The Data Breach is Over... let the Phishing Begin!

phishingLast week it was revealed that more than 53 million email addresses were stolen as part of the Home Depot breach discovered last September. Combined with the 76 million email addresses stolen in the JPMC data breach in June, we're talking about more than 125 million email addresses available for cyber criminals to use in highly targeted email phishing scams.

But are breach-wary consumers and businesses still paying attention to this news? Are they aware of the risks they still face even as the breach itself has been contained?

Caution & Confusion

Communications from the breached organizations have been somewhat vague. Victims are being emailed and told to be on the lookout for suspicious emails that look like they could be coming from the organization. Victims are also being told the risk is low that they will be targeted, and corporate communications have also indicated that not all people whose information may have been compromised will be contacted.

A tweet from Bob Rudis sums this up the confusing situation nicely:


It's not just consumers who are at risk

If businesses think this is only a consumer issue, they need to think again.

Phishing continues to be a very successful attack vector for hackers. The 2014 Verizon Data Breach Investigation Report found that nearly 67% of breaches were carried out through phishing. With the information stolen from these breaches, criminals now have access to multiple data points on customers whom they can target with highly personalized, authentic looking email campaigns.

security ratings snapshot example

Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.

Get Your Rating
Button Arrow

But attackers aren't just after account log-in details in these campaigns. Often, they are also installing malware that can then steal information and credentials from a machine, and possibly infect an entire network. The risk to businesses in this scenario lies not in being targeted by the attackers directly, but through the behaviors of their employees on network connected devices. One simple point to think about: how often do your employees check personal email on a work machine?

Even if a business believes that all of their staff are well informed and capable of spotting a phishing scam, how confident can they be in their third party suppliers and partners? Both the Target breach and the Home Depot breach serve as examples of the importance of vendor risk management. All it takes is for one employee or vendor to be fooled by one of these campaigns, and your information is placed at risk. The attackers know this- but are your employees, vendors and suppliers aware?

The not-so-simple truth

Besides better training and awareness programs, what this all points to is the need for rapid identification and response when it comes to detecting a potential breach. The 2014 M-Trends Report from Mandiant found that the median dwell time for an attack was 229 days in a network before it was discovered! They also found that only 33% of attacks were discovered by the breached organization.

All of the breaches highlighted in this blog post went undiscovered for months. And two were breached through a weakness in a third party's network. To avoid becoming the next victim, organizations need to be more vigilant in monitoring their entire information supply chain and knowing what security risks are emerging across the extended enterprise. The risk from phishing and other attack vectors is real, and we need to be prepared to identify and respond to attacks before they can cause the massive amounts of damage we are becoming so tired of hearing about.