When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.
October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad enough.)
The ultimate clickbait victim
A construction company suffered significant theft and transfer of money from the organization to a bad actor. Needless to say, the boss wasn’t happy, and since it involved a financial loss, it was brought to the attention of federal authorities.
Upon review of the incident details, it was discovered that a user had a habit of clicking on links in emails — not just any links, but all of them! This user failed everything taught in the awareness training and repeatedly fell victim to phishing schemes. Even more concerning, this was known to management and ownership.
Further investigation uncovered that during the security incident and subsequent network compromise, official company forms were stolen and used against the organization. The threat actor used these official forms to move money and alter vendor payment information, as well as employee payroll direct deposits.
But perhaps the scariest part of the story is that the user, known to click on everything imaginable, was still allowed to operate in such an influential and high-profile position.
Public WiFi shares too much information
A senior executive decided to work from a coffee shop over a weekend, connecting to the public WiFi and then accessing their company’s servers. This person worked in sales, and due to their senior position, they had admin access to customer records, sensitive data and customer financial details.
What seemed like a little stint of out-of-office work turned into the perfect scenario for a hacker to launch a man-in-the-middle attack and begin to siphon sensitive data from the connection between this person’s computer and the company servers. By interacting with these sensitive files, they unknowingly exposed them to the malicious actor.
Luckily, the security team caught this mishap before any major damage was caused. If this had gone wrong, the customer’s banking data could have been breached. It really shows how easy it can be to become a victim of an attack and, even more importantly, highlights how essential it is to protect your data.
Guilty of malicious downloading
A law firm suffered a ransomware attack. It originated when someone was searching for a court case and downloaded a PDF from one of the first links they came across.
The law firm called their insurance company, which connected them to a breach response team. That team had them turn off all of the computers in the environment. The entire firm was shut down for over two weeks while the response team cloned drives, deployed them in sandbox environments and tried to identify the initial point of entry. Once they were reasonably confident that they knew where the entrance point was, it took another two weeks to gradually reimage and bring back online the rest of the computers.
To prevent future ransomware attacks, the firm instituted regular cybersecurity training, added new monitoring tools and tightened up the sites (e.g., via trusted DNS) that could be accessed by their employees.
Rogue blog
An online retailer was compromised when an admin installed a WordPress blog on their e-commerce web server. While the action was well-intended, it was poorly executed. The CMS was not incorporated into routine maintenance or vulnerability scanning, so it remained unpatched, including a critical vulnerability in the password reset process. Poor coding habits meant that a webshell uploaded via the CMS admin portal was quickly able to discover hardcoded database credentials.
A second well-intended but poorly executed step was when the person who first discovered the breach tried to purge the webshell, scrubbing a lot of forensic artifacts in the process and significantly impeding the subsequent investigation.
The case of the missing laptop
A medical practice administrator had work to do over a holiday weekend, so they took their work laptop home. This person was a long-standing employee, well-liked and had great employee reviews — the type of individual any organization would trust to be a responsible caretaker of any sensitive data in their possession.
The particular work laptop the employee took home contained patient information subject to HIPAA protections, as well as financial data that could very quickly do the organization damage if it fell into the wrong hands.
On the first workday after the holiday weekend, the medical practice received a phone call. A family member called to inform them that the administrator had died, killed in an auto accident.
Workers at the medical practice were appropriately distraught over losing the coworker they had known for years and offered their condolences to the family and each other. At the same time, there was concern about the laptop and the sensitive information it held. The family was informed about the need to return the laptop to the medical facility, but it could not be found.
The medical practice was now faced with the possibility of having to report the situation as a data breach, but still wanted to make sure the data would remain secure and private. The organization used a Managed Service Provider (MSP), which implemented security tools across the medical practice’s devices, including encryption and remote data security tools, like revocation of access, remote data wiping and other security and reporting tools.
The MSP quickly performed a check of the computer and discovered that it was indeed connected and online. By deploying another anti-theft tool, it was possible to activate the laptop’s webcam to see where the laptop was, and who was using it.
The image revealed none other than the deceased administrator — very much alive and holed up in an RV in the desert. Apparently, they were watching YouTube videos with a new dirt bike resting against the wall. The police were contacted, and further traces located the rogue employee’s position. The authorities discovered the administrator with the stolen laptop, $8,000 in cash, and soon learned that the RV was stolen as well.
Encryption would not have been enough on its own (since the administrator had the credentials). What was important was the ability to remotely remove access and remotely wipe sensitive data from a device altogether.
Stay safe from cyber horror
There’s one thing these cybersecurity horror stories make clear: You can never truly know when or how a breach will occur. But when organizations use a combination of cybersecurity tools, education and planning ahead, the results of a cyberattack or breach don’t have to be downright terrifying.