Examples of human error and social engineering incidents which have led to data breaches and financial loss.
RSA IT security – Spear-phished employee causes massive data breach
Risk: social engineering, malware, phishing
As a provider of public-key cryptosystems, RSA is one of the largest IT security companies in the world. Even so, it was not immune to a social engineering attack. In 2011, one of its employees opened an Excel attachment from an email with the subject line “2011 Recruitment Plan”. Unbeknownst to them, the file contained a zero-day exploit that let the attacker take control of their computer. Once “in”, the attacker stole several of the user’s passwords, used them to reach the rest of the RSA network, and exfiltrated data. Once customers such as banks and financial institutions learned of the breach, many lost confidence in the company’s SecurID product. To restore that confidence, RSA had to replace almost 40 million SecurID tokens. Even then, the reputational damage it suffered as a result of this incident is unquantifiable – all because one imprudent employee opened an email. Our awareness training primes users to detect and mitigate such threats, protecting your organisation from the resulting data breaches and the damage caused by cyberthreats.
How this could have been prevented: The best defence against the increasing threat of social engineering attacks is security awareness training, which will warn your organisation’s employees of the risks and also train them how to protect your organisation’s data.
Supplier to US department store Target gets spear-phished
Risk: malware, phishing
In 2013, Target, the American department store, had the details of up to 40 million credit cards stolen from its computers. The attack began when a third-party mechanical services contractor with access to Target’s network was spear-phished. Using the contractor’s logon credentials, the attackers installed malware on the point-of-sale systems in a substantial number of Target’s branches. The malware exfiltrated credit card details to servers in Moscow and other locations across the globe, from where they were sold on the dark web. As a result of the hack, customers had to cancel their credit and debit cards just before the holiday season. The company paid $18.5 million to settle claims brought by 47 states. Taking legal costs, settlements and loss of consumer trust into account, Target estimated the total cost of the breach at $202 million. Many independent analysts put the loss much higher.
How this could have been prevented: Malware is frequently used to steal usernames and passwords. Cybersecurity awareness training educates end-users so that they know how they can prevent malware being inadvertently installed onto their systems. This incident also highlights the importance of security awareness for any third-party contractors who might have access to your IT infrastructure.
Senior human resources manager of Seagate gets socially engineered into releasing the tax details of thousands of employees
Risk: social engineering, CEO fraud
A senior executive in the HR department of Seagate, the data storage device manufacturer, became the victim of a spear-phishing attack. An email purporting to be from the CEO requested the income tax data of present and past employees of the company, and the executive complied with the request, exposing hundreds of employees to tax and identity fraud risks. Seagate’s own employees launched a class-action lawsuit against the company for malpractice and the negligent handling of data.
How this incident could have been prevented: The risk posed by “CEO fraud” is a threat more prevalent than people think. Cybersecurity awareness training educates users on the identification of CEO fraud scams and the psychological tricks used by cybercriminals to influence users.
Barbie-maker Mattel loses $3 million in a CEO phishing scam
Risk: social engineering, CEO fraud
A senior finance executive at the toymaker Mattel received an email purporting to be from her boss, requesting an electronic funds transfer of $3 million to a new supplier in China. Eager not to disappoint, she wired the money to the “new supplier”, only to discover later that the request was fraudulent.
How this incident could have been prevented: With IT security awareness training there would be a much higher probability that the executive would have identified the signs of CEO fraud and mitigated the threat.
Austrian aircraft parts manufacturer fires its CEO and CFO after falling for a whaling scam
Risk: social engineering, CEO fraud
FACC, an Austrian aircraft parts manufacturer for Airbus and Boeing, lost €50 million when its accounts department received an email purportedly from the CEO requesting an international money transfer. The request was authorised by the firm’s chief financial officer but the receiving account was, in fact, owned by cybercriminals. Both the CEO and the CFO were subsequently fired after the incident.
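The Seagate, Mattel and FACC incidents above all turn on a message whose sender only appears to be an executive. The following check, written for this page as an added example (not code from any of the companies mentioned), flags two of the telltale signs: a display name that matches a known executive but comes from a different address, and a Reply-To that diverts replies elsewhere. The executive directory and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed directory of executives and their genuine addresses.
# Assumption: a real deployment would load this from the identity system.
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
}


def flag_impersonation(headers, directory=EXECUTIVES):
    """Return a list of reasons an inbound message looks like CEO fraud.

    An empty list means neither check fired.  `headers` is a dict of
    header name -> raw header value, as a mail gateway would hand over.
    """
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    known = directory.get(name.strip().lower())

    # Sign 1: the display name is an executive's, but the mailbox is not theirs.
    if known and addr != known:
        reasons.append(
            f"display name '{name}' matches an executive but address is {addr}"
        )

    # Sign 2: replies are routed to a different mailbox than the one shown.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    return reasons


# Constructed sample messages: one fraudulent, one genuine.
FRAUD_MESSAGE = {
    "From": "Jane Doe <ceo.office@mail-example.net>",
    "Reply-To": "jane.doe.private@mail-example.net",
    "Subject": "Urgent wire transfer - new supplier",
}
GENUINE_MESSAGE = {
    "From": "Jane Doe <jane.doe@example-corp.com>",
    "Subject": "Q3 planning",
}

if __name__ == "__main__":
    for reason in flag_impersonation(FRAUD_MESSAGE):
        print("FLAG:", reason)
    print("genuine message flags:", flag_impersonation(GENUINE_MESSAGE))
```

A gateway rule built on this would quarantine or banner the message for a human to verify by phone, which is exactly the step the FACC and Mattel transfers lacked.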
Business email compromise and Meath County Council
Risk: phishing, malware, business email compromise
Business email compromise commonly begins when data-stealing malware, usually delivered by phishing, is installed on an employee’s computer. Common targets are employees in finance or procurement functions. The malware steals their email login details and sends them to a command and control server. The attacker can then watch and wait until a large payment is due for processing. At the last minute, they block emails from the bona fide supplier and impersonate the supplier, sending their own account details to the victim. This is what happened to an employee of Meath County Council, who inadvertently transferred €4.3 million to a Hong Kong bank account owned by a cybercriminal group.
How this incident could have been prevented: For a substantial number of business email compromise attacks, the precursor is a malware-laden phishing email sent to an employee. Employees who have undergone anti-phishing and cybersecurity awareness training are much more likely to detect and thwart this sort of attack.
Laptop theft at Bord Gais headquarters
Risk: Physical theft of devices, unencrypted devices
Four laptops containing the details of 75,000 people were stolen from the headquarters of Bord Gais in Dublin. One of them was unencrypted.
How this could have been prevented: IT security awareness training that warned employees about the need for secure physical storage of mobile computing devices and the importance of device encryption might have prevented this data breach from occurring.
Dublin Zoo employee is subject to business email compromise attack
Risk: business email compromise, social engineering
Dublin Zoo almost lost more than €500,000 when fraudsters intercepted emails between the zoo and a supplier. The “door was opened” for the attackers when an employee inadvertently opened a phishing email, which downloaded credential-stealing malware onto their PC. Using this malware, the attackers gained access to the employee’s email account.
How this could have been prevented:
The zoo was subject to an elaborate business email compromise scam. Cybersecurity awareness training educates employees how to spot the telltale signs of a BEC scam and how to mitigate it.
Data exfiltration attack on French multinational after personal assistant gets socially engineered
Risk: social engineering, phishing, vishing, double-barrelled attack, malware, data exfiltration
A personal assistant to the vice-president of a French multinational received an email asking her to view an invoice hosted on a popular file sharing service. A couple of hours later she got a phone call from a man purporting to be a senior executive of the company; he spoke authoritatively and in perfect French. When the assistant opened the “invoice”, she unknowingly installed a Remote Access Trojan on her system. This software, which connected to a server in Ukraine, enabled the attacker to record keystrokes, view the desktop and exfiltrate files.
How this attack could have been prevented:
The personal assistant was subject to a double-barrelled social engineering attack. The attackers used both phishing and vishing (impersonation over the telephone) to persuade the target to download the malicious software. They also exploited the human tendency to follow orders from those in higher authority. IT security awareness training deconstructs common social engineering techniques used by attackers so that end-users can “join the dots” if they are ever subject to this insidious attack.
Employee in medical clinic causes data breach due to email misdelivery error
Risk: email misdelivery, publishing error, human error
In 2015, an employee of a London NHS clinic specialising in HIV care sent a bulk email newsletter to hundreds of its patients. The employee inadvertently put all the recipient addresses in the “To” field instead of the “Bcc” field, which resulted in a personal data breach and negative publicity.
How this attack could have been prevented: Robust data protection training gives employees actionable steps to follow when they communicate via email, minimising the risk of a data breach caused by incidents such as email misdelivery or publishing errors.
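Training aside, the misdelivery above is also mechanically preventable: a bulk-send tool can refuse to send, or rewrite, any message that exposes more than a handful of addresses in To/Cc. The check and the rewrite below are an added example written for this page, not the clinic’s software; the recipient limit and the sample newsletter headers are constructed assumptions.

```python
from email.utils import getaddresses

# Assumption: a newsletter may show at most one visible recipient (the sender's
# own address); every real recipient belongs in Bcc.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(headers):
    """Addresses every recipient will be able to see, i.e. those in To and Cc."""
    fields = [headers.get("To", ""), headers.get("Cc", "")]
    return [addr for _, addr in getaddresses(fields) if addr]


def check_bulk_send(headers, limit=MAX_VISIBLE_RECIPIENTS):
    """Return (ok, message). ok is False when To/Cc would disclose recipients."""
    visible = visible_recipients(headers)
    if len(visible) > limit:
        return False, f"{len(visible)} addresses exposed in To/Cc; move them to Bcc"
    return True, "ok"


def rewrite_to_bcc(headers, sender):
    """Return a copy of `headers` with all To/Cc addresses moved into Bcc.

    The sender's own address is placed in To so the message still has a
    visible recipient, which is the usual newsletter convention.
    """
    hidden = visible_recipients(headers)
    existing_bcc = [a for _, a in getaddresses([headers.get("Bcc", "")]) if a]
    fixed = {k: v for k, v in headers.items() if k not in ("To", "Cc", "Bcc")}
    fixed["To"] = sender
    fixed["Bcc"] = ", ".join(hidden + existing_bcc)
    return fixed


# Constructed sample: the mistake the clinic made, three patients visible in To.
NEWSLETTER = {
    "From": "clinic@example.org",
    "To": "patient1@example.org, patient2@example.org, patient3@example.org",
    "Subject": "Clinic newsletter",
}

if __name__ == "__main__":
    ok, msg = check_bulk_send(NEWSLETTER)
    print("before:", ok, msg)
    fixed = rewrite_to_bcc(NEWSLETTER, NEWSLETTER["From"])
    print("after:", check_bulk_send(fixed), "| Bcc =", fixed["Bcc"])
```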
Coca-Cola phishing incident results in the collapse of acquisition deal
Risk: phishing, social engineering, malware, whaling attack
In 2009, Coca-Cola got an unexpected call from the FBI informing it that hackers had been exfiltrating data from its systems for the previous month. The initial attack vector was a seemingly mundane email about energy saving sent to one of the company’s regional vice-presidents. The email carried keylogging malware, which stole network credentials and gave the attackers access to Coca-Cola’s corporate network. Only three days after the discovery, the company had to abort its plans to acquire one of China’s largest soft drink manufacturers.
How this attack could have been prevented: Anti-phishing and cybersecurity awareness training conditions employees to handle email safely, minimising the risk of intellectual property loss. In particular, tailored IT security awareness training for executives educates them about “whaling attacks”, i.e. hyper-targeted phishing emails designed to deceive them into downloading malware onto their devices.
Executives from a Norwegian telecoms firm get phished, resulting in data exfiltration
Risk: phishing, malware, data exfiltration, intellectual property loss
Telenor is a world-leading telecommunications firm from Norway. In 2013, Norwegian media reported that files and emails had been stolen from the computers of its senior executives. The executives are believed to have received phishing emails that, when clicked, installed Remote Access Trojans on their computers, enabling the attackers to exfiltrate the organisation’s intellectual property.
How this attack could have been prevented: Anti-phishing training for executives makes them more resilient to phishing attempts. Stopping the attack at that first step would have prevented the inadvertent installation of malware and the subsequent exfiltration of data.