Breach Report 2019 – October

by Sarah Harvey / November 5th, 2019

Every month there is headline after headline reporting about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during October and the lessons we can learn from them.

Krystal Fast Food Chain

What Happened?

In mid-October, popular southern fast food restaurant, Krystal, notified customers of a data breach impacting one of their payment card processing systems. While the organization is still working to investigate the data breach, here’s what we know according to a statement released by Krystal: “The security incident may have involved payment cards processed by a payment processing system used at certain restaurants between July through September 2019…We are working hard to determine the specific locations and dates for each restaurant involved in the attack. To date, our investigation has determined that about a third of our restaurants that are not impacted.”

Lesson Learned

This is not the first time a hospitality organization has experienced a data breach of this nature. In fact, attacks on POS systems are one of the most common among the hospitality industry, accounting for 90% of all breaches. To avoid enduring the fallout of a compromised POS system, organizations must be sure that the third parties that digitally process payment card information on behalf of their business must follow information security best practices and meet required security standards, like PCI and HIPAA.

Country of Georgia

What Happened?

Early last week, the country of Georgia suffered a major cyberattack – one that caused 2,000 sites to be taken down, including government, law enforcement, and media outlets. While the exact cause of the breach is unknown, many believe it to be a political attack, as many of the affected sites’ homepages were defaced with a photo of former Georgian President, Mikheil Saakashvili, in front of a Georgian flag, captioned with the phrase “I’ll be back.”

Lessons Learned

Politically motivated cyberattacks are becoming more and more common, and countries must be sure that they have a robust cybersecurity program in place, including a well-rehearsed incident response plan, in the event that a data breach occurs. While the breach impacting Georgia was one of the largest cyberattacks the nation had ever seen, their cybersecurity team was able to quickly contain the incident and get sites back online.

American Cancer Society

What Happened?

On October 24^th, security vendor Sanguine Security’s global malware monitor found malicious code associated with Magecart on the American Cancer Society’s e-commerce store. The payment skimmer was injected into the American Cancer Society’s site on October 24^th and was removed the next day.

Lessons Learned

The healthcare industry is just as responsible for securing payment card information as they are protected health information. When a healthcare organization, like the American Cancer Society, offers services that collect, use, store, or transmit any kind of payment card data, they must be sure to effectively mitigate any risks. This could be done using code review to find XSS flaws using OWASP’s XSS prevention rules, or it might involve undergoing web application penetration tests. Either way, we know that the healthcare industry is increasingly vulnerable to cyberattacks, and it’s necessary that healthcare organizations start performing their due diligence to provide the quality care and security that patients deserve.

CenturyLink

What Happened?

In mid-September, security researcher Bob Diachenko discovered an exposed MongoDB database that had been publicly accessible for at least 10 months. The database contained 2.8 million records including names, addresses, email addresses, and phone numbers. CenturyLink worked to close the exposed database within two days of being notified about the breach on September 17th but asked that Comparitech wait to publicly announce the breach so that they could investigate the security incident.

Lessons Learned

A primary takeaway from this breach is that given the association to CenturyLink and the PII involved, an attacker could craft a customized phishing campaign which includes some legitimate information, which could trick even a moderately-trained victim. As always, user education, security awareness training, and simulated phishing testing is a good idea for organizations to consider.

At KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in or the size of your company. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.