Hacking and malware attacks continue to cause organisations concern when it comes to the threat of a data breach. As they are leveraged primarily by external actors, these types of campaigns don't generally succeed on their own. Their success hinges on the extent to which an attacker can exploit certain conditions within the internal network. That might take the form of leveraging zero-day vulnerabilities to break into a system, but in most cases, that will involve provoking or capitalising on human error.
Human error has a well-documented history of causing data breaches, so much so that in CompTIA's Trends in Information Security (2015), a majority of respondents (52 percent) from hundreds of companies located around the United States said it was the leading cause behind data breaches. More specifically, respondents for that study identified "end user failure to follow policies and procedures" and "general carelessness" as the top examples of human error. Both of those factors help to explain common security incidents that might snowball into a data breach, such as a successful phishing attack granting a bad actor entry onto the corporate network.
Human error, such as an employee's failure to spot a phishing attack, has caused many of the largest data breaches ever recorded. Cyber security and compliance awareness training can help change this behaviour, and the use of high-quality, engaging eLearning can be a solution to educate employees about digital threats and security best practices.
Here is a brief review of eight well-known mega-breaches.
In the late spring of 2014, news first broke about a breach against eBay, the e-commerce website.
An investigation later determined that a group of attackers leveraged phishing attacks to steal the credentials of as many as 100 eBay employees. They used that information to gain access to eBay's internal network, where they then exfiltrated the names, passwords, email addresses, physical addresses, and other personal information of 145 million customers.
The attackers allegedly had unfettered access to eBay's systems for 229 days.
Following the breach, eBay lowered its annual sales target by $200 million USD. It also struggled to recover customer confidence and brand value for months after the incident.
American health insurance company Anthem revealed in early 2015 that attackers had obtained the personal information, including names, social security numbers, addresses, and income data, of both consumers and employees.
The first sign of the attack came when one of Anthem's system administrators noticed someone had used his unique identifier code to initiate a database query. Many now believe the attackers responsible for the breach used social engineering techniques to steal the administrator's credentials and gain access to the health insurance company's network.
In total, 80 million customers were affected by the breach. There are no exact costs available for the incident as of this writing, though some in the healthcare industry estimate the total costs will surpass $31 billion USD.
The 2014 breach against Sony Pictures Entertainment began when attackers sent many of Sony's top executives fake Apple ID verification emails. Each email led to a phishing site that stole a target's Apple credentials.
In the hope that someone had reused their Apple ID information across multiple accounts, the hackers abused those usernames and passwords in conjunction with employees' LinkedIn profiles to guess their way onto Sony's network.
Upon gaining access, the hackers used Wiper malware to cripple the company's computer networks and make off with 100 terabytes of data. The hackers, who the United States believes were working for North Korea, eventually posted much of that information online.
Sony Pictures Entertainment spent $35 million repairing its IT system, though the total cost of the breach could be significantly higher than that amount.
In the spring of 2014, hackers stole the login credentials of an employee at JPMorgan Chase, a leading global financial services firm. Those attackers then exploited an oversight, the bank's security team having failed to implement two-step verification (2SV) on one of the network servers, to gain access to JPMorgan Chase's corporate network.
Following that initial intrusion, the attackers moved laterally across the bank's network, gaining access to 90 servers in total. They didn't steal any sensitive financial information before they were detected and blocked in August, but they did succeed in making off with the names, addresses, phone numbers, email addresses, and other information of around 76 million households and approximately 7 million small businesses.
JPMorgan Chase didn't report the cost of the breach. However, the bank did announce it would begin spending about $250 million annually on information security and employing 1,000 security professionals to prevent similar intrusions from happening in the future.
On November 15, 2013, attackers broke into Target's network using network credentials stolen from Fazio Mechanical Services, a provider of refrigeration and HVAC systems. Two sources close to the investigation told information security journalist Brian Krebs the attackers used Citadel, a password-stealing malware which is a derivative of the ZeuS banking trojan. That information could not be confirmed, however.
After gaining access to the retailer's network, the attackers installed malware on the point-of-sale (POS) terminals at one of Target's stores. That malware facilitated the theft of 40 million credit- and debit-card records, as well as an additional 70 million customer records (including addresses and phone numbers).
Accounting for tax deductions and insurance reimbursement, the breach cost Target approximately $105 million.
News first broke of the Home Depot breach on September 2, 2014.
Similar to the case of Target, the actual intrusion began when a group of attackers used a third-party vendor's stolen username and password to enter the perimeter of the retailer's network. There, they elevated their privileges and deployed malware onto 7,500 self-checkout systems in the United States and Canada.
The attackers ultimately made off with 56 million customers' credit and debit card details as well as 53 million customers' email addresses. After an insurance reimbursement of $15 million, the breach cost Home Depot $28 million, or 0.01% of its sales in 2014.
In July 2015, attackers used a spear-phishing attack that "exposed a new and different vulnerability" to hack the Pentagon's Joint Staff unclassified email system.
The attack relied on encrypted social media accounts for coordination as well as an "automated system that rapidly gathered massive amounts of data and within a minute distributed all the information to thousands of accounts on the Internet."
Sources believe Russian attackers coordinated the attack, an assault which forced the Pentagon to shut down its email system for two weeks. Approximately 4,000 military and civilian personnel were affected by the outage.
The exact costs of repairing the email system are unknown.
On September 1, a staff member of the 56 Dean Street (SoHo) clinic sent a newsletter out to 781 subscribers of "Option E," a service which allows patients with HIV to receive test results, schedule appointments, and receive newsletters via email. Instead of entering the emails in the "BCC" field, the individual entered them into the "To" field, which allowed all recipients of the newsletter to view every other subscriber's email address.
In addition, the full names belonging to 730 of those 781 subscribers were included in the leaked email addresses, allowing recipients to look up the names of the clinic's patients online.
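The Dean Street incident above came down to one field choice in a mail client. As an added example (not code from the original article or from the clinic), the following Python builds a bulk mailing with subscribers in Bcc only, provides a pre-send guard that refuses to deliver when subscriber addresses would be visible in To or Cc, and shows the copy a recipient actually receives; all addresses and the newsletter text are constructed sample data.

```python
# Added example (not from the original article); all addresses are constructed.
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "newsletter@clinic.example"                      # constructed
SUBSCRIBERS = ["alice@example.net", "bob@example.org", "carol@example.com"]

def build_newsletter(sender, subscribers, subject, body, field="Bcc"):
    """Correct use puts subscribers in Bcc (the default); field="To" recreates
    the mistake described above. The visible To header then names only the sender."""
    msg = EmailMessage()
    msg["From"] = sender
    if field != "To":
        msg["To"] = sender
    msg[field] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def _addresses(msg, *fields):
    values = [v for f in fields for v in msg.get_all(f, [])]
    return [addr for _, addr in getaddresses(values)]

def exposed_subscribers(msg, subscribers):
    """Subscriber addresses every recipient would see (To and Cc headers)."""
    visible = set(_addresses(msg, "To", "Cc"))
    return sorted(a for a in subscribers if a in visible)

def envelope_recipients(msg):
    """Where copies are actually delivered: To, Cc and Bcc."""
    return _addresses(msg, "To", "Cc", "Bcc")

def delivery_copy(msg):
    """Bytes a recipient receives. smtplib.send_message() drops Bcc itself;
    smtplib.sendmail(..., msg.as_bytes()) would not, so drop it explicitly."""
    out = message_from_bytes(msg.as_bytes(), policy=msg.policy)
    del out["Bcc"]
    return out.as_bytes()

def safe_to_send(msg, subscribers):
    """Pre-send guard: refuse if any subscriber is visible to the others."""
    return not exposed_subscribers(msg, subscribers)

if __name__ == "__main__":
    good = build_newsletter(SENDER, SUBSCRIBERS, "Option E update", "Hello")
    leak = build_newsletter(SENDER, SUBSCRIBERS, "Option E update", "Hello", field="To")
    print("safe:", safe_to_send(good, SUBSCRIBERS), safe_to_send(leak, SUBSCRIBERS))
    print("exposed:", exposed_subscribers(leak, SUBSCRIBERS))
```

Note that `msg.as_bytes()` on the original message still carries the Bcc header, which is why the guard alone is not enough if the bytes are handed to a transport that does not strip it.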
In response to the breach, the United Kingdom Information Commissioner's Office issued a fine of £180,000 to the Chelsea and Westminster Hospital National Health Service (NHS) Foundation Trust, which operates the clinic.
As revealed in the case studies above, human error can compromise the information of hundreds of millions of customers and cost organizations upwards of tens of billions of dollars.
All organisations have an incentive to avoid those damages. Many are striving to do so by investing in security awareness training for their employees.
Ongoing security awareness education helps employees spot a phish, create stronger passwords, avoid browsing to suspicious websites, and understand the organisation's corporate policies when it comes to BYOD, threat mitigation, and use of social media during the work day. To instruct their employees about these issues, more and more organisations are turning to off-the-shelf training solutions, which let companies roll out employee training quickly and at a lower cost than developing a security training programme in-house.
Metacompliance, an organisation that specialises in cyber security and compliance training software, can assist security professionals to manage insider threat mitigation and educate employees to protect company assets. To achieve positive and lasting changes in staff behaviour, the Metacompliance team recommends its cyber security and compliance awareness eLearning modules.