It is well understood that an organization can never be 100% safe from data breaches—but it is possible to lower your company’s likelihood of experiencing a breach by using a number of good cybersecurity practices. Below, we’ve outlined three recent headlining breaches and how they happened—as well as what could have potentially been done to mitigate the risk.
Acer recently released a breach notification to the California Attorney General's office admitting to the breach, which impacted upward of 34,000 customers. They said the hackers accessed payment card numbers, addresses, names, and security codes—which can, of course, be used to commit identity theft—for customers who made purchases on the company’s website between May 12, 2015, and April 28, 2016.
Our Take: We don’t know whether Acer did or did not encrypt their data and other highly sensitive information, but encryption is a critical step toward preventing large-scale data leakage. It’s also important to ensure that your databases are properly configured and that your website isn’t vulnerable to commonly known attack vectors like SQL injection, which can leave your organization’s data particularly exposed.
News of this breach was reported by security researcher Brian Krebs in January 2016. It was a compromise of the Aloha point-of-sale (POS) terminals that Wendy’s fast food restaurants use to process payment card transactions. Originally it was thought to be a very limited number of stores that were compromised—but after further investigation, it turned out to be many more. Customer payment cards used at over 300 Wendy’s franchises—5% of all Wendy’s restaurants—were compromised in the breach.
Our Take: Nearly all companies outsource POS systems, so this is a cautionary tale for those companies—and any organization that has critical vendors handling highly sensitive data (like a POS company would). One important takeaway from this breach is to conduct accurate and thorough investigations following any breach. Wendy’s originally thought the breach was smaller than it ended up being, and because of that, the news story echoed for quite a while—this is something you’ll want to avoid.
Empire Life Insurance Breach
In June 2016, it came out that Empire Life Insurance, a Canadian insurance company, was the victim of an email phishing attack in November 2015. A hacker was able to gain access to several email accounts through what may have been a password-reset phishing scheme. At this time, it is unknown whether the attackers were able to gain any personally identifiable information (PII)—and we expect more details on this breach to come out in the next several weeks.
Our Take: It’s imperative to train employees to recognize phishy-looking emails with weird headers or misspelled words—anything that could arouse suspicion. Additionally, there are email authentication protocols—like SPF, DKIM, or DMARC—that reduce the likelihood of employees falling victim to phishing attacks by quarantining suspicious emails to spam folders. Proper application of email authentication protocols will help lower the chances of a breach.
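To make "proper application" concrete, here is an added example (not part of the original article) that audits a domain's SPF and DMARC TXT record strings for settings that leave spoofed mail unquarantined. The quarantine behavior comes from DMARC's `p=` policy; the function names, domains and record values are all constructed for illustration.

```python
# Added example: audit SPF and DMARC TXT record strings for weak settings.
# All domains and record values here are constructed for illustration.

def audit_spf(record):
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: no valid record published"]
    rest = terms[1:]
    all_terms = [t for t in rest if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in rest):
            return []  # policy is delegated to another domain's record
        return ["SPF: no 'all' term, unlisted senders get a neutral result"]
    qualifier = all_terms[0][0]
    if qualifier in "+a":  # "+all" and bare "all" both evaluate to pass
        return ["SPF: '+all' authorizes every sender"]
    if qualifier == "?":
        return ["SPF: '?all' is neutral, unlisted senders are not failed"]
    return []  # "~all" (softfail) or "-all" (fail)

def audit_dmarc(record):
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: no valid record published"]
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy} takes no action on failing mail")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    return findings

def audit(spf, dmarc):
    return audit_spf(spf) + audit_dmarc(dmarc)

WEAK = ("v=spf1 include:_spf.example.net +all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
HARDENED = ("v=spf1 include:_spf.example.net -all",
            "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(*records) or "no findings")
```

The records are passed in as strings so the check runs offline; in practice they would come from TXT lookups on the domain and on `_dmarc.<domain>`.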