Hack me once, shame on thee. Hack me twice, shame on me.

The popular email marketing company, MailChimp, suffered a data breach last year after cyberattackers exploited an internal company tool to gain access to customer accounts. The criminals were able to look at around 300 accounts and exfiltrate data on 102 customers. They also accessed some customers’ AIP keys, which would have enabled them to send email campaigns posing as those customers.

This data breach attack wasn’t especially noteworthy — until less than six months later, it happened again. As before, an intruder accessed internal tools to compromise data on 133 MailChimp accounts. The breach was made possible by a social engineering attack on employees and contractors to gain access to employee passwords.

The attack engendered follow-on attacks. One of MailChimp’s customers was the cloud service provider, DigitalOcean. As a result of the attack, that company was unable to communicate with customers for a few days and had to request that customers reset their passwords.

After the first breach, MailChimp told TechCrunch it had added an unspecified “additional set of enhanced security measures” and replaced its CISO.

The experience of getting attacked in a similar manner as a previous attack isn’t rare. In fact, it’s very common.

MailChimp is just one example of many

Repeated attacks are actually the norm, not the exception. Some two-thirds (67%) of companies attacked get attacked again within one year, according to a global study by the security posture management company, Cymulate. And 10% of companies experienced 10 or more incidents within a single year.

For ransomware attacks specifically, the number of companies suffering repeated ransomware attacks rose to 80%, according to an international Cybereason survey.

Which raises the question: Why are repeat attacks so incredibly common?

What goes wrong in attack recovery that invites new attacks?

Here’s an under-appreciated fact about what happens after a cyberattack: Malicious actors learn what’s possible.

In the MailChimp example, cyberattackers learned that 1) internal tools were vulnerable, and 2) they could be used to steal customer data.

Once that knowledge was out there, it gave cyber crooks an incentive and a target. In other words, we can assume that the most likely next attack will target the same vulnerabilities as the last attack. The second a cyber incident is publicized, the clock starts ticking on a copycat attack.

The worst thing a company can do is nothing.

The best thing is to focus like a laser beam on the specific vulnerabilities that lead to the attack in the first place so that copycat attackers can’t exploit the same issues.

What should companies do to prevent repeat attacks?

While, of course, all companies should do all they can to prevent cyberattacks, it’s especially important to prioritize protection against the kind of attack that has already occurred.

The right response to a major cyberattack is to launch a thorough reset of the organization’s cybersecurity approach and posture. The SolarWinds hack is one great example.

In December 2020, we learned of a sophisticated supply chain cyberattack launched by a nation-state using the SolarWinds Orion network management system. Through this software, the Russian-backed cyberattackers (APT29, aka Cozy Bear) breached systems inside multiple U.S. and European government agencies and private companies, including multinational drug and biotech company AstraZeneca. The attack was discovered by the security firm FireEye when it was itself compromised by the attack.

Changes to industrial and national policy after the SolarWinds catastrophe are well known. But less appreciated are the steps SolarWinds itself took after the attack. They handled the aftermath well.

SolarWinds added a cybersecurity committee to its board of directors, added former CISA Chief Chris Krebs and former Facebook and Yahoo Security Chief Alex Stamos as consultants to the board, and they instituted major changes to how they build software to support strong cybersecurity.

Of course, it’s unlikely most companies are going to bring on board two of the most prominent names in cybersecurity. But the SolarWinds example captures the necessary spirit of change — boosting security best practices into everything from how leadership leads to company code.

Effectively regrouping after an attack

After a major attack, every organization should do some soul-searching. It’s important to evaluate how leadership failed to lead, how the company failed to invest, how the policies were inadequate and how the company culture around cybersecurity was insufficient to prevent malicious attacks through social engineering or other methods. The result of this postmortem should be:

  • Changes in the org chart: Additions to the staff of senior-level security specialists like a CISO, a change in who reports to whom or the injection of strong cybersecurity experience to the board of directors.
  • A total overhaul of cybersecurity training for employees
  • Strong improvements to how and when patching and updates happen
  • The overhaul of the security posture to embrace Zero Trust.

In short, the particular vulnerabilities that opened the door to a cyberattack need to be aggressively prioritized for remediation. Because the bad guys see the published details of a cyberattack as an instruction manual to launch another one.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Intelligence & Analytics

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today