In theory, enterprises should not only have security measures in place to prevent a data breach but should also have detailed plans for a response in the event of a breach. And they should periodically conduct drills to test those plans.
Industry-wide best practices for incident response are well established. “In general, you want breach responses to be fairly timely, transparent, communicate with victims in a timely manner, prevent further harm to victims as best as they can do that, and tell stakeholders what they are doing to mitigate future attacks,” says Roger Grimes, data-driven defense evangelist at KnowBe4.
However, as former heavyweight fighter Mike Tyson once said, “Everyone has a plan until they get punched in the mouth.” In other words, when a company gets hit with a serious data breach, the best-laid plans often go out the window.
Over the past few years, there have been numerous examples of high-profile data breaches that severely impacted the company’s fortunes. Think Equifax, Sony, and SolarWinds. Here are some recent examples of the best and worst responses to data breaches, based on the criteria cited above.
WORST: Cash App
It’s bad enough when you fail to enforce basic cybersecurity practices such as cutting off an employee’s access to sensitive customer data when that employee leaves the company. But how about discovering a breach in December 2021 and not disclosing that fact until it comes out in an April 2022 filing with the US Securities and Exchange Commission (SEC)?
That was the scenario at Block, the financial services company that owns mobile payment vendor Cash App. The SEC filing said an employee who had regular access to customer account data while employed at the company, accessed those reports “without permission after their employment ended.”
According to Block, the downloaded data of 8.2 million customers did not include usernames, passwords, Social Security numbers, or bank account information. It did include full names and brokerage account numbers, which are used to identify a user’s stock activity on Cash App Investing. The breached information “included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.” Block hasn’t fully explained how the breach happened or why it took so long to go public.
Not surprisingly, investors filed a class-action lawsuit in August 2022 seeking damages due to Block’s “negligent” behavior. The suit alleges that some customers have had unauthorized charges made against their accounts and points out that Cash App’s delay in notifying users of the breach caused additional harm to customers that “they otherwise could have avoided had a timely disclosure been made.”
The suit goes on to assert that the notice to data breach victims was “not just untimely but woefully deficient.” The allegations have not been proven in court. Block didn’t offer details regarding how the former employee was able to access customer information, whether the data was encrypted, or how Block learned about the breach. Block has also failed to offer any credit or identity theft monitoring services to those whose information was compromised.
BEST: International Committee of the Red Cross (ICRC)
We’ve become accustomed to hackers targeting schools and hospitals, but cybercriminals hit a new low when they conducted a sophisticated attack against the Red Cross in late 2021. The attackers accessed a database that contained names, addresses, and contact information for 515,000 people separated from their families by war and natural disasters.
The Red Cross responded with outrage. Robert Mardini, ICRC’s director-general, called the attack an “affront to humanity.” The agency publicly pleaded with the hackers not to use the information. Beyond that, the Red Cross response was swift, transparent, and comprehensive.
The agency quickly posted a lengthy FAQ on its website that described the hack and the response. The Red Cross immediately took the compromised servers offline and only relaunched the Restoring Family Links service after deploying enhanced security measures such as two-factor authentication and advanced threat detection, then conducting external penetration tests.
In addition, the Red Cross made extraordinary efforts to contact people who might have been affected, including phone calls, hotlines, public announcements, letters, and in some cases sending teams to remote communities to inform people in person.
The agency posted a detailed description of the hack itself, which was first discovered by a cyber security consultant working for the agency, who spotted an anomaly on ICRC servers. An investigation determined that the breach occurred on November 9, 2021, so hackers were inside the agency’s systems for more than two months before being detected.
Essentially, the attackers exploited an unpatched critical vulnerability in an authentication module. This enabled the hackers to compromise administrator credentials, conduct lateral movements, and exfiltrate registry hives and Active Directory files. The hackers disguised themselves as legitimate users or administrators, which allowed them to access the data, which was encrypted.
“We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address),” according to the Red Cross. The agency also fessed up to its mistake: “The timely application of critical patches is essential to our cyber security, but unfortunately, we did not apply this patch in time before the attack took place.”
The Red Cross has continued to issue updates and according to the latest information: “We have not had any contact with the hackers and no ransom ask has been made. To our knowledge, the information has not been published or traded.”
