Data thefts far more common than just Sony and Epsilon

In the wake of the press reports concerning the recent data breaches at Sony and Epsilon, some organizations are getting the wrong idea about modern online attacks. The media largely chooses to cover mass-scale losses that affect large numbers of consumers from trusted brands.

While it is important to raise awareness about keeping your data safe online and alerting average internet users that they may be victims of data theft, most users are exposed to risk far more frequently and without their knowledge.

In a story published Tuesday on the Bank Information Security blog, Tracy Kitten detailed the exploits of Rogelio Hackett, Jr., who stole more than 675,000 credit cards. The resulting damages exceeded $36 million.

Hackett's strategy? Find smaller organizations who have not coded their websites properly, allowing access to their data via SQL injection vulnerabilities. Based upon the reports I see from customers and other researchers, there are likely hundreds, if not thousands, of Hacketts out there systematically looking for low-hanging fruit.

Hackett may be sentenced to 12 years in prison for his crimes, but for every attacker who is caught, another one is ready to fill his shoes.

The FBI also issued an alert Tuesday, warning American small and medium businesses that a coordinated group of attackers in China was making large wire transfers using stolen banking credentials.

To date these attackers have attempted to wire $20 million, with actual losses to the victims of $11 million. They appear to be using a combination of spearphishing and infected web pages, ultimately infecting victims with malware like ZBot and Spybot.

While it may be natural that the media asked me more than a dozen times yesterday, "Could this happen to XBox Live?" the better question would be "How many of our local businesses has this already happened to?"

Opportunistic criminals will seek out the weak and the strays and quietly steal their money, data and customer records, often without being noticed. If you work for an organization that you think is anonymous or not important enough to be targeted, the bad guys will love you.

The good news? You can take steps to secure your systems that will discourage these "script kiddies" and opportunists. Making your systems harder to hack and protecting your data by encrypting it will make you an undesirable target to much of this crime.

Why is spam moving to Facebook and Twitter? Because the filters on these services are less effective than the ones on your inbox. Why are criminals targeting small businesses? Because most often it is a heck of a lot easier than targeting Sony, Epsilon and Heartland Payment Systems.

For insight into some best practices that can help secure your organization, check out our security hubs.

One Response to Data thefts far more common than just Sony and Epsilon

  1. Alex · 1187 days ago

    Sunlight is the best disinfectant. Although I'm pssed off that these attacks have occurred against Sony, Epsilon, I do believe that them going public with the info is at least a help and a warning to other companies that if you don't protect yourself, you're next.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.