suggestions for President Elect Trump:

1. Publicly Declare a New Era of “Active Defense”

The first suggestion UC Berkeley has is for Donald Trump to make a strong public declaration that the U.S. is entering a new era of “active defense” against cyber crime. In particular, the Center wants two norms established: 1) a more active role for the federal government in responding to nation-state cyber attacks and 2) an acknowledgement that electoral systems are a matter of national security both in the U.S. and abroad, that the U.S. will not interfere with other countries’ electoral systems, and that the U.S. will respond forcefully to any attempts by foreign cyber criminals to interfere with ours.

2. Build Public Awareness of Cyber Security

It is well-known that the weakest link in any organization’s cyber security plan is its people. The overwhelming majority of data breaches are the result of hackers obtaining legitimate login credentials, usually through phishing emails and other social engineering schemes. Unfortunately, most Americans are woefully uneducated on cyber security issues, which is why these incidents keep happening. To mitigate this problem, UC Berkeley would like to see President Elect Trump “make cyber security the next seatbelt” and implement a public awareness and education campaign to make everyday citizens aware of best cyber security practices. The Center would also like to see cyber security taught at the K-12 level as part of basic computer literacy, just as many schools are now teaching basic coding.

3. Address the Cyber Security Skills Shortage

The cyber security field is grappling with a severe skills shortage; there are approximately 200,000 unfilled cyber security jobs in the U.S., and demand is expected to increase by 53% by 2018. To address this problem, the center has three suggestions for President Elect Trump:

• Forgive or, at least, defer student loans for new graduates who want to build careers in the cyber security field; (Just like the military forgives your student debt for military service, so should the same for federal service.)
• Offer special cyber security visas for foreign-trained talent; and (This is easily abused by corporations who want to displace American workers so regulations are definitely required here.)
• Establish online education programs so that anyone with the desire to study cyber security can do so. (A great resource to look at is Western Governors University. They have great accreditation and are non-profit.)

4. Establish a “Cyber Workforce Incubator”

UC Berkeley points out that a great number of cyber security professionals are concentrated on the West Coast. For numerous reasons, it can be difficult to entice these workers to move to the East Coast, where the federal government is headquartered. The Center suggests that Trump set up a national “Cyber Workforce Incubator,” headquartered on the West Coast, that would allow these professionals “to work on national security challenges without giving up their work cultures and networks.” The Center envisions that these professionals would be given the opportunity to work in the incubator for one to two years at a time, allowing them to serve their country by working on “the most important national security challenges before returning to the private sector refreshed and inspired.”

5. Create a New Government Agency Dedicated to Cyber Security

The Center’s final suggestion is that President Elect Trump set up a new government agency, tentatively called the Cyber Advanced Research Projects Agency (CARPA), to “aggregate existing government and DARPA cyber initiatives and focus specifically on innovating in a field that is increasingly critical to civilian as well as military life.” The Center’s logic is that, in an increasingly digitized world, cyber security has a fundamental part of national security. The defense of our nation’s critical digital infrastructure cannot be left solely to the private sector anymore than the defense of our physical infrastructure and borders.

Throughout his campaign, Donald Trump referred to cyber security in the context of national security. It is possible that his administration will increase spending on cyber security at the federal level and impose more stringent requirements on state and local governments. These would be welcome changes. As the new administration moves forward and coalesces its policies, it’s important that cyber security professionals and private sector businesses vocalize our ideas and issues and ensure that our concerns are heard.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.

[bpscheduler_booking_form]

Cyber Security Due Diligence Has Become a Fundamental Part of M&A Transactions

Data breaches and a failure to comply with governmental and industry standards can impact a company in many ways, as Yahoo is finding out the hard way. The company’s recent disclosure of a massive data breach, which resulted in 500 million user accounts being compromised, resulted in multiple class action lawsuits being filed against the company and may trigger a government investigation into why it took so long to disclose the breach.

The Yahoo breach and what it says about cyber security due diligence has also shaken up the mergers and acquisitions (M&A) world, and the hack may have put its planned acquisition by Verizon at risk. CSO Online reports:

Verizon has signaled that Yahoo’s massive data breach may be enough reason to halt its US$4.8 billion deal to buy the internet company.

On Thursday, Verizon’s general counsel Craig Silliman said the company has a “reasonable basis” to believe that the breach involving 500 million Yahoo accounts has had a material impact on the acquisition. This could give the company room to back out or get a large discount.

“We’re looking to Yahoo to demonstrate to us the full impact,” he added. “If they believe that it’s not, then they’ll need to show us that.”

As data breaches, ransomware, DDoS attacks, and other cyber attacks escalate in frequency, severity, and cost, cyber security due diligence has emerged as a serious issue in the M&A sector. Information security issues at an acquisition target could significantly impact a deal’s price, keep the deal from going forward at all, or, if the problems are not detected during the due diligence process, inflict a world of pain on the acquirer company; should its deal to acquire Yahoo go through, Verizon is reportedly planning to put $1 billion in reserve to cover the costs to clean up the breach.

While the Yahoo breach has put cyber security due diligence into the spotlight, scenarios where M&A deals were negatively impacted by cyber security issues have been occurring for some time. A recent survey of senior M&A executives by consulting firm West Monroe Partners, published several months before the Yahoo hack, found the following:

• 80% of respondents felt cyber security issues were “highly important” to M&A due diligence
• 40% of acquirers had discovered a cyber security issue at an acquired firm after a deal had gone through
• 32% of respondents pointed to a lack of qualified personnel involved in the diligence process in recent deals

Respondents also reported that the three most common cyber security problems uncovered during the M&A due diligence process were compliance issues (70%), the lack of a comprehensive data security infrastructure (40%), and vulnerability to insider threats (37%).

What Can Acquirers and Acquisition Targets Do?

The Yahoo hack did not happen out of thin air; it was the result of years of the company repeatedly putting the product user experience ahead of security and refusing to implement even the most basic proactive cyber security measures. Acquisition targets must take their cyber security as seriously as they take their accounting practices. This includes not just protection against breaches but ensuring that the company is compliant with all applicable regulatory and industry standards. Conversely, acquirers must pore over a target company’s cyber security and compliance practices as carefully as they would the company’s books.

Additionally, nearly 1/3 of the respondents to the West Monroe survey complained of a lack of qualified personnel to perform cyber security due diligence. This is not surprising. Cyber security is a complex, dynamic field; new threats and technologies are emerging daily, and most firms do not have the monetary or human resources to handle their own information security in-house. Outside cyber security experts should be involved in the M&A process on both ends. Target companies should have security vulnerability studies conducted before putting themselves on the market, and acquirers must enlist help to perform due diligence during the acquisition process.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its systems.

Schedule some time with our Superheroes for a Free Assessment!