Data Breaches: Big and Small; is Cyber Insurance Necessary?

Jared and Kay Jewelers

In late 2018, it was discovered that the parent company of diamond retailers Jared and Kay Jewelers was sending customers order confirmation e-mails that were highly susceptible to exploits.

By changing a component of the customer-specific link in the confirmation e-mail, one could view another customer’s order, including personal information. The simple process of changing values for URL parameters is a very common, preventable exploit known as HTTP Parameter Pollution.

After the matter was brought to Signet’s attention, it took a few weeks to plug the data leak. While this isn’t an example of a massive data breach, I wanted to point out an example of a smaller data trickle that is very common and can be easily used to bypass security measures and glean personal information.
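The link problem described above comes down to a server that returns whatever order the URL names without checking that the link was issued for it. The sketch below is an added example, not code from Signet or from the original post: it puts a lookup that trusts the parameter beside one that requires an HMAC signature binding the order ID to its owner. The order store, key, URL and function names are all hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data; the key, store and URL are hypothetical.
SECRET_KEY = b"example-only-key"
BASE_URL = "https://shop.example/orders/view"
ORDERS = {
    "1001": {"email": "alice@example.com", "item": "ring"},
    "1002": {"email": "bob@example.com", "item": "watch"},
}

def _tag(order_id: str, email: str) -> str:
    """HMAC that binds an order ID to the customer it was issued for."""
    msg = f"{order_id}|{email}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def build_confirmation_link(order_id: str) -> str:
    """Link placed in the confirmation e-mail for a single order."""
    email = ORDERS[order_id]["email"]
    query = urlencode({"order": order_id, "sig": _tag(order_id, email)})
    return f"{BASE_URL}?{query}"

def with_order_id(url: str, new_id: str) -> str:
    """Same link with only the order value changed, as the post describes."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    params["order"] = new_id
    return f"{BASE_URL}?{urlencode(params)}"

def lookup_weak(url: str):
    """'Before': trusts the order parameter, so an edited ID is served."""
    params = parse_qs(urlparse(url).query)
    return ORDERS.get(params.get("order", [""])[0])

def lookup_hardened(url: str):
    """'After': serves the order only if the signature matches its owner."""
    params = parse_qs(urlparse(url).query)
    order_id = params.get("order", [""])[0]
    sig = params.get("sig", [""])[0]
    order = ORDERS.get(order_id)
    if order is None:
        return None
    expected = _tag(order_id, order["email"])
    # Compare as bytes in constant time; missing or altered sig fails.
    ok = hmac.compare_digest(sig.encode(), expected.encode())
    return order if ok else None
```

A signed link is only as private as the mailbox it lands in, so a production system would normally also require the customer to be logged in and check that the session owns the order.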

Virginia National Bank

One of the most effective tactics adversaries use to break into networks is a good ol’ fashioned phishing e-mail. Last year, an employee at The National Bank of Blacksburg (Virginia) fell victim to a targeted phishing attack.

The malicious e-mail allowed the attackers to install malware onto the victim’s computer and eventually compromise a second computer which had access to the STAR Network – a system run by First Data that the bank uses to handle its customers’ debit card transactions. With this access, the hackers successfully disabled anti-theft and anti-fraud protections on customers’ cards and proceeded to use hundreds of ATMs throughout the country to dispense funds from bank customers’ accounts.

Over the course of one weekend, the hackers stole more than $560,000. Just 8 months later, the hackers once again gained access to the bank’s systems through another phishing attack. At the end of both heists, the bank’s total reported loss from this breach was $1,833,944.

Over and over, we see examples of how the people of an organization are the weakest link in security. Falling victim to two targeted phishing e-mails in an 8-month period shows just how difficult it is to maintain a high level of company-wide security awareness.

I suspect many banks will look at these incidents with this Virginia bank and begin heavily weighing the importance of security education for their personnel. One last interesting detail is that the phishing payload that these hackers sent to bank employees was delivered through an infected Microsoft Word document.

Data Breaches, Big and Small

The payment breaches we hear about are usually the big ones: Marriott, Target, Home Depot. However, according to Cisco’s SMB Cybersecurity Report, there is a huge surge in cyber attacks against small and mid-size businesses, and the impact they leave on business owners can be catastrophic.

60% of small businesses that fall victim to a breach will close within 6 months.

A small-market business is defined as having fewer than 250 employees, and a midmarket business is defined as a company with 250-499 employees. According to Cisco, over half (53%) of all midmarket businesses have been victims of breaches. Over half!

The thing about smaller businesses is that they are much less likely to have contingency plans to enact during an attack, because they simply don’t have the resources for response and recovery. They are less likely to have multiple locations or business segments, and their core systems are almost always more interconnected than those of bigger organizations. All of this means that when a threat hits, it can easily spread from the network onto other systems, which inevitably leads to greater downtime.

Attacks on Small Businesses

Brian Krebs looks at two attacks on small businesses, the First National Bank of Coffee County located in rural Georgia, and Consolidated Concrete based in Hastings, Nebraska.

In the summer of 2012, attackers broke into the computers of a fuel supplier in south Georgia and attempted to transfer over a million and a half dollars out of the company’s accounts. While that failed, the attackers were successful in putting through a fraudulent payroll batch of over $300,000 which the victim’s bank (the First National Bank of Coffee County) allowed to go through.

The attackers were able to breach the victim’s computer systems through a phishing attack (which downloaded the ZeuS Trojan onto the victim’s PC). A similar attack occurred on Consolidated Concrete in Nebraska where the attackers were able to take off with more than $100,000.

Krebs points out that both of these victim businesses managed their money online at small, local banks that lacked fundamental security practices to secure their customers’ accounts.

For a small business owner, a targeted phishing attack or ransomware poses a significant threat – with the potential for completely stopping the flow of business until the problem is fixed. Unfortunately, these data breaches often lead to the owner having to shut down their business.

A Look at Cyber Insurance

The average cost of data breaches seems to rise every year. As we’ve already seen, the majority of businesses will experience a breach of some kind. These two facts have led to a rise in organizations getting cyber insurance coverage. It has pretty much become a necessity for any organization that collects data. There are three categories of cyber insurance coverage:

  • First-party coverage: Direct losses resulting from data destruction, extortion, theft, hacking and DoS attacks; business interruption costs; data restoration costs; public relations expenses to manage reputational damage; legal expenses; etc.
  • Third-party coverage: Losses and costs incurred by other entities, including liability claims and fines. This coverage offers protection for the tech and IT companies (and independent contractors) who were responsible for the safe storage of data; this includes legal fees associated with lawsuits.
  • Other benefits: Costs and services associated with regular security audits, post-incident public relations, investigative expenses, and criminal reward funds.

The premiums an organization pays will vary widely based on its circumstances. Insurers will determine which industry standards and security controls insured organizations ought to implement in order to mitigate their digital risk. Rankin comments that cyber insurance is only part of the solution to measuring and managing cyber risk. He notes that just because an organization is insured, it shouldn’t ‘rest easy’ assuming it is safe: a full, comprehensive risk management program (where risk transfer is just one element) is necessary!