The Aftermath of the eBay Cyber-Attack and the Lessons to be Learnt…

In May it was announced on news sites such as the BBC and Sky News that the popular e-commerce site eBay was breached in late February and early March. The breached database contained phone numbers, addresses, dates of birth, other personal data and encrypted passwords. The company never disclosed how many of the 148 million active accounts were affected but has asked all active users to change their passwords. The hackers infiltrated the network by obtaining a small number of employees’ login credentials. Luckily the hackers did not access the financial database of eBay subsidiary PayPal, because it was stored on a separate network.

The Aftermath

Since the news, many customers have complained and criticised the way the situation was handled, and Attorneys General in at least 3 states in the US have begun investigating the cyber-attack incident. Users were also outraged that eBay waited 2 weeks after discovering the breach before publishing it. Their explanation was:

“For a very long period of time we did not believe that there was any eBay customer data compromised,” commented the Global Marketplaces Chief Devin Wenig shortly after the news was announced.

After eBay promised to make password resets mandatory on the website, it was days before this was carried out, and users who wanted to change their passwords after the initial announcement were unable to because the site struggled with the abnormal number of reset requests. Both of these factors added to the negative feelings amongst eBay users.

In a bid to reassure customers, eBay released a statement saying it had seen no indication of increased fraudulent account activity on the site, but it would seem eBay has missed the point: the main concern is what the cybercriminals can potentially do with the non-encrypted information they stole, such as phone numbers, addresses and dates of birth. So the question is, why wasn’t this personal data encrypted like the passwords?

Considering eBay is responsible for a vast amount of personal data, you would assume it would have better incident response and management, breach detection, network admin login protection, and communication practices.

The most important lessons to take from this incident are that good IT security practices for networks are essential for all businesses, that regular network security assessments are required, and that businesses should educate staff on security and have good crisis management.

Breaches can happen to any company, and poor incident response and management can be like rubbing salt into the wound, with the potential to create more long-term damage to brand reputation.

For more information on IT network security practices and services please feel free to contact us on 0845 603 5552

Netshield to Discuss How Vulnerable Businesses are to Cyber Threats

Managed ICT services provider Netshield will be discussing the issue of cyber threats and different types of IT protection methods at a seminar held at the British Embassy in Brussels on the 24th April 2014.

Working with UK Trade & Investment (UKTI) in Belgium, Richard Carty, Commercial Director at Netshield, will discuss why ICT security needs to be a high priority, the common threats, and ways in which organisations can protect their network and data.

The seminar will be aimed at organisations operating in sectors such as legal, financial, recruitment and the service industry and will take place on the 24th April 2014, at the prestigious British Embassy in Brussels from 9.30 – 13.00 (Central European Time).

‘ICT security is a growing concern with an increasing trend of professional services being a target for malicious behaviour, due to the high levels of business data they hold. The seminar will provide insight into the current threat landscape, security risks of current technological trends and protection methods,’ commented Richard Carty.

The seminar will also include a live security breach demonstration from our guest speaker Rodrigo Marcos from SecForce and discussions on data security from a legal perspective by Paul Van den Bulck of McGuireWoods.

‘We are delighted that the British Ambassador Jonathan Brenton, Paul Van den Bulck, Partner at McGuireWoods, and Rodrigo Marcos at SecForce will be able to join us to discuss the topic of ICT security and examine how exposed businesses are to the cyber threat in the changing workplace environment. With the majority of businesses reliant on technology and data to be operational, it emphasises why a secure ICT network is essential,’ added Richard Carty.


Malware – The Potential Horrific Consequences

The Kaspersky Security Bulletin suggests corporations are increasingly falling victim to cybercrime: a whopping 91% of those surveyed by Kaspersky Lab and B2B International fell victim to a cyber-attack at least once in the last 12 months. The top causes included viruses, malware, spam and phishing. In 2013 alone, Kaspersky Lab products detected almost 3 billion malware attacks on user computers!

Spam and phishing are certainly not new concepts, but the emails sent are becoming more sophisticated: they adopt the appearance of something the recipient is familiar with, such as a message from a delivery company, social media site or store.

Spam can be a simple form of electronic junk, but it can also be malicious, with the purpose of making money, obtaining sensitive information or spreading malicious code. One example is CryptoLocker, which surfaced in 2013; it would encrypt the victim’s data and sell it back to them for monetary gain. It is Trojan ransomware distributed through a series of phishing campaigns. The emails imitated well-known delivery companies and financial institutions, preying on our trust of these companies and our curiosity to see what the attachment is about. It affected over 12,000 victims within one week, and to this day there are still stories of CryptoLocker causing chaos and victims paying to obtain decryption keys for their own data.

The sophistication of spam, malware and phishing attacks is not limited to emails sent from a computer: in January it was found that 750,000 spam emails were sent from compromised smart fridges!

However, these fridges were not infected using traditional methods like a Trojan horse; most of them had been ‘simply left open, so existing software running on them can be used by attackers’, said a spokesperson for Proofpoint, who made the discovery. It would be interesting to know how many people have smart fridges and how many people would buy one?

The US retailer Target is one recent example of how malware can cause horrific consequences. Target’s point-of-sale (POS) system was infected with malware, resulting in as many as 40 million credit and debit card details and 70 million customers’ personal details being stolen in a cyber-attack!

This POS malware attack has caused financial losses and a decrease in brand reputation and consumer confidence. In a recent press release, Target said that due to the attacks it had to review its forecasts, predicting a 2% – 6% decrease in sales for this quarter. Whether or not it is directly related to the data breach, Target also stated there will be store closures in May.

Target’s incident shows that being a victim can have an impact on profits, consumer confidence and brand reputation. A malware breach on this scale is not something a company can recover from overnight, and it can potentially have long-term implications, but only the coming months will reveal the true scale of the consequences for Target.

The consequences of falling victim to spam, malware, viruses and phishing are never good. In general the motive is simple: cybercriminals want to obtain business data and make money! So be vigilant and make sure your systems are protected.

To discuss methods of protection against malicious software contact us today.