By Mandy Pattenden, Marketing Communications Director
Data breaches, privacy and security concerns are dominating the headlines this month. From the Facebook data privacy scandal, to four other high profile and major data breaches in the U.S. within the last week. We can hardly escape the barrage of news about the many and varied ways our sensitive, personal data is being exposed to risk every day.
On April 1, news broke that hackers stole the credit and debit card information of more than 5 million shoppers at Saks and Lord & Taylor department stores. A well-known ring of cybercriminals installed software on point of sale (POS) systems in stores to syphon shoppers’ payment card numbers.
In the same week, hundreds of thousands of additional U.S. consumers awoke to the news that their payment card data had been exposed in separate breaches affecting Delta, Sears and Panera Bread. The Delta and Sears breaches were both the result of a malware attack that originated at a software vendor called 7, which provides Delta, Sears and other businesses with online chat services. Customers’ names, addresses, payment card numbers, CVVs and expiration dates were all leaked. Though the breach occurred in September 2017, the software provider apparently did not notify the companies until mid-March 2018!
Key Findings from Verizon’s Annual Report
Many of the factors in these recent breaches follow a familiar pattern. According to the recently released Data Breach Investigations Report from Verizon, the majority of data breaches (73 percent) were perpetrated by outsiders and involved either hacking techniques (48 percent) or malware (30 percent). The annual report examined 53,308 security incidents in 65 countries from November 2016 through October 2017, around 11,000 more incidents than the previous year’s report.
Additionally, the report analysed 2,216 confirmed data breaches (defined as a security incident that results in confirmed disclosure – not merely potential exposure – of data to an unauthorised party), an increase from 1,935 the previous year. If consumers feel like data breaches are becoming more and more common, that’s because they are.
Financial Gain Motivating Hackers
This year’s Data Breach Investigations Report once again revealed that financial gain was the biggest motivating factor in attacks, accounting for 76 percent of breaches. The top data varieties targeted in the breaches were personal information and payment data, followed by medical information. The four most common types of attacks that resulted in data breaches involved the use of stolen credentials, followed by RAM scraper malware such as the kind used to compromise the POS systems at the department store chain Saks, then phishing attacks, and last but not least privilege abuse.
Ransomware on the Rise
One of the most interesting aspects of this year’s report was the tremendous increase in ransomware attacks. Ransomware, a type of malware that allows the attacker to lock down access to a computer or network, or to hold data hostage until the victim pays a sum of money, has doubled year over year. Last year, it was only the fifth most prevalent type of malware involved in security incidents. This year it was the most prevalent. Notably, ransomware no longer mainly targets user desktops. Instead, attackers are increasingly going after business networks, leading to bigger ransom demands and greater profits for the criminals.
Social Engineering Surging
Verizon’s report also showed that users are three times more likely to be breached via social engineering tactics than through security vulnerabilities. Incidents of financial pretexting – when an attacker adopts a false persona or story (often over the phone) to procure information from an employee – rose from 61 incidents in 2017 to 170 this year. Many of the pretexting incidents investigated in the report targeted Human Resources/Personnel departments, with attackers attempting to obtain W-2 information. But, as we’ve discussed, social engineering tactics like pretexting and vishing (phishing conducted over the phone) frequently target enterprise contact centres, which often have access to a wealth of sensitive customer information, including payment data. In fact, the report states that pretexting is financially motivated 95 percent of the time.
Vertical Industry Trends
Finally, the annual Data Breach Investigations Report takes an in-depth look at different vertical industries. The professional and technical services vertical – which encompasses a range of organisations providing B2B and B2C services, and likely includes business process outsourcers like third-party contact centres – fared poorly in terms of its ability to detect and respond to a breach. The report states that it often took days or weeks for these organisations to detect breaches. In 60 percent of cases, the breach was discovered by an external party, and in 26 percent of cases, a customer notified the organisation that there had been a breach. This shows that many professional and technical services organisations are not doing enough to audit their data security practices. Sadly, this seems to fit right in line with the Delta and Sears data breaches, which occurred on the watch of their online chat service provider, 7, and shockingly took months to be reported and remedied.
Lessons Learned from Verizon’s Data Breach Investigations Report
Here are our top five takeaways:
- Keep sensitive data out of business infrastructures: Organisations are increasingly targeted by criminal gangs and hackers seeking personally identifiable information (PII) and payment data they can fraudulently use for financial gain. One way organisations and enterprise contact centres can make themselves less of a target is by keeping sensitive data out of their business infrastructure. As ransomware attacks against organisations continue to increase, it is truer than ever that criminals can’t hack (or hold to ransom) data you don’t hold. For contact centres, DTMF masking solutions, like Semafone’s Cardprotect, help ensure that customers’ payment data never even makes it into the contact centre’s environment in the first place.
- Continually train and educate employees: With phishing and pretexting incidents on the rise, employees need to know how to spot social engineering tactics and how to handle them. Employee education is one of the most effective things a business can do to lower its risk. Organisations should provide mandatory data security awareness training to employees in all roles and provide frequent refreshers.
- Enforce the least-privilege user access (LUA) principle on computer systems: This means giving employees and contact centre agents the minimum level of access necessary to do their job. A data breach only takes one rogue employee, or one innocent mistake by a member of staff who has been socially engineered. Ensuring that employees don’t have unnecessary access to data will help organisations minimise these risks.
- Champion compliance: Make sure that your partners, business process outsourcers and professional/technical service providers are compliant with all data security regulations, follow best practices and have a comprehensive incident response plan in place. When it comes specifically to organisations handling payment data, look for ISO 27001 accreditation, PA-DSS, PCI DSS and the official Visa Merchant listing. These industry regulations and accreditation programmes help ensure that an organisation’s people, processes and technologies have been extensively vetted and follow best practices for the highest possible levels of data security.
As always, the annual Data Breach Investigations Report provides valuable insights on the state of data security across industries and around the world. Data security seems to be a game of cat-and-mouse, with hackers and cybercriminals continually changing their techniques to circumvent the technologies and processes that organisations put in place to stop them. However, one thing remains the same: the more an organisation can do to keep sensitive data out of its network infrastructure, the less of a target it will be.