Cyber Security Disasters: 5 Companies That Weren't Prepared
Written by Steve Ross, 8 March 2016
How do businesses become the victims of a cyber-attack? We explore high-profile examples of what happens when businesses fail to prepare for an attack...
Over the past few years, we've seen high-profile cyber-attacks cause chaos in some of the world's largest companies. With so many incidents to sort through, it's easy to skim the details - but if big businesses, with all their IT resources, can become victims, it stands to reason SMEs need to be especially vigilant.
Fortunately, high-profile incidents aren't just 'car-crash' media stories - they act as learning tools which help us understand the threats we face. We've taken a look at 5 recent examples of companies which overlooked, ignored or failed to prepare for a cyber-attack: what went wrong... and how could the damage have been avoided?
TalkTalk - October 2015
What? Last year, TalkTalk suffered a Distributed Denial of Service attack which crippled network servers and allowed hackers to hijack the company's SQL database during the confusion. Around 157,000 customers had data stolen, at a cost of around £35 million.
How? TalkTalk should have understood that DDoS attacks are normally smokescreens for a more malicious attack - in this case, the database breach. They might have improved their intrusion detection software or configured routers to block or deflect traffic. Damage might also have been mitigated by encrypting data within the database.
Sony - November 2014
What? In late 2014, Sony suffered a highly publicised cyber-security breach which saw the theft of 100TB of data. The initial penetration occurred in one vulnerable server - which gave the hackers access to Sony's wider network. The damage was estimated to have cost the company $35 million.
How? Experts traced the breach back to a phishing attack specifically targeting Sony execs by using fake Apple ID verification. Phishing attacks can be highly sophisticated but also exploit naivety - the attack demonstrates employees of every status are vulnerable: Sony's highest-ranked employees should have had better training at spotting and avoiding this type of threat.
Ashley Madison - July 2015
What? The fallout from the Ashley Madison website hack in 2015 might be measured in embarrassment as much as financial loss, but the fact remains the site's entire user database (32 million accounts) was compromised by a carefully planned cyber-attack. The release of that sensitive information and the salacious nature of the website itself ensured the hack stayed in the headlines for weeks.
How? CEO Noel Biderman suggested the breach may have been perpetrated by an internal employee which, if true, underlines the importance of security strategies looking both outwards and inwards: disgruntled employees, contracted staff, or someone simply lacking appropriate training may create a serious weak link in any cyber-security strategy.
eBay - May 2014
What? In mid-2014, eBay suffered a huge security breach, with the records of over 145 million users (usernames, phone numbers, home addresses) stolen by hackers. The unprecedented attack, perpetrated by a group known as the Syrian Electronic Army, prompted eBay to advise all its customers to change their passwords.
How? Hackers accessed eBay's user database by targeting a handful of corporate accounts - eBay could have prepared better by making employees aware of current phishing and malware threats. More importantly, eBay might also have protected their reputation by informing users more effectively during and after the attack: months passed between the breach and its discovery, giving the hackers time to utilise customer data.
JD Wetherspoon - December 2015
What? In a database breach four times the size of the TalkTalk incident, hackers stole the personal details of over 650,000 customers of pub chain JD Wetherspoon. The data included personal details like names, addresses and phone numbers - but also highly sensitive bank details.
How? Rather than going after Wetherspoon's current (and presumably better-protected) website, hackers targeted an older site hosted on third-party servers. Security on the old servers had grown lax, to the point that the hackers were able to exploit weaknesses and steal the data. Not only should Wetherspoon have been aware of the vulnerability on their old server, but they should also have moved to inform customers of the breach more swiftly.
Preparing to defend
These incidents represent highly sophisticated and carefully planned attacks... but demonstrate how corporate behemoths can be undone by relatively simple gambits... even when a little extra awareness and training could have prevented disaster. Cyber-threats aren't something only enterprises need to worry about: as attacks on small businesses continue to rise at an alarming rate, preparation continues to be our best defence.
Are you prepared for threats to your business? Do you need advice on building a cyber-security strategy? Talk to us today...