When it comes to data breaches, is there a sliding scale? In other words, if a tiny school district gets hit with a ransomware attack, do we give the IT team a partial pass because they probably lack the resources and skill level of a more tech-savvy company? On the other hand, if a company whose entire business model is based on protecting user passwords gets hacked, do we judge them more harshly?
Which brings us to LastPass, which experienced an embarrassing breach that was first announced in August 2022 as simply a minor incident confined to the application development environment. By December that breach had spread to customer data including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses.
LastPass gets high marks for transparency. The company continued to issue public updates following the initial August announcement. But each update raised questions about the accuracy of prior statements and called into question some basic security processes employed by LastPass.
The saga began on August 25, 2022, when LastPass CEO Karim Toubba announced that the company detected unusual activity within the LastPass development environment, but added, “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults.” LastPass said the attacker stole some source code but assured customers that the breach was contained and that there was “no further evidence of unauthorized activity.”
On November 30, LastPass issued an update saying the hacker, using information gained in the August incident, was in fact able to gain access to customer information stored in a backup cloud service. Again, LastPass assured customers that passwords were safely encrypted.
Then it got worse. On December 22, LastPass had to admit that the attacker used information stolen in August to target another employee in order to obtain credentials and keys which were used to access and decrypt customer data stored in the cloud-based backup. LastPass also had to admit that website URLs visited by customers were not encrypted.
LastPass assured customers that if they used the default master password that controls access to all of their other passwords, it would be virtually impossible for hackers to conduct brute-force attempts to discover it.
However, if a customer did not use the default password, then all bets are off. LastPass explained, “If your master password does not make use of the defaults, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.” LastPass also told customers that the threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks.
The company continued to keep customers informed about its mitigation efforts. LastPass decommissioned the hacked development environment and built a new one from scratch. It added additional logging and alerting capabilities to help detect any further unauthorized activity including a second line of defense with a leading managed endpoint detection and response vendor.
The damage may have been done, Grimes says. “LastPass had always said they protected customers’ stored data, but when that data was breached, it was revealed that while LastPass did possibly protect customers’ stored passwords, they did not protect customer login names, website links, and other customer-specific private information. This gives the hacker in possession of the information a complete map of the sites the user visits and what their logon names are. At the very least it could lead to customized spear phishing attacks that appear to be from websites the victim frequents. On top of that, the breach revealed that LastPass was still allowing weak master passwords.”
Managed cloud services provider Rackspace announced in December 2022 that it had been hit with a clever ransomware attack perpetrated by the PLAY cybercrime group. The attack locked up the hosted Microsoft Exchange accounts of 30,000 customers, who were unable to access their emails for several weeks.
The Rackspace response was swift. When the company became aware of the issue, it powered down and disconnected its Exchange environment. The company hired an external team from security vendor CrowdStrike to investigate what happened. Rackspace then announced that it was exiting the hosted Exchange business for good, and would help its customers migrate to Office 365. That’s pretty dramatic.
The CrowdStrike investigation revealed that Rackspace had installed one patch recommended by Microsoft to combat the ProxyNotShell exploit, but there was some confusion about whether a second patch was necessary. Rackspace did not install the second patch and the hackers were able to chain together two vulnerabilities in order to access the Exchange servers.
In an analysis of the breach, industry veteran Paul Robichaux said: “To their credit, Rackspace did pretty much everything right: they went public with the incident, hired a very well-known security firm (CrowdStrike) to help them clean up, and then published a postmortem discussing what happened.”
WORST: Zacks Investment Research
Here’s the timeline of the Zacks Investment Research breach that affected 820,000 customers: the breach lasted nine months, from November 2021 to August 2022. The company didn’t discover the breach until late December and didn’t notify customers until the end of January 2023.
To date, the company has not disclosed much, except to say that the breach involved names, addresses, phone numbers, email addresses, and passwords used for its website Zacks.com. Zacks did explain that the information comes from an older database of customers who signed up for a Zacks service between 1999 and 2005. The company said it blocked access to accounts with the compromised passwords, so customers would need new passwords. Zacks added that if customers use the same passwords on other websites, they should change those as well. The company will not be providing credit monitoring services to affected customers.
“A month to notify affected customers that their current passwords, which are often shared with other unrelated sites and services, seems a bit excessive,” Grimes says. “You would hope any breached company would notify affected customers within days and not take weeks to make an official announcement.”
Copyright © 2023 IDG Communications, Inc.