Your company’s data may be compromised without you being informed, and you should take those breaches seriously.
We all know about the nefarious actions of both state-sponsored and private hackers. We’ve heard about how someone clicked on an email and then ransomware encrypted files, holding them for ransom until paid with Bitcoin. We’ve seen companies, governments, hospitals and individuals all fall victim. However, what we don’t hear about are the not-so-nefarious data breaches: the ones caused by internal errors within many hosting companies and third-party vendors. They never make national news, and often their customers will never know. Yet they are just as serious and can compromise your company’s sensitive data. In fact, these data breaches happen every day, multiple times a day, and to multiple companies. Depending on policies and procedures, these data breaches may not even be reported to you. This article will discuss several real types of data breaches that do occur and the implications these breaches may have for your business.
Your company’s website suddenly goes offline. You’re losing money because your B2B (Business to Business) website is how your customers order products and services and make payments. You immediately call the third-party vendor who hosts your servers. An incident ticket is created, and details about your server, such as the server name, its IP address, and its FQDN (Fully Qualified Domain Name), are entered along with your name and contact information. The ticket is assigned to a Tier 3 engineer. The engineer fixes the issue and responds by email but inadvertently sends the email containing the incident ticket number to the wrong customer contact. No other information is provided.
Initially, this may seem to be nothing to worry about, but the impact can be major if exploited correctly. In the world of hacking, most hacking isn’t done through computer viruses or backdoor programs in order to get access to credentials or data. Nearly 90% of hacking is done through what’s known as Social Engineering. All it takes is for a person with ill intent to simply respond with a cleverly crafted email designed to elicit specific information typically provided when an incident ticket is created. In most cases, the engineer will only look at the subject line, which they created and sent to the wrong person, and respond, answering the seemingly innocuous request for information. That response could include a wealth of information that could expose your systems to additional hacking attempts that your company may not recover from.
Your hosting company notifies you that they need to patch your servers and requests to have a maintenance window scheduled. You have multiple servers, and each of those servers has owners of critical business applications. You request that all of those owners be notified before patching starts so they can stop the services, and then again after patching so they can bring those services back up. The hosting company’s coordinator sends out an email confirming the scheduling of the maintenance window but mistakenly adds the email address of another customer because the autofill function of the email system placed a similar email address into the field. The hosting company’s coordinator sends out the email without noticing the error.
Again, this may not seem like much, but if the person who incorrectly received the email wants to do something with that information, there are plenty of people willing to pay good money for it. Once armed with the email, any hacker can begin the process of Social Engineering. They now potentially have the names of specific people within your organization associated with specific applications. They potentially have server names, disclosed in the email chain, that contain the names of specific applications. This is just the beginning of a seriously bad situation. The hacker has potentially hit the jackpot!
The fact of the matter is that organizations have to be ever vigilant when it comes to protecting their data. If your organization uses a third party to manage the server infrastructure, website, or network, be aware of what their policies and procedures are when it comes to handling these types of data breaches. Most larger hosting and managed services vendors have policies and procedures in place to deal with these situations. However, if there aren’t any, then you may want to consider the business and legal impact to your organization of staying with the vendor if your data is breached.