October 9, 2024 By Sue Poremba 4 min read

When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.

October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad enough.)

The ultimate clickbait victim

A construction company suffered significant theft and transfer of money from the organization to a bad actor. Needless to say, the boss wasn’t happy, and since it involved a financial loss, it was brought to the attention of federal authorities.

Upon review of the incident details, it was discovered that a user had a habit of clicking on links in emails — not just any links, but all of them! This user failed everything taught in the awareness training and repeatedly fell victim to phishing schemes. Even more concerning, this was known to management and ownership.

Further investigation uncovered that during the security incident and subsequent network compromise, official company forms were stolen and used against the organization. The threat actor used these official forms to move money and alter vendor payment information, as well as employee payroll direct deposits.

But perhaps the scariest part of the story is that the user, known to click on everything imaginable, was still allowed to operate in such an influential and high-profile position.

Public WiFi shares too much information

A senior executive decided to work from a coffee shop over a weekend, connecting to the public WiFi and then accessing their company’s servers. This person worked in sales, and due to their senior position, they had admin access to customer records, sensitive data and customer financial details.

What seemed like a little stint of out-of-office work turned into the perfect scenario for a hacker to launch a man-in-the-middle attack and begin to siphon sensitive data from the connection between this person’s computer and the company servers. By interacting with these sensitive files, they unknowingly exposed them to the malicious actor.

Luckily, the security team caught this mishap before any major damage was caused. If this had gone wrong, customers’ banking data could have been breached. It really shows how easy it can be to become a victim of an attack and, even more importantly, highlights how essential it is to protect your data.

Guilty of malicious downloading

A law firm suffered a ransomware attack. It originated when someone was searching for a court case and downloaded a PDF from one of the first links they came across.

The law firm called their insurance company, which connected them to a breach response team. That team had them turn off all of the computers in the environment. The entire firm was shut down for over two weeks while the response team cloned drives, deployed them in sandbox environments and tried to identify the initial point of entry. Once they were reasonably confident that they knew where the entrance point was, it took another two weeks to gradually reimage and bring back online the rest of the computers.

To prevent future ransomware attacks, the firm instituted regular cybersecurity training, added new monitoring tools and tightened up the sites (e.g., via trusted DNS) that could be accessed by their employees.

Rogue blog

An online retailer was compromised when an admin installed a WordPress blog on their e-commerce web server. While the action was well-intended, it was poorly executed. The CMS was not incorporated into routine maintenance or vulnerability scanning, so it remained unpatched, including a critical vulnerability in the password reset process. Poor coding habits meant that a webshell uploaded via the CMS admin portal was quickly able to discover hardcoded database credentials.

A second well-intended but poorly executed step was when the person who first discovered the breach tried to purge the webshell, scrubbing a lot of forensic artifacts in the process and significantly impeding the subsequent investigation.

The case of the missing laptop

A medical practice administrator had work to do over a holiday weekend, so they took their work laptop home. This person was a long-standing employee, well-liked and had great employee reviews — the type of individual any organization would trust to be a responsible caretaker of any sensitive data in their possession.

The particular work laptop the employee took home contained patient information subject to HIPAA protections, as well as financial data that could very quickly do the organization damage if it fell into the wrong hands.

On the first workday after the holiday weekend, the medical practice received a phone call. A family member called to inform them that the administrator had died, killed in an auto accident.

Workers at the medical practice were appropriately distraught over losing the coworker they had known for years and offered their condolences to the family and each other. At the same time, there was concern about the laptop and the sensitive information it held. The family was informed about the need to return the laptop to the medical facility, but it could not be found.

The medical practice was now faced with the possibility of having to report the situation as a data breach, but still wanted to make sure the data would remain secure and private. The organization used a Managed Service Provider (MSP), which implemented security tools across the medical practice’s devices, including encryption and remote data security tools, like revocation of access, remote data wiping and other security and reporting tools.

The MSP quickly performed a check of the computer and discovered that it was indeed connected and online. By deploying another anti-theft tool, it was possible to activate the laptop’s webcam to see where the laptop was, and who was using it.

The image revealed none other than the deceased administrator — very much alive and holed up in an RV in the desert. Apparently, they were watching YouTube videos with a new dirt bike resting against the wall. The police were contacted, and further traces located the rogue employee’s position. The authorities discovered the administrator with the stolen laptop, $8,000 in cash, and soon learned that the RV was stolen as well.

Encryption would not have been enough on its own (since the administrator had the credentials). What was important was the ability to remotely remove access and remotely wipe sensitive data from a device altogether.

Stay safe from cyber horror

There’s one thing these cybersecurity horror stories make clear: You can never truly know when or how a breach will occur. But when organizations use a combination of cybersecurity tools, education and planning ahead, the results of a cyberattack or breach don’t have to be downright terrifying.
