Every year, we see news sources report on cybersecurity breaches and data leaks across numerous companies. The companies that make news headlines tend to be enterprise-level, recognizable companies. But many fail to realize that plenty more cybersecurity breaches happen without making news headlines. Many companies continue to believe they will not be the targets of cybercrime until it happens to them. Unfortunately, cybercrime has become so common in 2022 that the question should not be ‘if it will happen,’ but ‘when it will happen.’ More than 80% of companies in the USA have been targeted by threat actors, in many cases more than once. It is much easier to deal with a cybersecurity breach when you have systems to recover and prevent severe financial and legal repercussions.
Below are some notable security breaches of 2022 and what we can learn from them:
2022 started with the Canadian Red Cross (ICRC) discovering a data breach on January 18th. The data of more than 500,000 people was breached with attackers stealing data related to the ‘Restoring Family Links Program,’ which hosts information about those separated from families due to conflict, migration, war and disaster, missing persons and their families. The ICRC informed individuals affected by the breach via public announcements, phone calls and letters.
The ICRC stated that hackers were able to gain access to their systems via an unpatched vulnerability. While their malware systems did detect and block some of the files used by the hackers, it wasn’t until they installed an advanced endpoint detection and response (EDR) system that they detected an intrusion. They estimated that their system had been compromised for over two months (from November 2021 to January 2022, when it was detected.)
The average time to identify large-scale data breaches is 212 days. Many companies, especially small and medium businesses, do not have the proper security measures to detect that they have been breached in the first place. An endpoint detection and response system can help companies quickly detect the presence of a threat and deal with it quickly. In the case of ICRC, the hackers could enter their network and gain access to the system by exploiting an unpatched critical vulnerability. Patching is an extensive activity for any company, especially large enterprises. Although the ICRC has a multi-level cyber defense system, the humanitarian organization did recognize the failure to apply a critical patch before the attack resulting in this unfortunate event. Timely application of critical patches is essential to preventing cybersecurity vulnerabilities and should be part of any company’s vulnerability management plan.
In April 2022, the popular mobile payment company, Cash App, fell victim to a data breach that affected over 8 million current and former users. The company filed a report with the U.S. Securities and Exchange Commission in response to customer data being compromised on April 4th, 2022. Fortunately, personally identifiable information (PID) such as birthdate, social security numbers and addresses were not stolen. However, the hacker – an ex-employee from Cash App – could exfiltrate reports containing full names, portfolio values, stock trading information and brokerage numbers. Insider threats like this are not uncommon and have increased by 44% in the past two years.
The cyberattacker in this breach was an ex-employee of Cash App who had access to the reports because of their past job responsibilities. After termination, access to these reports should have been revoked. Unfortunately, the correct access control measures were not put in place. Part of a company’s security policies and implementation should include delegated access controls and policies for managing identity. This makes it so that employees can only access files and data relevant to their function within the company. Once an employee leaves the company, they should no longer be able to access any files. Having a proper identity and access controls can reduce the risk of insider threats.
In August 2022, Mailchimp published that their security team had become aware of an unauthorized actor accessing tools used by customer-facing teams for account administration and support. The hacker gained access to employee credentials through a social engineering phishing attack. In this case, the actor had pretended to be from a crypto-currency company and targeted Mailchimp’s crypto-related users. Their investigation found that just over 200 accounts were affected by the incident, mostly related to cryptocurrency and finance. Customers who had enabled multi-factor authentication on their accounts were saved from the data breach.
In 2022, stolen or compromised credentials were not only the most common cause of a data breach but, at 327 days, took the longest to identify. Social engineering from hackers has become more sophisticated and believable as cybercriminal activity becomes more and more profitable. Threat actors have stepped up their game to establish legitimacy in any way possible by creating realistic personas of employees within a company via emails, disguising themselves as delivery men, and even paying for google advertisements. This is all the more reason for organizations to educate their users through Security Awareness Training so that they can identify malicious activity even in situations where everything may seem ‘normal.’
Moreover, as was shown in this example of the Mailchimp breach, multi-factor authentication can be the difference maker when it comes to keeping customer data safe. Employees and customers should have multi-factor authentication enabled, especially when their account access could lead to a severe data breach within the company.