Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

A Cautionary Tale of a Data Breach

If you're reading this blog, there's a good chance you're familiar with the topic of data breaches; they regularly make the headlines and cause a lot of extra work for IT, security and other staff in affected companies who battle to identify, contain and eradicate the attack. 

But while the news stories carry the attack's immediate impact, we're rarely aware of the long-term cost to the organization and its staff, both personal and financial. But that is a story that needs to be told because the data breach itself is only the beginning of what can be a very long road for the company, its employees, and its clients.

Changing the Name to Protect the Not-So Innocent

This blog is based on a true story, but let's change the company's name as there is no need to kick an organization while it's down. So, in the spirit of Wile E. Coyote and the Road Runner, let's call the firm Acme. Acme is a construction company headquartered near Birmingham, UK. It employs just under 1,000 staff split between its offices and customer sites. 

The Breach

In March 2022, Acme became aware that its network had suffered a breach. An observant sysadmin breach identified the breach by noticing some unusual behavior, including account creation with names that the sysadmin could not identify. 

Without a proper incident response plan in place, it, unfortunately, took Acme a couple of days before someone of sufficient authority took appropriate action, even though the corporate rumor mill had spread stories that something was amiss. 

How bad was the situation? The next step Acme took was dramatic. it opted to close down the company, turn everything off and cease operations. The staff was sent home with the information that "a breach was being investigated."

Acme's clients were left high and dry without even the little bit of info it gave to the workers. Instead, the company told its clients a tale that Acme was undergoing an extensive audit and until it was complete, they would not be able to do anything. Hmmm.

Acme's IT provider was called in to assist with the investigation; such work wasn't in its area of expertise, but it was a lot easier to use a company you have a commercial relationship with than to go out to the market and find someone else… especially when your communication and financial systems are offline. Needless to say, the investigation was long and expensive and the results weren't that conclusive or reassuring.

Immediate Consequences for Employees

While the company conducted the investigation, the staff were put on two weeks of compulsory leave. Workers who used their annual allowance before this point now had no vacation time remaining for the rest of the year. Either way, that holiday abroad you were planning may now have to include unpaid time off. 

As if that wasn't enough to worry about, as the investigation continued and the end of the month drew closer, there was no clarity on whether the company would make payroll. Luckily, at the last minute, the money did land in the employee's bank accounts, although the stress of not knowing until the eleventh hour didn't get acknowledged or compensated. 

Is it all over?

Finally, Acme is back in operation. The "audit" is over, but the company told everyone that if a client asks, they should stick to the fairy tale created. As it turned out, most clients did not believe that fairy tale.

The staff was also basically in the dark, being told nothing beyond that a hack had taken place during which the attacker accessed a limited amount of personal information.

Additionally, the company did not report the breach to the ICO (the UK regulator). Perhaps because it didn't meet what it judged to be the reporting threshold.

Over the next couple of months, events settled down. Work restarted, although it seems a little quieter around the office than previously; is it possible a few clients did some quiet due diligence and decided to go elsewhere? Very likely, clients are not stupid and treating them so is not a solid business move. A few staff continue to argue over their lost vacation time, but management isn't budging. 

Problems Continue

A few months later, those employees who regularly check their credit score noticed a loan had been applied for in their name but not by them. Taking a loan out without your knowledge is bad enough, but in a few extreme cases, this caused problems for people who were having mortgage applications processed at that time. As I write, affected staff are now trying to understand how they can fix this and how it happened when their employer reassured them that any loss of personal data was trivial. 

And Looking Into the future…

We must remember that this is a true story, with real victims, both inside and outside the company. While the company has dealt with the immediate effects of the breach and Acme is back in operation, some clients and many staffers are unhappy. 

Internal morale is very low, and some staff has resigned. Will Acme survive this setback? The likely answer is yes, but the effect on clients and particularly the loyal employees has been and continues to be negative. 

I cannot predict the future repercussions, but it could involve Acme being hit with regulatory fines followed by a loss of reputation and business.

However, if effective monitoring, a robust and tested incident response plan, a forensic response service on standby, and a Data Protection Officer to assess and advise on regulatory requirements had all been in place, none of which needs to cost the Earth, I would be relaying to you a much happier tale. 

The Last Word

Granted, this is an extreme case, but it's not as unusual as you might think, and the lessons which should be learnt are applicable to every organization. As I've outlined above, there are some simple steps an organization can take to avoid being caught in the same situation:

  • Monitor what is happening on your infrastructure; this is relatively simple these days and activities such as account creation and privilege changes should always raise some form of notification.
  • Have an incident response plan and test it; you have an evacuation plan and run occasional fire drills so why not do the same for a security incident? 
  • Purchase an incident response retainer; think of it like insurance but of far more value.
  • Build and test resilient infrastructure; having single points of failure means nothing else works if it goes down or is unavailable.
  • Take the steps needed to limit the ability for an attacker to hack into your systems in the first place; multi-factor authentication and a password policy, vulnerability management, and anti-malware.

The list goes on, but it's more important to note that none of these steps are difficult to implement or are inordinately expensive, unlike losing your clients, staff, and then your business. 

Trustwave Security Colony offers a Data Breach assessment tool. Click on the image below to sign up today!

18787_breach-monitor

 

Latest Trustwave Blogs

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More