I Read the News Today, Oh Boy

Every morning, I begin my day with the same routine I’ve had for many years. You and I aren’t that close yet, so I won’t go into the specifics of my dawn activities, but I can safely divulge that it involves fleece, coffee, and a quick scan of the world’s news that transpired over the previous night. Increasingly, that news is accompanied by a mention of a cyberattack or the discovery of a breach of sensitive data.

Like clockwork, this week’s mornings have buzzed with news about data breaches at Newegg, MedCall, and GovPayNow. To note:

  • MedCall: This pharmacy services provider left private customer information on an unsecured S3 bucket. While the total numbers are relatively low (3000 employees in 181 different business for companies like Piggly Wiggly, KFC, and Hampton Inn were affected), the nature of the data is the story. Detailed medical information and social security numbers for all 3000 individuals were exposed. These included recordings of phone calls, prescription scripts, medical history files, and other data that is not just private but could be used to damage people’s careers and reputations.
  • NewEgg: The online storefront for computer components, peripherals, and other hardware was attacked by the hacker organization known as Magecart. The organization used a malicious script injected into the Newegg payments page to steal financial data during the customer check out process. As payment information loaded in online forms, it was redirected, via SSL/TLS, to a domain that skimmed the scripts. The earliest reports indicate that this was happening for more than a month before the company became aware of it.
  • GovPayNow.com: This website is used by 2,300 government agencies in 35 states to facilitate payment of state and local fees paid by citizens for various government services, including court fees, traffic fines, bail payments, and other forms of restitution. Krebs reports that more than 14 million records, going back as far as 2012, were exposed, all of which had sensitive payment information in them.

While these are among the many similar stories we see daily, we cannot become inured to them. Just these three stories constitute PII for potentially 15 million people, data which could jeopardize their ability to get credit or a job. The personal impact is devastating, but so is the economic one.

Consider Newegg, which gets approximately 50 million monthly visitors and has a business valued at more than $2.5 billion. The depth of the attack is yet to be known, but they will lose customer faith and will need to spend a small fortune to staff-up, deploy solutions, and even fend off lawsuits that are sure to come.

Any organization that handles employee and/or customer data (which, by definition, is every organization, for-profit or otherwise) has an ethical and contractual obligation to protect that data. The responsibility involves knowing what is happening in their IT environments and then isolating and fixing issues when they arise…and make no mistake, they will surface at some point.

But step one is knowledge – know your environment and have insight into what’s going on within it. And you can do one better by having baselines of normal behavior, knowing what constitutes anomalies, and then immediately isolating and fixing issues.

My morning routine hasn’t changed in a long time, but I’m hoping that with your help, I’ll be able to see more headlines about puppies and flowers instead of cyberattacks.