As July drew to a close, almost 100million records had been breached, which was nearly three times as many as were breached in June 2022. The number of incidents didn’t spike particularly (85 in July compared with 80 in June 2022), but the severity of some single incidents created the uplift in breached records. Virtual pet website Neopets (think Tamagotchi) was compromised by a hacker who has stolen the source code for the website along with the personal details of 69million users, meanwhile at Mangatoon, a website for reading comics, had data stolen from an unsecured database, releasing almost 23 million personal records. Twitter also ranked highly this month after a vulnerability in the system led to hackers securing 5.4million records, including that of celebrities and companies using the platform. All in all a disastrous month that once again highlights the value of data and the essential tasks facing businesses to ensure data privacy and security.
IBM annual report links data breaches to inflation
According to the 2022 cost of a data breach report from IBM, the average cost of large-scale data breaches from the companies it studies, had reached an all-time high of $4.35million, an increase of nearly 13% over the last two years. While an ever-increasing number and cost of incidents is no surprise, the report found a link between the breaches and the rising costs of goods and services. 60% of the businesses affected raised their prices as a direct result of a breach, in a bid to recoup some of the costs. This just as the cost of goods soar worldwide amid inflation and supply chain issues.
Other figures from the report:
- 83% of studied organisations have suffered more than one breach in their lifetime
- nearly 50% of breach costs are incurred more than a year after the breach
- 28% of breaches were ransomware or destructive attacks, yet 80% of critical infrastructure companies don’t operate a “zero trust” policy
- paying the ransom doesn’t pay: despite paying the ransom, those that chose to pay experienced only a $630,000 lower cost, not including the cost of the ransom paid. In many cases, the cost of the ransom was higher (average ¢812,000 in 2021) than the saving from paying it
- 43% of organisations have not applied security patches across their cloud infrastructure, despite obvious security benefits
- 17% of breaches are caused after a business leader or partner was initially compromised
- 19% of breaches are caused by compromised credentials and 16% by phishing.
Many of the stats highlight that employees are still the weakest link, but that the adoption of good management strategies, cyber training, and adoption of suitable technology and settings can all help to significantly reduce risk.
1 in 3 employees don’t appreciate the importance of cybersecurity
A report from Tessian surveyed 2,000 business employees and 500 business leaders and found that while most leaders (99%) agreed that a strong security culture is important, this does not translate down to employees. The stats show that:
- only 39% of employees say that they’re very likely to report a security incident, and when asked why they might not report it, 42% said they wouldn’t know whether they had caused the incident and 25% said that they don’t care enough to mention it
- 20% say that they don’t care about cybersecurity at work at all, and 10% don’t care about it at home either
- on average, business leaders rate their cybersecurity at 8 out of 10, yet 75% of the businesses have experienced an incident in the last 12 months
- training is highlighted by businesses as having a positive influence on security culture, but only 28% of employees believe training is engaging, 36% say that they don’t fully pay attention, and only 50% believe it is helpful, while the other 50% cite a negative experience to training. Overall, 1 in 5 employees don’t even bother to turn up.
This highlights the need to focus on a multifaceted approach, adopting technologies and settings that do some of the work, adding safeguards, policies and procedures where possible, then approaching the employee angle to inspire confidence and the right culture, and introduce training that is manageable and interesting too. Our MD Claire has written a thought leadership piece about creating the right culture, which you can read here…
Threat actor secured 1million records in four months with Facebook phishing login
If ever there is a reminder to adopt a zero trust policy, it’s this. A threat actor has used Facebook to distribute links to a fake facebook login that allows an ever-increasing cycle of phishing logins. Uncovered by PIXM, the phishing scam highlights the evolving approach to phishing scams and their complexity. Taking users to a duplicate Facebook login page, the page was in fact linked to a number of different database servers, reached by a number of redirects. The threat actor used the site famous.co to generate thousands of legitimate links for the app, each with unique ideas, making it almost impossible to prevent from spreading through Facebook messenger. The case is utterly complex, but the message is simple: be careful what you login to, don’t click on links, and check URLs before you enter anything.
Hackers leak student data
A hacker has obtained the data of thousands of children and teenagers, sourced from the databases or five schools and one college. It includes private data such as passports, disciplinary files and child protection data, leaving children at risk of grooming experts have warned. The data became available to purchase on the dark web.
UK Army latest to suffer a hack
UK Army social media accounts including YouTube and Twitter were hacked and used to share videos about cryptocurrency and NFTs. The accounts were restored a few days later but not before hackers had changed the names and credentials of the accounts. Read the full story +
Gloucester County Council updates hack details
A hack of the Council in December 2021 took a number of services offline and compromised resident data. It has now been revealed that the breach has included resident signatures, addresses, national insurance numbers, bank details and even driver’s licences.