Learning from recent breaches in the news

A photograph of a person sat on a bench reading a newspaper. A "Spotlight on InfoSec" roundel is stamped in the middle.

This is our latest article in a series putting the spotlight on Information Security.

Here, Sarah Coles looks at 3 recent breaches that hit the headlines, and offers 3 key tips from each example on how to stay protected.

North Face accounts hacked in credential stuffing attack

Outdoor clothing brand North Face made the news in September as a major cyber-attack saw nearly 200,000 customer accounts hacked [1].

Attackers used ‘credential stuffing’, in which credentials stolen in previous data breaches are tried against other services in the hope that the same username and password have been reused.

Automated bots attempt many logins at once, sparking a race between the attackers reaching the account data and the security teams noticing and shutting down the attack.

This kind of attack is extremely successful because people still reuse passwords. In the North Face incident, the attackers didn’t need to rely on a weakness in North Face’s network. They simply used passwords leaked through another company’s weak security. But it’s North Face that’s suffering the reputational damage.
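The race described above is one a security team can shorten with simple detection: a credential-stuffing burst looks like one source address trying many different usernames in a short window, mostly failing. The following is an added example (not code from the original article); the log format, addresses and thresholds are assumptions for illustration.

```python
"""Detecting a credential-stuffing burst in authentication logs.

Added example, not from the original article. The log format, source
addresses and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one source address trying many different
# usernames in quick succession (the signature of credential stuffing),
# plus an ordinary user who mistyped their own password once.
SAMPLE_LOG = """\
2022-09-10T12:00:01Z src=203.0.113.5 user=alice result=FAIL
2022-09-10T12:00:02Z src=203.0.113.5 user=bob result=FAIL
2022-09-10T12:00:02Z src=203.0.113.5 user=carol result=OK
2022-09-10T12:00:03Z src=203.0.113.5 user=dave result=FAIL
2022-09-10T12:00:04Z src=203.0.113.5 user=erin result=FAIL
2022-09-10T12:00:05Z src=203.0.113.5 user=frank result=FAIL
2022-09-10T12:00:09Z src=198.51.100.7 user=grace result=FAIL
2022-09-10T12:00:20Z src=198.51.100.7 user=grace result=OK
"""

def parse_line(line):
    """Turn one 'ts src=... user=... result=...' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_stuffing_sources(log_text, window=timedelta(seconds=60),
                          min_users=5, min_fail_ratio=0.6):
    """Return {src: (distinct_users, attempts, successes)} for sources that
    tried at least `min_users` different accounts inside `window` with a
    failure ratio of at least `min_fail_ratio`. A person retrying their own
    password hits one account and never trips the distinct-user threshold."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        by_src[rec["src"]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over this source's attempts
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            users = {r["user"] for r in span}
            fails = sum(r["result"] != "OK" for r in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[src] = (len(users), len(span), len(span) - fails)
    return flagged
```

The one success inside the flagged burst is the account a defender should lock and force through a password reset, since it is the reused credential the attackers were looking for.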

Key learnings:

  1. Use (and encourage your clients to use) unique passwords, especially for high-risk services, such as your platform.
  2. Enable multi-factor authentication (MFA). This is highly effective in preventing attacks, as it requires another piece of information (such as an SMS code or mobile prompt) as well as a username and password.
  3. Sign up to services monitoring the dark web (such as haveibeenpwned.com), to tell you if your information is being sold online so you can quickly change reused passwords.

Marriott confirms another data breach

In July, hotel group Marriott International experienced its second high-profile data breach within the last 5 years. This time, attackers tricked one employee into providing their credentials, and then used them to access Marriott’s systems and steal 20GB of data [2].

When Marriott refused to pay the ransom, the credit card and personal information of employees and hotel guests was sold online.

Marriott’s shares fell over 3% after they admitted the breach [3]. They may face another substantial ICO fine, having already paid £18.4 million in October 2020 for their failings in a 2018 cyber-attack [4].

Key learnings:

  1. Just one employee mistake can cause a major data breach costing millions in damages, so security awareness training should be delivered regularly.
  2. You’re more likely to be targeted by cyber-criminals once you’ve already suffered an attack. Regularly test your defences to make sure there aren’t any gaps.
  3. Keep up to date with phishing and social engineering tactics, and continually educate staff on spotting scam signals.

Multi-national tech company Cisco confirms data breach

In August, the technology provider Cisco confirmed they’d fallen victim to a ransomware attack. The gang accessed their network in late May and stole 2.7GB of internal data [5].

The breach stemmed from a Cisco employee’s personal Google account being compromised, likely through a social engineering or phishing attack. The employee enabled password syncing via Google Chrome and stored their Cisco credentials in their browser, which synchronised to their personal Google account.

After obtaining the Cisco credentials, the attackers successfully bypassed MFA. They used a series of techniques, including voice phishing (“vishing”) under the guise of a trusted third party and MFA fatigue (sending a high volume of notifications to the target’s mobile until they accept, either accidentally or through frustration). The Cisco employee accepted the MFA push notifications initiated by the attacker, which granted remote access to the Cisco network.
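MFA fatigue leaves a distinctive trace in the push provider's logs: a run of prompts for one user inside a short window, often with denials or timeouts, before one is finally approved. The following is an added example of flagging that pattern (not code from the original article or from Cisco); the event format, usernames and thresholds are assumptions for illustration.

```python
"""Spotting an MFA-fatigue burst in push-notification logs.

Added example, not from the original article or Cisco's own tooling.
The event format, usernames and thresholds are assumptions for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: 'jdoe' receives a burst of pushes and eventually
# approves one; 'asmith' gets a single push and approves it (normal login).
SAMPLE_EVENTS = """\
2022-05-24T22:10:00Z user=jdoe event=push_sent
2022-05-24T22:10:02Z user=jdoe event=push_denied
2022-05-24T22:10:30Z user=jdoe event=push_sent
2022-05-24T22:10:35Z user=jdoe event=push_denied
2022-05-24T22:11:00Z user=jdoe event=push_sent
2022-05-24T22:11:10Z user=jdoe event=push_timeout
2022-05-24T22:12:00Z user=jdoe event=push_sent
2022-05-24T22:12:04Z user=jdoe event=push_approved
2022-05-24T22:15:00Z user=asmith event=push_sent
2022-05-24T22:15:03Z user=asmith event=push_approved
"""

def parse_event(line):
    """Turn one 'ts user=... event=...' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_mfa_fatigue(events_text, window=timedelta(minutes=10), max_pushes=3):
    """Return (bursts, approved_after_burst): `bursts` maps a user to the
    largest number of push prompts they received inside `window` when that
    number exceeded `max_pushes`; `approved_after_burst` holds users who
    approved a prompt while such a burst was still inside the window, which
    is the case that should page the on-call team immediately."""
    sent = {}                   # user -> deque of send timestamps in window
    bursts, approved_after_burst = {}, set()
    for line in events_text.splitlines():
        rec = parse_event(line)
        user, ev, ts = rec["user"], rec["event"], rec["ts"]
        q = sent.setdefault(user, deque())
        while q and ts - q[0] > window:   # drop sends outside the window
            q.popleft()
        if ev == "push_sent":
            q.append(ts)
            if len(q) > max_pushes:
                bursts[user] = max(bursts.get(user, 0), len(q))
        elif ev == "push_approved" and len(q) > max_pushes:
            approved_after_burst.add(user)
    return bursts, approved_after_burst
```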

Key learnings:

  1. Corporate passwords should never be stored in personal services, such as a personal password manager or email account.
  2. Use a dedicated password manager, rather than storing passwords in your browser.
  3. Cyber-criminals are constantly refining their methods, so it’s important to be aware of new techniques such as MFA fatigue.

How to stay protected

Setting unique passwords and enabling MFA is one of the single most effective controls people can apply to protect their digital information. There will always be advances in technology and in the ways cyber-criminals attempt to circumvent it. If a company is a specific target (such as one that can afford to pay a high ransom to get its data back), you’ll see these advances come into play (e.g. the use of MFA fatigue). However, cyber-criminals will usually go after the weakest link, so enabling MFA ensures you stay a cut above the rest.

Sarah Coles

Information Security Manager


[1] https://www.bleepingcomputer.com/news/security/200-000-north-face-accounts-hacked-in-credential-stuffing-attack/

[2] https://www.bleepingcomputer.com/news/security/marriott-confirms-another-data-breach-after-hotel-got-hacked/

[3] https://seekingalpha.com/news/3854686-marriott-stock-slips-as-second-chain-admits-second-data-breach-of-2022

[4] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/

[5] https://tech.co/news/cisco-confirms-data-breach