Earlier this month, it emerged that hackers had found a way to break into Progress Software’s MOVEit Transfer tool. The US company quickly released a downloadable security update, but not before many of its clients had been affected. Those clients included payroll services provider Zellis in the UK, which in turn led to the BBC, British Airways, Boots and Aer Lingus losing data. Today, then, we look at data breach incidents and how you can avoid them.
Data breach incidents occur when an organisation’s stored information is stolen or accessed without prior authorisation. Cyber-criminals who obtain this information can then use it, for example, to make phishing emails or texts appear legitimate. In many cases, individuals are targeted directly. In others, criminals send messages posing as an organisation that has suffered a recent breach. High-profile breaches are typically exploited whilst they are still fresh in the mind, leading to people being tricked into clicking on scam messages.
Following a breach, there are certain actions that can be taken. If you are a customer of any organisation that has suffered one, you should try to find out whether you have been affected. Do this by contacting the organisation via its official website, and do not click on any links in messages you may have been sent. As per guidance on phishing scams from the NCSC: “Be alert to suspicious messages… which may be sent some time after the breach is made public. Remember, your bank… will never ask you to supply personal information.” Look out for any official-sounding messages about passwords or compensation, particularly if you are asked to act immediately. You can check whether your details have appeared in any other public data breaches via online tools such as https://haveibeenpwned.com.
Guidance for organisations suffering a breach
If you are a UK organisation that has suffered a breach, then the ICO has detailed guidance on how to manage it. Essential actions are as follows:
- Report the breach to the ICO within 72 hours of it being detected (the ICO guidance includes instructions for this)
- Be prepared to inform any individuals affected
- Keep a record of the breach
Ideally, your organisation will already have breach detection, investigation and reporting procedures in place. These will all be part of your overall IT security strategy. For further advice on this, do not hesitate to get in touch with our experts.
How to avoid data breaches
The following tips combine input from our cyber security professionals plus those at the ICO and the NCSC:
- Store personal data securely
- Only provide access to this data to authorised personnel (you should have robust access controls in place, and they should be enforced, not just documented)
- If the data is held in physical documents, store them in locked cabinets
- Ensure that all devices are password or passphrase protected
- Implement robust security policies (including clear desk and remote working)
- Back up your systems on a regular basis
Other points to consider include:
- Keep customer records up to date (contact customers regularly to ask whether any of their contact details have changed)
- Maintain clear, consistent naming conventions for all documentation and files
- Review access controls on a regular basis
- Deploy regular staff training
- Above all else, treat all data as if it were your own
- Regularly re-evaluate your IT security strategy and policies / processes
This last point is crucial, because cyber-criminals are constantly evolving. The threat landscape is ever-growing, and what was secure yesterday might not be tomorrow. Indeed, if you are uncertain whether or not your existing IT systems are ‘up to scratch’, then CRIBB can help via our ‘Detection & Defence’ services.
Penetration testing & vulnerability scans
CRIBB are CREST-certified penetration testers, which means we can deliver pen tests in an efficient and effective manner. A pen test is essentially an authorised, simulated attack. Depending upon your requirements, our experts will perform the test to evaluate existing security levels. They will deploy the same techniques and tools as attackers to find any weaknesses that could be exploited, so that you can fix them first.
Vulnerability scanning is a similar process, although it is not as involved. Here, our team will scan networks or systems to identify known security vulnerabilities, typically without attempting to exploit them. Since attackers are constantly seeking weaknesses, the proactive measure is to find them first and then address them accordingly.
What are the 3 biggest data breaches of all time?
In the US: Yahoo!, 2013-2016, over 3 billion user accounts exposed. Then Microsoft, Jan 2021, 60,000 companies affected worldwide. Finally, First American Financial Corp., May 2019, 885 million records leaked.
What are examples of data breaches?
Hacks, insider threat, human error.
What causes 90% of data breaches?
Employee mistakes.
‘Data breach incidents: How to avoid them’ aims to provide a broad look at a serious cyber security threat. If you have suffered a breach, then we want to hear from you. How did it happen? Which steps did you take in the aftermath? By sharing this information, we can work together to raise cyber awareness.