Data thefts far more common than just Sony and Epsilon

In the wake of the press reports concerning the recent data breaches at Sony and Epsilon, some organizations are getting the wrong idea about modern online attacks. The media largely chooses to cover mass-scale losses that affect large numbers of consumers from trusted brands.

While it is important to raise awareness about keeping your data safe online and to alert average internet users that they may be victims of data theft, most users are exposed to risk far more frequently and without their knowledge.

In a story published Tuesday on the Bank Information Security blog, Tracy Kitten detailed the exploits of Rogelio Hackett, Jr., who stole more than 675,000 credit cards. The resulting damages exceeded $36 million.

Hackett’s strategy? Find smaller organizations who have not coded their websites properly, allowing access to their data via SQL injection vulnerabilities. Based upon the reports I see from customers and other researchers, there are likely hundreds, if not thousands, of Hacketts out there systematically looking for low-hanging fruit.

Hackett may be sentenced to 12 years in prison for his crimes, but for every attacker who is caught, another one is ready to fill his shoes.

The FBI also issued an alert Tuesday, warning American small and medium businesses that a coordinated group of attackers in China was making large wire transfers using stolen banking credentials.

To date these attackers have attempted to wire $20 million, with actual losses to the victims of $11 million. They appear to be using a combination of spearphishing and infected web pages, ultimately infecting victims with malware like ZBot and Spybot.

While it may be natural that the media asked me more than a dozen times yesterday, “Could this happen to XBox Live?” the better question would be “How many of our local businesses has this already happened to?”

Opportunistic criminals will seek out the weak and the strays and quietly steal their money, data and customer records, often without being noticed. If you work for an organization that you think is anonymous or not important enough to be targeted, the bad guys will love you.

The good news? You can take steps to secure your systems that will discourage these “script kiddies” and opportunists. Making your systems harder to hack and protecting your data by encrypting it will make you an undesirable target for much of this crime.

Why is spam moving to Facebook and Twitter? Because the filters on these services are less effective than the ones on your inbox. Why are criminals targeting small businesses? Because most often it is a heck of a lot easier than targeting Sony, Epsilon and Heartland Payment Systems.

For insight into some best practices that can help secure your organization, check out our security hubs.